| Message ID | 20231101163830.177769-3-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | d2d24b933178 |
| Headers | show |
| Series | [1/3] libsepol: validate default type of transition is not an attribute | expand |
On Wed, Nov 1, 2023 at 12:39 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Ensure the ibendport port is not 0 (similar to the kernel). > > More general depth test for boolean expressions. > > Ensure the boolean id is not set for logic operators. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/policydb_validate.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > index c6a66fb3..0e4805ef 100644 > --- a/libsepol/src/policydb_validate.c > +++ b/libsepol/src/policydb_validate.c > @@ -1002,13 +1002,15 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex > case COND_BOOL: > if (validate_value(expr->boolean, boolean)) > goto bad; > - if (depth == (COND_EXPR_MAXDEPTH - 1)) > + if (depth >= (COND_EXPR_MAXDEPTH - 1)) > goto bad; > depth++; > break; > case COND_NOT: > if (depth < 0) > goto bad; > + if (expr->boolean != 0) > + goto bad; > break; > case COND_OR: > case COND_AND: > @@ -1017,6 +1019,8 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex > case COND_NEQ: > if (depth < 1) > goto bad; > + if (expr->boolean != 0) > + goto bad; > depth--; > break; > default: > @@ -1199,6 +1203,8 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid > goto bad; > break; > case OCON_IBENDPORT: > + if (octx->u.ibendport.port == 0) > + goto bad; > if (!octx->u.ibendport.dev_name) > goto bad; > break; > -- > 2.42.0 >
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index c6a66fb3..0e4805ef 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -1002,13 +1002,15 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex case COND_BOOL: if (validate_value(expr->boolean, boolean)) goto bad; - if (depth == (COND_EXPR_MAXDEPTH - 1)) + if (depth >= (COND_EXPR_MAXDEPTH - 1)) goto bad; depth++; break; case COND_NOT: if (depth < 0) goto bad; + if (expr->boolean != 0) + goto bad; break; case COND_OR: case COND_AND: @@ -1017,6 +1019,8 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex case COND_NEQ: if (depth < 1) goto bad; + if (expr->boolean != 0) + goto bad; depth--; break; default: @@ -1199,6 +1203,8 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid goto bad; break; case OCON_IBENDPORT: + if (octx->u.ibendport.port == 0) + goto bad; if (!octx->u.ibendport.dev_name) goto bad; break;
Ensure the ibendport port is not 0 (similar to the kernel). More general depth test for boolean expressions. Ensure the boolean id is not set for logic operators. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- libsepol/src/policydb_validate.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)