Message ID | 20231128182334.57740-1-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 14f76201da62 |
Delegated to: | Petr Lautrbach |
Series | [1/7] libsepol: validate conditional type rules have a simple default type | expand |
On Tue, Nov 28, 2023 at 1:23 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Similar to unconditional avtab keys check the default type of type av > rules are a simple type, not an attribute. > Since extended permission rules are not allowed in conditional policies > this check does not need to be performed. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> For every patch except for patch 4. Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/policydb_validate.c | 15 +++++++++++---- > 1 file changed, 11 insertions(+), 4 deletions(-) > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > index 8b87675f..c2f19fa0 100644 > --- a/libsepol/src/policydb_validate.c > +++ b/libsepol/src/policydb_validate.c > @@ -885,14 +885,21 @@ static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *c > > for (; cond_av; cond_av = cond_av->next) { > for (avtab_ptr = cond_av->node; avtab_ptr; avtab_ptr = avtab_ptr->next) { > - if (validate_avtab_key(&avtab_ptr->key, 1, p, flavors)) { > - ERR(handle, "Invalid cond av list"); > - return -1; > - } > + const avtab_key_t *key = &avtab_ptr->key; > + const avtab_datum_t *datum = &avtab_ptr->datum; > + > + if (validate_avtab_key(key, 1, p, flavors)) > + goto bad; > + if ((key->specified & AVTAB_TYPE) && validate_simpletype(datum->data, p, flavors)) > + goto bad; > } > } > > return 0; > + > +bad: > + ERR(handle, "Invalid cond av list"); > + return -1; > } > > static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int conditional, const policydb_t *p, validate_t flavors[]) > -- > 2.43.0 > >
On Fri, Dec 1, 2023 at 2:52 PM James Carter <jwcart2@gmail.com> wrote: > > On Tue, Nov 28, 2023 at 1:23 PM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Similar to unconditional avtab keys check the default type of type av > > rules are a simple type, not an attribute. > > Since extended permission rules are not allowed in conditional policies > > this check does not need to be performed. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > For every patch except for patch 4. > Acked-by: James Carter <jwcart2@gmail.com> > Patches 1-3 and 5-7 have been merged. Thanks, Jim > > --- > > libsepol/src/policydb_validate.c | 15 +++++++++++---- > > 1 file changed, 11 insertions(+), 4 deletions(-) > > > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > > index 8b87675f..c2f19fa0 100644 > > --- a/libsepol/src/policydb_validate.c > > +++ b/libsepol/src/policydb_validate.c > > @@ -885,14 +885,21 @@ static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *c > > > > for (; cond_av; cond_av = cond_av->next) { > > for (avtab_ptr = cond_av->node; avtab_ptr; avtab_ptr = avtab_ptr->next) { > > - if (validate_avtab_key(&avtab_ptr->key, 1, p, flavors)) { > > - ERR(handle, "Invalid cond av list"); > > - return -1; > > - } > > + const avtab_key_t *key = &avtab_ptr->key; > > + const avtab_datum_t *datum = &avtab_ptr->datum; > > + > > + if (validate_avtab_key(key, 1, p, flavors)) > > + goto bad; > > + if ((key->specified & AVTAB_TYPE) && validate_simpletype(datum->data, p, flavors)) > > + goto bad; > > } > > } > > > > return 0; > > + > > +bad: > > + ERR(handle, "Invalid cond av list"); > > + return -1; > > } > > > > static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int conditional, const policydb_t *p, validate_t flavors[]) > > -- > > 2.43.0 > > > >
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 8b87675f..c2f19fa0 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -885,14 +885,21 @@ static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *c
 for (; cond_av; cond_av = cond_av->next) {
 for (avtab_ptr = cond_av->node; avtab_ptr; avtab_ptr = avtab_ptr->next) {
- if (validate_avtab_key(&avtab_ptr->key, 1, p, flavors)) {
- ERR(handle, "Invalid cond av list");
- return -1;
- }
+ const avtab_key_t *key = &avtab_ptr->key;
+ const avtab_datum_t *datum = &avtab_ptr->datum;
+
+ if (validate_avtab_key(key, 1, p, flavors))
+ goto bad;
+ if ((key->specified & AVTAB_TYPE) && validate_simpletype(datum->data, p, flavors))
+ goto bad;
 }
 }
 return 0;
+
+bad:
+ ERR(handle, "Invalid cond av list");
+ return -1;
 }
 static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int conditional, const policydb_t *p, validate_t flavors[])
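Review bot: The commit message relies on extended-permission rules being impossible in conditional policies, but nothing in the added lines enforces that, so a conditional entry whose key carries AVTAB_XPERMS would pass the new `key->specified & AVTAB_TYPE` test untouched and its `datum->xperms` would never be validated here. Unless validate_avtab_key() with its second argument set to 1 already rejects such keys (its body is outside this hunk, so that is an assumption), an explicit guard before the type check, `if (key->specified & AVTAB_XPERMS) goto bad;`, would turn the commit message's assumption into a cheap check on untrusted policy input. At minimum, a one-line comment above the new type check stating that xperms keys are expected to have been rejected by validate_avtab_key() would record why datum->xperms is not looked at. validate_cond_av_list() begins before this hunk; only its loop body and the new `bad:` label are visible.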
As is already done for unconditional avtab entries, check that the default type of conditional type rules is a simple type, not an attribute. Since extended permission rules are not allowed in conditional policies this check does not need to be performed. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- libsepol/src/policydb_validate.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)