[7/7] libsepol: reject linking modules with no avrules

Message ID	20231128182334.57740-7-cgzones@googlemail.com (mailing list archive)
State	Accepted
Commit	4724538b62e4
Delegated to:	Petr Lautrbach
Headers	show Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b="Egc0n0R1" From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> To: selinux@vger.kernel.org Subject: [PATCH 7/7] libsepol: reject linking modules with no avrules Date: Tue, 28 Nov 2023 19:23:34 +0100 Message-ID: <20231128182334.57740-7-cgzones@googlemail.com> In-Reply-To: <20231128182334.57740-1-cgzones@googlemail.com> References: <20231128182334.57740-1-cgzones@googlemail.com> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	[1/7] libsepol: validate conditional type rules have a simple default type \| expand [1/7] libsepol: validate conditional type rules have a simple default type [2/7] libsepol: use correct type to avoid truncations [3/7] checkpolicy/dismod: avoid duplicate initialization and fix module linking [4/7] checkpolicy/dispol: misc updates [5/7] libsepol: reject invalid class datums [6/7] libsepol/fuzz: handle empty and non kernel policies [7/7] libsepol: reject linking modules with no avrules

Message ID

20231128182334.57740-7-cgzones@googlemail.com (mailing list archive)

State

Accepted

Commit

4724538b62e4

Delegated to:

Petr Lautrbach

Headers

show

Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com
 header.b="Egc0n0R1"
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com
 [IPv6:2a00:1450:4864:20::12c])
	by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5F5769D
	for <selinux@vger.kernel.org>; Tue, 28 Nov 2023 10:23:44 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id
 2adb3069b0e04-50bc2e7f1e4so202421e87.1
        for <selinux@vger.kernel.org>; Tue, 28 Nov 2023 10:23:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlemail.com; s=20230601; t=1701195822; x=1701800622;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=wbuVTEiIzJiwIo7dN8hiU8dK38A8G5i3SvER6EcQWBI=;
        b=Egc0n0R1iXSpDI+IS3WNRc6kON+PDRsyt0/1E01KYONwkP5VFe95G7wXD75pB2P1Vt
         Mj1NvWp7ZMPFIVrFoBTccxn4qH3TNbgVPlBb8eM4MrN6JkAqgk+wjJAL/4R6XIf2fbFw
         gOqayUc7EUro29uVnTHQl3f45/08lrRvbxVyXdlklKIiIilU09UhX4IwAJpUAwYUhPYR
         g620pOjX0/NY4R9pldh7VVMBYYVqLBDUr60mh1mCZ3pQcGx03yoTFXuMPEKZSYGSlybn
         NDEHZUIAk3FUp4u9WJtisMsvzUr1HgQ1TCu3MKyraq2T5TUTxWHcrpXkWZx44Q3YQGOv
         4MFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1701195822; x=1701800622;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=wbuVTEiIzJiwIo7dN8hiU8dK38A8G5i3SvER6EcQWBI=;
        b=oi+fd4xXpe/RAYQVX7EF59Mx2ZfRHJJHJ2Ke2fLX6T9FR5itJxXFHV2jhI3Jg2UJ79
         grpqL7XWhNvHEKIJxf2hFXcr17YeDRmPlYbOh6vFLkdI52z5IEy1BI/un/pqaLpGB0N5
         xvDfJD4r5heAioV+nSOKZ7pIp0J6QnxQ8Guj7qara8oz20OiipfjXzzkGC2rF6eK/dpW
         ETr1NWYmgsfygs/VQ+3qFIlUKz9oltbUv/LknRmkACkew07CtforgjtPo7cz9GCUPrvK
         AI0IzcbnW/H/KHUHzDWKeYJBLEdy8YlD2yUPOdHTWtFt0sq+9ONvBN0Hoh1mEGWcqwBW
         Ptow==
X-Gm-Message-State: AOJu0YxDIhbWQMYi40npxIXI7vuU/HVblFPTMc/jGKFcj0s1tvy6z+uS
	51UAF9SixDPJ6u0YraoedtYr+FlrHEs=
X-Google-Smtp-Source: 
 AGHT+IHn9s0tYS0o110lIjAX5BWvqeIwKvS/WJs5zpprXD93P3k85yjzW1pvD+z5iSPu1rPKF3XZvA==
X-Received: by 2002:a05:6512:280d:b0:509:e5a4:2b03 with SMTP id
 cf13-20020a056512280d00b00509e5a42b03mr15449229lfb.13.1701195822564;
        Tue, 28 Nov 2023 10:23:42 -0800 (PST)
Received: from debian_development.DebianHome
 (dynamic-077-003-184-154.77.3.pool.telefonica.de. [77.3.184.154])
        by smtp.gmail.com with ESMTPSA id
 v11-20020a1709067d8b00b009dddec5a96fsm7122024ejo.170.2023.11.28.10.23.42
        for <selinux@vger.kernel.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Nov 2023 10:23:42 -0800 (PST)
From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [PATCH 7/7] libsepol: reject linking modules with no avrules
Date: Tue, 28 Nov 2023 19:23:34 +0100
Message-ID: <20231128182334.57740-7-cgzones@googlemail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231128182334.57740-1-cgzones@googlemail.com>
References: <20231128182334.57740-1-cgzones@googlemail.com>
Precedence: bulk
X-Mailing-List: selinux@vger.kernel.org
List-Id: <selinux.vger.kernel.org>
List-Subscribe: <mailto:selinux+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:selinux+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

[1/7] libsepol: validate conditional type rules have a simple default type | expand

Commit Message

Christian Göttsche Nov. 28, 2023, 6:23 p.m. UTC

Standard policy modules generated by compilers have at least one global
av rule.  Reject modules otherwise, e.g. generated by a fuzzer.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/link.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 3b7742bc..b8272308 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -2019,7 +2019,7 @@  static int debug_requirements(link_state_t * state, policydb_t * p)
 	memset(&req, 0, sizeof(req));
 
 	for (cur = p->global; cur != NULL; cur = cur->next) {
-		if (cur->enabled != NULL)
+		if (cur->enabled != NULL || cur->branch_list == NULL)
 			continue;
 
 		ret = is_decl_requires_met(state, cur->branch_list, &req);
@@ -2142,6 +2142,11 @@  static int enable_avrules(link_state_t * state, policydb_t * pol)
 	/* 1) enable all of the non-else blocks */
 	for (block = pol->global; block != NULL; block = block->next) {
 		block->enabled = block->branch_list;
+		if (!block->enabled) {
+			ERR(state->handle, "Global block has no avrules!");
+			ret = SEPOL_ERR;
+			goto out;
+		}
 		block->enabled->enabled = 1;
 		for (decl = block->branch_list->next; decl != NULL;
 		     decl = decl->next)

[7/7] libsepol: reject linking modules with no avrules

Commit Message

Patch