[4/5] checkpolicy: do not consume unmatched identifiers

Message ID	20250115131329.132477-3-cgoettsche@seltendoof.de (mailing list archive)
State	New
Headers	show Received: from server02.seltendoof.de (server02.seltendoof.de [168.119.48.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B56E822FDE9 for <selinux@vger.kernel.org>; Wed, 15 Jan 2025 13:13:37 +0000 (UTC) From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de> To: selinux@vger.kernel.org Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> Subject: [PATCH 4/5] checkpolicy: do not consume unmatched identifiers Date: Wed, 15 Jan 2025 14:13:27 +0100 Message-ID: <20250115131329.132477-3-cgoettsche@seltendoof.de> In-Reply-To: <20250115131329.132477-1-cgoettsche@seltendoof.de> References: <20250115131329.132477-1-cgoettsche@seltendoof.de> Reply-To: cgzones@googlemail.com Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	[1/5] libselinux: set errno in failure case \| expand [2/5] checkpolicy: check identifier before copying [3/5] checkpolicy: remove unneeded queue_head() [4/5] checkpolicy: do not consume unmatched identifiers [5/5] checkpolicy: clear queue between parser passes [1/5] libselinux: set errno in failure case

Message ID

20250115131329.132477-3-cgoettsche@seltendoof.de (mailing list archive)

State

New

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de>
To: selinux@vger.kernel.org
Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
Subject: [PATCH 4/5] checkpolicy: do not consume unmatched identifiers
Date: Wed, 15 Jan 2025 14:13:27 +0100
Message-ID: <20250115131329.132477-3-cgoettsche@seltendoof.de>
In-Reply-To: <20250115131329.132477-1-cgoettsche@seltendoof.de>
References: <20250115131329.132477-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

[1/5] libselinux: set errno in failure case | expand

Commit Message

Christian Göttsche Jan. 15, 2025, 1:13 p.m. UTC

From: Christian Göttsche <cgzones@googlemail.com>

Avoid consuming identifiers during pass 1 in functions that do not parse
them during pass 2. This currently works due to the subsequent
parse_security_context(NULL) call.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/policy_define.c | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 275ef5fe..a056be67 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -4850,7 +4850,6 @@  int define_fs_context(unsigned int major, unsigned int minor)
 int define_pirq_context(unsigned int pirq)
 {
 	ocontext_t *newc, *c, *l, *head;
-	char *id;
 
 	if (policydbp->target_platform != SEPOL_TARGET_XEN) {
 		yyerror("pirqcon not supported for target");
@@ -4858,8 +4857,6 @@  int define_pirq_context(unsigned int pirq)
 	}
 
 	if (pass == 1) {
-		id = (char *) queue_remove(id_queue);
-		free(id);
 		parse_security_context(NULL);
 		return 0;
 	}
@@ -4904,7 +4901,6 @@  bad:
 int define_iomem_context(uint64_t low, uint64_t high)
 {
 	ocontext_t *newc, *c, *l, *head;
-	char *id;
 
 	if (policydbp->target_platform != SEPOL_TARGET_XEN) {
 		yyerror("iomemcon not supported for target");
@@ -4912,8 +4908,6 @@  int define_iomem_context(uint64_t low, uint64_t high)
 	}
 
 	if (pass == 1) {
-		id = (char *)queue_remove(id_queue);
-		free(id);
 		parse_security_context(NULL);
 		return 0;
 	}
@@ -4968,7 +4962,6 @@  bad:
 int define_ioport_context(unsigned long low, unsigned long high)
 {
 	ocontext_t *newc, *c, *l, *head;
-	char *id;
 
 	if (policydbp->target_platform != SEPOL_TARGET_XEN) {
 		yyerror("ioportcon not supported for target");
@@ -4976,8 +4969,6 @@  int define_ioport_context(unsigned long low, unsigned long high)
 	}
 
 	if (pass == 1) {
-		id = (char *)queue_remove(id_queue);
-		free(id);
 		parse_security_context(NULL);
 		return 0;
 	}
@@ -5032,7 +5023,6 @@  bad:
 int define_pcidevice_context(unsigned long device)
 {
 	ocontext_t *newc, *c, *l, *head;
-	char *id;
 
 	if (policydbp->target_platform != SEPOL_TARGET_XEN) {
 		yyerror("pcidevicecon not supported for target");
@@ -5040,8 +5030,6 @@  int define_pcidevice_context(unsigned long device)
 	}
 
 	if (pass == 1) {
-		id = (char *) queue_remove(id_queue);
-		free(id);
 		parse_security_context(NULL);
 		return 0;
 	}
@@ -5845,7 +5833,6 @@  int define_ipv6_cidr_node_context(void)
 	}
 
 	if (pass == 1) {
-		free(queue_remove(id_queue));
 		free(queue_remove(id_queue));
 		parse_security_context(NULL);
 		return 0;

[4/5] checkpolicy: do not consume unmatched identifiers

Commit Message

Patch