代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/libsepol 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 903e8cf26e2ab874618e0fdaef537bc3d9a8b69d Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Fri, 13 Oct 2023 09:26:50 -0400
Subject: [PATCH] libsepol/cil: Do not allow classpermissionset to use
anonymous classpermission
Macros can use classpermission arguments. These are used in two
different ways. Either a named classpermission is passed (which is
declared using a classpermisison rule) or an anonymous classpermission
is passed (something like "(CLASS (PERM))").
Usually this will look like either of the following:
Ex1/
(classpermission cp1)
(classpermisisonset cp1 (CLASS (PERM)))
(macro m1 ((classpermisison ARG1))
(allow t1 self ARG1)
)
(call m1 (cp1))
or
Ex2/
(macro m2 ((classpermission ARG2))
(allow t2 self ARG2)
)
(call m2 ((CLASS (PERM))))
The following would also be valid:
Ex3/
(classpermission cp3)
(macro m3 ((classpermission ARG3))
(classpermissionset ARG3 (CLASS (PERM)))
(allow t3 self ARG3)
)
(call m3 (cp3))
The oss-fuzzer did the equivalent of the following:
(classpermission cp4)
(macro m4 ((classpermission ARG4))
(classpermissionset ARG4 (CLASS (PERM1)))
(allow t4 self ARG4)
)
(call m4 (CLASS (PERM2)))
It passed an anonymous classpermission into a macro where there
was a classpermissionset rule. Suprisingly, everything worked well
until it was time to destroy the AST. There is no way to distinguish
between the anonymous classpermission being passed in which needs
to be destroyed and the classpermission in the classpermissionset
rule which is destroyed when the classpermissionset rule is
destroyed. This led to CIL trying to destroy the classpermission
in the classpermissionset rule twice.
To fix this, when resolving the classpermission name in the
classpermissionset rule, check if the datum returned is for
an anonymous classpermission (it has no name) and return an
error if it is.
This fixes oss-fuzz issue 60670.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reference: https://github.com/SELinuxProject/selinux/commit/903e8cf26e2ab874618e0fdaef537bc3d9a8b69d
Conflict: Context adaptation
---
libsepol/cil/src/cil_resolve_ast.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 4e8a375d6..427a320c9 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -253,6 +253,12 @@ int cil_resolve_classpermissionset(struct cil_tree_node *current, struct cil_cla
goto exit;
}
+ if (!datum->fqn) {
+ cil_tree_log(current, CIL_ERR, "Anonymous classpermission used in a classpermissionset");
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
rc = cil_resolve_classperms_list(current, cps->classperms, extra_args);
if (rc != SEPOL_OK) {
goto exit;
--
2.33.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手