From 4724538b62e4eb846057b227ce12052749bd4473 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 28 Nov 2023 19:23:34 +0100
Subject: [PATCH] libsepol: reject linking modules with no avrules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
 
Standard policy modules generated by compilers have at least one global
av rule.  Reject modules otherwise, e.g. generated by a fuzzer.
 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
 
Reference: https://github.com/SELinuxProject/selinux/commit/4724538b62e4eb846057b227ce12052749bd4473
Conflict: NA
---
 libsepol/src/link.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 3b7742bc..b8272308 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -2019,7 +2019,7 @@ static int debug_requirements(link_state_t * state, policydb_t * p)
 	memset(&req, 0, sizeof(req));
 
 	for (cur = p->global; cur != NULL; cur = cur->next) {
-		if (cur->enabled != NULL)
+		if (cur->enabled != NULL || cur->branch_list == NULL)
 			continue;
 
 		ret = is_decl_requires_met(state, cur->branch_list, &req);
@@ -2142,6 +2142,11 @@ static int enable_avrules(link_state_t * state, policydb_t * pol)
 	/* 1) enable all of the non-else blocks */
 	for (block = pol->global; block != NULL; block = block->next) {
 		block->enabled = block->branch_list;
+		if (!block->enabled) {
+			ERR(state->handle, "Global block has no avrules!");
+			ret = SEPOL_ERR;
+			goto out;
+		}
 		block->enabled->enabled = 1;
 		for (decl = block->branch_list->next; decl != NULL;
 		     decl = decl->next)
-- 
2.33.0