libsepol/cil: fix mlsconstrain segfault #164
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Installing a cil module with invalid mlsconstrain syntax currently results in a segfault. In the following module, the right-hand side of the second operand of the OR is a list (mlstrustedobject): $ cat test.cil (class test (foo) ) (classorder (unordered test)) (mlsconstrain (test (foo)) (or (dom h1 h2) (eq t2 (mlstrustedobject)) ) ) $ sudo semodule -i test.cil zsh: segmentation fault sudo semodule -i test.cil This syntax is invalid and should error accordingly, rather than segfaulting. This patch provides this syntax error for the same module: $ sudo semodule -i test.cil t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side Bad expression tree for constraint Bad constrain declaration at /var/lib/selinux/mls/tmp/modules/400/test/cil:4 semodule: Failed! Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Installing a cil module with invalid mlsconstrain syntax currently
results in a segfault. In the following module, the right-hand side of
the second operand of the OR is a list (mlstrustedobject):
$ cat test.cil
(class test (foo) )
(classorder (unordered test))
(mlsconstrain (test (foo))
(or
(dom h1 h2)
(eq t2 (mlstrustedobject))
)
)
$ sudo semodule -i test.cil
zsh: segmentation fault sudo semodule -i test.cil
This syntax is invalid and should error accordingly, rather than
segfaulting. This patch provides this syntax error for the same module:
$ sudo semodule -i test.cil
t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side
Bad expression tree for constraint
Bad constrain declaration at /var/lib/selinux/mls/tmp/modules/400/test/cil:4
semodule: Failed!
Signed-off-by: Mike Palmiotto mike.palmiotto@crunchydata.com