From: Dominick Grift <dominick.grift@defensec.nl>
To: "Lawrence, Stephen" <slawrence@tresys.com>
Cc: "selinux@vger.kernel.org" <selinux@vger.kernel.org>
Subject: Re: CIL: another segfault producer
Date: Tue, 28 Jan 2020 17:25:58 +0100
Message-ID: <20200128162558.GB36656@brutus.lan>
In-Reply-To: <486b1ea4-421e-dbf9-430e-db6566028d2f@tresys.com>
On Tue, Jan 28, 2020 at 02:00:08PM +0000, Lawrence, Stephen wrote:
> Looks to be an ordering issue with how we verify classmaps when they are
> nested. If you define (classmap common_appletalk_socket ...) before
> (classmap all_sockets ...), you'll get this error:
>
> Map class common_appletalk_socket does not have a classmapping for
> common_readwrite_socket_perms
> Map class common_appletalk_socket does not have a classmapping for
> common_create_socket_perms
>
> So you're just missing the mapping for common_appletalk_sockets.
>
> The right fix for the segfault isn't immediately clear to me--might need
> to change some orderings or maybe even add another verify pass? But
> adding the mapping should resolve your segfault for now.
>
Thanks. My bad: overlooked...
>
> On 1/28/20 7:25 AM, Dominick Grift wrote:
> > In trying to reduce points of failure in my policy I encountered another segfault
> >
> > I want to centralize common permissions, for example common create and common read/write socket perms:
> >
> > (classmap all_sockets
> >     (common_create_socket_perms common_readwrite_socket_perms))
> >
> > (classmap common_alg_socket
> >     (common_create_socket_perms common_readwrite_socket_perms))
> > (classmap common_appletalk_socket
> >     (common_create_socket_perms common_readwrite_socket_perms))
> >
> > (classmapping
> >     all_sockets
> >     common_create_socket_perms
> >     (common_alg_socket
> >         (common_create_socket_perms)))
> >
> > (classmapping
> >     all_sockets
> >     common_create_socket_perms
> >     (common_appletalk_socket
> >         (common_create_socket_perms)))
> >
> > (classmapping
> >     all_sockets
> >     common_readwrite_socket_perms
> >     (common_alg_socket
> >         (common_readwrite_socket_perms)))
> >
> > (classmapping
> >     all_sockets
> >     common_readwrite_socket_perms
> >     (common_appletalk_socket
> >         (common_readwrite_socket_perms)))
> >
> > (classmapping
> >     common_alg_socket
> >     common_create_socket_perms
> >     (alg_socket
> >         (append bind connect create getattr getopt ioctl read setattr setopt shutdown
> >          write)))
> >
> > (classmapping
> >     common_alg_socket
> >     common_readwrite_socket_perms
> >     (alg_socket
> >         (append bind connect getattr getopt ioctl read setattr setopt shutdown
> >          write)))
> >
> > (classpermission create_alg_socket_perms)
> >
> > (classpermissionset
> >     create_alg_socket_perms
> >     (common_alg_socket
> >         (common_create_socket_perms)))
> >
> > (classpermission readwrite_alg_socket_perms)
> >
> > (classpermissionset
> >     readwrite_alg_socket_perms
> >     (common_alg_socket
> >         (common_readwrite_socket_perms)))
> >
> > <snip>
> > Building AST from Parse Tree
> > Destroying Parse Tree
> > Resolving AST
> > Qualifying Names
> > Compile post process
> > make: *** [Makefile:21: policy.32] Segmentation fault (core dumped)
> >
>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
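An added example, not part of the original thread and not code from secilc or libsepol: a small pre-flight check that lists every classmap permission with no classmapping, which is the condition identified above for common_appletalk_socket. The function names and the condensed policy text are constructed for illustration, and the check assumes all names live in the global namespace and that no quoted string contains ';'.

```python
import re

# Constructed excerpt condensed from the quoted policy (alg_socket perms shortened).
POLICY = """
(classmap all_sockets (common_create_socket_perms common_readwrite_socket_perms))
(classmap common_alg_socket (common_create_socket_perms common_readwrite_socket_perms))
(classmap common_appletalk_socket (common_create_socket_perms common_readwrite_socket_perms))
(classmapping all_sockets common_create_socket_perms (common_alg_socket (common_create_socket_perms)))
(classmapping all_sockets common_create_socket_perms (common_appletalk_socket (common_create_socket_perms)))
(classmapping all_sockets common_readwrite_socket_perms (common_alg_socket (common_readwrite_socket_perms)))
(classmapping all_sockets common_readwrite_socket_perms (common_appletalk_socket (common_readwrite_socket_perms)))
(classmapping common_alg_socket common_create_socket_perms (alg_socket (create read write)))
(classmapping common_alg_socket common_readwrite_socket_perms (alg_socket (read write)))
"""

def parse(text):
    """Parse CIL S-expressions into nested lists (';' comments dropped)."""
    tokens = re.findall(r'[()]|"[^"]*"|[^\s()]+', re.sub(r';[^\n]*', '', text))
    stack = [[]]
    for tok in tokens:
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def unmapped_classmap_perms(text):
    """Return sorted (classmap, perm) pairs declared but never given a classmapping."""
    declared, mapped = set(), set()
    def walk(nodes):
        for n in nodes:
            if not isinstance(n, list) or not n:
                continue
            if n[0] == 'classmap' and len(n) == 3 and isinstance(n[2], list):
                declared.update((n[1], p) for p in n[2] if isinstance(p, str))
            elif n[0] == 'classmapping' and len(n) >= 3:
                mapped.add((n[1], n[2]))
            else:
                walk(n[1:])  # descend into containers such as block or optional
    walk(parse(text))
    return sorted(declared - mapped)
```

Running `unmapped_classmap_perms(POLICY)` reports the two common_appletalk_socket permissions named in the error output quoted above; an empty list means every declared map permission has at least one mapping.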