From: Petr Lautrbach <lautrbach@redhat.com>
To: selinux@vger.kernel.org
Cc: "Christian Göttsche" <cgzones@googlemail.com>,
"James Carter" <jwcart2@gmail.com>
Subject: Re: [PATCH] libsepol: Do not reject all type rules in conditionals when validating
Date: Mon, 17 Jun 2024 11:09:54 +0200 [thread overview]
Message-ID: <87bk409bq5.fsf@redhat.com> (raw)
In-Reply-To: <CAJ2a_Dderor=tkxK9YDNN9r_xb-rpcSHXJcBiCf0nMuhakBUoQ@mail.gmail.com>
Christian Göttsche <cgzones@googlemail.com> writes:
> On Fri, 14 Jun 2024 at 21:45, James Carter <jwcart2@gmail.com> wrote:
>>
>> Commit 1c91bc84 ("libsepol: reject self flag in type rules in old
>> policies") actually rejects all type rules in conditionals in modular
>> policies prior to version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS).
>>
>> The problem is because of fall-through in a switch statement when
>> the avrule flags are 0. Instead, break rather than fall-through when
>> avrule flags are 0.
>
> Thanks for spotting this.
> I'm probably going to look to enhance the downgrade unit test for the
> next validate updates...
>
> Reviewed-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
>
>> ---
>> libsepol/src/policydb_validate.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
>> index 9746f562..2043e437 100644
>> --- a/libsepol/src/policydb_validate.c
>> +++ b/libsepol/src/policydb_validate.c
>> @@ -1076,6 +1076,7 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
>>
>> switch(avrule->flags) {
>> case 0:
>> + break;
>> case RULE_SELF:
>> if (p->policyvers != POLICY_KERN &&
>> p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&
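Review bot: the added `break;` after `case 0:` is the right fix, since an avrule with no flags carries no self flag for the `RULE_SELF` version check to validate, but a bare `break;` sitting directly above the next `case` label is easy to mistake for a stray line on a later read; a one-line comment such as `case 0: /* no flags, nothing to validate */` followed by `break;` would document that the fall-through was the bug. Given that the commit message says the old behaviour rejected every type rule in a conditional for modular policies older than MOD_POLICYDB_VERSION_SELF_TYPETRANS, a unit test that validates a pre-version-21 module containing a conditional type rule with zero flags would keep this from regressing.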
>> --
>> 2.45.2
>>
Thread overview: 4+ messages
2024-06-14 19:45 [PATCH] libsepol: Do not reject all type rules in conditionals when validating James Carter
2024-06-15 13:29 ` Christian Göttsche
2024-06-17 9:09 ` Petr Lautrbach [this message]
2024-06-21 18:07 ` James Carter