From: Dominick Grift <dominick.grift@defensec.nl>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: James Carter <jwcart2@gmail.com>,
	SElinux list <selinux@vger.kernel.org>,
	Jonathan Hettwer <j2468h@gmail.com>
Subject: Re: [PATCH] libsepol/cil: Give an error when constraint expressions exceed max depth
Date: Tue, 08 Sep 2020 20:25:27 +0200
Message-ID: <ypjlimconn1k.fsf@defensec.nl>
In-Reply-To: <CAEjxPJ7fd62jYjhT18tNRhdMiRHt1Nt6QGexHDaDx4DcrBY42w@mail.gmail.com> (Stephen Smalley's message of "Tue, 8 Sep 2020 09:50:42 -0400")

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Tue, Sep 8, 2020 at 9:46 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
>>
>> On Fri, Sep 4, 2020 at 8:49 AM Stephen Smalley
>> <stephen.smalley.work@gmail.com> wrote:
>> >
>> > On Thu, Sep 3, 2020 at 2:19 PM James Carter <jwcart2@gmail.com> wrote:
>> > >
>> > > CIL was not correctly determining the depth of constraint expressions
>> > > which prevented it from giving an error when the max depth was exceeded.
>> > > This allowed invalid policy binaries with constraint expressions exceeding
>> > > the max depth to be created.
>> > >
>> > > Correctly calculate the depth of constraint expressions when building
>> > > the AST and give an error when the max depth is exceeded.
>> > >
>> > > Reported-by: Jonathan Hettwer <j2468h@gmail.com>
>> > > Signed-off-by: James Carter <jwcart2@gmail.com>
>> >
>> > The fix for conditional boolean expression depth checking can be a
>> > separate patch.  For this one,
>> >
>> > Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>>
>> Actually, this breaks selinux-testsuite. Will have to look into why.
>> /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil
>> test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
>> Max depth of 4 exceeded for constraint expression
>> Bad expression tree for constraint
>> Bad constrain declaration at
>> /var/lib/selinux/targeted/tmp/modules/100/base/cil:919
>
> Here is the failing cil module:
> $ cat policy/test_mlsconstrain.cil
> (mlsconstrain (peer (recv)) (or (dom l1 l2) (and (neq t1
> mcs_constrained_type) (neq t2 mcs_constrained_type))))
> (mlsconstrain (packet (recv)) (or (dom l1 l2) (and (neq t1
> mcs_constrained_type) (neq t2 mcs_constrained_type))))
>
> Maybe an off-by-one in your depth checking?

That looks scary to me. Those constrains are simple compared to some of
the ones I currently successfully use and rely upon:

https://git.defensec.nl/?p=dssp3.git;a=blob;f=policy/constrain/rbacsep.cil;h=935c722167bcf214f286eb339e0793cd94d3edd0;hb=HEAD

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
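
Added example, not part of this message or of libsepol: a small C scanner that measures the nesting depth of the constraint expression quoted above under two counting conventions, to show how sensitive a "max depth of 4" check is to an off-by-one. The function name, both conventions and MAX_NEST are assumptions of this example and do not describe how CIL actually computes depth.

```c
#include <ctype.h>
#include <stdio.h>
#define MAX_NEST 64 /* scanner limit for this example, not a libsepol constant */
#define LIMIT 4     /* from "Max depth of 4 exceeded" in the thread */

/* The constraint expression from test_mlsconstrain.cil as quoted in the thread. */
static const char *EXPR =
    "(or (dom l1 l2) (and (neq t1 mcs_constrained_type)"
    " (neq t2 mcs_constrained_type)))";

/* Nesting depth of a CIL-style s-expression, or -1 if it is malformed.
 * count_operands == 0: only operator lists (or, and, neq, ...) are levels.
 * count_operands != 0: operand atoms (l1, t1, ...) add one more level.
 * Both conventions are assumptions of this example. */
int expr_depth(const char *s, int count_operands)
{
    int depth = 0, max = 0;
    int seen_op[MAX_NEST + 1] = {0}; /* list at this depth has its operator? */
    while (*s) {
        if (isspace((unsigned char)*s)) {
            s++;
        } else if (*s == '(') {
            seen_op[depth] = 1; /* a nested list is an operand, not an operator */
            if (++depth > MAX_NEST) return -1;
            seen_op[depth] = 0;
            if (depth > max) max = depth;
            s++;
        } else if (*s == ')') {
            if (--depth < 0) return -1;
            s++;
        } else {
            if (depth == 0) return -1; /* bare atom outside any list */
            if (seen_op[depth] && count_operands && depth + 1 > max)
                max = depth + 1;
            seen_op[depth] = 1;
            while (*s && !isspace((unsigned char)*s) && *s != '(' && *s != ')')
                s++;
        }
    }
    return depth == 0 ? max : -1;
}

int main(void)
{
    int ops = expr_depth(EXPR, 0), all = expr_depth(EXPR, 1);
    printf("operators only: %d (> %d: %d, >= %d: %d)\n", ops, LIMIT, ops > LIMIT, LIMIT, ops >= LIMIT);
    printf("with operands:  %d (> %d: %d, >= %d: %d)\n", all, LIMIT, all > LIMIT, LIMIT, all >= LIMIT);
    return 0;
}
```

Under these two conventions the quoted expression measures 3 or 4, so a strict "greater than 4" test accepts it either way, while an inclusive test with operands counted rejects it.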
