* [PATCH] libsepol/cil: Expand class-permissions in deny rules
@ 2025-07-01 12:13 James Carter
From: James Carter @ 2025-07-01 12:13 UTC (permalink / raw)
To: selinux; +Cc: James Carter
The classperms list of deny rules is not being expanded. This causes
an invalid read if "all" is used in the permissions.
Evaluate the classperms list of deny rules.
Reported-by: oss-fuzz (issue 398075935)
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_post.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 70e5b734..2b6dad73 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -2265,6 +2265,14 @@ static int __cil_post_db_classperms_helper(struct cil_tree_node *node, uint32_t
}
break;
}
+ case CIL_DENY_RULE: {
+ struct cil_deny_rule *deny = node->data;
+ rc = __evaluate_classperms_list(deny->classperms, db);
+ if (rc != SEPOL_OK) {
+ goto exit;
+ }
+ break;
+ }
case CIL_CONSTRAIN:
case CIL_MLSCONSTRAIN: {
struct cil_constrain *constrain = node->data;
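Review bot: the new CIL_DENY_RULE case mirrors the CIL_CONSTRAIN case that follows it, including the `goto exit` on a non-SEPOL_OK return, so error propagation is consistent with the rest of the helper; what the hunk lacks is a regression test, since the failure only surfaces when "all" is used in the permissions, a small CIL policy containing a deny rule such as `(deny t1 t2 (file (all)))` added to the existing secilc test policies would catch the expansion being dropped again. It would also help to state in the hunk's vicinity (a one-line comment, or in the commit message) which later pass reads deny->classperms and so needs the list expanded here, because the visible lines do not show the reader that triggered the invalid read.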
--
2.50.0
* Re: [PATCH] libsepol/cil: Expand class-permissions in deny rules
From: James Carter @ 2025-07-03 14:35 UTC (permalink / raw)
To: selinux
On Tue, Jul 1, 2025 at 10:20 AM James Carter <jwcart2@gmail.com> wrote:
>
> The classperms list of deny rules is not being expanded. This causes
> an invalid read if "all" is used in the permissions.
>
> Evaluate the classperms list of deny rules.
>
> Reported-by: oss-fuzz (issue 398075935)
> Signed-off-by: James Carter <jwcart2@gmail.com>
Seeing no objections, I have merged this.
Jim
> ---
> libsepol/cil/src/cil_post.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
> index 70e5b734..2b6dad73 100644
> --- a/libsepol/cil/src/cil_post.c
> +++ b/libsepol/cil/src/cil_post.c
> @@ -2265,6 +2265,14 @@ static int __cil_post_db_classperms_helper(struct cil_tree_node *node, uint32_t
> }
> break;
> }
> + case CIL_DENY_RULE: {
> + struct cil_deny_rule *deny = node->data;
> + rc = __evaluate_classperms_list(deny->classperms, db);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
> + break;
> + }
> case CIL_CONSTRAIN:
> case CIL_MLSCONSTRAIN: {
> struct cil_constrain *constrain = node->data;
> --
> 2.50.0
>