From: James Carter <jwcart2@gmail.com>
To: selinux@vger.kernel.org
Cc: James Carter <jwcart2@gmail.com>
Subject: [PATCH 3/3] libsepol: Validate datum array entries for avrule blocks
Date: Tue, 14 Apr 2026 15:11:20 -0400
Message-ID: <20260414191120.29067-3-jwcart2@gmail.com>
In-Reply-To: <20260414191120.29067-1-jwcart2@gmail.com>

Both base and module policies have avrule blocks that have their
own symbol tables. When validating a policy, only a very basic
check of the validity of the datum's value was being done for
these symbol tables. The data specific to each kind of datum was
not being checked. This can lead to invalid policies being loaded.

Instead, perform the same specific checks being done on the global
symbol tables on these avrule block symbol tables.

This patch is based on a report from the security firm Trail of Bits.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/src/policydb_validate.c | 36 ++++++++++----------------------
1 file changed, 11 insertions(+), 25 deletions(-)
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 9ee71bf2..3fcdab23 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -874,32 +874,32 @@ static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum
return !value_isvalid(s->value, *nprim);
}
-static int validate_datum_array_entries(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
+static int validate_datum_array_entries(sepol_handle_t *handle, const policydb_t *p, const symtab_t *symtabs, validate_t flavors[])
{
map_arg_t margs = { flavors, handle, p, 0 };
- if (hashtab_map(p->p_commons.table, validate_common_datum_wrapper, &margs))
+ if (hashtab_map(symtabs[SYM_COMMONS].table, validate_common_datum_wrapper, &margs))
goto bad;
- if (hashtab_map(p->p_classes.table, validate_class_datum_wrapper, &margs))
+ if (hashtab_map(symtabs[SYM_CLASSES].table, validate_class_datum_wrapper, &margs))
goto bad;
- if (hashtab_map(p->p_roles.table, validate_role_datum_wrapper, &margs))
+ if (hashtab_map(symtabs[SYM_ROLES].table, validate_role_datum_wrapper, &margs))
goto bad;
- if (hashtab_map(p->p_types.table, validate_type_datum_wrapper, &margs))
+ if (hashtab_map(symtabs[SYM_TYPES].table, validate_type_datum_wrapper, &margs))
goto bad;
- if (hashtab_map(p->p_users.table, validate_user_datum_wrapper, &margs))
+ if (hashtab_map(symtabs[SYM_USERS].table, validate_user_datum_wrapper, &margs))
goto bad;
- if (p->mls && hashtab_map(p->p_levels.table, validate_level_datum_wrapper, &margs))
+ if (p->mls && hashtab_map(symtabs[SYM_LEVELS].table, validate_level_datum_wrapper, &margs))
goto bad;
- if (hashtab_map(p->p_cats.table, validate_datum, &flavors[SYM_CATS]))
+ if (hashtab_map(symtabs[SYM_CATS].table, validate_datum, &flavors[SYM_CATS]))
goto bad;
- if (hashtab_map(p->p_bools.table, validate_bool_datum_wrapper, &margs))
+ if (hashtab_map(symtabs[SYM_BOOLS].table, validate_bool_datum_wrapper, &margs))
goto bad;
return 0;
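Review bot: in the SYM_CATS call, `&flavors[SYM_CATS]` is handed to validate_datum(), which reads its argument as `*nprim`, while the validate_symtabs() helper removed later in this patch passed `&flavors[i].nprim`. Passing `&flavors[SYM_CATS].nprim` here would make the intent explicit and stop the call depending on where nprim sits inside validate_t. The new `symtabs` parameter is also indexed up to SYM_BOOLS, so a one-line comment that callers must pass a full SYM_NUM-sized array would help.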
@@ -1565,20 +1565,6 @@ bad:
return -1;
}
-static int validate_symtabs(sepol_handle_t *handle, const symtab_t symtabs[], validate_t flavors[])
-{
- unsigned int i;
-
- for (i = 0; i < SYM_NUM; i++) {
- if (hashtab_map(symtabs[i].table, validate_datum, &flavors[i].nprim)) {
- ERR(handle, "Invalid symtab");
- return -1;
- }
- }
-
- return 0;
-}
-
static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *avrule_block, const policydb_t *p, validate_t flavors[])
{
const avrule_decl_t *decl;
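Review bot: removing validate_symtabs() also removes the `ERR(handle, "Invalid symtab")` message, and validate_datum_array_entries() is now shared by the global and per-declaration callers. Please check that the `bad:` path it jumps to still lets a user tell that the failure was in an avrule block's symbol table rather than the global one, or add an ERR at the call site in validate_avrule_blocks().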
@@ -1601,7 +1587,7 @@ static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *
goto bad;
if (validate_filename_trans_rules(handle, decl->filename_trans_rules, p, flavors))
goto bad;
- if (validate_symtabs(handle, decl->symtab, flavors))
+ if (validate_datum_array_entries(handle, p, decl->symtab, flavors))
goto bad;
}
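Review bot: for a policy with `p->mls` unset, this call no longer looks at `decl->symtab[SYM_LEVELS]` at all, because validate_datum_array_entries() guards the levels table with `p->mls &&`, whereas the replaced validate_symtabs() ran validate_datum over every table up to SYM_NUM. If a non-MLS policy can carry entries in that table, keep at least the basic value check for it (or reject a non-empty levels table), and say in the commit message whether the narrower coverage is intended.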
@@ -1853,7 +1839,7 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
if (validate_datum_array_gaps(handle, p, flavors))
goto bad;
- if (validate_datum_array_entries(handle, p, flavors))
+ if (validate_datum_array_entries(handle, p, p->symtab, flavors))
goto bad;
if (validate_permissives(handle, p, flavors))
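Review bot: the diffstat shows only policydb_validate.c changing, so nothing exercises the new per-declaration checks reached from policydb_validate(). Since the change comes from an external report about invalid policies being accepted, a regression input with a malformed datum in an avrule block symbol table would be worth adding alongside this call change.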
--
2.53.0
Thread overview: 6+ messages
2026-04-14 19:11 [PATCH 1/3] libsepol: Fix out-of-bounds memory write in discard_tunbables() James Carter
2026-04-14 19:11 ` [PATCH 2/3] libsepol: When resolving names check if a block is abstract James Carter
2026-04-27 18:17 ` Petr Lautrbach
2026-04-28 15:49 ` James Carter
2026-04-14 19:11 ` James Carter [this message]
2026-04-22 19:07 ` [PATCH 1/3] libsepol: Fix out-of-bounds memory write in discard_tunbables() James Carter