author | Yi Zhao <yi.zhao@windriver.com> | 2022-11-02 15:30:51 +0800 |
---|---|---|
committer | Joe MacDonald <joe@deserted.net> | 2022-11-07 14:19:08 -0500 |
commit | e9270d6e5889a854edd1305b91d3e5c7268d0cb8 (patch) | |
tree | 6243d8198f0d9c4446b1b1d643668c5cd488d59e | |
parent | 08a2705c007b046696457cbc83e5fc354e984659 (diff) | |
download | meta-selinux-e9270d6e5889a854edd1305b91d3e5c7268d0cb8.tar.gz |
libsepol: fix build failure for refpolicy-mls
Backport a patch to fix build failure for refpolicy-mls:
| Creating mls xserver.pp policy package
| libsepol.validate_user_datum: Invalid user datum
| libsepol.validate_datum_array_entries: Invalid datum array entries
| libsepol.validate_policydb: Invalid policydb
| /buildarea/build/tmp/work/qemux86_64-poky-linux/refpolicy-mls/2.20220520+gitAUTOINC+f311d401cd-r0/recipe-sysroot-native/usr/bin/semodule_package:
Error while reading policy module from tmp/xserver.mod
| make: *** [Rules.modular:98: xserver.pp] Error 1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
-rw-r--r-- | recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch | 80 | ||||
-rw-r--r-- | recipes-security/selinux/libsepol_3.4.bb | 2 |
2 files changed, 82 insertions, 0 deletions
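--- /dev/null
+++ b/recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch
@@ -0,0 +1,80 @@
+From 4831f73dd356fd72916f594dbeae44d26c93bb6b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 7 Jun 2022 17:01:45 +0200
+Subject: [PATCH] libsepol: fix validation of user declarations in modules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Users are allowed to be declared in modules. Modules do not get expanded
+leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel`
+empty.
+Do no validate the expanded range and level for modular polices.
+
+Reported-by: bauen1 <j2468h@gmail.com>
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/selinux/commit/88a703399f3f44be2502fd4ecd22ac3d3c560694]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+src/policydb_validate.c | 12 ++++++------
+1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/policydb_validate.c b/src/policydb_validate.c
+index da18282..99d4eb7 100644
+--- a/src/policydb_validate.c
++++ b/src/policydb_validate.c
+@@ -18,7 +18,7 @@ typedef struct validate {
+typedef struct map_arg {
+validate_t *flavors;
+sepol_handle_t *handle;
+- int mls;
++ policydb_t *policy;
+} map_arg_t;
+
+static int create_gap_ebitmap(char **val_to_name, uint32_t nprim, ebitmap_t *gaps)
+@@ -571,7 +571,7 @@ static int validate_mls_range(mls_range_t *range, validate_t *sens, validate_t *
+return -1;
+}
+
+-static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[], int mls)
++static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[], policydb_t *p)
+{
+if (validate_value(user->s.value, &flavors[SYM_USERS]))
+goto bad;
+@@ -581,9 +581,9 @@ static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, valid
+goto bad;
+if (validate_mls_semantic_level(&user->dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
+goto bad;
+- if (mls && validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
++ if (p->mls && p->policy_type != POLICY_MOD && validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
+goto bad;
+- if (mls && validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
++ if (p->mls && p->policy_type != POLICY_MOD && validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
+goto bad;
+if (user->bounds && validate_value(user->bounds, &flavors[SYM_USERS]))
+goto bad;
+@@ -599,7 +599,7 @@ static int validate_user_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
+{
+map_arg_t *margs = args;
+
+- return validate_user_datum(margs->handle, d, margs->flavors, margs->mls);
++ return validate_user_datum(margs->handle, d, margs->flavors, margs->policy);
+}
+
+static int validate_bool_datum(sepol_handle_t *handle, cond_bool_datum_t *boolean, validate_t flavors[])
+@@ -689,7 +689,7 @@ static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum
+
+static int validate_datum_array_entries(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
+{
+- map_arg_t margs = { flavors, handle, p->mls };
++ map_arg_t margs = { flavors, handle, p };
+
+if (hashtab_map(p->p_commons.table, validate_common_datum_wrapper, &margs))
+goto bad;
+--
+2.25.1
+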
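Review bot: The new guards `p->mls && p->policy_type != POLICY_MOD` on inner lines 53 and 56 skip validation of `exp_range` and `exp_dfltlevel` for modules entirely rather than deferring it, so this patch alone gives no guarantee that those members are checked once a module has been linked and expanded; presumably the expanded kernel policy is validated again by the same code with a non-module policy_type, but that is outside this hunk and should be confirmed before relying on it. `validate_user_datum` now dereferences `p` unconditionally; the only caller visible here, `validate_datum_array_entries`, already dereferences `p` before building `margs`, so no new null path is introduced on that route. The inner message's `Do no validate` is an upstream typo carried over verbatim, which is appropriate for a file marked `Upstream-Status: Backport` with the upstream commit cited.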
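--- a/recipes-security/selinux/libsepol_3.4.bb
+++ b/recipes-security/selinux/libsepol_3.4.bb
@@ -11,6 +11,8 @@ require selinux_common.inc
 
 inherit lib_package
 
+SRC_URI += "file://0001-libsepol-fix-validation-of-user-declarations-in-modu.patch"
+
 S = "${WORKDIR}/git/libsepol"
 
 DEPENDS = "flex-native"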