52 lines
1.8 KiB
Diff
52 lines
1.8 KiB
Diff
From 25e9c91a8be5362fd4969f8b5e7710f62ec66ad5 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
|
Date: Fri, 10 Jun 2022 17:06:37 +0200
|
|
Subject: [PATCH] checkpolicy: error out if required permission would exceed
|
|
limit
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
Content-type: text/plain
|
|
|
|
A require statement for a class permission adds that permission to the
|
|
class representation for the current module. In case the resulting
|
|
class would have more than the supported amount of 32 permissions
|
|
assigned the resulting binary module will fail to load at link-time
|
|
without an informative error message (since [1]).
|
|
|
|
Bail out if adding a permission would result in a class having more than
|
|
the supported amount of 32 permissions assigned.
|
|
|
|
[1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1
|
|
|
|
Closes: https://github.com/SELinuxProject/selinux/issues/356
|
|
Reported-by: Julie Pichon
|
|
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
|
Acked-by: James Carter <jwcart2@gmail.com>
|
|
---
|
|
checkpolicy/module_compiler.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
|
|
index 129650fa2437..3188af892aa3 100644
|
|
--- a/checkpolicy/module_compiler.c
|
|
+++ b/checkpolicy/module_compiler.c
|
|
@@ -851,6 +851,14 @@ int require_class(int pass)
|
|
free(perm_id);
|
|
return -1;
|
|
}
|
|
+ if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) {
|
|
+ yyerror2("Class %s would have too many permissions "
|
|
+ "to fit in an access vector with permission %s",
|
|
+ policydbp->p_class_val_to_name[datum->s.value - 1],
|
|
+ perm_id);
|
|
+ free(perm_id);
|
|
+ return -1;
|
|
+ }
|
|
allocated = 1;
|
|
if ((perm = malloc(sizeof(*perm))) == NULL) {
|
|
yyerror("Out of memory!");
|
|
--
|
|
2.38.1
|
|
|