!105 backport patches from upstream

From: @Linux_zhang2024 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
backport patches from upstream
2025-03-18 01:10:18 +00:00 · 2025-03-18 08:34:03 +08:00 · 2025-03-17 08:39:31 +00:00 · 2024-10-15 01:36:33 +00:00 · 2024-03-26 08:17:36 +00:00 · 2024-03-26 16:03:27 +08:00
37 changed files with 2084 additions and 3 deletions
--- a/backport-hashtab-update.patch
+++ b/backport-hashtab-update.patch
@ -0,0 +1,91 @@
+From 0d1445067c67d38e7d5c14155999afb10cc2e1a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 14 Jul 2023 20:44:12 +0200
+Subject: [PATCH] hashtab: update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid overflowing number of elements in hashtab_insert().
+
+Use identical type for hashed values to avoid implicit conversions.
+
+Declare tag parameter of hashtab_hash_eval() const since it is only
+printed.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/include/sepol/policydb/hashtab.h |  2 +-
+ libsepol/src/hashtab.c                    | 14 +++++++-------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/libsepol/include/sepol/policydb/hashtab.h b/libsepol/include/sepol/policydb/hashtab.h
+index 060e8c9c5..3fcd1fdce 100644
+--- a/libsepol/include/sepol/policydb/hashtab.h
+++ b/libsepol/include/sepol/policydb/hashtab.h
+@@ -108,7 +108,7 @@ extern int hashtab_map(hashtab_t h,
+ 				     hashtab_datum_t d,
+ 				     void *args), void *args);
+ 
+-extern void hashtab_hash_eval(hashtab_t h, char *tag);
+extern void hashtab_hash_eval(hashtab_t h, const char *tag);
+ 
+ #ifdef __cplusplus
+ }
+diff --git a/libsepol/src/hashtab.c b/libsepol/src/hashtab.c
+index 4a827fd31..b1a9bdc2f 100644
+--- a/libsepol/src/hashtab.c
+++ b/libsepol/src/hashtab.c
+@@ -103,10 +103,10 @@ static void hashtab_check_resize(hashtab_t h)
+ 
+ int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum)
+ {
+-	int hvalue;
+	unsigned int hvalue;
+ 	hashtab_ptr_t prev, cur, newnode;
+ 
+-	if (!h)
+	if (!h || h->nel == UINT32_MAX)
+ 		return SEPOL_ENOMEM;
+ 
+ 	hashtab_check_resize(h);
+@@ -144,7 +144,7 @@ int hashtab_remove(hashtab_t h, hashtab_key_t key,
+ 		   void (*destroy) (hashtab_key_t k,
+ 				    hashtab_datum_t d, void *args), void *args)
+ {
+-	int hvalue;
+	unsigned int hvalue;
+ 	hashtab_ptr_t cur, last;
+ 
+ 	if (!h)
+@@ -176,7 +176,7 @@ int hashtab_remove(hashtab_t h, hashtab_key_t key,
+ hashtab_datum_t hashtab_search(hashtab_t h, const_hashtab_key_t key)
+ {
+ 
+-	int hvalue;
+	unsigned int hvalue;
+ 	hashtab_ptr_t cur;
+ 
+ 	if (!h)
+@@ -240,10 +240,10 @@ int hashtab_map(hashtab_t h,
+ 	return SEPOL_OK;
+ }
+ 
+-void hashtab_hash_eval(hashtab_t h, char *tag)
+void hashtab_hash_eval(hashtab_t h, const char *tag)
+ {
+ 	unsigned int i;
+-	int chain_len, slots_used, max_chain_len;
+	size_t chain_len, slots_used, max_chain_len;
+ 	hashtab_ptr_t cur;
+ 
+ 	slots_used = 0;
+@@ -264,6 +264,6 @@ void hashtab_hash_eval(hashtab_t h, char *tag)
+ 	}
+ 
+ 	printf
+-	    ("%s:  %d entries and %d/%d buckets used, longest chain length %d\n",
+	    ("%s:  %d entries and %zu/%d buckets used, longest chain length %zu\n",
+ 	     tag, h->nel, slots_used, h->size, max_chain_len);
+ }
--- a/backport-libsepol-Initialize-strs-on-declaration.patch
+++ b/backport-libsepol-Initialize-strs-on-declaration.patch
@ -0,0 +1,63 @@
+From cd8302f0a6f38671cc0265b8ebc2cd4ea4a7b61f Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:18 +0200
+Subject: [PATCH] libsepol: Initialize "strs" on declaration
+
+The value of "strs" was not always initialized before being used by
+strs_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_cil.c:1439:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_cil.c:1487:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1485|
+ \# 1486|   exit:
+ \# 1487|-> 	strs_destroy(&strs);
+ \# 1488|
+ \# 1489|   	if (rc != 0) {
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_conf.c:1422:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_conf.c:1461:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1459|
+ \# 1460|   exit:
+ \# 1461|-> 	strs_destroy(&strs);
+ \# 1462|
+ \# 1463|   	if (rc != 0) {
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/kernel_to_cil.c  | 2 +-
+ libsepol/src/kernel_to_conf.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index 7243b3c0..2d563e7d 100644
+--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
+@@ -1436,7 +1436,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_cil(FILE *out, struct policydb *pdb)
+ {
+ 	type_datum_t *alias;
+-	struct strs *strs;
+	struct strs *strs = NULL;
+ 	char *name;
+ 	char *type;
+ 	unsigned i, num = 0;
+diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
+index ca91ffae..661546af 100644
+--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
+@@ -1419,7 +1419,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_conf(FILE *out, struct policydb *pdb)
+ {
+ 	type_datum_t *alias;
+-	struct strs *strs;
+	struct strs *strs = NULL;
+ 	char *name;
+ 	char *type;
+ 	unsigned i, num = 0;
+-- 
+2.33.0
+
--- a/backport-libsepol-add-check-for-category-value-before-printin.patch
+++ b/backport-libsepol-add-check-for-category-value-before-printin.patch
@ -0,0 +1,35 @@
+From d3c2992ed0358c8e86a83c7f55fc529cba545298 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu <luhuaxin1@huawei.com>
+Date: Thu, 16 Nov 2023 07:32:07 +0800
+Subject: [PATCH] libsepol: add check for category value before printing
+ 
+In mls_semantic_level_expand(), there is a explicitly determine
+whether category is 0, which may cause an potential integer
+overflow in error branch.
+ 
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/d3c2992ed0358c8e86a83c7f55fc529cba545298
+Conflict: NA
+---
+ libsepol/src/expand.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+ 
+diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
+index ee5f9185..e63414b1 100644
+--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
+@@ -945,8 +945,8 @@ int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l,
+ 	for (cat = sl->cat; cat; cat = cat->next) {
+ 		if (!cat->low || cat->low > cat->high) {
+ 			ERR(h, "Category range is not valid %s.%s",
+-			    p->p_cat_val_to_name[cat->low - 1],
+-			    p->p_cat_val_to_name[cat->high - 1]);
+			    cat->low > 0 ? p->p_cat_val_to_name[cat->low - 1] : "Invalid",
+			    cat->high > 0 ? p->p_cat_val_to_name[cat->high - 1] : "Invalid");
+ 			return -1;
+ 		}
+ 		for (i = cat->low - 1; i < cat->high; i++) {
+-- 
+2.33.0
--- a/backport-libsepol-adjust-type-for-saturation-check.patch
+++ b/backport-libsepol-adjust-type-for-saturation-check.patch
@ -0,0 +1,39 @@
+From 44375cb4a21dfdf3ac037237c5529049123336c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 9 Nov 2023 14:51:19 +0100
+Subject: [PATCH] libsepol: adjust type for saturation check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Change the type for the number of primary names in a symtab to uint32_t,
+which conforms to the bytes read and the type used in the symtab.
+The type is important for the saturation check via is_saturated(), since
+it checks against -1 casted to the specific type.
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/44375cb4a21dfdf3ac037237c5529049123336c2
+Conflict: NA
+---
+ libsepol/src/policydb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+ 
+diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
+index f608aba4..bc7bc9dc 100644
+--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
+@@ -4120,8 +4120,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
+ {
+ 
+ 	unsigned int i, j, r_policyvers;
+-	uint32_t buf[5];
+-	size_t len, nprim, nel;
+	uint32_t buf[5], nprim;
+	size_t len, nel;
+ 	char *policydb_str;
+ 	const struct policydb_compat_info *info;
+ 	unsigned int policy_type, bufindex;
+-- 
+2.33.0
--- a/backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch
+++ b/backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch
@ -0,0 +1,32 @@
+From a55cd37461f2e1ef4cec3b09aa8b99f2d12a529d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 11 Dec 2023 15:48:25 +0100
+Subject: [PATCH] libsepol: avoid integer overflow in add_i_to_a()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/a55cd37461f2e1ef4cec3b09aa8b99f2d12a529d
+Conflict: NA
+---
+ libsepol/src/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/util.c b/libsepol/src/util.c
+index 571f6c93..4a6f7d11 100644
+--- a/libsepol/src/util.c
+++ b/libsepol/src/util.c
+@@ -44,7 +44,7 @@ int add_i_to_a(uint32_t i, uint32_t * cnt, uint32_t ** a)
+ {
+ 	uint32_t *new;
+ 
+-	if (cnt == NULL || a == NULL)
+	if (cnt == NULL || *cnt == UINT32_MAX || a == NULL)
+ 		return -1;
+ 
+ 	/* FIX ME: This is not very elegant! We use an array that we
+-- 
+2.33.0
--- a/backport-libsepol-avoid-leak-in-OOM-branch.patch
+++ b/backport-libsepol-avoid-leak-in-OOM-branch.patch
@ -0,0 +1,39 @@
+From 3b05202621539843069bb1477da0d6cfdd384ebc Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 8 Jan 2024 19:51:09 +0800
+Subject: [PATCH] libsepol: avoid leak in OOM branch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+In case the member sid_key failed to allocate, free the parent struct.
+ 
+Reported by Clang Analyzer:
+ 
+    module_to_cil.c:2607:9: warning: Potential leak of memory pointed to by 'item' [unix.Malloc]
+     2607 |         return rc;
+          |                ^~
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/5e425b4165b801666e478b19efbf8ddb14d82a02
+Conflict: Context adaptation
+---
+ libsepol/src/module_to_cil.c | 1 +
+ 1 file changed, 1 insertion(+)
+ 
+diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
+index cc8066d..9a45cee 100644
+--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
+@@ -2570,6 +2570,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
+ 		item->sid_key = strdup(sid);
+ 		if (!item->sid_key) {
+ 			log_err("Out of memory");
+			free(item);
+ 			rc = -1;
+ 			goto exit;
+ 		}
+-- 
+2.33.0
--- a/backport-libsepol-avtab-check-read-counts-for-saturation.patch
+++ b/backport-libsepol-avtab-check-read-counts-for-saturation.patch
@ -0,0 +1,37 @@
+From f9fd25005f815d996c4344967a8ad13dee853303 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 1 Nov 2023 17:37:25 +0100
+Subject: [PATCH] libsepol: avtab: check read counts for saturation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Ensure counts are not set to the maximum value of their type.
+Also limit their size during fuzzing to prevent OOM reports.
+ 
+Reported-by: oss-fuzz (issue 60572), caused at the time by the filetrans
+             prefix proposal
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/f9fd25005f815d996c4344967a8ad13dee853303
+Conflict: NA
+---
+ libsepol/src/avtab.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
+index 1ef5ee00..7c2328b7 100644
+--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
+@@ -600,7 +600,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
+ 		goto bad;
+ 	}
+ 	nel = le32_to_cpu(buf[0]);
+-	if (!nel) {
+	if (zero_or_saturated(nel)) {
+ 		ERR(fp->handle, "table is empty");
+ 		goto bad;
+ 	}
+-- 
+2.33.0
--- a/backport-libsepol-check-for-overflow-in-put_entry.patch
+++ b/backport-libsepol-check-for-overflow-in-put_entry.patch
@ -0,0 +1,33 @@
+From df666f70534ef225b97899f997b4077aeb285972 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 6 Jul 2023 15:57:18 +0200
+Subject: [PATCH] libsepol: check for overflow in put_entry()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+put_entry() is used during writing binary policies.  Avoid short writes
+due to an overflow.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/services.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index 72772dbd29..6bddc287e1 100644
+--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
+@@ -1711,7 +1711,10 @@ int next_entry(void *buf, struct policy_file *fp, size_t bytes)
+ size_t put_entry(const void *ptr, size_t size, size_t n,
+ 			struct policy_file *fp)
+ {
+-	size_t bytes = size * n;
+	size_t bytes;
+
+	if (__builtin_mul_overflow(size, n, &bytes))
+		return 0;
+ 
+ 	switch (fp->type) {
+ 	case PF_USE_STDIO:
--- a/backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch
+++ b/backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch
@ -0,0 +1,53 @@
+From c071aa2e635935216e8e504a5b398f58aed2838e Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Mon, 1 Apr 2024 10:49:24 -0400
+Subject: [PATCH] libsepol/cil: Check common perms when verifiying "all"
+
+Commit e81c466 "Fix class permission verification in CIL", added a
+check for the use of "all" in a permission expression for a class
+that had no permissions. Unfortunately, that change did not take
+into account a class that had common permissions, so a class that
+has no permmissions of its own, but inherits permissions from a
+common, will fail the verification check.
+
+If the class inherits from a common, then add those permissions to
+the permmission list when verifying the permission expression.
+
+Example/
+(common co1 (cop1))
+(class cl1 ())
+(classcommon cl1 co1)
+(classorder (CLASS cl1))
+
+(classpermission cp1)
+(classpermissionset cp1 (cl1 (all)))
+
+(classmap cm1 (cmp1))
+(classmapping cm1 cmp1 (cl1 (all)))
+
+Previously, both the classpermissionset and the classmapping rules
+would fail verification, but now they pass as expected.
+
+Patch originally from Ben Cressey <bcressey@amazon.com>, I have
+expanded the explanation.
+
+Reported-by: Ben Cressey <bcressey@amazon.com>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_verify.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
+index 0c6d50a18..4ef2cbab3 100644
+--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
+@@ -1842,6 +1842,9 @@ static int __cil_verify_perms(struct cil_class *class, struct cil_list *perms, s
+ 				int count2 = 0;
+ 				cil_list_init(&perm_list, CIL_MAP_PERM);
+ 				cil_symtab_map(&class->perms, __add_perm_to_list, perm_list);
+				if (class->common != NULL) {
+					cil_symtab_map(&class->common->perms, __add_perm_to_list, perm_list);
+				}
+ 				cil_list_for_each(j, perm_list) {
+ 					count2++;
+ 					struct cil_perm *perm = j->data;
--- a/backport-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
+++ b/backport-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
@ -0,0 +1,40 @@
+From 6b5626fd30292b148fa8b732a38a03af1705b655 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 23 Jul 2024 16:41:57 +0200
+Subject: [PATCH] libsepol/cil: Check that sym_index is within bounds
+
+Make sure sym_index is within the bounds of symtab array before using it
+to index the array.
+
+Fixes:
+  Error: OVERRUN (CWE-119):
+  libsepol-3.6/cil/src/cil_resolve_ast.c:3157: assignment: Assigning: "sym_index" = "CIL_SYM_UNKNOWN".
+  libsepol-3.6/cil/src/cil_resolve_ast.c:3189: overrun-call: Overrunning callee's array of size 19 by passing argument "sym_index" (which evaluates to 20) in call to "cil_resolve_name".
+  \# 3187|                   switch (curr->flavor) {
+  \# 3188|                   case CIL_STRING:
+  \# 3189|->                         rc = cil_resolve_name(parent, curr->data, sym_index, db, &res_datum);
+  \# 3190|                           if (rc != SEPOL_OK) {
+  \# 3191|                                   goto exit;
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_resolve_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 427a320c..da8863c4 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -4291,7 +4291,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
+	struct cil_db *db = args->db;
+ 	struct cil_tree_node *node = NULL;
+ 
+-	if (name == NULL) {
+	if (name == NULL || sym_index >= CIL_SYM_NUM) {
+ 		cil_log(CIL_ERR, "Invalid call to cil_resolve_name\n");
+ 		goto exit;
+ 	}
+-- 
+2.33.0
+
--- a/backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch
+++ b/backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch
@ -0,0 +1,87 @@
+From 903e8cf26e2ab874618e0fdaef537bc3d9a8b69d Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Fri, 13 Oct 2023 09:26:50 -0400
+Subject: [PATCH] libsepol/cil: Do not allow classpermissionset to use
+ anonymous classpermission
+
+Macros can use classpermission arguments. These are used in two
+different ways. Either a named classpermission is passed (which is
+declared using a classpermisison rule) or an anonymous classpermission
+is passed (something like "(CLASS (PERM))").
+
+Usually this will look like either of the following:
+Ex1/
+(classpermission cp1)
+(classpermisisonset cp1 (CLASS (PERM)))
+(macro m1 ((classpermisison ARG1))
+  (allow t1 self ARG1)
+)
+(call m1 (cp1))
+or
+Ex2/
+(macro m2 ((classpermission ARG2))
+  (allow t2 self ARG2)
+)
+(call m2 ((CLASS (PERM))))
+
+The following would also be valid:
+Ex3/
+(classpermission cp3)
+(macro m3 ((classpermission ARG3))
+  (classpermissionset ARG3 (CLASS (PERM)))
+  (allow t3 self ARG3)
+)
+(call m3 (cp3))
+
+The oss-fuzzer did the equivalent of the following:
+
+(classpermission cp4)
+(macro m4 ((classpermission ARG4))
+  (classpermissionset ARG4 (CLASS (PERM1)))
+  (allow t4 self ARG4)
+)
+(call m4 (CLASS (PERM2)))
+
+It passed an anonymous classpermission into a macro where there
+was a classpermissionset rule. Suprisingly, everything worked well
+until it was time to destroy the AST. There is no way to distinguish
+between the anonymous classpermission being passed in which needs
+to be destroyed and the classpermission in the classpermissionset
+rule which is destroyed when the classpermissionset rule is
+destroyed. This led to CIL trying to destroy the classpermission
+in the classpermissionset rule twice.
+
+To fix this, when resolving the classpermission name in the
+classpermissionset rule, check if the datum returned is for
+an anonymous classpermission (it has no name) and return an
+error if it is.
+
+This fixes oss-fuzz issue 60670.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+
+Reference: https://github.com/SELinuxProject/selinux/commit/903e8cf26e2ab874618e0fdaef537bc3d9a8b69d
+Conflict: Context adaptation
+---
+ libsepol/cil/src/cil_resolve_ast.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 4e8a375d6..427a320c9 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -253,6 +253,12 @@ int cil_resolve_classpermissionset(struct cil_tree_node *current, struct cil_cla
+ 		goto exit;
+ 	}
+ 
+	if (!datum->fqn) {
+		cil_tree_log(current, CIL_ERR, "Anonymous classpermission used in a classpermissionset");
+		rc = SEPOL_ERR;
+		goto exit;
+	}
+
+ 	rc = cil_resolve_classperms_list(current, cps->classperms, extra_args);
+ 	if (rc != SEPOL_OK) {
+ 		goto exit;
+-- 
+2.33.0
--- a/backport-libsepol-cil-Fix-class-permission-verification-in-CIL.patch
+++ b/backport-libsepol-cil-Fix-class-permission-verification-in-CIL.patch
@ -0,0 +1,257 @@
+From e81c466bca9a06e2ada7d783fe31dd44c9e04432 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 20 Apr 2023 08:58:01 -0400
+Subject: [PATCH] libsepol/cil: Fix class permission verification in CIL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before the CIL post processing phase (where expressions are evaluated,
+various ebitmaps are set, etc) there is a pre-verification where
+checks are made to find self references or loops in bounds, attribute
+sets, and class permissions. The class permission checking is faulty
+in two ways.
+
+First, it does not check for the use of "all" in a permission expression
+for a class that has no permissions. An error will still be generated
+later and secilc will exit cleanly, but without an error message that
+explains the problem.
+
+Second, it does not properly handle lists in permission expressions.
+For example, "(C ((P)))" is a legitimate class permission. The
+permissions expression contains one item that is a list containing
+one permission. This permission expression will be properly evaluated.
+Unfortunately, the class permission verification assumes that each
+item in the permission expression is either an operator or a
+permission datum and a segmenation fault will occur.
+
+Refactor the class permission checking to give a proper error when
+"all" is used in a permission expression for a class that has no
+permissions and so that it can handle lists in permission
+expressions. Also, check for the actual flavor of each item in
+the permission expression and return an error if an unexpected
+flavor is found.
+
+The failure to properly handle lists in permission expressions was
+found by oss-fuzz (#58085).
+
+Tested-by: Christian Göttsche <cgzones@googlemail.com>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_verify.c | 167 +++++++++++++++++++++++-----------
+ 1 file changed, 114 insertions(+), 53 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
+index 4640dc59de..3f58969df2 100644
+--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
+@@ -1700,31 +1700,109 @@ static int __add_perm_to_list(__attribute__((unused)) hashtab_key_t k, hashtab_d
+ 	return SEPOL_OK;
+ }
+ 
+-static int __cil_verify_classperms(struct cil_list *classperms,
+-				   struct cil_symtab_datum *orig,
+-				   struct cil_symtab_datum *parent,
+-				   struct cil_symtab_datum *cur,
+-				   enum cil_flavor flavor,
+-				   unsigned steps, unsigned limit)
+static int __cil_verify_classperms(struct cil_list *classperms, struct cil_symtab_datum *orig, struct cil_symtab_datum *cur, unsigned steps, unsigned limit);
+
+static int __cil_verify_map_perm(struct cil_class *class, struct cil_perm *perm, struct cil_symtab_datum *orig, unsigned steps, unsigned limit)
+{
+	int rc;
+
+	if (!perm->classperms) {
+		cil_tree_log(NODE(class), CIL_ERR, "No class permissions for map class %s, permission %s", DATUM(class)->name, DATUM(perm)->name);
+		goto exit;
+	}
+
+	rc = __cil_verify_classperms(perm->classperms, orig, &perm->datum, steps, limit);
+	if (rc != SEPOL_OK) {
+		cil_tree_log(NODE(class), CIL_ERR, "There was an error verifying class permissions for map class %s, permission %s", DATUM(class)->name, DATUM(perm)->name);
+		goto exit;
+	}
+
+	return SEPOL_OK;
+
+exit:
+	return SEPOL_ERR;
+}
+
+
+static int __cil_verify_perms(struct cil_class *class, struct cil_list *perms, struct cil_symtab_datum *orig, unsigned steps, unsigned limit)
+ {
+ 	int rc = SEPOL_ERR;
+-	struct cil_list_item *curr;
+	int count = 0;
+	struct cil_list_item *i = NULL;
+ 
+-	if (classperms == NULL) {
+-		if (flavor == CIL_MAP_PERM) {
+-			cil_tree_log(NODE(cur), CIL_ERR, "Map class %s does not have a classmapping for %s", parent->name, cur->name);
+	if (!perms) {
+		cil_tree_log(NODE(class), CIL_ERR, "No permissions for class %s in class permissions", DATUM(class)->name);
+		goto exit;
+	}
+
+	cil_list_for_each(i, perms) {
+		count++;
+		if (i->flavor == CIL_LIST) {
+			rc = __cil_verify_perms(class, i->data, orig, steps, limit);
+			if (rc != SEPOL_OK) {
+				goto exit;
+			}
+		} else if (i->flavor == CIL_DATUM) {
+			struct cil_perm *perm = i->data;
+			if (FLAVOR(perm) == CIL_MAP_PERM) {
+				rc = __cil_verify_map_perm(class, perm, orig, steps, limit);
+				if (rc != SEPOL_OK) {
+					goto exit;
+				}
+			}
+		} else if (i->flavor == CIL_OP) {
+			enum cil_flavor op = (enum cil_flavor)(uintptr_t)i->data;
+			if (op == CIL_ALL) {
+				struct cil_list *perm_list;
+				struct cil_list_item *j = NULL;
+				int count2 = 0;
+				cil_list_init(&perm_list, CIL_MAP_PERM);
+				cil_symtab_map(&class->perms, __add_perm_to_list, perm_list);
+				cil_list_for_each(j, perm_list) {
+					count2++;
+					struct cil_perm *perm = j->data;
+					if (FLAVOR(perm) == CIL_MAP_PERM) {
+						rc = __cil_verify_map_perm(class, perm, orig, steps, limit);
+						if (rc != SEPOL_OK) {
+							cil_list_destroy(&perm_list, CIL_FALSE);
+							goto exit;
+						}
+					}
+				}
+				cil_list_destroy(&perm_list, CIL_FALSE);
+				if (count2 == 0) {
+					cil_tree_log(NODE(class), CIL_ERR, "Operator \"all\" used for %s which has no permissions associated with it", DATUM(class)->name);
+					goto exit;
+				}
+			}
+ 		} else {
+-			cil_tree_log(NODE(cur), CIL_ERR, "Classpermission %s does not have a classpermissionset", cur->name);
+			cil_tree_log(NODE(class), CIL_ERR, "Permission list for %s has an unexpected flavor: %d", DATUM(class)->name, i->flavor);
+			goto exit;
+ 		}
+	}
+
+	if (count == 0) {
+		cil_tree_log(NODE(class), CIL_ERR, "Empty permissions list for class %s in class permissions", DATUM(class)->name);
+		goto exit;
+	}
+
+	return SEPOL_OK;
+
+exit:
+	return SEPOL_ERR;
+}
+
+static int __cil_verify_classperms(struct cil_list *classperms, struct cil_symtab_datum *orig, struct cil_symtab_datum *cur, unsigned steps, unsigned limit)
+{
+	int rc;
+	struct cil_list_item *i;
+
+	if (classperms == NULL) {
+ 		goto exit;
+ 	}
+ 
+ 	if (steps > 0 && orig == cur) {
+-		if (flavor == CIL_MAP_PERM) {
+-			cil_tree_log(NODE(cur), CIL_ERR, "Found circular class permissions involving the map class %s and permission %s", parent->name, cur->name);
+-		} else {
+-			cil_tree_log(NODE(cur), CIL_ERR, "Found circular class permissions involving the set %s", cur->name);
+-		}
+		cil_tree_log(NODE(cur), CIL_ERR, "Found circular class permissions involving %s", cur->name);
+ 		goto exit;
+ 	} else {
+ 		steps++;
+@@ -1735,44 +1813,20 @@ static int __cil_verify_classperms(struct cil_list *classperms,
+ 		}
+ 	}
+ 
+-	cil_list_for_each(curr, classperms) {
+-		if (curr->flavor == CIL_CLASSPERMS) {
+-			struct cil_classperms *cp = curr->data;
+-			if (FLAVOR(cp->class) != CIL_CLASS) { /* MAP */
+-				struct cil_list_item *i = NULL;
+-				cil_list_for_each(i, cp->perms) {
+-					if (i->flavor != CIL_OP) {
+-						struct cil_perm *cmp = i->data;
+-						rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
+-						if (rc != SEPOL_OK) {
+-							goto exit;
+-						}
+-					} else {
+-						enum cil_flavor op = (enum cil_flavor)(uintptr_t)i->data;
+-						if (op == CIL_ALL) {
+-							struct cil_class *mc = cp->class;
+-							struct cil_list *perm_list;
+-							struct cil_list_item *j = NULL;
+-
+-							cil_list_init(&perm_list, CIL_MAP_PERM);
+-							cil_symtab_map(&mc->perms, __add_perm_to_list, perm_list);
+-							cil_list_for_each(j, perm_list) {
+-								struct cil_perm *cmp = j->data;
+-								rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
+-								if (rc != SEPOL_OK) {
+-									cil_list_destroy(&perm_list, CIL_FALSE);
+-									goto exit;
+-								}
+-							}
+-							cil_list_destroy(&perm_list, CIL_FALSE);
+-						}
+-					}
+-				}
+	cil_list_for_each(i, classperms) {
+		if (i->flavor == CIL_CLASSPERMS) {
+			struct cil_classperms *cp = i->data;
+			rc = __cil_verify_perms(cp->class, cp->perms, orig, steps, limit);
+			if (rc != SEPOL_OK) {
+				goto exit;
+ 			}
+ 		} else { /* SET */
+-			struct cil_classperms_set *cp_set = curr->data;
+			struct cil_classperms_set *cp_set = i->data;
+ 			struct cil_classpermission *cp = cp_set->set;
+-			rc = __cil_verify_classperms(cp->classperms, orig, NULL, &cp->datum, CIL_CLASSPERMISSION, steps, limit);
+			if (!cp->classperms) {
+				cil_tree_log(NODE(cur), CIL_ERR, "Classpermission %s does not have a classpermissionset", DATUM(cp)->name);
+			}
+			rc = __cil_verify_classperms(cp->classperms, orig, &cp->datum, steps, limit);
+ 			if (rc != SEPOL_OK) {
+ 				goto exit;
+ 			}
+@@ -1787,9 +1841,15 @@ static int __cil_verify_classperms(struct cil_list *classperms,
+ 
+ static int __cil_verify_classpermission(struct cil_tree_node *node)
+ {
+	int rc;
+ 	struct cil_classpermission *cp = node->data;
+ 
+-	return __cil_verify_classperms(cp->classperms, &cp->datum, NULL, &cp->datum, CIL_CLASSPERMISSION, 0, 2);
+	rc = __cil_verify_classperms(cp->classperms, &cp->datum, &cp->datum, 0, 2);
+	if (rc != SEPOL_OK) {
+		cil_tree_log(node, CIL_ERR, "Error verifying class permissions for classpermission %s", DATUM(cp)->name);
+	}
+
+	return rc;
+ }
+ 
+ struct cil_verify_map_args {
+@@ -1804,8 +1864,9 @@ static int __verify_map_perm_classperms(__attribute__((unused)) hashtab_key_t k,
+ 	struct cil_perm *cmp = (struct cil_perm *)d;
+ 	int rc;
+ 
+-	rc = __cil_verify_classperms(cmp->classperms, &cmp->datum, &map_args->class->datum, &cmp->datum, CIL_MAP_PERM, 0, 2);
+	rc = __cil_verify_classperms(cmp->classperms, &cmp->datum, &cmp->datum, 0, 2);
+ 	if (rc != SEPOL_OK) {
+		cil_tree_log(NODE(cmp), CIL_ERR, "Error verifying class permissions for map class %s, permission %s", DATUM(map_args->class)->name, DATUM(cmp)->name);
+ 		map_args->rc = rc;
+ 	}
+ 
--- a/backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch
+++ b/backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch
@ -0,0 +1,29 @@
+From 1f173f8efab8e9931898d924057bd0ea8da759b7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 30 Apr 2024 17:30:24 +0200
+Subject: [PATCH] libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
+
+libsepol-3.6/cil/src/cil_binary.c:902: alloc_fn: Storage is returned from allocation function "cil_malloc".
+libsepol-3.6/cil/src/cil_binary.c:902: var_assign: Assigning: "mls_level" = storage returned from "cil_malloc(24UL)".
+libsepol-3.6/cil/src/cil_binary.c:903: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_init".
+libsepol-3.6/cil/src/cil_binary.c:905: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_cpy".
+libsepol-3.6/cil/src/cil_binary.c:919: leaked_storage: Variable "mls_level" going out of scope leaks the storage it points to.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 95bd18baa..c8144a5af 100644
+--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
+@@ -904,6 +904,7 @@ static int cil_sensalias_to_policydb(policydb_t *pdb, struct cil_alias *cil_alia
+ 
+ 	rc = mls_level_cpy(mls_level, sepol_level->level);
+ 	if (rc != SEPOL_OK) {
+		free(mls_level);
+ 		goto exit;
+ 	}
+ 	sepol_alias->level = mls_level;
--- a/backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
+++ b/backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
@ -0,0 +1,81 @@
+From 0dac9813e1ea44d35b8bb8b72203ddb41c4ed751 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:15 +0200
+Subject: [PATCH] libsepol/cil: Initialize avtab_datum on declaration
+
+avtab_datum.xperms was not always initialized before being used.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:977:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1059:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1057|   			}
+ \# 1058|   		}
+ \# 1059|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1060|   	}
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:1348:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1384:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1382|   	} else {
+ \# 1383|   		avtab_datum.data = data;
+ \# 1384|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1385|   	}
+ \# 1386|
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 3dec1883..3d920182 100644
+--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
+@@ -975,7 +975,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ {
+ 	int rc = SEPOL_OK;
+ 	avtab_key_t avtab_key;
+-	avtab_datum_t avtab_datum;
+	avtab_datum_t avtab_datum = { .data = res, .xperms = NULL };
+ 	avtab_ptr_t existing;	
+ 
+ 	avtab_key.source_type = src;
+@@ -997,8 +997,6 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ 		goto exit;
+ 	}
+ 
+-	avtab_datum.data = res;
+-	
+ 	existing = avtab_search_node(&pdb->te_avtab, &avtab_key);
+ 	if (existing) {
+ 		/* Don't add duplicate type rule and warn if they conflict.
+@@ -1346,7 +1344,7 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ {
+ 	int rc = SEPOL_OK;
+ 	avtab_key_t avtab_key;
+-	avtab_datum_t avtab_datum;
+	avtab_datum_t avtab_datum = { .data = data, .xperms = NULL };
+ 	avtab_datum_t *avtab_dup = NULL;
+ 
+ 	avtab_key.source_type = src;
+@@ -1372,7 +1370,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ 	if (!cond_node) {
+ 		avtab_dup = avtab_search(&pdb->te_avtab, &avtab_key);
+ 		if (!avtab_dup) {
+-			avtab_datum.data = data;
+ 			rc = avtab_insert(&pdb->te_avtab, &avtab_key, &avtab_datum);
+ 		} else {
+ 			if (kind == CIL_AVRULE_DONTAUDIT)
+@@ -1381,7 +1378,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ 				avtab_dup->data |= data;
+ 		}
+ 	} else {
+-		avtab_datum.data = data;
+ 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ 	}
+ 
+-- 
+2.33.0
+
--- a/backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
+++ b/backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
@ -0,0 +1,40 @@
+From 00fb52ce34773c34591166fd58b2f3d035ff47c9 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:17 +0200
+Subject: [PATCH] libsepol/cil/cil_post: Initialize tmp on declaration
+
+tmp.node was not always initialized before being used by
+ebitmap_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_post.c:1309:2: var_decl: Declaring variable "tmp" without initializer.
+libsepol-3.7/cil/src/cil_post.c:1382:6: uninit_use_in_call: Using uninitialized value "tmp.node" when calling "ebitmap_destroy".
+ \# 1380|   				if (rc != SEPOL_OK) {
+ \# 1381|   					cil_log(CIL_INFO, "Failed to apply operator to bitmaps\n");
+ \# 1382|-> 					ebitmap_destroy(&tmp);
+ \# 1383|   					goto exit;
+ \# 1384|   				}
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_post.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index ac99997f..d63a5496 100644
+--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
+@@ -1315,6 +1315,8 @@ static int __cil_expr_to_bitmap(struct cil_list *expr, ebitmap_t *out, int max,
+ 	curr = expr->head;
+ 	flavor = expr->flavor;
+ 
+	ebitmap_init(&tmp);
+
+ 	if (curr->flavor == CIL_OP) {
+ 		enum cil_flavor op = (enum cil_flavor)(uintptr_t)curr->data;
+ 
+-- 
+2.33.0
+
--- a/backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch
+++ b/backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch
@ -0,0 +1,77 @@
+From 162a0884cccce80b76e35bc1094d5eaef84728e5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 31 Jan 2024 13:56:11 +0100
+Subject: [PATCH] libsepol/cil: ensure transitivity in compare functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure comparison functions used by qsort(3) fulfill transitivity, since
+otherwise the resulting array might not be sorted correctly or worse[1]
+in case of integer overflows.
+
+[1]: https://www.qualys.com/2024/01/30/qsort.txt
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_post.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index 7f45299a3..ac99997f7 100644
+--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
+@@ -52,6 +52,8 @@
+ #define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in libsepol/src/module_to_cil.c */
+ #define TYPEATTR_INFIX "_typeattr_"        /* Also in libsepol/src/module_to_cil.c */
+ 
+#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
+
+ struct fc_data {
+ 	unsigned int meta;
+ 	size_t stem_len;
+@@ -263,8 +265,8 @@ int cil_post_ibpkeycon_compare(const void *a, const void *b)
+ 	if (rc)
+ 		return rc;
+ 
+-	rc = (aibpkeycon->pkey_high - aibpkeycon->pkey_low)
+-		- (bibpkeycon->pkey_high - bibpkeycon->pkey_low);
+	rc = spaceship_cmp(aibpkeycon->pkey_high - aibpkeycon->pkey_low,
+		bibpkeycon->pkey_high - bibpkeycon->pkey_low);
+ 	if (rc == 0) {
+ 		if (aibpkeycon->pkey_low < bibpkeycon->pkey_low)
+ 			rc = -1;
+@@ -281,8 +283,8 @@ int cil_post_portcon_compare(const void *a, const void *b)
+ 	struct cil_portcon *aportcon = *(struct cil_portcon**)a;
+ 	struct cil_portcon *bportcon = *(struct cil_portcon**)b;
+ 
+-	rc = (aportcon->port_high - aportcon->port_low) 
+-		- (bportcon->port_high - bportcon->port_low);
+	rc = spaceship_cmp(aportcon->port_high - aportcon->port_low,
+		bportcon->port_high - bportcon->port_low);
+ 	if (rc == 0) {
+ 		if (aportcon->port_low < bportcon->port_low) {
+ 			rc = -1;
+@@ -394,8 +396,8 @@ static int cil_post_iomemcon_compare(const void *a, const void *b)
+ 	struct cil_iomemcon *aiomemcon = *(struct cil_iomemcon**)a;
+ 	struct cil_iomemcon *biomemcon = *(struct cil_iomemcon**)b;
+ 
+-	rc = (aiomemcon->iomem_high - aiomemcon->iomem_low) 
+-		- (biomemcon->iomem_high - biomemcon->iomem_low);
+	rc = spaceship_cmp(aiomemcon->iomem_high - aiomemcon->iomem_low,
+		biomemcon->iomem_high - biomemcon->iomem_low);
+ 	if (rc == 0) {
+ 		if (aiomemcon->iomem_low < biomemcon->iomem_low) {
+ 			rc = -1;
+@@ -413,8 +415,8 @@ static int cil_post_ioportcon_compare(const void *a, const void *b)
+ 	struct cil_ioportcon *aioportcon = *(struct cil_ioportcon**)a;
+ 	struct cil_ioportcon *bioportcon = *(struct cil_ioportcon**)b;
+ 
+-	rc = (aioportcon->ioport_high - aioportcon->ioport_low) 
+-		- (bioportcon->ioport_high - bioportcon->ioport_low);
+	rc = spaceship_cmp(aioportcon->ioport_high - aioportcon->ioport_low,
+		bioportcon->ioport_high - bioportcon->ioport_low);
+ 	if (rc == 0) {
+ 		if (aioportcon->ioport_low < bioportcon->ioport_low) {
+ 			rc = -1;
--- a/backport-libsepol-dump-non-mls-validatetrans-rules-as-such.patch
+++ b/backport-libsepol-dump-non-mls-validatetrans-rules-as-such.patch
@ -0,0 +1,51 @@
+From f5d664ebeb09d837a0551f6df0c8f038937a1b67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 12 May 2023 11:23:11 +0200
+Subject: [PATCH] libsepol: dump non-mls validatetrans rules as such
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The functions constraint_expr_to_str() prepare a string representation
+for validatetrans and mlsvalidatetrans rules.  To decide what keyword to
+use the type of expression is consulted.  Currently the extra target
+type (CEXPR_XTARGET) is considered to be an MLS statement while its not,
+e.g.:
+
+    validatetrans CLASS1 t3 == ATTR1;
+
+Actually check for MLS expression types only.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/kernel_to_cil.c  | 2 +-
+ libsepol/src/kernel_to_conf.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index e9cd89c299..7e279e3ff5 100644
+--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
+@@ -172,7 +172,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
+ 				goto exit;
+ 			}
+ 
+-			if (curr->attr >= CEXPR_XTARGET) {
+			if (curr->attr >= CEXPR_L1L2) {
+ 				*use_mls = 1;
+ 			}
+ 
+diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
+index c48a71147a..4c93cc10c3 100644
+--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
+@@ -169,7 +169,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
+ 				goto exit;
+ 			}
+ 
+-			if (curr->attr >= CEXPR_XTARGET) {
+			if (curr->attr >= CEXPR_L1L2) {
+ 				*use_mls = 1;
+ 			}
+ 
--- a/backport-libsepol-enhance-saturation-check.patch
+++ b/backport-libsepol-enhance-saturation-check.patch
@ -0,0 +1,138 @@
+From bd1b7848c66b69bdb1ef25332c90c47d61656437 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 9 Nov 2023 14:51:20 +0100
+Subject: [PATCH] libsepol: enhance saturation check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Several values while parsing kernel policies, like symtab sizes or
+string lengths, are checked for saturation.  They may not be set to the
+maximum value, to avoid overflows or occupying a reserved value, and
+many of those sizes must not be 0.  This is currently handled via the
+two macros is_saturated() and zero_or_saturated().
+
+Both macros are tweaked for the fuzzer, because the fuzzer can create
+input with huge sizes.  While there is no subsequent data to provide
+the announced sizes, which will be caught later, memory of the requested
+size is allocated, which would lead to OOM reports.  Thus the sizes for
+the fuzzer are limited to 2^16.  This has the drawback of the fuzzer
+not checking the complete input space.
+
+Check the sizes in question for actual enough bytes available in the
+input.  This is (only) possible for mapped memory, which the fuzzer
+uses.
+
+Application like setools do currently not benefit from this change,
+since they load the policy via a stream.  There are currently multiple
+interfaces to load a policy, so reworking them to use mapped memory by
+default might be subject for future work.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+
+Reference: https://github.com/SELinuxProject/selinux/commit/bd1b7848c66b69bdb1ef25332c90c47d61656437
+Conflict: Context adaptation
+---
+ libsepol/src/avtab.c    |  2 +-
+ libsepol/src/policydb.c |  9 ++++++---
+ libsepol/src/private.h  | 22 ++++++++++++++++------
+ libsepol/src/services.c |  2 +-
+ 4 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
+index 7c2328b7..b2fa8d85 100644
+--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
+@@ -600,7 +600,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
+ 		goto bad;
+ 	}
+ 	nel = le32_to_cpu(buf[0]);
+-	if (zero_or_saturated(nel)) {
+	if (zero_or_saturated(nel) || exceeds_available_bytes(fp, nel, sizeof(uint32_t) * 3)) {
+ 		ERR(fp->handle, "table is empty");
+ 		goto bad;
+ 	}
+diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
+index bc7bc9dc..6ba4f916 100644
+--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
+@@ -3857,7 +3857,8 @@ static int scope_index_read(scope_index_t * scope_index,
+ 	if (rc < 0)
+ 		return -1;
+ 	scope_index->class_perms_len = le32_to_cpu(buf[0]);
+-	if (is_saturated(scope_index->class_perms_len))
+	if (is_saturated(scope_index->class_perms_len) ||
+	    exceeds_available_bytes(fp, scope_index->class_perms_len, sizeof(uint32_t) * 3))
+ 		return -1;
+ 	if (scope_index->class_perms_len == 0) {
+ 		scope_index->class_perms_map = NULL;
+@@ -4036,7 +4037,8 @@ static int scope_read(policydb_t * p, int symnum, struct policy_file *fp)
+ 		goto cleanup;
+ 	scope->scope = le32_to_cpu(buf[0]);
+ 	scope->decl_ids_len = le32_to_cpu(buf[1]);
+-	if (zero_or_saturated(scope->decl_ids_len)) {
+	if (zero_or_saturated(scope->decl_ids_len) ||
+	    exceeds_available_bytes(fp, scope->decl_ids_len, sizeof(uint32_t))) {
+ 		ERR(fp->handle, "invalid scope with no declaration");
+ 		goto cleanup;
+ 	}
+@@ -4315,7 +4317,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
+ 		if (rc < 0)
+ 			goto bad;
+ 		nprim = le32_to_cpu(buf[0]);
+-		if (is_saturated(nprim))
+		if (is_saturated(nprim) ||
+		    exceeds_available_bytes(fp, nprim, sizeof(uint32_t) * 3))
+ 			goto bad;
+ 		nel = le32_to_cpu(buf[1]);
+ 		if (nel && !nprim) {
+diff --git a/libsepol/src/private.h b/libsepol/src/private.h
+index 1833b497..1500bbc2 100644
+--- a/libsepol/src/private.h
+++ b/libsepol/src/private.h
+@@ -44,13 +44,23 @@
+ 
+ #define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0]))
+ 
+-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+-# define is_saturated(x) (x == (typeof(x))-1 || (x) > (1U << 16))
+-#else
+-# define is_saturated(x) (x == (typeof(x))-1)
+-#endif
+static inline int exceeds_available_bytes(const struct policy_file *fp, size_t x, size_t req_elem_size)
+{
+	size_t req_size;
+
+	/* Remaining input size is only available for mmap'ed memory */
+	if (fp->type != PF_USE_MEMORY)
+		return 0;
+
+	if (__builtin_mul_overflow(x, req_elem_size, &req_size))
+		return 1;
+
+	return req_size > fp->len;
+}
+
+#define is_saturated(x) ((x) == (typeof(x))-1)
+ 
+-#define zero_or_saturated(x) ((x == 0) || is_saturated(x))
+#define zero_or_saturated(x) (((x) == 0) || is_saturated(x))
+ 
+ #define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
+ 
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index 51bd56a0..aa1ad52c 100644
+--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
+@@ -1748,7 +1748,7 @@ int str_read(char **strp, struct policy_file *fp, size_t len)
+ 	int rc;
+ 	char *str;
+ 
+-	if (zero_or_saturated(len)) {
+	if (zero_or_saturated(len) || exceeds_available_bytes(fp, len, sizeof(char))) {
+ 		errno = EINVAL;
+ 		return -1;
+ 	}
+-- 
+2.27.0
--- a/backport-libsepol-ensure-transitivity-in-compare-functions.patch
+++ b/backport-libsepol-ensure-transitivity-in-compare-functions.patch
@ -0,0 +1,47 @@
+From b52e27aeaa563ac998345a6a670493172411b166 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 31 Jan 2024 13:56:10 +0100
+Subject: [PATCH] libsepol: ensure transitivity in compare functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure comparison functions used by qsort(3) fulfill transitivity, since
+otherwise the resulting array might not be sorted correctly or worse[1]
+in case of integer overflows.
+
+[1]: https://www.qualys.com/2024/01/30/qsort.txt
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/kernel_to_common.c | 2 +-
+ libsepol/src/module_to_cil.c    | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
+index 2422eed08..44f0be23a 100644
+--- a/libsepol/src/kernel_to_common.c
+++ b/libsepol/src/kernel_to_common.c
+@@ -503,7 +503,7 @@ static int ibendport_data_cmp(const void *a, const void *b)
+ 	if (rc)
+ 		return rc;
+ 
+-	return (*aa)->u.ibendport.port - (*bb)->u.ibendport.port;
+	return spaceship_cmp((*aa)->u.ibendport.port, (*bb)->u.ibendport.port);
+ }
+ 
+ static int pirq_data_cmp(const void *a, const void *b)
+diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
+index 0fce7cc7e..6699a46be 100644
+--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
+@@ -1681,7 +1681,7 @@ static int class_perm_cmp(const void *a, const void *b)
+ 	const struct class_perm_datum *aa = a;
+ 	const struct class_perm_datum *bb = b;
+ 
+-	return aa->val - bb->val;
+	return spaceship_cmp(aa->val, bb->val);
+ }
+ 
+ static int common_to_cil(char *key, void *data, void *UNUSED(arg))
--- a/backport-libsepol-expand-skip-invalid-cat.patch
+++ b/backport-libsepol-expand-skip-invalid-cat.patch
@ -0,0 +1,38 @@
+From cae65d9a10623bb9063a2e3ca5357bb1602d55af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 12 May 2023 11:30:01 +0200
+Subject: [PATCH] libsepol: expand: skip invalid cat
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Bail out on expanding levels with invalid low category.
+ 
+UBSAN report:
+ 
+    expand.c:952:21: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'uint32_t' (aka 'unsigned int')
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/cae65d9a10623bb9063a2e3ca5357bb1602d55af
+Conflict: NA
+---
+ libsepol/src/expand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
+index c08d3a35..8795229a 100644
+--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
+@@ -943,7 +943,7 @@ int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l,
+ 		return -1;
+ 	}
+ 	for (cat = sl->cat; cat; cat = cat->next) {
+-		if (cat->low > cat->high) {
+		if (!cat->low || cat->low > cat->high) {
+ 			ERR(h, "Category range is not valid %s.%s",
+ 			    p->p_cat_val_to_name[cat->low - 1],
+ 			    p->p_cat_val_to_name[cat->high - 1]);
+-- 
+2.33.0
--- a/backport-libsepol-expand-use-identical-type-to-avoid-implicit-conversion.patch
+++ b/backport-libsepol-expand-use-identical-type-to-avoid-implicit-conversion.patch
@ -0,0 +1,28 @@
+From ace9ec17ffaa1ad0be165cd8ad77998cb368ca2c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 14 Jul 2023 20:44:13 +0200
+Subject: [PATCH] libsepol: expand: use identical type to avoid implicit
+ conversion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/expand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
+index 8795229a39..4c9f84cf9d 100644
+--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
+@@ -2350,7 +2350,7 @@ static int type_attr_map(hashtab_key_t key
+ 	policydb_t *p = state->out;
+ 	unsigned int i;
+ 	ebitmap_node_t *tnode;
+-	int value;
+	uint32_t value;
+ 
+ 	type = (type_datum_t *) datum;
+ 	value = type->s.value;
--- a/backport-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
+++ b/backport-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
@ -0,0 +1,74 @@
+From 575d1cfaac7d58b7333580fdc6203c166b89e271 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:16 +0200
+Subject: [PATCH] libsepol/mls: Do not destroy context on memory error
+
+In case of malloc error, ctx1, or ctx2 may be pointing to uninitialized
+space and context_destroy should not be used on it.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:673:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:673:2: assign: Assigning: "ctx1" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:699:2: uninit_use_in_call: Using uninitialized value "ctx1->range.level[0].cat.node" when calling "context_destroy".
+ \#  697|   	ERR(handle, "could not check if mls context %s contains %s",
+ \#  698|   	    mls1, mls2);
+ \#  699|-> 	context_destroy(ctx1);
+ \#  700|   	context_destroy(ctx2);
+ \#  701|   	free(ctx1);
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:674:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:674:2: assign: Assigning: "ctx2" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:700:2: uninit_use_in_call: Using uninitialized value "ctx2->range.level[0].cat.node" when calling "context_destroy".
+ \#  698|   	    mls1, mls2);
+ \#  699|   	context_destroy(ctx1);
+ \#  700|-> 	context_destroy(ctx2);
+ \#  701|   	free(ctx1);
+ \#  702|   	free(ctx2);
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/mls.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
+index 45db8920..a37405d1 100644
+--- a/libsepol/src/mls.c
+++ b/libsepol/src/mls.c
+@@ -672,8 +672,10 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ 	context_struct_t *ctx1 = NULL, *ctx2 = NULL;
+ 	ctx1 = malloc(sizeof(context_struct_t));
+ 	ctx2 = malloc(sizeof(context_struct_t));
+-	if (ctx1 == NULL || ctx2 == NULL)
+	if (ctx1 == NULL || ctx2 == NULL){
+		ERR(handle, "out of memory");
+ 		goto omem;
+	}
+ 	context_init(ctx1);
+ 	context_init(ctx2);
+ 
+@@ -690,16 +692,14 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ 	free(ctx2);
+ 	return STATUS_SUCCESS;
+ 
+-      omem:
+-	ERR(handle, "out of memory");
+-
+       err:
+-	ERR(handle, "could not check if mls context %s contains %s",
+-	    mls1, mls2);
+ 	context_destroy(ctx1);
+ 	context_destroy(ctx2);
+      omem:
+ 	free(ctx1);
+ 	free(ctx2);
+	ERR(handle, "could not check if mls context %s contains %s",
+	    mls1, mls2);
+ 	return STATUS_ERR;
+ }
+ 
+-- 
+2.33.0
+
--- a/backport-libsepol-more-strict-validation.patch
+++ b/backport-libsepol-more-strict-validation.patch
@ -0,0 +1,55 @@
+From 6ed7dcf2f6f71d6db5fa89e0b965c10a165f315c Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 8 Jan 2024 17:09:46 +0800
+Subject: [PATCH] libsepol: more strict validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Ensure the ibendport port is not 0 (similar to the kernel).
+ 
+More general depth test for boolean expressions.
+ 
+Ensure the boolean id is not set for logic operators.
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/7b754f703d704c9d9931497536771e6124ca2418
+Conflict: Context adaptation
+---
+ libsepol/src/policydb_validate.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index da3c7c5..09f0813 100644
+--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
+@@ -479,13 +479,15 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va
+ 		case COND_BOOL:
+ 			if (validate_value(expr->bool, boolean))
+ 				goto bad;
+-			if (depth == (COND_EXPR_MAXDEPTH - 1))
+			if (depth >= (COND_EXPR_MAXDEPTH - 1))
+ 				goto bad;
+ 			depth++;
+ 			break;
+ 		case COND_NOT:
+ 			if (depth < 0)
+ 				goto bad;
+			if (expr->bool != 0)
+				goto bad;
+ 			break;
+ 		case COND_OR:
+ 		case COND_AND:
+@@ -494,6 +496,8 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va
+ 		case COND_NEQ:
+ 			if (depth < 1)
+ 				goto bad;
+			if (expr->bool != 0)
+				goto bad;
+ 			depth--;
+ 			break;
+ 		default:
+-- 
+2.33.0
--- a/backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch
+++ b/backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch
@ -0,0 +1,61 @@
+From b1b3467a476b109f20ad581d73c56262205a021e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 1 Nov 2023 17:37:24 +0100
+Subject: [PATCH] libsepol: reject avtab entries with invalid specifier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Neverallow avtab entries are not supported (normal and extended). Reject
+them to avoid lookup confusions via avtab_search(), e.g. when searching
+for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of
+only AVTAB_NEVERALLOW has no transition value.
+ 
+Simplify the check for the number of specifiers by using the compiler
+popcount builtin (already used in libsepol).
+ 
+Reported-by: oss-fuzz (issue 60568), caused at the time by the filetrans
+             prefix proposal
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/b1b3467a476b109f20ad581d73c56262205a021e
+Conflict: NA
+---
+ libsepol/src/avtab.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+ 
+diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
+index 6ab49c5e..1ef5ee00 100644
+--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
+@@ -441,7 +441,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
+ 	avtab_key_t key;
+ 	avtab_datum_t datum;
+ 	avtab_extended_perms_t xperms;
+-	unsigned set;
+ 	unsigned int i;
+ 	int rc;
+ 
+@@ -535,13 +534,13 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
+ 	key.target_class = le16_to_cpu(buf16[items++]);
+ 	key.specified = le16_to_cpu(buf16[items++]);
+ 
+-	set = 0;
+-	for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
+-		if (key.specified & spec_order[i])
+-			set++;
+	if (key.specified & ~(AVTAB_AV | AVTAB_TYPE | AVTAB_XPERMS | AVTAB_ENABLED)) {
+		ERR(fp->handle, "invalid specifier");
+		return -1;
+ 	}
+-	if (!set || set > 1) {
+-		ERR(fp->handle, "more than one specifier");
+
+	if (__builtin_popcount(key.specified & ~AVTAB_ENABLED) != 1) {
+		ERR(fp->handle, "not exactly one specifier");
+ 		return -1;
+ 	}
+ 
+-- 
+2.33.0
--- a/backport-libsepol-reject-invalid-class-datums.patch
+++ b/backport-libsepol-reject-invalid-class-datums.patch
@ -0,0 +1,54 @@
+From 68c3a9991679702a7adc6e040e5703a7abb50b16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 28 Nov 2023 19:23:32 +0100
+Subject: [PATCH] libsepol: reject invalid class datums
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Internally class values are stored in multiple placed in a 16-bit wide
+integer.  Reject class values exceeding the maximum representable value.
+This avoids truncations in the helper
+policydb_string_to_security_class(), which gets called before validation
+of the policy:
+
+    policydb.c:4082:9: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 2113929220 (32-bit, unsigned) to type 'sepol_security_class_t' (aka 'unsigned short') changed the value to 4 (16-bit, unsigned)
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/68c3a9991679702a7adc6e040e5703a7abb50b16
+Conflict: Context adaptation
+---
+ libsepol/src/policydb.c          | 2 ++
+ libsepol/src/policydb_validate.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
+index 6ba4f9168..f10a8a95a 100644
+--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
+@@ -2250,6 +2250,8 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+ 	if (is_saturated(len2))
+ 		goto bad;
+ 	cladatum->s.value = le32_to_cpu(buf[2]);
+	if (cladatum->s.value > UINT16_MAX)
+		goto bad;
+ 
+ 	if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE))
+ 		goto bad;
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index 6d8641f..69a436b 100644
+--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
+@@ -199,7 +199,7 @@ bad:
+ 
+ static int validate_class_datum(sepol_handle_t *handle, const class_datum_t *class, validate_t flavors[])
+ {
+-	if (validate_value(class->s.value, &flavors[SYM_CLASSES]))
+	if (class->s.value > UINT16_MAX || validate_value(class->s.value, &flavors[SYM_CLASSES]))
+ 		goto bad;
+ 	if (class->comdatum && validate_common_datum(handle, class->comdatum, flavors))
+ 		goto bad;
+-- 
+2.33.0
--- a/backport-libsepol-reject-linking-modules-with-no-avrules.patch
+++ b/backport-libsepol-reject-linking-modules-with-no-avrules.patch
@ -0,0 +1,47 @@
+From 4724538b62e4eb846057b227ce12052749bd4473 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 28 Nov 2023 19:23:34 +0100
+Subject: [PATCH] libsepol: reject linking modules with no avrules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Standard policy modules generated by compilers have at least one global
+av rule.  Reject modules otherwise, e.g. generated by a fuzzer.
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/4724538b62e4eb846057b227ce12052749bd4473
+Conflict: NA
+---
+ libsepol/src/link.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/link.c b/libsepol/src/link.c
+index 3b7742bc..b8272308 100644
+--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
+@@ -2019,7 +2019,7 @@ static int debug_requirements(link_state_t * state, policydb_t * p)
+ 	memset(&req, 0, sizeof(req));
+ 
+ 	for (cur = p->global; cur != NULL; cur = cur->next) {
+-		if (cur->enabled != NULL)
+		if (cur->enabled != NULL || cur->branch_list == NULL)
+ 			continue;
+ 
+ 		ret = is_decl_requires_met(state, cur->branch_list, &req);
+@@ -2142,6 +2142,11 @@ static int enable_avrules(link_state_t * state, policydb_t * pol)
+ 	/* 1) enable all of the non-else blocks */
+ 	for (block = pol->global; block != NULL; block = block->next) {
+ 		block->enabled = block->branch_list;
+		if (!block->enabled) {
+			ERR(state->handle, "Global block has no avrules!");
+			ret = SEPOL_ERR;
+			goto out;
+		}
+ 		block->enabled->enabled = 1;
+ 		for (decl = block->branch_list->next; decl != NULL;
+ 		     decl = decl->next)
+-- 
+2.33.0
--- a/backport-libsepol-reject-unsupported-policy-capabilities.patch
+++ b/backport-libsepol-reject-unsupported-policy-capabilities.patch
@ -0,0 +1,75 @@
+From e22b7dee0d8de9bc49992fa80b9ceb53925ea36c Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 8 Jan 2024 17:16:30 +0800
+Subject: [PATCH] libsepol: reject unsupported policy capabilities
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Kernel policies with unsupported policy capabilities enabled can
+currently be parsed, since they result just in a bit set inside an
+ebitmap.  Writing such a loaded policy into the traditional language or
+CIL will fail however, since the unsupported policy capabilities can not
+be converted into a name.
+ 
+Reject kernel policies with invalid policy capabilities.
+ 
+Reported-by: oss-fuzz (issue 60573)
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/7cf2bfb59313eeef59e916834c3243b7a0ce7b4f
+Conflict: Context adaptation
+---
+ libsepol/src/policydb_validate.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+ 
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index 09f0813..9553812 100644
+--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
+@@ -2,6 +2,7 @@
+ #include <sepol/policydb/conditional.h>
+ #include <sepol/policydb/ebitmap.h>
+ #include <sepol/policydb/policydb.h>
+#include <sepol/policydb/polcaps.h>
+ #include <sepol/policydb/services.h>
+ 
+ #include "debug.h"
+@@ -771,6 +772,23 @@ bad:
+ 	return -1;
+ }
+ 
+static int validate_policycaps(sepol_handle_t *handle, const policydb_t *p)
+{
+	ebitmap_node_t *node;
+	uint32_t i;
+
+	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
+		if (!sepol_polcap_getname(i))
+			goto bad;
+	}
+
+	return 0;
+
+bad:
+	ERR(handle, "Invalid policy capability");
+	return -1;
+}
+
+ static void validate_array_destroy(validate_t flavors[])
+ {
+ 	unsigned int i;
+@@ -790,6 +808,9 @@ int policydb_validate(sepol_handle_t *handle, policydb_t *p)
+ 	if (validate_properties(handle, p))
+ 		goto bad;
+ 
+	if (validate_policycaps(handle, p))
+		goto bad;
+
+ 	if (p->policy_type == POLICY_KERN) {
+ 		if (validate_avtab(handle, &p->te_avtab, p, flavors))
+ 			goto bad;
+-- 
+2.33.0
--- a/backport-libsepol-reorder-calloc-3-arguments.patch
+++ b/backport-libsepol-reorder-calloc-3-arguments.patch
@ -0,0 +1,75 @@
+From a0ff05efca3bb04b08a5f5274016d9f1286e9517 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 5 Jan 2024 19:35:31 +0100
+Subject: [PATCH] libsepol: reorder calloc(3) arguments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The canonical order of calloc(3) parameters is the number of elements
+first and the size of each element second.
+
+Reported by GCC 14:
+
+    kernel_to_conf.c:814:47: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
+    kernel_to_conf.c:945:46: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
+    kernel_to_conf.c:2109:35: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
+    kernel_to_common.c:578:29: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+
+Reference: https://github.com/SELinuxProject/selinux/commit/a0ff05efca3bb04b08a5f5274016d9f1286e9517
+Conflict: Context adaptation in kernel_to_common.c.
+---
+ libsepol/src/kernel_to_common.c | 2 +-
+ libsepol/src/kernel_to_conf.c   | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
+index 4612eef3..2422eed0 100644
+--- a/libsepol/src/kernel_to_common.c
+++ b/libsepol/src/kernel_to_common.c
+@@ -575,7 +575,7 @@ static int sort_ocontext_data(struct ocontext **ocons, int (*cmp)(const void *,
+ 		return 0;
+ 	}
+ 
+-	data = calloc(sizeof(*data), num);
+	data = calloc(num, sizeof(*data));
+ 	if (!data) {
+ 		sepol_log_err("Out of memory\n");
+ 		return -1;
+diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
+index 83f46e0f..e6b449b4 100644
+--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
+@@ -811,7 +811,7 @@ static int write_sensitivity_rules_to_conf(FILE *out, struct policydb *pdb)
+ 	num = strs_num_items(strs);
+ 
+ 	if (num > 0) {
+-		sens_alias_map = calloc(sizeof(*sens_alias_map), pdb->p_levels.nprim);
+		sens_alias_map = calloc(pdb->p_levels.nprim, sizeof(*sens_alias_map));
+ 		if (!sens_alias_map) {
+ 			rc = -1;
+ 			goto exit;
+@@ -942,7 +942,7 @@ static int write_category_rules_to_conf(FILE *out, struct policydb *pdb)
+ 	num = strs_num_items(strs);
+ 
+ 	if (num > 0) {
+-		cat_alias_map = calloc(sizeof(*cat_alias_map), pdb->p_cats.nprim);
+		cat_alias_map = calloc(pdb->p_cats.nprim, sizeof(*cat_alias_map));
+ 		if (!cat_alias_map) {
+ 			rc = -1;
+ 			goto exit;
+@@ -2106,7 +2106,7 @@ static int write_cond_nodes_to_conf(FILE *out, struct policydb *pdb)
+ 		return 0;
+ 	}
+ 
+-	cond_data = calloc(sizeof(struct cond_data), num);
+	cond_data = calloc(num, sizeof(struct cond_data));
+ 	if (!cond_data) {
+ 		rc = -1;
+ 		goto exit;
+-- 
+2.33.0
+
--- a/backport-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
+++ b/backport-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
@ -0,0 +1,51 @@
+From 1f080ffd7ab24b0ad2b46f79db63d62c2ae2747c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 19 Jul 2024 18:17:13 +0200
+Subject: [PATCH] libsepol/sepol_compute_sid: Do not destroy uninitialized
+ context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid context_destroy() on "newcontext" before context_init() is called.
+
+Fixes:
+  libsepol-3.6/src/services.c:1335: var_decl: Declaring variable "newcontext" without initializer.
+  libsepol-3.6/src/services.c:1462: uninit_use_in_call: Using uninitialized value "newcontext.range.level[0].cat.node" when calling "context_destroy".
+  \# 1460|   	rc = sepol_sidtab_context_to_sid(sidtab, &newcontext, out_sid);
+  \# 1461|         out:
+  \# 1462|-> 	context_destroy(&newcontext);
+  \# 1463|   	return rc;
+  \# 1464|   }
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Reviewed-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libsepol/src/services.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index 36e2368f..f3231f17 100644
+--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
+@@ -1362,14 +1362,12 @@ static int sepol_compute_sid(sepol_security_id_t ssid,
+ 	scontext = sepol_sidtab_search(sidtab, ssid);
+ 	if (!scontext) {
+ 		ERR(NULL, "unrecognized SID %d", ssid);
+-		rc = -EINVAL;
+-		goto out;
+		return -EINVAL;
+ 	}
+ 	tcontext = sepol_sidtab_search(sidtab, tsid);
+ 	if (!tcontext) {
+ 		ERR(NULL, "unrecognized SID %d", tsid);
+-		rc = -EINVAL;
+-		goto out;
+		return -EINVAL;
+ 	}
+ 
+ 	if (tclass && tclass <= policydb->p_classes.nprim)
+-- 
+2.33.0
+
--- a/backport-libsepol-use-correct-type-to-avoid-truncations.patch
+++ b/backport-libsepol-use-correct-type-to-avoid-truncations.patch
@ -0,0 +1,50 @@
+From 4f1435dd51f832fa3b122e5e98be2a5ab176780c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 28 Nov 2023 19:23:29 +0100
+Subject: [PATCH] libsepol: use correct type to avoid truncations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Avoid truncations of the read 32 bit unsigned integer:
+ 
+    conditional.c:764:8: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 3758096384 (32-bit, unsigned) to type 'int' changed the value to -536870912 (32-bit, signed)
+    conditional.c:831:8: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 4280295456 (32-bit, unsigned) to type 'int' changed the value to -14671840 (32-bit, signed)
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/4f1435dd51f832fa3b122e5e98be2a5ab176780c
+Conflict: NA
+---
+ libsepol/src/conditional.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+ 
+diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
+index 24380ea0..420c7b6c 100644
+--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
+@@ -746,8 +746,8 @@ static int expr_isvalid(policydb_t * p, cond_expr_t * expr)
+ 
+ static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
+ {
+-	uint32_t buf[2];
+-	int len, i, rc;
+	uint32_t buf[2], i, len;
+	int rc;
+ 	cond_expr_t *expr = NULL, *last = NULL;
+ 
+ 	rc = next_entry(buf, fp, sizeof(uint32_t));
+@@ -821,8 +821,8 @@ static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
+ int cond_read_list(policydb_t * p, cond_list_t ** list, void *fp)
+ {
+ 	cond_node_t *node, *last = NULL;
+-	uint32_t buf[1];
+-	int i, len, rc;
+	uint32_t buf[1], i, len;
+	int rc;
+ 
+ 	rc = next_entry(buf, fp, sizeof(uint32_t));
+ 	if (rc < 0)
+-- 
+2.33.0
--- a/backport-libsepol-validate-check-low-category-is-not-bigger-than-high.patch
+++ b/backport-libsepol-validate-check-low-category-is-not-bigger-than-high.patch
@ -0,0 +1,28 @@
+From ac015a3996e894754350ea8ae97e66644899a2c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 12 May 2023 11:29:59 +0200
+Subject: [PATCH] libsepol: validate: check low category is not bigger than
+ high
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/policydb_validate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index e0d290ff32..b34f83ecb5 100644
+--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
+@@ -545,6 +545,8 @@ static int validate_mls_semantic_cat(const mls_semantic_cat_t *cat, const valida
+ 			goto bad;
+ 		if (validate_value(cat->high, cats))
+ 			goto bad;
+		if (cat->low > cat->high)
+			goto bad;
+ 	}
+ 
+ 	return 0;
--- a/backport-libsepol-validate-empty-common-classes-in-scope-indi.patch
+++ b/backport-libsepol-validate-empty-common-classes-in-scope-indi.patch
@ -0,0 +1,35 @@
+From e54bedce80267b4fbd79b16f548a278c097bd675 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 11 Dec 2023 15:55:40 +0100
+Subject: [PATCH] libsepol: validate empty common classes in scope indices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Validate no common classes inside scope indices are defined.
+
+Reported-by: oss-fuzz (issue 64849)
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+
+Reference: https://github.com/SELinuxProject/selinux/commit/e54bedce80267b4fbd79b16f548a278c097bd675
+Conflict: Context adaptation
+---
+ libsepol/src/policydb_validate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index bd8e9f8f3..d86f885e4 100644
+--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
+@@ -730,6 +730,8 @@ bad:
+ 
+ static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[])
+ {
+	if (!ebitmap_is_empty(&scope_index->scope[SYM_COMMONS]))
+		goto bad;
+ 	if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES]))
+ 		goto bad;
+ 	if (validate_ebitmap(&scope_index->p_roles_scope, &flavors[SYM_ROLES]))
+-- 
+2.33.0
--- a/backport-libsepol-validate-old-style-range-trans-classes.patch
+++ b/backport-libsepol-validate-old-style-range-trans-classes.patch
@ -0,0 +1,41 @@
+From 4cf37608b563327ce433ce392931a9eb8bda9524 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 12 May 2023 11:29:58 +0200
+Subject: [PATCH] libsepol: validate old style range trans classes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For old style range transition rules the class defaults to process.
+However the policy might not declare the process class leading to
+setting a wrong bit later on via:
+
+    if (ebitmap_set_bit(&rtr->tclasses, rt->target_class - 1, 1))
+
+UBSAN report:
+
+    policydb.c:3684:56: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'uint32_t' (aka 'unsigned int')
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/policydb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
+index b79c19b94c..605d290a71 100644
+--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
+@@ -3650,10 +3650,10 @@ static int range_read(policydb_t * p, struct policy_file *fp)
+ 			if (rc < 0)
+ 				goto err;
+ 			rt->target_class = le32_to_cpu(buf[0]);
+-			if (!value_isvalid(rt->target_class, p->p_classes.nprim))
+-				goto err;
+ 		} else
+ 			rt->target_class = p->process_class;
+		if (!value_isvalid(rt->target_class, p->p_classes.nprim))
+			goto err;
+ 		r = calloc(1, sizeof(*r));
+ 		if (!r)
+ 			goto err;
--- a/backport-libsepol-validate-the-identifier-for-initials-SID-is.patch
+++ b/backport-libsepol-validate-the-identifier-for-initials-SID-is.patch
@ -0,0 +1,50 @@
+From cf6ddded1650098c05f4245df41395420cf41838 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 9 Nov 2023 14:51:21 +0100
+Subject: [PATCH] libsepol: validate the identifier for initials SID is valid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the identifier for initial SIDs is less than the maximum known ID.
+The kernel will ignore all unknown IDs, see
+security/selinux/ss/policydb.c:policydb_load_isids().
+
+Without checking huge IDs result in OOM events, while writing policies,
+e.g. in write_sids_to_conf() or write_sids_to_cil(), due to allocation
+of large (continuous) string lists.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+
+Reference: https://github.com/SELinuxProject/selinux/commit/cf6ddded1650098c05f4245df41395420cf41838
+Conflict: Context adaptation
+---
+ libsepol/src/policydb_validate.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index 016ab6550..32ad5a18b 100644
+--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
+@@ -6,6 +6,7 @@
+ #include <sepol/policydb/services.h>
+ 
+ #include "debug.h"
+#include "kernel_to_common.h"
+ #include "policydb_validate.h"
+ 
+ #define bool_xor(a, b) (!(a) != !(b))
+@@ -635,6 +636,10 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, validate_t
+ 
+ 			if (p->target_platform == SEPOL_TARGET_SELINUX) {
+ 				switch (i) {
+				case OCON_ISID:
+					if (octx->sid[0] == SEPOL_SECSID_NULL || octx->sid[0] >= SELINUX_SID_SZ)
+						goto bad;
+					break;
+ 				case OCON_FS:
+ 				case OCON_NETIF:
+ 					if (validate_context(&octx->context[1], flavors, p->mls))
+-- 
+2.33.0
--- a/libsepol-3.4.tar.gz
+++ b/libsepol-3.4.tar.gz
--- a/libsepol-3.5.tar.gz
+++ b/libsepol-3.5.tar.gz
--- a/libsepol.spec
+++ b/libsepol.spec
@ -1,11 +1,46 @@
 Name:           libsepol
-Version:        3.4
-Release:        1
+Version:        3.5
+Release:        5
 Summary:        SELinux binary policy manipulation library
 License:        LGPLv2+
 URL:            https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0:        https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz 

+Patch0001:      backport-hashtab-update.patch
+Patch0002:      backport-libsepol-check-for-overflow-in-put_entry.patch
+Patch0003:      backport-libsepol-dump-non-mls-validatetrans-rules-as-such.patch
+Patch0004:      backport-libsepol-expand-use-identical-type-to-avoid-implicit-conversion.patch
+Patch0005:      backport-libsepol-cil-Fix-class-permission-verification-in-CIL.patch
+Patch0006:      backport-libsepol-validate-old-style-range-trans-classes.patch
+Patch0007:      backport-libsepol-validate-check-low-category-is-not-bigger-than-high.patch
+Patch0008:      backport-libsepol-reorder-calloc-3-arguments.patch
+Patch0009:      backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch
+Patch0010:      backport-libsepol-avtab-check-read-counts-for-saturation.patch
+Patch0011:      backport-libsepol-expand-skip-invalid-cat.patch
+Patch0012:      backport-libsepol-more-strict-validation.patch
+Patch0013:      backport-libsepol-reject-unsupported-policy-capabilities.patch
+Patch0014:      backport-libsepol-adjust-type-for-saturation-check.patch
+Patch0015:      backport-libsepol-enhance-saturation-check.patch
+Patch0016:      backport-libsepol-avoid-leak-in-OOM-branch.patch
+Patch0017:      backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch
+Patch0018:      backport-libsepol-add-check-for-category-value-before-printin.patch
+Patch0019:      backport-libsepol-use-correct-type-to-avoid-truncations.patch
+Patch0020:      backport-libsepol-reject-invalid-class-datums.patch
+Patch0021:      backport-libsepol-reject-linking-modules-with-no-avrules.patch
+Patch0022:      backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch
+Patch0023:      backport-libsepol-validate-empty-common-classes-in-scope-indi.patch
+Patch0024:      backport-libsepol-validate-the-identifier-for-initials-SID-is.patch
+Patch0025:      backport-libsepol-ensure-transitivity-in-compare-functions.patch
+Patch0026:      backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch
+Patch0027:      backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch
+Patch0028:      backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch
+Patch0029:      backport-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
+Patch0030:      backport-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
+Patch0031:      backport-libsepol-Initialize-strs-on-declaration.patch
+Patch0032:      backport-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
+Patch0033:      backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
+Patch0034:      backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
+
 BuildRequires:  gcc flex

 %description
@ -46,7 +81,7 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install

 %files
 %defattr(-,root,root)
-%license COPYING
+%license LICENSE
 %{_libdir}/libsepol.so.*
 %{_bindir}/sepol_*

@ -65,6 +100,21 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
 %{_mandir}/man3/*

 %changelog
+* Tue Mar 18 2025 Linux_zhang <zhangruifang@h-partners.com> - 3.5-5
+- backport patches from upstream
+
+* Tue Oct 15 2024 yanglongkang <yanglongkang@h-partners.com> - 3.5-4
+- backport bugfix from upstream
+
+* Tue Mar 26 2024 gengqihu <gengqihu2@h-partners.com> - 3.5-3
+- backport bugfix from upstream
+
+* Sat Nov 25 2023 huangzq6 <huangzhenqiang2@huawei.com> - 3.5-2
+- backport bugfix from upstream
+
+* Mon Jul 17 2023 niuyaru <niuyaru@kylinos.cn> - 3.5-1
+- update to 3.5
+
 * Sat Jan 28 2023 jinlun <jinlun@huawei.com> - 3.4-1
 - update to 3.4
Author	SHA1	Message	Date
openeuler-ci-bot	6fec4303fa	!105 backport patches from upstream From: @Linux_zhang2024 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2025-03-18 01:10:18 +00:00
Linux_zhang	cad2b8d04b	backport patches from upstream	2025-03-18 08:34:03 +08:00
openeuler-ci-bot	34c3492659	!96 sync backport patches from upstream From: @markeryang Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2025-03-17 08:39:31 +00:00
markeryang	977186bea8	sync backport patches from upstream	2024-10-15 01:36:33 +00:00
openeuler-ci-bot	e8259bdf05	!88 [sync] PR-83: backport bugfix from upstream From: @openeuler-sync-bot Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2024-03-26 08:17:36 +00:00
gengqihu	59a23d7293	backport bugfix from upstream (cherry picked from commit 1f579cdcb434025d98644a74b2af544feaed51f2)	2024-03-26 16:03:27 +08:00
openeuler-ci-bot	776e4b1d8e	!68 backport bugfix from upsteam From: @huangzq6 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2023-11-25 08:54:25 +00:00
huangzq6	8b894704b7	backport bugfix from upsteam	2023-11-25 10:15:11 +08:00
openeuler-ci-bot	b2dacd571d	!66 Update package to version 3.5 From: @kirin_2_0 Reviewed-by: @jinlun123123, @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2023-07-19 03:13:41 +00:00
kirin_2_0	d5ab7acdfe	updated to latest:3.5	2023-07-19 10:40:42 +08:00