From 4724538b62e4eb846057b227ce12052749bd4473 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Tue, 28 Nov 2023 19:23:34 +0100 Subject: [PATCH] libsepol: reject linking modules with no avrules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Standard policy modules generated by compilers have at least one global av rule. Reject modules otherwise, e.g. generated by a fuzzer. Signed-off-by: Christian Göttsche Acked-by: James Carter Reference: https://github.com/SELinuxProject/selinux/commit/4724538b62e4eb846057b227ce12052749bd4473 Conflict: NA --- libsepol/src/link.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libsepol/src/link.c b/libsepol/src/link.c index 3b7742bc..b8272308 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -2019,7 +2019,7 @@ static int debug_requirements(link_state_t * state, policydb_t * p) memset(&req, 0, sizeof(req)); for (cur = p->global; cur != NULL; cur = cur->next) { - if (cur->enabled != NULL) + if (cur->enabled != NULL || cur->branch_list == NULL) continue; ret = is_decl_requires_met(state, cur->branch_list, &req); @@ -2142,6 +2142,11 @@ static int enable_avrules(link_state_t * state, policydb_t * pol) /* 1) enable all of the non-else blocks */ for (block = pol->global; block != NULL; block = block->next) { block->enabled = block->branch_list; + if (!block->enabled) { + ERR(state->handle, "Global block has no avrules!"); + ret = SEPOL_ERR; + goto out; + } block->enabled->enabled = 1; for (decl = block->branch_list->next; decl != NULL; decl = decl->next) -- 2.33.0