Backport a patch to fix build failure for refpolicy-mls:
| Creating mls xserver.pp policy package
| libsepol.validate_user_datum: Invalid user datum
| libsepol.validate_datum_array_entries: Invalid datum array entries
| libsepol.validate_policydb: Invalid policydb
| 
/buildarea/build/tmp/work/qemux86_64-poky-linux/refpolicy-mls/2.20220520+gitAUTOINC+f311d401cd-r0/recipe-sysroot-native/usr/bin/semodule_package:
Error while reading policy module from tmp/xserver.mod
| make: *** [Rules.modular:98: xserver.pp] Error 1

Signed-off-by: Yi Zhao <[email protected]>
---
 ...idation-of-user-declarations-in-modu.patch | 80 +++++++++++++++++++
 recipes-security/selinux/libsepol_3.4.bb      |  2 +
 2 files changed, 82 insertions(+)
 create mode 100644 
recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch

diff --git 
a/recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch
 
b/recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch
new file mode 100644
index 0000000..47c1806
--- /dev/null
+++ 
b/recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch
@@ -0,0 +1,80 @@
+From 4831f73dd356fd72916f594dbeae44d26c93bb6b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <[email protected]>
+Date: Tue, 7 Jun 2022 17:01:45 +0200
+Subject: [PATCH] libsepol: fix validation of user declarations in modules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Users are allowed to be declared in modules. Modules do not get expanded
+leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel`
+empty.
+Do no validate the expanded range and level for modular polices.
+
+Reported-by: bauen1 <[email protected]>
+Signed-off-by: Christian Göttsche <[email protected]>
+Acked-by: James Carter <[email protected]>
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/selinux/commit/88a703399f3f44be2502fd4ecd22ac3d3c560694]
+
+Signed-off-by: Yi Zhao <[email protected]>
+---
+ src/policydb_validate.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/policydb_validate.c b/src/policydb_validate.c
+index da18282..99d4eb7 100644
+--- a/src/policydb_validate.c
++++ b/src/policydb_validate.c
+@@ -18,7 +18,7 @@ typedef struct validate {
+ typedef struct map_arg {
+       validate_t *flavors;
+       sepol_handle_t *handle;
+-      int mls;
++      policydb_t *policy;
+ } map_arg_t;
+ 
+ static int create_gap_ebitmap(char **val_to_name, uint32_t nprim, ebitmap_t 
*gaps)
+@@ -571,7 +571,7 @@ static int validate_mls_range(mls_range_t *range, 
validate_t *sens, validate_t *
+       return -1;
+ }
+ 
+-static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, 
validate_t flavors[], int mls)
++static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, 
validate_t flavors[], policydb_t *p)
+ {
+       if (validate_value(user->s.value, &flavors[SYM_USERS]))
+               goto bad;
+@@ -581,9 +581,9 @@ static int validate_user_datum(sepol_handle_t *handle, 
user_datum_t *user, valid
+               goto bad;
+       if (validate_mls_semantic_level(&user->dfltlevel, &flavors[SYM_LEVELS], 
&flavors[SYM_CATS]))
+               goto bad;
+-      if (mls && validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], 
&flavors[SYM_CATS]))
++      if (p->mls && p->policy_type != POLICY_MOD && 
validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
+               goto bad;
+-      if (mls && validate_mls_level(&user->exp_dfltlevel, 
&flavors[SYM_LEVELS], &flavors[SYM_CATS]))
++      if (p->mls && p->policy_type != POLICY_MOD && 
validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], 
&flavors[SYM_CATS]))
+               goto bad;
+       if (user->bounds && validate_value(user->bounds, &flavors[SYM_USERS]))
+               goto bad;
+@@ -599,7 +599,7 @@ static int 
validate_user_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
+ {
+       map_arg_t *margs = args;
+ 
+-      return validate_user_datum(margs->handle, d, margs->flavors, 
margs->mls);
++      return validate_user_datum(margs->handle, d, margs->flavors, 
margs->policy);
+ }
+ 
+ static int validate_bool_datum(sepol_handle_t *handle, cond_bool_datum_t 
*boolean, validate_t flavors[])
+@@ -689,7 +689,7 @@ static int validate_datum(__attribute__ 
((unused))hashtab_key_t k, hashtab_datum
+ 
+ static int validate_datum_array_entries(sepol_handle_t *handle, policydb_t 
*p, validate_t flavors[])
+ {
+-      map_arg_t margs = { flavors, handle, p->mls };
++      map_arg_t margs = { flavors, handle, p };
+ 
+       if (hashtab_map(p->p_commons.table, validate_common_datum_wrapper, 
&margs))
+               goto bad;
+-- 
+2.25.1
+
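Review bot: The rationale for exempting modules from the expanded-MLS checks lives only in the backported patch's description ("Modules do not get expanded leaving ... exp_range and exp_dfltlevel empty"), not next to the two new `p->mls && p->policy_type != POLICY_MOD && ...` guards in validate_user_datum, so a reader of policydb_validate.c sees the expanded range and level silently skipped for one policy type with no hint why. I would carry that reasoning into the code as a comment above the first guard, e.g. `/* exp_range/exp_dfltlevel are filled in by expansion, which modules (POLICY_MOD) never undergo; they stay empty here */`. Since this file is a verbatim upstream backport with an Upstream-Status tag, the comment is best proposed upstream rather than as a local deviation. The inner hunks of the nested patch cut through validate_user_datum, whose body begins and ends outside the quoted lines.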
diff --git a/recipes-security/selinux/libsepol_3.4.bb 
b/recipes-security/selinux/libsepol_3.4.bb
index 49312da..e756557 100644
--- a/recipes-security/selinux/libsepol_3.4.bb
+++ b/recipes-security/selinux/libsepol_3.4.bb
@@ -11,6 +11,8 @@ require selinux_common.inc
 
 inherit lib_package
 
+SRC_URI += 
"file://0001-libsepol-fix-validation-of-user-declarations-in-modu.patch"
+
 S = "${WORKDIR}/git/libsepol"
 
 DEPENDS = "flex-native"
-- 
2.25.1
