tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

libselinux: fix string conversion of unknown perms

Browse source 
Commit c19395d722 fixed some handling of unknown
classes/permissions, but missed the case where an unknown permission is loaded
and then subsequently logged, either via denial or auditallow. If a permission
set has some valid values mixed with unknown values, say `{ read write foo }`,
a check on `{ read write foo }` would fail to log the entire set.

To fix this, skip over the bad permissions/classes when expanding them to
strings. The unknowns should be logged during `selinux_set_mapping`, so
there is no need for further logging of the actual unknown permissions.

Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
This commit is contained in:
Mike Palmiotto 2019-09-16 16:30:15 -04:00 committed by stephensmalley
parent cfc57c2e70
commit 86df2b27a7
1 changed files with 8 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
libselinux/src/stringrep.c
View file

@ -268,7 +268,7 @@ const char *security_av_perm_to_string(security_class_t tclass,
int security_av_string(security_class_t tclass, access_vector_t av, char **res) int security_av_string(security_class_t tclass, access_vector_t av, char **res)
{ {
unsigned int i = 0; unsigned int i;
size_t len = 5; size_t len = 5;
access_vector_t tmp = av; access_vector_t tmp = av;
int rc = 0; int rc = 0;
@ -276,19 +276,12 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
char *ptr; char *ptr;
/* first pass computes the required length */ /* first pass computes the required length */
while (tmp) { for (i = 0; tmp; tmp >>= 1, i++) {
if (tmp & 1) { if (tmp & 1) {
str = security_av_perm_to_string(tclass, av & (1<<i)); str = security_av_perm_to_string(tclass, av & (1<<i));
if (str) if (str)
len += strlen(str) + 1; len += strlen(str) + 1;
else {
rc = -1;
errno = EINVAL;
goto out;
}
} }
tmp >>= 1;
i++;
} }
*res = malloc(len); *res = malloc(len);
@ -298,7 +291,6 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
} }
/* second pass constructs the string */ /* second pass constructs the string */
i = 0;
tmp = av; tmp = av;
ptr = *res; ptr = *res;
@ -308,12 +300,12 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
} }
ptr += sprintf(ptr, "{ "); ptr += sprintf(ptr, "{ ");
while (tmp) { for (i = 0; tmp; tmp >>= 1, i++) {
if (tmp & 1) if (tmp & 1) {
ptr += sprintf(ptr, "%s ", security_av_perm_to_string( str = security_av_perm_to_string(tclass, av & (1<<i));
tclass, av & (1<<i))); if (str)
tmp >>= 1; ptr += sprintf(ptr, "%s ", str);
i++; }
} }
sprintf(ptr, "}"); sprintf(ptr, "}");
out: out: