libsepol: reject unsupported policy capabilities

Kernel policies with unsupported policy capabilities enabled can currently be parsed, since they result just in a bit set inside an ebitmap. Writing such a loaded policy into the traditional language or CIL will fail however, since the unsupported policy capabilities can not be converted into a name. Reject kernel policies with invalid policy capabilities. Reported-by: oss-fuzz (issue 60573) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
SELinuxProject · Nov 7, 2023 · 7cf2bfb · 7cf2bfb
1 parent 7b754f7
commit 7cf2bfb
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
@@ -1,6 +1,7 @@
 
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/ebitmap.h>
+#include <sepol/policydb/polcaps.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
 
@@ -1552,6 +1553,23 @@ static int validate_properties(sepol_handle_t *handle, const policydb_t *p)
 	return -1;
 }
 
+static int validate_policycaps(sepol_handle_t *handle, const policydb_t *p)
+{
+	ebitmap_node_t *node;
+	uint32_t i;
+
+	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
+		if (!sepol_polcap_getname(i))
+			goto bad;
+	}
+
+	return 0;
+
+bad:
+	ERR(handle, "Invalid policy capability");
+	return -1;
+}
+
 static void validate_array_destroy(validate_t flavors[])
 {
 	unsigned int i;
@@ -1574,6 +1592,9 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
 	if (validate_properties(handle, p))
 		goto bad;
 
+	if (validate_policycaps(handle, p))
+		goto bad;
+
 	if (p->policy_type == POLICY_KERN) {
 		if (validate_avtab(handle, &p->te_avtab, p, flavors))
 			goto bad;