[meta-rockchip][PATCH] use uuid instead of hard-coding root device
Trevor Woerner
Recent upstream kernel changes have made the mmc probing order unpredictable.
Therefore, boards with both an emmc and sdmmc interface aren't guaranteed to boot with a hard-coded root device selected. For example, on the rock64, with linux-yocto 5.10.y, using the uSD card (i.e. the sdmmc interface) about 50% of the time the boot would succeed, and roughly 50% of the time it wouldn't:

...
[ 0.612233] Waiting for root device /dev/mmcblk1p7...
[ 0.634551] mmc_host mmc1: Bus speed (slot 0) = 300000Hz (slot req 300000Hz, actual 300000HZ div = 0)
[ 0.639064] mmc_host mmc0: Bus speed (slot 0) = 50000000Hz (slot req 50000000Hz, actual 50000000HZ di)
[ 0.640007] mmc0: new high speed SDXC card at address 5048
[ 0.641176] mmcblk0: mmc0:5048 SD64G 58.0 GiB
[ 0.647610] random: fast init done
[ 0.648279] GPT:Primary header thinks Alt. header is not at the end of the disk.
[ 0.648941] GPT:376479 != 121634815
[ 0.649252] GPT:Alternate GPT header not at the end of the disk.
[ 0.649796] GPT:376479 != 121634815
[ 0.650106] GPT: Use GNU Parted to correct GPT errors.
[ 0.650598] mmcblk0: p1 p2 p3 p4 p5 p6 p7

NOTE the discrepancy between the kernel waiting for device /dev/mmcblk1p7, which comes from the hard-coded kernel cmdline, and the kernel probing putting the sdmmc on mmcblk0.

With linux-yocto 5.13.y on the rock64 using the uSD card the board would never boot: the sdmmc always appears on mmcblk0.

Instead of simply changing the hard-coded root device (i.e. from mmcblk0 to mmcblk1) switch to using partition UUIDs instead. Hard-coding the boot device would work with 5.13.y but would fail 50% of the time with 5.10.y; who knows what other kernels will do? In any case, switching to UUIDs works regardless of board, kernel, or available mmc interfaces.

Boot tested on:
- rock64
- nanopi-m4-2gb
- tinker-board
- rock-pi-e
- rock-pi-4b
Signed-off-by: Trevor Woerner <twoerner@...> --- conf/machine/include/nanopi-m4.inc | 2 -- conf/machine/include/rock-pi-4.inc | 2 -- conf/machine/include/rockchip-wic.inc | 4 ---- conf/machine/rock64.conf | 3 --- conf/machine/tinker-board-s.conf | 2 -- conf/machine/vyasa-rk3288.conf | 2 -- wic/rockchip.wks | 16 ++++++++-------- 7 files changed, 8 insertions(+), 23 deletions(-) diff --git a/conf/machine/include/nanopi-m4.inc b/conf/machine/include/nanopi-m4.inc index ac6479d..3870b51 100644 --- a/conf/machine/include/nanopi-m4.inc +++ b/conf/machine/include/nanopi-m4.inc @@ -7,5 +7,3 @@ MACHINE_FEATURES += "usbhost serial" KMACHINE = "nanopi-m4" KERNEL_DEVICETREE = "rockchip/rk3399-nanopi-m4.dtb" - -RK_BOOT_DEVICE = "mmcblk1" diff --git a/conf/machine/include/rock-pi-4.inc b/conf/machine/include/rock-pi-4.inc index b6fb3dd..0a86846 100644 --- a/conf/machine/include/rock-pi-4.inc +++ b/conf/machine/include/rock-pi-4.inc @@ -3,6 +3,4 @@ MACHINEOVERRIDES =. "rock-pi-4:" require conf/machine/include/rk3399.inc -RK_BOOT_DEVICE = "mmcblk1" - MACHINE_EXTRA_RRECOMMENDS += "kernel-modules" diff --git a/conf/machine/include/rockchip-wic.inc b/conf/machine/include/rockchip-wic.inc index b5939f7..15010a0 100644 --- a/conf/machine/include/rockchip-wic.inc +++ b/conf/machine/include/rockchip-wic.inc @@ -20,11 +20,7 @@ IMAGE_BOOT_FILES = " \ RK_CONSOLE_BAUD ?= "${@d.getVar('SERIAL_CONSOLES').split(';')[0]}" RK_CONSOLE_DEVICE ?= "${@d.getVar('SERIAL_CONSOLES').split(';')[1].split()[0]}" -# boot device (sd-card/emmc) -RK_BOOT_DEVICE ??= "mmcblk0" - WICVARS:append = " \ - RK_BOOT_DEVICE \ RK_CONSOLE_BAUD \ RK_CONSOLE_DEVICE \ SPL_BINARY \ diff --git a/conf/machine/rock64.conf b/conf/machine/rock64.conf index 21755a8..fa75a51 100644 --- a/conf/machine/rock64.conf +++ b/conf/machine/rock64.conf 
@@ -12,7 +12,4 @@ MACHINE_FEATURES += "usbhost serial" UBOOT_MACHINE = "rock64-rk3328_defconfig" KERNEL_DEVICETREE = "rockchip/rk3328-rock64.dtb" -# set to mmcblk0 for booting from optional eMMC -RK_BOOT_DEVICE ?= "mmcblk1" - KBUILD_DEFCONFIG = "defconfig" diff --git a/conf/machine/tinker-board-s.conf b/conf/machine/tinker-board-s.conf index 9f44f2f..870b9bc 100644 --- a/conf/machine/tinker-board-s.conf +++ b/conf/machine/tinker-board-s.conf @@ -9,5 +9,3 @@ require conf/machine/include/tinker.inc KERNEL_DEVICETREE = "rk3288-tinker-s.dtb" UBOOT_MACHINE = "tinker-s-rk3288_defconfig" - -RK_BOOT_DEVICE ?= "mmcblk1" diff --git a/conf/machine/vyasa-rk3288.conf b/conf/machine/vyasa-rk3288.conf index 9ad1ed4..5b44257 100644 --- a/conf/machine/vyasa-rk3288.conf +++ b/conf/machine/vyasa-rk3288.conf @@ -13,5 +13,3 @@ KERNEL_DEVICETREE = "rk3288-vyasa.dtb" KERNEL_EXTRA_ARGS += "LOADADDR=0x02000000" UBOOT_MACHINE = "vyasa-rk3288_defconfig" - -RK_BOOT_DEVICE = "mmcblk2" diff --git a/wic/rockchip.wks b/wic/rockchip.wks index eedae0d..5ee276b 100644 --- a/wic/rockchip.wks +++ b/wic/rockchip.wks 
@@ -15,12 +15,12 @@ # boot 32768 229376 # root 262144 - (suggested) -part loader1 --offset 32 --fixed-size 4000K --ondisk ${RK_BOOT_DEVICE} --source rawcopy --sourceparams="file=${SPL_BINARY}" -part reserved1 --offset 4032 --fixed-size 64K --ondisk ${RK_BOOT_DEVICE} -part reserved2 --offset 4096 --fixed-size 4096K --ondisk ${RK_BOOT_DEVICE} -part loader2 --offset 8192 --fixed-size 4096K --ondisk ${RK_BOOT_DEVICE} --source rawcopy --sourceparams="file=u-boot.${UBOOT_SUFFIX}" -part atf --offset 12288 --fixed-size 4096K --ondisk ${RK_BOOT_DEVICE} -part /boot --offset 16384 --size 114688K --active --ondisk ${RK_BOOT_DEVICE} --source bootimg-partition --fstype=vfat --label boot --sourceparams="loader=u-boot" -part / --ondisk ${RK_BOOT_DEVICE} --source rootfs --fstype=ext4 --label root +part loader1 --offset 32 --fixed-size 4000K --source rawcopy --sourceparams="file=${SPL_BINARY}" +part reserved1 --offset 4032 --fixed-size 64K +part reserved2 --offset 4096 --fixed-size 4096K +part loader2 --offset 8192 --fixed-size 4096K --source rawcopy --sourceparams="file=u-boot.${UBOOT_SUFFIX}" +part atf --offset 12288 --fixed-size 4096K +part /boot --offset 16384 --size 114688K --active --source bootimg-partition --fstype=vfat --label boot --sourceparams="loader=u-boot" +part / --source rootfs --fstype=ext4 --label root --use-uuid -bootloader --ptable gpt --append="console=tty1 console=${RK_CONSOLE_DEVICE},${RK_CONSOLE_BAUD}n8 rw root=/dev/${RK_BOOT_DEVICE}p7 rootfstype=ext4 init=/sbin/init" +bootloader --ptable gpt --append="console=tty1 console=${RK_CONSOLE_DEVICE},${RK_CONSOLE_BAUD}n8 rw rootfstype=ext4 init=/sbin/init" -- 2.30.0.rc0 |
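Review bot: in the wic/rockchip.wks hunk the `--append` string no longer carries any `root=` at all, so the root device now depends entirely on wic honouring `--use-uuid` on the `part /` line and injecting `root=PARTUUID=...` into the generated u-boot boot configuration. That deserves a one-line comment next to the `bootloader` line (and a sentence in the commit message); otherwise the next person who sees a cmdline without `root=` will add a hard-coded `/dev/mmcblkNp7` back. The rock64.conf hunk also drops the only comment telling users about booting from the optional eMMC, so the commit message should state that no per-board setting is needed any more because the PARTUUID is found wherever the image was written.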
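As an added example (not part of Trevor's patch or of meta-rockchip), a small Python checker that reads the kind of boot log quoted above and flags the probe-order mismatch: the device named in "Waiting for root device" is compared with the mmcblk disks and partitions the kernel actually enumerated, and a second helper reports whether a kernel cmdline pins root by PARTUUID/UUID/LABEL (what `--use-uuid` produces) rather than by a /dev/mmcblkNpM node. The log lines are a constructed sample copied from the message and all function names are mine.

```python
import re

# Constructed sample, taken from the boot log quoted in the patch description:
# the cmdline waits for mmcblk1p7 while the uSD card came up as mmcblk0.
SAMPLE_DMESG = """\
[    0.612233] Waiting for root device /dev/mmcblk1p7...
[    0.634551] mmc_host mmc1: Bus speed (slot 0) = 300000Hz (slot req 300000Hz, actual 300000HZ div = 0)
[    0.639064] mmc_host mmc0: Bus speed (slot 0) = 50000000Hz (slot req 50000000Hz, actual 50000000HZ di)
[    0.640007] mmc0: new high speed SDXC card at address 5048
[    0.641176] mmcblk0: mmc0:5048 SD64G 58.0 GiB
[    0.650598] mmcblk0: p1 p2 p3 p4 p5 p6 p7
"""

WAIT_RE = re.compile(r"Waiting for root device (\S+?)\.\.\.")
PART_RE = re.compile(r"\b(mmcblk\d+): ((?:p\d+\s*)+)$")
DEV_RE = re.compile(r"^/dev/(mmcblk\d+)(p\d+)$")


def parse_root_wait(log):
    """Return the device the kernel is waiting on, or None if it never waited."""
    for line in log.splitlines():
        m = WAIT_RE.search(line)
        if m:
            return m.group(1)
    return None


def parse_partitions(log):
    """Map each probed mmcblk disk to the partition names the kernel found on it."""
    disks = {}
    for line in log.splitlines():
        m = PART_RE.search(line.rstrip())
        if m:
            disks[m.group(1)] = m.group(2).split()
    return disks


def diagnose(log):
    """Classify a boot log: 'ok', 'probe-order mismatch', 'no such partition' or 'no root wait'."""
    root = parse_root_wait(log)
    disks = parse_partitions(log)
    result = {"root": root, "probed": disks, "verdict": "no root wait", "candidates": []}
    if root is None:
        return result
    m = DEV_RE.match(root)
    if not m:
        result["verdict"] = "unrecognised root device"
        return result
    disk, part = m.groups()
    if part in disks.get(disk, []):
        result["verdict"] = "ok"
        return result
    # The requested disk never showed up (or lacks that partition), but another
    # mmcblk disk carries the same partition number: the classic probe-order flip.
    result["candidates"] = ["/dev/%s%s" % (d, part)
                            for d, parts in sorted(disks.items()) if part in parts]
    result["verdict"] = "probe-order mismatch" if result["candidates"] else "no such partition"
    return result


def root_is_stable(cmdline):
    """True if root= names the filesystem by PARTUUID/UUID/LABEL, not by a probe-order-dependent node."""
    for token in cmdline.split():
        if token.startswith("root="):
            value = token[len("root="):]
            return value.split("=", 1)[0] in ("PARTUUID", "UUID", "LABEL")
    return False  # no root= at all: nothing pins the root device


if __name__ == "__main__":
    print(diagnose(SAMPLE_DMESG))
    print(root_is_stable("console=tty1 rw root=/dev/mmcblk1p7 rootfstype=ext4"))
```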
[ANNOUNCEMENT] Yocto Project 3.3.3 (hardknott-25.0.3) is Released
Vineela
Hello,
We are pleased to announce the Yocto Project 3.3.3 (hardknott-25.0.3) Release is now available for download.
http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.3/poky-hardknott-25.0.3.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.3.3/poky-hardknott-25.0.3.tar.bz2
A gpg signed version of these release notes is available at:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.3/RELEASENOTES
Full Test Report:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.3/testreport.txt
Thank you for everyone's contributions to this release.
Vineela Tummalapalli, Yocto Project Build and Release
-------------------------- yocto-3.3.3 Release Notes --------------------------
-------------------------- Repositories/Downloads --------------------------
Repository Name: poky
Repository Location: https://git.yoctoproject.org/git/poky
Branch: hardknott
Tag: yocto-3.3.3
Git Revision: 0a2ca9d60f3851515a79d5aa9ddd8b4069b5a206
Release Artefact: poky-hardknott-25.0.3
sha: 0cde2e0a3a626bf1faaa3a5a77dcd86dde01cb3914700941fd657e0b9f72d2df
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.3/poky-hardknott-25.0.3.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.3.3/poky-hardknott-25.0.3.tar.bz2

Repository Name: openembedded-core
Repository Location: https://git.openembedded.org/openembedded-core
Branch: hardknott
Tag: 2021-04.3-hardknott
Git Revision: 567dd35d893c5d8969d41f263a24da8fbae3fc2f
Release Artefact: oecore-hardknott-25.0.3
sha: a831a78adfd040af91fc1facc59f423eb1c6c38a0bceb997734657d1ef99a515
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.3/oecore-hardknott-25.0.3.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.3.3/oecore-hardknott-25.0.3.tar.bz2

Repository Name: meta-mingw
Repository Location: https://git.yoctoproject.org/git/meta-mingw
Branch: hardknott
Tag: yocto-3.3.3
Git Revision: 422b96cb2b6116442be1f40dfb5bd77447d1219e
Release Artefact: meta-mingw-hardknott-25.0.3
sha: 63bdafffb987704b0ea32ca51000fc9b86585dc0c3d243bf498cb90ab4b530f4
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.3/meta-mingw-hardknott-25.0.3.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.3.3/meta-mingw-hardknott-25.0.3.tar.bz2

Repository Name: meta-gplv2
Repository Location: https://git.yoctoproject.org/git/meta-gplv2
Branch: hardknott
Tag: yocto-3.3.3
Git Revision: 9e119f333cc8f53bd3cf64326f826dbc6ce3db0f
Release Artefact: meta-gplv2-hardknott-25.0.3
sha: b23eb8f0cd524a569eb65881418d5334e23d0e0ab37636669953de2b7f4e576e
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.3/meta-gplv2-hardknott-25.0.3.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.3.3/meta-gplv2-hardknott-25.0.3.tar.bz2

Repository Name: bitbake
Repository Location: https://git.openembedded.org/bitbake
Branch: 1.50
Tag: 2021-04.3-hardknott
Git Revision: c7b506d11df78cfc4610db6578745eaa6220b13a
Release Artefact: bitbake-hardknott-25.0.3
sha: adfc2d81760142cc9168ae0bb965a8be5fdbe0e94bdfd6b34bce2d6f487bb9f3
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.3.3/bitbake-hardknott-25.0.3.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.3.3/bitbake-hardknott-25.0.3.tar.bz2

Repository Name: yocto-docs
Repository Location: https://git.yoctoproject.org/git/yocto-docs
Branch: hardknott
Tag: yocto-3.3.3
Git Revision: d890e8fcf0c43ea911c04e84b80c250432236010
-------------- Contributors --------------
Alexander Kanavin, Alexandre Belloni, Andrej Valek, Anton Blanchard, Anuj Mittal, Armin Kuster, Bruce Ashfield, Changqing Li, Chen Qi, Damian Wrobel, Dmitry Baryshkov, hongxu, Joe Slater, Jon Mason, Jose Quaresma, Joshua Watt, Khairul Rohaizzat Jamaluddin, Khem Raj, Lee Chee Yang, leimaohui, Marek Vasut, Marta Rybczynska, Matthias Klein, Matthias Schiffer, Michael Opdenacker, Mingli Yu, Nicolas Dechesne, Oleksandr Kravchuk, Oleksandr Popovych, Patrick Williams, Paul Barker, Ralph Siemsen, Randy MacLeod, Richard Purdie, Ross Burton, Sakib Sajal, Teoh Jay Shen, Tony Tascioglu, Trevor Gamblin, Ulrich Ölmann, Vinay Kumar, wangmy
--------------- Known Issues ---------------
stap.StapTest.test_stap failure: This is a systemtap issue on some 64 bit x86 platforms. The fix is available in master and will be ported to hardknott.
--------------- Security Fixes ---------------
xdg-utils: Add fix for CVE-2020-27748
cpio: backport fix for CVE-2021-38185
lz4: Security Fix for CVE-2021-3520
bluez5: fix CVE-2021-3658
glibc: Fix CVE-2021-38604
lzo: add CVE_PRODUCT
tar: ignore node-tar CVEs
ffmpeg: fix CVE-2020-22019 and CVE-2020-22033
ffmpeg: fix CVE-2020-22021
ffmpeg: fix CVE-2020-22015
ffmpeg: fix CVE-2020-20453
ffmpeg: fix CVE-2020-20446
qemu: fix CVE-2021-3608
qemu: fix CVE-2021-3607
qemu: fix CVE-2021-3582
glibc: Fix CVE-2021-35942
qemu: fix CVE-2021-3527
qemu: fix virtio vhost-user-gpu CVEs
util-linux: fix CVE 2021-37600
curl: fix CVES
curl: fix CVE-2021-22925
cve-check: improve comment about CVE patch file names
cve-check: update link to NVD website for CVE details
aspell: fix CVE-2019-25051
zstd: fix CVE_PRODUCT
avahi: fix CVE-2021-36217, crash on pinging '.local'
glibc: Fix CVE-2021-33574
systemd: fix CVE-2020-13529
go: fix CVE-2020-29509, CVE-2020-29511
python3-pip: fix CVE-2021-3572
--------------- Fixes ---------------
build-appliance-image: Update to hardknott head revision
oeqa/runtime/parselogs: Make DVD ata error apply to all qemux86 machines
parselogs.py: ignore intermittent CD/DVDROM identification failure
linux-yocto/5.10: update to v5.10.60
linux-yocto/5.10: update to v5.10.59
vim: add option to disable NLS support
sdk: Decouple default install path from built in path
kernel-yocto: Simplify no git repo case in do_kernel_checkout
bitbake: server: Fix early parsing errors preventing zombie bitbake
build-appliance-image: Update to hardknott head revision
poky.conf: bump version for 3.3.3 hardknott release
documentation: prepare for 3.3.3 release
linux-yocto/5.4: update to v5.4.142
linux-yocto/5.4: update to v5.4.141
linux-firmware: upgrade 20210511 -> 20210818
image_types: Restore pre-btrfs-tools 4.14.1 mkfs.btrfs shrink behavior
tcf-agent: fetching over git:// no longer works
weston: Re-order gbm destruction at DRM-backend tear down
file: fix close_on_exec for multithreaded decompression
openssl: upgrade from 1.1.1k to 1.1.1l
icu: increase pkgdata command buffer size
sdk: Enable do_populate_sdk with multilibs
sdk: fix relocate symlink failed
wic: don't forcibly pass -T default
e2fsprogs: ensure small images have 256-byte inodes
utils: Reduce the number of calls to the "dirname" command
kernel-devsrc: fix 5.14+ objtool compilation
kernel-devsrc: 5.14+ updates
linux-yocto/5.10: update to v5.10.57
linux-yocto/5.4: update to v5.4.139
linux-yocto/5.4: update to v5.4.137
linux-yocto/5.10: update to v5.10.55
terminal.bbclass: force bash for devshell
oeqa/runtime/cases: make date.DateTest.test_date more reliable
kmod: use nonarch_base_libdir for depmod.d and modprobe.d
pixman: re-disable iwmmxt
sstate.bbclass: fix error handling when sstate mirrors is ro
linux-firmware: add more Qualcomm firmware packages
go: upgrade 1.16.5 -> 1.16.7
gnutls: upgrade 3.7.1 -> 3.7.2
gnutls: Point to staging area for finding seccomp libs and includes
gnutls: Enable seccomp if FEATURE is set
nettle: update 3.7.2 -> 3.7.3
cve-check: fix comments
oeqa/runtime/cases/ptest: Increase test timeout from 300s to 450s
createrepo-c: fix createrepo-c failed in nativesdk
runqemu: Fix typo in error message
license: Exclude COPYING.MIT from pseudo
sstate: Fix rebuilds when changing layer config
linux-yocto/5.10: enable TYPEC_TCPCI in usbc fragment
linux-yocto-rt/5.10: update to -rt47
linux-yocto/5.4: update to v5.4.135
linux-yocto/5.10: update to v5.10.53
devtool: print a warning on upgrades if PREFERRED_VERSION is set
parselogs.py: qemuarm should be qemuarmv5
stress-ng: Drop defining daddr_t
oe-setup-builddir: update YP docs and OE URLs
ovmf: Fix VLA warnings with GCC 11
update-rc.d: update SRCREV to pull in fix for non-bash shell support
archiver.bbclass: fix do_ar_configured failure for kernel
yocto-check-layer: ensure that all layer dependencies are tested too
checklayer: rename _find_layer_depends
checklayer: new function get_layer_dependencies()
yocto-check-layer: improve missed dependencies
glew: fix Makefile race
initramfs-framework/setup-live: fix shebang
initramfs-framework: fix whitespace issue
bitbake.conf: change GNOME_MIRROR to new one
initscripts: fix creation order for /var/log with VOLATILE_LOG_DIR=true
archiver.bbclass: Fix patch error for recipes that inherit dos2unix.
oeqa/manual/toaster: fix small typo
linux-yocto/5.4: update to v5.4.134
linux-yocto/5.10: update to v5.10.52
parted: skip tests that need vfat support
parted: fix ptest RRECOMMENDS
parted: improve ptest execution
linux-yocto/5.4: update to v5.4.132
linux-yocto/5.10: update to v5.10.50
linux-yocto/5.4: update to v5.4.131
linux-yocto/5.10: update to v5.10.49
linux-yocto: add vfat KERNEL_FEATURE when MACHINE_FEATURES include vfat
valgrind: skip flaky ptest fb_test_amd64
devtool: correctly handle non-standard source tree locations in upgrades
gobject-introspection: Fix the license (add MIT)
sstate: Drop pseudo exclusion
pseudo: Update to latest version including statx fix
pseudo: Add uninative configuration sanity check
netbase: use git fetcher
bitbake: data_smart: Allow colon in variable expansion regex
bitbake: data_smart/parse: Allow ':' characters in variable/function names
Re: Minutes: Yocto Project Weekly Triage Meeting 9/16/2021
Trevor Gamblin
On 2021-09-16 11:33 a.m., Trevor Gamblin wrote:
> I've moved Old Milestone AB-INT defects to M4 and pinged the group internally.
Correction: AB-INT bug count is at 52.
Re: [meta-rockchip][PATCH] rock64: enable lima with rock64
Trevor Woerner
On Wed, Sep 15, 2021 at 5:10 PM Trevor Woerner <twoerner@...> wrote:
> The rock64 has an ARM Mali 450 MP2 GPU, therefore enable mesa's lima for
Applied to meta-rockchip master.
[ptest-runner][PATCH 3/3] utils.c: add system data collection when a test gets stuck.
Alexander Kanavin
Currently, ptest-runner simply kills the offending test without further ado,
which is not at all helpful when trying to figure out why it happens (especially if such hangs are intermittent and rare). There's now a script that gets executed before killing the test, so ideas on what to have in it are welcome. Signed-off-by: Alexander Kanavin <alex@...> --- Makefile | 2 +- ptest-runner-collect-system-data | 6 ++++++ utils.c | 24 ++++++++++++++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100755 ptest-runner-collect-system-data diff --git a/Makefile b/Makefile index a6372de..168cf5a 100644 --- a/Makefile +++ b/Makefile @@ -43,7 +43,7 @@ $(TEST_EXECUTABLE): $(TEST_OBJECTS) $(CC) $(LDFLAGS) $(TEST_OBJECTS) -o $@ $(TEST_LIBSTATIC) $(TEST_LDFLAGS) check: $(TEST_EXECUTABLE) - ./$(TEST_EXECUTABLE) -d $(TEST_DATA) + PATH=.:$(PATH) ./$(TEST_EXECUTABLE) -d $(TEST_DATA) .c.o: $(CC) $(CFLAGS) -c $< -o $@ diff --git a/ptest-runner-collect-system-data b/ptest-runner-collect-system-data new file mode 100755 index 0000000..ba335da --- /dev/null +++ b/ptest-runner-collect-system-data @@ -0,0 +1,6 @@ +#!/bin/sh +# Other ideas on what to do when a ptest gets stuck welcome. +dmesg +pstree -a -l +df +free diff --git a/utils.c b/utils.c index 58c3aa1..a67ac11 100644 --- a/utils.c +++ b/utils.c @@ -281,6 +281,27 @@ close_fds(void) } } +static void +collect_system_state(FILE* fout) +{ + char *cmd = "ptest-runner-collect-system-data"; + + char buf[1024]; + FILE *fp; + + if ((fp = popen(cmd, "r")) == NULL) { + fprintf(fout, "Error opening pipe!\n"); + } + + while (fgets(buf, 1024, fp) != NULL) { + fprintf(fout, "%s", buf); + } + + if(pclose(fp)) { + fprintf(fout, "Command not found or exited with error status\n"); + } +} + static void * read_child(void *arg) { 
@@ -313,6 +334,9 @@ read_child(void *arg) } } else if (r == 0) { + // no output from the test after a timeout; the test is stuck, so collect + // as much data from the system as possible and kill the test + collect_system_state(_child_reader.fps[0]); _child_reader.timeouted = 1; kill(-_child_reader.pid, SIGKILL); } -- 2.33.0 |
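Review bot: in the `collect_system_state()` hunk the `popen()` failure path only prints "Error opening pipe!" and falls through, so `fgets(buf, 1024, fp)` and `pclose(fp)` are then called with `fp == NULL` and the reader thread crashes on exactly the path that is meant to be diagnostic; add a `return;` after the `fprintf()`. While there, use `sizeof(buf)` instead of the literal `1024`, and note that `pclose()` returns the raw wait status, so the "exited with error status" message also fires when the script is killed by a signal.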
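Review bot: the Makefile hunk only prepends `.` to PATH for `make check`; nothing else in this three-file patch installs `ptest-runner-collect-system-data`, so on a target where the script is not on PATH the `popen()` succeeds (the shell starts), the shell reports the command as not found, and the log ends up with "Command not found or exited with error status" and no system data, which defeats the purpose of the change. Either install the script alongside the binary in the install target or invoke it by a path derived from the install prefix.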
[ptest-runner][PATCH 2/3] utils.c: handle test timeouts directly with poll()
Alexander Kanavin
If poll()'s timeout expires, that means the test did not
produce any output, which is exactly what we need to catch. So there's no need to set up separate timeouts with signals and alarms, and this greatly simplifies more sophisticated processing of hanging tests (such as collecting overall system data). Signed-off-by: Alexander Kanavin <alex@...> --- utils.c | 34 ++++++++++------------------------ 1 file changed, 10 insertions(+), 24 deletions(-) diff --git a/utils.c b/utils.c index 128ff61..58c3aa1 100644 --- a/utils.c +++ b/utils.c @@ -51,7 +51,6 @@ #include "utils.h" #define GET_STIME_BUF_SIZE 1024 -#define WAIT_CHILD_POLL_TIMEOUT_MS 200 #define WAIT_CHILD_BUF_MAX_SIZE 1024 #define UNUSED(x) (void)(x) @@ -296,7 +295,7 @@ read_child(void *arg) pfds[1].events = POLLIN; do { - r = poll(pfds, 2, WAIT_CHILD_POLL_TIMEOUT_MS); + r = poll(pfds, 2, _child_reader.timeout*1000); if (r > 0) { char buf[WAIT_CHILD_BUF_MAX_SIZE]; ssize_t n; @@ -313,10 +312,10 @@ read_child(void *arg) fwrite(buf, (size_t)n, 1, _child_reader.fps[1]); } - /* Child output reset alarm */ - alarm(0); - alarm(_child_reader.timeout); - } + } else if (r == 0) { + _child_reader.timeouted = 1; + kill(-_child_reader.pid, SIGKILL); + } fflush(_child_reader.fps[0]); fflush(_child_reader.fps[1]); @@ -344,26 +343,11 @@ run_child(char *run_ptest, int fd_stdout, int fd_stderr) /* exit(1); not needed? */ } -static void -timeout_child_handler(int signo) -{ - UNUSED(signo); - _child_reader.timeouted = 1; - kill(-_child_reader.pid, SIGKILL); -} - static inline int -wait_child(pid_t pid, unsigned int timeout) +wait_child(pid_t pid) { int status = -1; - _child_reader.timeout = timeout; - _child_reader.timeouted = 0; - _child_reader.pid = pid; - - /* setup alarm to timeout based on std{out,err} in the child */ - alarm(timeout); - waitpid(pid, &status, 0); if (WIFEXITED(status)) status = WEXITSTATUS(status); 
@@ -462,6 +446,8 @@ run_ptests(struct ptest_list *head, const struct ptest_options opts, _child_reader.fds[1] = pipefd_stderr[0]; _child_reader.fps[0] = fp; _child_reader.fps[1] = fp_stderr; + _child_reader.timeout = opts.timeout; + _child_reader.timeouted = 0; rc = pthread_create(&tid, NULL, read_child, NULL); if (rc != 0) { fprintf(fp, "ERROR: Failed to create reader thread, %s\n", strerror(errno)); @@ -469,7 +455,6 @@ run_ptests(struct ptest_list *head, const struct ptest_options opts, close(pipefd_stdout[1]); break; } - signal(SIGALRM, timeout_child_handler); fprintf(fp, "START: %s\n", progname); PTEST_LIST_ITERATE_START(head, p) @@ -511,6 +496,7 @@ run_ptests(struct ptest_list *head, const struct ptest_options opts, } else { int status; + _child_reader.pid = child; if (setpgid(child, pgid) == -1) { fprintf(fp, "ERROR: setpgid() failed, %s\n", strerror(errno)); } @@ -520,7 +506,7 @@ run_ptests(struct ptest_list *head, const struct ptest_options opts, fprintf(fp, "BEGIN: %s\n", ptest_dir); - status = wait_child(child, opts.timeout); + status = wait_child(child); entime = time(NULL); duration = entime - sttime; -- 2.33.0 |
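Review bot: `poll(pfds, 2, _child_reader.timeout*1000)` in the `read_child()` hunk passes an `int` millisecond count built from a seconds value that was `unsigned int` in the old `wait_child()` signature; any timeout above 2147483 seconds overflows, and a product that ends up negative makes `poll()` block forever, silently disabling the timeout this patch is meant to implement. Clamp or reject values larger than `INT_MAX / 1000` before the call, or widen the type.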
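Review bot: in the `run_ptests()` hunks, `_child_reader.timeouted = 0` moved out of `wait_child()`, which ran once per test, to the block before `pthread_create()` and `PTEST_LIST_ITERATE_START(head, p)`, which runs once per invocation. Unless it is reset somewhere not shown, the first test that times out leaves `timeouted` set and every following test is reported as timed out; reset it in the per-test branch where `_child_reader.pid = child` is assigned.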
[ptest-runner][PATCH 1/3] tests/utils.c: fix a memory corruption in find_word
Alexander Kanavin
I also took the opportunity to correct a weird API that
returns a result (or not), depending on some internal condition. Signed-off-by: Alexander Kanavin <alex@...> --- tests/utils.c | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/tests/utils.c b/tests/utils.c index 8fffc18..19657ee 100644 --- a/tests/utils.c +++ b/tests/utils.c @@ -26,6 +26,7 @@ #include <stdlib.h> #include <stdio.h> #include <errno.h> +#include <stdbool.h> #include <check.h> @@ -61,16 +62,13 @@ static char *ptests_not_found[] = { static struct ptest_options EmptyOpts; -static inline void -find_word(int *found, const char *line, const char *word) +static inline bool +find_word(const char *line, const char *word) { - - char *pivot = NULL; - - pivot = strdup(line); - pivot[strlen(word)] = '\0'; - if (strcmp(pivot, word) == 0) { *found = 1; } - free(pivot); + if (strncmp(line, word, strlen(word)) == 0) + return true; + else + return false; } static void test_ptest_expected_failure(struct ptest_list *, const unsigned int, char *, @@ -206,18 +204,19 @@ search_for_timeout_and_duration(const int rp, FILE *fp_stdout) const char *timeout_str = "TIMEOUT"; const char *duration_str = "DURATION"; char line_buf[PRINT_PTEST_BUF_SIZE]; - int found_timeout = 0, found_duration = 0; + bool found_timeout = false, found_duration = false; char *line = NULL; ck_assert(rp != 0); while ((line = fgets(line_buf, PRINT_PTEST_BUF_SIZE, fp_stdout)) != NULL) { - find_word(&found_timeout, line, timeout_str); - find_word(&found_duration, line, duration_str); + // once true, stay true + found_timeout = found_timeout ? found_timeout : find_word(line, timeout_str); + found_duration = found_duration ? found_duration : find_word(line, duration_str); } - ck_assert(found_timeout == 1); - ck_assert(found_duration == 1); + ck_assert(found_timeout == true); + ck_assert(found_duration == true); } START_TEST(test_run_timeout_duration_ptest) 
@@ -236,16 +235,18 @@ search_for_fail(const int rp, FILE *fp_stdout) { const char *fail_str = "ERROR: Exit status is 10"; char line_buf[PRINT_PTEST_BUF_SIZE]; - int found_fail = 0; + int found_fail = false; char *line = NULL; ck_assert(rp != 0); while ((line = fgets(line_buf, PRINT_PTEST_BUF_SIZE, fp_stdout)) != NULL) { - find_word(&found_fail, line, fail_str); + found_fail = find_word(line, fail_str); + if (found_fail == true) + break; } - ck_assert(found_fail == 1); + ck_assert(found_fail == true); } START_TEST(test_run_fail_ptest) -- 2.33.0 |
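Review bot: the `find_word()` hunk fixes a real out-of-bounds write, but neither the subject nor the body says what it was; from the removed lines, `pivot[strlen(word)] = '\0'` writes past the end of the `strdup()`'d copy whenever `line` is shorter than `word`, and `strcmp()` then reads the result. State that in the commit message so the fix is reviewable without the old code. The new body can also shrink to `return strncmp(line, word, strlen(word)) == 0;`.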
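Review bot: `int found_fail = false;` in the `search_for_fail()` hunk should be `bool found_fail = false;` to match `found_timeout`/`found_duration` in the previous hunk, given the new `<stdbool.h>` include and the `== true` comparisons that follow.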
[PATCH yocto-autobuilder-helper] scripts/collect-results: copy everything out of tmp/log/oeqa
Alexander Kanavin
There are additional logs there (such as task log or qemu
console output), which can be useful for debugging test failures. [YOCTO #14518] Signed-off-by: Alexander Kanavin <alex@...> --- scripts/collect-results | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/scripts/collect-results b/scripts/collect-results index 93834d6..3663330 100755 --- a/scripts/collect-results +++ b/scripts/collect-results @@ -3,11 +3,9 @@ WORKDIR=$1 DEST=$2 target=$3 -RESFILE=$WORKDIR/tmp/log/oeqa/testresults.json - -if [ -e $RESFILE ]; then - mkdir -p $DEST/$target - cp $WORKDIR/tmp/log/oeqa/testresults.json $DEST/$target/ +mkdir -p $DEST +if [ -e $WORKDIR/tmp/log/oeqa/ ]; then + cp -rf $WORKDIR/tmp/log/oeqa/ $DEST/$target fi if [ -e $WORKDIR/buildhistory ]; then -- 2.20.1 |
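Review bot: `cp -rf $WORKDIR/tmp/log/oeqa/ $DEST/$target` behaves differently depending on whether `$DEST/$target` already exists: the old code did `mkdir -p $DEST/$target` first, the new code only creates `$DEST`, so on a clean run the copied directory itself becomes `$target`, but if `$DEST/$target` is left over from an earlier run the files land in `$DEST/$target/oeqa/` instead. Pick one layout (for example `mkdir -p $DEST/$target` followed by `cp -rf $WORKDIR/tmp/log/oeqa/. $DEST/$target/`), and quote the variables while touching these lines.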
[meta-security][PATCH] tpm-quote-tools: Update SRC_URI
The wget now asks for user info, so use git clone.
Signed-off-by: Armin Kuster <akuster808@...> --- .../recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb index 8486d00..53cf8ff 100644 --- a/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb +++ b/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb @@ -15,9 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8ec30b01163d242ecf07d9cd84e3611f" DEPENDS = "libtspi tpm-tools" -SRC_URI = "${SOURCEFORGE_MIRROR}/tpmquotetools/${PV}/${BP}.tar.gz" - -SRC_URI[md5sum] = "6e194f5bc534301bbaef53dc6d22c233" -SRC_URI[sha256sum] = "10dc4eade02635557a9496b388360844cd18e7864e2eb882f5e45ab2fa405ae2" +SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools" +SRCREV = "4511874d5c9b4504bb96e94f8a14bd6c39a36295" +S = "${WORKDIR}/git" inherit autotools -- 2.25.1 |
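Review bot: the new `SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools"` has no `protocol=` or `branch=` parameter, so the fetcher uses the unauthenticated git:// transport and the default branch. Content is still pinned by the full `SRCREV`, which now replaces the dropped md5/sha256 checksums as the only integrity check, but the transport should be `;protocol=https` and the branch named explicitly (`;branch=master` or whatever upstream's default is), since newer bitbake requires the branch and the pin should not depend on the default branch name staying put.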
Re: [qa-build-notification] QA notification for completed autobuilder build (yocto-3.1.11.rc2)
Teoh, Jay Shen
Hi all,
Intel and WR YP QA is planning for QA execution for YP build yocto-3.1.11.rc2. We are planning to execute following tests for this cycle:

OEQA-manual tests for following module:
1. OE-Core
2. BSP-hw

Runtime auto test for following platforms:
1. MinnowTurbot 32-bit
2. Coffee Lake
3. NUC 7
4. NUC 6
5. Edgerouter
6. Beaglebone

ETA for completion is next Wednesday, Sep 22.

Thanks,
Jay
[meta-selinux][dunfell][PATCH 3/3] secilc: Security fix for CVE-2021-36087
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux MR: 111869 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac ChangeID: b282a68f76e509f548fe6ce46349af56d09481c6 Description: Affects: secilc <= 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/secilc/CVE-2021-36087.patch | 134 ++++++++++++++++++ recipes-security/selinux/secilc_3.0.bb | 2 + 2 files changed, 136 insertions(+) create mode 100644 recipes-security/selinux/secilc/CVE-2021-36087.patch diff --git a/recipes-security/selinux/secilc/CVE-2021-36087.patch b/recipes-security/selinux/secilc/CVE-2021-36087.patch new file mode 100644 index 0000000..ad7bf9b --- /dev/null +++ b/recipes-security/selinux/secilc/CVE-2021-36087.patch 
@@ -0,0 +1,134 @@ +From bad0a746e9f4cf260dedba5828d9645d50176aac Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Mon, 19 Apr 2021 09:06:15 -0400 +Subject: [PATCH] secilc/docs: Update the CIL documentation for various blocks + +Update the documentation for macros, booleans, booleanifs, tunables, +tunableifs, blocks, blockabstracts, blockinherits, and optionals to +tell where these statements can be used and, for those that have +blocks, what statements are not allowed in them. + +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36087 +Signed-off-by: Armin Kuster <akuster@...> + +--- + docs/cil_call_macro_statements.md | 2 ++ + docs/cil_conditional_statements.md | 6 +++++ + docs/cil_container_statements.md | 28 +++++++++++++++-------- + 3 files changed, 26 insertions(+), 10 deletions(-) + +Index: secilc-3.0/docs/cil_call_macro_statements.md +=================================================================== +--- secilc-3.0.orig/docs/cil_call_macro_statements.md ++++ secilc-3.0/docs/cil_call_macro_statements.md +@@ -54,6 +54,8 @@ Note that when resolving macros the call + + - Items defined in the global namespace + ++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. ++ + **Statement definition:** + + (macro macro_id ([(param_type param_id) ...]) +Index: secilc-3.0/docs/cil_conditional_statements.md +=================================================================== +--- secilc-3.0.orig/docs/cil_conditional_statements.md ++++ secilc-3.0/docs/cil_conditional_statements.md +@@ -6,6 +6,8 @@ boolean + + Declares a run time boolean as true or false in the current namespace. 
The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file. + ++[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. ++ + **Statement definition:** + + (boolean boolean_id true|false) +@@ -120,6 +122,8 @@ Tunables are similar to booleans, howeve + + Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags. + ++Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks. ++ + **Statement definition:** + + (tunable tunable_id true|false) +@@ -156,6 +160,8 @@ tunableif + + Compile time conditional statement that may or may not add CIL statements to be compiled. + ++If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. ++ + **Statement definition:** + + (tunableif tunable_id | expr ...) 
+Index: secilc-3.0/docs/cil_container_statements.md +=================================================================== +--- secilc-3.0.orig/docs/cil_container_statements.md ++++ secilc-3.0/docs/cil_container_statements.md +@@ -4,7 +4,11 @@ Container Statements + block + ----- + +-Start a new namespace where any CIL statement is valid. ++Start a new namespace. ++ ++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. ++ ++[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks. + + **Statement definition:** + +@@ -45,6 +49,8 @@ blockabstract + + Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement. + ++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. ++ + **Statement definition:** + + (block block_id +@@ -93,6 +99,8 @@ blockinherit + + Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. + ++Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. ++ + **Statement definition:** + + (block block_id +@@ -191,15 +199,11 @@ This example contains a template `client + optional + -------- + +-Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. 
[`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid: ++Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. + +-| | | | | +-| ------------------- | -------------- | ------------------ | ------------------ | +-| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) | +-| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) | +-| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) | +-| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) | +-| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | | ++Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. 
++ ++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks. + + **Statement definition:** + +@@ -254,7 +258,11 @@ This example will instantiate the option + in + -- + +-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. ++Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). ++ ++Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks. ++ ++[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks. + + **Statement definition:** + diff --git a/recipes-security/selinux/secilc_3.0.bb b/recipes-security/selinux/secilc_3.0.bb index 71b6cff..aa7d897 100644 --- a/recipes-security/selinux/secilc_3.0.bb +++ b/recipes-security/selinux/secilc_3.0.bb @@ -1,6 +1,8 @@ require selinux_20191204.inc require ${BPN}.inc +SRC_URI += "file://CVE-2021-36087.patch" + LIC_FILES_CHKSUM = "file://COPYING;md5=c7e802b9a3b0c2c852669864c08b9138" SRC_URI[md5sum] = "be7ec221b874053a843ef90e49daa5cf" -- 2.25.1 |
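Review bot: the diffstat of the backported commit lists only three docs/*.md files, so this change cannot alter secilc's runtime behaviour, yet the `CVE: CVE-2021-36087` tag in the patch header will make cve-check report secilc_3.0 as patched. Before merging, confirm that the upstream resolution for this CVE is documentation-only; if a code commit is also part of the fix, backport it in the same series or drop the CVE tag so the recipe is not marked fixed prematurely. A minor point in the recipe hunk: the `SRC_URI += "file://CVE-2021-36087.patch"` line sits between `require ${BPN}.inc` and `LIC_FILES_CHKSUM`; grouping it with the existing `SRC_URI[md5sum]` lines would keep the source definitions together.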
[meta-selinux][dunfell][PATCH 2/3] libsepol: Security fix CVE-2021-36085
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux/ MR: 111857 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba ChangeID: e50ae65189351ee618db2b278ba7105a5728e4c4 Description: Affects: libsepol <= 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/libsepol/CVE-2021-36085.patch | 38 +++++++++++++++++++ recipes-security/selinux/libsepol_3.0.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 recipes-security/selinux/libsepol/CVE-2021-36085.patch diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch new file mode 100644 index 0000000..4bd05eb --- /dev/null +++ b/recipes-security/selinux/libsepol/CVE-2021-36085.patch 
@@ -0,0 +1,38 @@ +From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Thu, 8 Apr 2021 13:32:04 -0400 +Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms + +Map perms share the same struct as regular perms, but only the +map perms use the classperms field. This field is a pointer to a +list of classperms that is created and added to when resolving +classmapping rules, so the map permission doesn't own any of the +data in the list and this list should be destroyed when the AST is +reset. + +When resetting a perm, destroy the classperms list without destroying +the data in the list. + +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36085 +Signed-off-by: Armin Kuster <akuster@...> + +--- + libsepol/cil/src/cil_reset_ast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: libsepol-3.0/cil/src/cil_reset_ast.c +=================================================================== +--- libsepol-3.0.orig/cil/src/cil_reset_ast.c ++++ libsepol-3.0/cil/src/cil_reset_ast.c +@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c + + static void cil_reset_perm(struct cil_perm *perm) + { +- cil_reset_classperms_list(perm->classperms); ++ cil_list_destroy(&perm->classperms, CIL_FALSE); + } + + static inline void cil_reset_classperms(struct cil_classperms *cp) diff --git a/recipes-security/selinux/libsepol_3.0.bb b/recipes-security/selinux/libsepol_3.0.bb index 537377b..b7a7071 100644 --- a/recipes-security/selinux/libsepol_3.0.bb +++ b/recipes-security/selinux/libsepol_3.0.bb @@ -10,4 +10,5 @@ SRC_URI += "\ file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \ file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \ file://CVE-2021-36084.patch \ + file://CVE-2021-36085.patch \ " -- 2.25.1 |
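Review bot: the load-bearing part of the one-line change in cil_reset_perm is the second argument, `CIL_FALSE`: the commit message states that the classperms items are owned by the classmapping rules, so the call must free only the list nodes and not the entries, otherwise resetting those rules afterwards would free the same data twice. A short comment at the call site (e.g. "list nodes only; entries are owned by the classmapping rules") would stop a future cleanup from "fixing" it to `CIL_TRUE`. The Index: path was rewritten to `libsepol-3.0/cil/src/cil_reset_ast.c` while the upstream diffstat says `libsepol/cil/src/cil_reset_ast.c`, so this hunk was hand-rebased; a quick ASan build of secilc against the patched 3.0 tree would confirm the backport still resolves the use-after-free.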
[meta-selinux][dunfell][PATCH 1/3] libsepol: Security fix CVE-2021-36084
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux MR: 111851 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 ChangeID: 7fae27568e26ccbb18be3d2a1ce7332d42706f18 Description: Affects: libsepol < 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/libsepol/CVE-2021-36084.patch | 99 +++++++++++++++++++ recipes-security/selinux/libsepol_3.0.bb | 1 + 2 files changed, 100 insertions(+) create mode 100644 recipes-security/selinux/libsepol/CVE-2021-36084.patch diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch new file mode 100644 index 0000000..1001563 --- /dev/null +++ b/recipes-security/selinux/libsepol/CVE-2021-36084.patch 
@@ -0,0 +1,99 @@ +From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Thu, 8 Apr 2021 13:32:01 -0400 +Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting + classpermission + +Nicolas Iooss reports: + A few months ago, OSS-Fuzz found a crash in the CIL compiler, which + got reported as + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title + is misleading, or is caused by another issue that conflicts with the + one I report in this message). Here is a minimized CIL policy which + reproduces the issue: + + (class CLASS (PERM)) + (classorder (CLASS)) + (sid SID) + (sidorder (SID)) + (user USER) + (role ROLE) + (type TYPE) + (category CAT) + (categoryorder (CAT)) + (sensitivity SENS) + (sensitivityorder (SENS)) + (sensitivitycategory SENS (CAT)) + (allow TYPE self (CLASS (PERM))) + (roletype ROLE TYPE) + (userrole USER ROLE) + (userlevel USER (SENS)) + (userrange USER ((SENS)(SENS (CAT)))) + (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) + + (classpermission CLAPERM) + + (optional OPT + (roletype nonexistingrole nonexistingtype) + (classpermissionset CLAPERM (CLASS (PERM))) + ) + + The CIL policy fuzzer (which mimics secilc built with clang Address + Sanitizer) reports: + + ==36541==ERROR: AddressSanitizer: heap-use-after-free on address + 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp + 0x7ffe2a256588 + READ of size 8 at 0x603000004f98 thread T0 + #0 0x56445134c841 in __cil_verify_classperms + /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 + #1 0x56445134a43e in __cil_verify_classpermission + /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 + #2 0x56445134a43e in __cil_pre_verify_helper + /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 + #3 0x5644513225ac in cil_tree_walk_core + /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 + #4 0x564451322ab1 in cil_tree_walk + /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 + #5 0x5644513226af in 
cil_tree_walk_core + /selinux/libsepol/src/../cil/src/cil_tree.c:284:9 + #6 0x564451322ab1 in cil_tree_walk + /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 + #7 0x5644512b88fd in cil_pre_verify + /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 + #8 0x5644512b88fd in cil_post_process + /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 + #9 0x5644511856ff in cil_compile + /selinux/libsepol/src/../cil/src/cil.c:564:7 + +The classperms list of a classpermission rule is created and filled +in when classpermissionset rules are processed, so it doesn't own any +part of the list and shouldn't retain any of it when it is reset. + +Destroy the classperms list (without destroying the data in it) when +resetting a classpermission rule. + +Reported-by: Nicolas Iooss <nicolas.iooss@...> +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36084 +Signed-off-by: Armin Kuster <akuster@...> + +--- + libsepol/cil/src/cil_reset_ast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: libsepol-3.0/cil/src/cil_reset_ast.c +=================================================================== +--- libsepol-3.0.orig/cil/src/cil_reset_ast.c ++++ libsepol-3.0/cil/src/cil_reset_ast.c +@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st + return; + } + +- cil_reset_classperms_list(cp->classperms); ++ cil_list_destroy(&cp->classperms, CIL_FALSE); + } + + static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) diff --git a/recipes-security/selinux/libsepol_3.0.bb b/recipes-security/selinux/libsepol_3.0.bb index 58559d7..537377b 100644 --- a/recipes-security/selinux/libsepol_3.0.bb +++ b/recipes-security/selinux/libsepol_3.0.bb @@ -9,4 +9,5 @@ SRC_URI[sha256sum] = "5b7ae1881909f1048b06f7a0c364c5c8a86ec12e0ec76e740fe9595a60 SRC_URI += "\ file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \ file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \ + file://CVE-2021-36084.patch \ " -- 2.25.1 |
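Review bot: the minimized policy in the commit message is a ready-made regression input for this backport: a `classpermissionset` inside an `optional` that fails to resolve (the `roletype nonexistingrole nonexistingtype` line) disables the optional, resets the AST, and leaves `cp->classperms` pointing at freed entries until `__cil_verify_classperms` reads them. Consider adding that policy to the layer's ptest or build-time checks so the fix is exercised on the 3.0 tree rather than trusted from the hand-rebased Index: path; the `return;` context line in the hunk shows an early exit guarding the call, so the test should use a classpermission that does have a set, as the reproducer does.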
[meta-selinux][hardknott][PATCH 3/3] secilc: Security fix for CVE-2021-36087
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux MR: 111869 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac ChangeID: b282a68f76e509f548fe6ce46349af56d09481c6 Description: Affects: secilc <= 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/secilc/CVE-2021-36087.patch | 134 ++++++++++++++++++ recipes-security/selinux/secilc_3.2.bb | 2 + 2 files changed, 136 insertions(+) create mode 100644 recipes-security/selinux/secilc/CVE-2021-36087.patch diff --git a/recipes-security/selinux/secilc/CVE-2021-36087.patch b/recipes-security/selinux/secilc/CVE-2021-36087.patch new file mode 100644 index 0000000..5410477 --- /dev/null +++ b/recipes-security/selinux/secilc/CVE-2021-36087.patch 
@@ -0,0 +1,134 @@ +From bad0a746e9f4cf260dedba5828d9645d50176aac Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Mon, 19 Apr 2021 09:06:15 -0400 +Subject: [PATCH] secilc/docs: Update the CIL documentation for various blocks + +Update the documentation for macros, booleans, booleanifs, tunables, +tunableifs, blocks, blockabstracts, blockinherits, and optionals to +tell where these statements can be used and, for those that have +blocks, what statements are not allowed in them. + +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36087 +Signed-off-by: Armin Kuster <akuster@...> + +--- + docs/cil_call_macro_statements.md | 2 ++ + docs/cil_conditional_statements.md | 6 +++++ + docs/cil_container_statements.md | 28 +++++++++++++++-------- + 3 files changed, 26 insertions(+), 10 deletions(-) + +Index: secilc/docs/cil_call_macro_statements.md +=================================================================== +--- secilc.orig/docs/cil_call_macro_statements.md ++++ secilc/docs/cil_call_macro_statements.md +@@ -58,6 +58,8 @@ When resolving macros the following plac + + - Items defined in the global namespace + ++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. ++ + **Statement definition:** + + ```secil +Index: secilc/docs/cil_conditional_statements.md +=================================================================== +--- secilc.orig/docs/cil_conditional_statements.md ++++ secilc/docs/cil_conditional_statements.md +@@ -6,6 +6,8 @@ boolean + + Declares a run time boolean as true or false in the current namespace. 
The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file. + ++[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. ++ + **Statement definition:** + + ```secil +@@ -126,6 +128,8 @@ Tunables are similar to booleans, howeve + + Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags. + ++Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks. ++ + **Statement definition:** + + ```secil +@@ -164,6 +168,8 @@ tunableif + + Compile time conditional statement that may or may not add CIL statements to be compiled. + ++If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. 
++ + **Statement definition:** + + ```secil +Index: secilc/docs/cil_container_statements.md +=================================================================== +--- secilc.orig/docs/cil_container_statements.md ++++ secilc/docs/cil_container_statements.md +@@ -4,7 +4,11 @@ Container Statements + block + ----- + +-Start a new namespace where any CIL statement is valid. ++Start a new namespace. ++ ++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. ++ ++[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks. + + **Statement definition:** + +@@ -47,6 +51,8 @@ blockabstract + + Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement. + ++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. ++ + **Statement definition:** + + ```secil +@@ -97,6 +103,8 @@ blockinherit + + Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. + ++Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. ++ + **Statement definition:** + + ```secil +@@ -199,15 +207,11 @@ This example contains a template `client + optional + -------- + +-Declare an [`optional`](cil_container_statements.md#optional) namespace. 
All CIL statements in the optional block must be satisfied before instantiation in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid: ++Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. + +-| | | | | +-| ------------------- | -------------- | ------------------ | ------------------ | +-| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) | +-| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) | +-| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) | +-| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) | +-| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | | ++Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. 
++ ++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks. + + **Statement definition:** + +@@ -266,7 +270,11 @@ This example will instantiate the option + in + -- + +-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit). ++Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). ++ ++Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks. ++ ++[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks. + + **Statement definition:** + diff --git a/recipes-security/selinux/secilc_3.2.bb b/recipes-security/selinux/secilc_3.2.bb index 60ab2fe..50413e0 100644 --- a/recipes-security/selinux/secilc_3.2.bb +++ b/recipes-security/selinux/secilc_3.2.bb @@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c7e802b9a3b0c2c852669864c08b9138" require selinux_common.inc +SRC_URI += "file://CVE-2021-36087.patch" + DEPENDS += "libsepol xmlto-native" S = "${WORKDIR}/git/secilc" -- 2.25.1 |
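Review bot: the rewrite of the `in` paragraph drops the sentence "This only works for containers that aren't inherited using [`blockinherit`](...)" from the 3.2 docs without a replacement; the new text lists where `in` is not allowed but no longer tells the reader that `in` cannot target an inherited container. If upstream bad0a746 removed that sentence deliberately the backport is faithful, otherwise it should be kept, so please check the upstream diff for this hunk. As with the dunfell copy, the diffstat is documentation-only while the patch header carries a `CVE:` tag, so confirm the CVE is resolved by this commit alone.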
[meta-selinux][hardknott][PATCH 2/3] libsepol: Security fix CVE-2021-36085
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux/ MR: 111857 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba ChangeID: e50ae65189351ee618db2b278ba7105a5728e4c4 Description: Affects: libsepol <= 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/libsepol/CVE-2021-36085.patch | 38 +++++++++++++++++++ recipes-security/selinux/libsepol_3.2.bb | 3 +- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 recipes-security/selinux/libsepol/CVE-2021-36085.patch diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch new file mode 100644 index 0000000..4bd05eb --- /dev/null +++ b/recipes-security/selinux/libsepol/CVE-2021-36085.patch 
@@ -0,0 +1,38 @@ +From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Thu, 8 Apr 2021 13:32:04 -0400 +Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms + +Map perms share the same struct as regular perms, but only the +map perms use the classperms field. This field is a pointer to a +list of classperms that is created and added to when resolving +classmapping rules, so the map permission doesn't own any of the +data in the list and this list should be destroyed when the AST is +reset. + +When resetting a perm, destroy the classperms list without destroying +the data in the list. + +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36085 +Signed-off-by: Armin Kuster <akuster@...> + +--- + libsepol/cil/src/cil_reset_ast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: libsepol-3.0/cil/src/cil_reset_ast.c +=================================================================== +--- libsepol-3.0.orig/cil/src/cil_reset_ast.c ++++ libsepol-3.0/cil/src/cil_reset_ast.c +@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c + + static void cil_reset_perm(struct cil_perm *perm) + { +- cil_reset_classperms_list(perm->classperms); ++ cil_list_destroy(&perm->classperms, CIL_FALSE); + } + + static inline void cil_reset_classperms(struct cil_classperms *cp) diff --git a/recipes-security/selinux/libsepol_3.2.bb b/recipes-security/selinux/libsepol_3.2.bb index 6215d24..ef5de1e 100644 --- a/recipes-security/selinux/libsepol_3.2.bb +++ b/recipes-security/selinux/libsepol_3.2.bb @@ -9,7 +9,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" require selinux_common.inc -SRC_URI += "file://CVE-2021-36084.patch" +SRC_URI += "file://CVE-2021-36084.patch \ + file://CVE-2021-36085.patch " inherit lib_package -- 2.25.1 |
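Review bot: in the libsepol_3.2.bb hunk the single-line `SRC_URI += "file://CVE-2021-36084.patch"` introduced by patch 1/3 of this series is rewritten into a two-line string with a trailing space before the closing quote (`file://CVE-2021-36085.patch "`). Squashing the SRC_URI change into 1/3, or using the layout already used in libsepol_3.0.bb (a `"\` opener with one `file://... \` entry per line and the closing quote on its own line), would avoid churn on a line added two patches earlier and make the next CVE backport a one-line addition.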
[meta-selinux][hardknott][PATCH 1/3] libsepol: Security fix CVE-2021-36084
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux MR: 111851 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 ChangeID: 7fae27568e26ccbb18be3d2a1ce7332d42706f18 Description: Affects: libsepol < 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/libsepol/CVE-2021-36084.patch | 99 +++++++++++++++++++ recipes-security/selinux/libsepol_3.2.bb | 2 + 2 files changed, 101 insertions(+) create mode 100644 recipes-security/selinux/libsepol/CVE-2021-36084.patch diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch new file mode 100644 index 0000000..1001563 --- /dev/null +++ b/recipes-security/selinux/libsepol/CVE-2021-36084.patch 
@@ -0,0 +1,99 @@ +From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Thu, 8 Apr 2021 13:32:01 -0400 +Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting + classpermission + +Nicolas Iooss reports: + A few months ago, OSS-Fuzz found a crash in the CIL compiler, which + got reported as + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title + is misleading, or is caused by another issue that conflicts with the + one I report in this message). Here is a minimized CIL policy which + reproduces the issue: + + (class CLASS (PERM)) + (classorder (CLASS)) + (sid SID) + (sidorder (SID)) + (user USER) + (role ROLE) + (type TYPE) + (category CAT) + (categoryorder (CAT)) + (sensitivity SENS) + (sensitivityorder (SENS)) + (sensitivitycategory SENS (CAT)) + (allow TYPE self (CLASS (PERM))) + (roletype ROLE TYPE) + (userrole USER ROLE) + (userlevel USER (SENS)) + (userrange USER ((SENS)(SENS (CAT)))) + (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) + + (classpermission CLAPERM) + + (optional OPT + (roletype nonexistingrole nonexistingtype) + (classpermissionset CLAPERM (CLASS (PERM))) + ) + + The CIL policy fuzzer (which mimics secilc built with clang Address + Sanitizer) reports: + + ==36541==ERROR: AddressSanitizer: heap-use-after-free on address + 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp + 0x7ffe2a256588 + READ of size 8 at 0x603000004f98 thread T0 + #0 0x56445134c841 in __cil_verify_classperms + /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 + #1 0x56445134a43e in __cil_verify_classpermission + /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 + #2 0x56445134a43e in __cil_pre_verify_helper + /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 + #3 0x5644513225ac in cil_tree_walk_core + /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 + #4 0x564451322ab1 in cil_tree_walk + /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 + #5 0x5644513226af in 
cil_tree_walk_core + /selinux/libsepol/src/../cil/src/cil_tree.c:284:9 + #6 0x564451322ab1 in cil_tree_walk + /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 + #7 0x5644512b88fd in cil_pre_verify + /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 + #8 0x5644512b88fd in cil_post_process + /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 + #9 0x5644511856ff in cil_compile + /selinux/libsepol/src/../cil/src/cil.c:564:7 + +The classperms list of a classpermission rule is created and filled +in when classpermissionset rules are processed, so it doesn't own any +part of the list and shouldn't retain any of it when it is reset. + +Destroy the classperms list (without destroying the data in it) when +resetting a classpermission rule. + +Reported-by: Nicolas Iooss <nicolas.iooss@...> +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36084 +Signed-off-by: Armin Kuster <akuster@...> + +--- + libsepol/cil/src/cil_reset_ast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: libsepol-3.0/cil/src/cil_reset_ast.c +=================================================================== +--- libsepol-3.0.orig/cil/src/cil_reset_ast.c ++++ libsepol-3.0/cil/src/cil_reset_ast.c +@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st + return; + } + +- cil_reset_classperms_list(cp->classperms); ++ cil_list_destroy(&cp->classperms, CIL_FALSE); + } + + static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) diff --git a/recipes-security/selinux/libsepol_3.2.bb b/recipes-security/selinux/libsepol_3.2.bb index 48d5f49..6215d24 100644 --- a/recipes-security/selinux/libsepol_3.2.bb +++ b/recipes-security/selinux/libsepol_3.2.bb @@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" require selinux_common.inc +SRC_URI += "file://CVE-2021-36084.patch" + inherit lib_package S = "${WORKDIR}/git/libsepol" -- 2.25.1 |
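Review bot: the cover text states `Affects: libsepol < 3.2`, yet this patch adds `file://CVE-2021-36084.patch` to libsepol_3.2.bb, and patch 2/3 in the same series describes CVE-2021-36085 as `Affects: libsepol <= 3.2`. One of the two statements is wrong: if 3.2 already contains upstream f34d3d30 the hunk will fail to apply or re-apply a no-op, and if it does not, the Affects line should read `<= 3.2` to match 2/3. Please verify against the 3.2 tag and correct the description so the cve-check metadata is accurate.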
[meta-selinux][PATCH 3/3] secilc: Security fix for CVE-2021-36087
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux MR: 111869 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac ChangeID: b282a68f76e509f548fe6ce46349af56d09481c6 Description: Affects: secilc <= 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/secilc/CVE-2021-36087.patch | 134 ++++++++++++++++++ recipes-security/selinux/secilc_3.2.bb | 2 + 2 files changed, 136 insertions(+) create mode 100644 recipes-security/selinux/secilc/CVE-2021-36087.patch diff --git a/recipes-security/selinux/secilc/CVE-2021-36087.patch b/recipes-security/selinux/secilc/CVE-2021-36087.patch new file mode 100644 index 0000000..5410477 --- /dev/null +++ b/recipes-security/selinux/secilc/CVE-2021-36087.patch 
@@ -0,0 +1,134 @@ +From bad0a746e9f4cf260dedba5828d9645d50176aac Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Mon, 19 Apr 2021 09:06:15 -0400 +Subject: [PATCH] secilc/docs: Update the CIL documentation for various blocks + +Update the documentation for macros, booleans, booleanifs, tunables, +tunableifs, blocks, blockabstracts, blockinherits, and optionals to +tell where these statements can be used and, for those that have +blocks, what statements are not allowed in them. + +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36087 +Signed-off-by: Armin Kuster <akuster@...> + +--- + docs/cil_call_macro_statements.md | 2 ++ + docs/cil_conditional_statements.md | 6 +++++ + docs/cil_container_statements.md | 28 +++++++++++++++-------- + 3 files changed, 26 insertions(+), 10 deletions(-) + +Index: secilc/docs/cil_call_macro_statements.md +=================================================================== +--- secilc.orig/docs/cil_call_macro_statements.md ++++ secilc/docs/cil_call_macro_statements.md +@@ -58,6 +58,8 @@ When resolving macros the following plac + + - Items defined in the global namespace + ++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. ++ + **Statement definition:** + + ```secil +Index: secilc/docs/cil_conditional_statements.md +=================================================================== +--- secilc.orig/docs/cil_conditional_statements.md ++++ secilc/docs/cil_conditional_statements.md +@@ -6,6 +6,8 @@ boolean + + Declares a run time boolean as true or false in the current namespace. 
The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file. + ++[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. ++ + **Statement definition:** + + ```secil +@@ -126,6 +128,8 @@ Tunables are similar to booleans, howeve + + Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags. + ++Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks. ++ + **Statement definition:** + + ```secil +@@ -164,6 +168,8 @@ tunableif + + Compile time conditional statement that may or may not add CIL statements to be compiled. + ++If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. 
++ + **Statement definition:** + + ```secil +Index: secilc/docs/cil_container_statements.md +=================================================================== +--- secilc.orig/docs/cil_container_statements.md ++++ secilc/docs/cil_container_statements.md +@@ -4,7 +4,11 @@ Container Statements + block + ----- + +-Start a new namespace where any CIL statement is valid. ++Start a new namespace. ++ ++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. ++ ++[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks. + + **Statement definition:** + +@@ -47,6 +51,8 @@ blockabstract + + Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement. + ++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. ++ + **Statement definition:** + + ```secil +@@ -97,6 +103,8 @@ blockinherit + + Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. + ++Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. ++ + **Statement definition:** + + ```secil +@@ -199,15 +207,11 @@ This example contains a template `client + optional + -------- + +-Declare an [`optional`](cil_container_statements.md#optional) namespace. 
All CIL statements in the optional block must be satisfied before instantiation in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid: ++Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. + +-| | | | | +-| ------------------- | -------------- | ------------------ | ------------------ | +-| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) | +-| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) | +-| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) | +-| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) | +-| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | | ++Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. 
++ ++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks. + + **Statement definition:** + +@@ -266,7 +270,11 @@ This example will instantiate the option + in + -- + +-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit). ++Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). ++ ++Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks. ++ ++[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks. + + **Statement definition:** + diff --git a/recipes-security/selinux/secilc_3.2.bb b/recipes-security/selinux/secilc_3.2.bb index 60ab2fe..50413e0 100644 --- a/recipes-security/selinux/secilc_3.2.bb +++ b/recipes-security/selinux/secilc_3.2.bb @@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c7e802b9a3b0c2c852669864c08b9138" require selinux_common.inc +SRC_URI += "file://CVE-2021-36087.patch" + DEPENDS += "libsepol xmlto-native" S = "${WORKDIR}/git/secilc" -- 2.25.1 |
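Review bot: all three files in this patch's diffstat sit under docs/ (cil_call_macro_statements.md, cil_conditional_statements.md, cil_container_statements.md), so every hunk here rewrites the prose about which statements may appear inside `macro`, `booleanif`, `tunableif`, `block`, `blockabstract`, `blockinherit`, `optional` and `in` blocks; nothing in the secilc or libsepol/cil sources changes, so compiler behaviour is identical before and after. If the backport is meant to close CVE-2021-36087 in the compiler, the code change that enforces these restrictions has to be carried as well; if it is deliberately documentation-only, say so in the patch header, because the `CVE: CVE-2021-36087` tag on its own is enough for cve-check to report the issue as fixed in secilc 3.2.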
[meta-selinux][PATCH 2/3] libsepol: Security fix CVE-2021-36085
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux/ MR: 111857 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba ChangeID: e50ae65189351ee618db2b278ba7105a5728e4c4 Description: Affects: libsepol <= 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/libsepol/CVE-2021-36085.patch | 38 +++++++++++++++++++ recipes-security/selinux/libsepol_3.2.bb | 3 +- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 recipes-security/selinux/libsepol/CVE-2021-36085.patch diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch new file mode 100644 index 0000000..4bd05eb --- /dev/null +++ b/recipes-security/selinux/libsepol/CVE-2021-36085.patch 
@@ -0,0 +1,38 @@ +From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Thu, 8 Apr 2021 13:32:04 -0400 +Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms + +Map perms share the same struct as regular perms, but only the +map perms use the classperms field. This field is a pointer to a +list of classperms that is created and added to when resolving +classmapping rules, so the map permission doesn't own any of the +data in the list and this list should be destroyed when the AST is +reset. + +When resetting a perm, destroy the classperms list without destroying +the data in the list. + +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36085 +Signed-off-by: Armin Kuster <akuster@...> + +--- + libsepol/cil/src/cil_reset_ast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: libsepol-3.0/cil/src/cil_reset_ast.c +=================================================================== +--- libsepol-3.0.orig/cil/src/cil_reset_ast.c ++++ libsepol-3.0/cil/src/cil_reset_ast.c +@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c + + static void cil_reset_perm(struct cil_perm *perm) + { +- cil_reset_classperms_list(perm->classperms); ++ cil_list_destroy(&perm->classperms, CIL_FALSE); + } + + static inline void cil_reset_classperms(struct cil_classperms *cp) diff --git a/recipes-security/selinux/libsepol_3.2.bb b/recipes-security/selinux/libsepol_3.2.bb index 6215d24..ef5de1e 100644 --- a/recipes-security/selinux/libsepol_3.2.bb +++ b/recipes-security/selinux/libsepol_3.2.bb @@ -9,7 +9,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" require selinux_common.inc -SRC_URI += "file://CVE-2021-36084.patch" +SRC_URI += "file://CVE-2021-36084.patch \ + file://CVE-2021-36085.patch " inherit lib_package -- 2.25.1 |
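Review bot: `cil_reset_perm` runs for regular perms as well as map perms (the message says both share one struct and only map perms use `classperms`), so after this hunk `cil_list_destroy(&perm->classperms, CIL_FALSE)` is reached with a NULL `classperms` for every regular perm; please confirm that `cil_list_destroy` returns early on a NULL list before merging. `CIL_FALSE` matches the message's point that the perm does not own the list items, and taking the address of the field lets the helper clear the pointer so a later walk cannot revisit freed nodes, provided the helper does so. Also, the `Index:`/`---` headers name `libsepol-3.0/cil/src/cil_reset_ast.c` although the patch is added to libsepol_3.2.bb; `-p1` still strips this to `cil/src/cil_reset_ast.c`, but regenerating the header against the 3.2 tree would remove any doubt about which tree the hunk context was taken from.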
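Review bot: the recipe hunk edits the `SRC_URI += "file://CVE-2021-36084.patch"` line that 1/3 introduces, so 2/3 only applies on top of 1/3; that is fine for a series, but worth stating in the cover letter for anyone cherry-picking a single fix. The trailing space inside `file://CVE-2021-36085.patch "` is harmless, since SRC_URI is whitespace-split, but the closing quote is normally placed directly after the last entry.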
[meta-selinux][PATCH 1/3] libsepol: Security fix CVE-2021-36084
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux MR: 111851 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 ChangeID: 7fae27568e26ccbb18be3d2a1ce7332d42706f18 Description: Affects: libsepol < 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/libsepol/CVE-2021-36084.patch | 99 +++++++++++++++++++ recipes-security/selinux/libsepol_3.2.bb | 2 + 2 files changed, 101 insertions(+) create mode 100644 recipes-security/selinux/libsepol/CVE-2021-36084.patch diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch new file mode 100644 index 0000000..1001563 --- /dev/null +++ b/recipes-security/selinux/libsepol/CVE-2021-36084.patch 
@@ -0,0 +1,99 @@ +From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Thu, 8 Apr 2021 13:32:01 -0400 +Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting + classpermission + +Nicolas Iooss reports: + A few months ago, OSS-Fuzz found a crash in the CIL compiler, which + got reported as + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title + is misleading, or is caused by another issue that conflicts with the + one I report in this message). Here is a minimized CIL policy which + reproduces the issue: + + (class CLASS (PERM)) + (classorder (CLASS)) + (sid SID) + (sidorder (SID)) + (user USER) + (role ROLE) + (type TYPE) + (category CAT) + (categoryorder (CAT)) + (sensitivity SENS) + (sensitivityorder (SENS)) + (sensitivitycategory SENS (CAT)) + (allow TYPE self (CLASS (PERM))) + (roletype ROLE TYPE) + (userrole USER ROLE) + (userlevel USER (SENS)) + (userrange USER ((SENS)(SENS (CAT)))) + (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) + + (classpermission CLAPERM) + + (optional OPT + (roletype nonexistingrole nonexistingtype) + (classpermissionset CLAPERM (CLASS (PERM))) + ) + + The CIL policy fuzzer (which mimics secilc built with clang Address + Sanitizer) reports: + + ==36541==ERROR: AddressSanitizer: heap-use-after-free on address + 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp + 0x7ffe2a256588 + READ of size 8 at 0x603000004f98 thread T0 + #0 0x56445134c841 in __cil_verify_classperms + /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 + #1 0x56445134a43e in __cil_verify_classpermission + /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 + #2 0x56445134a43e in __cil_pre_verify_helper + /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 + #3 0x5644513225ac in cil_tree_walk_core + /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 + #4 0x564451322ab1 in cil_tree_walk + /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 + #5 0x5644513226af in 
cil_tree_walk_core + /selinux/libsepol/src/../cil/src/cil_tree.c:284:9 + #6 0x564451322ab1 in cil_tree_walk + /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 + #7 0x5644512b88fd in cil_pre_verify + /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 + #8 0x5644512b88fd in cil_post_process + /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 + #9 0x5644511856ff in cil_compile + /selinux/libsepol/src/../cil/src/cil.c:564:7 + +The classperms list of a classpermission rule is created and filled +in when classpermissionset rules are processed, so it doesn't own any +part of the list and shouldn't retain any of it when it is reset. + +Destroy the classperms list (without destroying the data in it) when +resetting a classpermission rule. + +Reported-by: Nicolas Iooss <nicolas.iooss@...> +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36084 +Signed-off-by: Armin Kuster <akuster@...> + +--- + libsepol/cil/src/cil_reset_ast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: libsepol-3.0/cil/src/cil_reset_ast.c +=================================================================== +--- libsepol-3.0.orig/cil/src/cil_reset_ast.c ++++ libsepol-3.0/cil/src/cil_reset_ast.c +@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st + return; + } + +- cil_reset_classperms_list(cp->classperms); ++ cil_list_destroy(&cp->classperms, CIL_FALSE); + } + + static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) diff --git a/recipes-security/selinux/libsepol_3.2.bb b/recipes-security/selinux/libsepol_3.2.bb index 48d5f49..6215d24 100644 --- a/recipes-security/selinux/libsepol_3.2.bb +++ b/recipes-security/selinux/libsepol_3.2.bb @@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" require selinux_common.inc +SRC_URI += "file://CVE-2021-36084.patch" + inherit lib_package S = "${WORKDIR}/git/libsepol" -- 2.25.1 |
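Review bot: the context lines `return; }` just above the change show that `cil_reset_classpermission` already bails out early in some case, so `cil_list_destroy(&cp->classperms, CIL_FALSE)` is only reached for a `cp` that passed that check. Passing the address of the field matters here: if `cil_list_destroy` clears the pointer it is handed, the re-verification in `__cil_verify_classperms` (frames #0 and #1 of the ASan trace) no longer walks freed nodes after a reset, which is the reported use-after-free. Since the message states the classpermission does not own the entries and the reset now empties the list rather than only resetting its items, please confirm the list is rebuilt when `classpermissionset` rules are processed again on the next resolve pass.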
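Review bot: the recipe hunk applies the patch to libsepol_3.2.bb, but the cover text says `Affects: libsepol < 3.2`, which taken literally would make 3.2 unaffected and the patch unnecessary; patches 2/3 and 3/3 say `<= 3.2`, so this reads like a typo in the description. Please reconcile it, since the stated affected range is what reviewers use to decide whether the backport belongs on this branch.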
Re: [ptest-runner][PATCH 3/3] utils.c: add system data collection when a test gets stuck.
Alexander Kanavin
Cheers, will add now. Also, dmesg will be collected and archived through a separate channel, and regardless of whether something is stuck or not :)

Alex

On Thu, 16 Sept 2021 at 18:18, Richard Purdie <richard.purdie@...> wrote:
On Thu, 2021-09-16 at 14:46 +0200, Alexander Kanavin wrote: