!62 [sync] PR-61: libsepol：backport upstream patches

From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-CVE-2021-36084.patch

@@ -0,0 +1,94 @@
+From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:01 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
+ classpermission
+
+Nicolas Iooss reports:
+  A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
+  got reported as
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
+  is misleading, or is caused by another issue that conflicts with the
+  one I report in this message). Here is a minimized CIL policy which
+  reproduces the issue:
+
+  (class CLASS (PERM))
+  (classorder (CLASS))
+  (sid SID)
+  (sidorder (SID))
+  (user USER)
+  (role ROLE)
+  (type TYPE)
+  (category CAT)
+  (categoryorder (CAT))
+  (sensitivity SENS)
+  (sensitivityorder (SENS))
+  (sensitivitycategory SENS (CAT))
+  (allow TYPE self (CLASS (PERM)))
+  (roletype ROLE TYPE)
+  (userrole USER ROLE)
+  (userlevel USER (SENS))
+  (userrange USER ((SENS)(SENS (CAT))))
+  (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
+
+  (classpermission CLAPERM)
+
+  (optional OPT
+      (roletype nonexistingrole nonexistingtype)
+      (classpermissionset CLAPERM (CLASS (PERM)))
+  )
+
+  The CIL policy fuzzer (which mimics secilc built with clang Address
+  Sanitizer) reports:
+
+  ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
+  0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
+  0x7ffe2a256588
+  READ of size 8 at 0x603000004f98 thread T0
+      #0 0x56445134c841 in __cil_verify_classperms
+  /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
+      #1 0x56445134a43e in __cil_verify_classpermission
+  /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
+      #2 0x56445134a43e in __cil_pre_verify_helper
+  /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
+      #3 0x5644513225ac in cil_tree_walk_core
+  /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
+      #4 0x564451322ab1 in cil_tree_walk
+  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+      #5 0x5644513226af in cil_tree_walk_core
+  /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
+      #6 0x564451322ab1 in cil_tree_walk
+  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+      #7 0x5644512b88fd in cil_pre_verify
+  /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
+      #8 0x5644512b88fd in cil_post_process
+  /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
+      #9 0x5644511856ff in cil_compile
+  /selinux/libsepol/src/../cil/src/cil.c:564:7
+
+The classperms list of a classpermission rule is created and filled
+in when classpermissionset rules are processed, so it doesn't own any
+part of the list and shouldn't retain any of it when it is reset.
+
+Destroy the classperms list (without destroying the data in it)  when
+resetting a classpermission rule.
+
+Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
+index 3da1b9a64..db70a535b 100644
+--- a/libsepol/cil/src/cil_reset_ast.c
++++ b/libsepol/cil/src/cil_reset_ast.c
+@@ -54,7 +54,7 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
+ 		return;
+ 	}
+ 
+-	cil_reset_classperms_list(cp->classperms);
++	cil_list_destroy(&cp->classperms, CIL_FALSE);
+ }
+ 
+ static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)

backport-CVE-2021-36085.patch

@@ -0,0 +1,33 @@
+From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:04 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
+
+Map perms share the same struct as regular perms, but only the
+map perms use the classperms field. This field is a pointer to a
+list of classperms that is created and added to when resolving
+classmapping rules, so the map permission doesn't own any of the
+data in the list and this list should be destroyed when the AST is
+reset.
+
+When resetting a perm, destroy the classperms list without destroying
+the data in the list.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
+index db70a535b..89f91e568 100644
+--- a/libsepol/cil/src/cil_reset_ast.c
++++ b/libsepol/cil/src/cil_reset_ast.c
+@@ -36,7 +36,7 @@ static void cil_reset_class(struct cil_class *class)
+ 
+ static void cil_reset_perm(struct cil_perm *perm)
+ {
+-	cil_reset_classperms_list(perm->classperms);
++	cil_list_destroy(&perm->classperms, CIL_FALSE);
+ }
+ 
+ static inline void cil_reset_classperms(struct cil_classperms *cp)

backport-CVE-2021-36086.patch

@@ -0,0 +1,36 @@
+From c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:06 -0400
+Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
+ classpermission
+
+In struct cil_classperms_set, the set field is a pointer to a
+struct cil_classpermission which is looked up in the symbol table.
+Since the cil_classperms_set does not create the cil_classpermission,
+it should not reset it.
+
+Set the set field to NULL instead of resetting the classpermission
+that it points to.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_reset_ast.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
+index 89f91e568..1d9ca704e 100644
+--- a/libsepol/cil/src/cil_reset_ast.c
++++ b/libsepol/cil/src/cil_reset_ast.c
+@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
+ 
+ static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
+ {
+-	cil_reset_classpermission(cp_set->set);
++	if (cp_set == NULL) {
++		return;
++	}
++
++	cp_set->set = NULL;
+ }
+ 
+ static inline void cil_reset_classperms_list(struct cil_list *cp_list)

backport-CVE-2021-36087.patch

@@ -0,0 +1,148 @@
+From 340f0eb7f3673e8aacaf0a96cbfcd4d12a405521 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Tue, 30 Mar 2021 13:39:18 -0400
+Subject: [PATCH] libsepol/cil: Check for statements not allowed in optional
+ blocks
+
+While there are some checks for invalid statements in an optional
+block when resolving the AST, there are no checks when building the
+AST.
+
+OSS-Fuzz found the following policy which caused a null dereference
+in cil_tree_get_next_path().
+  (blockinherit b3)
+  (sid SID)
+  (sidorder(SID))
+  (optional o
+    (ibpkeycon :(1 0)s)
+    (block b3
+      (filecon""block())
+      (filecon""block())))
+
+The problem is that the blockinherit copies block b3 before
+the optional block is disabled. When the optional is disabled,
+block b3 is deleted along with everything else in the optional.
+Later, when filecon statements with the same path are found an
+error message is produced and in trying to find out where the block
+was copied from, the reference to the deleted block is used. The
+error handling code assumes (rightly) that if something was copied
+from a block then that block should still exist.
+
+It is clear that in-statements, blocks, and macros cannot be in an
+optional, because that allows nodes to be copied from the optional
+block to somewhere outside even though the optional could be disabled
+later. When optionals are disabled the AST is reset and the
+resolution is restarted at the point of resolving macro calls, so
+anything resolved before macro calls will never be re-resolved.
+This includes tunableifs, in-statements, blockinherits,
+blockabstracts, and macro definitions. Tunable declarations also
+cannot be in an optional block because they are needed to resolve
+tunableifs. It should be fine to allow blockinherit statements in
+an optional, because that is copying nodes from outside the optional
+to the optional and if the optional is later disabled, everything
+will be deleted anyway.
+
+Check and quit with an error if a tunable declaration, in-statement,
+block, blockabstract, or macro definition is found within an
+optional when either building or resolving the AST.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_build_ast.c   | 32 ++++++++++++++++++++++++++++++
+ libsepol/cil/src/cil_resolve_ast.c |  4 +++-
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index 96c944975..882548585 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -52,6 +52,7 @@ struct cil_args_build {
+ 	struct cil_tree_node *tunif;
+ 	struct cil_tree_node *in;
+ 	struct cil_tree_node *macro;
++	struct cil_tree_node *optional;
+ 	struct cil_tree_node *boolif;
+ };
+ 
+@@ -6071,6 +6072,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 	struct cil_tree_node *tunif = args->tunif;
+ 	struct cil_tree_node *in = args->in;
+ 	struct cil_tree_node *macro = args->macro;
++	struct cil_tree_node *optional = args->optional;
+ 	struct cil_tree_node *boolif = args->boolif;
+ 	struct cil_tree_node *ast_node = NULL;
+ 	int rc = SEPOL_ERR;
+@@ -6121,6 +6123,18 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 		}
+ 	}
+ 
++	if (optional != NULL) {
++		if (parse_current->data == CIL_KEY_TUNABLE ||
++			parse_current->data == CIL_KEY_IN ||
++			parse_current->data == CIL_KEY_BLOCK ||
++			parse_current->data == CIL_KEY_BLOCKABSTRACT ||
++			parse_current->data == CIL_KEY_MACRO) {
++			rc = SEPOL_ERR;
++			cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optionals", (char *)parse_current->data);
++			goto exit;
++		}
++	}
++
+ 	if (boolif != NULL) {
+ 		if (parse_current->data != CIL_KEY_TUNABLEIF &&
+ 			parse_current->data != CIL_KEY_CALL &&
+@@ -6462,6 +6476,10 @@ int __cil_build_ast_first_child_helper(__attribute__((unused)) struct cil_tree_n
+ 		args->macro = ast;
+ 	}
+ 
++	if (ast->flavor == CIL_OPTIONAL) {
++		args->optional = ast;
++	}
++
+ 	if (ast->flavor == CIL_BOOLEANIF) {
+ 		args->boolif = ast;
+ 	}
+@@ -6492,6 +6510,19 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
+ 		args->macro = NULL;
+ 	}
+ 
++	if (ast->flavor == CIL_OPTIONAL) {
++		struct cil_tree_node *n = ast->parent;
++		args->optional = NULL;
++		/* Optionals can be nested */
++		while (n && n->flavor != CIL_ROOT) {
++			if (n->flavor == CIL_OPTIONAL) {
++				args->optional = n;
++				break;
++			}
++			n = n->parent;
++		}
++	}
++
+ 	if (ast->flavor == CIL_BOOLEANIF) {
+ 		args->boolif = NULL;
+ 	}
+@@ -6520,6 +6551,7 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
+ 	extra_args.tunif = NULL;
+ 	extra_args.in = NULL;
+ 	extra_args.macro = NULL;
++	extra_args.optional = NULL;
+ 	extra_args.boolif = NULL;
+ 
+ 	rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, __cil_build_ast_first_child_helper, __cil_build_ast_last_child_helper, &extra_args);
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 56295a047..efff0f2ec 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
++++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -3808,8 +3808,10 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
+ 
+ 	if (optional != NULL) {
+ 		if (node->flavor == CIL_TUNABLE ||
++			node->flavor == CIL_IN ||
++			node->flavor == CIL_BLOCK ||
++			node->flavor == CIL_BLOCKABSTRACT ||
+ 		    node->flavor == CIL_MACRO) {
+-			/* tuanbles and macros are not allowed in optionals*/
+ 			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
+ 			rc = SEPOL_ERR;
+ 			goto exit;

backport-libsepol-add-missing-oom-checks.patch

@@ -0,0 +1,77 @@
+From 0233e4f6d59a96b759e32661a20be4bbadb374a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 31 Mar 2022 16:44:52 +0200
+Subject: [PATCH] libsepol: add missing oom checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check return values of memory allocation functions and propagate their
+failure.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ src/kernel_to_cil.c | 5 +++++
+ src/module_to_cil.c | 7 +++++++
+ src/policydb.c      | 3 ++-
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/kernel_to_cil.c b/src/kernel_to_cil.c
+index d4dee8d..ef6161c 100644
+--- a/libsepol/src/kernel_to_cil.c
++++ b/libsepol/src/kernel_to_cil.c
+@@ -555,6 +555,11 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
+ 		} else {
+ 			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
+ 			sid = strdup(unknown);
++			if (!sid) {
++				sepol_log_err("Out of memory");
++				rc = -1;
++				goto exit;
++			}
+ 		}
+ 		rc = strs_add_at_index(strs, sid, i);
+ 		if (rc != 0) {
+diff --git a/src/module_to_cil.c b/src/module_to_cil.c
+index 3e17018..5027fb7 100644
+--- a/libsepol/src/module_to_cil.c
++++ b/libsepol/src/module_to_cil.c
+@@ -391,6 +391,8 @@ static int typealias_list_create(struct policydb *pdb)
+ 	}
+ 
+ 	typealias_lists = calloc(max_decl_id + 1, sizeof(*typealias_lists));
++	if (!typealias_lists)
++		goto exit;
+ 	typealias_lists_len = max_decl_id + 1;
+ 
+ 	rc = hashtab_map(pdb->p_types.table, typealiases_gather_map, pdb);
+@@ -2551,6 +2553,11 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
+ 			goto exit;
+ 		}
+ 		item->sid_key = strdup(sid);
++		if (!item->sid_key) {
++			log_err("Out of memory");
++			rc = -1;
++			goto exit;
++		}
+ 		item->next = head;
+ 		head = item;
+ 	}
+diff --git a/src/policydb.c b/src/policydb.c
+index 3992ea5..982bc23 100644
+--- a/libsepol/src/policydb.c
++++ b/libsepol/src/policydb.c
+@@ -1248,7 +1248,8 @@ int policydb_index_others(sepol_handle_t * handle,
+ 	if (!p->type_val_to_struct)
+ 		return -1;
+ 
+-	cond_init_bool_indexes(p);
++	if (cond_init_bool_indexes(p))
++		return -1;
+ 
+ 	for (i = SYM_ROLES; i < SYM_NUM; i++) {
+ 		free(p->sym_val_to_name[i]);
+-- 
+2.27.0
+

backport-libsepol-avoid-potential-NULL-dereference-on-optional-parameter.patch

@@ -0,0 +1,32 @@
+From f505a73b06302ba5e84f8c56851121d4a410c1ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 10 Jun 2022 17:06:23 +0200
+Subject: [PATCH] libsepol: avoid potential NULL dereference on optional
+ parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The parameter `reason` of `context_struct_compute_av()` is optional and
+can be passed in as NULL, like from `type_attribute_bounds_av()`.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/services.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index d7510e9da..24412d837 100644
+--- a/libsepol/src/services.c
++++ b/libsepol/src/services.c
+@@ -894,7 +894,8 @@ static void type_attribute_bounds_av(context_struct_t *scontext,
+ 	/* mask violated permissions */
+ 	avd->allowed &= ~masked;
+ 
+-	*reason |= SEPOL_COMPUTEAV_BOUNDS;
++	if (reason)
++		*reason |= SEPOL_COMPUTEAV_BOUNDS;
+ }
+ 
+ /*

backport-libsepol-check-correct-pointer-for-oom.patch

@@ -0,0 +1,34 @@
+From 68a29c3aee60a6dd4e0d435fc10adb0f2cc1c0ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 8 Apr 2022 15:10:51 +0200
+Subject: [PATCH] libsepol: check correct pointer for oom
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the actual pointer which memory was assigned to, not its parent
+array pointer.
+
+    services.c:810:14: warning: Assigned value is garbage or undefined [core.uninitialized.Assign]
+                                            **r_buf = **new_buf;
+                                                    ^ ~~~~~~~~~
+
+Acked-by: James Carter <jwcart2@gmail.com>
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ libsepol/src/services.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index 47e564df4..d7510e9da 100644
+--- a/libsepol/src/services.c
++++ b/libsepol/src/services.c
+@@ -803,7 +803,7 @@ static int constraint_expr_eval_reason(context_struct_t *scontext,
+ 				if (len < 0 || len >= reason_buf_len - reason_buf_used) {
+ 					new_buf_len = reason_buf_len + REASON_BUF_SIZE;
+ 					*new_buf = realloc(*r_buf, new_buf_len);
+-					if (!new_buf) {
++					if (!*new_buf) {
+ 						ERR(NULL, "failed to realloc reason buffer");
+ 						goto out1;
+ 					}

backport-libsepol-cil-Allow-permission-expressions-when-using.patch

@@ -0,0 +1,75 @@
+From 22fb6f477bf10e834ece9eff84438fcaebf7d2ec Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:14 -0400
+Subject: [PATCH] libsepol/cil: Allow permission expressions when using map
+ classes
+
+The following policy will cause a segfault:
+  (class CLASS (PERM))
+  (class C (P1 P2 P3))
+  (classorder (CLASS C))
+  (sid SID)
+  (sidorder (SID))
+  (user USER)
+  (role ROLE)
+  (type TYPE)
+  (category CAT)
+  (categoryorder (CAT))
+  (sensitivity SENS)
+  (sensitivityorder (SENS))
+  (sensitivitycategory SENS (CAT))
+  (allow TYPE self (CLASS (PERM)))
+  (roletype ROLE TYPE)
+  (userrole USER ROLE)
+  (userlevel USER (SENS))
+  (userrange USER ((SENS)(SENS (CAT))))
+  (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
+
+  (classmap CM (PM1 PM2 PM3))
+  (classmapping CM PM1 (C (P1)))
+  (classmapping CM PM2 (C (P2)))
+  (classmapping CM PM3 (C (P3)))
+  (allow TYPE self (CM (and (all) (not PM2))))
+
+The problem is that, while permission expressions are allowed for
+normal classes, map classes are expected to only have permission
+lists and no check is done to verify that only a permission list
+is being used.
+
+When the above policy is parsed, the "and" and "all" are seen as
+expression operators, but when the map permissions are converted to
+normal class and permissions, the permission expression is assumed
+to be a list of datums and since the operators are not datums a
+segfault is the result.
+
+There is no reason to limit map classes to only using a list of
+permissions and, in fact, it would be better to be able to use them
+in the same way normal classes are used.
+
+Allow permissions expressions to be used for map classes by first
+evaluating the permission expression and then converting the
+resulting list to normal classes and permissions.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_post.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index fd4758d..05842b6 100644
+--- a/libsepol/cil/src/cil_post.c
++++ b/libsepol/cil/src/cil_post.c
+@@ -2137,6 +2137,10 @@ static int __evaluate_classperms_list(struct cil_list *classperms, struct cil_db
+ 				}
+ 			} else { /* MAP */
+ 				struct cil_list_item *i = NULL;
++				rc = __evaluate_classperms(cp, db);
++				if (rc != SEPOL_OK) {
++					goto exit;
++				}
+ 				cil_list_for_each(i, cp->perms) {
+ 					struct cil_perm *cmp = i->data;
+ 					rc = __evaluate_classperms_list(cmp->classperms, db);
+-- 
+1.8.3.1
+

backport-libsepol-cil-Cleanup-build-AST-helper-functions.patch

@@ -0,0 +1,88 @@
+From f043078f1debeb1c84d4f6943aa689c33dd9cefc Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Tue, 30 Mar 2021 13:39:13 -0400
+Subject: [PATCH] libsepol/cil: Cleanup build AST helper functions
+
+Since parse_current, finished, and extra_args can never be NULL,
+remove the useless check and directly assign local variables from
+extra_args.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_build_ast.c | 44 ++++++++------------------------
+ 1 file changed, 10 insertions(+), 34 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index eee21086b..0d6d91a7d 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -6065,28 +6065,16 @@ void cil_destroy_src_info(struct cil_src_info *info)
+ 
+ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *finished, void *extra_args)
+ {
+-	struct cil_args_build *args = NULL;
+-	struct cil_tree_node *ast_current = NULL;
+-	struct cil_db *db = NULL;
++	struct cil_args_build *args = extra_args;
++	struct cil_db *db = args->db;
++	struct cil_tree_node *ast_current = args->ast;
++	struct cil_tree_node *tunif = args->tunif;
++	struct cil_tree_node *in = args->in;
++	struct cil_tree_node *macro = args->macro;
++	struct cil_tree_node *boolif = args->boolif;
+ 	struct cil_tree_node *ast_node = NULL;
+-	struct cil_tree_node *tunif = NULL;
+-	struct cil_tree_node *in = NULL;
+-	struct cil_tree_node *macro = NULL;
+-	struct cil_tree_node *boolif = NULL;
+ 	int rc = SEPOL_ERR;
+ 
+-	if (parse_current == NULL || finished == NULL || extra_args == NULL) {
+-		goto exit;
+-	}
+-
+-	args = extra_args;
+-	ast_current = args->ast;
+-	db = args->db;
+-	tunif = args->tunif;
+-	in = args->in;
+-	macro = args->macro;
+-	boolif = args->boolif;
+-
+ 	if (parse_current->parent->cl_head != parse_current) {
+ 		/* ignore anything that isn't following a parenthesis */
+ 		rc = SEPOL_OK;
+@@ -6474,20 +6462,11 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 
+ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void *extra_args)
+ {
+-	int rc = SEPOL_ERR;
+-	struct cil_tree_node *ast = NULL;
+-	struct cil_args_build *args = NULL;
+-
+-	if (extra_args == NULL) {
+-		goto exit;
+-	}
+-
+-	args = extra_args;
+-	ast = args->ast;
++	struct cil_args_build *args = extra_args;
++	struct cil_tree_node *ast = args->ast;
+ 
+ 	if (ast->flavor == CIL_ROOT) {
+-		rc = SEPOL_OK;
+-		goto exit;
++		return SEPOL_OK;
+ 	}
+ 
+ 	args->ast = ast->parent;
+@@ -6516,9 +6495,6 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
+ 	cil_tree_children_destroy(parse_current->parent);
+ 
+ 	return SEPOL_OK;
+-
+-exit:
+-	return rc;
+ }
+ 
+ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct cil_tree_node *ast)

backport-libsepol-cil-Create-new-first-child-helper-function-.patch

@@ -0,0 +1,95 @@
+From ab90cb46abd4cfc5927f48c7b61782aa97e2561f Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Tue, 30 Mar 2021 13:39:14 -0400
+Subject: [PATCH] libsepol/cil: Create new first child helper function for
+ building AST
+
+In order to find statements not allowed in tunableifs, in-statements,
+macros, and booleanifs, there are tree node pointers that point to
+each of these kinds of statements when its block is being parsed.
+If the pointer is non-NULL, then the rule being parsed is in the block
+of that kind of statement.
+
+The tree node pointers were being updated at the wrong point which
+prevented an invalid statement from being found if it was the first
+statement in the block of a tunableif, in-statement, macro, or
+booleanif.
+
+Create a first child helper function for walking the parse tree and
+in that function set the appropriate tree node pointer if the
+current AST node is a tunableif, in-statement, macro, or booleanif.
+This also makes the code symmetrical with the last child helper
+where the tree node pointers are set to NULL.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_build_ast.c | 42 +++++++++++++++++++-------------
+ 1 file changed, 25 insertions(+), 17 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index 0d6d91a7d..9836f0445 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -6429,22 +6429,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 
+ 	if (rc == SEPOL_OK) {
+ 		if (ast_current->cl_head == NULL) {
+-			if (ast_current->flavor == CIL_TUNABLEIF) {
+-				args->tunif = ast_current;
+-			}
+-
+-			if (ast_current->flavor == CIL_IN) {
+-				args->in = ast_current;
+-			}
+-
+-			if (ast_current->flavor == CIL_MACRO) {
+-				args->macro = ast_current;
+-			}
+-
+-			if (ast_current->flavor == CIL_BOOLEANIF) {
+-				args->boolif = ast_current;
+-			}
+-
+ 			ast_current->cl_head = ast_node;
+ 		} else {
+ 			ast_current->cl_tail->next = ast_node;
+@@ -6460,6 +6444,30 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 	return rc;
+ }
+ 
++int __cil_build_ast_first_child_helper(__attribute__((unused)) struct cil_tree_node *parse_current, void *extra_args)
++{
++	struct cil_args_build *args = extra_args;
++	struct cil_tree_node *ast = args->ast;
++
++	if (ast->flavor == CIL_TUNABLEIF) {
++		args->tunif = ast;
++	}
++
++	if (ast->flavor == CIL_IN) {
++		args->in = ast;
++	}
++
++	if (ast->flavor == CIL_MACRO) {
++		args->macro = ast;
++	}
++
++	if (ast->flavor == CIL_BOOLEANIF) {
++		args->boolif = ast;
++	}
++
++	return SEPOL_OK;
++}
++
+ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void *extra_args)
+ {
+ 	struct cil_args_build *args = extra_args;
+@@ -6513,7 +6521,7 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
+ 	extra_args.macro = NULL;
+ 	extra_args.boolif = NULL;
+ 
+-	rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, NULL, __cil_build_ast_last_child_helper, &extra_args);
++	rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, __cil_build_ast_first_child_helper, __cil_build_ast_last_child_helper, &extra_args);
+ 	if (rc != SEPOL_OK) {
+ 		goto exit;
+ 	}

backport-libsepol-cil-Fix-potential-undefined-shifts.patch

@@ -0,0 +1,52 @@
+From 974da80e08d24e92e5409bb040f95d06a47776a2 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Fri, 8 Oct 2021 10:27:49 -0400
+Subject: [PATCH] libsepol/cil: Fix potential undefined shifts
+
+An expression of the form "1 << x" is undefined if x == 31 because
+the "1" is an int and cannot be left shifted by 31.
+
+Instead, use "UINT32_C(1) << x" which will be an unsigned int of
+at least 32 bits.
+
+This bug was found by the secilc-fuzzer.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index ec5f01e..d8aa495 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -1225,7 +1225,7 @@ int __perm_str_to_datum(char *perm_str, class_datum_t *sepol_class, uint32_t *da
+ 			goto exit;
+ 		}
+ 	}
+-	*datum |= 1 << (sepol_perm->s.value - 1);
++	*datum |= UINT32_C(1) << (sepol_perm->s.value - 1);
+ 
+ 	return SEPOL_OK;
+ 
+@@ -1523,7 +1523,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
+ /* index of the u32 containing the permission */
+ #define XPERM_IDX(x) (x >> 5)
+ /* set bits 0 through x-1 within the u32 */
+-#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
++#define XPERM_SETBITS(x) ((UINT32_C(1) << (x & 0x1f)) - 1)
+ /* low value for this u32 */
+ #define XPERM_LOW(x) (x << 5)
+ /* high value for this u32 */
+@@ -4760,7 +4760,7 @@ static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t clas
+ 	cil_list_init(&cp->perms, CIL_PERM);
+ 	for (i = 0; i < sepol_class->permissions.nprim; i++) {
+ 		struct cil_perm *perm;
+-		if ((data & (1 << i)) == 0) continue;
++		if ((data & (UINT32_C(1) << i)) == 0) continue;
+ 		perm = perm_value_to_cil[class][i+1];
+ 		if (!perm) goto exit;
+ 		cil_list_append(cp->perms, CIL_PERM, perm);
+-- 
+1.8.3.1
+

backport-libsepol-cil-Handle-operations-in-a-class-mapping-wh.patch

@@ -0,0 +1,95 @@
+From 18f8747b28f1620903c7a3aa8a6616c199c173a6 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 16 Sep 2021 16:29:00 -0400
+Subject: [PATCH] libsepol/cil: Handle operations in a class mapping when
+ verifying
+
+When checking for circular class permission declarations and a class
+mapping is encountered, the class permissions for each map permission
+must be checked. An assumption was made that there were no operators
+in the class permissions. An operator in the class permissions would
+cause a segfault.
+
+Example causing segault:
+  (classmap cm1 (mp1))
+  (classmapping cm1 mp1 (CLASS (PERM)))
+  (classpermission cp1)
+  (classpermissionset cp1 (cm1 (all)))
+
+For map class permissions, check each item in the permission list to
+see if it is an operator. If it is not, then verify the class
+permissions associated with the map permission. If it is an operator
+and the operator is "all", then create a list of all permissions for
+that map class and verify the class permissions associated with each
+map permission. If it is a different operator, then it can be skipped.
+
+This bug was found by the secilc-fuzzer.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_verify.c | 40 +++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 35 insertions(+), 5 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
+index 5502c4d..dc29ea6 100644
+--- a/libsepol/cil/src/cil_verify.c
++++ b/libsepol/cil/src/cil_verify.c
+@@ -1689,6 +1689,15 @@ exit:
+ 	return rc;
+ }
+ 
++static int __add_perm_to_list(__attribute__((unused)) hashtab_key_t k, hashtab_datum_t d, void *args)
++{
++	struct cil_list *perm_list = (struct cil_list *)args;
++
++	cil_list_append(perm_list, CIL_DATUM, d);
++
++	return SEPOL_OK;
++}
++
+ static int __cil_verify_classperms(struct cil_list *classperms,
+ 				   struct cil_symtab_datum *orig,
+ 				   struct cil_symtab_datum *parent,
+@@ -1730,13 +1739,34 @@ static int __cil_verify_classperms(struct cil_list *classperms,
+ 			if (FLAVOR(cp->class) != CIL_CLASS) { /* MAP */
+ 				struct cil_list_item *i = NULL;
+ 				cil_list_for_each(i, cp->perms) {
+-					struct cil_perm *cmp = i->data;
+-					rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
+-					if (rc != SEPOL_OK) {
+-						goto exit;
++					if (i->flavor != CIL_OP) {
++						struct cil_perm *cmp = i->data;
++						rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
++						if (rc != SEPOL_OK) {
++							goto exit;
++						}
++					} else {
++						enum cil_flavor op = (enum cil_flavor)i->data;
++						if (op == CIL_ALL) {
++							struct cil_class *mc = cp->class;
++							struct cil_list *perm_list;
++							struct cil_list_item *j = NULL;
++
++							cil_list_init(&perm_list, CIL_MAP_PERM);
++							cil_symtab_map(&mc->perms, __add_perm_to_list, perm_list);
++							cil_list_for_each(j, perm_list) {
++								struct cil_perm *cmp = j->data;
++								rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
++								if (rc != SEPOL_OK) {
++									cil_list_destroy(&perm_list, CIL_FALSE);
++									goto exit;
++								}
++							}
++							cil_list_destroy(&perm_list, CIL_FALSE);
++						}
+ 					}
+ 				}
+-			}	
++			}
+ 		} else { /* SET */
+ 			struct cil_classperms_set *cp_set = curr->data;
+ 			struct cil_classpermission *cp = cp_set->set;
+-- 
+1.8.3.1
+

backport-libsepol-cil-Properly-check-for-parameter-when-inser.patch

@@ -0,0 +1,39 @@
+From 05d1c66aaae2b1ce3eaac7d241f24be121fddb39 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Fri, 27 Aug 2021 10:12:42 -0400
+Subject: [PATCH] libsepol/cil: Properly check for parameter when inserting
+ name
+
+File names for typetransition rules are stored in their own datums.
+This allows them to be passed as a parameter, but there needs to be
+a check in __cil_insert_name() so that parameter names are not
+mistaken for file name strings. This check did not verify that a
+matching parameter name had the flavor of CIL_NAME.
+
+Check that the parameter flavor is CIL_NAME and that the paramter
+name matches the file name to be stored in the datum.
+
+This bug was found by the secilc-fuzzer.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_resolve_ast.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 1800732..a4de1c7 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
++++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -87,7 +87,8 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key,
+ 	if (macro != NULL && macro->params != NULL) {
+ 		struct cil_list_item *item;
+ 		cil_list_for_each(item, macro->params) {
+-			if (((struct cil_param*)item->data)->str == key) {
++			struct cil_param *param = item->data;
++			if (param->flavor == CIL_NAME && param->str == key) {
+ 				return NULL;
+ 			}
+ 		}
+-- 
+1.8.3.1
+

backport-libsepol-cil-Reorder-checks-for-invalid-rules-when-b.patch

@@ -0,0 +1,216 @@
+From 69bfe64cdf659cc47c544e6b376f0a653ff06f6f Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Tue, 30 Mar 2021 13:39:12 -0400
+Subject: [PATCH] libsepol/cil: Reorder checks for invalid rules when building
+ AST
+
+Reorder checks for invalid rules in the blocks of tunableifs,
+in-statements, macros, and booleanifs when building the AST for
+consistency.
+
+Order the checks in the same order the blocks will be resolved in,
+so tuanbleif, in-statement, macro, booleanif, and then non-block
+rules.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_build_ast.c | 100 +++++++++++++++----------------
+ 1 file changed, 50 insertions(+), 50 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index a4a2baa0f..eee21086b 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -49,10 +49,10 @@
+ struct cil_args_build {
+ 	struct cil_tree_node *ast;
+ 	struct cil_db *db;
+-	struct cil_tree_node *macro;
+-	struct cil_tree_node *boolif;
+ 	struct cil_tree_node *tunif;
+ 	struct cil_tree_node *in;
++	struct cil_tree_node *macro;
++	struct cil_tree_node *boolif;
+ };
+ 
+ int cil_fill_list(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **list)
+@@ -6069,10 +6069,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 	struct cil_tree_node *ast_current = NULL;
+ 	struct cil_db *db = NULL;
+ 	struct cil_tree_node *ast_node = NULL;
+-	struct cil_tree_node *macro = NULL;
+-	struct cil_tree_node *boolif = NULL;
+ 	struct cil_tree_node *tunif = NULL;
+ 	struct cil_tree_node *in = NULL;
++	struct cil_tree_node *macro = NULL;
++	struct cil_tree_node *boolif = NULL;
+ 	int rc = SEPOL_ERR;
+ 
+ 	if (parse_current == NULL || finished == NULL || extra_args == NULL) {
+@@ -6082,10 +6082,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 	args = extra_args;
+ 	ast_current = args->ast;
+ 	db = args->db;
+-	macro = args->macro;
+-	boolif = args->boolif;
+ 	tunif = args->tunif;
+ 	in = args->in;
++	macro = args->macro;
++	boolif = args->boolif;
+ 
+ 	if (parse_current->parent->cl_head != parse_current) {
+ 		/* ignore anything that isn't following a parenthesis */
+@@ -6102,13 +6102,31 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 		goto exit;
+ 	}
+ 
++	if (tunif != NULL) {
++		if (parse_current->data == CIL_KEY_TUNABLE) {
++			rc = SEPOL_ERR;
++			cil_tree_log(parse_current, CIL_ERR, "Found tunable");
++			cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
++			goto exit;
++		}
++	}
++
++	if (in != NULL) {
++		if (parse_current->data == CIL_KEY_IN) {
++			rc = SEPOL_ERR;
++			cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
++			cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
++			goto exit;
++		}
++	}
++
+ 	if (macro != NULL) {
+-		if (parse_current->data == CIL_KEY_MACRO ||
+-			parse_current->data == CIL_KEY_TUNABLE ||
++		if (parse_current->data == CIL_KEY_TUNABLE ||
+ 			parse_current->data == CIL_KEY_IN ||
+ 			parse_current->data == CIL_KEY_BLOCK ||
+ 			parse_current->data == CIL_KEY_BLOCKINHERIT ||
+-			parse_current->data == CIL_KEY_BLOCKABSTRACT) {
++			parse_current->data == CIL_KEY_BLOCKABSTRACT ||
++			parse_current->data == CIL_KEY_MACRO) {
+ 			rc = SEPOL_ERR;
+ 			cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in macros", (char *)parse_current->data);
+ 			goto exit;
+@@ -6116,15 +6134,15 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 	}
+ 
+ 	if (boolif != NULL) {
+-		if (parse_current->data != CIL_KEY_CONDTRUE &&
++		if (parse_current->data != CIL_KEY_TUNABLEIF &&
++			parse_current->data != CIL_KEY_CALL &&
++			parse_current->data != CIL_KEY_CONDTRUE &&
+ 			parse_current->data != CIL_KEY_CONDFALSE &&
+-			parse_current->data != CIL_KEY_AUDITALLOW &&
+-			parse_current->data != CIL_KEY_TUNABLEIF &&
+ 			parse_current->data != CIL_KEY_ALLOW &&
+ 			parse_current->data != CIL_KEY_DONTAUDIT &&
++			parse_current->data != CIL_KEY_AUDITALLOW &&
+ 			parse_current->data != CIL_KEY_TYPETRANSITION &&
+-			parse_current->data != CIL_KEY_TYPECHANGE &&
+-			parse_current->data != CIL_KEY_CALL) {
++			parse_current->data != CIL_KEY_TYPECHANGE) {
+ 			rc = SEPOL_ERR;
+ 			cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data);
+ 			if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
+@@ -6138,24 +6156,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 		}
+ 	}
+ 
+-	if (tunif != NULL) {
+-		if (parse_current->data == CIL_KEY_TUNABLE) {
+-			rc = SEPOL_ERR;
+-			cil_tree_log(parse_current, CIL_ERR, "Found tunable");
+-			cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
+-			goto exit;
+-		}
+-	}
+-
+-	if (in != NULL) {
+-		if (parse_current->data == CIL_KEY_IN) {
+-			rc = SEPOL_ERR;
+-			cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
+-			cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
+-			goto exit;
+-		}
+-	}
+-
+ 	cil_tree_node_init(&ast_node);
+ 
+ 	ast_node->parent = ast_current;
+@@ -6441,14 +6441,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 
+ 	if (rc == SEPOL_OK) {
+ 		if (ast_current->cl_head == NULL) {
+-			if (ast_current->flavor == CIL_MACRO) {
+-				args->macro = ast_current;
+-			}
+-
+-			if (ast_current->flavor == CIL_BOOLEANIF) {
+-				args->boolif = ast_current;
+-			}
+-
+ 			if (ast_current->flavor == CIL_TUNABLEIF) {
+ 				args->tunif = ast_current;
+ 			}
+@@ -6457,6 +6449,14 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+ 				args->in = ast_current;
+ 			}
+ 
++			if (ast_current->flavor == CIL_MACRO) {
++				args->macro = ast_current;
++			}
++
++			if (ast_current->flavor == CIL_BOOLEANIF) {
++				args->boolif = ast_current;
++			}
++
+ 			ast_current->cl_head = ast_node;
+ 		} else {
+ 			ast_current->cl_tail->next = ast_node;
+@@ -6492,14 +6492,6 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
+ 
+ 	args->ast = ast->parent;
+ 
+-	if (ast->flavor == CIL_MACRO) {
+-		args->macro = NULL;
+-	}
+-
+-	if (ast->flavor == CIL_BOOLEANIF) {
+-		args->boolif = NULL;
+-	}
+-
+ 	if (ast->flavor == CIL_TUNABLEIF) {
+ 		args->tunif = NULL;
+ 	}
+@@ -6508,6 +6500,14 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
+ 		args->in = NULL;
+ 	}
+ 
++	if (ast->flavor == CIL_MACRO) {
++		args->macro = NULL;
++	}
++
++	if (ast->flavor == CIL_BOOLEANIF) {
++		args->boolif = NULL;
++	}
++
+ 	// At this point we no longer have any need for parse_current or any of its
+ 	// siblings; they have all been converted to the appropriate AST node. The
+ 	// full parse tree will get deleted elsewhere, but in an attempt to
+@@ -6532,10 +6532,10 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
+ 
+ 	extra_args.ast = ast;
+ 	extra_args.db = db;
+-	extra_args.macro = NULL;
+-	extra_args.boolif = NULL;
+ 	extra_args.tunif = NULL;
+ 	extra_args.in = NULL;
++	extra_args.macro = NULL;
++	extra_args.boolif = NULL;
+ 
+ 	rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, NULL, __cil_build_ast_last_child_helper, &extra_args);
+ 	if (rc != SEPOL_OK) {

backport-libsepol-cil-Reset-expandtypeattribute-rules-when-re.patch

@@ -0,0 +1,57 @@
+From b57535318af6f3f5e79c90caed06423b1f50abb1 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Fri, 27 Aug 2021 10:11:19 -0400
+Subject: [PATCH] libsepol/cil: Reset expandtypeattribute rules when resetting
+ AST
+
+A list is created to store type attribute datums when resolving an
+expandtypeattribute rule and that list needs to be destroyed if the
+AST is reset or a memory leak will occur.
+
+Destroy the list storing type attributes datums when resetting
+expandtypeattribute rules.
+
+This bug was found by the secilc-fuzzer.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_reset_ast.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
+index 6d1d2da..0ba075c 100644
+--- a/libsepol/cil/src/cil_reset_ast.c
++++ b/libsepol/cil/src/cil_reset_ast.c
+@@ -208,6 +208,11 @@ static void cil_reset_typeattributeset(struct cil_typeattributeset *tas)
+ 	cil_list_destroy(&tas->datum_expr, CIL_FALSE);
+ }
+ 
++static void cil_reset_expandtypeattribute(struct cil_expandtypeattribute *expandattr)
++{
++	cil_list_destroy(&expandattr->attr_datums, CIL_FALSE);
++}
++
+ static void cil_reset_avrule(struct cil_avrule *rule)
+ {
+ 	cil_reset_classperms_list(rule->perms.classperms);
+@@ -531,6 +536,9 @@ int __cil_reset_node(struct cil_tree_node *node,  __attribute__((unused)) uint32
+ 	case CIL_TYPEATTRIBUTESET:
+ 		cil_reset_typeattributeset(node->data);
+ 		break;
++	case CIL_EXPANDTYPEATTRIBUTE:
++		cil_reset_expandtypeattribute(node->data);
++		break;
+ 	case CIL_RANGETRANSITION:
+ 		cil_reset_rangetransition(node->data);
+ 		break;
+@@ -630,7 +638,6 @@ int __cil_reset_node(struct cil_tree_node *node,  __attribute__((unused)) uint32
+ 	case CIL_CLASSORDER:
+ 	case CIL_CATORDER:
+ 	case CIL_SENSITIVITYORDER:
+-	case CIL_EXPANDTYPEATTRIBUTE:
+ 		break; /* Nothing to reset */
+ 	default:
+ 		break;
+-- 
+1.8.3.1
+

backport-libsepol-cil-be-more-robust-when-encountering-src_in.patch

@@ -0,0 +1,53 @@
+From 4662bdc11c8f505716f8da361a07ad13083b0618 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Fri, 5 Feb 2021 10:45:38 +0100
+Subject: [PATCH] libsepol/cil: be more robust when encountering <src_info>
+
+OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying
+to compile the following policy:
+
+    (<src_info>)
+
+In cil_gen_src_info(), parse_current->next is NULL even though the code
+expects that both parse_current->next and parse_current->next->next
+exists.
+
+Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28457
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ libsepol/cil/src/cil_build_ast.c | 5 +++++
+ libsepol/cil/src/cil_tree.c      | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index 5094d62..726f46c 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -6070,6 +6070,11 @@ int cil_gen_src_info(struct cil_tree_node *parse_current, struct cil_tree_node *
+ 	/* No need to check syntax, because this is auto generated */
+ 	struct cil_src_info *info = NULL;
+ 
++	if (parse_current->next == NULL || parse_current->next->next == NULL) {
++		cil_tree_log(parse_current, CIL_ERR, "Bad <src_info>");
++		return SEPOL_ERR;
++	}
++
+ 	cil_src_info_init(&info);
+ 
+ 	info->is_cil = (parse_current->next->data == CIL_KEY_SRC_CIL) ? CIL_TRUE : CIL_FALSE;
+diff --git a/libsepol/cil/src/cil_tree.c b/libsepol/cil/src/cil_tree.c
+index 886412d..3da972e 100644
+--- a/libsepol/cil/src/cil_tree.c
++++ b/libsepol/cil/src/cil_tree.c
+@@ -69,7 +69,7 @@ struct cil_tree_node *cil_tree_get_next_path(struct cil_tree_node *node, char **
+ 
+ 	while (node) {
+ 		if (node->flavor == CIL_NODE && node->data == NULL) {
+-			if (node->cl_head->data == CIL_KEY_SRC_INFO) {
++			if (node->cl_head->data == CIL_KEY_SRC_INFO && node->cl_head->next != NULL && node->cl_head->next->next != NULL) {
+ 				/* Parse Tree */
+ 				*path = node->cl_head->next->next->data;
+ 				*is_cil = (node->cl_head->next->data == CIL_KEY_SRC_CIL);
+-- 
+1.8.3.1
+

backport-libsepol-cil-do-not-allow-0-in-quoted-strings.patch

@@ -0,0 +1,41 @@
+From af29a235531f66882e5a027e1348658b8d8c1e68 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Mon, 12 Jul 2021 10:44:28 +0200
+Subject: [PATCH] libsepol/cil: do not allow \0 in quoted strings
+
+Using the '\0' character in strings in a CIL policy is not expected to
+happen, and makes the flex tokenizer very slow. For example when
+generating a file with:
+
+    python -c 'print("\"" + "\0"*100000 + "\"")' > policy.cil
+
+secilc fails after 26 seconds, on my desktop computer. Increasing the
+numbers of \0 makes this time increase significantly. But replacing \0
+with another character makes secilc fail in only few milliseconds.
+
+Fix this "possible denial of service" issue by forbidding \0 in strings
+in CIL policies.
+
+Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36016
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ libsepol/cil/src/cil_lexer.l | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_lexer.l b/libsepol/cil/src/cil_lexer.l
+index e28c33e..8bf2b6e 100644
+--- a/libsepol/cil/src/cil_lexer.l
++++ b/libsepol/cil/src/cil_lexer.l
+@@ -49,7 +49,7 @@ spec_char	[\[\]\.\@\=\/\*\-\_\$\%\+\-\!\|\&\^\:\~\`\#\{\}\'\<\>\?\,]
+ symbol		({digit}|{alpha}|{spec_char})+
+ white		[ \t]
+ newline		[\n\r]
+-qstring		\"[^"\n]*\"
++qstring		\"[^"\n\0]*\"
+ hll_lm          ^;;\*
+ comment		;
+ 
+-- 
+1.8.3.1
+

backport-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch

@@ -0,0 +1,42 @@
+From c5e6153720e713e72a65614f625a51ad44d1fc07 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Sun, 14 Mar 2021 19:25:58 +0100
+Subject: [PATCH] libsepol/cil: fix NULL pointer dereference in
+ __cil_insert_name
+
+OSS-Fuzz found a Null-dereference in __cil_insert_name when trying to
+compile the following policy:
+
+    (macro MACRO ()
+        (classmap CLASS (PERM))
+        (type TYPE)
+        (typetransition TYPE TYPE CLASS "name" TYPE)
+    )
+    (call MACRO)
+
+When using a macro with no argument, macro->params is NULL and
+cil_list_for_each(item, macro->params) dereferenced a NULL pointer.
+Fix this by checking that macro->params is not NULL before using it.
+
+Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28565
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ libsepol/cil/src/cil_resolve_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 2ea106d..63beed9 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
++++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -82,7 +82,7 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key,
+ 	} else if (parent->flavor == CIL_MACRO) {
+ 		macro = parent->data;
+ 	}
+-	if (macro != NULL) {
++	if (macro != NULL && macro->params != NULL) {
+ 		struct cil_list_item *item;
+ 		cil_list_for_each(item, macro->params) {
+ 			if (((struct cil_param*)item->data)->str == key) {
+-- 
+1.8.3.1
+

backport-libsepol-cil-fix-signed-overflow-caused-by-using-1-3.patch

@@ -0,0 +1,92 @@
+From 521e6a2f478a4c7a7c198c017d4d12e8667d89e7 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Sat, 3 Oct 2020 15:19:08 +0200
+Subject: [PATCH] libsepol/cil: fix signed overflow caused by using (1 << 31) -
+ 1
+
+When compiling SELinux userspace tools with -ftrapv (this option
+generates traps for signed overflow on addition, subtraction,
+multiplication operations, instead of silently wrapping around),
+semodule crashes when running the tests from
+scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
+
+    [root@localhost selinux-testsuite]# make test
+    make -C policy load
+    make[1]: Entering directory '/root/selinux-testsuite/policy'
+    # Test for "expand-check = 0" in /etc/selinux/semanage.conf
+    # General policy build
+    make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
+    Compiling targeted test_policy module
+    Creating targeted test_policy.pp policy package
+    rm tmp/test_policy.mod.fc
+    make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
+    # General policy load
+    domain_fd_use --> off
+    /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
+    make[1]: *** [Makefile:174: load] Aborted (core dumped)
+
+Using "coredumpctl gdb" leads to the following strack trace:
+
+    (gdb) bt
+    #0  0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
+    #1  0x00007f608fe38895 in abort () from /lib64/libc.so.6
+    #2  0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
+    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
+        at ../cil/src/cil_binary.c:1551
+    #4  0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
+        at ../cil/src/cil_binary.c:1596
+    #5  0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
+        args=0x239a640) at ../cil/src/cil_binary.c:1649
+    #6  0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
+        args=0x239a640) at hashtab.c:234
+    #7  0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
+        at ../cil/src/cil_binary.c:4969
+    #8  0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
+    #9  0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
+        at ../cil/src/cil.c:631
+    #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
+    #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
+    #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
+
+    (gdb) f 3
+    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
+        at ../cil/src/cil_binary.c:1551
+    1551     xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
+
+A signed integer overflow therefore occurs in XPERM_SETBITS(h):
+
+    #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
+
+This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
+
+* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
+* (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
+  results in 0x7fffffff (which is unsigned)
+
+Using unsigned integers (with "1U") fixes the crash, as
+(1U << 31) = 0x80000000U has no overflowing issues.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+
+Conflict:remove contents of checkpolicy/policy_define.c
+---
+ libsepol/cil/src/cil_binary.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 36720ed..e417c5c 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
+ /* index of the u32 containing the permission */
+ #define XPERM_IDX(x) (x >> 5)
+ /* set bits 0 through x-1 within the u32 */
+-#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
++#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
+ /* low value for this u32 */
+ #define XPERM_LOW(x) (x << 5)
+ /* high value for this u32 */
+-- 
+1.8.3.1
+

backport-libsepol-do-not-modify-policy-during-write.patch

@@ -0,0 +1,49 @@
+From 2651989d3b94dd15459fbef4384f114b24850665 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 30 Jun 2022 19:03:01 +0200
+Subject: [PATCH] libsepol: do not modify policy during write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not modify the in memory default_range value of a class datum while
+writing a policy.
+
+While on it fix indentation.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/write.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/libsepol/src/write.c b/libsepol/src/write.c
+index 48ed21ea6..a9fdf93a8 100644
+--- a/libsepol/src/write.c
++++ b/libsepol/src/write.c
+@@ -1097,16 +1097,18 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+ 	     p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) ||
+ 	    (p->policy_type == POLICY_BASE &&
+ 	     p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
++		char default_range = cladatum->default_range;
++
+ 		buf[0] = cpu_to_le32(cladatum->default_user);
+ 		buf[1] = cpu_to_le32(cladatum->default_role);
+-		if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
++		if (!glblub_version && default_range == DEFAULT_GLBLUB) {
+ 			WARN(fp->handle,
+-                             "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
+-                             p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
+-                             p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
+-                        cladatum->default_range = 0;
+-                }
+-		buf[2] = cpu_to_le32(cladatum->default_range);
++			     "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
++			     p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
++			     p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
++			default_range = 0;
++		}
++		buf[2] = cpu_to_le32(default_range);
+ 		items = put_entry(buf, sizeof(uint32_t), 3, fp);
+ 		if (items != 3)
+ 			return POLICYDB_ERROR;

backport-libsepol-enclose-macro-parameters-and-replacement-lists-in-parentheses.patch

@@ -0,0 +1,113 @@
+From 65b3f695be306ad8f525d4db2befd55336bd0a09 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 13 Jul 2022 15:43:43 +0200
+Subject: [PATCH] libsepol: enclose macro parameters and replacement lists in
+ parentheses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/include/sepol/errcodes.h          | 13 ++++++-------
+ libsepol/include/sepol/policydb/policydb.h | 10 +++++-----
+ libsepol/src/kernel_to_cil.c               |  2 +-
+ libsepol/src/module_to_cil.c               |  2 +-
+ libsepol/src/util.c                        |  2 +-
+ 5 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/libsepol/include/sepol/errcodes.h b/libsepol/include/sepol/errcodes.h
+index 6e9ff3161..e5fe71e36 100644
+--- a/libsepol/include/sepol/errcodes.h
++++ b/libsepol/include/sepol/errcodes.h
+@@ -16,15 +16,14 @@ extern "C" {
+  * codes that don't map to system error codes should be defined
+  * outside of the range of system error codes.
+  */
+-#define SEPOL_ERR            -1
+-#define SEPOL_ENOTSUP        -2  /* feature not supported in module language */
+-#define SEPOL_EREQ           -3  /* requirements not met */
++#define SEPOL_ERR            (-1)
++#define SEPOL_ENOTSUP        (-2)  /* feature not supported in module language */
++#define SEPOL_EREQ           (-3)  /* requirements not met */
+ 
+ /* Error codes that map to system error codes */
+-#define SEPOL_ENOMEM         -ENOMEM
+-#define SEPOL_ERANGE         -ERANGE
+-#define SEPOL_EEXIST         -EEXIST
+-#define SEPOL_ENOENT         -ENOENT
++#define SEPOL_ENOMEM         (-ENOMEM)
++#define SEPOL_EEXIST         (-EEXIST)
++#define SEPOL_ENOENT         (-ENOENT)
+ 
+ #ifdef __cplusplus
+ }
+diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
+index de0068a6c..ef1a014a5 100644
+--- a/libsepol/include/sepol/policydb/policydb.h
++++ b/libsepol/include/sepol/policydb/policydb.h
+@@ -251,9 +251,9 @@ typedef struct class_perm_node {
+ 	struct class_perm_node *next;
+ } class_perm_node_t;
+ 
+-#define xperm_test(x, p) (1 & (p[x >> 5] >> (x & 0x1f)))
+-#define xperm_set(x, p) (p[x >> 5] |= (1 << (x & 0x1f)))
+-#define xperm_clear(x, p) (p[x >> 5] &= ~(1 << (x & 0x1f)))
++#define xperm_test(x, p) (1 & ((p)[(x) >> 5] >> ((x) & 0x1f)))
++#define xperm_set(x, p) ((p)[(x) >> 5] |= (1 << ((x) & 0x1f)))
++#define xperm_clear(x, p) ((p)[(x) >> 5] &= ~(1 << ((x) & 0x1f)))
+ #define EXTENDED_PERMS_LEN 8
+ 
+ typedef struct av_extended_perms {
+@@ -795,9 +795,9 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
+ 
+ #define policydb_has_boundary_feature(p)			\
+ 	(((p)->policy_type == POLICY_KERN			\
+-	  && p->policyvers >= POLICYDB_VERSION_BOUNDARY) ||	\
++	  && (p)->policyvers >= POLICYDB_VERSION_BOUNDARY) ||	\
+ 	 ((p)->policy_type != POLICY_KERN			\
+-	  && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY))
++	  && (p)->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY))
+ 
+ /* the config flags related to unknown classes/perms are bits 2 and 3 */
+ #define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index 9128ac553..5a1336a33 100644
+--- a/libsepol/src/kernel_to_cil.c
++++ b/libsepol/src/kernel_to_cil.c
+@@ -1626,7 +1626,7 @@ static int write_type_permissive_rules_to_cil(FILE *out, struct policydb *pdb)
+ 	return rc;
+ }
+ 
+-#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p))
++#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p))
+ 
+ static char *xperms_to_str(avtab_extended_perms_t *xperms)
+ {
+diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
+index b35bf055f..b900290a7 100644
+--- a/libsepol/src/module_to_cil.c
++++ b/libsepol/src/module_to_cil.c
+@@ -624,7 +624,7 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
+ 	return rc;
+ }
+ 
+-#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p))
++#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p))
+ 
+ static int xperms_to_cil(const av_extended_perms_t *xperms)
+ {
+diff --git a/libsepol/src/util.c b/libsepol/src/util.c
+index 1cd1308d1..0a2edc852 100644
+--- a/libsepol/src/util.c
++++ b/libsepol/src/util.c
+@@ -124,7 +124,7 @@ char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass,
+ 	return avbuf;
+ }
+ 
+-#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p))
++#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p))
+ 
+ char *sepol_extended_perms_to_string(avtab_extended_perms_t *xperms)
+ {

backport-libsepol-fix-missing-double-quotes-in-typetransition-CIL-rule.patch

@@ -0,0 +1,33 @@
+From eca72d8e47ac8b962f87c46aa77fb893aa0df0f8 Mon Sep 17 00:00:00 2001
+From: Juraj Marcin <juraj@jurajmarcin.com>
+Date: Thu, 25 Aug 2022 15:27:18 +0200
+Subject: [PATCH] libsepol: fix missing double quotes in typetransition CIL
+ rule
+
+CIL Reference Guide defines typetransition rule with double quotes
+around object name, but those are not present in the format string.
+
+This patch fixes this issue, so the CIL output produced by
+sepol_kernel_policydb_to_cil() is in the correct format.
+
+Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
+---
+ libsepol/src/kernel_to_cil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index 5a1336a330..ad4121d50a 100644
+--- a/libsepol/src/kernel_to_cil.c
++++ b/libsepol/src/kernel_to_cil.c
+@@ -1854,7 +1854,7 @@ static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
+ 	filename = ft->name;
+ 	new =  pdb->p_type_val_to_name[datum->otype - 1];
+ 
+-	return strs_create_and_add(strs, "(typetransition %s %s %s %s %s)", 5,
++	return strs_create_and_add(strs, "(typetransition %s %s %s \"%s\" %s)", 5,
+ 				   src, tgt, class, filename, new);
+ }
+ 
+-- 
+2.27.0
+

libsepol.spec

@@ -1,6 +1,6 @@
 Name:           libsepol
 Version:        3.1
-Release:        5
+Release:        10
 Summary:        SELinux binary policy manipulation library
 License:        LGPLv2+
 URL:            https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -38,6 +38,28 @@ Patch28:        backport-libsepol-cil-Fix-instances-where-an-error-returns-SE.pa
 Patch29:        backport-libsepol-cil-Limit-the-number-of-open-parenthesis-al.patch
 Patch30:        backport-libsepol-cil-Fix-syntax-checking-of-defaultrange-rul.patch
 Patch31:        backport-libsepol-cil-Allow-some-duplicate-macro-and-block-de.patch
+Patch32:        backport-libsepol-cil-fix-signed-overflow-caused-by-using-1-3.patch
+Patch33:        backport-libsepol-cil-Fix-potential-undefined-shifts.patch
+Patch34:        backport-libsepol-cil-be-more-robust-when-encountering-src_in.patch
+Patch35:        backport-libsepol-cil-Handle-operations-in-a-class-mapping-wh.patch
+Patch36:        backport-libsepol-cil-Allow-permission-expressions-when-using.patch
+Patch37:        backport-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch
+Patch38:        backport-libsepol-cil-Properly-check-for-parameter-when-inser.patch
+Patch39:        backport-libsepol-cil-Reset-expandtypeattribute-rules-when-re.patch
+Patch40:        backport-libsepol-cil-do-not-allow-0-in-quoted-strings.patch
+Patch41:        backport-CVE-2021-36084.patch
+Patch42:        backport-CVE-2021-36085.patch
+Patch43:        backport-CVE-2021-36086.patch
+Patch44:        backport-libsepol-cil-Reorder-checks-for-invalid-rules-when-b.patch
+Patch45:        backport-libsepol-cil-Cleanup-build-AST-helper-functions.patch
+Patch46:        backport-libsepol-cil-Create-new-first-child-helper-function-.patch
+Patch47:        backport-CVE-2021-36087.patch
+Patch48:        backport-libsepol-avoid-potential-NULL-dereference-on-optional-parameter.patch
+Patch49:        backport-libsepol-check-correct-pointer-for-oom.patch
+Patch50:        backport-libsepol-do-not-modify-policy-during-write.patch
+Patch51:        backport-libsepol-enclose-macro-parameters-and-replacement-lists-in-parentheses.patch
+Patch52:        backport-libsepol-fix-missing-double-quotes-in-typetransition-CIL-rule.patch
+Patch53:        backport-libsepol-add-missing-oom-checks.patch
 
 BuildRequires:  gcc flex
 
@@ -97,6 +119,21 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
 %{_mandir}/man3/*
 
 %changelog
+* Wed Feb 15 2023 jinlun <jinlun@huawei.com> - 3.1-10
+- backport bugfix from upstream
+
+* Thu Dec 15 2022 jinlun <jinlun@huawei.com> - 3.1-9
+- fix CVE-2021-36084 CVE-2021-36085 CVE-2021-36087
+
+* Thu Jul 7 2022 panxiaohe <panxh.life@foxmail.com> - 3.1-8
+- fix CVE-2021-36086
+
+* Tue Feb 15 2022 panxiaohe <panxh.life@foxmail.com> - 3.1-7
+- libsepol/cil: do not allow \0 in quoted strings
+
+* Fri Dec 10 2021 panxiaohe <panxiaohe@huawei.com> - 3.1-6
+- fix secilc-fuzzer issues
+
 * Fri Sep 10 2021 panxiaohe <panxiaohe@huawei.com> - 3.1-5
 - fix secilc-fuzzer issues