Message ID | 20220211184650.535016-1-jwcart2@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 1f15c6289669 |
Series | [1/2] libsepol/cil: Don't add constraint if there are no permissions |
On Fri, Feb 11, 2022 at 1:47 PM James Carter <jwcart2@gmail.com> wrote: > > Since CIL allows permission expressions, it is possible for the > expression to evaluate to no permissions. If this is the case, > then don't add the constraint. > > Signed-off-by: James Carter <jwcart2@gmail.com> These two patches have been merged. Jim > --- > libsepol/cil/src/cil_binary.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > index 4ac8ce8d..468fb595 100644 > --- a/libsepol/cil/src/cil_binary.c > +++ b/libsepol/cil/src/cil_binary.c > @@ -2823,6 +2823,12 @@ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, s > goto exit; > } > > + if (sepol_constrain->permissions == 0) { > + /* No permissions, so don't insert rule. */ > + free(sepol_constrain); > + return SEPOL_OK; > + } > + > rc = __cil_constrain_expr_to_sepol_expr(pdb, db, expr, &sepol_expr); > if (rc != SEPOL_OK) { > goto exit; > -- > 2.34.1 >
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 4ac8ce8d..468fb595 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -2823,6 +2823,12 @@ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, s goto exit; } + if (sepol_constrain->permissions == 0) { + /* No permissions, so don't insert rule. */ + free(sepol_constrain); + return SEPOL_OK; + } + rc = __cil_constrain_expr_to_sepol_expr(pdb, db, expr, &sepol_expr); if (rc != SEPOL_OK) { goto exit;
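Review bot: The new "permissions == 0" block in cil_constrain_to_policydb_helper() leaves the function with free(sepol_constrain) and a direct "return SEPOL_OK", while the checks immediately before and after it leave through "goto exit". It is worth confirming that nothing other than the struct itself is owned at this point, and that the exit label does no work this path also needs; otherwise set rc = SEPOL_OK and go through the common exit so there is a single cleanup path. The comment could also say why the mask can be zero (per the commit message, a CIL permission expression that evaluates to no permissions), and a log message here would tell a policy author that a constraint they wrote was dropped rather than inserted.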
Since CIL allows permission expressions, it is possible for the expression to evaluate to no permissions. If this is the case, then don't add the constraint. Signed-off-by: James Carter <jwcart2@gmail.com> --- libsepol/cil/src/cil_binary.c | 6 ++++++ 1 file changed, 6 insertions(+)