libsepol: Fully expand neverallowxperm rules

Message ID 1448123208-5557-1-git-send-email-richard_c_haines@btinternet.com
State Accepted

Commit Message

Richard Haines Nov. 21, 2015, 4:26 p.m. UTC
Currently, neverallowxperm rules are resolved correctly when
building policy; however, they are not detectable when using tools
such as an updated version of setools. This patch allows
these rules to be viewed in the same way as neverallow rules are in a
text-based kernel policy file (e.g. policy.conf).

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 libsepol/src/expand.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Jeffrey Vander Stoep Nov. 23, 2015, 3:18 p.m. UTC | #1
Acked-by: Jeff Vander Stoep <jeffv@google.com>

On Sat, Nov 21, 2015 at 8:30 AM Richard Haines <
richard_c_haines@btinternet.com> wrote:

> Currently neverallowxperm rules will be resolved correctly when
> building policy, however they are not detectable when using tools
> such as an updated version of setools. This patch will allow
> these to be viewed in the same way as neverallow rules are in a
> text based kernel policy file (e.g. policy.conf).
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  libsepol/src/expand.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 9047c6d..9cb7965 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t *
> handle,
>                 if (handle && handle->disable_dontaudit)
>                         return EXPAND_RULE_SUCCESS;
>                 spec = AVTAB_XPERMS_DONTAUDIT;
> +       } else if (specified & AVRULE_XPERMS_NEVERALLOW) {
> +               spec = AVTAB_XPERMS_NEVERALLOW;
>         } else {
>                 assert(0);      /* unreachable */
>         }
> @@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t *
> handle,
>
>         if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
>                 return EXPAND_RULE_SUCCESS;
> -       if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
> +       if (!do_neverallow && source_rule->specified &
> AVRULE_XPERMS_NEVERALLOW)
>                 return EXPAND_RULE_SUCCESS;
>
>         ebitmap_init(&stypes);
> --
> 2.5.0
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>
Stephen Smalley Nov. 24, 2015, 9:39 p.m. UTC | #2
On 11/21/2015 11:26 AM, Richard Haines wrote:
> Currently neverallowxperm rules will be resolved correctly when
> building policy, however they are not detectable when using tools
> such as an updated version of setools. This patch will allow
> these to be viewed in the same way as neverallow rules are in a
> text based kernel policy file (e.g. policy.conf).
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

Thanks, applied.

> ---
>   libsepol/src/expand.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 9047c6d..9cb7965 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t * handle,
>   		if (handle && handle->disable_dontaudit)
>   			return EXPAND_RULE_SUCCESS;
>   		spec = AVTAB_XPERMS_DONTAUDIT;
> +	} else if (specified & AVRULE_XPERMS_NEVERALLOW) {
> +		spec = AVTAB_XPERMS_NEVERALLOW;
>   	} else {
>   		assert(0);	/* unreachable */
>   	}
> @@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t * handle,
>
>   	if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
>   		return EXPAND_RULE_SUCCESS;
> -	if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
> +	if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
>   		return EXPAND_RULE_SUCCESS;
>
>   	ebitmap_init(&stypes);
>


diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 9047c6d..9cb7965 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1811,6 +1811,8 @@  static int expand_avrule_helper(sepol_handle_t * handle,
 		if (handle && handle->disable_dontaudit)
 			return EXPAND_RULE_SUCCESS;
 		spec = AVTAB_XPERMS_DONTAUDIT;
+	} else if (specified & AVRULE_XPERMS_NEVERALLOW) {
+		spec = AVTAB_XPERMS_NEVERALLOW;
 	} else {
 		assert(0);	/* unreachable */
 	}
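Review bot: The new `else if` branch maps AVRULE_XPERMS_NEVERALLOW to an avtab spec without a word on why a neverallow rule, which grants nothing, now reaches the avtab at all; the reader of this function cannot see that the caller is what keeps such entries out of an ordinary expansion. A short comment on the new branch would carry that, e.g. `/* neverallowxperm: emitted only when the caller expands neverallow rules (do_neverallow), never into an enforcing policy */` — the `do_neverallow` gating is in convert_and_expand_rule, not here, so the wording should be confirmed against that caller. expand_avrule_helper starts and ends outside this hunk, so whether `spec` has a safe initial value when the trailing `assert(0)` is compiled out (NDEBUG) cannot be judged from these lines.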
@@ -1948,7 +1950,7 @@  static int convert_and_expand_rule(sepol_handle_t * handle,
 
 	if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
 		return EXPAND_RULE_SUCCESS;
-	if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
+	if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
 		return EXPAND_RULE_SUCCESS;
 
 	ebitmap_init(&stypes);
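Review bot: The changed condition relies on `&` binding tighter than `&&`, which is correct C but easy to misread, and the two adjacent early returns now test the same `!do_neverallow` guard on two sibling flags. Since the new line mirrors the existing AVRULE_NEVERALLOW line above it, the clearer form is to fold both into one guard with explicit parentheses: `if (!do_neverallow && (source_rule->specified & (AVRULE_NEVERALLOW | AVRULE_XPERMS_NEVERALLOW)))` followed by `return EXPAND_RULE_SUCCESS;`. This also makes it evident that neither kind of neverallow rule is expanded into the avtab unless the caller asked for neverallow processing, which is the property an enforcing policy depends on. convert_and_expand_rule begins before and continues after this hunk.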