libsepol/cil: Fix neverallow checking involving classmaps

Message ID 20200915184806.396309-1-jwcart2@gmail.com (mailing list archive)
State Accepted

Commit Message

James Carter Sept. 15, 2020, 6:48 p.m. UTC
When classmaps used in a neverallow were being expanded during CIL
neverallow checking, an empty classmapping in the list of
classmappings for a classmap would cause the classmap expansion to
stop and the rest of the classmapping of the classmap to be ignored.
This would mean that not all of the classes and permissions associated
with the classmap would be used to check for a neverallow violation.

Do not end the expansion of a classmap when one classmapping is empty.

Reported-by: Jonathan Hettwer <j2468h@gmail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/cil/src/cil_binary.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

Comments

Stephen Smalley Sept. 15, 2020, 8:45 p.m. UTC | #1
On Tue, Sep 15, 2020 at 2:49 PM James Carter <jwcart2@gmail.com> wrote:
>
> When classmaps used in a neverallow were being expanded during CIL
> neverallow checking, an empty classmapping in the list of
> classmappings for a classmap would cause the classmap expansion to
> stop and the rest of the classmapping of the classmap to be ignored.
> This would mean that not all of the classes and permissions associated
> with the classmap would be used to check for a neverallow violation.
>
> Do not end the expansion of a classmap when one classmapping is empty.
>
> Reported-by: Jonathan Hettwer <j2468h@gmail.com>
> Signed-off-by: James Carter <jwcart2@gmail.com>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Stephen Smalley Sept. 17, 2020, 8:20 p.m. UTC | #2
On Tue, Sep 15, 2020 at 4:45 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Tue, Sep 15, 2020 at 2:49 PM James Carter <jwcart2@gmail.com> wrote:
> >
> > When classmaps used in a neverallow were being expanded during CIL
> > neverallow checking, an empty classmapping in the list of
> > classmappings for a classmap would cause the classmap expansion to
> > stop and the rest of the classmapping of the classmap to be ignored.
> > This would mean that not all of the classes and permissions associated
> > with the classmap would be used to check for a neverallow violation.
> >
> > Do not end the expansion of a classmap when one classmapping is empty.
> >
> > Reported-by: Jonathan Hettwer <j2468h@gmail.com>
> > Signed-off-by: James Carter <jwcart2@gmail.com>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Applied.
Patch

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 50cc7f75..36720eda 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4363,15 +4363,13 @@  static int __cil_rule_to_sepol_class_perms(policydb_t *pdb, struct cil_list *cla
 
 				rc = __cil_perms_to_datum(cp->perms, sepol_class, &data);
 				if (rc != SEPOL_OK) goto exit;
-				if (data == 0) {
-					/* No permissions */
-					return SEPOL_OK;
+				if (data != 0) { /* Only add if there are permissions */
+					cpn = cil_malloc(sizeof(class_perm_node_t));
+					cpn->tclass = sepol_class->s.value;
+					cpn->data = data;
+					cpn->next = *sepol_class_perms;
+					*sepol_class_perms = cpn;
 				}
-				cpn = cil_malloc(sizeof(class_perm_node_t));
-				cpn->tclass = sepol_class->s.value;
-				cpn->data = data;
-				cpn->next = *sepol_class_perms;
-				*sepol_class_perms = cpn;
 			} else { /* MAP */
 				struct cil_list_item *j = NULL;
 				cil_list_for_each(j, cp->perms) {
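Review bot: the root cause is the early `return SEPOL_OK` in the removed `if (data == 0)` branch, which returned from `__cil_rule_to_sepol_class_perms` as a whole instead of moving on to the next classmapping, so every classmapping listed after an empty one was silently left out of the neverallow check; guarding the node creation with `if (data != 0)` is the right shape, since the function now allocates a `class_perm_node_t` only when there is something to check and otherwise continues. Two small follow-ups: the trailing comment on `if (data != 0) { /* Only add if there are permissions */` would read more consistently on its own line above the condition, as the removed `/* No permissions */` comment was, and a regression test in the CIL test policies with a classmap whose first classmapping resolves to no permissions, followed by one that does, used in a neverallow the policy violates, would pin the fixed behaviour down.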