Message ID | 20210220190806.22139-1-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | libsepol/cil: handle SID without assigned context when writing policy.conf | expand |
On Sat, Feb 20, 2021 at 2:13 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > CIL permits not assigning a context to a SID, e.g. to an unused initial > SID, e.g. 'any_socket'. > > When using the example policy from the SELinux Notebook, > https://github.com/SELinuxProject/selinux-notebook/blob/main/src/notebook-examples/cil-policy/cil-policy.cil, > secilc logs: > > No context assigned to SID any_socket, omitting from policy at cil-policy.cil:166 > > But secil2conf segfaults when writing the policy.conf: > > ../cil/src/cil_policy.c:274:2: runtime error: member access within null pointer of type 'struct cil_context' > > Only print the assigned context if actually available. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/cil/src/cil_policy.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c > index 30d507f1..863636c7 100644 > --- a/libsepol/cil/src/cil_policy.c > +++ b/libsepol/cil/src/cil_policy.c > @@ -1661,7 +1661,9 @@ static void cil_sid_contexts_to_policy(FILE *out, struct cil_list *sids, int mls > cil_list_for_each(i1, sids) { > sid = i1->data; > fprintf(out, "sid %s ", sid->datum.fqn); > - cil_context_to_policy(out, sid->context, mls); > + if (sid->context) { > + cil_context_to_policy(out, sid->context, mls); > + } > fprintf(out,"\n"); > } > } > -- > 2.30.1 >
diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c index 30d507f1..863636c7 100644 --- a/libsepol/cil/src/cil_policy.c +++ b/libsepol/cil/src/cil_policy.c @@ -1661,7 +1661,9 @@ static void cil_sid_contexts_to_policy(FILE *out, struct cil_list *sids, int mls cil_list_for_each(i1, sids) { sid = i1->data; fprintf(out, "sid %s ", sid->datum.fqn); - cil_context_to_policy(out, sid->context, mls); + if (sid->context) { + cil_context_to_policy(out, sid->context, mls); + } fprintf(out,"\n"); } }
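Review bot: In the cil_sid_contexts_to_policy hunk, guarding only the cil_context_to_policy call still emits `sid any_socket ` (trailing space, no context) for a SID that has no sidcontext, so the generated policy.conf carries a bare sid statement that does not match what secilc does for the same input (it omits the SID, per the warning quoted in the commit message). Consider checking before the fprintf instead, e.g. `if (!sid->context) { continue; }` ahead of `fprintf(out, "sid %s ", sid->datum.fqn);`, so such a SID is skipped entirely and no trailing whitespace is written.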
CIL permits not assigning a context to a SID, e.g. to an unused initial SID, e.g. 'any_socket'.

When using the example policy from the SELinux Notebook,
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/notebook-examples/cil-policy/cil-policy.cil,
secilc logs:

    No context assigned to SID any_socket, omitting from policy at cil-policy.cil:166

But secil2conf segfaults when writing the policy.conf:

    ../cil/src/cil_policy.c:274:2: runtime error: member access within null pointer of type 'struct cil_context'

Only print the assigned context if actually available.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/cil/src/cil_policy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
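A minimal reproducer for the edge case the commit message describes, added here as an example and not taken from the patch or the SELinux Notebook: a self-contained MLS CIL policy in which one initial SID (any_socket) is declared and ordered but never given a sidcontext. All identifiers (user_u, role_r, type_t, kernel_ctx, systemLow, systemHigh) are constructed for this example; the set of statements is what I expect secilc to require for an otherwise valid MLS policy, which is an assumption, not something the page states.

```cil
; Constructed example policy: every statement below is illustrative,
; the names are not from the page or the notebook policy.
(mls true)

(class file (read write open getattr))
(classorder (file))

; Two initial SIDs are declared and ordered ...
(sid kernel)
(sid any_socket)
(sidorder (kernel any_socket))

(user user_u)
(role role_r)
(type type_t)
(roletype role_r type_t)
(userrole user_u role_r)

(sensitivity s0)
(sensitivityorder (s0))
(level systemLow (s0))
(level systemHigh (s0))
(userlevel user_u systemLow)
(userrange user_u (systemLow systemHigh))

(context kernel_ctx (user_u role_r type_t (systemLow systemHigh)))

; ... but only 'kernel' receives a context. 'any_socket' is left
; without a sidcontext on purpose: this is the input on which
; secilc warns that the SID is omitted, and on which secil2conf,
; before the patch above, dereferenced a NULL struct cil_context.
(sidcontext kernel kernel_ctx)
```

Compile it with secilc to see the "No context assigned to SID any_socket" warning from the commit message, then run secil2conf on the same file: an unpatched secil2conf fails in cil_sid_contexts_to_policy, a patched one writes the policy.conf. Inspect the emitted `sid any_socket` line afterwards, since with this patch it is written without a context.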