Message ID | 20210316203943.47733-2-jwcart2@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Series | [1/2] libsepol: Write "NO_IDENTIFIER" for empty constraint expression |
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index 263f9639..d385819e 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -188,7 +188,11 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr if (!names) { names = strdup("NO_IDENTIFIER"); } - new_val = create_str("%s %s %s", 3, attr1, op, names); + if (strchr(names, ' ')) { + new_val = create_str("%s %s { %s }", 3, attr1, op, names); + } else { + new_val = create_str("%s %s %s", 3, attr1, op, names); + } free(names); } } else {
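
Review bot: The new `strchr(names, ' ')` call dereferences `names` without checking that the `strdup("NO_IDENTIFIER")` fallback just above it succeeded, so an allocation failure there becomes a NULL pointer dereference at this line. Check `names` after the `strdup()` and handle the failure before reaching `strchr()`. Two smaller points: the test treats any space in `names` as meaning more than one identifier, which relies on the string being a space-separated list, and a one-line comment saying so would help; and the two `create_str()` calls differ only in the format string, so choosing the format first and calling `create_str()` once would remove the duplicated branch.
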
When writing a policy.conf from a kernel policy, if there are multiple users, roles, or types, then the list needs to be enclosed by "{" and "}".

When writing a constraint expression, check to see if there are multiple identifiers in the names string and enclose the list with "{" and "}" if there are.

Signed-off-by: James Carter <jwcart2@gmail.com>

---

libsepol/src/kernel_to_conf.c | 6 +++++-

1 file changed, 5 insertions(+), 1 deletion(-)