
[2/2] libsepol: Don't write out constraint if it has no permissions

Message ID 20220211184650.535016-2-jwcart2@gmail.com (mailing list archive)
State Accepted
Commit 29e610f97a48

Commit Message

James Carter Feb. 11, 2022, 6:46 p.m. UTC
When writing a conf file or CIL policy out from a kernel binary,
do not write out a constraint rule if it has no permissions.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_cil.c  | 3 +++
 libsepol/src/kernel_to_conf.c | 3 +++
 2 files changed, 6 insertions(+)

Patch

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 693206d2..869f6940 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -282,6 +282,9 @@  static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
 	struct strs *strs;
 
 	for (curr = constraint_rules; curr != NULL; curr = curr->next) {
+		if (curr->permissions == 0) {
+			continue;
+		}
 		expr = constraint_expr_to_str(pdb, curr->expr, &is_mls);
 		if (!expr) {
 			rc = -1;
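Review bot: The new `continue` drops a constraint silently, and nothing in the hunk records why a kernel binary can contain a rule whose `permissions` field is 0 or why omitting it is safe; the same applies to the identical guard in kernel_to_conf.c. A short comment above the check would keep the next maintainer from "fixing" it, e.g. `/* A constraint with no permissions never applies to any access check, and neither the conf nor CIL syntax can express one, so skip it rather than emit a rule that does not round-trip. */`. Placing the guard before the constraint_expr_to_str() call is the right order, since it avoids allocating `expr` for a rule that is then discarded. The enclosing loop and class_constraint_rules_to_strs() continue past the end of the hunk, so whether any caller counts the rules written could not be checked here.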
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 52b6c60f..3544f73d 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -277,6 +277,9 @@  static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
 	int rc = 0;
 
 	for (curr = constraint_rules; curr != NULL; curr = curr->next) {
+		if (curr->permissions == 0) {
+			continue;
+		}
 		expr = constraint_expr_to_str(pdb, curr->expr, &is_mls);
 		if (!expr) {
 			rc = -1;