libsepol: fix checkpolicy dontaudit compiler bug

The combining logic for dontaudit rules was wrong, causing
a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p;
rule.

Reported-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley 2016-11-14 10:37:17 -05:00
parent 30ef8d0993
commit 6201bb5e25


@ -1604,7 +1604,8 @@ static int expand_range_trans(expand_state_t * state,
static avtab_ptr_t find_avtab_node(sepol_handle_t * handle,
avtab_t * avtab, avtab_key_t * key,
cond_av_list_t ** cond,
av_extended_perms_t *xperms)
av_extended_perms_t *xperms,
char *alloced)
{
avtab_ptr_t node;
avtab_datum_t avdatum;
@ -1658,6 +1659,11 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * handle,
nl->next = *cond;
*cond = nl;
}
if (alloced)
*alloced = 1;
} else {
if (alloced)
*alloced = 0;
}
return node;
@ -1750,7 +1756,7 @@ static int expand_terule_helper(sepol_handle_t * handle,
return EXPAND_RULE_CONFLICT;
}
node = find_avtab_node(handle, avtab, &avkey, cond, NULL);
node = find_avtab_node(handle, avtab, &avkey, cond, NULL, NULL);
if (!node)
return -1;
if (enabled) {
@ -1790,6 +1796,7 @@ static int expand_avrule_helper(sepol_handle_t * handle,
class_perm_node_t *cur;
uint32_t spec = 0;
unsigned int i;
char alloced;
if (specified & AVRULE_ALLOWED) {
spec = AVTAB_ALLOWED;
@ -1824,7 +1831,8 @@ static int expand_avrule_helper(sepol_handle_t * handle,
avkey.target_class = cur->tclass;
avkey.specified = spec;
node = find_avtab_node(handle, avtab, &avkey, cond, extended_perms);
node = find_avtab_node(handle, avtab, &avkey, cond,
extended_perms, &alloced);
if (!node)
return EXPAND_RULE_ERROR;
if (enabled) {
@ -1850,7 +1858,7 @@ static int expand_avrule_helper(sepol_handle_t * handle,
*/
avdatump->data &= cur->data;
} else if (specified & AVRULE_DONTAUDIT) {
if (avdatump->data)
if (!alloced)
avdatump->data &= ~cur->data;
else
avdatump->data = ~cur->data;
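Review bot: `alloced` is read at `if (!alloced)` here but is declared uninitialized as `char alloced;` in the expand_avrule_helper declarations hunk, so correctness depends on every non-NULL return path of find_avtab_node storing through the pointer; only the final if/else of that function is visible in this commit, and any earlier `return node` path in the cut-off body would leave the flag indeterminate. Initializing it, `char alloced = 0;`, turns that case into the masking path instead of an indeterminate read (on a zeroed fresh node masking would still suppress all auditing for that key, so the initializer is a guard, not a substitute for the out-parameter being set). The reason the fresh-node case must assign rather than mask is the whole bug and deserves a comment above this branch: `/* A new node presumably starts with data == 0, which for dontaudit already means "audit nothing"; seed it with ~cur->data so an existing "dontaudit *" entry (also data == 0) is no longer mistaken for an empty node. */`. Only the dontaudit arm of this else-if chain is visible; expand_avrule_helper continues outside the hunk.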