libsepol/cil: Do not add an attribute as a type in the attr_type_map

The attribute to type map is used to get all of the types that are
associated with an attribute. To make neverallow and bounds checking
easier it was convenient to map a type to itself. However, CIL was
wrongly mapping an attribute to itself in addition to the types
associated with it. This caused type bounds checking to fail if the
parent was granted a permission through one attribute while the child
was granted the permission through another attribute.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
James Carter 2016-04-29 13:23:07 -04:00
parent c9ada3e470
commit 74bde7fa16

@ -609,9 +609,11 @@ int __cil_typeattr_bitmap_init(policydb_t *pdb)
rc = SEPOL_ERR;
goto exit;
}
if (ebitmap_set_bit(&pdb->attr_type_map[i], i, 1)) {
rc = SEPOL_ERR;
goto exit;
if (pdb->type_val_to_struct[i] && pdb->type_val_to_struct[i]->flavor != TYPE_ATTRIB) {
if (ebitmap_set_bit(&pdb->attr_type_map[i], i, 1)) {
rc = SEPOL_ERR;
goto exit;
}
}
}
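Review bot: the new guard in `__cil_typeattr_bitmap_init` skips the self-mapping not only when the flavor is `TYPE_ATTRIB` but also whenever `pdb->type_val_to_struct[i]` is NULL, which silently changes the old behaviour for any index without a struct entry; if a NULL entry is not expected at this point it would be safer to treat it as an error (`rc = SEPOL_ERR; goto exit;`) or to add a comment stating why a NULL entry is tolerated and why leaving bit `i` unset is correct for it. A short comment above the `if` explaining that an attribute must not appear in its own `attr_type_map` entry because neverallow and bounds checking expand attributes through that map (the case described in the commit message) would also make the intent clear to the next reader.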