libsepol: Binary modules do not support ioctl rules.

Prevent writing a binary policy module if the source included an ioctl operation rule because we do not support ioctl operation rules in the binary module format. It doesn't seem worthwhile to introduce a new binary policy module version since CIL is now merged and we will have to implement the support in CIL regardless; might as well only support it in CIL modules. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2024-12-11 13:26:01 +00:00 · 2015-04-24 13:46:09 -04:00 · 2015-04-24 13:46:09 -04:00 · 7c912dbc7c
commit 7c912dbc7c
parent 11f2e159f6
1 changed files with 8 additions and 1 deletions
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@ -1546,6 +1546,12 @@ static int avrule_write(avrule_t * avrule, struct policy_file *fp)
 	uint32_t buf[32], len;
 	class_perm_node_t *cur;

+	if (avrule->specified & AVRULE_OP) {
+		ERR(fp->handle, "module policy does not support ioctl operation"
+				" rules and one was specified");
+		return POLICYDB_ERROR;
+	}
+
 	items = 0;
 	buf[items++] = cpu_to_le32(avrule->specified);
 	buf[items++] = cpu_to_le32(avrule->flags);
@ -1603,7 +1609,8 @@ static int avrule_write_list(avrule_t * avrules, struct policy_file *fp)

 	avrule = avrules;
 	while (avrule) {
-		avrule_write(avrule, fp);
+		if (avrule_write(avrule, fp))
+			return POLICYDB_ERROR;
 		avrule = avrule->next;
 	}