From f2b5aae4aa70e192a26fbf8f8cb0e621db19a25d Mon Sep 17 00:00:00 2001
From: James Carter
Date: Fri, 9 Jun 2017 10:58:19 -0400
Subject: [PATCH] libsepol: Fix neverallow bug when checking conditional policy

Commit 9e6840e refactored neverallow checking. In the process a bug was introduced that causes enabled conditional rules to be skipped. The bug is that the avtab key is checked by comparing the specified field of the key to the value AVTAB_ALLOWED. Since enabled conditional rules have an additional bit set as well, these rules are not considered to match. The fix is to use a bitwise AND (&) to only check the desired bit.

Signed-off-by: James Carter
---
 libsepol/src/assertion.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index 27c39e76..b08757bf 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -222,7 +222,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
  ebitmap_node_t *snode, *tnode;
  unsigned int i, j;
- if (k->specified != AVTAB_ALLOWED)
+ if ((k->specified & AVTAB_ALLOWED) == 0)
  return 0;
  if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
@@ -471,7 +471,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
  avrule_t *avrule = a->avrule;
  avtab_t *avtab = a->avtab;
- if (k->specified != AVTAB_ALLOWED)
+ if ((k->specified & AVTAB_ALLOWED) == 0)
  goto exit;
  if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
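Review bot: The new mask test in report_assertion_avtab_matches (and the identical one in check_assertion_avtab_match in the second hunk) now matches every avtab entry carrying the AVTAB_ALLOWED bit, which includes conditional rules both with and without the enabled bit, but nothing in the code records why an equality test is wrong here; a comment above the check such as `/* Conditional allow rules carry extra bits (e.g. AVTAB_ENABLED), so test only the AVTAB_ALLOWED bit. Rules in currently-disabled branches are checked as well, since booleans can be toggled at runtime. */` would keep a later maintainer from reverting it to `!=`. If matching disabled-branch rules is not the intended semantics, the mask should be widened instead of the comment being written — please confirm against the neverallow semantics the project documents. Because the original bug silently let neverallow assertions pass while an enabled conditional allow rule violated them, a regression test with a neverallow violated only by a conditional rule seems worth adding alongside this fix. Both enclosing functions start and end outside the hunks.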