From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Cc: James Carter <jwcart2@gmail.com>
Subject: [RFC PATCH v3 5/5] libsepol: pass avtab to report function
Date: Sat, 4 Dec 2021 11:35:16 +0100 [thread overview]
Message-ID: <20211204103516.17375-5-cgzones@googlemail.com> (raw)
In-Reply-To: <20211204103516.17375-1-cgzones@googlemail.com>
Populate the avtab member before passing as argument to the report
function. Without the avtab avtab_search_node() is unable to find
allowxperm rules and this results in false-positive reports, e.g. on:
allow TATTR1 TATTR1 : CLASS1 ioctl;
allowxperm TATTR1 TATTR1 : CLASS1 ioctl 0x9501;
neverallowxperm TYPE1 ~self : CLASS1 0x9501;
Reported-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libsepol/src/assertion.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index 4600be41..a0eebb93 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -304,10 +304,12 @@ static int report_assertion_failures(sepol_handle_t *handle, policydb_t *p, avru
args.avrule = avrule;
args.errors = 0;
+ args.avtab = &p->te_avtab;
rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args);
if (rc)
goto oom;
+ args.avtab = &p->te_cond_avtab;
rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args);
if (rc)
goto oom;
--
2.34.1
next prev parent reply other threads:[~2021-12-04 10:35 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-23 19:07 [RFC PATCH 1/3] libsepol: introduce ebitmap_subtract() Christian Göttsche
2021-11-23 19:07 ` [RFC PATCH 2/3] libsepol: add not-self neverallow support Christian Göttsche
2021-11-23 19:07 ` [RFC PATCH 3/3] checkpolicy: " Christian Göttsche
2021-11-24 19:08 ` [RFC PATCH v2 1/4] libsepol: introduce ebitmap_subtract() Christian Göttsche
2021-11-24 19:08 ` [RFC PATCH v2 2/4] libsepol: add not-self neverallow support Christian Göttsche
2021-12-03 22:06 ` James Carter
2021-11-24 19:08 ` [RFC PATCH v2 3/4] checkpolicy: " Christian Göttsche
2021-12-03 21:56 ` James Carter
2021-12-04 10:45 ` Christian Göttsche
2021-11-24 19:08 ` [RFC PATCH v2 4/4] libsepol: free ebitmap on end of function Christian Göttsche
2021-11-29 17:48 ` [RFC PATCH v2 1/4] libsepol: introduce ebitmap_subtract() James Carter
2021-11-30 11:12 ` Christian Göttsche
2021-11-30 15:35 ` James Carter
2021-12-04 10:35 ` [RFC PATCH v3 1/5] libsepol: introduce ebitmap_relative_complement() Christian Göttsche
2021-12-04 10:35 ` [RFC PATCH v3 2/5] libsepol: add not-self neverallow support Christian Göttsche
2021-12-04 10:35 ` [RFC PATCH v3 3/5] checkpolicy: " Christian Göttsche
2021-12-04 10:35 ` [RFC PATCH v3 4/5] libsepol: free ebitmap on end of function Christian Göttsche
2021-12-04 10:35 ` Christian Göttsche [this message]
2021-12-06 18:25 ` [RFC PATCH v3 5/5] libsepol: pass avtab to report function James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211204103516.17375-5-cgzones@googlemail.com \
--to=cgzones@googlemail.com \
--cc=jwcart2@gmail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.