All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/2] libsepol/cil: Don't add constraint if there are no permissions
@ 2022-02-11 18:46 James Carter
  2022-02-11 18:46 ` [PATCH 2/2] libsepol: Don't write out constraint if it has " James Carter
  2022-03-11 16:05 ` [PATCH 1/2] libsepol/cil: Don't add constraint if there are " James Carter
  0 siblings, 2 replies; 3+ messages in thread
From: James Carter @ 2022-02-11 18:46 UTC (permalink / raw)
  To: selinux; +Cc: James Carter

Since CIL allows permission expressions, it is possible for the
expression to evaluate to no permissions. If this is the case,
then don't add the constraint.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/cil/src/cil_binary.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 4ac8ce8d..468fb595 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -2823,6 +2823,12 @@ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, s
 		goto exit;
 	}
 
+	if (sepol_constrain->permissions == 0) {
+		/* No permissions, so don't insert rule. */
+		free(sepol_constrain);
+		return SEPOL_OK;
+	}
+
 	rc = __cil_constrain_expr_to_sepol_expr(pdb, db, expr, &sepol_expr);
 	if (rc != SEPOL_OK) {
 		goto exit;
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [PATCH 2/2] libsepol: Don't write out constraint if it has no permissions
  2022-02-11 18:46 [PATCH 1/2] libsepol/cil: Don't add constraint if there are no permissions James Carter
@ 2022-02-11 18:46 ` James Carter
  2022-03-11 16:05 ` [PATCH 1/2] libsepol/cil: Don't add constraint if there are " James Carter
  1 sibling, 0 replies; 3+ messages in thread
From: James Carter @ 2022-02-11 18:46 UTC (permalink / raw)
  To: selinux; +Cc: James Carter

When writing a conf file or CIL policy out from a kernel binary,
do not write out a constraint rule if it has no permissions.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_cil.c  | 3 +++
 libsepol/src/kernel_to_conf.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 693206d2..869f6940 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -282,6 +282,9 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
 	struct strs *strs;
 
 	for (curr = constraint_rules; curr != NULL; curr = curr->next) {
+		if (curr->permissions == 0) {
+			continue;
+		}
 		expr = constraint_expr_to_str(pdb, curr->expr, &is_mls);
 		if (!expr) {
 			rc = -1;
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 52b6c60f..3544f73d 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -277,6 +277,9 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
 	int rc = 0;
 
 	for (curr = constraint_rules; curr != NULL; curr = curr->next) {
+		if (curr->permissions == 0) {
+			continue;
+		}
 		expr = constraint_expr_to_str(pdb, curr->expr, &is_mls);
 		if (!expr) {
 			rc = -1;
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH 1/2] libsepol/cil: Don't add constraint if there are no permissions
  2022-02-11 18:46 [PATCH 1/2] libsepol/cil: Don't add constraint if there are no permissions James Carter
  2022-02-11 18:46 ` [PATCH 2/2] libsepol: Don't write out constraint if it has " James Carter
@ 2022-03-11 16:05 ` James Carter
  1 sibling, 0 replies; 3+ messages in thread
From: James Carter @ 2022-03-11 16:05 UTC (permalink / raw)
  To: SElinux list

On Fri, Feb 11, 2022 at 1:47 PM James Carter <jwcart2@gmail.com> wrote:
>
> Since CIL allows permission expressions, it is possible for the
> expression to evaluate to no permissions. If this is the case,
> then don't add the constraint.
>
> Signed-off-by: James Carter <jwcart2@gmail.com>

These two patches have been merged.
Jim

> ---
>  libsepol/cil/src/cil_binary.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index 4ac8ce8d..468fb595 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -2823,6 +2823,12 @@ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, s
>                 goto exit;
>         }
>
> +       if (sepol_constrain->permissions == 0) {
> +               /* No permissions, so don't insert rule. */
> +               free(sepol_constrain);
> +               return SEPOL_OK;
> +       }
> +
>         rc = __cil_constrain_expr_to_sepol_expr(pdb, db, expr, &sepol_expr);
>         if (rc != SEPOL_OK) {
>                 goto exit;
> --
> 2.34.1
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-03-11 16:06 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-11 18:46 [PATCH 1/2] libsepol/cil: Don't add constraint if there are no permissions James Carter
2022-02-11 18:46 ` [PATCH 2/2] libsepol: Don't write out constraint if it has " James Carter
2022-03-11 16:05 ` [PATCH 1/2] libsepol/cil: Don't add constraint if there are " James Carter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.