* [PATCH 1/2] libsepol/cil: Don't add constraint if there are no permissions
From: James Carter @ 2022-02-11 18:46 UTC
To: selinux; +Cc: James Carter
Since CIL allows permission expressions, it is possible for the
expression to evaluate to no permissions. If this is the case,
then don't add the constraint.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_binary.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 4ac8ce8d..468fb595 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -2823,6 +2823,12 @@ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, s
goto exit;
}
+ if (sepol_constrain->permissions == 0) {
+ /* No permissions, so don't insert rule. */
+ free(sepol_constrain);
+ return SEPOL_OK;
+ }
+
rc = __cil_constrain_expr_to_sepol_expr(pdb, db, expr, &sepol_expr);
if (rc != SEPOL_OK) {
goto exit;
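Review bot: the new `permissions == 0` branch drops the constraint silently, so a policy author whose permission expression reduced to nothing (CIL `and`, `not` and `xor` over permission sets can all produce an empty set) gets no indication that the rule they wrote will never be enforced; a `cil_log(CIL_WARN, ...)` naming the class before the `free(sepol_constrain)` would surface that at compile time. Dropping the rule is safe as far as the resulting policy goes: a constraint only ever narrows the permissions it lists, so one with an empty mask can never deny anything, and the binary without it is no more permissive than one that carried it. Minor: the visible error paths in this function go through `goto exit`, so `rc = SEPOL_OK; goto exit;` would keep cleanup on a single path, provided the `exit` label also frees `sepol_constrain` on that route.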
--
2.34.1
* [PATCH 2/2] libsepol: Don't write out constraint if it has no permissions
From: James Carter @ 2022-02-11 18:46 UTC
To: selinux; +Cc: James Carter
When writing a conf file or CIL policy out from a kernel binary,
do not write out a constraint rule if it has no permissions.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/src/kernel_to_cil.c | 3 +++
libsepol/src/kernel_to_conf.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 693206d2..869f6940 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -282,6 +282,9 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
struct strs *strs;
for (curr = constraint_rules; curr != NULL; curr = curr->next) {
+ if (curr->permissions == 0) {
+ continue;
+ }
expr = constraint_expr_to_str(pdb, curr->expr, &is_mls);
if (!expr) {
rc = -1;
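Review bot: the `continue` at the new check elides the rule with no trace, which is the right outcome (a `constrain` with an empty permission list is not expressible in CIL syntax, and the rule has no effect anyway) but it means a binary-to-CIL-to-binary round trip no longer preserves the constraint count for such policies; a short comment at the check, or a sentence in the commit message saying the skipped rule is a no-op, would save the next reader from treating the missing constraint as a converter bug. Placing the check ahead of `constraint_expr_to_str` is the correct order, since it avoids building and then freeing an expression string for a rule that will not be emitted.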
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 52b6c60f..3544f73d 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -277,6 +277,9 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
int rc = 0;
for (curr = constraint_rules; curr != NULL; curr = curr->next) {
+ if (curr->permissions == 0) {
+ continue;
+ }
expr = constraint_expr_to_str(pdb, curr->expr, &is_mls);
if (!expr) {
rc = -1;
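Review bot: this mirrors the kernel_to_cil.c check exactly, so the two writers stay in agreement, but the predicate is now duplicated in two files; a one-line helper (a name like `constraint_has_no_perms(curr)` is only a suggestion) in a shared header would keep a future adjustment, for example also skipping rules whose `expr` is NULL, from landing in one writer and not the other. The filter is correctly scoped to `class_constraint_rules_to_strs`; it should not be copied into the validatetrans writer, where constraint nodes carry no permission mask and the same test would discard every rule.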
--
2.34.1
* Re: [PATCH 1/2] libsepol/cil: Don't add constraint if there are no permissions
From: James Carter @ 2022-03-11 16:05 UTC
To: SElinux list
On Fri, Feb 11, 2022 at 1:47 PM James Carter <jwcart2@gmail.com> wrote:
>
> Since CIL allows permission expressions, it is possible for the
> expression to evaluate to no permissions. If this is the case,
> then don't add the constraint.
>
> Signed-off-by: James Carter <jwcart2@gmail.com>
These two patches have been merged.
Jim