From a152653b9a43fe2c776d239efc2d46d336555bc8 Mon Sep 17 00:00:00 2001
From: James Carter
Date: Tue, 15 Sep 2020 14:48:06 -0400
Subject: [PATCH] libsepol/cil: Fix neverallow checking involving classmaps

When classmaps used in a neverallow were being expanded during CIL neverallow checking, an empty classmapping in the list of classmappings for a classmap would cause the classmap expansion to stop and the rest of the classmapping of the classmap to be ignored. This would mean that not all of the classes and permissions associated with the classmap would be used to check for a neverallow violation.

Do not end the expansion of a classmap when one classmapping is empty.

Reported-by: Jonathan Hettwer
Signed-off-by: James Carter
Acked-by: Stephen Smalley
---
 libsepol/cil/src/cil_binary.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 50cc7f757c62..36720eda4549 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4363,15 +4363,13 @@ static int __cil_rule_to_sepol_class_perms(policydb_t *pdb, struct cil_list *cla
 				rc = __cil_perms_to_datum(cp->perms, sepol_class, &data);
 				if (rc != SEPOL_OK) goto exit;
-				if (data == 0) {
-					/* No permissions */
-					return SEPOL_OK;
+				if (data != 0) { /* Only add if there are permissions */
+					cpn = cil_malloc(sizeof(class_perm_node_t));
+					cpn->tclass = sepol_class->s.value;
+					cpn->data = data;
+					cpn->next = *sepol_class_perms;
+					*sepol_class_perms = cpn;
 				}
-				cpn = cil_malloc(sizeof(class_perm_node_t));
-				cpn->tclass = sepol_class->s.value;
-				cpn->data = data;
-				cpn->next = *sepol_class_perms;
-				*sepol_class_perms = cpn;
 			} else { /* MAP */
 				struct cil_list_item *j = NULL;
 				cil_list_for_each(j, cp->perms) {
-- 
2.29.0.rc2
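Review bot: The trailing comment on the new `if (data != 0)` line undersells why the early `return SEPOL_OK` was wrong: this function feeds neverallow enforcement, and returning early silently dropped every remaining classperms entry (and, via the recursive call from the MAP branch below, the remaining classmappings of a classmap), so a violation could go unreported. A comment that records the invariant would keep the next refactor from reintroducing it, e.g. `/* An empty permission set contributes nothing to the check; keep scanning the remaining classperms rather than returning early, or later entries are never checked. */`. As a style point, `cpn = cil_malloc(sizeof *cpn);` ties the allocation size to the variable's type rather than repeating `class_perm_node_t`. The enclosing `__cil_rule_to_sepol_class_perms` starts and ends outside the hunk, including the `exit:` label the `goto` targets.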