RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-02-22 12:36:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

libsepol: Make use of previously created ebitmap when checking self

Browse Source 
In both check_assertion_extended_permissions() and
report_assertion_avtab_matches(), when checking for a match involving
a rule using self, the matches between the source and target of the
rule being checked are found using ebitmap_and() and then the matches
between that result and the source of the neverallow are found using
another ebitmap_and() call.

Since the matches between the sources of the rule being checked and
the neverallow have already been found, just find the matches between
that result and the target of the rule being checked. This only
requires one call to ebitmap_and() instead of two.

Signed-off-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
James Carter 2022-01-11 12:42:00 -05:00
parent cfdf4ec289
commit 3b71e51637
1 changed files with 5 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
libsepol/src/assertion.c
View File

@ -214,7 +214,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
avrule_t *avrule = a->avrule;
class_perm_node_t *cp;
uint32_t perms;
ebitmap_t src_matches, tgt_matches, self_matches, matches;
ebitmap_t src_matches, tgt_matches, self_matches;
ebitmap_node_t *snode, *tnode;
unsigned int i, j;
@ -227,7 +227,6 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
ebitmap_init(&src_matches);
ebitmap_init(&tgt_matches);
ebitmap_init(&self_matches);
ebitmap_init(&matches);
rc = ebitmap_and(&src_matches, &avrule->stypes.types,
&p->attr_type_map[k->source_type - 1]);
@ -242,10 +241,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
goto oom;
if (avrule->flags == RULE_SELF) {
rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]);
if (rc < 0)
goto oom;
rc = ebitmap_and(&self_matches, &avrule->stypes.types, &matches);
rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]);
if (rc < 0)
goto oom;
@ -284,7 +280,6 @@ exit:
ebitmap_destroy(&src_matches);
ebitmap_destroy(&tgt_matches);
ebitmap_destroy(&self_matches);
ebitmap_destroy(&matches);
return rc;
}
@ -374,7 +369,7 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t
static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
avtab_key_t *k, policydb_t *p)
{
ebitmap_t src_matches, tgt_matches, self_matches, matches;
ebitmap_t src_matches, tgt_matches, self_matches;
unsigned int i, j;
ebitmap_node_t *snode, *tnode;
int rc;
@ -382,7 +377,6 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
ebitmap_init(&src_matches);
ebitmap_init(&tgt_matches);
ebitmap_init(&self_matches);
ebitmap_init(&matches);
rc = ebitmap_and(&src_matches, &avrule->stypes.types,
&p->attr_type_map[k->source_type - 1]);
@ -400,11 +394,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
goto oom;
if (avrule->flags == RULE_SELF) {
rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1],
&p->attr_type_map[k->target_type - 1]);
if (rc < 0)
goto oom;
rc = ebitmap_and(&self_matches, &avrule->stypes.types, &matches);
rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]);
if (rc < 0)
goto oom;
@ -435,7 +425,7 @@ oom:
exit:
ebitmap_destroy(&src_matches);
ebitmap_destroy(&tgt_matches);
ebitmap_destroy(&matches);
ebitmap_destroy(&self_matches);
return rc;
}