libsepol: fix neverallow checking on attributes
Ole Kliemann reported that allow rules written using type attributes were not being detected by neverallow assertions in the policy. I think that this was broken in policy.24 and later due to changes in the type datum. Fix the expand logic to correctly distinguish type attributes from types. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
parent
f6b82ec701
commit
4a33c78ca5
|
@ -3106,12 +3106,12 @@ static int expand_avtab_node(avtab_key_t * k, avtab_datum_t * d, void *args)
|
||||||
newkey.target_class = k->target_class;
|
newkey.target_class = k->target_class;
|
||||||
newkey.specified = k->specified;
|
newkey.specified = k->specified;
|
||||||
|
|
||||||
if (stype && ttype) {
|
if (stype->flavor != TYPE_ATTRIB && ttype->flavor != TYPE_ATTRIB) {
|
||||||
/* Both are individual types, no expansion required. */
|
/* Both are individual types, no expansion required. */
|
||||||
return expand_avtab_insert(expa, k, d);
|
return expand_avtab_insert(expa, k, d);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (stype) {
|
if (stype->flavor != TYPE_ATTRIB) {
|
||||||
/* Source is an individual type, target is an attribute. */
|
/* Source is an individual type, target is an attribute. */
|
||||||
newkey.source_type = k->source_type;
|
newkey.source_type = k->source_type;
|
||||||
ebitmap_for_each_bit(tattr, tnode, j) {
|
ebitmap_for_each_bit(tattr, tnode, j) {
|
||||||
|
@ -3125,7 +3125,7 @@ static int expand_avtab_node(avtab_key_t * k, avtab_datum_t * d, void *args)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ttype) {
|
if (ttype->flavor != TYPE_ATTRIB) {
|
||||||
/* Target is an individual type, source is an attribute. */
|
/* Target is an individual type, source is an attribute. */
|
||||||
newkey.target_type = k->target_type;
|
newkey.target_type = k->target_type;
|
||||||
ebitmap_for_each_bit(sattr, snode, i) {
|
ebitmap_for_each_bit(sattr, snode, i) {
|
||||||
|
@ -3236,12 +3236,12 @@ int expand_cond_av_node(policydb_t * p,
|
||||||
newkey.target_class = k->target_class;
|
newkey.target_class = k->target_class;
|
||||||
newkey.specified = k->specified;
|
newkey.specified = k->specified;
|
||||||
|
|
||||||
if (stype && ttype) {
|
if (stype->flavor != TYPE_ATTRIB && ttype->flavor != TYPE_ATTRIB) {
|
||||||
/* Both are individual types, no expansion required. */
|
/* Both are individual types, no expansion required. */
|
||||||
return expand_cond_insert(newl, expa, k, d);
|
return expand_cond_insert(newl, expa, k, d);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (stype) {
|
if (stype->flavor != TYPE_ATTRIB) {
|
||||||
/* Source is an individual type, target is an attribute. */
|
/* Source is an individual type, target is an attribute. */
|
||||||
newkey.source_type = k->source_type;
|
newkey.source_type = k->source_type;
|
||||||
ebitmap_for_each_bit(tattr, tnode, j) {
|
ebitmap_for_each_bit(tattr, tnode, j) {
|
||||||
|
@ -3255,7 +3255,7 @@ int expand_cond_av_node(policydb_t * p,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ttype) {
|
if (ttype->flavor != TYPE_ATTRIB) {
|
||||||
/* Target is an individual type, source is an attribute. */
|
/* Target is an individual type, source is an attribute. */
|
||||||
newkey.target_type = k->target_type;
|
newkey.target_type = k->target_type;
|
||||||
ebitmap_for_each_bit(sattr, snode, i) {
|
ebitmap_for_each_bit(sattr, snode, i) {
|
||||||
|
|
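Review bot: The new test in the first hunk, `if (stype->flavor != TYPE_ATTRIB && ttype->flavor != TYPE_ATTRIB)`, dereferences both pointers unconditionally where the old code tested `stype && ttype` for NULL, and the same applies to the `if (stype->flavor != TYPE_ATTRIB)` and `if (ttype->flavor != TYPE_ATTRIB)` branches and to the matching hunks in expand_cond_av_node. Whether that is safe depends on the lookups that populate stype and ttype, which are outside the hunks: if every type and attribute value now has a datum, the old NULL test was dead and the new test is the correct discriminator, but if a NULL entry is still possible this becomes a crash during expansion, i.e. exactly when neverallow assertions are checked. A one-line comment above the first test would make the invariant explicit: `/* Every type and attribute value has a datum; distinguish them by flavor, not by NULL. */`. Since this bug let attribute-based allow rules escape neverallow assertions, a regression test policy pairing such an allow rule with a neverallow that must reject it would keep the check from silently regressing again. Both enclosing functions start and end outside the hunks shown.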