libsepol: fix xperm mapping between avrule and avtab

Commit 915fa8f08f moves the xperm specified value directly from avrule to avtab. The mapping between them is currently the same, but may not always be. Instead these values should be mapped using values defined in av_extended_perms_t and avtab_extended_perms_t. Fixes: 915fa8f08f ("checkpolicy: switch operations to extended perms") Change-Id: Ic9f4031c9381b2ff6cc46043fb1602758ef4c224 Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2025-03-05 17:57:34 +00:00 · 2016-09-29 09:38:25 -07:00 · 2016-09-29 09:38:25 -07:00 · 6ccfa46ad4
commit 6ccfa46ad4
parent 202fd6ed5d
1 changed files with 16 additions and 5 deletions
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@ -1855,20 +1855,31 @@ static int expand_avrule_helper(sepol_handle_t * handle,
 			else
 				avdatump->data = ~cur->data;
 		} else if (specified & AVRULE_XPERMS) {
-			if (!avdatump->xperms) {
+			xperms = avdatump->xperms;
+			if (!xperms) {
 				xperms = (avtab_extended_perms_t *)
 					calloc(1, sizeof(avtab_extended_perms_t));
 				if (!xperms) {
 					ERR(handle, "Out of memory!");
 					return -1;
 				}
-				node->datum.xperms = xperms;
+				avdatump->xperms = xperms;
 			}
-			node->datum.xperms->specified = extended_perms->specified;
-			node->datum.xperms->driver = extended_perms->driver;

+			switch (extended_perms->specified) {
+			case AVRULE_XPERMS_IOCTLFUNCTION:
+				xperms->specified = AVTAB_XPERMS_IOCTLFUNCTION;
+				break;
+			case AVRULE_XPERMS_IOCTLDRIVER:
+				xperms->specified = AVTAB_XPERMS_IOCTLDRIVER;
+				break;
+			default:
+				return -1;
+			}
+
+			xperms->driver = extended_perms->driver;
 			for (i = 0; i < ARRAY_SIZE(xperms->perms); i++)
-				node->datum.xperms->perms[i] |= extended_perms->perms[i];
+				xperms->perms[i] |= extended_perms->perms[i];
 		} else {
 			assert(0);	/* should never occur */
 		}