libsepol: Set args avtab pointer when reporting assertion violations
The changes are the same as in a patch sent by Christian Göttsche <cgzones@googlemail.com> to support adding not-self to neverallowxperm checking, but it is needed for normal neverallowxperm checking as well and the following explanation reflects that.

When reporting neverallowxperm violations, the avtab is searched to find the rule that violates the assertion. If the avtab pointer of the args is not set, then it will report the error as if no extended permissions existed for the source and target (so allowing the ioctl permission at all violates the neverallowxperm).

Example (where t1 has attribute attr):

  allow attr attr:CLASS ioctl;
  allowxperm attr attr:CLASS ioctl 0x9411;
  neverallowxperm t1 self:CLASS ioctl 0x9411;

Would be reported as:

  neverallowxperm on line 3 of policy.conf (or line 3 of policy.conf) violated by
  allow t1 t1:CLASS { ioctl };

Instead of:

  neverallowxperm on line 3 of policy.conf (or line 3 of policy.conf) violated by
  allowxperm attr attr:CLASS ioctl { 0x9411 };

Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
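To make the reporting difference concrete, here is a small constructed model of the check described above (added example, not libsepol code): the `xperm_table` argument plays the role of `args.avtab`, and passing `None` models the unset pointer. Rule layout, the `Rule` class and `report_violations` are assumptions of this model; the policy data is the example from the commit message.

```python
from dataclasses import dataclass

# Constructed policy fragment (not libsepol code): type t1 carries attribute attr.
ATTRIBUTES = {"attr": {"t1"}}

def expand(name):
    """Expand an attribute to its member types; a plain type maps to itself."""
    return ATTRIBUTES.get(name, {name})

@dataclass(frozen=True)
class Rule:
    kind: str         # "allow" or "allowxperm"
    src: str
    tgt: str
    cls: str
    perms: frozenset  # permission names for allow, ioctl numbers for allowxperm

    def __str__(self):
        if self.kind == "allow":
            body = "{ " + " ".join(sorted(self.perms)) + " }"
        else:
            body = "ioctl { " + " ".join(f"0x{x:04x}" for x in sorted(self.perms)) + " }"
        return f"{self.kind} {self.src} {self.tgt}:{self.cls} {body};"

def matches(rule, s, t, cls):
    return s in expand(rule.src) and t in expand(rule.tgt) and rule.cls == cls

def report_violations(avtab, assertion, xperm_table):
    """Rules reported for a neverallowxperm (src, tgt, cls, xperms); xperm_table ~ args.avtab."""
    src, tgt, cls, xperms = assertion
    reported = []
    for s in expand(src):
        for t in ({s} if tgt == "self" else expand(tgt)):
            for allow in avtab:
                if allow.kind != "allow" or "ioctl" not in allow.perms or not matches(allow, s, t, cls):
                    continue
                # Search the table (if we have one) for allowxperm rules covering (s, t, cls).
                xrules = [r for r in (xperm_table or []) if r.kind == "allowxperm" and matches(r, s, t, cls)]
                if not xrules:
                    # No extended permissions found: the plain allow grants every ioctl.
                    reported.append(f"allow {s} {t}:{cls} {{ ioctl }};")
                else:
                    reported.extend(str(r) for r in xrules if r.perms & xperms)
    return list(dict.fromkeys(reported))

# The example from the commit message, as constructed data.
POLICY = [
    Rule("allow", "attr", "attr", "CLASS", frozenset({"ioctl"})),
    Rule("allowxperm", "attr", "attr", "CLASS", frozenset({0x9411})),
]
NEVERALLOWXPERM = ("t1", "self", "CLASS", frozenset({0x9411}))
```

`report_violations(POLICY, NEVERALLOWXPERM, POLICY)` names the allowxperm rule, while passing `None` as the table reproduces the misleading `allow t1 t1:CLASS { ioctl };` report.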
parent fb3a383f42
commit 931380ca2e
@ -292,10 +292,12 @@ static int report_assertion_failures(sepol_handle_t *handle, policydb_t *p, avru
args.avrule = avrule;
args.errors = 0;
args.avtab = &p->te_avtab;
rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args);
if (rc < 0)
goto oom;
args.avtab = &p->te_cond_avtab;
rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args);
if (rc < 0)
goto oom;
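Review bot: the pairing of args.avtab with the table handed to avtab_map is an invariant the callback relies on, but nothing in the hunk states it; consider a one-line comment above the first `args.avtab = &p->te_avtab;` saying that report_assertion_avtab_matches searches args.avtab for the matching xperm rules, so any further avtab_map call over another table must reset it the same way the te_cond_avtab block does.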