libsepol: do not write empty class definitions

Do not write class definitions for classes without any permission and
any inherited common class.  The classes are already declared in
write_class_decl_rules_to_conf().  Skipping those empty definitions,
which are equal to the corresponding class declarations, will enable to
parse the generated policy conf file with checkpolicy, as checkpolicy
does not accept class declarations after initial sid declarations.

This will enable simple round-trip tests with checkpolicy.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2023-01-05 18:13:39 +01:00 committed by James Carter
parent b32e85cf67
commit 986a3fe27e
1 changed files with 13 additions and 8 deletions

View File

@ -591,17 +591,22 @@ static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb)
class = pdb->class_val_to_struct[i]; class = pdb->class_val_to_struct[i];
if (!class) continue; if (!class) continue;
name = pdb->p_class_val_to_name[i]; name = pdb->p_class_val_to_name[i];
perms = class_or_common_perms_to_str(&class->permissions);
/* Do not write empty classes, their declaration was alreedy
* printed in write_class_decl_rules_to_conf() */
if (perms || class->comkey) {
sepol_printf(out, "class %s", name); sepol_printf(out, "class %s", name);
if (class->comkey) { if (class->comkey) {
sepol_printf(out, " inherits %s", class->comkey); sepol_printf(out, " inherits %s", class->comkey);
} }
perms = class_or_common_perms_to_str(&class->permissions);
if (perms) { if (perms) {
sepol_printf(out, " { %s }", perms); sepol_printf(out, " { %s }", perms);
free(perms); free(perms);
} }
sepol_printf(out, "\n"); sepol_printf(out, "\n");
} }
}
exit: exit:
if (rc != 0) { if (rc != 0) {