libsepol: fix checkpolicy dontaudit compiler bug

The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of: commit 6201bb5e25 ("libsepol: fix checkpolicy dontaudit compiler bug") that avoids the cumbersome pointer assignments on alloced. Reported-by: Nick Kralevich <nnk@google.com> Signed-off-by: William Roberts <william.c.roberts@intel.com>
2025-02-17 01:56:53 +00:00 · 2016-11-15 16:42:23 -08:00 · 2016-11-15 16:42:23 -08:00 · be96f05182
commit be96f05182
parent 5862ac5dfe
1 changed files with 6 additions and 4 deletions
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@ -1640,6 +1640,11 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * handle,

 	if (!node) {
 		memset(&avdatum, 0, sizeof avdatum);
+		/*
+		 * AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for
+		 * others. Initialize the data accordingly.
+		 */
+		avdatum.data = key->specified == AVTAB_AUDITDENY ? ~0 : 0;
 		/* this is used to get the node - insertion is actually unique */
 		node = avtab_insert_nonunique(avtab, key, &avdatum);
 		if (!node) {
@ -1850,10 +1855,7 @@ static int expand_avrule_helper(sepol_handle_t * handle,
 			 */
 			avdatump->data &= cur->data;
 		} else if (specified & AVRULE_DONTAUDIT) {
-			if (avdatump->data)
-				avdatump->data &= ~cur->data;
-			else
-				avdatump->data = ~cur->data;
+			avdatump->data &= ~cur->data;
 		} else if (specified & AVRULE_XPERMS) {
 			xperms = avdatump->xperms;
 			if (!xperms) {