libsepol: Move check of target types to before check for self

If a neverallow has target types as well as using self and a match
is found with the target types, then self does not even need to
be checked, since the rule is already in violation of the assertion.

So move the check for a match of the target types before dealing with
self.

Signed-off-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
James Carter 2022-01-11 12:39:28 -05:00
parent a9d5688031
commit d4456cb4b9
1 changed files with 19 additions and 17 deletions


@ -457,26 +457,28 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
if (!ebitmap_match_any(&avrule->stypes.types, &p->attr_type_map[k->source_type - 1]))
goto nomatch;
if (avrule->flags == RULE_SELF) {
/* If the neverallow uses SELF, then it is not enough that the
* neverallow's source matches the src and tgt of the rule being checked.
* It must match the same thing in the src and tgt, so AND the source
* and target together and check for a match on the result.
*/
ebitmap_t match;
rc = ebitmap_and(&match, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1] );
if (rc) {
ebitmap_destroy(&match);
goto oom;
}
rc2 = ebitmap_match_any(&avrule->stypes.types, &match);
ebitmap_destroy(&match);
}
/* neverallow may have tgts even if it uses SELF */
if (!ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1])) {
if (rc2 == 0)
if (avrule->flags == RULE_SELF) {
/* If the neverallow uses SELF, then it is not enough that the
* neverallow's source matches the src and tgt of the rule being checked.
* It must match the same thing in the src and tgt, so AND the source
* and target together and check for a match on the result.
*/
ebitmap_t match;
rc = ebitmap_and(&match, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1] );
if (rc) {
ebitmap_destroy(&match);
goto oom;
}
if (!ebitmap_match_any(&avrule->stypes.types, &match)) {
ebitmap_destroy(&match);
goto nomatch;
}
ebitmap_destroy(&match);
} else {
goto nomatch;
}
}
if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
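Review bot: The new RULE_SELF branch releases `match` on three separate paths (the oom path, the nomatch path inside the inner ebitmap_match_any check, and the fall-through after it), which is the kind of layout where a later-added exit silently leaks the bitmap. Since rc2 previously held exactly this result, the branch is simpler and has a single release point if it is written as `rc2 = ebitmap_match_any(&avrule->stypes.types, &match); ebitmap_destroy(&match); if (!rc2) goto nomatch;`. If instead rc2 has no remaining use in the function after this change, its declaration, which lies outside the hunk, is now dead and would be worth dropping to keep the build warning-free. check_assertion_avtab_match begins before the hunk and continues after it.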