RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libsepol: Fix neverallow bug when checking conditional policy 

Commit 9e6840e refactored neverallow checking. In the process a bug
was introduced that causes enabled conditional rules to be skipped.
The bug is that the avtab key is checked by comparing the specified
field of the key to the value AVTAB_ALLOWED. Since enabled conditional
rules have an additional bit set as well, these rules are not
considered to match.

The fix is to use a bitwise AND (&) to only check the desired bit.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This commit is contained in:
James Carter 2017-06-09 10:58:19 -04:00
parent 9ddfb4d544
commit f2b5aae4aa
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libsepol/src/assertion.c
View File

@ -222,7 +222,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
ebitmap_node_t *snode, *tnode; ebitmap_node_t *snode, *tnode;
unsigned int i, j; unsigned int i, j;
if (k->specified != AVTAB_ALLOWED) if ((k->specified & AVTAB_ALLOWED) == 0)
return 0; return 0;
if (!match_any_class_permissions(avrule->perms, k->target_class, d->data)) if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
@ -471,7 +471,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
avrule_t *avrule = a->avrule; avrule_t *avrule = a->avrule;
avtab_t *avtab = a->avtab; avtab_t *avtab = a->avtab;
if (k->specified != AVTAB_ALLOWED) if ((k->specified & AVTAB_ALLOWED) == 0)
goto exit; goto exit;
if (!match_any_class_permissions(avrule->perms, k->target_class, d->data)) if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))