mirror of
https://github.com/SELinuxProject/selinux
synced 2025-03-04 09:17:40 +00:00
44c359aa05
The following test incorrectly asserts a neverallowxperm failure.
attribute test1_attr1;
attribute test1_attr2;
type test1_type1, test1_attr1, test1_attr2;
allow test1_type1 test1_attr1:socket ioctl;
allowxperm test1_type1 test1_attr2:socket ioctl { 1 };
neverallowxperm test1_attr1 test1_attr1:socket ioctl { 0 }
To handle attributes correctly, the neverallowxperm checking has been
modified. Now when the ioctl permission is granted on an avtab entry
that matches an avrule neverallowxperm entry, the assertion checking
first determines the matching source/target/class sets between the
avtab entry and the neverallowxperm entry. Only the matching sets are
enumerated over to determine if the neverallowed extended permissions
exist and if they are granted. This is similar to how
report_assertion_avtab_matches() reports neverallow failures.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
||
|---|---|---|
| .. | ||
| cil | ||
| include | ||
| man | ||
| src | ||
| tests | ||
| utils | ||
| .gitignore | ||
| Android.mk | ||
| ChangeLog | ||
| COPYING | ||
| Makefile | ||
| VERSION | ||