libsepol/0005-libsepol-cil-Fix-neverallow-checking-involving-class.patch

From a152653b9a43fe2c776d239efc2d46d336555bc8 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 15 Sep 2020 14:48:06 -0400
Subject: [PATCH] libsepol/cil: Fix neverallow checking involving classmaps

When classmaps used in a neverallow were being expanded during CIL
neverallow checking, an empty classmapping in the list of
classmappings for a classmap would cause the classmap expansion to
stop and the rest of the classmapping of the classmap to be ignored.
This would mean that not all of the classes and permissions associated
with the classmap would be used to check for a neverallow violation.

Do not end the expansion of a classmap when one classmapping is empty.

Reported-by: Jonathan Hettwer <j2468h@gmail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 libsepol/cil/src/cil_binary.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 50cc7f757c62..36720eda4549 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4363,15 +4363,13 @@ static int __cil_rule_to_sepol_class_perms(policydb_t *pdb, struct cil_list *cla
 
 				rc = __cil_perms_to_datum(cp->perms, sepol_class, &data);
 				if (rc != SEPOL_OK) goto exit;
-				if (data == 0) {
-					/* No permissions */
-					return SEPOL_OK;
+				if (data != 0) { /* Only add if there are permissions */
+					cpn = cil_malloc(sizeof(class_perm_node_t));
+					cpn->tclass = sepol_class->s.value;
+					cpn->data = data;
+					cpn->next = *sepol_class_perms;
+					*sepol_class_perms = cpn;
 				}
-				cpn = cil_malloc(sizeof(class_perm_node_t));
-				cpn->tclass = sepol_class->s.value;
-				cpn->data = data;
-				cpn->next = *sepol_class_perms;
-				*sepol_class_perms = cpn;
 			} else { /* MAP */
 				struct cil_list_item *j = NULL;
 				cil_list_for_each(j, cp->perms) {
-- 
2.29.0.rc2