Rebase on upstream commit 32611aea6543 See $ cd SELinuxProject/selinux $ git log --pretty=oneline libsepol-3.2..32611aea6543 -- libsepol
From b839e9a1cb78d67c18df8b2e75e2fa53cca74392 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 16 Mar 2021 15:31:06 -0400
Subject: [PATCH] libsepol: Write "NO_IDENTIFIER" for empty CIL constraint
expression
If a role or user attribute with nothing associated with it is used
in a constraint expression, then the bitmap will be empty. This is
not a problem for the kernel, but does cause problems when converting
a kernel policy or module to CIL.
When creating a CIL policy from a kernel policy or module, if an
empty bitmap is encountered, use the string "NO_IDENTIFIER". An
error will occur if an attempt is made to compile the resulting
policy, but a valid policy was not being produced before anyway.
Treat types the same way even though empty bitmaps are not expected.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/src/kernel_to_cil.c | 2 +-
libsepol/src/module_to_cil.c | 10 +++++++---
2 files changed, 8 insertions(+), 4 deletions(-)
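--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -189,7 +189,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 names = ebitmap_to_str(&curr->names, pdb->p_role_val_to_name, 1);
 }
 if (!names) {
-goto exit;
+names = strdup("NO_IDENTIFIER");
 }
 if (strchr(names, ' ')) {
 new_val = create_str("(%s %s (%s))", 3, op, attr1, names);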
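Review bot: The new `names = strdup("NO_IDENTIFIER");` is never checked, so when strdup() returns NULL the next context line `if (strchr(names, ' '))` dereferences a null pointer, and the removed `goto exit` was the only guard on that path. The same unchecked strdup() appears in the module_to_cil.c hunk, where the length computation the trailing comment describes (outside the hunk) presumably uses `names` too. Add `if (!names) { goto exit; }` directly after the strdup() here, and in module_to_cil.c mirror the failure handling already used for name_list_to_string in the else branch (set rc and goto exit). Separately, the `!names` test now also covers any non-empty-bitmap failure of ebitmap_to_str() (e.g. its own allocation failure) and silently turns it into NO_IDENTIFIER; if that call can fail that way, testing the bitmap for emptiness before calling it would keep the two cases apart, though the hunk does not show enough to be sure. constraint_expr_to_str continues outside the hunk on both sides.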
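--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -1793,9 +1793,13 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp
 goto exit;
 }
 }
-rc = name_list_to_string(name_list, num_names, &names);
-if (rc != 0) {
-goto exit;
+if (num_names == 0) {
+names = strdup("NO_IDENTIFIER");
+} else {
+rc = name_list_to_string(name_list, num_names, &names);
+if (rc != 0) {
+goto exit;
+}
 }
 
 // length of values/oper + 2 spaces + 2 parens + null terminator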
--
2.32.0