From 725d224e8dd8af3a5a56c71b9de7936d098cae61 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Tue, 16 May 2023 13:21:09 -0400
Subject: [PATCH] AVRule/AVRuleXperm: Treat rules with no permissions as
invalid policy.
Content-type: text/plain
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
---
setools/policyrep/terule.pxi | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi
index 6c869ed08ad9..4f4a95f553bc 100644
--- a/setools/policyrep/terule.pxi
+++ b/setools/policyrep/terule.pxi
@@ -120,6 +120,17 @@ cdef class AVRule(BaseTERule):
r._conditional = conditional
r._conditional_block = conditional_block
r.origin = None
+
+ if not r.perms:
+ rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {{ }};"
+ try:
+ rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
+ except RuleNotConditional:
+ pass
+
+ raise LowLevelPolicyError("Invalid policy: Found a rule with no permissions: "
+ f"{rule_string}")
+
return r
def __hash__(self):
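Review bot: The guard `if not r.perms:` reads the permission set back through the constructed object, while the matching guard in the AVRuleXperm hunk below tests the `perms` argument directly (`if not perms:`); unless the two attributes are deliberately different, the two factories should use the same form so the invariant reads identically in both places. The enclosing factory starts outside this hunk, so its docstring should gain a line such as `Raises LowLevelPolicyError if the rule carries no permissions (invalid policy).` since callers can now hit that exception from what was previously a plain constructor. Both hunks also share the `try ... except RuleNotConditional: pass` formatting step; if the factories grow further fields, a small shared helper that renders the rule text for error messages would keep the two messages from drifting.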
@@ -319,6 +330,17 @@ cdef class AVRuleXperm(BaseTERule):
r._conditional = conditional
r._conditional_block = conditional_block
r.origin = None
+
+ if not perms:
+ rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {r.xperm_type} {{ }};"
+ try:
+ rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
+ except RuleNotConditional:
+ pass
+
+ raise LowLevelPolicyError(
+ f"Invalid policy: Found a rule with no extended permissions: {rule_string}.")
+
return r
def __hash__(self):
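Review bot: The error message here ends with `{rule_string}.`, but `rule_string` already terminates with `;` when the rule is unconditional, so the rendered text reads `... { }};.`, and it differs from the AVRule hunk above, which emits no trailing period; the simpler consistent form is `f"Invalid policy: Found a rule with no extended permissions: {rule_string}")`. The check is placed after every field is assigned and before `return r`, so the partially built object is discarded on the error path, which looks correct. The enclosing factory begins outside this hunk, so its docstring should also state that `LowLevelPolicyError` is raised for a rule with no extended permissions.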
--
2.41.0