setools/0006-AVRule-AVRuleXperm-Treat-rules-with-no-permissions-a.patch
Petr Lautrbach 46e11071de setools-4.4.2-4
- Disable/remove neverallow options in sediff.
- Improve man pages
- seinfoflow: Add -r option to get flows into the source type.
- seinfoflow.1: Remove references to sepolgen permission map.
- AVRule/AVRuleXperm: Treat rules with no permissions as invalid policy.
- SELinuxPolicy: Add explicit cast for libspol message

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2226424
2023-07-26 14:37:17 +02:00


From 725d224e8dd8af3a5a56c71b9de7936d098cae61 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Tue, 16 May 2023 13:21:09 -0400
Subject: [PATCH] AVRule/AVRuleXperm: Treat rules with no permissions as
invalid policy.
Content-type: text/plain
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
---
setools/policyrep/terule.pxi | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi
index 6c869ed08ad9..4f4a95f553bc 100644
--- a/setools/policyrep/terule.pxi
+++ b/setools/policyrep/terule.pxi
@@ -120,6 +120,17 @@ cdef class AVRule(BaseTERule):
r._conditional = conditional
r._conditional_block = conditional_block
r.origin = None
+
+ if not r.perms:
+ rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {{ }};"
+ try:
+ rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
+ except RuleNotConditional:
+ pass
+
+ raise LowLevelPolicyError("Invalid policy: Found a rule with no permissions: "
+ f"{rule_string}")
+
return r
def __hash__(self):
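Review bot: The guard at `if not r.perms:` reads the permission set back through the freshly built rule object, whereas the parallel guard added to AVRuleXperm in the next hunk reads the factory argument directly (`if not perms:`); if `r.perms` is a property that converts or wraps the underlying set, the two factories can disagree on what counts as empty, so both checks should read the same source. Raising here is the right fail-closed choice: a policy that yields a rule with no permissions is malformed, and returning such a rule would presumably let it pass through permission-based queries unmatched. A one-line comment above the guard would record that intent, e.g. `# An AV rule with an empty permission set cannot come from a well-formed policy; fail closed rather than return a rule no permission query can match.` The enclosing factory method starts before the hunk, and the `__hash__` definition on its last line continues after it.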
@@ -319,6 +330,17 @@ cdef class AVRuleXperm(BaseTERule):
r._conditional = conditional
r._conditional_block = conditional_block
r.origin = None
+
+ if not perms:
+ rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {r.xperm_type} {{ }};"
+ try:
+ rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
+ except RuleNotConditional:
+ pass
+
+ raise LowLevelPolicyError(
+ f"Invalid policy: Found a rule with no extended permissions: {rule_string}.")
+
return r
def __hash__(self):
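Review bot: The message built in the `raise LowLevelPolicyError(` call appends a period after `{rule_string}`, but `rule_string` already ends with `;`, so the text a user sees reads `... { };.`; the AVRule hunk above omits the trailing period, and the two should match, e.g. `f"Invalid policy: Found a rule with no extended permissions: {rule_string}"`. Including `r.xperm_type` in the rendered rule is useful, since it lets the reporter tell an empty ioctl rule apart from an ordinary AV rule without reopening the policy. The enclosing factory method starts before the hunk.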
--
2.41.0