From d9fecb8ab0f52272fd4785fe6f15e6855b2f6008 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Fri, 3 Feb 2017 13:02:37 -0500 Subject: add pcr/libsepol --- ...ol-fix-checkpolicy-dontaudit-compiler-bug.patch | 51 ++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 pcr/libsepol/0013-libsepol-fix-checkpolicy-dontaudit-compiler-bug.patch (limited to 'pcr/libsepol/0013-libsepol-fix-checkpolicy-dontaudit-compiler-bug.patch') diff --git a/pcr/libsepol/0013-libsepol-fix-checkpolicy-dontaudit-compiler-bug.patch b/pcr/libsepol/0013-libsepol-fix-checkpolicy-dontaudit-compiler-bug.patch new file mode 100644 index 000000000..ff43a5e27 --- /dev/null +++ b/pcr/libsepol/0013-libsepol-fix-checkpolicy-dontaudit-compiler-bug.patch @@ -0,0 +1,51 @@ +From 00603062c7e9d74a76d62ee9806c9042ec7ad7fa Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Tue, 15 Nov 2016 16:42:23 -0800 +Subject: [PATCH] libsepol: fix checkpolicy dontaudit compiler bug + +The combining logic for dontaudit rules was wrong, causing +a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; +rule. + +This is a reimplementation of: +commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: +fix checkpolicy dontaudit compiler bug") +that avoids the cumbersome pointer assignments on alloced. + +Reported-by: Nick Kralevich +Signed-off-by: William Roberts +--- + libsepol/src/expand.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c +index 004a02949b98..3e16f586028c 100644 +--- a/libsepol/src/expand.c ++++ b/libsepol/src/expand.c +@@ -1640,6 +1640,11 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * handle, + + if (!node) { + memset(&avdatum, 0, sizeof avdatum); ++ /* ++ * AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for ++ * others. Initialize the data accordingly. ++ */ ++ avdatum.data = key->specified == AVTAB_AUDITDENY ? ~0 : 0; + /* this is used to get the node - insertion is actually unique */ + node = avtab_insert_nonunique(avtab, key, &avdatum); + if (!node) { +@@ -1850,10 +1855,7 @@ static int expand_avrule_helper(sepol_handle_t * handle, + */ + avdatump->data &= cur->data; + } else if (specified & AVRULE_DONTAUDIT) { +- if (avdatump->data) +- avdatump->data &= ~cur->data; +- else +- avdatump->data = ~cur->data; ++ avdatump->data &= ~cur->data; + } else if (specified & AVRULE_XPERMS) { + xperms = avdatump->xperms; + if (!xperms) { +-- +2.10.2 + -- cgit v1.2.3