If a role or user attribute with nothing associated with it is used in a constraint expression, then the bitmap will be empty. This is not a problem for the kernel, but does cause problems when converting a kernel policy or module to CIL. When creating a CIL policy from a kernel policy or module, if an empty bitmap is encountered, use the string "NO_IDENTIFIER". An error will occur if an attempt is made to compile the resulting policy, but a valid policy was not being produced before anyway. Treat types the same way even though empty bitmaps are not expected.
Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
 libsepol/src/kernel_to_cil.c | 2 +-
 libsepol/src/module_to_cil.c | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 96e0f5d3..c6dd2e12 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -189,7 +189,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 names = ebitmap_to_str(&curr->names, pdb->p_role_val_to_name, 1);
 }
 if (!names) {
- goto exit;
+ names = strdup("NO_IDENTIFIER");
 }
 if (strchr(names, ' ')) {
 new_val = create_str("(%s %s (%s))", 3, op, attr1, names);
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 3cc75b42..2a794f57 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -1793,9 +1793,13 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp
 goto exit;
 }
 }
- rc = name_list_to_string(name_list, num_names, &names);
- if (rc != 0) {
- goto exit;
+ if (num_names == 0) {
+ names = strdup("NO_IDENTIFIER");
+ } else {
+ rc = name_list_to_string(name_list, num_names, &names);
+ if (rc != 0) {
+ goto exit;
+ }
 }

 // length of values/oper + 2 spaces + 2 parens + null terminator
-- 
2.26.2
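Review bot: The new `names = strdup("NO_IDENTIFIER");` in kernel_to_cil.c is not checked for NULL, and the removed `goto exit` was the only guard before `strchr(names, ' ')` on the following context line, so a failed strdup now dereferences NULL. The same `if (!names)` also used to catch a NULL return from ebitmap_to_str for any reason; if that helper can fail for reasons other than an empty bitmap (not visible here), an allocation failure would now be silently rendered as the placeholder instead of being reported. Keep the placeholder but restore the failure path, `if (!names) { names = strdup("NO_IDENTIFIER"); if (!names) goto exit; }`, and consider testing the bitmap for emptiness before calling ebitmap_to_str so that a genuine error stays an error. constraint_expr_to_str starts and ends outside the hunk, so the exit label and how a NULL return is handled by the caller are not visible here.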
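Review bot: In the new `num_names == 0` branch of module_to_cil.c, `names = strdup("NO_IDENTIFIER");` can return NULL and nothing checks it; the branch leaves `rc` untouched and falls through to the length computation that the trailing comment introduces, where `names` is presumably passed to strlen. Add the check the else branch already has for its own allocation, `if (!names) { rc = -1; goto exit; }` (using whatever error value this function's other exit paths return), so an out-of-memory condition is reported rather than becoming a NULL dereference. A one-line comment above the new `if`, such as `/* Empty bitmap: emit a placeholder so conversion completes; the result will not compile. */`, would also help, because the placeholder is deliberately not a valid identifier and a later reader will not know why it appears. constraint_expr_to_string starts and ends outside the hunk, so the exit label and the function's error-return convention are not visible here.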