In both check_assertion_extended_permissions() and report_assertion_avtab_matches(), when checking for a match involving a rule using self, the matches between the source and target of the rule being checked are found using ebitmap_and() and then the matches between that result and the source of the neverallow are found using another ebitmap_and() call. Since the matches between the sources of the rule being checked and the neverallow have already been found, just find the matches between that result and the target of the rule being checked. This only requires one call to ebitmap_and() instead of two. Signed-off-by: James Carter <jwcart2@xxxxxxxxx> --- libsepol/src/assertion.c | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index d3711b01..4c9b9557 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c @@ -214,7 +214,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void avrule_t *avrule = a->avrule; class_perm_node_t *cp; uint32_t perms; - ebitmap_t src_matches, tgt_matches, self_matches, matches; + ebitmap_t src_matches, tgt_matches, self_matches; ebitmap_node_t *snode, *tnode; unsigned int i, j; @@ -227,7 +227,6 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void ebitmap_init(&src_matches); ebitmap_init(&tgt_matches); ebitmap_init(&self_matches); - ebitmap_init(&matches); rc = ebitmap_and(&src_matches, &avrule->stypes.types, &p->attr_type_map[k->source_type - 1]); @@ -242,10 +241,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void goto oom; if (avrule->flags == RULE_SELF) { - rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]); - if (rc < 0) - goto oom; - rc = ebitmap_and(&self_matches, &avrule->stypes.types, &matches); + rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]); if (rc < 0) goto oom; @@ -284,7 +280,6 @@ exit: ebitmap_destroy(&src_matches); ebitmap_destroy(&tgt_matches); ebitmap_destroy(&self_matches); - ebitmap_destroy(&matches); return rc; } @@ -374,7 +369,7 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab, avtab_key_t *k, policydb_t *p) { - ebitmap_t src_matches, tgt_matches, self_matches, matches; + ebitmap_t src_matches, tgt_matches, self_matches; unsigned int i, j; ebitmap_node_t *snode, *tnode; int rc; @@ -382,7 +377,6 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab ebitmap_init(&src_matches); ebitmap_init(&tgt_matches); ebitmap_init(&self_matches); - ebitmap_init(&matches); rc = ebitmap_and(&src_matches, &avrule->stypes.types, &p->attr_type_map[k->source_type - 1]); @@ -400,11 +394,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab goto oom; if (avrule->flags == RULE_SELF) { - rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], - &p->attr_type_map[k->target_type - 1]); - if (rc < 0) - goto oom; - rc = ebitmap_and(&self_matches, &avrule->stypes.types, &matches); + rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]); if (rc < 0) goto oom; @@ -435,7 +425,7 @@ oom: exit: ebitmap_destroy(&src_matches); ebitmap_destroy(&tgt_matches); - ebitmap_destroy(&matches); + ebitmap_destroy(&self_matches); return rc; } -- 2.31.1