Since CIL allows permission expressions, it is possible for the expression to evaluate to no permissions. If this is the case, then don't add the constraint.
Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
 libsepol/cil/src/cil_binary.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 4ac8ce8d..468fb595 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -2823,6 +2823,12 @@ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, s
 goto exit;
 }

+ if (sepol_constrain->permissions == 0) {
+ /* No permissions, so don't insert rule. */
+ free(sepol_constrain);
+ return SEPOL_OK;
+ }
+
 rc = __cil_constrain_expr_to_sepol_expr(pdb, db, expr, &sepol_expr);
 if (rc != SEPOL_OK) {
 goto exit;
--
2.34.1
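Review bot: The new `if (sepol_constrain->permissions == 0)` branch drops the constraint with no diagnostic, so a policy author whose permission expression unintentionally evaluates to empty gets a binary policy in which the intended restriction is silently absent. Consider logging before the `free`, for example `cil_log(CIL_INFO, "Constraint has an empty permission set and was not added\n");`, so the omission shows up during policy builds and review. The branch also frees and returns directly while the surrounding context uses `goto exit`; if the `exit` label only releases `sepol_constrain`, going through it would keep a single cleanup path. The function's start and its `exit` label are outside this hunk, so that cleanup cannot be confirmed from here.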