On Fri, Feb 11, 2022 at 1:47 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > Since CIL allows permission expressions, it is possible for the > expression to evaluate to no permissions. If this is the case, > then don't add the constraint. > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> These two patches have been merged. Jim > --- > libsepol/cil/src/cil_binary.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > index 4ac8ce8d..468fb595 100644 > --- a/libsepol/cil/src/cil_binary.c > +++ b/libsepol/cil/src/cil_binary.c > @@ -2823,6 +2823,12 @@ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, s > goto exit; > } > > + if (sepol_constrain->permissions == 0) { > + /* No permissions, so don't insert rule. */ > + free(sepol_constrain); > + return SEPOL_OK; > + } > + > rc = __cil_constrain_expr_to_sepol_expr(pdb, db, expr, &sepol_expr); > if (rc != SEPOL_OK) { > goto exit; > -- > 2.34.1 >
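Review bot: the new `if (sepol_constrain->permissions == 0)` branch in cil_constrain_to_policydb_helper() leaves the function with a direct `return SEPOL_OK`, while the error checks immediately before and after it use `goto exit`. Either set `rc = SEPOL_OK` and go through the same exit path, or state in the comment that at this point `sepol_constrain` is the only thing the function owns and that a plain `free(sepol_constrain)` releases all of it, so a later change that allocates something earlier in the function does not turn this branch into a leak. The constraint is also dropped silently: a constrain statement whose permission expression evaluates to nothing is probably not what the policy author intended, and it means a restriction they wrote is not in the binary policy, so a low-level log message naming the skipped constraint would make that visible. The diffstat shows only cil_binary.c changed; a small CIL test policy with a permission expression that evaluates to no permissions would cover this path.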