Re: [PATCH] libsepol: do not modify policy during write

James Carter <jwcart2@xxxxxxxxx> · Wed, 6 Jul 2022 16:12:38 -0400

On Thu, Jun 30, 2022 at 2:45 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Thu, Jun 30, 2022 at 1:04 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > Do not modify the in memory default_range value of a class datum while
> > writing a policy.
> >
> > While on it fix indentation.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>

Merged.
Thanks,
Jim

> > ---
> >  libsepol/src/write.c | 16 +++++++++-------
> >  1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/libsepol/src/write.c b/libsepol/src/write.c
> > index 48ed21ea..a9fdf93a 100644
> > --- a/libsepol/src/write.c
> > +++ b/libsepol/src/write.c
> > @@ -1097,16 +1097,18 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
> >              p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) ||
> >             (p->policy_type == POLICY_BASE &&
> >              p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
> > +               char default_range = cladatum->default_range;
> > +
> >                 buf[0] = cpu_to_le32(cladatum->default_user);
> >                 buf[1] = cpu_to_le32(cladatum->default_role);
> > -               if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
> > +               if (!glblub_version && default_range == DEFAULT_GLBLUB) {
> >                         WARN(fp->handle,
> > -                             "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
> > -                             p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
> > -                             p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
> > -                        cladatum->default_range = 0;
> > -                }
> > -               buf[2] = cpu_to_le32(cladatum->default_range);
> > +                            "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
> > +                            p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
> > +                            p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
> > +                       default_range = 0;
> > +               }
> > +               buf[2] = cpu_to_le32(default_range);
> >                 items = put_entry(buf, sizeof(uint32_t), 3, fp);
> >                 if (items != 3)
> >                         return POLICYDB_ERROR;
> > --
> > 2.36.1
> >