On Mon, Apr 1, 2024 at 11:09 AM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> Commit e81c466 "Fix class permission verification in CIL", added a
> check for the use of "all" in a permission expression for a class
> that had no permissions. Unfortunately, that change did not take
> into account a class that had common permissions, so a class that
> has no permissions of its own, but inherits permissions from a
> common, will fail the verification check.
>
> If the class inherits from a common, then add those permissions to
> the permission list when verifying the permission expression.
>
> Example/
> (common co1 (cop1))
> (class cl1 ())
> (classcommon cl1 co1)
> (classorder (CLASS cl1))
>
> (classpermission cp1)
> (classpermissionset cp1 (cl1 (all)))
>
> (classmap cm1 (cmp1))
> (classmapping cm1 cmp1 (cl1 (all)))
>
> Previously, both the classpermissionset and the classmapping rules
> would fail verification, but now they pass as expected.
>
> Patch originally from Ben Cressey <bcressey@xxxxxxxxxx>, I have
> expanded the explanation.
>
> Reported-by: Ben Cressey <bcressey@xxxxxxxxxx>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>

This has been merged.
Jim

> ---
> libsepol/cil/src/cil_verify.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
> index 0c6d50a1..4ef2cbab 100644
> --- a/libsepol/cil/src/cil_verify.c
> +++ b/libsepol/cil/src/cil_verify.c
> @@ -1842,6 +1842,9 @@ static int __cil_verify_perms(struct cil_class *class, struct cil_list *perms, s
> int count2 = 0;
> cil_list_init(&perm_list, CIL_MAP_PERM);
> cil_symtab_map(&class->perms, __add_perm_to_list, perm_list);
> + if (class->common != NULL) {
> + cil_symtab_map(&class->common->perms, __add_perm_to_list, perm_list);
> + }
> cil_list_for_each(j, perm_list) {
> count2++;
> struct cil_perm *perm = j->data;
> --
> 2.44.0
>
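Review bot: the hunk in __cil_verify_perms folds the common's permissions into perm_list but adds no test that exercises the new branch; the CIL example in the commit message (a class with no permissions of its own, a classcommon, and a classpermissionset and classmapping that use (all)) is a ready-made regression case and should land with the change so a later edit to this function cannot silently bring the failure back. A one-line comment above the new `if (class->common != NULL)` saying that count2, which is incremented in the loop right below, must count inherited permissions as well as the class's own would also make the intent clear without a trip through the history.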
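The rule the patch changes, shown as an added example rather than libsepol's own code: a small Python model of CIL `common`, `class` and `classcommon` declarations with a verifier for `(all)` and named permissions in a permission expression. The `include_common` flag, the `Policy` class, the s-expression reader and the function names are all assumptions of this model (there is no such flag in libsepol); `include_common=False` reproduces the pre-fix behaviour, `include_common=True` the fixed one. The policy text is the commit message's example embedded as a constructed input.

```python
"""Model of CIL class-permission verification, with and without common inheritance.

Added example, not libsepol code. It mirrors the rule __cil_verify_perms applies:
the permission set an expression is checked against must be the class's own
permissions plus those inherited from its common.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the example from the commit message.
POLICY = """
(common co1 (cop1))
(class cl1 ())
(classcommon cl1 co1)
(classorder (CLASS cl1))

(classpermission cp1)
(classpermissionset cp1 (cl1 (all)))

(classmap cm1 (cmp1))
(classmapping cm1 cmp1 (cl1 (all)))
"""


def parse_sexprs(text):
    """Minimal s-expression reader: returns a list of nested lists of atoms."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]


@dataclass
class Policy:
    commons: dict = field(default_factory=dict)        # common name -> set of perms
    classes: dict = field(default_factory=dict)        # class name -> set of own perms
    class_common: dict = field(default_factory=dict)   # class name -> common name
    perm_exprs: list = field(default_factory=list)     # (rule kind, class, expression)


def load(text):
    """Load only the declarations this model needs; other statements are ignored."""
    p = Policy()
    for form in parse_sexprs(text):
        kw = form[0]
        if kw == "common":
            p.commons[form[1]] = set(form[2])
        elif kw == "class":
            p.classes[form[1]] = set(form[2])
        elif kw == "classcommon":
            p.class_common[form[1]] = form[2]
        elif kw == "classpermissionset":      # (classpermissionset NAME (CLASS EXPR))
            cls, expr = form[2]
            p.perm_exprs.append((kw, cls, expr))
        elif kw == "classmapping":            # (classmapping MAP MAPPERM (CLASS EXPR))
            cls, expr = form[3]
            p.perm_exprs.append((kw, cls, expr))
    return p


def class_perms(p, cls, include_common=True):
    """The permission set an expression on `cls` is verified against."""
    perms = set(p.classes[cls])
    common = p.class_common.get(cls)
    if include_common and common is not None:   # the line the patch adds
        perms |= p.commons[common]
    return perms


def verify_perm_expr(p, cls, expr, include_common=True):
    """Return None if the expression is valid for `cls`, else an error string."""
    perms = class_perms(p, cls, include_common)
    for item in expr:
        if item == "all":
            if not perms:
                return f"class {cls} has no permissions, so (all) is invalid"
        elif item not in perms:
            return f"permission {item} is not defined for class {cls}"
    return None


def verify(p, include_common=True):
    """Verify every recorded permission expression; return [(rule, class, error)]."""
    errors = []
    for rule, cls, expr in p.perm_exprs:
        err = verify_perm_expr(p, cls, expr, include_common)
        if err is not None:
            errors.append((rule, cls, err))
    return errors


if __name__ == "__main__":
    policy = load(POLICY)
    print("before fix:", verify(policy, include_common=False))
    print("after fix: ", verify(policy, include_common=True))
```

Running the block shows both the `classpermissionset` and the `classmapping` rules rejected with the class's own (empty) permission set and accepted once the common's `cop1` is folded in, which is exactly the behaviour change the commit message describes.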