libsepol: fix checkpolicy dontaudit compiler bug

The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of: commit 6201bb5 ("libsepol: fix checkpolicy dontaudit compiler bug") that avoids the cumbersome pointer assignments on alloced. Reported-by: Nick Kralevich <[email protected]> Signed-off-by: William Roberts <[email protected]>
makesoftwaresafe · Nov 16, 2016 · be96f05 · be96f05
1 parent 5862ac5
commit be96f05
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
@@ -1640,6 +1640,11 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * handle,
 
 	if (!node) {
 		memset(&avdatum, 0, sizeof avdatum);
+		/*
+		 * AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for
+		 * others. Initialize the data accordingly.
+		 */
+		avdatum.data = key->specified == AVTAB_AUDITDENY ? ~0 : 0;
 		/* this is used to get the node - insertion is actually unique */
 		node = avtab_insert_nonunique(avtab, key, &avdatum);
 		if (!node) {
@@ -1850,10 +1855,7 @@ static int expand_avrule_helper(sepol_handle_t * handle,
 			 */
 			avdatump->data &= cur->data;
 		} else if (specified & AVRULE_DONTAUDIT) {
-			if (avdatump->data)
-				avdatump->data &= ~cur->data;
-			else
-				avdatump->data = ~cur->data;
+			avdatump->data &= ~cur->data;
 		} else if (specified & AVRULE_XPERMS) {
 			xperms = avdatump->xperms;
 			if (!xperms) {