From patchwork Thu Sep 29 16:38:25 2016
X-Patchwork-Submitter: Jeffrey Vander Stoep
X-Patchwork-Id: 9356751
From: Jeff Vander Stoep
To: selinux@tycho.nsa.gov
Subject: [PATCH] libsepol: fix xperm mapping between avrule and avtab
Date: Thu, 29 Sep 2016 09:38:25 -0700
Message-Id: <1475167105-16420-1-git-send-email-jeffv@google.com>

Commit 915fa8f08f4f moves the xperm specified value directly from avrule to avtab. The mapping between them is currently the same, but may not always be. Instead these values should be mapped using values defined in av_extended_perms_t and avtab_extended_perms_t.

Fixes: 915fa8f08f4f ("checkpolicy: switch operations to extended perms")

Change-Id: Ic9f4031c9381b2ff6cc46043fb1602758ef4c224
Signed-off-by: Jeff Vander Stoep
--- libsepol/src/expand.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index e6d3ef1..004a029 100644 --- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c @@ -1855,20 +1855,31 @@ static int expand_avrule_helper(sepol_handle_t * handle, else avdatump->data = ~cur->data; } else if (specified & AVRULE_XPERMS) { - if (!avdatump->xperms) { + xperms = avdatump->xperms; + if (!xperms) { xperms = (avtab_extended_perms_t *) calloc(1, sizeof(avtab_extended_perms_t)); if (!xperms) { ERR(handle, "Out of memory!"); return -1; } - node->datum.xperms = xperms; + avdatump->xperms = xperms; } - node->datum.xperms->specified = extended_perms->specified; - node->datum.xperms->driver = extended_perms->driver; + switch (extended_perms->specified) { + case AVRULE_XPERMS_IOCTLFUNCTION: + xperms->specified = AVTAB_XPERMS_IOCTLFUNCTION; + break; + case AVRULE_XPERMS_IOCTLDRIVER: + xperms->specified = AVTAB_XPERMS_IOCTLDRIVER; + break; + default: + return -1; + } + + xperms->driver = extended_perms->driver; for (i = 0; i < ARRAY_SIZE(xperms->perms); i++) - node->datum.xperms->perms[i] |= extended_perms->perms[i]; + xperms->perms[i] |= extended_perms->perms[i]; } else { assert(0); /* should never occur */ }
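
Review bot: the `default:` arm of the new switch on `extended_perms->specified` in expand_avrule_helper() returns -1 without an `ERR(handle, ...)` call, unlike the out-of-memory path a few lines above it, so an unrecognised avrule xperm type makes expansion fail with no diagnostic. Suggest logging the unexpected value before returning. The switch also runs after a freshly calloc'd `xperms` has already been stored in `avdatump->xperms`, so on that error path the datum is left holding a zeroed entry with no `specified` or `driver` set; validating `extended_perms->specified` before the allocation would avoid leaving that half-initialised state behind.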