diff mbox series

libsepol: Make an unknown permission an error in CIL

Message ID 20190912183035.2946-1-jwcart2@tycho.nsa.gov (mailing list archive)
State Accepted
Headers show
Series libsepol: Make an unknown permission an error in CIL | expand

Commit Message

James Carter Sept. 12, 2019, 6:30 p.m. UTC
This patch is loosely based on a patch by Yuli Khodorkovskiy
<yuli@crunchydata.com> from June 13th, 2019.

Since any permission used in the policy should be defined, CIL
should return an error if it cannot resolve a permission used
in a policy. This was the original behavior of CIL.

The behavior was changed over three commits from July to November
2016 (See commits 46e157b47, da51020d6, and 2eefb20d8). The change
was motivated by Fedora trying to remove permissions from its
policy that were never upstreamed (ex/ process ptrace_child and
capability2 compromise_kernel). Local or third party modules
compiled with those permissions would break policy updates.

After three years it seems unlikely that we need to worry about
those local and third party modules and it is time for CIL to
give an error like it should.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/cil/src/cil_resolve_ast.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff mbox series

Patch

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index ea08087d..863d9fe8 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -131,18 +131,14 @@  static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
 				}
 			}
 			if (rc != SEPOL_OK) {
-				struct cil_list *empty_list;
 				if (class_flavor == CIL_MAP_CLASS) {
 					cil_log(CIL_ERR, "Failed to resolve permission %s for map class\n", (char*)curr->data);
-					goto exit;
+				} else {
+					cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
 				}
-				cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
-				/* Use an empty list to represent unknown perm */
-				cil_list_init(&empty_list, perm_strs->flavor);
-				cil_list_append(*perm_datums, CIL_LIST, empty_list);
-			} else {
-				cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
+				goto exit;
 			}
+			cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
 		} else {
 			cil_list_append(*perm_datums, curr->flavor, curr->data);
 		}