@@ -131,18 +131,14 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
}
}
if (rc != SEPOL_OK) {
- struct cil_list *empty_list;
if (class_flavor == CIL_MAP_CLASS) {
cil_log(CIL_ERR, "Failed to resolve permission %s for map class\n", (char*)curr->data);
- goto exit;
+ } else {
+ cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
}
- cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
- /* Use an empty list to represent unknown perm */
- cil_list_init(&empty_list, perm_strs->flavor);
- cil_list_append(*perm_datums, CIL_LIST, empty_list);
- } else {
- cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
+ goto exit;
}
+ cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
} else {
cil_list_append(*perm_datums, curr->flavor, curr->data);
}
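Review bot: The two branches of the new if/else differ only in the message text, so the duplicated cil_log call could be folded into one line, `cil_log(CIL_ERR, "Failed to resolve permission %s%s\n", (char*)curr->data, class_flavor == CIL_MAP_CLASS ? " for map class" : "");`, followed by the single `goto exit;`. Since this reverses behaviour that was introduced deliberately (the removed empty-list fallback), a short comment above the `if (rc != SEPOL_OK)` block such as `/* An unresolved permission is a policy error; accepting it silently would hide typos and dropped perms */` would keep the fail-closed intent from being "fixed" back later. The hunk does not show where rc is assigned, so if callers of __cil_resolve_perms expect a specific CIL error code rather than whatever the lookup returned, `rc = SEPOL_ERR;` before the goto may be needed — please confirm. The body of __cil_resolve_perms begins before and continues after this hunk.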
This patch is loosely based on a patch by Yuli Khodorkovskiy <yuli@crunchydata.com> from June 13th, 2019. Since any permission used in the policy should be defined, CIL should return an error if it cannot resolve a permission used in a policy. This was the original behavior of CIL. The behavior was changed over three commits from July to November 2016 (See commits 46e157b47, da51020d6, and 2eefb20d8). The change was motivated by Fedora trying to remove permissions from its policy that were never upstreamed (e.g., process ptrace_child and capability2 compromise_kernel). Local or third-party modules compiled with those permissions would break policy updates. After three years it seems unlikely that we need to worry about those local and third-party modules, and it is time for CIL to give an error like it should. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- libsepol/cil/src/cil_resolve_ast.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-)