
[06/16,v2] libsepol: Move check of target types to before check for self

Message ID 20220111215446.595516-7-jwcart2@gmail.com (mailing list archive)
State Accepted
Commit d4456cb4b9ff

Commit Message

James Carter Jan. 11, 2022, 9:54 p.m. UTC
If a neverallow has target types as well as using self, and a match
is found with the target types, then self does not even need to
be checked, since the rule already violates the assertion.

So move the check for a match of the target types before dealing with
self.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/assertion.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)


diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index bd0dc4ed..7a1c4a5e 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -457,26 +457,28 @@  static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
 	if (!ebitmap_match_any(&avrule->stypes.types, &p->attr_type_map[k->source_type - 1]))
 		goto nomatch;
 
-	if (avrule->flags == RULE_SELF) {
-		/* If the neverallow uses SELF, then it is not enough that the
-		 * neverallow's source matches the src and tgt of the rule being checked.
-		 * It must match the same thing in the src and tgt, so AND the source
-		 * and target together and check for a match on the result.
-		 */
-		ebitmap_t match;
-		rc = ebitmap_and(&match, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1] );
-		if (rc) {
-			ebitmap_destroy(&match);
-			goto oom;
-		}
-		rc2 = ebitmap_match_any(&avrule->stypes.types, &match);
-		ebitmap_destroy(&match);
-	}
-
 	/* neverallow may have tgts even if it uses SELF */
 	if (!ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1])) {
-		if (rc2 == 0)
+		if (avrule->flags == RULE_SELF) {
+			/* If the neverallow uses SELF, then it is not enough that the
+			 * neverallow's source matches the src and tgt of the rule being checked.
+			 * It must match the same thing in the src and tgt, so AND the source
+			 * and target together and check for a match on the result.
+			 */
+			ebitmap_t match;
+			rc = ebitmap_and(&match, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1] );
+			if (rc) {
+				ebitmap_destroy(&match);
+				goto oom;
+			}
+			if (!ebitmap_match_any(&avrule->stypes.types, &match)) {
+				ebitmap_destroy(&match);
+				goto nomatch;
+			}
+			ebitmap_destroy(&match);
+		} else {
 			goto nomatch;
+		}
 	}
 
 	if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
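Review bot: `rc2` is no longer written anywhere in this hunk — its only assignment was the removed `rc2 = ebitmap_match_any(&avrule->stypes.types, &match);` — so if its declaration above the hunk is still present it is now a set-but-never-read variable and should be dropped, or reused so that `match` is released on a single path. The two `ebitmap_destroy(&match)` calls around the `goto nomatch` inside the `RULE_SELF` branch can collapse to `rc2 = ebitmap_match_any(&avrule->stypes.types, &match); ebitmap_destroy(&match); if (!rc2) goto nomatch;`, leaving one cleanup point after the AND and making the non-OOM flow easier to audit. The `avrule->flags == RULE_SELF` equality test is carried over from the old code; if `flags` can hold other bits alongside `RULE_SELF`, a bitwise test would be the safer form, but that is outside what this move changes. check_assertion_avtab_match begins and ends outside the hunk.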