checkpolicy: treat -self as an error
checkpolicy wrongly handles "-self". At the least, it should handle it as
an error. At best, it should support it correctly (which would involve
libsepol support as well). At present, it looks like it will end up
negating (-) the next type/attribute in the list after self, or if
there are no entries after self, ignoring it entirely.

This originally was raised by the Android team, which wanted to support
something like the following:
neverallow domain { domain -self }:dir search;
to prohibit cross domain access to some resource but allow access within
the same domain.

This change just makes it a fatal error during compilation.
Implementing real support for -self is left as future work.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
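The behaviour described in the commit message (a pending "-" that "self" leaves in place, so it silently attaches to the next identifier or is dropped if none follows) can be modelled with a small Python reimplementation of the type-set loop. This is an added illustration, not checkpolicy's own code: the `add` flag, the `self` short-circuit and the `RULE_SELF` marker follow the logic visible in the hunks below, while `tokenize`, `TypeSet`, `AvRule` and `PolicyError` are assumed names standing in for the lexer, `type_set_t`, `avrule_t` and `yyerror`. The `reject_neg_self` switch selects the pre-fix (ignore or misapply the negation) or post-fix (fatal error) behaviour.

```python
"""Model of how checkpolicy's TE rule helpers walk a type set such as
"{ domain -self }" and why "-self" was mishandled before this commit.
Added example; names here are assumptions, not checkpolicy's identifiers."""
from dataclasses import dataclass, field


class PolicyError(Exception):
    """Stands in for yyerror() followed by the error return."""


@dataclass
class TypeSet:
    types: set = field(default_factory=set)    # positive members
    negset: set = field(default_factory=set)   # members removed by '-'


@dataclass
class AvRule:
    stypes: TypeSet = field(default_factory=TypeSet)
    rule_self: bool = False                    # models the RULE_SELF flag


def tokenize(text):
    """Split "{ domain -self foo }" into ["domain", "-", "self", "foo"].
    The real lexer yields '-' as its own token, which is what makes
    the pending-negation state in the loop below possible."""
    tokens = []
    for tok in text.replace("{", " ").replace("}", " ").split():
        if tok.startswith("-") and len(tok) > 1:
            tokens.append("-")
            tokens.append(tok[1:])
        else:
            tokens.append(tok)
    return tokens


def parse_source_set(text, reject_neg_self=True):
    """Walk the identifiers of a source type set the way the helpers do.

    add == 1 means the next identifier is added, add == 0 means it is
    negated; a '-' token sets add to 0 and the next real identifier
    resets it to 1.  "self" is handled before that reset, so with the
    old code a '-' in front of it is never consumed."""
    rule = AvRule()
    add = 1
    for tok in tokenize(text):
        if tok == "self":
            if add == 0:
                if reject_neg_self:
                    # post-fix behaviour: fatal compile error
                    raise PolicyError("-self is not supported")
                # pre-fix behaviour: fall through with add still 0, so the
                # negation is applied to whatever identifier comes next
            rule.rule_self = True
            continue
        if tok == "-":
            add = 0
            continue
        if add:
            rule.stypes.types.add(tok)
        else:
            rule.stypes.negset.add(tok)
        add = 1
    return rule


if __name__ == "__main__":
    # Constructed inputs mirroring the Android use case from the message.
    old = parse_source_set("{ domain -self }", reject_neg_self=False)
    print("old, nothing after -self:", old)          # negation silently lost
    old2 = parse_source_set("{ domain -self foo }", reject_neg_self=False)
    print("old, identifier after -self:", old2)      # foo wrongly negated
    try:
        parse_source_set("{ domain -self }")
    except PolicyError as e:
        print("new:", e)
```

The two "old" runs show the two failure modes the message names: with nothing after `-self` the rule is equivalent to `{ domain self }`, and with a following identifier that identifier is negated instead. Either way the policy compiles and the author never learns that the cross-domain restriction they wrote was not what got installed, which is why a hard error is the safer interim behaviour.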
stephensmalley committed Nov 18, 2016
1 parent a609434 commit 49bfee8
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions checkpolicy/policy_define.c
@@ -1978,6 +1978,11 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
if (add == 0) {
yyerror("-self is not supported");
ret = -1;
goto out;
}
avrule->flags |= RULE_SELF;
continue;
}
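Review bot: the new `if (add == 0)` branch jumps to `out` with `ret = -1`, but neither `ret` nor the `out` label is visible in this hunk; confirm that define_te_avtab_xperms_helper already declares `ret` and that the `out` path releases the partially built `avrule` and drains the rest of `id_queue`, since only the current `id` has been freed at this point. It would also help readers of the diagnostic to say what is unsupported rather than only that it is, e.g. "-self is not supported in a type set", which matches the commit message's description of the problem.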
@@ -2437,6 +2442,11 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
if (add == 0) {
yyerror("-self is not supported");
ret = -1;
goto out;
}
avrule->flags |= RULE_SELF;
continue;
}
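Review bot: this block is a verbatim copy of the one added to define_te_avtab_xperms_helper above; the `self` handling (free, set RULE_SELF, continue) was already duplicated between the two helpers and this change grows the duplicated span to nine lines. Consider factoring it into a small shared routine, e.g. `static int handle_self_id(int add, avrule_t *avrule)`, so that the "real support for -self" the message defers to future work only has to be implemented in one place and the two helpers cannot drift apart.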
