libsepol/backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch

From c071aa2e635935216e8e504a5b398f58aed2838e Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Mon, 1 Apr 2024 10:49:24 -0400
Subject: [PATCH] libsepol/cil: Check common perms when verifiying "all"

Commit e81c466 "Fix class permission verification in CIL", added a
check for the use of "all" in a permission expression for a class
that had no permissions. Unfortunately, that change did not take
into account a class that had common permissions, so a class that
has no permmissions of its own, but inherits permissions from a
common, will fail the verification check.

If the class inherits from a common, then add those permissions to
the permmission list when verifying the permission expression.

Example/
(common co1 (cop1))
(class cl1 ())
(classcommon cl1 co1)
(classorder (CLASS cl1))

(classpermission cp1)
(classpermissionset cp1 (cl1 (all)))

(classmap cm1 (cmp1))
(classmapping cm1 cmp1 (cl1 (all)))

Previously, both the classpermissionset and the classmapping rules
would fail verification, but now they pass as expected.

Patch originally from Ben Cressey <bcressey@amazon.com>, I have
expanded the explanation.

Reported-by: Ben Cressey <bcressey@amazon.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/cil/src/cil_verify.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 0c6d50a18..4ef2cbab3 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -1842,6 +1842,9 @@ static int __cil_verify_perms(struct cil_class *class, struct cil_list *perms, s
 				int count2 = 0;
 				cil_list_init(&perm_list, CIL_MAP_PERM);
 				cil_symtab_map(&class->perms, __add_perm_to_list, perm_list);
+				if (class->common != NULL) {
+					cil_symtab_map(&class->common->perms, __add_perm_to_list, perm_list);
+				}
 				cil_list_for_each(j, perm_list) {
 					count2++;
 					struct cil_perm *perm = j->data;