authorChristian Göttsche <cgzones@googlemail.com>2024-10-23 17:27:10 +0200
committerPaul Moore <paul@paul-moore.com>2024-12-13 16:35:38 -0500
commit4aa176193475d37441cc52b84088542f3a59899a (patch)
treea7db1ea0ce0e051b8b08e07833db31888fd5f8b1 /security/selinux/ss/conditional.c
parent034294fbfdf0ded4f931f9503d2ca5bbf8b9aebd (diff)
selinux: add support for xperms in conditional policies
Add support for extended permission rules in conditional policies. Currently the kernel accepts such rules already, but evaluating a security decision will hit a BUG() in services_compute_xperms_decision(). Thus reject extended permission rules in conditional policies for current policy versions. Add a new policy version for this feature. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Tested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/ss/conditional.c')
-rw-r--r--security/selinux/ss/conditional.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 64ba95e40a6f..c9a3060f08a4 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -349,7 +349,7 @@ static int cond_read_av_list(struct policydb *p, void *fp,
for (i = 0; i < len; i++) {
data.dst = &list->nodes[i];
rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf,
- &data);
+ &data, true);
if (rc) {
kfree(list->nodes);
list->nodes = NULL;
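Review bot: The bare `true` added as the last argument of `avtab_read_item()` in cond_read_av_list gives no hint of what it selects, and the callee's new signature is not part of this file's diff. Going by the commit description it presumably marks the entry as coming from the conditional avtab, so that extended permission rules can be rejected at load time on policy versions that do not support them, instead of reaching the BUG() during decision evaluation. A one-line comment at the call, for example `/* conditional avtab: xperms rules are gated on policy version */`, would make that check discoverable from here. It is also worth confirming that the rejection arrives as a non-zero `rc`, so that the existing `if (rc)` cleanup below handles it. The loop body and the error path continue outside the hunk.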