commit 1f15c628966966b823dd56dab0613482497c22b4
author James Carter <jwcart2@gmail.com> Wed Feb 09 16:39:47 2022 -0500
committer James Carter <jwcart2@gmail.com> Fri Mar 11 10:19:00 2022 -0500
tree c38aeee7f32d914417fd1964e9fcc77bc20aa4aa
parent 0d84ebcbc475d70a3747bdcb4ad1235e932bb7c1

libsepol/cil: Don't add constraint if there are no permissions

Since CIL allows permission expressions, it is possible for the
expression to evaluate to no permissions. If this is the case,
then don't add the constraint.

Signed-off-by: James Carter <jwcart2@gmail.com>

libsepol/cil/src/cil_binary.c

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 8b64b37..53017e2 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -2823,6 +2823,12 @@
 		goto exit;
 	}
 
+	if (sepol_constrain->permissions == 0) {
+		/* No permissions, so don't insert rule. */
+		free(sepol_constrain);
+		return SEPOL_OK;
+	}
+
 	rc = __cil_constrain_expr_to_sepol_expr(pdb, db, expr, &sepol_expr);
 	if (rc != SEPOL_OK) {
 		goto exit;