libsepol: Sort portcon rules consistently

The comparison function, portcon_data_cmp(), only made use of the protocol to put tcp before udp, dccp, and sctp. Rules that have the same port range, but with different protocols would be considered equal unless one of the protocols was tcp. When generating a CIL or conf source policy from a binary or using the "-S" option in checkpolicy the non-tcp portcon rules with the same port range would not be consistently sorted. Changed portcon_data_cmp() to sort portcon rules like the CIL function cil_post_portcon_compare(). Reported-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: James Carter <jwcart2@gmail.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
sailfishos-mirror · Jun 2, 2020 · 2a63109 · 2a63109
1 parent 4ad0abd
commit 2a63109
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
@@ -470,11 +470,9 @@ static int portcon_data_cmp(const void *a, const void *b)
 	rc = compare_ranges((*aa)->u.port.low_port, (*aa)->u.port.high_port,
 			    (*bb)->u.port.low_port, (*bb)->u.port.high_port);
 	if (rc == 0) {
-		if ((*aa)->u.port.protocol == (*bb)->u.port.protocol) {
-			rc = 0;
-		} else if ((*aa)->u.port.protocol == IPPROTO_TCP) {
+		if ((*aa)->u.port.protocol < (*bb)->u.port.protocol) {
 			rc = -1;
-		} else {
+		} else if ((*aa)->u.port.protocol > (*bb)->u.port.protocol) {
 			rc = 1;
 		}
 	}