diff --git a/setools/policyrep/sepol.pxd b/setools/policyrep/sepol.pxd
index 922065e4..4db8fc3c 100644
--- a/setools/policyrep/sepol.pxd
+++ b/setools/policyrep/sepol.pxd
@@ -157,6 +157,7 @@ cdef extern from "": # cdef int AVTAB_XPERMS_IOCTLFUNCTION
 cdef int AVTAB_XPERMS_IOCTLDRIVER
+ cdef int AVTAB_XPERMS_NLMSG
 cdef struct avtab_extended_perms:
 uint8_t specified
@@ -437,6 +438,7 @@ cdef extern from "": # cdef int AVRULE_XPERMS_IOCTLFUNCTION
 cdef int AVRULE_XPERMS_IOCTLDRIVER
+ cdef int AVRULE_XPERMS_NLMSG
 cdef int EXTENDED_PERMS_LEN
 cdef struct av_extended_perms:
diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi
index 0aa807d4..ddb2e950 100644
--- a/setools/policyrep/terule.pxi
+++ b/setools/policyrep/terule.pxi
@@ -300,9 +300,10 @@ cdef class AVRuleXperm(BaseTERule): # for curr in range(len):
 if sepol.xperm_test(curr, xperms.perms):
-if xperms.specified & sepol.AVTAB_XPERMS_IOCTLFUNCTION:
+if (xperms.specified == sepol.AVTAB_XPERMS_IOCTLFUNCTION \
+or xperms.specified == sepol.AVTAB_XPERMS_NLMSG):
 perms.add(xperms.driver << 8 | curr)
-elif xperms.specified & sepol.AVTAB_XPERMS_IOCTLDRIVER:
+elif xperms.specified == sepol.AVTAB_XPERMS_IOCTLDRIVER:
 base_value = curr << 8
 perms.update(range(base_value, base_value + 0x100))
 else:
@@ -317,6 +318,8 @@ cdef class AVRuleXperm(BaseTERule):
 if datum.xperms.specified == sepol.AVTAB_XPERMS_IOCTLFUNCTION \
 or datum.xperms.specified == sepol.AVTAB_XPERMS_IOCTLDRIVER:
 xperm_type = intern("ioctl")
+elif datum.xperms.specified == sepol.AVTAB_XPERMS_NLMSG:
+xperm_type = intern("nlmsg")
 else:
 raise LowLevelPolicyError(f"Unknown extended permission: {datum.xperms.specified}")
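Review bot: The new `cdef int AVTAB_XPERMS_NLMSG` is an unconditional extern declaration, so a build against a libsepol whose avtab.h predates the netlink-message xperm constant fails at compile time, and nothing in the hunk records that new minimum. The same applies to `AVRULE_XPERMS_NLMSG` in the second hunk of this file. I would note it at the declaration, `# requires the libsepol release that introduced netlink-message xperms; older headers lack this symbol`, and raise the libsepol floor wherever the build dependency is declared, which I cannot see from here. The enclosing `cdef extern` block continues outside the hunk.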
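Review bot: `perms.add(xperms.driver << 8 | curr)` now yields values for two different permission kinds and nothing at that line says what the 16-bit value means for each; for ioctls it is the driver byte high and function byte low, and for nlmsg it is presumably the netlink message type split the same way by libsepol, which should be confirmed against the kernel encoding before the branch is shared. I would add `# ioctl: (driver << 8) | function; nlmsg: 16-bit netlink message type, high byte carried in .driver` above the call. The move from `&` to `==` also deserves a comment because it is only necessary if the NLMSG value overlaps the IOCTL* bits, which I cannot verify here: `# .specified is an enum, not a bitmask, so test with == (NLMSG overlaps the IOCTL bits)`. The `for curr in range(len)` loop and the trailing `else:` branch extend outside the hunk.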
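Review bot: The new `xperm_type = intern("nlmsg")` value reaches every consumer of `xperm_type`, and this hunk does not show that any of them accept it; if query filters, statement rendering or the policy diff code compare against the literal `"ioctl"` (not visible here), nlmsg rules would be silently dropped or mislabeled. Please confirm those sites handle `"nlmsg"` and add a test that loads a policy containing an nlmsg `allowxperm` rule and checks the reported type. A one-line comment on the new branch would help the next reader: `# netlink-message xperms are reported as their own type, not folded into ioctl`. The enclosing method starts outside the hunk.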