libsepol: Fix erroneous genfscon asterisks

When genfs_seclabel_wildcard is on, extra asterisks are added to keep
semantics of genfscon entries. That needs to be removed when converting
the policy to CIL or conf, but genfscon_to_cil is missing it.

Signed-off-by: Inseob Kim <[email protected]>
Acked-by: James Carter <[email protected]>

Author: iskim517

libsepol/src/module_to_cil.c

@@ -2987,10 +2987,22 @@ static int genfscon_to_cil(struct policydb *pdb)
 	struct genfs *genfs;
 	struct ocontext *ocon;
 	uint32_t sclass;
+	char *name;
+	int wildcard = ebitmap_get_bit(&pdb->policycaps, POLICYDB_CAP_GENFS_SECLABEL_WILDCARD);
+	size_t name_len;
 
 	for (genfs = pdb->genfs; genfs != NULL; genfs = genfs->next) {
 		for (ocon = genfs->head; ocon != NULL; ocon = ocon->next) {
 			sclass = ocon->v.sclass;
+			name = ocon->u.name;
+			name_len = strlen(name);
+			if (wildcard) {
+				if (name_len == 0 || name[name_len - 1] != '*') {
+					ERR(NULL, "genfscon path must end with '*' when genfs_seclabel_wildcard");
+					return -1;
+				}
+				--name_len;
+			}
 			if (sclass) {
 				const char *file_type;
 				const char *class_name = pdb->p_class_val_to_name[sclass-1];
@@ -3011,9 +3023,10 @@ static int genfscon_to_cil(struct policydb *pdb)
 				} else {
 					return -1;
 				}
-				cil_printf("(genfscon %s \"%s\" %s ", genfs->fstype, ocon->u.name, file_type);
+				cil_printf("(genfscon %s \"%.*s\" %s ", genfs->fstype, (int)name_len, name,
+				           file_type);
 			} else {
-				cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name);
+				cil_printf("(genfscon %s \"%.*s\" ", genfs->fstype, (int)name_len, name);
 			}
 			context_to_cil(pdb, &ocon->context[0]);
 			cil_printf(")\n");