RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-02-17 10:06:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

libsepol: validate conditional type rules have a simple default type

Browse Source 
Similar to unconditional avtab keys check the default type of type av
rules are a simple type, not an attribute.
Since extended permission rules are not allowed in conditional policies
this check does not need to be performed.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2023-11-28 19:23:28 +01:00 committed by James Carter
parent d1ea1a1634
commit 14f76201da
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
libsepol/src/policydb_validate.c
View File

@ -885,14 +885,21 @@ static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *c
for (; cond_av; cond_av = cond_av->next) {
for (avtab_ptr = cond_av->node; avtab_ptr; avtab_ptr = avtab_ptr->next) {
if (validate_avtab_key(&avtab_ptr->key, 1, p, flavors)) {
ERR(handle, "Invalid cond av list");
return -1;
}
const avtab_key_t *key = &avtab_ptr->key;
const avtab_datum_t *datum = &avtab_ptr->datum;
if (validate_avtab_key(key, 1, p, flavors))
goto bad;
if ((key->specified & AVTAB_TYPE) && validate_simpletype(datum->data, p, flavors))
goto bad;
}
}
return 0;
bad:
ERR(handle, "Invalid cond av list");
return -1;
}
static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int conditional, const policydb_t *p, validate_t flavors[])