libsepol: reject MLS support in pre-MLS policies
If MLS support is enabled, check that the policy version supports MLS. Reported-by: oss-fuzz (issue #67322) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
parent
f4330d5770
commit
6f7ddf2742
|
@ -1554,11 +1554,15 @@ static int validate_properties(sepol_handle_t *handle, const policydb_t *p)
|
||||||
case POLICY_KERN:
|
case POLICY_KERN:
|
||||||
if (p->policyvers < POLICYDB_VERSION_MIN || p->policyvers > POLICYDB_VERSION_MAX)
|
if (p->policyvers < POLICYDB_VERSION_MIN || p->policyvers > POLICYDB_VERSION_MAX)
|
||||||
goto bad;
|
goto bad;
|
||||||
|
if (p->mls && p->policyvers < POLICYDB_VERSION_MLS)
|
||||||
|
goto bad;
|
||||||
break;
|
break;
|
||||||
case POLICY_BASE:
|
case POLICY_BASE:
|
||||||
case POLICY_MOD:
|
case POLICY_MOD:
|
||||||
if (p->policyvers < MOD_POLICYDB_VERSION_MIN || p->policyvers > MOD_POLICYDB_VERSION_MAX)
|
if (p->policyvers < MOD_POLICYDB_VERSION_MIN || p->policyvers > MOD_POLICYDB_VERSION_MAX)
|
||||||
goto bad;
|
goto bad;
|
||||||
|
if (p->mls && p->policyvers < MOD_POLICYDB_VERSION_MLS)
|
||||||
|
goto bad;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
goto bad;
|
goto bad;
|
||||||
|
|
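Review bot: The two added `p->mls` checks (one in the `POLICY_KERN` branch, one in the shared `POLICY_BASE`/`POLICY_MOD` branch) carry no comment stating the invariant they enforce, so a reader has to go to the commit message to learn why an MLS flag on an old policy version is rejected. I would add above the first one `/* MLS is only defined from POLICYDB_VERSION_MLS on; reject older policies that claim it */`, and the same wording with `MOD_POLICYDB_VERSION_MLS` in the module branch. Both checks jump to the same `bad` label as the version-range test, so unless the code at `bad` (outside this hunk) distinguishes them, a rejected policy presumably reports the same generic error for either cause; a dedicated message would help triage of fuzzer findings and malformed-policy reports. `validate_properties` starts before and continues past the hunk.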