RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libsepol: reject MLS support in pre-MLS policies 

If MLS support is enabled check the policy version supports MLS.

Reported-by: oss-fuzz (issue #67322)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2024-03-11 15:57:05 +01:00 committed by James Carter
parent f4330d5770
commit 6f7ddf2742
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libsepol/src/policydb_validate.c
View File

@ -1554,11 +1554,15 @@ static int validate_properties(sepol_handle_t *handle, const policydb_t *p)
case POLICY_KERN:
if (p->policyvers < POLICYDB_VERSION_MIN || p->policyvers > POLICYDB_VERSION_MAX)
goto bad;
if (p->mls && p->policyvers < POLICYDB_VERSION_MLS)
goto bad;
break;
case POLICY_BASE:
case POLICY_MOD:
if (p->policyvers < MOD_POLICYDB_VERSION_MIN || p->policyvers > MOD_POLICYDB_VERSION_MAX)
goto bad;
if (p->mls && p->policyvers < MOD_POLICYDB_VERSION_MLS)
goto bad;
break;
default:
goto bad;