mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-25 15:32:07 +00:00
982ec302b6
It is possible for anonymous category sets to be in a category expression if the expression has a macro parameter in it. Unfortunately, anonymous category sets are not looked for when resolving category expressions and a segfault will occur during later processing if there was one. As an example, consider the following portion of a policy. (macro m1 ((categoryset cs)) (userlevel USER (s0 (cs))) ) (call m1 ((c0 c1))) This policy will cause a segault, because the categoryset datum for the parameter cs is not seen as a categoryset and is treated as a plain category. When resolving an expression, check whether or not the datum that is found is actually an anonymous category set associated with a macro parameter. If it is, then resolve the category set if it has not already been resolved and treat its categories as a sub expression. Signed-off-by: James Carter <jwcart2@gmail.com> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> |
||
---|---|---|
.. | ||
cil | ||
include | ||
man | ||
src | ||
tests | ||
utils | ||
.gitignore | ||
COPYING | ||
Makefile | ||
VERSION |