process_line called compat_validate, but never actually looked at the return value. When an invalid entry is found, a warning is printed, but since the upper layers of the code don't see the error, validation appears to succeed.

Steps to reproduce on Android:

1) Edit system/sepolicy/private/file_contexts and create an entry with an invalid label.
2) Recompile Android, which executes out/host/linux-x86/bin/checkfc to check if file_contexts is valid.

Expected: Compile failure.
Actual: Compile succeeds with warnings.

Change-Id: I20fa18c7b11b5ffdd243c3274bedc4518431e1fb

--- libselinux/src/label_file.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h index 00c0a5c..4ac64d5 100644 --- a/libselinux/src/label_file.h +++ b/libselinux/src/label_file.h @@ -467,7 +467,7 @@ static inline int process_line(struct selabel_handle *rec, spec_hasMetaChars(&spec_arr[nspec]); if (strcmp(context, "<<none>>") && rec->validating) - compat_validate(rec, &spec_arr[nspec].lr, path, lineno); + return compat_validate(rec, &spec_arr[nspec].lr, path, lineno); return 0; } -- 2.8.0.rc3.226.g39d4020
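
Review bot: In the `rec->validating` branch of process_line, the new `return compat_validate(...)` passes the callee's return value straight up, so it is only correct if compat_validate follows the same failure convention as the rest of process_line (which returns 0 on success); that convention is not visible in this hunk and should be confirmed or stated in the commit message. Because process_line is a static inline in label_file.h and the branch is gated only on `rec->validating`, the behaviour change is not limited to checkfc: any validating caller that previously loaded a file_contexts with one invalid label and a warning will now get a failure. I would note that in the commit message, and check that the text compat_validate prints now reads as an error rather than a warning, since it aborts processing.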