- Set rc to SEPOL_ERR if the alias part of an aliasactual statement
does not resolve to the correct alias flavor (e.g. typealias, senalias, catalias)
- Add an error check if the actual part of an aliasactual statement
does not resolve to the correct actual flavor (type, sens, cat)
Signed-off-by: Steve Lawrence <slawrence@xxxxxxxxxx>
---
libsepol/cil/src/cil_resolve_ast.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index a671068..5c26530 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -521,6 +521,7 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
}
if (NODE(alias_datum)->flavor != alias_flavor) {
cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name);
+ rc = SEPOL_ERR;
goto exit;
}
@@ -529,6 +530,12 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
goto exit;
}
+ if (NODE(actual_datum)->flavor != flavor) {
+ cil_log(CIL_ERR, "%s is a %s, but aliases a %s\n", alias_datum->name, cil_node_to_string(NODE(alias_datum)), cil_node_to_string(NODE(actual_datum)));
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
alias = (struct cil_alias *)alias_datum;
if (alias->actual != NULL) {
--
2.9.4
