On Wed, Sep 9, 2020 at 4:57 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> CIL was not correctly determining the depth of constraint expressions
> which prevented it from giving an error when the max depth was exceeded.
> This allowed invalid policy binaries with constraint expressions exceeding
> the max depth to be created.
>
> Validate the constraint expression using the same logic that is used
> when reading the binary policy. This includes checking the depth of the
> expression.
>
> Reported-by: Jonathan Hettwer <j2468h@xxxxxxxxx>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>

Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
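
The kind of depth check the commit message describes, as an added example that is not part of this thread, the patch, or libsepol: a validator for a constraint expression stored in postfix order that tracks the evaluation-stack depth and rejects expressions that underflow it or exceed a maximum. The names `constraint_expr_valid`, the `CEXPR_*` identifiers and the limit of 5 are assumptions for illustration, and the sample arrays are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define CEXPR_MAXDEPTH 5 /* assumed limit, for illustration */

/* Node kinds of a postfix constraint expression (illustrative names). */
enum cexpr_type { CEXPR_NOT = 1, CEXPR_AND, CEXPR_OR, CEXPR_ATTR, CEXPR_NAMES };

/* Returns 0 if the postfix expression is well formed and never needs more
 * than CEXPR_MAXDEPTH stack slots, -1 otherwise. */
int constraint_expr_valid(const enum cexpr_type *expr, size_t n)
{
    int depth = -1; /* index of the top stack slot; -1 means empty */

    for (size_t i = 0; i < n; i++) {
        switch (expr[i]) {
        case CEXPR_NOT:              /* unary: needs one operand */
            if (depth < 0) return -1;
            break;
        case CEXPR_AND:
        case CEXPR_OR:               /* binary: pops two, pushes one */
            if (depth < 1) return -1;
            depth--;
            break;
        case CEXPR_ATTR:
        case CEXPR_NAMES:            /* leaf: pushes one operand */
            if (depth == CEXPR_MAXDEPTH - 1) return -1;
            depth++;
            break;
        default:                     /* unknown node type */
            return -1;
        }
    }
    return depth == 0 ? 0 : -1;      /* exactly one result must remain */
}

/* Constructed samples. A = CEXPR_ATTR, N = CEXPR_NAMES. */
#define A CEXPR_ATTR
#define N CEXPR_NAMES
const enum cexpr_type ok_chain[] = { A, N, CEXPR_AND, A, CEXPR_OR, N, CEXPR_AND,
                                     A, CEXPR_OR, N, CEXPR_AND, A, CEXPR_OR };
const enum cexpr_type ok_five[]  = { A, A, A, A, A, CEXPR_AND, CEXPR_AND,
                                     CEXPR_AND, CEXPR_AND };
const enum cexpr_type too_deep[] = { A, A, A, A, A, A, CEXPR_AND, CEXPR_AND,
                                     CEXPR_AND, CEXPR_AND, CEXPR_AND };
const enum cexpr_type underflow[] = { A, CEXPR_AND };
const enum cexpr_type leftover[]  = { A, N };

int main(void)
{
    printf("ok_chain=%d too_deep=%d\n", constraint_expr_valid(ok_chain, 13),
           constraint_expr_valid(too_deep, 11));
    return 0;
}
```

`ok_chain` has seven operands but never holds more than two on the stack, while `too_deep` has six and is rejected: the limit applies to stack depth, not to the number of operands.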