On Thu, Sep 10, 2020 at 8:36 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Sep 9, 2020 at 4:57 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > CIL was not correctly determining the depth of constraint expressions
> > which prevented it from giving an error when the max depth was exceeded.
> > This allowed invalid policy binaries with constraint expressions exceeding
> > the max depth to be created.
> >
> > Validate the constraint expression using the same logic that is used
> > when reading the binary policy. This includes checking the depth of the
> > expression.
> >
> > Reported-by: Jonathan Hettwer <j2468h@xxxxxxxxx>
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>

Applied.
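
The kind of depth check the commit message describes, as an added example that is not part of this thread and is not the libsepol/CIL code: it walks a constraint expression in postfix order and tracks how many operands are on the evaluation stack. The enum names, the function name and the MAX_DEPTH value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical node kinds for this sketch; not libsepol identifiers. */
enum node { N_NOT, N_AND, N_OR, N_ATTR, N_NAMES };
#define MAX_DEPTH 5 /* assumed stack limit for the example */

/*
 * Validate a postfix constraint expression. depth is the index of the top
 * stack slot (-1 = empty). Returns 0 when the expression is well formed and
 * never needs more than MAX_DEPTH slots, -1 otherwise.
 */
int check_postfix_depth(const enum node *expr, size_t len)
{
    int depth = -1;

    for (size_t i = 0; i < len; i++) {
        switch (expr[i]) {
        case N_NOT:                 /* unary: needs one operand */
            if (depth < 0)
                return -1;
            break;
        case N_AND:
        case N_OR:                  /* binary: pops two, pushes one */
            if (depth < 1)
                return -1;
            depth--;
            break;
        case N_ATTR:
        case N_NAMES:               /* leaf: pushes one operand */
            if (depth == MAX_DEPTH - 1)
                return -1;          /* would exceed the max depth */
            depth++;
            break;
        default:
            return -1;              /* unknown node type */
        }
    }
    return depth == 0 ? 0 : -1;     /* exactly one result must remain */
}

int main(void)
{
    /* Constructed inputs: six leaves pushed before any operator. */
    enum node deep[] = { N_ATTR, N_ATTR, N_ATTR, N_ATTR, N_ATTR, N_ATTR,
                         N_AND, N_AND, N_AND, N_AND, N_AND };
    enum node flat[] = { N_ATTR, N_NAMES, N_AND, N_ATTR, N_OR };
    printf("deep=%d flat=%d\n", check_postfix_depth(deep, 11),
           check_postfix_depth(flat, 5));
    return 0;
}
```

Depth here is the stack height needed to evaluate the expression, not the number of nodes, so a long left-nested chain passes while six stacked operands do not.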