On Tue, Oct 20, 2020 at 3:29 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> Both tunableif and booleanif use conditional blocks (either true or
> false). No ordering is imposed, so a false block can be first (or even
> the only) block. Checks are made to ensure that the first and second
> (if it exists) blocks are either true or false, but no checks are made
> to ensure that there is only one true and/or one false block. If there
> is more than one true or false block, only the first will be used and
> the other will be ignored.
>
> Create a function, cil_verify_conditional_blocks(), that gives an error
> along with a message if more than one true or false block is specified
> and call that function when building tunableif and booleanif blocks in
> the AST.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> V2: Put spaces between items in argument list
>
>  libsepol/cil/src/cil_build_ast.c | 44 +++++---------------------------
>  libsepol/cil/src/cil_verify.c    | 35 +++++++++++++++++++++++++
>  libsepol/cil/src/cil_verify.h    |  1 +
>  3 files changed, 42 insertions(+), 38 deletions(-)

Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
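
An added example, not part of this thread and not libsepol's code: a standalone sketch of the check the commit message describes, rejecting a conditional that has more than one true or more than one false block instead of silently dropping the extra one. The types and the names block_kind, verify_result and verify_conditional_blocks() are hypothetical stand-ins for the CIL AST.

```c
#include <stddef.h>

/* Hypothetical stand-ins for this example; these are not libsepol's types. */
enum block_kind { BLOCK_TRUE, BLOCK_FALSE, BLOCK_OTHER };

enum verify_result {
    VERIFY_OK = 0,
    VERIFY_ERR_NOT_COND,  /* child is neither a true nor a false block */
    VERIFY_ERR_DUP_TRUE,  /* second true block found */
    VERIFY_ERR_DUP_FALSE  /* second false block found */
};

/* Record the offending child index if the caller asked for it. */
static enum verify_result fail(enum verify_result rc, size_t i, size_t *bad_index)
{
    if (bad_index != NULL)
        *bad_index = i;
    return rc;
}

/* Check the child blocks of one conditional. Order is free and a single
 * block is fine, but each kind may appear at most once. */
enum verify_result verify_conditional_blocks(const enum block_kind *blocks,
                                             size_t n, size_t *bad_index)
{
    int seen_true = 0, seen_false = 0;
    for (size_t i = 0; i < n; i++) {
        if (blocks[i] == BLOCK_TRUE) {
            if (seen_true)
                return fail(VERIFY_ERR_DUP_TRUE, i, bad_index);
            seen_true = 1;
        } else if (blocks[i] == BLOCK_FALSE) {
            if (seen_false)
                return fail(VERIFY_ERR_DUP_FALSE, i, bad_index);
            seen_false = 1;
        } else {
            return fail(VERIFY_ERR_NOT_COND, i, bad_index);
        }
    }
    return VERIFY_OK;
}

int main(void)
{
    /* Constructed input: a second true block that would otherwise be ignored. */
    enum block_kind blocks[] = { BLOCK_FALSE, BLOCK_TRUE, BLOCK_TRUE };
    return verify_conditional_blocks(blocks, 3, NULL) == VERIFY_ERR_DUP_TRUE ? 0 : 1;
}
```

For policy review the point of failing hard is that rules in an ignored block never reach the compiled policy, so the binary policy can differ from what the source appears to grant or deny.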