On Tue, Oct 20, 2020 at 3:43 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> On Tue, Oct 20, 2020 at 3:29 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> > Both tunableif and booleanif use conditional blocks (either true or
> > false). No ordering is imposed, so a false block can be first (or even
> > the only) block. Checks are made to ensure that the first and second
> > (if it exists) blocks are either true or false, but no checks are made
> > to ensure that there is only one true and/or one false block. If there
> > are more than one true or false block, only the first will be used and
> > the other will be ignored.
> >
> > Create a function, cil_verify_conditional_blocks(), that gives an error
> > along with a message if more than one true or false block is specified
> > and call that function when building tunableif and booleanif blocks in
> > the AST.
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> > ---
> > V2: Put spaces between items in argument list
> >
> >  libsepol/cil/src/cil_build_ast.c | 44 +++++--------------------------
> >  libsepol/cil/src/cil_verify.c    | 35 +++++++++++++++++++++++++
> >  libsepol/cil/src/cil_verify.h    |  1 +
> >  3 files changed, 42 insertions(+), 38 deletions(-)
>
> Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

Now applied:
https://github.com/SELinuxProject/selinux/commit/2d353bd5850a4b3fc8480806010e08b59f4a4835

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
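
The check described in the quoted commit message, as an added example that is not part of the thread and is not the libsepol implementation: it scans the text of one booleanif or tunableif statement rather than the CIL AST, and rejects a second true or false block instead of silently ignoring it. The function name `verify_conditional_blocks`, the `cond_result` codes and the sample policy line are assumptions made for this illustration; comments in the policy text are not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not libsepol code: these result codes are hypothetical. */
enum cond_result { COND_OK, COND_DUP_TRUE, COND_DUP_FALSE, COND_NO_BLOCK, COND_SYNTAX };

/* Check the direct children of one (booleanif ...) or (tunableif ...)
 * statement: at most one (true ...) and at most one (false ...) block. */
enum cond_result verify_conditional_blocks(const char *stmt)
{
    int depth = 0, n_true = 0, n_false = 0;

    for (const char *p = stmt; *p; p++) {
        if (*p == '"') {                      /* skip quoted strings whole */
            p = strchr(p + 1, '"');
            if (!p)
                return COND_SYNTAX;
        } else if (*p == '(' && ++depth == 2) {
            /* depth 2 = a list directly under the statement; nested
             * conditionals sit deeper and are not counted here */
            const char *kw = p + 1;
            while (isspace((unsigned char)*kw))
                kw++;
            size_t len = strcspn(kw, " \t\n()");
            if (len == 4 && !strncmp(kw, "true", 4) && ++n_true > 1)
                return COND_DUP_TRUE;
            if (len == 5 && !strncmp(kw, "false", 5) && ++n_false > 1)
                return COND_DUP_FALSE;
        } else if (*p == ')' && --depth < 0) {
            return COND_SYNTAX;
        }
    }
    if (depth != 0)
        return COND_SYNTAX;
    return (n_true + n_false) ? COND_OK : COND_NO_BLOCK;
}

int main(void)
{
    /* Constructed sample: before the fix, the second (true ...) block was ignored. */
    const char *dup = "(booleanif b1 (true (allow t1 t2 (file (read))))"
                      " (true (allow t1 t2 (file (write)))))";
    printf("result = %d\n", verify_conditional_blocks(dup));
    return 0;
}
```

A false-only statement passes, matching the commit message's point that no ordering is imposed and a false block may be the only block.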