For every call to cil_fill_classperms_list(), the syntax of the whole rule, including the class permissions, has already been checked. There is no reason to check it again. Also, because the class permissions appear in the middle of some rules, like constraints, the syntax array does not end with CIL_SYN_END. This is the only case where the syntax array does not end with CIL_SYN_END. This prevents __cil_verify_syntax() from requiring that the syntax array ends with CIL_SYN_END. Remove the redundant syntax checking in cil_fill_classperms_list(). Signed-off-by: James Carter <jwcart2@xxxxxxxxx> --- libsepol/cil/src/cil_build_ast.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 9da90883..514cac8d 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -736,20 +736,11 @@ int cil_fill_classperms_list(struct cil_tree_node *parse_current, struct cil_lis { int rc = SEPOL_ERR; struct cil_tree_node *curr; - enum cil_syntax syntax[] = { - CIL_SYN_STRING | CIL_SYN_LIST, - }; - int syntax_len = sizeof(syntax)/sizeof(*syntax); if (parse_current == NULL || cp_list == NULL) { goto exit; } - rc = __cil_verify_syntax(parse_current, syntax, syntax_len); - if (rc != SEPOL_OK) { - goto exit; - } - cil_list_init(cp_list, CIL_CLASSPERMS); curr = parse_current->cl_head; -- 2.31.1