On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> libsepol/src/policydb_validate.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index 5c06e6f4..63fd935c 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -712,6 +712,25 @@ bad:
> return -1;
> }
>
> +static int validate_genfs(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
> +{
> + genfs_t *genfs;
> + ocontext_t *octx;
> +
> + for (genfs = p->genfs; genfs; genfs = genfs->next) {
> + for (octx = genfs->head; octx; octx = octx->next) {
> + if (validate_context(&octx->context[0], flavors, p->mls))
> + goto bad;
> + }
> + }
> +
> + return 0;
> +
> +bad:
> + ERR(handle, "Invalid genfs");
> + return -1;
> +}
> +
> /*
> * Functions to validate a module policydb
> */
> @@ -898,6 +917,8 @@ int validate_policydb(sepol_handle_t *handle, policydb_t *p)
> goto bad;
> if (validate_ocontexts(handle, p, flavors))
> goto bad;
> + if (validate_genfs(handle, p, flavors))
> + goto bad;
> if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS)
> if (validate_filename_trans_hashtab(handle, p->filename_trans, flavors))
> goto bad;
> --
> 2.33.0
>
Like ocontexts, genfs rules can be in base modules.

Jim
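Review bot: The inner loop of validate_genfs validates only `octx->context[0]`; the per-entry class selector in `octx->v.sclass`, which as far as I can tell is populated by the genfs reader from the same policy image (0 meaning "any class"), is never range-checked, so an out-of-range class index passes validation and is only caught, if at all, at lookup time. A second check after the context check would close that gap, e.g. `if (octx->v.sclass && validate_value(octx->v.sclass, &flavors[SYM_CLASSES])) goto bad;`, using whichever range helper this file already applies to other symbol values. The failure path reports only `Invalid genfs`; including `genfs->fstype` and `octx->u.name` in the ERR message would tell a policy author which rule was rejected. The second hunk's call site sits inside validate_policydb, whose body starts and ends outside the hunk.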