On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Check for invalid avtab types.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
>  libsepol/src/policydb_validate.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index fa128794..89830ff3 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -441,6 +441,20 @@ static int validate_avtab_key(avtab_key_t *key, validate_t flavors[])
>  		goto bad;
>  	if (validate_value(key->target_class, &flavors[SYM_CLASSES]))
>  		goto bad;
> +	switch (0xFFF & key->specified) {
> +	case AVTAB_ALLOWED:
> +	case AVTAB_AUDITALLOW:
> +	case AVTAB_AUDITDENY:
> +	case AVTAB_XPERMS_ALLOWED:
> +	case AVTAB_XPERMS_AUDITALLOW:
> +	case AVTAB_XPERMS_DONTAUDIT:
> +	case AVTAB_TRANSITION:
> +	case AVTAB_MEMBER:
> +	case AVTAB_CHANGE:
> +		break;
> +	default:
> +		goto bad;
> +	}
>
>  	return 0;
>
> --
> 2.33.0
>

avrule_t also has a specified field that could be checked.

Thanks,
Jim
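Review bot: the bare literal in `switch (0xFFF & key->specified)` needs a comment (or a named mask constant) stating which high bits it is meant to strip before the type is compared, because a reader of validate_avtab_key() cannot tell from this hunk which flags above 0xFFF legitimately accompany the rule type, and any unexpected high bit in `key->specified` currently passes the new check unnoticed since the mask discards it before the `default: goto bad;` is reached. The switch itself is sound: the masked value must equal exactly one of the nine listed AVTAB_* types, so a key with two type bits set or an unknown low value is rejected the same way the preceding validate_value() calls reject bad type and class values.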