After generating policies validate them.

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 checkpolicy/checkmodule.c | 8 ++++++++
 checkpolicy/checkpolicy.c | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
index 3432608b..846e5a36 100644
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@@ -29,6 +29,7 @@
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/link.h>
 #include <sepol/policydb/sidtab.h>
+#include <sepol/policydb/validate.h>
 #include "queue.h"
 #include "checkpolicy.h"
@@ -329,6 +330,13 @@ int main(int argc, char **argv)
 	sepol_sidtab_destroy(&sidtab);
+	modpolicydb.policyvers = policyvers;
+
+	if (validate_policydb(NULL, &modpolicydb)) {
+		fprintf(stderr, "%s: validation of generated policy failed\n", argv[0]);
+		exit(1);
+	}
+
 	if (outfile) {
 		FILE *outfp = fopen(outfile, "w");
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 926ce72c..3ce63d06 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -87,6 +87,7 @@
 #include <sepol/policydb/hierarchy.h>
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/link.h>
+#include <sepol/policydb/validate.h>
 #include "queue.h"
 #include "checkpolicy.h"
@@ -652,6 +653,11 @@ int main(int argc, char **argv)
 		}
 	}
+	if (validate_policydb(NULL, policydbp)) {
+		fprintf(stderr, "%s: validation of generated policy failed\n", argv[0]);
+		exit(1);
+	}
+
 	if (outfile) {
 		if (!strcmp(outfile, "-")) {
 			outfp = stdout;
-- 
2.33.1
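Review bot: The new line `modpolicydb.policyvers = policyvers;` in the checkmodule.c hunk at `@@ -329,6 +330,13 @@` is the one non-obvious addition and carries no comment saying why the target version has to be set before the validator runs; presumably validate_policydb() applies version-dependent checks, so a short note such as `/* validate_policydb() may consult policyvers; set the target version first */` would spare the next reader a trip into libsepol. The same validation block appears in the checkpolicy.c hunk at `@@ -652,6 +653,11 @@`; both sites pass a NULL handle, so whatever detail the validator reports presumably only reaches the user through libsepol's default message handler, and the added fprintf is just the summary — worth stating in a comment at both sites so the NULL is understood as deliberate. Both error paths exit(1) without tearing down the policydb, which is consistent with an exit-on-error tool but cannot be confirmed from the hunk since main() starts and ends outside it.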