Check for invalid avtab or avrule types.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
v2: also check avrule types
---
 libsepol/src/policydb_validate.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 82193379..5ef95c61 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -483,6 +483,20 @@ static int validate_avtab_key(avtab_key_t *key, validate_t flavors[])
 		goto bad;
 	if (validate_value(key->target_class, &flavors[SYM_CLASSES]))
 		goto bad;
+	switch (0xFFF & key->specified) {
+	case AVTAB_ALLOWED:
+	case AVTAB_AUDITALLOW:
+	case AVTAB_AUDITDENY:
+	case AVTAB_XPERMS_ALLOWED:
+	case AVTAB_XPERMS_AUDITALLOW:
+	case AVTAB_XPERMS_DONTAUDIT:
+	case AVTAB_TRANSITION:
+	case AVTAB_MEMBER:
+	case AVTAB_CHANGE:
+		break;
+	default:
+		goto bad;
+	}
 	return 0;
@@ -536,6 +550,23 @@ static int validate_avrules(sepol_handle_t *handle, avrule_t *avrule, validate_t
 		if (validate_value(class->tclass, &flavors[SYM_CLASSES]))
 			goto bad;
 	}
+	switch(avrule->specified) {
+	case AVRULE_ALLOWED:
+	case AVRULE_AUDITALLOW:
+	case AVRULE_AUDITDENY:
+	case AVRULE_DONTAUDIT:
+	case AVRULE_NEVERALLOW:
+	case AVRULE_TRANSITION:
+	case AVRULE_MEMBER:
+	case AVRULE_CHANGE:
+	case AVRULE_XPERMS_ALLOWED:
+	case AVRULE_XPERMS_AUDITALLOW:
+	case AVRULE_XPERMS_DONTAUDIT:
+	case AVRULE_XPERMS_NEVERALLOW:
+		break;
+	default:
+		goto bad;
+	}
 }
 	return 0;
-- 
2.34.1
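Review bot: The mask literal in `switch (0xFFF & key->specified)` is unexplained; it presumably strips flag bits that sit above the type bits (the AVTAB_ENABLED bit, if I read libsepol's avtab.h correctly), so a comment such as `/* drop the AVTAB_ENABLED flag; exactly one type bit must remain */`, or a named mask from the header in place of the literal, would keep that intent visible to the next reader. The accepted list also leaves out the neverallow variants of avtab types while the second hunk accepts AVRULE_NEVERALLOW and AVRULE_XPERMS_NEVERALLOW; if such entries are never expected in a loaded avtab, a one-line comment stating so would stop a later maintainer from reading the omission as an oversight. validate_avtab_key's `bad:` label and the remainder of the function lie outside this hunk.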
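Review bot: `switch(avrule->specified)` drops the space after the keyword that the first hunk's `switch (0xFFF & key->specified)` and the neighbouring `if (` lines use; write `switch (avrule->specified) {` so the two new checks read alike. A short comment above the switch, e.g. `/* reject unknown rule kinds; keep in sync with the AVRULE_* definitions */`, would tell whoever adds the next rule type that this list must be extended as well. validate_avrules begins before this hunk and its `bad:` path follows after it, so the behaviour on the failure branch is not visible here.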