On Tue, Jun 7, 2022 at 5:02 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > Users are allowed to be declared in modules. Modules do not get expanded > leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel` > empty. > Do not validate the expanded range and level for modular policies. > > Reported-by: bauen1 <j2468h@xxxxxxxxx> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > --- > libsepol/src/policydb_validate.c | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > index da18282b..99d4eb7f 100644 > --- a/libsepol/src/policydb_validate.c > +++ b/libsepol/src/policydb_validate.c > @@ -18,7 +18,7 @@ typedef struct validate { > typedef struct map_arg { > validate_t *flavors; > sepol_handle_t *handle; > - int mls; > + policydb_t *policy; > } map_arg_t; Hello, As the policy is not modified, could this pointer be "const policydb_t *policy;"? (And the last parameter of validate_user_datum be "const policydb_t *p"). On the other hand, as policydb_validate.c does not use any const pointer, feel free to disregard my comment. This patch nevertheless looks good to me too. Thanks! Nicolas
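Review bot: in the `map_arg_t` hunk the new `policy` member is a mutable `policydb_t *` and carries no comment, although a validation pass only needs to read the policy. Declaring it `const policydb_t *policy;` would let the compiler reject accidental writes through the callback argument, and a one-line comment saying that the pointer is borrowed and is consulted for both the MLS setting and whether the policy is modular would record why the old `int mls` flag was no longer sufficient. Only this hunk of the stated 6 insertions and 6 deletions is visible in this message, so the places that fill in `map_arg_t` and previously read `mls` cannot be checked from here.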