If tunables are not preserved (the mode unconditionally used by
checkpolicy) an expression must not consist of booleans and tunables,
since such expressions are not supported during expansion (see expand.c:
discard_tunables()).
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
checkpolicy/policy_define.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index d4e376ad..95cd5c85 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3964,8 +3964,9 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
{
cond_expr_t *e;
- int depth;
+ int depth, booleans, tunables;
cond_node_t cn, *cn_old;
+ const cond_bool_datum_t *bool_var;
/* expression cannot be NULL */
if (!expr) {
@@ -3990,6 +3991,8 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
/* verify expression */
depth = -1;
+ booleans = 0;
+ tunables = 0;
for (e = expr; e; e = e->next) {
switch (e->expr_type) {
case COND_NOT:
@@ -4018,6 +4021,14 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
return -1;
}
depth++;
+
+ bool_var = policydbp->bool_val_to_struct[e->boolean - 1];
+ if (bool_var->flags & COND_BOOL_FLAGS_TUNABLE) {
+ tunables = 1;
+ } else {
+ booleans = 1;
+ }
+
break;
default:
yyerror("illegal conditional expression");
@@ -4028,6 +4039,10 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
yyerror("illegal conditional expression");
return -1;
}
+ if (booleans && tunables) {
+ yyerror("illegal conditional expression; Contains boolean and tunable");
+ return -1;
+ }
/* use tmp conditional node to partially build new node */
memset(&cn, 0, sizeof(cn));
--
2.40.1
