XEN policies with extended permissions are not supported, e.g. writing them will fail (see write.c:avrule_write()).

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 libsepol/src/policydb_validate.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index b34f83ec..3540f34a 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -799,6 +799,8 @@ static int validate_avtab_key(const avtab_key_t *key, int conditional, const pol
 	case AVTAB_XPERMS_ALLOWED:
 	case AVTAB_XPERMS_AUDITALLOW:
 	case AVTAB_XPERMS_DONTAUDIT:
+		if (p->target_platform != SEPOL_TARGET_SELINUX)
+			goto bad;
 		if (conditional)
 			goto bad;
 		break;
@@ -910,6 +912,8 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
 	}
 
 	if (avrule->specified & AVRULE_XPERMS) {
+		if (p->target_platform != SEPOL_TARGET_SELINUX)
+			goto bad;
 		if (!avrule->xperms)
 			goto bad;
 		switch (avrule->xperms->specified) {
-- 
2.40.1
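Review bot: The added `p->target_platform != SEPOL_TARGET_SELINUX` guard in validate_avtab_key carries no comment, so the reason the XPERMS cases are rejected for other targets lives only in the commit message; the same applies to the identical guard in the validate_avrules hunk. I would put a one-line comment above each, e.g. `/* extended permissions are only supported for the SELinux target; write.c cannot emit them for XEN */`, so a later reader does not loosen the check as overly strict. The bodies of both functions and the `bad:` label the guards jump to lie outside the hunks, and the `p` parameter of validate_avtab_key is only visible as the truncated `const pol` in the hunk header, presumably `const policydb_t *p`.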