Re: [PATCH 1/7] libsepol: validate conditional type rules have a simple default type

On Fri, Dec 1, 2023 at 2:52 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Tue, Nov 28, 2023 at 1:23 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > Similar to unconditional avtab keys, check that the default type of type av
> > rules is a simple type, not an attribute.
> > Since extended permission rules are not allowed in conditional policies
> > this check does not need to be performed.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> For every patch except for patch 4.
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>

Patches 1-3 and 5-7 have been merged.
Thanks,
Jim


> > ---
> >  libsepol/src/policydb_validate.c | 15 +++++++++++----
> >  1 file changed, 11 insertions(+), 4 deletions(-)
> >
> > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> > index 8b87675f..c2f19fa0 100644
> > --- a/libsepol/src/policydb_validate.c
> > +++ b/libsepol/src/policydb_validate.c
> > @@ -885,14 +885,21 @@ static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *c
> >
> >         for (; cond_av; cond_av = cond_av->next) {
> >                 for (avtab_ptr = cond_av->node; avtab_ptr; avtab_ptr = avtab_ptr->next) {
> > -                       if (validate_avtab_key(&avtab_ptr->key, 1, p, flavors)) {
> > -                               ERR(handle, "Invalid cond av list");
> > -                               return -1;
> > -                       }
> > +                       const avtab_key_t *key = &avtab_ptr->key;
> > +                       const avtab_datum_t *datum = &avtab_ptr->datum;
> > +
> > +                       if (validate_avtab_key(key, 1, p, flavors))
> > +                               goto bad;
> > +                       if ((key->specified & AVTAB_TYPE) && validate_simpletype(datum->data, p, flavors))
> > +                               goto bad;
> >                 }
> >         }
> >
> >         return 0;
> > +
> > +bad:
> > +       ERR(handle, "Invalid cond av list");
> > +       return -1;
> >  }
> >
> >  static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int conditional, const policydb_t *p, validate_t flavors[])
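Review bot: the new `validate_simpletype(datum->data, ...)` check on the `AVTAB_TYPE` branch relies on the commit message's claim that extended-permission rules cannot appear in conditional policies, but nothing in this hunk shows that `validate_avtab_key(key, 1, p, flavors)` (conditional argument set to 1) rejects `AVTAB_XPERMS` keys; please confirm that it does, or add a one-line comment above the check stating why no xperms branch is needed here, since a reader comparing this loop with the unconditional avtab path will otherwise look for the missing case. A smaller point: both failures now funnel through the single `ERR(handle, "Invalid cond av list")` at `bad:`, so a policy rejected because a type rule's default is an attribute gets the same message as one with a bad key; a more specific message on the new branch (for example "Invalid default type in cond av list") would make policy debugging easier.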
> > --
> > 2.43.0
> >
> >




