From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Validate the type-to-associated-attributes maps also for policies prior to version 20. To ensure only valid entries in these maps, skip the degenerate case for gaps during construction.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 libsepol/src/policydb.c | 2 +-
 libsepol/src/policydb_validate.c | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 49f9e8af..e90ccca1 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -4450,7 +4450,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
 }
 }
 /* add the type itself as the degenerate case */
- if (ebitmap_set_bit(&p->type_attr_map[i], i, 1))
+ if (p->type_val_to_struct[i] && ebitmap_set_bit(&p->type_attr_map[i], i, 1))
 goto bad;
 if (p->type_val_to_struct[i] && p->type_val_to_struct[i]->flavor != TYPE_ATTRIB) {
 if (ebitmap_set_bit(&p->attr_type_map[i], i, 1))
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 04135d84..84c1071c 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1787,10 +1787,8 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
 if (validate_range_transitions(handle, p, flavors))
 goto bad;
- if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
- if (validate_typeattr_map(handle, p, flavors))
- goto bad;
- }
+ if (validate_typeattr_map(handle, p, flavors))
+ goto bad;
 validate_array_destroy(flavors);
-- 
2.43.0
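Review bot: The comment `/* add the type itself as the degenerate case */` in the policydb_read hunk no longer matches the guarded call below it, which now skips every index where `p->type_val_to_struct[i]` is NULL. I would reword it to `/* add the type itself as the degenerate case; gaps (no type datum) get no self-bit so the map holds only valid types */`. The same NULL test is repeated in the condition on the following line, so one enclosing `if (p->type_val_to_struct[i]) { ... }` would state the gap rule once; that block runs past the end of the hunk, as does policydb_read itself. Because this function parses a binary policy image, any consumer that assumed every `type_attr_map[i]` carries its own bit should be checked against the now-empty bitmap for gaps; no such consumer is visible here.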
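Review bot: With the `POLICYDB_VERSION_AVTAB` gate removed in policydb_validate, `validate_typeattr_map()` runs on every policy version, but nothing at the call site says why that is safe for older policies. A comment such as `/* maps hold only existing types for every version (gaps get no self-bit in policydb_read), so validate unconditionally */` would record the dependency on the policydb.c change in this same commit. validate_typeattr_map is not shown, so it is worth confirming that it accepts the map state left for pre-AVTAB policies, which is presumably the self-bit only. A regression test that loads such a policy with a gap in the type values would pin both halves of the change; policydb_validate starts and ends outside the hunk.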