
[1/1] libsepol/cil: fix aliasactual resolution errors

Message ID 20170530163206.30421-1-slawrence@tresys.com (mailing list archive)
State Not Applicable

Commit Message

Steve Lawrence May 30, 2017, 4:32 p.m. UTC
- Set rc to SEPOL_ERR if the alias part of an aliasactual statement
  does not resolve to the correct alias flavor (e.g. typealias, senalias, catalias)
- Add an error check if the actual part of an aliasactual statement
  does not resolve to the correct actual flavor (type, sens, cat)

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
---
 libsepol/cil/src/cil_resolve_ast.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

James Carter May 31, 2017, 4:56 p.m. UTC | #1
On 05/30/2017 12:32 PM, Steve Lawrence wrote:
> - Set rc to SEPOL_ERR if the alias part of an aliasactual statement
>    does not resolve to the correct alias flavor (e.g. typealias, senalias, catalias)
> - Add an error check if the actual part of an aliasactual statement
>    does not resolve to the correct actual flavor (type, sens, cat)
> 
> Signed-off-by: Steve Lawrence <slawrence@tresys.com>

Applied.

Thanks,
Jim

> ---
>   libsepol/cil/src/cil_resolve_ast.c | 7 +++++++
>   1 file changed, 7 insertions(+)
> 
> diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> index a671068..5c26530 100644
> --- a/libsepol/cil/src/cil_resolve_ast.c
> +++ b/libsepol/cil/src/cil_resolve_ast.c
> @@ -521,6 +521,7 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
>   	}
>   	if (NODE(alias_datum)->flavor != alias_flavor) {
>   		cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name);
> +		rc = SEPOL_ERR;
>   		goto exit;
>   	}
>   
> @@ -529,6 +530,12 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
>   		goto exit;
>   	}
>   
> +	if (NODE(actual_datum)->flavor != flavor) {
> +		cil_log(CIL_ERR, "%s is a %s, but aliases a %s\n", alias_datum->name, cil_node_to_string(NODE(alias_datum)), cil_node_to_string(NODE(actual_datum)));
> +		rc = SEPOL_ERR;
> +		goto exit;
> +	}
> +
>   	alias = (struct cil_alias *)alias_datum;
>   
>   	if (alias->actual != NULL) {
>

Patch

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index a671068..5c26530 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -521,6 +521,7 @@  int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
 	}
 	if (NODE(alias_datum)->flavor != alias_flavor) {
 		cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name);
+		rc = SEPOL_ERR;
 		goto exit;
 	}
 
@@ -529,6 +530,12 @@  int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
 		goto exit;
 	}
 
+	if (NODE(actual_datum)->flavor != flavor) {
+		cil_log(CIL_ERR, "%s is a %s, but aliases a %s\n", alias_datum->name, cil_node_to_string(NODE(alias_datum)), cil_node_to_string(NODE(actual_datum)));
+		rc = SEPOL_ERR;
+		goto exit;
+	}
+
 	alias = (struct cil_alias *)alias_datum;
 
 	if (alias->actual != NULL) {
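Review bot: The new error in the `NODE(actual_datum)->flavor != flavor` branch prints the alias name and both node kinds but never names the actual, so a policy author cannot tell which statement is wrong when an alias name is reused across a large policy. Assuming `actual_datum` has the same type as `alias_datum` (both declarations are outside the hunk), the format could become `"%s is a %s, but aliases %s, which is a %s\n"` with `actual_datum->name` passed before the last argument; the call is also long enough to be worth wrapping. Separately, the `if (alias->actual != NULL)` branch that opens on the last line of this hunk continues outside it. It is the next validation exit after the two this patch corrects, so it should be confirmed to assign `rc = SEPOL_ERR;` before its `goto exit`. Otherwise that rejected statement would still be reported to the caller as resolved.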