[3/4] libsepol: validate type-attribute-map for old policies

Message ID 20240506173110.220702-3-cgoettsche@seltendoof.de (mailing list archive)
State Accepted
Commit b77d851ffabd
Delegated to: Petr Lautrbach
Series [1/4] libsepol: reject self flag in type rules in old policies

Commit Message

Christian Göttsche May 6, 2024, 5:31 p.m. UTC
From: Christian Göttsche <cgzones@googlemail.com>

Validate the type-to-associated-attributes maps also for policies prior
to version 20.
To ensure only valid entries in these maps, skip the degenerate case for
gaps during construction.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb.c          | 2 +-
 libsepol/src/policydb_validate.c | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)
Patch

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 49f9e8af..e90ccca1 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -4450,7 +4450,7 @@  int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
 				}
 			}
 			/* add the type itself as the degenerate case */
-			if (ebitmap_set_bit(&p->type_attr_map[i], i, 1))
+			if (p->type_val_to_struct[i] && ebitmap_set_bit(&p->type_attr_map[i], i, 1))
 				goto bad;
 			if (p->type_val_to_struct[i] && p->type_val_to_struct[i]->flavor != TYPE_ATTRIB) {
 				if (ebitmap_set_bit(&p->attr_type_map[i], i, 1))
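Review bot: the new `p->type_val_to_struct[i] &&` guard on the type_attr_map self-bit duplicates the condition already tested on the very next line for attr_type_map, so the two statements would read more clearly as one `if (p->type_val_to_struct[i]) { ... }` block that sets the self-bit and then checks the flavor, making the "skip gaps in the type value space" intent explicit instead of implied. The comment above the hunk, `/* add the type itself as the degenerate case */`, should also be extended to say that unused type values are left empty, since that is the property the validation in the second hunk now depends on for every policy version.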
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 04135d84..84c1071c 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1787,10 +1787,8 @@  int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
 	if (validate_range_transitions(handle, p, flavors))
 		goto bad;
 
-	if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
-		if (validate_typeattr_map(handle, p, flavors))
-			goto bad;
-	}
+	if (validate_typeattr_map(handle, p, flavors))
+		goto bad;
 
 	validate_array_destroy(flavors);
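Review bot: dropping the `p->policyvers >= POLICYDB_VERSION_AVTAB` gate means validate_typeattr_map now runs over maps that, for older policies, are built by the loop in the policydb.c hunk rather than read from the file, so this change is only correct together with the guard added there; the two hunks must land as one commit, as they do here, and a reviewer backporting this patch should take both. With the gate gone the POLICYDB_VERSION_AVTAB check is no longer referenced in this function, which is fine, but the commit message would benefit from a sentence stating that the map contents for old policies are now guaranteed to have no self-bits for gaps, which is the precondition that makes the unconditional validation valid.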