libsepol: reject MLS support in pre-MLS policies
If MLS support is enabled check the policy version supports MLS.

Reported-by: oss-fuzz (issue #67322)
Signed-off-by: Christian Göttsche <[email protected]>
Acked-by: James Carter <[email protected]>
cgzones authored and jwcart2 committed Mar 20, 2024
1 parent f4330d5 commit 6f7ddf2
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions libsepol/src/policydb_validate.c
Expand Up @@ -1554,11 +1554,15 @@ static int validate_properties(sepol_handle_t *handle, const policydb_t *p)
case POLICY_KERN:
if (p->policyvers < POLICYDB_VERSION_MIN || p->policyvers > POLICYDB_VERSION_MAX)
goto bad;
if (p->mls && p->policyvers < POLICYDB_VERSION_MLS)
goto bad;
break;
case POLICY_BASE:
case POLICY_MOD:
if (p->policyvers < MOD_POLICYDB_VERSION_MIN || p->policyvers > MOD_POLICYDB_VERSION_MAX)
goto bad;
if (p->mls && p->policyvers < MOD_POLICYDB_VERSION_MLS)
goto bad;
break;
default:
goto bad;
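Review bot: In both the POLICY_KERN and the POLICY_BASE/POLICY_MOD cases, the new MLS check jumps to the same `bad` label as the version-range check directly above it, so as far as these lines show, a rejected policy does not reveal which property failed. A one-line comment above each `if (p->mls && ...)` would help, saying that MLS data is only defined from POLICYDB_VERSION_MLS (or MOD_POLICYDB_VERSION_MLS for base and module policies) onward. If the handle allows it, a distinct error message before the `goto bad` would make fuzzer-found rejections like the reported one easier to triage. It would also be worth recording a reproducer or regression input for the referenced oss-fuzz issue alongside the change, since the commit touches only policydb_validate.c.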