From 6f7ddf2742f1f5a73ec572c619675b3c5122f7e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 11 Mar 2024 15:57:05 +0100
Subject: [PATCH] libsepol: reject MLS support in pre-MLS policies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If MLS support is enabled check the policy version supports MLS.

Reported-by: oss-fuzz (issue #67322)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/policydb_validate.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 6e46f4266..e987d8da4 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1554,11 +1554,15 @@ static int validate_properties(sepol_handle_t *handle, const policydb_t *p)
 	case POLICY_KERN:
 		if (p->policyvers < POLICYDB_VERSION_MIN || p->policyvers > POLICYDB_VERSION_MAX)
 			goto bad;
+		if (p->mls && p->policyvers < POLICYDB_VERSION_MLS)
+			goto bad;
 		break;
 	case POLICY_BASE:
 	case POLICY_MOD:
 		if (p->policyvers < MOD_POLICYDB_VERSION_MIN || p->policyvers > MOD_POLICYDB_VERSION_MAX)
 			goto bad;
+		if (p->mls && p->policyvers < MOD_POLICYDB_VERSION_MLS)
+			goto bad;
 		break;
 	default:
 		goto bad;