
[4/5] libsepol: validate: reject XEN policy with xperm rules

Message ID 20230512093001.49208-4-cgzones@googlemail.com (mailing list archive)
State Accepted
Commit 4ba8f7c38f6f
Delegated to: Petr Lautrbach
Series [1/5] libsepol: validate some object contexts | expand

Commit Message

Christian Göttsche May 12, 2023, 9:30 a.m. UTC
XEN policies with extended permissions are not supported; for example,
writing them fails (see write.c:avrule_write()).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb_validate.c | 4 ++++
 1 file changed, 4 insertions(+)

Patch

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index b34f83ec..3540f34a 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -799,6 +799,8 @@  static int validate_avtab_key(const avtab_key_t *key, int conditional, const pol
 	case AVTAB_XPERMS_ALLOWED:
 	case AVTAB_XPERMS_AUDITALLOW:
 	case AVTAB_XPERMS_DONTAUDIT:
+		if (p->target_platform != SEPOL_TARGET_SELINUX)
+			goto bad;
 		if (conditional)
 			goto bad;
 		break;
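Review bot: The new guard on the AVTAB_XPERMS_* cases rejects every platform other than SEPOL_TARGET_SELINUX, which is broader than the XEN-only wording of the commit message, and the rejection is a bare `goto bad` with no hint that the platform rather than the key itself is the problem; a one-line comment above the check would keep the code and the commit message from drifting, e.g. `/* extended permissions are only written for the SELinux target, see write.c:avrule_write() */`. If the `bad` label only reports a generic invalid-key error (it is outside the hunk, so this is inferred), consider emitting a message naming the target platform before jumping so a policy author can tell why a XEN policy was refused. validate_avtab_key starts before the hunk and continues past it.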
@@ -910,6 +912,8 @@  static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
 		}
 
 		if (avrule->specified & AVRULE_XPERMS) {
+			if (p->target_platform != SEPOL_TARGET_SELINUX)
+				goto bad;
 			if (!avrule->xperms)
 				goto bad;
 			switch (avrule->xperms->specified) {
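Review bot: The platform test at the top of the AVRULE_XPERMS branch repeats the one added to validate_avtab_key, so the two sites should carry the same rationale to stay in sync; a comment on the new line such as `/* xperm rules are SELinux-only; avrule_write() refuses them on other targets */` would make that explicit. Nothing in the hunk shows the caller, so it is worth confirming that every avrule list, including those inside conditional blocks, passes through validate_avrules; if another validator walks those lists, the same platform check is needed there too. validate_avrules starts before the hunk and continues past it, and `p` is presumably the policydb parameter truncated from the hunk header.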