From 6ed7dcf2f6f71d6db5fa89e0b965c10a165f315c Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Mon, 8 Jan 2024 17:09:46 +0800
Subject: [PATCH] libsepol: more strict validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
 
Ensure the ibendport port is not 0 (similar to the kernel).
 
More general depth test for boolean expressions.
 
Ensure the boolean id is not set for logic operators.
 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
 
Reference: https://github.com/SELinuxProject/selinux/commit/7b754f703d704c9d9931497536771e6124ca2418
Conflict: Context adaptation
---
 libsepol/src/policydb_validate.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index da3c7c5..09f0813 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -479,13 +479,15 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va
 		case COND_BOOL:
 			if (validate_value(expr->bool, boolean))
 				goto bad;
-			if (depth == (COND_EXPR_MAXDEPTH - 1))
+			if (depth >= (COND_EXPR_MAXDEPTH - 1))
 				goto bad;
 			depth++;
 			break;
 		case COND_NOT:
 			if (depth < 0)
 				goto bad;
+			if (expr->bool != 0)
+				goto bad;
 			break;
 		case COND_OR:
 		case COND_AND:
@@ -494,6 +496,8 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va
 		case COND_NEQ:
 			if (depth < 1)
 				goto bad;
+			if (expr->bool != 0)
+				goto bad;
 			depth--;
 			break;
 		default:
-- 
2.33.0