libsepol/cil: fix aliasactual resolution errors

- Set rc to SEPOL_ERR if the alias part of an aliasactual statement does not resolve to the correct alias flavor (e.g. typealias, senalias, catalias) - Add an error check if the actual part of an aliasactual statement does not resolve to the correct actual flavor (type, sens, cat) Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2024-12-03 09:00:51 +00:00 · 2017-05-30 12:32:06 -04:00 · 2017-05-30 12:32:06 -04:00 · 5c9fcb02ec
commit 5c9fcb02ec
parent a2fe18614b
1 changed files with 7 additions and 0 deletions
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@ -521,6 +521,7 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
 	}
 	if (NODE(alias_datum)->flavor != alias_flavor) {
 		cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name);
+		rc = SEPOL_ERR;
 		goto exit;
 	}

@ -529,6 +530,12 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
 		goto exit;
 	}

+	if (NODE(actual_datum)->flavor != flavor) {
+		cil_log(CIL_ERR, "%s is a %s, but aliases a %s\n", alias_datum->name, cil_node_to_string(NODE(alias_datum)), cil_node_to_string(NODE(actual_datum)));
+		rc = SEPOL_ERR;
+		goto exit;
+	}
+
 	alias = (struct cil_alias *)alias_datum;

 	if (alias->actual != NULL) {