libsepol/cil: Sync checks for invalid rules in macros

When resolving the AST, tunable and in-statements are not considered to be invalid in macros. This is inconsistent with the checks when building the AST. Add checks to make tunable and in-statments invalid in macros when resolving the AST. Signed-off-by: James Carter <jwcart2@gmail.com>
sailfishos-mirror · Apr 19, 2021 · f38b7ea · f38b7ea
1 parent 340f0eb
commit f38b7ea
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
@@ -3796,7 +3796,9 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
 	}
 
 	if (macro != NULL) {
-		if (node->flavor == CIL_BLOCK ||
+		if (node->flavor == CIL_TUNABLE ||
+			node->flavor == CIL_IN ||
+			node->flavor == CIL_BLOCK ||
 		    node->flavor == CIL_BLOCKINHERIT ||
 		    node->flavor == CIL_BLOCKABSTRACT ||
 		    node->flavor == CIL_MACRO) {