[PATCH 1/3] libsepol: Fix out-of-bounds memory write in discard_tunbables()

[PATCH 1/3] libsepol: Fix out-of-bounds memory write in discard_tunbables()

[James Carter]

The function discard_tunables() will walk all the avrule blocks
and do one of the following two options.
1) If preserve_tunables == 0, then it will evalutate tunable
expressions and add the appropriate true or false block to the
avrules list of the current enabled block.
2) If preserve_tunables !- 0, then it will remove the tunable flag
from all tunables making them booleans.

The function was allocating an array of pointers to cond_bool_datum_t
with a length of COND_EXPR_MAXDEPTH. The number of tunables was the
index and each tunable found would be pointed to be the array. This
is a potential buffer overflow because COND_EXPR_MAXDEPTH is the
limit on the depth of sub expressions, not the limit on the number
of items in an expression. Having more than COND_EXPR_MAXDEPTH
number of tunables in an expression that had a maximum sub
expression depth of less than COND_EXPR_MAXDEPTH would cause an
out-of-bounds memory write.

There is no need to wait to update a tunable datum's flag, so
just update the flags as tunables are found when preserve_tunables
is true.

This patch is based on a report and patch from the security firm
Trail of Bits.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/expand.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index ed912b57..5b2b7b03 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -3042,22 +3042,21 @@ static void discard_tunables(sepol_handle_t *sh, policydb_t *pol)
 
 		for (cur_node = decl->cond_list; cur_node != NULL;
 		     cur_node = cur_node->next) {
-			int booleans, tunables, i;
+			int booleans = 0, tunables = 0;
 			cond_bool_datum_t *booldatum;
-			cond_bool_datum_t *tmp[COND_EXPR_MAXDEPTH];
-
-			booleans = tunables = 0;
-			memset(tmp, 0, sizeof(cond_bool_datum_t *) * COND_EXPR_MAXDEPTH);
 
 			for (cur_expr = cur_node->expr; cur_expr != NULL;
 			     cur_expr = cur_expr->next) {
 				if (cur_expr->expr_type != COND_BOOL)
 					continue;
 				booldatum = pol->bool_val_to_struct[cur_expr->boolean - 1];
-				if (booldatum->flags & COND_BOOL_FLAGS_TUNABLE)
-					tmp[tunables++] = booldatum;
-				else
+				if (booldatum->flags & COND_BOOL_FLAGS_TUNABLE) {
+					tunables++;
+					if (preserve_tunables)
+						booldatum->flags &= ~COND_BOOL_FLAGS_TUNABLE;
+				} else {
 					booleans++;
+				}
 			}
 
 			/* bool_copy_callback() at link phase has ensured
@@ -3069,10 +3068,6 @@ static void discard_tunables(sepol_handle_t *sh, policydb_t *pol)
 
 			if (booleans || preserve_tunables) {
 				cur_node->flags &= ~COND_NODE_FLAGS_TUNABLE;
-				if (tunables) {
-					for (i = 0; i < tunables; i++)
-						tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
-				}
 			} else {
 				cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
 				cur_state = cond_evaluate_expr(pol, cur_node->expr);
-- 
2.53.0

[PATCH 2/3] libsepol: When resolving names check if a block is abstract

[James Carter]

Nothing in an abstract block in CIL is instantiated until the block
is inherited. No declartion, macro, or optional block within an
abstract block should ever be referred to from outside of the block.

Check for abstract blocks when resolving names and return an error
if one is found.

This patch is based on a report from the security firm Trail of Bits.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/cil/src/cil_resolve_ast.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index bcac4026..b0965f1d 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -4355,7 +4355,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
 		node = ast_node;
 		if (*name == '.') {
 			/* Leading '.' */
-			symtab = &((struct cil_root *)db->ast->root->data)->symtab[CIL_SYM_BLOCKS];
+			symtab = ((struct cil_root *)db->ast->root->data)->symtab;
 		} else {
 			rc = __cil_resolve_name_helper(db, node->parent, current, CIL_SYM_BLOCKS, datum);
 			if (rc != SEPOL_OK) {
@@ -4366,14 +4366,20 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
 		}
 		/* Keep looking up blocks by name until only last part of name remains */
 		while (next != NULL) {
-			rc = cil_symtab_get_datum(symtab, current, datum);
+			rc = cil_symtab_get_datum(&(symtab[CIL_SYM_BLOCKS]), current, datum);
 			if (rc != SEPOL_OK) {
 				free(name_dup);
 				goto exit;
 			}
 			node = NODE(*datum);
 			if (node->flavor == CIL_BLOCK) {
-				symtab = &((struct cil_block*)node->data)->symtab[CIL_SYM_BLOCKS];
+				if (((struct cil_block *)node->data)->is_abstract) {
+					cil_log(CIL_WARN, "Found %s which is an abstract block and invalid for name resolution\n", current);
+					free(name_dup);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
+				symtab = ((struct cil_block*)node->data)->symtab;
 			} else {
 				if (ast_node->flavor != CIL_IN) {
 					cil_log(CIL_WARN, "Can only use %s name for name resolution in \"in\" blocks\n", cil_node_to_string(node));
@@ -4383,7 +4389,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
 				}
 				if (node->flavor == CIL_MACRO) {
 					struct cil_macro *macro = node->data;
-					symtab = &macro->symtab[sym_index];
+					symtab = macro->symtab;
 				}
 			}
 			current = next;
@@ -4401,6 +4407,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
 
 exit:
 	if (rc != SEPOL_OK) {
+		cil_tree_log(ast_node, CIL_ERR, "Failed to resolve %s", name);
 		*datum = NULL;
 	}
 
-- 
2.53.0

Re: [PATCH 2/3] libsepol: When resolving names check if a block is abstract

[Petr Lautrbach]

James Carter <jwcart2@gmail.com> writes:

> Nothing in an abstract block in CIL is instantiated until the block
> is inherited. No declartion, macro, or optional block within an
> abstract block should ever be referred to from outside of the block.
>
> Check for abstract blocks when resolving names and return an error
> if one is found.
>
> This patch is based on a report from the security firm Trail of Bits.


Since this commit, it's not possible to build Fedora selinux-policy:

# semodule -B -n
Failed to resolve pcp_var_lib_t at /var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1241
Failed to resolve pcp_var_lib_t at /var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1244
Failed to resolve pcp_var_lib_t at /var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1245
Failed to resolve dirsrvadmin_config_t at /var/lib/selinux/targeted/tmp/modules/100/apache/cil:2384
Failed to resolve dirsrvadmin_tmp_t at /var/lib/selinux/targeted/tmp/modules/100/apache/cil:2385
Failed to resolve dirsrvadmin_unconfined_script_t at /var/lib/selinux/targeted/tmp/modules/100/apache/cil:2386
...



>
> Signed-off-by: James Carter <jwcart2@gmail.com>
> ---
>  libsepol/cil/src/cil_resolve_ast.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> index bcac4026..b0965f1d 100644
> --- a/libsepol/cil/src/cil_resolve_ast.c
> +++ b/libsepol/cil/src/cil_resolve_ast.c
> @@ -4355,7 +4355,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
>  		node = ast_node;
>  		if (*name == '.') {
>  			/* Leading '.' */
> -			symtab = &((struct cil_root *)db->ast->root->data)->symtab[CIL_SYM_BLOCKS];
> +			symtab = ((struct cil_root *)db->ast->root->data)->symtab;
>  		} else {
>  			rc = __cil_resolve_name_helper(db, node->parent, current, CIL_SYM_BLOCKS, datum);
>  			if (rc != SEPOL_OK) {
> @@ -4366,14 +4366,20 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
>  		}
>  		/* Keep looking up blocks by name until only last part of name remains */
>  		while (next != NULL) {
> -			rc = cil_symtab_get_datum(symtab, current, datum);
> +			rc = cil_symtab_get_datum(&(symtab[CIL_SYM_BLOCKS]), current, datum);
>  			if (rc != SEPOL_OK) {
>  				free(name_dup);
>  				goto exit;
>  			}
>  			node = NODE(*datum);
>  			if (node->flavor == CIL_BLOCK) {
> -				symtab = &((struct cil_block*)node->data)->symtab[CIL_SYM_BLOCKS];
> +				if (((struct cil_block *)node->data)->is_abstract) {
> +					cil_log(CIL_WARN, "Found %s which is an abstract block and invalid for name resolution\n", current);
> +					free(name_dup);
> +					rc = SEPOL_ERR;
> +					goto exit;
> +				}
> +				symtab = ((struct cil_block*)node->data)->symtab;
>  			} else {
>  				if (ast_node->flavor != CIL_IN) {
>  					cil_log(CIL_WARN, "Can only use %s name for name resolution in \"in\" blocks\n", cil_node_to_string(node));
> @@ -4383,7 +4389,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
>  				}
>  				if (node->flavor == CIL_MACRO) {
>  					struct cil_macro *macro = node->data;
> -					symtab = &macro->symtab[sym_index];
> +					symtab = macro->symtab;
>  				}
>  			}
>  			current = next;
> @@ -4401,6 +4407,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
>  
>  exit:
>  	if (rc != SEPOL_OK) {
> +		cil_tree_log(ast_node, CIL_ERR, "Failed to resolve %s", name);
>  		*datum = NULL;
>  	}
>  
> -- 
> 2.53.0

Re: [PATCH 2/3] libsepol: When resolving names check if a block is abstract

[James Carter]

On Mon, Apr 27, 2026 at 2:17 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> James Carter <jwcart2@gmail.com> writes:
>
> > Nothing in an abstract block in CIL is instantiated until the block
> > is inherited. No declartion, macro, or optional block within an
> > abstract block should ever be referred to from outside of the block.
> >
> > Check for abstract blocks when resolving names and return an error
> > if one is found.
> >
> > This patch is based on a report from the security firm Trail of Bits.
>
>
> Since this commit, it's not possible to build Fedora selinux-policy:
>
> # semodule -B -n
> Failed to resolve pcp_var_lib_t at /var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1241
> Failed to resolve pcp_var_lib_t at /var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1244
> Failed to resolve pcp_var_lib_t at /var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1245
> Failed to resolve dirsrvadmin_config_t at /var/lib/selinux/targeted/tmp/modules/100/apache/cil:2384
> Failed to resolve dirsrvadmin_tmp_t at /var/lib/selinux/targeted/tmp/modules/100/apache/cil:2385
> Failed to resolve dirsrvadmin_unconfined_script_t at /var/lib/selinux/targeted/tmp/modules/100/apache/cil:2386
> ...
>
>
>
> >
> > Signed-off-by: James Carter <jwcart2@gmail.com>
> > ---
> >  libsepol/cil/src/cil_resolve_ast.c | 15 +++++++++++----
> >  1 file changed, 11 insertions(+), 4 deletions(-)
> >
> > diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> > index bcac4026..b0965f1d 100644
> > --- a/libsepol/cil/src/cil_resolve_ast.c
> > +++ b/libsepol/cil/src/cil_resolve_ast.c
> > @@ -4355,7 +4355,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
> >               node = ast_node;
> >               if (*name == '.') {
> >                       /* Leading '.' */
> > -                     symtab = &((struct cil_root *)db->ast->root->data)->symtab[CIL_SYM_BLOCKS];
> > +                     symtab = ((struct cil_root *)db->ast->root->data)->symtab;
> >               } else {
> >                       rc = __cil_resolve_name_helper(db, node->parent, current, CIL_SYM_BLOCKS, datum);
> >                       if (rc != SEPOL_OK) {
> > @@ -4366,14 +4366,20 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
> >               }
> >               /* Keep looking up blocks by name until only last part of name remains */
> >               while (next != NULL) {
> > -                     rc = cil_symtab_get_datum(symtab, current, datum);
> > +                     rc = cil_symtab_get_datum(&(symtab[CIL_SYM_BLOCKS]), current, datum);
> >                       if (rc != SEPOL_OK) {
> >                               free(name_dup);
> >                               goto exit;
> >                       }
> >                       node = NODE(*datum);
> >                       if (node->flavor == CIL_BLOCK) {
> > -                             symtab = &((struct cil_block*)node->data)->symtab[CIL_SYM_BLOCKS];
> > +                             if (((struct cil_block *)node->data)->is_abstract) {
> > +                                     cil_log(CIL_WARN, "Found %s which is an abstract block and invalid for name resolution\n", current);
> > +                                     free(name_dup);
> > +                                     rc = SEPOL_ERR;
> > +                                     goto exit;
> > +                             }
> > +                             symtab = ((struct cil_block*)node->data)->symtab;
> >                       } else {
> >                               if (ast_node->flavor != CIL_IN) {
> >                                       cil_log(CIL_WARN, "Can only use %s name for name resolution in \"in\" blocks\n", cil_node_to_string(node));
> > @@ -4383,7 +4389,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
> >                               }
> >                               if (node->flavor == CIL_MACRO) {
> >                                       struct cil_macro *macro = node->data;
> > -                                     symtab = &macro->symtab[sym_index];
> > +                                     symtab = macro->symtab;
> >                               }
> >                       }
> >                       current = next;
> > @@ -4401,6 +4407,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
> >
> >  exit:
> >       if (rc != SEPOL_OK) {
> > +             cil_tree_log(ast_node, CIL_ERR, "Failed to resolve %s", name);

My testing shows that it is still building, but I added this error
message which is generating a lot of noise. I forgot that optional
blocks have unresolved things. Oops.
I will send a patch that will make the log level of this message
CIL_INFO which will mean that you will need "-v -v" to see them.

Thanks,
Jim



> >               *datum = NULL;
> >       }
> >
> > --
> > 2.53.0
>

[PATCH 3/3] libsepol: Validate datum array entries for avrule blocks

[James Carter]

Both base and module policies have avrule blocks that have their
own symbol tables. When validating a policy, only a very basic
check of the validity of the datum's value was being done for
these symbol tables. The data specific to each kind of datum was
not being checked. This can lead to invalid policies being loaded.

Instead, preform the same specific checks being done on the global
symbol tables on these avrule block symbol tables.

This patch is based on a report from the security firm Trail of Bits

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/policydb_validate.c | 36 ++++++++++----------------------
 1 file changed, 11 insertions(+), 25 deletions(-)

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 9ee71bf2..3fcdab23 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -874,32 +874,32 @@ static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum
 	return !value_isvalid(s->value, *nprim);
 }
 
-static int validate_datum_array_entries(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
+static int validate_datum_array_entries(sepol_handle_t *handle, const policydb_t *p, const symtab_t *symtabs, validate_t flavors[])
 {
 	map_arg_t margs = { flavors, handle, p, 0 };
 
-	if (hashtab_map(p->p_commons.table, validate_common_datum_wrapper, &margs))
+	if (hashtab_map(symtabs[SYM_COMMONS].table, validate_common_datum_wrapper, &margs))
 		goto bad;
 
-	if (hashtab_map(p->p_classes.table, validate_class_datum_wrapper, &margs))
+	if (hashtab_map(symtabs[SYM_CLASSES].table, validate_class_datum_wrapper, &margs))
 		goto bad;
 
-	if (hashtab_map(p->p_roles.table, validate_role_datum_wrapper, &margs))
+	if (hashtab_map(symtabs[SYM_ROLES].table, validate_role_datum_wrapper, &margs))
 		goto bad;
 
-	if (hashtab_map(p->p_types.table, validate_type_datum_wrapper, &margs))
+	if (hashtab_map(symtabs[SYM_TYPES].table, validate_type_datum_wrapper, &margs))
 		goto bad;
 
-	if (hashtab_map(p->p_users.table, validate_user_datum_wrapper, &margs))
+	if (hashtab_map(symtabs[SYM_USERS].table, validate_user_datum_wrapper, &margs))
 		goto bad;
 
-	if (p->mls && hashtab_map(p->p_levels.table, validate_level_datum_wrapper, &margs))
+	if (p->mls && hashtab_map(symtabs[SYM_LEVELS].table, validate_level_datum_wrapper, &margs))
 		goto bad;
 
-	if (hashtab_map(p->p_cats.table, validate_datum, &flavors[SYM_CATS]))
+	if (hashtab_map(symtabs[SYM_CATS].table, validate_datum, &flavors[SYM_CATS]))
 		goto bad;
 
-	if (hashtab_map(p->p_bools.table, validate_bool_datum_wrapper, &margs))
+	if (hashtab_map(symtabs[SYM_BOOLS].table, validate_bool_datum_wrapper, &margs))
 		goto bad;
 
 	return 0;
@@ -1565,20 +1565,6 @@ bad:
 	return -1;
 }
 
-static int validate_symtabs(sepol_handle_t *handle, const symtab_t symtabs[], validate_t flavors[])
-{
-	unsigned int i;
-
-	for (i = 0; i < SYM_NUM; i++) {
-		if (hashtab_map(symtabs[i].table, validate_datum, &flavors[i].nprim)) {
-			ERR(handle, "Invalid symtab");
-			return -1;
-		}
-	}
-
-	return 0;
-}
-
 static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *avrule_block, const policydb_t *p, validate_t flavors[])
 {
 	const avrule_decl_t *decl;
@@ -1601,7 +1587,7 @@ static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *
 				goto bad;
 			if (validate_filename_trans_rules(handle, decl->filename_trans_rules, p, flavors))
 				goto bad;
-			if (validate_symtabs(handle, decl->symtab, flavors))
+			if (validate_datum_array_entries(handle, p, decl->symtab, flavors))
 				goto bad;
 		}
 
@@ -1853,7 +1839,7 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
 	if (validate_datum_array_gaps(handle, p, flavors))
 		goto bad;
 
-	if (validate_datum_array_entries(handle, p, flavors))
+	if (validate_datum_array_entries(handle, p, p->symtab, flavors))
 		goto bad;
 
 	if (validate_permissives(handle, p, flavors))
-- 
2.53.0

Re: [PATCH 1/3] libsepol: Fix out-of-bounds memory write in discard_tunbables()

[James Carter]

On Tue, Apr 14, 2026 at 3:11 PM James Carter <jwcart2@gmail.com> wrote:
>
> The function discard_tunables() will walk all the avrule blocks
> and do one of the following two options.
> 1) If preserve_tunables == 0, then it will evalutate tunable
> expressions and add the appropriate true or false block to the
> avrules list of the current enabled block.
> 2) If preserve_tunables !- 0, then it will remove the tunable flag
> from all tunables making them booleans.
>
> The function was allocating an array of pointers to cond_bool_datum_t
> with a length of COND_EXPR_MAXDEPTH. The number of tunables was the
> index and each tunable found would be pointed to be the array. This
> is a potential buffer overflow because COND_EXPR_MAXDEPTH is the
> limit on the depth of sub expressions, not the limit on the number
> of items in an expression. Having more than COND_EXPR_MAXDEPTH
> number of tunables in an expression that had a maximum sub
> expression depth of less than COND_EXPR_MAXDEPTH would cause an
> out-of-bounds memory write.
>
> There is no need to wait to update a tunable datum's flag, so
> just update the flags as tunables are found when preserve_tunables
> is true.
>
> This patch is based on a report and patch from the security firm
> Trail of Bits.
>
> Signed-off-by: James Carter <jwcart2@gmail.com>

These three patches have been merged.
Jim

> ---
>  libsepol/src/expand.c | 19 +++++++------------
>  1 file changed, 7 insertions(+), 12 deletions(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index ed912b57..5b2b7b03 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -3042,22 +3042,21 @@ static void discard_tunables(sepol_handle_t *sh, policydb_t *pol)
>
>                 for (cur_node = decl->cond_list; cur_node != NULL;
>                      cur_node = cur_node->next) {
> -                       int booleans, tunables, i;
> +                       int booleans = 0, tunables = 0;
>                         cond_bool_datum_t *booldatum;
> -                       cond_bool_datum_t *tmp[COND_EXPR_MAXDEPTH];
> -
> -                       booleans = tunables = 0;
> -                       memset(tmp, 0, sizeof(cond_bool_datum_t *) * COND_EXPR_MAXDEPTH);
>
>                         for (cur_expr = cur_node->expr; cur_expr != NULL;
>                              cur_expr = cur_expr->next) {
>                                 if (cur_expr->expr_type != COND_BOOL)
>                                         continue;
>                                 booldatum = pol->bool_val_to_struct[cur_expr->boolean - 1];
> -                               if (booldatum->flags & COND_BOOL_FLAGS_TUNABLE)
> -                                       tmp[tunables++] = booldatum;
> -                               else
> +                               if (booldatum->flags & COND_BOOL_FLAGS_TUNABLE) {
> +                                       tunables++;
> +                                       if (preserve_tunables)
> +                                               booldatum->flags &= ~COND_BOOL_FLAGS_TUNABLE;
> +                               } else {
>                                         booleans++;
> +                               }
>                         }
>
>                         /* bool_copy_callback() at link phase has ensured
> @@ -3069,10 +3068,6 @@ static void discard_tunables(sepol_handle_t *sh, policydb_t *pol)
>
>                         if (booleans || preserve_tunables) {
>                                 cur_node->flags &= ~COND_NODE_FLAGS_TUNABLE;
> -                               if (tunables) {
> -                                       for (i = 0; i < tunables; i++)
> -                                               tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
> -                               }
>                         } else {
>                                 cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
>                                 cur_state = cond_evaluate_expr(pol, cur_node->expr);
> --
> 2.53.0
>