From 16a168535df5c7bce94a7d6b278264e9d418c499 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AE=8B=E9=A1=B5?=
Date: Sat, 21 Sep 2024 21:36:20 +0800
Subject: [PATCH] Check sepolicy database version in add_xperm_rule Fix #8344
---
 native/src/sepolicy/sepolicy.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/native/src/sepolicy/sepolicy.cpp b/native/src/sepolicy/sepolicy.cpp
index 82cecc8e3..7fbefaf86 100644
--- a/native/src/sepolicy/sepolicy.cpp
+++ b/native/src/sepolicy/sepolicy.cpp
@@ -271,6 +271,10 @@ bool sepol_impl::add_rule(const char *s, const char *t, const char *c, const cha
 #define ioctl_func(x) (x & 0xFF)
 void sepol_impl::add_xperm_rule(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, const Xperm &p, int effect) {
+ if (db->policyvers < POLICYDB_VERSION_XPERMS_IOCTL) {
+ LOGE("policy version %u does not support ioctl extended permissions rules\n", db->policyvers);
+ return;
+ }
 if (src == nullptr) {
 for_each_attr(db->p_types.table, [&](type_datum_t *type) {
 add_xperm_rule(type, tgt, cls, p, effect);
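Review bot: The early return added at the top of `add_xperm_rule` drops the requested rule with only a `LOGE` line, and because the function returns `void` its callers cannot tell that nothing was written to the policy. If a caller uses an xperm rule to narrow which ioctl commands a broader `allow` covers, then on a policy older than `POLICYDB_VERSION_XPERMS_IOCTL` that narrowing presumably never takes effect; the callers are outside this hunk, so this should be confirmed there. At minimum the contract should be stated above the check, for example `// xperm rules need POLICYDB_VERSION_XPERMS_IOCTL; on older policies the rule is skipped and the caller is not notified`. The body of `add_xperm_rule` continues past the end of the hunk.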