Message ID | 20210316204646.52060-1-jwcart2@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Headers | show |
Series | [1/4] libsepol/cil: Allow lists in constraint expressions | expand |
On Tue, Mar 16, 2021 at 9:49 PM James Carter <jwcart2@gmail.com> wrote: > > The expectation in CIL was to use user, role, or type attributes in > constraint expressions. The problem is that neither user nor role > attributes are part of the kernel binary policy, so when converting > from a kernel policy to CIL, that would require the creation of a > role or user attribute. The better solution is to just allow a list > to be used. In fact, the only thing preventing a list to be used > is a check in cil_verify_constraint_leaf_expr_syntax(). > > Remove the check and allow lists in constraint expressions. > > The following is now allowed: > (constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3))) > > Signed-off-by: James Carter <jwcart2@gmail.com> For these 4 patches: Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> Before merging, the patch that I sent to fix an issue with some gcc optimizations (https://lore.kernel.org/selinux/20210316222313.19793-1-nicolas.iooss@m4x.org/) should be reviewed and applied. Nicolas > --- > libsepol/cil/src/cil_verify.c | 3 --- > 1 file changed, 3 deletions(-) > > diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c > index 6706e219..09e3daf9 100644 > --- a/libsepol/cil/src/cil_verify.c > +++ b/libsepol/cil/src/cil_verify.c > @@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl > cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n"); > goto exit; > } > - } else if (r_flavor == CIL_LIST) { > - cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n"); > - goto exit; > } > } else { > if (r_flavor == CIL_CONS_U2) { > -- > 2.26.2 >
On Wed, Mar 17, 2021 at 5:31 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > On Tue, Mar 16, 2021 at 9:49 PM James Carter <jwcart2@gmail.com> wrote: > > > > The expectation in CIL was to use user, role, or type attributes in > > constraint expressions. The problem is that neither user nor role > > attributes are part of the kernel binary policy, so when converting > > from a kernel policy to CIL, that would require the creation of a > > role or user attribute. The better solution is to just allow a list > > to be used. In fact, the only thing preventing a list to be used > > is a check in cil_verify_constraint_leaf_expr_syntax(). > > > > Remove the check and allow lists in constraint expressions. > > > > The following is now allowed: > > (constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3))) > > > > Signed-off-by: James Carter <jwcart2@gmail.com> > > For these 4 patches: > Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> > These four patches have been merged (the patch below was merged as well). Thanks, Jim > Before merging, the patch that I sent to fix an issue with some gcc > optimizations (https://lore.kernel.org/selinux/20210316222313.19793-1-nicolas.iooss@m4x.org/) > should be reviewed and applied. > > Nicolas > > > --- > > libsepol/cil/src/cil_verify.c | 3 --- > > 1 file changed, 3 deletions(-) > > > > diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c > > index 6706e219..09e3daf9 100644 > > --- a/libsepol/cil/src/cil_verify.c > > +++ b/libsepol/cil/src/cil_verify.c > > @@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl > > cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n"); > > goto exit; > > } > > - } else if (r_flavor == CIL_LIST) { > > - cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n"); > > - goto exit; > > } > > } else { > > if (r_flavor == CIL_CONS_U2) { > > -- > > 2.26.2 > > >
diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c index 6706e219..09e3daf9 100644 --- a/libsepol/cil/src/cil_verify.c +++ b/libsepol/cil/src/cil_verify.c @@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n"); goto exit; } - } else if (r_flavor == CIL_LIST) { - cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n"); - goto exit; } } else { if (r_flavor == CIL_CONS_U2) {
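Review bot: Removing the `else if (r_flavor == CIL_LIST)` branch drops the only rejection of a list on the right side of a `t1`/`t2`/`r1`/`r2`/`u1`/`u2` leaf, but nothing in this hunk constrains which operator may pair with that list; a set of names on the right side is only meaningful with `eq` and `neq` (the kernel policy form this change is meant to round-trip), so confirm that an operator check elsewhere in `cil_verify_constraint_leaf_expr_syntax()` or in the later resolve/build path rejects `dom`, `domby` and `incomp` with a list, and that an empty list or a list mixing flavors (a user name inside an `r1` expression) still fails with a diagnostic, since the removed `cil_log()` line was the only message for this shape. The CIL reference documentation for `constrain`/`mlsconstrain`/`validatetrans` and a test policy exercising the new `(eq r1 (ROLE1 ROLE2 ROLE_ATTR3))` form should be updated alongside this change.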
The expectation in CIL was to use user, role, or type attributes in constraint expressions. The problem is that neither user nor role attributes are part of the kernel binary policy, so when converting from a kernel policy to CIL, that would require the creation of a role or user attribute. The better solution is to just allow a list to be used. In fact, the only thing preventing a list from being used is a check in cil_verify_constraint_leaf_expr_syntax().

Remove the check and allow lists in constraint expressions.

The following is now allowed:
(constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))

Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_verify.c | 3 ---
1 file changed, 3 deletions(-)
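The semantic point behind the change, as an added example that is not part of the patch or of libsepol: a list on the right side of a constraint leaf is just an explicit set of names, so `(eq r1 (ROLE1 ROLE2 ROLE_ATTR3))` evaluates exactly as a role attribute containing those roles would. The s-expression parser, the `ROLE_ATTRS` table and the `constraint_allows()` evaluator below are assumptions of this example, not CIL's real implementation.

```python
"""Evaluate a CIL constrain leaf whose right side is a list of names (added example)."""
import re

# Constructed sample: the roles that the attribute ROLE_ATTR3 was assigned
# via roleattributeset (hypothetical data, not from the page).
ROLE_ATTRS = {"ROLE_ATTR3": {"ROLE4", "ROLE5"}}


def parse(text):
    """Parse a CIL s-expression string into nested Python lists of atoms."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)

    def walk(pos):
        out = []
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == "(":
                sub, pos = walk(pos + 1)
                out.append(sub)
            elif tok == ")":
                return out, pos + 1
            else:
                out.append(tok)
                pos += 1
        return out, pos

    return walk(0)[0]


def expand_names(leaf, role_attrs):
    """Expand a single name, an attribute, or a list of them into concrete roles.

    A list and an attribute both end up as the same set of names, which is why
    a list can stand in for an attribute when the kernel policy has none."""
    names = leaf if isinstance(leaf, list) else [leaf]
    roles = set()
    for name in names:
        roles |= role_attrs.get(name, {name})
    return roles


def constraint_allows(constrain, ctx, role_attrs):
    """Evaluate (constrain (CLASS (PERM)) (op r1 X)) against ctx = {'r1': role}."""
    op, left, right = constrain[2]
    if left != "r1":
        raise ValueError("this example only handles r1 on the left side")
    if op not in ("eq", "neq"):
        # A set of names only supports equality tests; dom/domby/incomp apply
        # to the r1/r2 (role dominance) and MLS level forms, not to name sets.
        raise ValueError(f"operator {op} is not valid with a list of names")
    names = expand_names(right, role_attrs)
    return ctx["r1"] in names if op == "eq" else ctx["r1"] not in names
```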