| Message ID | 20210419152749.88086-1-jwcart2@gmail.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Create secil2tree to write CIL AST | expand |
As an example of how it can be used, I have been using secil2tree recently to make secilc fuzzing test cases readable. Running: secil2tree -A build -o fuzz_613136.cil clusterfuzz-testcase-minimized-secilc-fuzzer-6131368317812736 The attached files shows the original and the output of secil2tree. Jim On Mon, Apr 19, 2021 at 11:27 AM James Carter <jwcart2@gmail.com> wrote: > > For debugging purposes it would be useful to be able to write out > the CIL AST at various points in the build process. > > This patch set creates secil2tree which can write the CIL parse tree, > the CIL AST after the build phase, or the CIL AST after the resolve > phase (with names fully-qualified). > > Within CIL the function cil_print_tree() has existed from early in > CIL's development, but it was not exported in libsepol and there was no > way to use it except by adding a call to it where you wanted to print > out the CIL AST and then recompiling everything. It also used cil_log() > as its output, so other messages could be mixed in with the output. This > patch set moves all of this code to its own file, updates it, renames it > as cil_write_ast(), and adds libsepol functions that can be used to call > it after each one of the phases mentioned above. > > Both the parse and build CIL AST are valid CIL policies that can be > compiled with secilc, but the resolve CIL AST is not always a valid CIL > policy. The biggest problem is that fully-qualified names can contain > dots and CIL does not allow dots in declaration names. There are other > problems as well. It would be nice to get to the point where the output > for all of the trees are valid CIL, but that is a goal for the future. > > v2: > - Remove whitespace errors in cil_write_ast.h > - Use "const char*" instead of just "char*" when dealing with string > literals to satisfy clang. > > James Carter (3): > libsepol/cil: Create functions to write the CIL AST > libsepol/cil: Add functions to make use of cil_write_ast() > secilc: Create the new program called secil2tree to write out CIL AST > > libsepol/cil/include/cil/cil.h | 3 + > libsepol/cil/src/cil.c | 92 ++ > libsepol/cil/src/cil_tree.c | 1471 ---------------------------- > libsepol/cil/src/cil_tree.h | 2 - > libsepol/cil/src/cil_write_ast.c | 1573 ++++++++++++++++++++++++++++++ > libsepol/cil/src/cil_write_ast.h | 46 + > libsepol/src/libsepol.map.in | 3 + > secilc/.gitignore | 2 + > secilc/Makefile | 20 +- > secilc/secil2tree.8.xml | 81 ++ > secilc/secil2tree.c | 206 ++++ > 11 files changed, 2024 insertions(+), 1475 deletions(-) > create mode 100644 libsepol/cil/src/cil_write_ast.c > create mode 100644 libsepol/cil/src/cil_write_ast.h > create mode 100644 secilc/secil2tree.8.xml > create mode 100644 secilc/secil2tree.c > > -- > 2.26.3 >
On Tue, Apr 20, 2021 at 7:08 PM James Carter <jwcart2@gmail.com> wrote: > > As an example of how it can be used, I have been using secil2tree > recently to make secilc fuzzing test cases readable. > > Running: > secil2tree -A build -o fuzz_613136.cil > clusterfuzz-testcase-minimized-secilc-fuzzer-6131368317812736 > > The attached files shows the original and the output of secil2tree. > > Jim > > On Mon, Apr 19, 2021 at 11:27 AM James Carter <jwcart2@gmail.com> wrote: > > > > For debugging purposes it would be useful to be able to write out > > the CIL AST at various points in the build process. > > > > This patch set creates secil2tree which can write the CIL parse tree, > > the CIL AST after the build phase, or the CIL AST after the resolve > > phase (with names fully-qualified). > > > > Within CIL the function cil_print_tree() has existed from early in > > CIL's development, but it was not exported in libsepol and there was no > > way to use it except by adding a call to it where you wanted to print > > out the CIL AST and then recompiling everything. It also used cil_log() > > as its output, so other messages could be mixed in with the output. This > > patch set moves all of this code to its own file, updates it, renames it > > as cil_write_ast(), and adds libsepol functions that can be used to call > > it after each one of the phases mentioned above. > > > > Both the parse and build CIL AST are valid CIL policies that can be > > compiled with secilc, but the resolve CIL AST is not always a valid CIL > > policy. The biggest problem is that fully-qualified names can contain > > dots and CIL does not allow dots in declaration names. There are other > > problems as well. It would be nice to get to the point where the output > > for all of the trees are valid CIL, but that is a goal for the future. > > > > v2: > > - Remove whitespace errors in cil_write_ast.h > > - Use "const char*" instead of just "char*" when dealing with string > > literals to satisfy clang. > > > > James Carter (3): > > libsepol/cil: Create functions to write the CIL AST > > libsepol/cil: Add functions to make use of cil_write_ast() > > secilc: Create the new program called secil2tree to write out CIL AST > > > > libsepol/cil/include/cil/cil.h | 3 + > > libsepol/cil/src/cil.c | 92 ++ > > libsepol/cil/src/cil_tree.c | 1471 ---------------------------- > > libsepol/cil/src/cil_tree.h | 2 - > > libsepol/cil/src/cil_write_ast.c | 1573 ++++++++++++++++++++++++++++++ > > libsepol/cil/src/cil_write_ast.h | 46 + > > libsepol/src/libsepol.map.in | 3 + > > secilc/.gitignore | 2 + > > secilc/Makefile | 20 +- > > secilc/secil2tree.8.xml | 81 ++ > > secilc/secil2tree.c | 206 ++++ > > 11 files changed, 2024 insertions(+), 1475 deletions(-) > > create mode 100644 libsepol/cil/src/cil_write_ast.c > > create mode 100644 libsepol/cil/src/cil_write_ast.h > > create mode 100644 secilc/secil2tree.8.xml > > create mode 100644 secilc/secil2tree.c > > > > -- > > 2.26.3 > > Hello, Thanks for this tool! It looks great and it seems to work quite well. Anyway, while building with some warning flags, gcc reported issues about using non-const pointers to hold literal strings. For example: ../cil/src/cil_write_ast.c: In function ‘datum_to_str’: ../cil/src/cil_write_ast.c:51:28: error: return discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers] 51 | return datum ? datum->fqn : "<?DATUM>"; | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~ ../cil/src/cil_write_ast.c: In function ‘write_expr’: ../cil/src/cil_write_ast.c:122:12: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers] 122 | op_str = "<?OP>"; | ^ With the attached patch, the code compiles fine. Feel free to directly modify the first patch with these fixes. Thanks, Nicolas
On Wed, Apr 21, 2021 at 4:58 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > On Tue, Apr 20, 2021 at 7:08 PM James Carter <jwcart2@gmail.com> wrote: > > > > As an example of how it can be used, I have been using secil2tree > > recently to make secilc fuzzing test cases readable. > > > > Running: > > secil2tree -A build -o fuzz_613136.cil > > clusterfuzz-testcase-minimized-secilc-fuzzer-6131368317812736 > > > > The attached files shows the original and the output of secil2tree. > > > > Jim > > > > On Mon, Apr 19, 2021 at 11:27 AM James Carter <jwcart2@gmail.com> wrote: > > > > > > For debugging purposes it would be useful to be able to write out > > > the CIL AST at various points in the build process. > > > > > > This patch set creates secil2tree which can write the CIL parse tree, > > > the CIL AST after the build phase, or the CIL AST after the resolve > > > phase (with names fully-qualified). > > > > > > Within CIL the function cil_print_tree() has existed from early in > > > CIL's development, but it was not exported in libsepol and there was no > > > way to use it except by adding a call to it where you wanted to print > > > out the CIL AST and then recompiling everything. It also used cil_log() > > > as its output, so other messages could be mixed in with the output. This > > > patch set moves all of this code to its own file, updates it, renames it > > > as cil_write_ast(), and adds libsepol functions that can be used to call > > > it after each one of the phases mentioned above. > > > > > > Both the parse and build CIL AST are valid CIL policies that can be > > > compiled with secilc, but the resolve CIL AST is not always a valid CIL > > > policy. The biggest problem is that fully-qualified names can contain > > > dots and CIL does not allow dots in declaration names. There are other > > > problems as well. It would be nice to get to the point where the output > > > for all of the trees are valid CIL, but that is a goal for the future. > > > > > > v2: > > > - Remove whitespace errors in cil_write_ast.h > > > - Use "const char*" instead of just "char*" when dealing with string > > > literals to satisfy clang. > > > > > > James Carter (3): > > > libsepol/cil: Create functions to write the CIL AST > > > libsepol/cil: Add functions to make use of cil_write_ast() > > > secilc: Create the new program called secil2tree to write out CIL AST > > > > > > libsepol/cil/include/cil/cil.h | 3 + > > > libsepol/cil/src/cil.c | 92 ++ > > > libsepol/cil/src/cil_tree.c | 1471 ---------------------------- > > > libsepol/cil/src/cil_tree.h | 2 - > > > libsepol/cil/src/cil_write_ast.c | 1573 ++++++++++++++++++++++++++++++ > > > libsepol/cil/src/cil_write_ast.h | 46 + > > > libsepol/src/libsepol.map.in | 3 + > > > secilc/.gitignore | 2 + > > > secilc/Makefile | 20 +- > > > secilc/secil2tree.8.xml | 81 ++ > > > secilc/secil2tree.c | 206 ++++ > > > 11 files changed, 2024 insertions(+), 1475 deletions(-) > > > create mode 100644 libsepol/cil/src/cil_write_ast.c > > > create mode 100644 libsepol/cil/src/cil_write_ast.h > > > create mode 100644 secilc/secil2tree.8.xml > > > create mode 100644 secilc/secil2tree.c > > > > > > -- > > > 2.26.3 > > > > > Hello, > Thanks for this tool! It looks great and it seems to work quite well. > > Anyway, while building with some warning flags, gcc reported issues > about using non-const pointers to hold literal strings. For example: > > ../cil/src/cil_write_ast.c: In function ‘datum_to_str’: > ../cil/src/cil_write_ast.c:51:28: error: return discards ‘const’ > qualifier from pointer target type [-Werror=discarded-qualifiers] > 51 | return datum ? datum->fqn : "<?DATUM>"; > | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~ > ../cil/src/cil_write_ast.c: In function ‘write_expr’: > ../cil/src/cil_write_ast.c:122:12: error: assignment discards ‘const’ > qualifier from pointer target type [-Werror=discarded-qualifiers] > 122 | op_str = "<?OP>"; > | ^ > > With the attached patch, the code compiles fine. Feel free to directly > modify the first patch with these fixes. > I think that you might have tested the first version. The second version actually has everything in your patch. Thanks, Jim > Thanks, > Nicolas