[RFC,9/9] secilc/docs: Add deny rule to CIL documentation

Message ID: 20221215213429.998948-10-jwcart2@gmail.com
State: Superseded
Delegated to: Petr Lautrbach
Series: Add CIL Deny Rule

Commit Message

James Carter Dec. 15, 2022, 9:34 p.m. UTC
Signed-off-by: James Carter <jwcart2@gmail.com>
---
 secilc/docs/cil_access_vector_rules.md | 68 ++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

Comments

Daniel Burgener Feb. 3, 2023, 10:55 p.m. UTC | #1
On 12/15/2022 4:34 PM, James Carter wrote:
> Signed-off-by: James Carter <jwcart2@gmail.com>
> ---
>   secilc/docs/cil_access_vector_rules.md | 68 ++++++++++++++++++++++++++
>   1 file changed, 68 insertions(+)
> 
> diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
> index f0ba4a90..35825283 100644
> --- a/secilc/docs/cil_access_vector_rules.md
> +++ b/secilc/docs/cil_access_vector_rules.md
> @@ -247,6 +247,74 @@ This example will not compile as `type_3` is not allowed to be a source type for
>           (allow type_3 self (property_service (set)))
>       )
>   ```
> +deny
> +----------
> +
> +Remove the access rights defined from any matching allow rules. These rules are processed before [`neverallow`](cil_access_vector_rules.md#neverallow) checking.
> +
> +**Rule definition:**
> +
> +```secil
> +    (deny source_id target_id|self classpermissionset_id ...)
> +```
> +
> +**Where:**
> +
> +<table>
> +<colgroup>
> +<col width="27%" />
> +<col width="72%" />
> +</colgroup>
> +<tbody>
> +<tr class="odd">
> +<td align="left"><p><code>deny</code></p></td>
> +<td align="left"><p>The <code>deny</code> keyword.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>source_id</code></p></td>
> +<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
> +</tr>
> +<tr class="odd">
> +<td align="left"><p><code>target_id</code></p></td>
> +<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
> +<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>classpermissionset_id</code></p></td>
> +<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
> +</tr>
> +</tbody>
> +</table>
> +
> +**Example:**
> +
> +```secil
> +    (class class1 (perm1 perm2))
> +
> +	(type type_1)
> +    (type type_2)
> +	(allow type_1 type_2 (class1 (perm1))) ; Allow_1
> +	(deny type_1 type_2 (class1 (perm1)))  ; Deny_1
> +  	; Allow_1 will be complete removed by Deny_1.
> +
> +    (type type_3)
> +	(type type_4)
> +	(allow type_3 type_4 (class1 (perm1 perm2))) ; Allow_2
> +	(deny type_3 type_4 (class1 (perm1)))        ; Deny_2
> +	; Allow_2 will be removed and replaced with the following when Deny_2 is evaluated
> +    ; (allow type_3 type_4 (class1 (perm2)))
> +
> +	(type type_5)
> +	(type type_6)
> +	(typeattribute attr_1)
> +	(typeattributeset attr_1 (type_5 type_6))
> +	(allow attr_1 attr_1 (class1 (perm1))) ; Allow_3
> +	(deny type_5 type_6 (class1 (perm1)))  ; Deny_3
> +	; Allow_3 will be removed and replaced with the following when Deny_3 is evaluated
> +	; (allow type_6 attr_1 (class1 (perm1)))
> +	; (allow attr_1 type_5 (class1 (perm1)))
> +    )
> +```

Looks like there's some intermixing of spaces and tabs messing up 
formatting on the example.

-Daniel
>   
>   allowx
>   ------
James Carter Feb. 9, 2023, 2:39 p.m. UTC | #2
On Fri, Feb 3, 2023 at 5:55 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
>
> On 12/15/2022 4:34 PM, James Carter wrote:
> > Signed-off-by: James Carter <jwcart2@gmail.com>
> > ---
> >   secilc/docs/cil_access_vector_rules.md | 68 ++++++++++++++++++++++++++
> >   1 file changed, 68 insertions(+)
> >
> > diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
> > index f0ba4a90..35825283 100644
> > --- a/secilc/docs/cil_access_vector_rules.md
> > +++ b/secilc/docs/cil_access_vector_rules.md
> > @@ -247,6 +247,74 @@ This example will not compile as `type_3` is not allowed to be a source type for
> >           (allow type_3 self (property_service (set)))
> >       )
> >   ```
> > +deny
> > +----------
> > +
> > +Remove the access rights defined from any matching allow rules. These rules are processed before [`neverallow`](cil_access_vector_rules.md#neverallow) checking.
> > +
> > +**Rule definition:**
> > +
> > +```secil
> > +    (deny source_id target_id|self classpermissionset_id ...)
> > +```
> > +
> > +**Where:**
> > +
> > +<table>
> > +<colgroup>
> > +<col width="27%" />
> > +<col width="72%" />
> > +</colgroup>
> > +<tbody>
> > +<tr class="odd">
> > +<td align="left"><p><code>deny</code></p></td>
> > +<td align="left"><p>The <code>deny</code> keyword.</p></td>
> > +</tr>
> > +<tr class="even">
> > +<td align="left"><p><code>source_id</code></p></td>
> > +<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
> > +</tr>
> > +<tr class="odd">
> > +<td align="left"><p><code>target_id</code></p></td>
> > +<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
> > +<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
> > +</tr>
> > +<tr class="even">
> > +<td align="left"><p><code>classpermissionset_id</code></p></td>
> > +<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
> > +</tr>
> > +</tbody>
> > +</table>
> > +
> > +**Example:**
> > +
> > +```secil
> > +    (class class1 (perm1 perm2))
> > +
> > +     (type type_1)
> > +    (type type_2)
> > +     (allow type_1 type_2 (class1 (perm1))) ; Allow_1
> > +     (deny type_1 type_2 (class1 (perm1)))  ; Deny_1
> > +     ; Allow_1 will be complete removed by Deny_1.
> > +
> > +    (type type_3)
> > +     (type type_4)
> > +     (allow type_3 type_4 (class1 (perm1 perm2))) ; Allow_2
> > +     (deny type_3 type_4 (class1 (perm1)))        ; Deny_2
> > +     ; Allow_2 will be removed and replaced with the following when Deny_2 is evaluated
> > +    ; (allow type_3 type_4 (class1 (perm2)))
> > +
> > +     (type type_5)
> > +     (type type_6)
> > +     (typeattribute attr_1)
> > +     (typeattributeset attr_1 (type_5 type_6))
> > +     (allow attr_1 attr_1 (class1 (perm1))) ; Allow_3
> > +     (deny type_5 type_6 (class1 (perm1)))  ; Deny_3
> > +     ; Allow_3 will be removed and replaced with the following when Deny_3 is evaluated
> > +     ; (allow type_6 attr_1 (class1 (perm1)))
> > +     ; (allow attr_1 type_5 (class1 (perm1)))
> > +    )
> > +```
>
> Looks like there's some intermixing of spaces and tabs messing up
> formatting on the example.
>
> -Daniel

That final ")" isn't needed either.
Thanks,
Jim


> >
> >   allowx
> >   ------
>
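The three cases in the patch's example (a deny that removes an allow entirely, one that strips a single permission, and one that punches a single type pair out of an attribute-to-attribute allow) can be checked with a small set model of the documented semantics. The block below is an added example for this thread, not code from secilc or the SELinux project; it expands attributes to their member types, subtracts every denied (source, target, class, permission) tuple, and regroups what survives. The attribute membership and rule tuples are a constructed policy that mirrors the patch's example, and `doc_replacement_matches` checks the patch's claim that Allow_3 minus Deny_3 equals `(allow type_6 attr_1 ...)` plus `(allow attr_1 type_5 ...)`.

```python
"""Set model of the CIL `deny` rule as documented in the patch above.

Added example, not secilc's implementation: attributes are expanded to the
types they contain, every denied (source, target, class, permission) tuple
is subtracted from the expanded allow rules, and the survivors are
regrouped, which is the observable effect the documentation describes.
"""

# Constructed attribute membership (the patch's `typeattributeset`).
ATTRS = {"attr_1": {"type_5", "type_6"}}


def expand(ident):
    """Concrete types denoted by a type or typeattribute identifier."""
    return set(ATTRS.get(ident, {ident}))


def expand_rule(rule):
    """Expand (src, tgt|'self', cls, perms) into (src_type, tgt_type, cls, perm) tuples."""
    src, tgt, cls, perms = rule
    if tgt == "self":
        # self: source and target are the same concrete type, for each source type.
        return {(s, s, cls, p) for s in expand(src) for p in perms}
    return {(s, t, cls, p) for s in expand(src) for t in expand(tgt) for p in perms}


def apply_deny(allows, denies):
    """Access tuples that survive once every deny rule has been applied."""
    allowed = set().union(*(expand_rule(r) for r in allows))
    denied = set().union(*(expand_rule(r) for r in denies))
    return allowed - denied


def to_rules(tuples):
    """Regroup surviving tuples into sorted (src, tgt, cls, frozenset(perms)) rules."""
    grouped = {}
    for s, t, c, p in tuples:
        grouped.setdefault((s, t, c), set()).add(p)
    return sorted((s, t, c, frozenset(ps)) for (s, t, c), ps in grouped.items())


def example_1():
    """Allow_1 / Deny_1: the deny covers the whole allow, nothing survives."""
    allows = [("type_1", "type_2", "class1", {"perm1"})]
    denies = [("type_1", "type_2", "class1", {"perm1"})]
    return to_rules(apply_deny(allows, denies))


def example_2():
    """Allow_2 / Deny_2: only perm1 is removed, perm2 remains."""
    allows = [("type_3", "type_4", "class1", {"perm1", "perm2"})]
    denies = [("type_3", "type_4", "class1", {"perm1"})]
    return to_rules(apply_deny(allows, denies))


def example_3():
    """Allow_3 / Deny_3: one type pair denied out of an attribute-to-attribute allow."""
    allows = [("attr_1", "attr_1", "class1", {"perm1"})]
    denies = [("type_5", "type_6", "class1", {"perm1"})]
    return to_rules(apply_deny(allows, denies))


def doc_replacement_matches():
    """True if the patch's stated replacement for Allow_3 grants exactly what survives Deny_3."""
    replacement = [("type_6", "attr_1", "class1", {"perm1"}),
                   ("attr_1", "type_5", "class1", {"perm1"})]
    survivors = {(s, t, c, p) for s, t, c, ps in example_3() for p in ps}
    return apply_deny(replacement, []) == survivors


if __name__ == "__main__":
    for name, fn in (("Allow_1 - Deny_1", example_1),
                     ("Allow_2 - Deny_2", example_2),
                     ("Allow_3 - Deny_3", example_3)):
        print(name, "->", fn() or "nothing left")
    print("documented replacement for Allow_3 matches:", doc_replacement_matches())
```

The model treats `deny` as a whole-policy pass over fully expanded allow rules, so the position of a deny relative to the allow rules it trims makes no difference; that is the reading the patch's "when Deny_N is evaluated" comments suggest, and it is the property worth confirming against secilc before relying on it in a real policy.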
Patch

diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
index f0ba4a90..35825283 100644
--- a/secilc/docs/cil_access_vector_rules.md
+++ b/secilc/docs/cil_access_vector_rules.md
@@ -247,6 +247,74 @@  This example will not compile as `type_3` is not allowed to be a source type for
         (allow type_3 self (property_service (set)))
     )
 ```
+deny
+----------
+
+Remove the access rights defined from any matching allow rules. These rules are processed before [`neverallow`](cil_access_vector_rules.md#neverallow) checking.
+
+**Rule definition:**
+
+```secil
+    (deny source_id target_id|self classpermissionset_id ...)
+```
+
+**Where:**
+
+<table>
+<colgroup>
+<col width="27%" />
+<col width="72%" />
+</colgroup>
+<tbody>
+<tr class="odd">
+<td align="left"><p><code>deny</code></p></td>
+<td align="left"><p>The <code>deny</code> keyword.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><code>source_id</code></p></td>
+<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><code>target_id</code></p></td>
+<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
+<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><code>classpermissionset_id</code></p></td>
+<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
+</tr>
+</tbody>
+</table>
+
+**Example:**
+
+```secil
+    (class class1 (perm1 perm2))
+
+	(type type_1)
+    (type type_2)
+	(allow type_1 type_2 (class1 (perm1))) ; Allow_1
+	(deny type_1 type_2 (class1 (perm1)))  ; Deny_1
+  	; Allow_1 will be complete removed by Deny_1.
+
+    (type type_3)
+	(type type_4)
+	(allow type_3 type_4 (class1 (perm1 perm2))) ; Allow_2
+	(deny type_3 type_4 (class1 (perm1)))        ; Deny_2
+	; Allow_2 will be removed and replaced with the following when Deny_2 is evaluated
+    ; (allow type_3 type_4 (class1 (perm2)))
+
+	(type type_5)
+	(type type_6)
+	(typeattribute attr_1)
+	(typeattributeset attr_1 (type_5 type_6))
+	(allow attr_1 attr_1 (class1 (perm1))) ; Allow_3
+	(deny type_5 type_6 (class1 (perm1)))  ; Deny_3
+	; Allow_3 will be removed and replaced with the following when Deny_3 is evaluated
+	; (allow type_6 attr_1 (class1 (perm1)))
+	; (allow attr_1 type_5 (class1 (perm1)))
+    )
+```
 
 allowx
 ------
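Review bot: the introductory sentence does not say whether a `deny` also removes access from `allow` rules that appear after it in the policy, or in another module; since the text describes deny as a pass that runs before `neverallow` checking and the example comments speak of allow rules being "removed and replaced ... when Deny_2 is evaluated", state explicitly that source order does not matter, if that is the intended behaviour. Within the example, `; Allow_1 will be complete removed by Deny_1.` should read `completely removed`. Two layout points: the new `deny` heading follows the closing fence of the previous example with no blank line, whereas a blank line precedes `allowx`, and the underline `----------` is longer than the heading it marks, where `allowx` uses an underline of matching length.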