| Message ID | 20230331173442.101678-3-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Petr Lautrbach |
| Headers | show |
| Series | [1/3] checkpolicy: add option to skip checking neverallow rules | expand |
On Fri, Mar 31, 2023 at 1:37 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > * fix minus self formatting in neverallow rules, avoiding `~ - self` > > * show neverallow and neverallowxperm rules > > * whitespace improvements in output > - avoid duplicate whitespaces before permission list, since > sepol_av_to_string() already adds a trailing one > - avoid duplicate whitespace after wildcard type > - unify indentation for xperm rules > > * drop unused global variables > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > checkpolicy/test/dismod.c | 33 ++++++++++++++++++--------------- > 1 file changed, 18 insertions(+), 15 deletions(-) > > diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c > index a2d74d42..ebc1eec3 100644 > --- a/checkpolicy/test/dismod.c > +++ b/checkpolicy/test/dismod.c > @@ -54,11 +54,8 @@ > #define DISPLAY_AVBLOCK_FILENAME_TRANS 7 > > static policydb_t policydb; > -extern unsigned int ss_initialized; > > -int policyvers = MOD_POLICYDB_VERSION_BASE; > - > -static const char *symbol_labels[9] = { > +static const char *const symbol_labels[9] = { > "commons", > "classes", "roles ", "types ", "users ", "bools ", > "levels ", "cats ", "attribs" > @@ -86,12 +83,12 @@ static void render_access_bitmap(ebitmap_t * map, uint32_t class, > { > unsigned int i; > char *perm; > - fprintf(fp, "{"); > + fprintf(fp, " {"); > for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) { > if (ebitmap_get_bit(map, i)) { > perm = sepol_av_to_string(p, class, UINT32_C(1) << i); > if (perm) > - fprintf(fp, " %s", perm); > + fprintf(fp, "%s", perm); > } > } > fprintf(fp, " }"); > @@ -117,7 +114,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic > unsigned int i, num_types; > > if (set->flags & TYPE_STAR) { > - fprintf(fp, " * "); > + fprintf(fp, " *"); > return 0; > } else if (set->flags & TYPE_COMP) { > fprintf(fp, " ~"); > @@ -149,7 +146,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic > } > > if (num_types > 1) > - fprintf(fp, "{"); > + fprintf(fp, " {"); > This causes a problem with a type set using "~". It gets displayed with a space between the "~" and the "{". Thanks, Jim > for (i = ebitmap_startbit(&set->types); i < ebitmap_length(&set->types); > i++) { > @@ -170,7 +167,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic > } > > if (flags & RULE_NOTSELF) { > - fprintf(fp, " -self"); > + if (set->flags & TYPE_COMP) > + fprintf(fp, " self"); > + else > + fprintf(fp, " -self"); > } > > if (num_types > 1) > @@ -234,6 +234,9 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy, > if (avrule->specified & AVRULE_DONTAUDIT) { > fprintf(fp, " dontaudit"); > } > + if (avrule->specified & AVRULE_NEVERALLOW) { > + fprintf(fp, " neverallow"); > + } > } else if (avrule->specified & AVRULE_TYPE) { > if (avrule->specified & AVRULE_TRANSITION) { > fprintf(fp, " type_transition"); > @@ -244,15 +247,15 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy, > if (avrule->specified & AVRULE_CHANGE) { > fprintf(fp, " type_change"); > } > - } else if (avrule->specified & AVRULE_NEVERALLOW) { > - fprintf(fp, " neverallow"); > } else if (avrule->specified & AVRULE_XPERMS) { > if (avrule->specified & AVRULE_XPERMS_ALLOWED) > - fprintf(fp, "allowxperm "); > + fprintf(fp, " allowxperm"); > else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW) > - fprintf(fp, "auditallowxperm "); > + fprintf(fp, " auditallowxperm"); > else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT) > - fprintf(fp, "dontauditxperm "); > + fprintf(fp, " dontauditxperm"); > + else if (avrule->specified & AVRULE_XPERMS_NEVERALLOW) > + fprintf(fp, " neverallowxperm"); > } else { > fprintf(fp, " ERROR: no valid rule type specified\n"); > return -1; > @@ -560,7 +563,7 @@ static int display_scope_index(scope_index_t * indices, policydb_t * p, > p, out_fp); > } else { > fprintf(out_fp, > - "<no perms known>"); > + " <no perms known>"); > } > } > } > -- > 2.40.0 >
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c index a2d74d42..ebc1eec3 100644 --- a/checkpolicy/test/dismod.c +++ b/checkpolicy/test/dismod.c @@ -54,11 +54,8 @@ #define DISPLAY_AVBLOCK_FILENAME_TRANS 7 static policydb_t policydb; -extern unsigned int ss_initialized; -int policyvers = MOD_POLICYDB_VERSION_BASE; - -static const char *symbol_labels[9] = { +static const char *const symbol_labels[9] = { "commons", "classes", "roles ", "types ", "users ", "bools ", "levels ", "cats ", "attribs" @@ -86,12 +83,12 @@ static void render_access_bitmap(ebitmap_t * map, uint32_t class, { unsigned int i; char *perm; - fprintf(fp, "{"); + fprintf(fp, " {"); for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) { if (ebitmap_get_bit(map, i)) { perm = sepol_av_to_string(p, class, UINT32_C(1) << i); if (perm) - fprintf(fp, " %s", perm); + fprintf(fp, "%s", perm); } } fprintf(fp, " }"); @@ -117,7 +114,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic unsigned int i, num_types; if (set->flags & TYPE_STAR) { - fprintf(fp, " * "); + fprintf(fp, " *"); return 0; } else if (set->flags & TYPE_COMP) { fprintf(fp, " ~"); @@ -149,7 +146,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic } if (num_types > 1) - fprintf(fp, "{"); + fprintf(fp, " {"); for (i = ebitmap_startbit(&set->types); i < ebitmap_length(&set->types); i++) { @@ -170,7 +167,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic } if (flags & RULE_NOTSELF) { - fprintf(fp, " -self"); + if (set->flags & TYPE_COMP) + fprintf(fp, " self"); + else + fprintf(fp, " -self"); } if (num_types > 1) @@ -234,6 +234,9 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy, if (avrule->specified & AVRULE_DONTAUDIT) { fprintf(fp, " dontaudit"); } + if (avrule->specified & AVRULE_NEVERALLOW) { + fprintf(fp, " neverallow"); + } } else if (avrule->specified & AVRULE_TYPE) { if (avrule->specified & AVRULE_TRANSITION) { fprintf(fp, " type_transition"); @@ -244,15 +247,15 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy, if (avrule->specified & AVRULE_CHANGE) { fprintf(fp, " type_change"); } - } else if (avrule->specified & AVRULE_NEVERALLOW) { - fprintf(fp, " neverallow"); } else if (avrule->specified & AVRULE_XPERMS) { if (avrule->specified & AVRULE_XPERMS_ALLOWED) - fprintf(fp, "allowxperm "); + fprintf(fp, " allowxperm"); else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW) - fprintf(fp, "auditallowxperm "); + fprintf(fp, " auditallowxperm"); else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT) - fprintf(fp, "dontauditxperm "); + fprintf(fp, " dontauditxperm"); + else if (avrule->specified & AVRULE_XPERMS_NEVERALLOW) + fprintf(fp, " neverallowxperm"); } else { fprintf(fp, " ERROR: no valid rule type specified\n"); return -1; @@ -560,7 +563,7 @@ static int display_scope_index(scope_index_t * indices, policydb_t * p, p, out_fp); } else { fprintf(out_fp, - "<no perms known>"); + " <no perms known>"); } } }
* fix minus self formatting in neverallow rules, avoiding `~ - self` * show neverallow and neverallowxperm rules * whitespace improvements in output - avoid duplicate whitespaces before permission list, since sepol_av_to_string() already adds a trailing one - avoid duplicate whitespace after wildcard type - unify indentation for xperm rules * drop unused global variables Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- checkpolicy/test/dismod.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-)