Message ID | 20250411010549.1688614-1-inseob@google.com (mailing list archive) |
---|---|
State | New |
Delegated to: | Petr Lautrbach |
Series | [v3,1/4] libsepol: Allow booleanif to have info nodes | expand |
On Thu, Apr 10, 2025 at 9:06 PM Inseob Kim <inseob@google.com> wrote:
>
> Allowing more info nodes helps debuggability, especially neverallow
> failure reports.
>
> Signed-off-by: Inseob Kim <inseob@google.com>
For these four patches: Acked-by: James Carter <jwcart2@gmail.com>
> ---
> libsepol/cil/src/cil_binary.c | 1 +
> libsepol/cil/src/cil_build_ast.c | 1 +
> libsepol/cil/src/cil_resolve_ast.c | 1 +
> libsepol/cil/src/cil_verify.c | 3 +++
> 4 files changed, 6 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index e84188a0..b0befda3 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -2153,6 +2153,7 @@ static int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute
>
> case CIL_CALL:
> case CIL_TUNABLEIF:
> + case CIL_SRC_INFO:
> break;
> default:
> cil_tree_log(node, CIL_ERR, "Invalid statement within booleanif");
> diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> index 072d2622..fc11758d 100644
> --- a/libsepol/cil/src/cil_build_ast.c
> +++ b/libsepol/cil/src/cil_build_ast.c
> @@ -6164,6 +6164,7 @@ static int check_for_illegal_statement(struct cil_tree_node *parse_current, stru
> parse_current->data != CIL_KEY_AUDITALLOW &&
> parse_current->data != CIL_KEY_TYPETRANSITION &&
> parse_current->data != CIL_KEY_TYPECHANGE &&
> + parse_current->data != CIL_KEY_SRC_INFO &&
> parse_current->data != CIL_KEY_TYPEMEMBER &&
> ((args->db->policy_version < POLICYDB_VERSION_COND_XPERMS) ||
> (parse_current->data != CIL_KEY_ALLOWX &&
> diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> index a8fa89df..392f03c7 100644
> --- a/libsepol/cil/src/cil_resolve_ast.c
> +++ b/libsepol/cil/src/cil_resolve_ast.c
> @@ -3849,6 +3849,7 @@ static int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *f
> node->flavor != CIL_AVRULE &&
> node->flavor != CIL_TYPE_RULE &&
> node->flavor != CIL_NAMETYPETRANSITION &&
> + node->flavor != CIL_SRC_INFO &&
> ((args->db->policy_version < POLICYDB_VERSION_COND_XPERMS) ||
> (node->flavor != CIL_AVRULEX))) {
> rc = SEPOL_ERR;
> diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
> index 550b4542..cde9dd41 100644
> --- a/libsepol/cil/src/cil_verify.c
> +++ b/libsepol/cil/src/cil_verify.c
> @@ -1176,6 +1176,9 @@ static int __cil_verify_booleanif_helper(struct cil_tree_node *node, __attribute
> booleanif statements if they don't have "*" as the file. We
> can't check that here. Or at least we won't right now. */
> break;
> + case CIL_SRC_INFO:
> + //Fall through
> + break;
> default: {
> const char * flavor = cil_node_to_string(node);
> if (bif->preserved_tunable) {
> --
> 2.49.0.604.gff1f9ca942-goog
>
>
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index e84188a0..b0befda3 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -2153,6 +2153,7 @@ static int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute
 case CIL_CALL:
 case CIL_TUNABLEIF:
+ case CIL_SRC_INFO:
 break;
 default:
 cil_tree_log(node, CIL_ERR, "Invalid statement within booleanif");
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 072d2622..fc11758d 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -6164,6 +6164,7 @@ static int check_for_illegal_statement(struct cil_tree_node *parse_current, stru
 parse_current->data != CIL_KEY_AUDITALLOW &&
 parse_current->data != CIL_KEY_TYPETRANSITION &&
 parse_current->data != CIL_KEY_TYPECHANGE &&
+ parse_current->data != CIL_KEY_SRC_INFO &&
 parse_current->data != CIL_KEY_TYPEMEMBER &&
 ((args->db->policy_version < POLICYDB_VERSION_COND_XPERMS) ||
 (parse_current->data != CIL_KEY_ALLOWX &&
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index a8fa89df..392f03c7 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -3849,6 +3849,7 @@ static int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *f
 node->flavor != CIL_AVRULE &&
 node->flavor != CIL_TYPE_RULE &&
 node->flavor != CIL_NAMETYPETRANSITION &&
+ node->flavor != CIL_SRC_INFO &&
 ((args->db->policy_version < POLICYDB_VERSION_COND_XPERMS) ||
 (node->flavor != CIL_AVRULEX))) {
 rc = SEPOL_ERR;
diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 550b4542..cde9dd41 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
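Review bot: The set of statements permitted inside a booleanif is now maintained as four independent lists that this series has to touch one by one — the `case` group in `__cil_cond_to_policydb_helper` here, the `CIL_KEY_*` string chain in `check_for_illegal_statement` (cil_build_ast.c hunk), the flavor chain in `__cil_resolve_ast_node_helper` (cil_resolve_ast.c hunk) and the `switch` in `__cil_verify_booleanif_helper` (cil_verify.c hunk). Nothing in the code ties the four sites together, so a future flavor added at only some of them would presumably be accepted by one pass and rejected by a later one, a drift that is hard to diagnose from a policy-compilation error. A one-line cross-reference at each site would at least make the coupling visible, e.g. `/* keep in sync with check_for_illegal_statement(), __cil_resolve_ast_node_helper() and __cil_verify_booleanif_helper() */` above the `case CIL_CALL:` group in this hunk, with the matching comment at the other three. All four enclosing functions start and end outside their hunks.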
@@ -1176,6 +1176,9 @@ static int __cil_verify_booleanif_helper(struct cil_tree_node *node, __attribute
 booleanif statements if they don't have "*" as the file. We
 can't check that here. Or at least we won't right now. */
 break;
+ case CIL_SRC_INFO:
+ //Fall through
+ break;
 default: {
 const char * flavor = cil_node_to_string(node);
 if (bif->preserved_tunable) {
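Review bot: The `//Fall through` comment on the new `case CIL_SRC_INFO:` in `__cil_verify_booleanif_helper` does not describe the code — the very next added line is `break;`, and the preceding case also ends in `break;`, so nothing falls through in either direction. A reader scanning the switch for fall-through hazards will be misled, and the `//` form does not match the `/* */` comments used in the surrounding lines of this hunk. Either drop the comment or have it say why the flavor is accepted, e.g. `case CIL_SRC_INFO: /* permitted inside booleanif, see check_for_illegal_statement() */` followed by `break;`. The enclosing function starts and ends outside the hunk.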
Allowing more info nodes helps debuggability, especially neverallow failure reports.
Signed-off-by: Inseob Kim <inseob@google.com>
---
libsepol/cil/src/cil_binary.c | 1 +
libsepol/cil/src/cil_build_ast.c | 1 +
libsepol/cil/src/cil_resolve_ast.c | 1 +
libsepol/cil/src/cil_verify.c | 3 +++
4 files changed, 6 insertions(+)