@@ -615,6 +615,10 @@ typedef struct policydb {
sepol_security_class_t dir_class;
sepol_access_vector_t process_trans;
sepol_access_vector_t process_trans_dyntrans;
+
+ /* avrules whose line markes will be printed. Defaults to neverallow and
+ neverallowxperm */
+ uint32_t line_marker_avrules;
} policydb_t;
struct sepol_policydb {
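Review bot: The comment on the new `line_marker_avrules` member has a typo ("markes") and does not say that the value is a bitmask, so a reader has to find the two users in module_to_cil.c to learn how it is interpreted; I would write it as `/* Bitmask of AVRULE_* flags selecting the avrules whose line markers are printed by module_to_cil. Defaults to AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW (set in policydb_init). */`. The field is AND-ed against avrule->specified, so its type should stay identical to that member's type; uint32_t is right if specified is uint32_t, which is worth confirming against the avrule definition. Since policydb_t is defined in an installed header, adding a member changes its size, so any external code that embeds or allocates the struct directly would need a rebuild; if that is a supported use, the commit message could say so.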
@@ -1196,8 +1196,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
struct type_set *ts;
for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) {
- if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) &&
- avrule->source_filename) {
+ if ((avrule->specified & pdb->line_marker_avrules) && avrule->source_filename) {
cil_println(0, ";;* lmx %lu %s\n",avrule->source_line, avrule->source_filename);
}
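Review bot: The rewritten guard on the `lmx` line prints no markers at all when line_marker_avrules is still 0, which is what a policydb that was zeroed or filled in without going through policydb_init will contain; the old constant mask could not be switched off this way. I cannot tell from this diff whether every path into avrule_list_to_cil passes through policydb_init, so if such callers exist the default should be applied before the loop rather than relying on init, otherwise a comment above the check such as `/* line_marker_avrules is an AVRULE_* bitmask; 0 disables all line markers (policydb_init sets the default) */` should state the contract. The same condition is repeated for the `lme` marker in the hunk at @@ -1264, and the two must stay identical or the start and end markers will not pair up. avrule_list_to_cil begins and ends outside this hunk.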
@@ -1264,8 +1263,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
names_destroy(&snames, &num_snames);
names_destroy(&tnames, &num_tnames);
- if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) &&
- avrule->source_filename) {
+ if ((avrule->specified & pdb->line_marker_avrules) && avrule->source_filename) {
cil_println(0, ";;* lme\n");
}
}
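Review bot: The condition added here is a byte-for-byte copy of the one added at @@ -1196 for the `lmx` marker, and the two have to agree for the markers to nest correctly; a small static helper would keep that in one place and give the rule a name. Both call sites would then become `if (avrule_has_line_marker(pdb, avrule)) {`. The helper name below is a proposal, not an existing identifier, and avrule_list_to_cil starts and ends outside this hunk.
```c
/* True when the lmx/lme line markers are to be printed for avrule:
 * its kind is selected by pdb->line_marker_avrules and it carries a
 * source file name. */
static int avrule_has_line_marker(const struct policydb *pdb,
                                  const struct avrule *avrule)
{
	return (avrule->specified & pdb->line_marker_avrules) &&
	       avrule->source_filename;
}

/* … unchanged: avrule_list_to_cil, with both conditions replaced by the helper … */
```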
@@ -945,6 +945,8 @@ int policydb_init(policydb_t * p)
ebitmap_init(&p->policycaps);
ebitmap_init(&p->permissive_map);
+ p->line_marker_avrules = AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW;
+
return 0;
err:
hashtab_destroy(p->filename_trans);
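Review bot: The default written on the added line is the same constant expression that the header comment on line_marker_avrules spells out in words, so the two can drift apart if someone later widens the default; a named constant next to the field declaration would keep them in sync, e.g. `#define POLICYDB_LINE_MARKER_AVRULES_DEFAULT (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)` (proposed name) and `p->line_marker_avrules = POLICYDB_LINE_MARKER_AVRULES_DEFAULT;` here. The assignment sits after the last fallible step of policydb_init, which is fine as long as the struct is zeroed at the top of the function, as the `err:` path then leaves it at 0; that zeroing is outside the hunk, so worth confirming.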
This commit introduces a new variable line_marker_avrules in the policydb structure. It controls which avrules have their line markers printed by sepol_module_policydb_to_cil. The default value is AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW to keep existing behavior. One expected usage is that checkpolicy prints line markers for allow rules, providing better debuggability. Signed-off-by: Inseob Kim <inseob@google.com> --- libsepol/include/sepol/policydb/policydb.h | 4 ++++ libsepol/src/module_to_cil.c | 6 ++---- libsepol/src/policydb.c | 2 ++ 3 files changed, 8 insertions(+), 4 deletions(-)