From patchwork Tue Mar 16 20:46:43 2021
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 12143979
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 1/4] libsepol/cil: Allow lists in constraint expressions
Date: Tue, 16 Mar 2021 16:46:43 -0400
Message-Id: <20210316204646.52060-1-jwcart2@gmail.com>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

The expectation in CIL was to use user, role, or type attributes in constraint expressions. The problem is that neither user nor role attributes are part of the kernel binary policy, so when converting from a kernel policy to CIL, that would require the creation of a role or user attribute.

The better solution is to just allow a list to be used. In fact, the only thing preventing a list from being used is a check in cil_verify_constraint_leaf_expr_syntax(). Remove the check and allow lists in constraint expressions.

The following is now allowed:
(constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))

Signed-off-by: James Carter
Acked-by: Nicolas Iooss
---
 libsepol/cil/src/cil_verify.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 6706e219..09e3daf9 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n"); goto exit; } - } else if (r_flavor == CIL_LIST) { - cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n"); - goto exit; } } else { if (r_flavor == CIL_CONS_U2) { From patchwork Tue Mar 16 20:46:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12143983 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60EA8C433DB for ; Tue, 16 Mar 2021 20:49:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2E64864E76 for ; Tue, 16 Mar 2021 20:49:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229786AbhCPUsa (ORCPT ); Tue, 16 Mar 2021 16:48:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49288 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232055AbhCPUrA (ORCPT ); Tue, 16 Mar 2021 16:47:00 -0400 Received: from mail-qv1-xf29.google.com (mail-qv1-xf29.google.com [IPv6:2607:f8b0:4864:20::f29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A04ADC06175F for ; Tue, 16 Mar 2021 13:46:59 -0700 (PDT) Received: by mail-qv1-xf29.google.com with SMTP id l15so354749qvl.4 
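Review bot: with the `r_flavor == CIL_LIST` branch removed, cil_verify_constraint_leaf_expr_syntax() now accepts a list on the right-hand side of u1/u2/r1/r2/t1/t2 but no longer inspects it, so this hunk leaves open what happens with an empty list or a list whose members do not match the left-hand side (a type name under r1, for example); confirm that the later resolution pass rejects both cases with a clear error, and add a secilc test policy containing the example from the commit message, (constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3))), so the newly accepted syntax is covered by the test suite.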
From: James Carter To: selinux@vger.kernel.org Cc: James Carter Subject: [PATCH 2/4] secilc/docs: Lists are now allowed in constraint expressions Date: Tue, 16 Mar 2021 16:46:44 -0400 Message-Id: <20210316204646.52060-2-jwcart2@gmail.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20210316204646.52060-1-jwcart2@gmail.com> References: <20210316204646.52060-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Update the CIL documentation to show that lists are allowed in constraint expressions. Signed-off-by: James Carter --- secilc/docs/cil_constraint_statements.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/secilc/docs/cil_constraint_statements.md b/secilc/docs/cil_constraint_statements.md index 2dd6e6f0..358927d6 100644 --- a/secilc/docs/cil_constraint_statements.md +++ b/secilc/docs/cil_constraint_statements.md @@ -34,12 +34,12 @@ Enable constraints to be placed on the specified permissions of the object class

(op u1 u2)

(role_op r1 r2)

(op t1 t2)

-

(op u1 user_id)

-

(op u2 user_id)

-

(op r1 role_id)

-

(op r2 role_id)

-

(op t1 type_id)

-

(op t2 type_id)

+

(op u1 user_id | (user_id ...))

+

(op u2 user_id | (user_id ...))

+

(op r1 role_id | (role_id ...))

+

(op r2 role_id | (role_id ...))

+

(op t1 type_id | (type_id ...))

+

(op t2 type_id | (type_id ...))

where:

u1, r1, t1 = Source context: user, role or type

u2, r2, t2 = Target context: user, role or type
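Review bot: the new `user_id | (user_id ...)` forms show the list syntax, but the where: legend that follows still only describes u1/r1/t1 and u2/r2/t2 and says nothing about how a list is evaluated or what it may contain; add a sentence stating whether the comparison holds when the context's user, role or type matches any member of the list, note that members may be attributes as well as plain identifiers (the 1/4 commit message example, (constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3))), uses ROLE_ATTR3 inside a list), and include that example on the page so readers see the form in context.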

From patchwork Tue Mar 16 20:46:45 2021
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 12143985
From: James Carter To: selinux@vger.kernel.org Cc: James Carter Subject: [PATCH 3/4] libsepol: Enclose identifier lists in CIL constraint expressions Date: Tue, 16 Mar 2021 16:46:45 -0400 Message-Id: <20210316204646.52060-3-jwcart2@gmail.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20210316204646.52060-1-jwcart2@gmail.com> References: <20210316204646.52060-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org When writing CIL policy from a kernel policy or module, if there are multiple users, roles, or types, then the list needs to be enclosed by "(" and ")". When writing a constraint expression, check to see if there are multiple identifiers in the names string and enclose the list with "(" and ")" if there are. Signed-off-by: James Carter --- libsepol/src/kernel_to_cil.c | 6 +++++- libsepol/src/module_to_cil.c | 9 ++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index a146ac51..96e0f5d3 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -191,7 +191,11 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr if (!names) { goto exit; } - new_val = create_str("(%s %s %s)", 3, op, attr1, names); + if (strchr(names, ' ')) { + new_val = create_str("(%s %s (%s))", 3, op, attr1, names); + } else { + new_val = create_str("(%s %s %s)", 3, op, attr1, names); + } free(names); } } else { diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index a87bc15e..3cc75b42 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c 
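Review bot: `strchr(names, ' ')` in the kernel_to_cil.c hunk detects a multi-identifier list only because ebitmap_to_str() joins names with a single space, an assumption that is not recorded at the call site; add a comment stating it, or derive the count from the bitmap (ebitmap_cardinality()) so that kernel_to_cil.c and module_to_cil.c (which tests `num_names > 1`) use the same criterion. Both create_str() calls still pass 3 format arguments for the new "(%s %s (%s))" format, which is correct.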
@@ -1800,13 +1800,20 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp // length of values/oper + 2 spaces + 2 parens + null terminator len = strlen(op) + strlen(attr1) + strlen(names) + 2 + 2 + 1; + if (num_names > 1) { + len += 2; // 2 more parens + } new_val = malloc(len); if (new_val == NULL) { log_err("Out of memory"); rc = -1; goto exit; } - rlen = snprintf(new_val, len, "(%s %s %s)", op, attr1, names); + if (num_names > 1) { + rlen = snprintf(new_val, len, "(%s %s (%s))", op, attr1, names); + } else { + rlen = snprintf(new_val, len, "(%s %s %s)", op, attr1, names); + } if (rlen < 0 || rlen >= len) { log_err("Failed to generate constraint expression"); rc = -1; From patchwork Tue Mar 16 20:46:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12143981 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 65999C433E9 for ; Tue, 16 Mar 2021 20:49:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 421D564E42 for ; Tue, 16 Mar 2021 20:49:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230508AbhCPUsc (ORCPT ); Tue, 16 Mar 2021 16:48:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49306 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232228AbhCPUrF (ORCPT ); Tue, 16 Mar 
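Review bot: in the module_to_cil.c hunk the `len += 2` adjustment and the second snprintf() branch have to be kept in step by hand; the `rlen < 0 || rlen >= len` check that follows would catch a mismatch, but choosing the format once (`const char *fmt = num_names > 1 ? "(%s %s (%s))" : "(%s %s %s)";`) and using it in a single snprintf() removes the duplication, and the comment "length of values/oper + 2 spaces + 2 parens + null terminator" above the length calculation should mention the two optional list parens.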
[73.200.157.122]) by smtp.gmail.com with ESMTPSA id v4sm13905687qte.18.2021.03.16.13.47.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Mar 2021 13:47:03 -0700 (PDT) From: James Carter To: selinux@vger.kernel.org Cc: James Carter Subject: [PATCH 4/4] libsepol: Write "NO_IDENTIFIER" for empty CIL constraint expression Date: Tue, 16 Mar 2021 16:46:46 -0400 Message-Id: <20210316204646.52060-4-jwcart2@gmail.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20210316204646.52060-1-jwcart2@gmail.com> References: <20210316204646.52060-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org If a role or user attribute with nothing associated with it is used in a constraint expression, then the bitmap will be empty. This is not a problem for the kernel, but does cause problems when converting a kernel policy or module to CIL. When creating a CIL policy from a kernel policy or module, if an empty bitmap is encountered, use the string "NO_IDENTIFIER". An error will occur if an attempt is made to compile the resulting policy, but a valid policy was not being produced before anyway. Treat types the same way even though empty bitmaps are not expected. Signed-off-by: James Carter --- libsepol/src/kernel_to_cil.c | 2 +- libsepol/src/module_to_cil.c | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index 96e0f5d3..c6dd2e12 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -189,7 +189,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr names = ebitmap_to_str(&curr->names, pdb->p_role_val_to_name, 1); } if (!names) { - goto exit; + names = strdup("NO_IDENTIFIER"); } if (strchr(names, ' ')) { new_val = create_str("(%s %s (%s))", 3, op, attr1, names); diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 3cc75b42..2a794f57 100644 
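Review bot: replacing `goto exit` with `names = strdup("NO_IDENTIFIER")` in the kernel_to_cil.c hunk changes the meaning of a NULL from ebitmap_to_str(): an allocation failure inside it is now written out as NO_IDENTIFIER instead of being reported, and if strdup() itself fails the `strchr(names, ' ')` on the next line dereferences NULL. Test for the empty bitmap explicitly before calling ebitmap_to_str() (ebitmap_is_empty(&curr->names)), keep `goto exit` for a genuine NULL return, and check the strdup() result; a warning naming the constraint whose attribute has no members would also tell the user why the generated policy will not compile, which the commit message says is expected.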
--- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -1793,9 +1793,13 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp goto exit; } } - rc = name_list_to_string(name_list, num_names, &names); - if (rc != 0) { - goto exit; + if (num_names == 0) { + names = strdup("NO_IDENTIFIER"); + } else { + rc = name_list_to_string(name_list, num_names, &names); + if (rc != 0) { + goto exit; + } } // length of values/oper + 2 spaces + 2 parens + null terminator
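Review bot: the `names = strdup("NO_IDENTIFIER")` result is not checked in the `num_names == 0` branch, so on allocation failure the `strlen(names)` in the length calculation a few lines below dereferences NULL; add the same out-of-memory handling the function already uses for malloc(): `if (!names) { log_err("Out of memory"); rc = -1; goto exit; }`. Since NO_IDENTIFIER is itself a syntactically valid CIL identifier, a short comment (and ideally a log message naming the constraint) explaining that the placeholder is deliberately undeclared so that the policy fails to compile would help anyone who hits it.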