From patchwork Tue Mar 30 17:39:12 2021
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 12173409
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 01/12] libsepol/cil: Reorder checks for invalid rules when building AST
Date: Tue, 30 Mar 2021 13:39:12 -0400
Message-Id: <20210330173920.281531-2-jwcart2@gmail.com>
In-Reply-To: <20210330173920.281531-1-jwcart2@gmail.com>

Reorder checks for invalid rules in the blocks of tunableifs, in-statements, macros, and booleanifs when building the AST for consistency. Order the checks in the same order the blocks will be resolved in, so tunableif, in-statement, macro, booleanif, and then non-block rules.

Signed-off-by: James Carter
---
 libsepol/cil/src/cil_build_ast.c | 100 +++++++++++++++----------------
 1 file changed, 50 insertions(+), 50 deletions(-)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 4e53f06a..1c530bbc 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -49,10 +49,10 @@ struct cil_args_build { struct cil_tree_node *ast; struct cil_db *db; - struct cil_tree_node *macro; - struct cil_tree_node *boolif; struct cil_tree_node *tunif; struct cil_tree_node *in; + struct cil_tree_node *macro; + struct cil_tree_node *boolif; }; int cil_fill_list(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **list) @@ -6097,10 +6097,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f struct cil_tree_node *ast_current = NULL; struct cil_db *db = NULL; struct cil_tree_node *ast_node = NULL; - struct cil_tree_node *macro = NULL; - struct cil_tree_node *boolif = NULL; struct cil_tree_node *tunif = NULL; struct cil_tree_node *in = NULL; + struct cil_tree_node *macro = NULL; + struct cil_tree_node *boolif = NULL; int rc = SEPOL_ERR; if (parse_current == NULL || finished == NULL || extra_args == NULL) {
@@ -6110,10 +6110,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f args = extra_args; ast_current = args->ast; db = args->db; - macro = args->macro; - boolif = args->boolif; tunif = args->tunif; in = args->in; + macro = args->macro; + boolif = args->boolif; if (parse_current->parent->cl_head != parse_current) { /* ignore anything that isn't following a parenthesis */ @@ -6130,13 +6130,31 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f goto exit; } + if (tunif != NULL) { + if (parse_current->data == CIL_KEY_TUNABLE) { + rc = SEPOL_ERR; + cil_tree_log(parse_current, CIL_ERR, "Found tunable"); + cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n"); + goto exit; + } + } + + if (in != NULL) { + if (parse_current->data == CIL_KEY_IN) { + rc = SEPOL_ERR; + cil_tree_log(parse_current, CIL_ERR, "Found in-statement"); + cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n"); + goto exit; + } + } + if (macro != NULL) { - if (parse_current->data == CIL_KEY_MACRO || - parse_current->data == CIL_KEY_TUNABLE || + if (parse_current->data == CIL_KEY_TUNABLE || parse_current->data == CIL_KEY_IN || parse_current->data == CIL_KEY_BLOCK || parse_current->data == CIL_KEY_BLOCKINHERIT || - parse_current->data == CIL_KEY_BLOCKABSTRACT) { + parse_current->data == CIL_KEY_BLOCKABSTRACT || + parse_current->data == CIL_KEY_MACRO) { rc = SEPOL_ERR; cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in macros", (char *)parse_current->data); goto exit; 
@@ -6144,15 +6162,15 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f } if (boolif != NULL) { - if (parse_current->data != CIL_KEY_CONDTRUE && + if (parse_current->data != CIL_KEY_TUNABLEIF && + parse_current->data != CIL_KEY_CALL && + parse_current->data != CIL_KEY_CONDTRUE && parse_current->data != CIL_KEY_CONDFALSE && - parse_current->data != CIL_KEY_AUDITALLOW && - parse_current->data != CIL_KEY_TUNABLEIF && parse_current->data != CIL_KEY_ALLOW && parse_current->data != CIL_KEY_DONTAUDIT && + parse_current->data != CIL_KEY_AUDITALLOW && parse_current->data != CIL_KEY_TYPETRANSITION && - parse_current->data != CIL_KEY_TYPECHANGE && - parse_current->data != CIL_KEY_CALL) { + parse_current->data != CIL_KEY_TYPECHANGE) { rc = SEPOL_ERR; cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data); if (((struct cil_booleanif*)boolif->data)->preserved_tunable) { @@ -6166,24 +6184,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f } } - if (tunif != NULL) { - if (parse_current->data == CIL_KEY_TUNABLE) { - rc = SEPOL_ERR; - cil_tree_log(parse_current, CIL_ERR, "Found tunable"); - cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n"); - goto exit; - } - } - - if (in != NULL) { - if (parse_current->data == CIL_KEY_IN) { - rc = SEPOL_ERR; - cil_tree_log(parse_current, CIL_ERR, "Found in-statement"); - cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n"); - goto exit; - } - } - cil_tree_node_init(&ast_node); ast_node->parent = ast_current; @@ -6469,14 +6469,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f if (rc == SEPOL_OK) { if (ast_current->cl_head == NULL) { - if (ast_current->flavor == CIL_MACRO) { - args->macro = ast_current; - } - - if (ast_current->flavor == CIL_BOOLEANIF) { - args->boolif = ast_current; - } - if (ast_current->flavor == CIL_TUNABLEIF) { args->tunif = ast_current; } 
@@ -6485,6 +6477,14 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f args->in = ast_current; } + if (ast_current->flavor == CIL_MACRO) { + args->macro = ast_current; + } + + if (ast_current->flavor == CIL_BOOLEANIF) { + args->boolif = ast_current; + } + ast_current->cl_head = ast_node; } else { ast_current->cl_tail->next = ast_node; @@ -6520,14 +6520,6 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void args->ast = ast->parent; - if (ast->flavor == CIL_MACRO) { - args->macro = NULL; - } - - if (ast->flavor == CIL_BOOLEANIF) { - args->boolif = NULL; - } - if (ast->flavor == CIL_TUNABLEIF) { args->tunif = NULL; } @@ -6536,6 +6528,14 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void args->in = NULL; } + if (ast->flavor == CIL_MACRO) { + args->macro = NULL; + } + + if (ast->flavor == CIL_BOOLEANIF) { + args->boolif = NULL; + } + // At this point we no longer have any need for parse_current or any of its // siblings; they have all been converted to the appropriate AST node. The // full parse tree will get deleted elsewhere, but in an attempt to 
@@ -6560,10 +6560,10 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci extra_args.ast = ast; extra_args.db = db; - extra_args.macro = NULL; - extra_args.boolif = NULL; extra_args.tunif = NULL; extra_args.in = NULL; + extra_args.macro = NULL; + extra_args.boolif = NULL; rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, NULL, __cil_build_ast_last_child_helper, &extra_args); if (rc != SEPOL_OK) {
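Review bot: in the hunk at @@ -6130, moving the tunif and in checks ahead of the macro check also changes which diagnostic wins when a node is rejected by more than one check (a `tunable` nested in both a tunableif and a macro now reports "Tunables cannot be defined within tunableif statement" rather than "tunable is not allowed in macros"). Both paths return SEPOL_ERR, so nothing else changes, but the commit message presents this as a pure consistency reorder; a sentence noting that error precedence now follows resolution order as well would make the intent explicit.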
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 02/12] libsepol/cil: Cleanup build AST helper functions
Date: Tue, 30 Mar 2021 13:39:13 -0400
Message-Id: <20210330173920.281531-3-jwcart2@gmail.com>
In-Reply-To: <20210330173920.281531-1-jwcart2@gmail.com>

Since parse_current, finished, and extra_args can never be NULL, remove the useless check and directly assign local variables from extra_args.

Signed-off-by: James Carter
---
 libsepol/cil/src/cil_build_ast.c | 44 ++++++++------------------------
 1 file changed, 10 insertions(+), 34 deletions(-)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 1c530bbc..dd57ad82 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -6093,28 +6093,16 @@ void cil_destroy_src_info(struct cil_src_info *info) int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *finished, void *extra_args) { - struct cil_args_build *args = NULL; - struct cil_tree_node *ast_current = NULL; - struct cil_db *db = NULL; + struct cil_args_build *args = extra_args; + struct cil_db *db = args->db; + struct cil_tree_node *ast_current = args->ast; + struct cil_tree_node *tunif = args->tunif; + struct cil_tree_node *in = args->in; + struct cil_tree_node *macro = args->macro; + struct cil_tree_node *boolif = args->boolif; struct cil_tree_node *ast_node = NULL; - struct cil_tree_node *tunif = NULL; - struct cil_tree_node *in = NULL; - struct cil_tree_node *macro = NULL; - struct cil_tree_node *boolif = NULL; int rc = SEPOL_ERR; - if (parse_current == NULL || finished == NULL || extra_args == NULL) { - goto exit; - } - - args = extra_args; - ast_current = args->ast; - db = args->db; - tunif = args->tunif; - in = args->in; - macro = args->macro; - boolif = args->boolif; - if (parse_current->parent->cl_head != parse_current) { /* ignore anything that isn't following a parenthesis */ rc = SEPOL_OK; @@ -6502,20 +6490,11 @@ exit: int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void *extra_args) { - int rc = SEPOL_ERR; - struct cil_tree_node *ast = NULL; - struct cil_args_build *args = NULL; - - if (extra_args == NULL) { - goto exit; - } - - args = extra_args; - ast = args->ast; + struct cil_args_build *args = extra_args; + struct cil_tree_node *ast = args->ast; if (ast->flavor == CIL_ROOT) { - rc = SEPOL_OK; - goto exit; + return SEPOL_OK; } args->ast = ast->parent; 
@@ -6544,9 +6523,6 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void cil_tree_children_destroy(parse_current->parent); return SEPOL_OK; - -exit: - return rc; } int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct cil_tree_node *ast)
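Review bot: in the hunk at @@ -6093, dropping the `parse_current == NULL || finished == NULL || extra_args == NULL` guard turns a recoverable SEPOL_ERR into a NULL dereference at `args->db` if the invariant is ever violated, and since __cil_build_ast_node_helper keeps external linkage that invariant now rests on every caller rather than on the function itself. The visible caller in cil_build_ast always passes &extra_args through cil_tree_walk, so the change is sound there; a one-line comment above the function stating that it must only be invoked through cil_tree_walk with a non-NULL args struct would record the assumption the commit message makes.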
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 03/12] libsepol/cil: Create new first child helper function for building AST
Date: Tue, 30 Mar 2021 13:39:14 -0400
Message-Id: <20210330173920.281531-4-jwcart2@gmail.com>
In-Reply-To: <20210330173920.281531-1-jwcart2@gmail.com>

In order to find statements not allowed in tunableifs, in-statements, macros, and booleanifs, there are tree node pointers that point to each of these kinds of statements when its block is being parsed. If the pointer is non-NULL, then the rule being parsed is in the block of that kind of statement.

The tree node pointers were being updated at the wrong point which prevented an invalid statement from being found if it was the first statement in the block of a tunableif, in-statement, macro, or booleanif.

Create a first child helper function for walking the parse tree and in that function set the appropriate tree node pointer if the current AST node is a tunableif, in-statement, macro, or booleanif. This also makes the code symmetrical with the last child helper where the tree node pointers are set to NULL.

Signed-off-by: James Carter
---
 libsepol/cil/src/cil_build_ast.c | 42 +++++++++++++++++++------------
 1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index dd57ad82..c0783ba6 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -6457,22 +6457,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f if (rc == SEPOL_OK) { if (ast_current->cl_head == NULL) { - if (ast_current->flavor == CIL_TUNABLEIF) { - args->tunif = ast_current; - } - - if (ast_current->flavor == CIL_IN) { - args->in = ast_current; - } - - if (ast_current->flavor == CIL_MACRO) { - args->macro = ast_current; - } - - if (ast_current->flavor == CIL_BOOLEANIF) { - args->boolif = ast_current; - } - ast_current->cl_head = ast_node; } else { ast_current->cl_tail->next = ast_node; @@ -6488,6 +6472,30 @@ exit: return rc; } +int __cil_build_ast_first_child_helper(__attribute__((unused)) struct cil_tree_node *parse_current, void *extra_args) +{ + struct cil_args_build *args = extra_args; + struct cil_tree_node *ast = args->ast; + + if (ast->flavor == CIL_TUNABLEIF) { + args->tunif = ast; + } + + if (ast->flavor == CIL_IN) { + args->in = ast; + } + + if (ast->flavor == CIL_MACRO) { + args->macro = ast; + } + + if (ast->flavor == CIL_BOOLEANIF) { + args->boolif = ast; + } + + return SEPOL_OK; +} + int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void *extra_args) { struct cil_args_build *args = extra_args; 
@@ -6541,7 +6549,7 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci extra_args.macro = NULL; extra_args.boolif = NULL; - rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, NULL, __cil_build_ast_last_child_helper, &extra_args); + rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, __cil_build_ast_first_child_helper, __cil_build_ast_last_child_helper, &extra_args); if (rc != SEPOL_OK) { goto exit; }
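Review bot: the new __cil_build_ast_first_child_helper at @@ -6488 fixes the first-statement case, but its pairing with the last-child helper still clears the pointer outright (`args->tunif = NULL` and so on) rather than restoring an enclosing node of the same kind. That is fine for macros, in-statements and booleanifs, which the node helper rejects when nested inside their own kind, but the tunif check only rejects CIL_KEY_TUNABLE, so if a tunableif may appear inside another tunableif, a `tunable` placed in the outer one after the inner one closes would again go undetected; either reject nested tunableifs in that check or restore `args->tunif` by walking parent pointers, as patch 4 of this series does for blocks and optionals.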
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 04/12] libsepol/cil: Use AST to track blocks and optionals when resolving
Date: Tue, 30 Mar 2021 13:39:15 -0400
Message-Id: <20210330173920.281531-5-jwcart2@gmail.com>
In-Reply-To: <20210330173920.281531-1-jwcart2@gmail.com>

When resolving the AST, block and optional stacks are used to determine if the current rule being resolved is in a block or an optional. There is no need to do this since the parent node pointers can be used when exiting a block or an optional to determine if resolution is still within a block or an optional.

When entering either a block or an optional, update the appropriate tree node pointer. When finished with the last child of a block or optional, set the appropriate pointer to NULL. If a parent of the same kind is found when the parent node pointers are followed back to the root node, then set the pointer to that tree node.

Signed-off-by: James Carter
---
 libsepol/cil/src/cil_resolve_ast.c | 107 +++++++++--------------------
 1 file changed, 32 insertions(+), 75 deletions(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 63beed92..a61462d0 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -52,10 +52,10 @@ struct cil_args_resolve { enum cil_pass pass; uint32_t *changed; struct cil_list *disabled_optionals; - struct cil_tree_node *optstack; + struct cil_tree_node *optional; struct cil_tree_node *boolif; struct cil_tree_node *macro; - struct cil_tree_node *blockstack; + struct cil_tree_node *block; struct cil_list *sidorder_lists; struct cil_list *classorder_lists; struct cil_list *unordered_classorder_lists;
@@ -3777,16 +3777,16 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished int rc = SEPOL_ERR; struct cil_args_resolve *args = extra_args; enum cil_pass pass = args->pass; - struct cil_tree_node *optstack = args->optstack; + struct cil_tree_node *optional = args->optional; struct cil_tree_node *boolif = args->boolif; - struct cil_tree_node *blockstack = args->blockstack; + struct cil_tree_node *block = args->block; struct cil_tree_node *macro = args->macro; if (node == NULL) { goto exit; } - if (optstack != NULL) { + if (optional != NULL) { if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) { /* tuanbles and macros are not allowed in optionals*/ cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node)); @@ -3795,7 +3795,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished } } - if (blockstack != NULL) { + if (block != NULL) { if (node->flavor == CIL_CAT || node->flavor == CIL_SENS) { cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node)); rc = SEPOL_ERR; @@ -3849,11 +3849,11 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished if (rc == SEPOL_ENOENT) { enum cil_log_level lvl = CIL_ERR; - if (optstack != NULL) { + if (optional != NULL) { lvl = CIL_INFO; - struct cil_optional *opt = (struct cil_optional *)optstack->data; - struct cil_tree_node *opt_node = opt->datum.nodes->head->data; + struct cil_optional *opt = (struct cil_optional *)optional->data; + struct cil_tree_node *opt_node = NODE(opt);; /* disable an optional if something failed to resolve */ opt->enabled = CIL_FALSE; cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node)); 
@@ -3876,39 +3876,18 @@ int __cil_resolve_ast_first_child_helper(struct cil_tree_node *current, void *ex { int rc = SEPOL_ERR; struct cil_args_resolve *args = extra_args; - struct cil_tree_node *optstack = NULL; struct cil_tree_node *parent = NULL; - struct cil_tree_node *blockstack = NULL; - struct cil_tree_node *new = NULL; if (current == NULL || extra_args == NULL) { goto exit; } - optstack = args->optstack; parent = current->parent; - blockstack = args->blockstack; - if (parent->flavor == CIL_OPTIONAL || parent->flavor == CIL_BLOCK) { - /* push this node onto a stack */ - cil_tree_node_init(&new); - - new->data = parent->data; - new->flavor = parent->flavor; - - if (parent->flavor == CIL_OPTIONAL) { - if (optstack != NULL) { - optstack->parent = new; - new->cl_head = optstack; - } - args->optstack = new; - } else if (parent->flavor == CIL_BLOCK) { - if (blockstack != NULL) { - blockstack->parent = new; - new->cl_head = blockstack; - } - args->blockstack = new; - } + if (parent->flavor == CIL_BLOCK) { + args->block = parent; + } else if (parent->flavor == CIL_OPTIONAL) { + args->optional = parent; } else if (parent->flavor == CIL_BOOLEANIF) { args->boolif = parent; } else if (parent->flavor == CIL_MACRO) { @@ -3927,7 +3906,6 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext int rc = SEPOL_ERR; struct cil_args_resolve *args = extra_args; struct cil_tree_node *parent = NULL; - struct cil_tree_node *blockstack = NULL; if (current == NULL || extra_args == NULL) { goto exit; 
@@ -3938,30 +3916,31 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext if (parent->flavor == CIL_MACRO) { args->macro = NULL; } else if (parent->flavor == CIL_OPTIONAL) { - struct cil_tree_node *optstack; - + struct cil_tree_node *n = parent->parent; if (((struct cil_optional *)parent->data)->enabled == CIL_FALSE) { *(args->changed) = CIL_TRUE; cil_list_append(args->disabled_optionals, CIL_NODE, parent); } - - /* pop off the stack */ - optstack = args->optstack; - args->optstack = optstack->cl_head; - if (optstack->cl_head) { - optstack->cl_head->parent = NULL; + args->optional = NULL; + while (n && n->flavor != CIL_ROOT) { + if (n->flavor == CIL_OPTIONAL) { + args->optional = n; + break; + } + n = n->parent; } - free(optstack); } else if (parent->flavor == CIL_BOOLEANIF) { args->boolif = NULL; } else if (parent->flavor == CIL_BLOCK) { - /* pop off the stack */ - blockstack = args->blockstack; - args->blockstack = blockstack->cl_head; - if (blockstack->cl_head) { - blockstack->cl_head->parent = NULL; + struct cil_tree_node *n = parent->parent; + args->block = NULL; + while (n && n->flavor != CIL_ROOT) { + if (n->flavor == CIL_BLOCK) { + args->block = n; + break; + } + n = n->parent; } - free(blockstack); } return SEPOL_OK; @@ -3970,16 +3949,6 @@ exit: return rc; } -static void cil_destroy_tree_node_stack(struct cil_tree_node *curr) -{ - struct cil_tree_node *next; - while (curr != NULL) { - next = curr->cl_head; - free(curr); - curr = next; - } -} - int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current) { int rc = SEPOL_ERR; @@ -3994,7 +3963,8 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current) extra_args.db = db; extra_args.pass = pass; extra_args.changed = &changed; - extra_args.optstack = NULL; + extra_args.block = NULL; + extra_args.optional = NULL; extra_args.boolif= NULL; extra_args.macro = NULL; extra_args.sidorder_lists = NULL; 
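Review bot: the two ancestor walks added in the __cil_resolve_ast_last_child_helper hunk at -3938 are identical apart from the flavor they look for (`while (n && n->flavor != CIL_ROOT) { if (n->flavor == CIL_OPTIONAL) { ... }` and the same loop for CIL_BLOCK). A small static helper that takes the starting node and the wanted flavor and returns the nearest matching ancestor or NULL would remove the duplication and keep the two cases from drifting apart. Since args->block and args->optional now point at live AST nodes instead of owned stack copies, a one-line comment on those struct members saying they are borrowed and must never be freed would also spare a future reader the question the old cil_destroy_tree_node_stack() answered.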
@@ -4003,7 +3973,6 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current) extra_args.catorder_lists = NULL; extra_args.sensitivityorder_lists = NULL; extra_args.in_list = NULL; - extra_args.blockstack = NULL; cil_list_init(&extra_args.disabled_optionals, CIL_NODE); cil_list_init(&extra_args.sidorder_lists, CIL_LIST_ITEM); @@ -4107,17 +4076,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current) } cil_list_destroy(&extra_args.disabled_optionals, CIL_FALSE); cil_list_init(&extra_args.disabled_optionals, CIL_NODE); - } - - /* reset the arguments */ - changed = 0; - while (extra_args.optstack != NULL) { - cil_destroy_tree_node_stack(extra_args.optstack); - extra_args.optstack = NULL; - } - while (extra_args.blockstack!= NULL) { - cil_destroy_tree_node_stack(extra_args.blockstack); - extra_args.blockstack = NULL; + changed = 0; } } 
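Review bot: in the cil_resolve_ast hunk at -4107, `changed = 0;` moves from after the closing brace of the enclosing block (the removed `-		}`) to inside it; the remaining context `}` now closes that block. Before, the flag was cleared unconditionally at the end of every pass (`/* reset the arguments */ changed = 0;`); after, it is cleared only when that block runs. If the block's condition is just `changed` this is equivalent, but if it also depends on the pass, a flag set in a pass where the block is skipped now survives into the next pass. Either way this is separate from removing the stacks and should be called out in the commit message, or the reset kept after the brace.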
@@ -4128,8 +4087,6 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current) rc = SEPOL_OK; exit: - cil_destroy_tree_node_stack(extra_args.optstack); - cil_destroy_tree_node_stack(extra_args.blockstack); __cil_ordered_lists_destroy(&extra_args.sidorder_lists); __cil_ordered_lists_destroy(&extra_args.classorder_lists); __cil_ordered_lists_destroy(&extra_args.catorder_lists);
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 05/12] libsepol/cil: Reorder checks for invalid rules when resolving AST
Date: Tue, 30 Mar 2021 13:39:16 -0400
Message-Id: <20210330173920.281531-6-jwcart2@gmail.com>
X-Mailer: git-send-email 2.26.3
In-Reply-To: <20210330173920.281531-1-jwcart2@gmail.com>
References: <20210330173920.281531-1-jwcart2@gmail.com>
X-Mailing-List: selinux@vger.kernel.org

Reorder checks for invalid rules in the blocks of tunableifs, in-statements, macros, and booleanifs when resolving the AST for consistency. Order the checks in the same order the blocks will be resolved in, so tunableif, in-statement, macro, booleanif, and then non-block rules.

Signed-off-by: James Carter
---
libsepol/cil/src/cil_resolve_ast.c | 76 +++++++++++++++---------------
1 file changed, 39 insertions(+), 37 deletions(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index a61462d0..93fc0d63 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -52,10 +52,10 @@ struct cil_args_resolve { enum cil_pass pass; uint32_t *changed; struct cil_list *disabled_optionals; + struct cil_tree_node *block; + struct cil_tree_node *macro; struct cil_tree_node *optional; struct cil_tree_node *boolif; - struct cil_tree_node *macro; - struct cil_tree_node *block; struct cil_list *sidorder_lists; struct cil_list *classorder_lists; struct cil_list *unordered_classorder_lists;
@@ -3777,50 +3777,52 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished int rc = SEPOL_ERR; struct cil_args_resolve *args = extra_args; enum cil_pass pass = args->pass; - struct cil_tree_node *optional = args->optional; - struct cil_tree_node *boolif = args->boolif; struct cil_tree_node *block = args->block; struct cil_tree_node *macro = args->macro; + struct cil_tree_node *optional = args->optional; + struct cil_tree_node *boolif = args->boolif; if (node == NULL) { goto exit; } - if (optional != NULL) { - if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) { - /* tuanbles and macros are not allowed in optionals*/ - cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node)); + if (block != NULL) { + if (node->flavor == CIL_CAT || + node->flavor == CIL_SENS) { + cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node)); rc = SEPOL_ERR; goto exit; } } - if (block != NULL) { - if (node->flavor == CIL_CAT || node->flavor == CIL_SENS) { - cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node)); + if (macro != NULL) { + if (node->flavor == CIL_BLOCK || + node->flavor == CIL_BLOCKINHERIT || + node->flavor == CIL_BLOCKABSTRACT || + node->flavor == CIL_MACRO) { + cil_tree_log(node, CIL_ERR, "%s statement is not allowed in macros", cil_node_to_string(node)); rc = SEPOL_ERR; goto exit; } } - if (macro != NULL) { - if (node->flavor == CIL_BLOCKINHERIT || - node->flavor == CIL_BLOCK || - node->flavor == CIL_BLOCKABSTRACT || - node->flavor == CIL_MACRO) { - cil_tree_log(node, CIL_ERR, "%s statement is not allowed in macros", cil_node_to_string(node)); + if (optional != NULL) { + if (node->flavor == CIL_TUNABLE || + node->flavor == CIL_MACRO) { + /* tuanbles and macros are not allowed in optionals*/ + cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node)); rc = SEPOL_ERR; goto exit; 
} } if (boolif != NULL) { - if (!(node->flavor == CIL_CONDBLOCK || - node->flavor == CIL_AVRULE || - node->flavor == CIL_TYPE_RULE || - node->flavor == CIL_CALL || - node->flavor == CIL_TUNABLEIF || - node->flavor == CIL_NAMETYPETRANSITION)) { + if (!(node->flavor == CIL_TUNABLEIF || + node->flavor == CIL_CALL || + node->flavor == CIL_CONDBLOCK || + node->flavor == CIL_AVRULE || + node->flavor == CIL_TYPE_RULE || + node->flavor == CIL_NAMETYPETRANSITION)) { if (((struct cil_booleanif*)boolif->data)->preserved_tunable) { cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs (tunableif treated as a booleanif)", cil_node_to_string(node)); } else { @@ -3886,12 +3888,12 @@ int __cil_resolve_ast_first_child_helper(struct cil_tree_node *current, void *ex if (parent->flavor == CIL_BLOCK) { args->block = parent; + } else if (parent->flavor == CIL_MACRO) { + args->macro = parent; } else if (parent->flavor == CIL_OPTIONAL) { args->optional = parent; } else if (parent->flavor == CIL_BOOLEANIF) { args->boolif = parent; - } else if (parent->flavor == CIL_MACRO) { - args->macro = parent; } return SEPOL_OK; @@ -3913,7 +3915,17 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext parent = current->parent; - if (parent->flavor == CIL_MACRO) { + if (parent->flavor == CIL_BLOCK) { + struct cil_tree_node *n = parent->parent; + args->block = NULL; + while (n && n->flavor != CIL_ROOT) { + if (n->flavor == CIL_BLOCK) { + args->block = n; + break; + } + n = n->parent; + } + } else if (parent->flavor == CIL_MACRO) { args->macro = NULL; } else if (parent->flavor == CIL_OPTIONAL) { struct cil_tree_node *n = parent->parent; 
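Review bot: the optional check moved in the __cil_resolve_ast_node_helper hunk at -3777 carries the old comment over verbatim as a `+` line: `+ /* tuanbles and macros are not allowed in optionals*/`. Since the line is being re-added anyway, fix the spelling to "tunables" and add the space before `*/` so the typo does not get a second life in git blame.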
@@ -3931,16 +3943,6 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext } } else if (parent->flavor == CIL_BOOLEANIF) { args->boolif = NULL; - } else if (parent->flavor == CIL_BLOCK) { - struct cil_tree_node *n = parent->parent; - args->block = NULL; - while (n && n->flavor != CIL_ROOT) { - if (n->flavor == CIL_BLOCK) { - args->block = n; - break; - } - n = n->parent; - } } return SEPOL_OK; 
@@ -3964,9 +3966,9 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current) extra_args.pass = pass; extra_args.changed = &changed; extra_args.block = NULL; + extra_args.macro = NULL; extra_args.optional = NULL; extra_args.boolif= NULL; - extra_args.macro = NULL; extra_args.sidorder_lists = NULL; extra_args.classorder_lists = NULL; extra_args.unordered_classorder_lists = NULL;
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 06/12] libsepol/cil: Sync checks for invalid rules in booleanifs
Date: Tue, 30 Mar 2021 13:39:17 -0400
Message-Id: <20210330173920.281531-7-jwcart2@gmail.com>
X-Mailer: git-send-email 2.26.3
In-Reply-To: <20210330173920.281531-1-jwcart2@gmail.com>
References: <20210330173920.281531-1-jwcart2@gmail.com>
X-Mailing-List: selinux@vger.kernel.org

When building the AST, typemember rules in a booleanif block will be incorrectly called invalid. They are allowed in the kernel policy and should be allowed in CIL.

When resolving the AST, if a neverallow rule is copied into a booleanif block, it will not be considered an invalid rule, even though this is not allowed in the kernel policy.

Update the booleanif checks to allow typemember rules and to not allow neverallow rules in booleanifs. Also use the same form of conditional for the checks when building and resolving the AST.

Signed-off-by: James Carter
---
libsepol/cil/src/cil_build_ast.c | 3 ++-
libsepol/cil/src/cil_resolve_ast.c | 23 +++++++++++++++--------
2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index c0783ba6..457d3ee7 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -6158,7 +6158,8 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f parse_current->data != CIL_KEY_DONTAUDIT && parse_current->data != CIL_KEY_AUDITALLOW && parse_current->data != CIL_KEY_TYPETRANSITION && - parse_current->data != CIL_KEY_TYPECHANGE) { + parse_current->data != CIL_KEY_TYPECHANGE && + parse_current->data != CIL_KEY_TYPEMEMBER) { rc = SEPOL_ERR; cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data); if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 93fc0d63..56295a04 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -3774,7 +3774,7 @@ exit: int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args) { - int rc = SEPOL_ERR; + int rc = SEPOL_OK; struct cil_args_resolve *args = extra_args; enum cil_pass pass = args->pass; struct cil_tree_node *block = args->block; 
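Review bot: changing the initial value to `+ int rc = SEPOL_OK;` in the __cil_resolve_ast_node_helper hunk at -3774 alters every `goto exit` in this function that does not set rc itself. The `if (node == NULL) { goto exit; }` a few lines further down (visible as context in the earlier patches of this series) previously returned SEPOL_ERR and now returns SEPOL_OK, so a NULL node is silently reported as resolved. Either set `rc = SEPOL_ERR;` on that path, or keep the SEPOL_ERR default and set `rc = SEPOL_OK` only where the reworked booleanif check needs it.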
@@ -3817,18 +3817,25 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished } if (boolif != NULL) { - if (!(node->flavor == CIL_TUNABLEIF || - node->flavor == CIL_CALL || - node->flavor == CIL_CONDBLOCK || - node->flavor == CIL_AVRULE || - node->flavor == CIL_TYPE_RULE || - node->flavor == CIL_NAMETYPETRANSITION)) { + if (node->flavor != CIL_TUNABLEIF && + node->flavor != CIL_CALL && + node->flavor != CIL_CONDBLOCK && + node->flavor != CIL_AVRULE && + node->flavor != CIL_TYPE_RULE && + node->flavor != CIL_NAMETYPETRANSITION) { + rc = SEPOL_ERR; + } else if (node->flavor == CIL_AVRULE) { + struct cil_avrule *rule = node->data; + if (rule->rule_kind == CIL_AVRULE_NEVERALLOW) { + rc = SEPOL_ERR; + } + } + if (rc == SEPOL_ERR) { if (((struct cil_booleanif*)boolif->data)->preserved_tunable) { cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs (tunableif treated as a booleanif)", cil_node_to_string(node)); } else { cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs", cil_node_to_string(node)); } - rc = SEPOL_ERR; goto exit; } }
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 07/12] libsepol/cil: Check for statements not allowed in optional blocks
Date: Tue, 30 Mar 2021 13:39:18 -0400
Message-Id: <20210330173920.281531-8-jwcart2@gmail.com>
X-Mailer: git-send-email 2.26.3
In-Reply-To: <20210330173920.281531-1-jwcart2@gmail.com>
References: <20210330173920.281531-1-jwcart2@gmail.com>
X-Mailing-List: selinux@vger.kernel.org

While there are some checks for invalid statements in an optional block when resolving the AST, there are no checks when building the AST.

OSS-Fuzz found the following policy which caused a null dereference in cil_tree_get_next_path().

(blockinherit b3) (sid SID) (sidorder(SID)) (optional o (ibpkeycon :(1 0)s) (block b3 (filecon""block()) (filecon""block())))

The problem is that the blockinherit copies block b3 before the optional block is disabled. When the optional is disabled, block b3 is deleted along with everything else in the optional. Later, when filecon statements with the same path are found, an error message is produced, and in trying to find out where the block was copied from, the reference to the deleted block is used. The error handling code assumes (rightly) that if something was copied from a block then that block should still exist.

It is clear that in-statements, blocks, and macros cannot be in an optional, because that allows nodes to be copied from the optional block to somewhere outside even though the optional could be disabled later. When optionals are disabled the AST is reset and the resolution is restarted at the point of resolving macro calls, so anything resolved before macro calls will never be re-resolved. This includes tunableifs, in-statements, blockinherits, blockabstracts, and macro definitions. Tunable declarations also cannot be in an optional block because they are needed to resolve tunableifs.

It should be fine to allow blockinherit statements in an optional, because that is copying nodes from outside the optional to the optional and if the optional is later disabled, everything will be deleted anyway.

Check and quit with an error if a tunable declaration, in-statement, block, blockabstract, or macro definition is found within an optional when either building or resolving the AST.

Signed-off-by: James Carter
---
libsepol/cil/src/cil_build_ast.c | 32 ++++++++++++++++++++++++++++++
libsepol/cil/src/cil_resolve_ast.c | 4 +++-
2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 457d3ee7..1fef25d4 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -52,6 +52,7 @@ struct cil_args_build { struct cil_tree_node *tunif; struct cil_tree_node *in; struct cil_tree_node *macro; + struct cil_tree_node *optional; struct cil_tree_node *boolif; }; @@ -6099,6 +6100,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f struct cil_tree_node *tunif = args->tunif; struct cil_tree_node *in = args->in; struct cil_tree_node *macro = args->macro; + struct cil_tree_node *optional = args->optional; struct cil_tree_node *boolif = args->boolif; struct cil_tree_node *ast_node = NULL; int rc = SEPOL_ERR; @@ -6149,6 +6151,18 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f } } + if (optional != NULL) { + if (parse_current->data == CIL_KEY_TUNABLE || + parse_current->data == CIL_KEY_IN || + parse_current->data == CIL_KEY_BLOCK || + parse_current->data == CIL_KEY_BLOCKABSTRACT || + parse_current->data == CIL_KEY_MACRO) { + rc = SEPOL_ERR; + cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optionals", (char *)parse_current->data); + goto exit; + } + } + if (boolif != NULL) { if (parse_current->data != CIL_KEY_TUNABLEIF && parse_current->data != CIL_KEY_CALL &&
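Review bot: the new `if (optional != NULL)` check in the __cil_build_ast_node_helper hunk at -6149 closes the front door on the OSS-Fuzz policy, but the commit message describes the actual crash site as an error path (cil_tree_get_next_path()) that dereferences the deleted block because it assumes the source of a copy still exists. That assumption has now been violated once, so a NULL check with a clear log message at that point would turn any future variant into a clean failure rather than a crash; worth a follow-up if it does not belong in this patch. The reasoning for what is and is not allowed (copying into an optional is fine, copying out of it is not) is only in the commit message; a one-line comment above the new check would keep it with the code.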
@@ -6490,6 +6504,10 @@ int __cil_build_ast_first_child_helper(__attribute__((unused)) struct cil_tree_n args->macro = ast; } + if (ast->flavor == CIL_OPTIONAL) { + args->optional = ast; + } + if (ast->flavor == CIL_BOOLEANIF) { args->boolif = ast; } @@ -6520,6 +6538,19 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void args->macro = NULL; } + if (ast->flavor == CIL_OPTIONAL) { + struct cil_tree_node *n = ast->parent; + args->optional = NULL; + /* Optionals can be nested */ + while (n && n->flavor != CIL_ROOT) { + if (n->flavor == CIL_OPTIONAL) { + args->optional = n; + break; + } + n = n->parent; + } + } + if (ast->flavor == CIL_BOOLEANIF) { args->boolif = NULL; } @@ -6548,6 +6579,7 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci extra_args.tunif = NULL; extra_args.in = NULL; extra_args.macro = NULL; + extra_args.optional = NULL; extra_args.boolif = NULL; rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, __cil_build_ast_first_child_helper, __cil_build_ast_last_child_helper, &extra_args); diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 56295a04..efff0f2e 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c 
@@ -3808,8 +3808,10 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished if (optional != NULL) { if (node->flavor == CIL_TUNABLE || + node->flavor == CIL_IN || + node->flavor == CIL_BLOCK || + node->flavor == CIL_BLOCKABSTRACT || node->flavor == CIL_MACRO) { - /* tuanbles and macros are not allowed in optionals*/ cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node)); rc = SEPOL_ERR; goto exit;
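The two directions of block copying that the PATCH 07/12 commit message distinguishes, as constructed CIL fragments added here for illustration (they are not from the patch series or the libsepol test suite). The block and type names are made up, the two fragments are separate policies, and the base declarations a complete policy needs (classes, sids, users, roles, contexts) are omitted:

```cil
;; Fragment 1: rejected once PATCH 07/12 is applied.
;; The block is declared inside the optional and a blockinherit outside it
;; copies the block's contents out of the optional.  If the optional were
;; disabled later, the copy would point at a deleted block, which is the
;; dangling reference the fuzzer policy exercised.  The build-side check
;; now stops at the block declaration with:
;;   "block is not allowed in optionals"
(optional opt_bad
    (block tmpl
        (type tmpl_t)))
(blockinherit tmpl)

;; Fragment 2: still allowed.
;; The template lives outside the optional and the blockinherit inside it
;; copies the contents in.  Disabling the optional discards that copy, and
;; nothing outside the optional refers to it.
(block tmpl
    (type tmpl_t))
(optional opt_ok
    (blockinherit tmpl)
    (allow tmpl_t self (file (read))))
```

The same distinction applies to in-statements, macros and blockabstract: each can cause nodes to be copied or resolved before an optional is disabled, so the patch rejects them inside optionals at both build and resolve time, while blockinherit is left alone.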
From: James Carter To: selinux@vger.kernel.org Cc: James Carter Subject: [PATCH 08/12] libsepol/cil: Sync checks for invalid rules in macros Date: Tue, 30 Mar 2021 13:39:19 -0400 Message-Id: <20210330173920.281531-9-jwcart2@gmail.com> X-Mailer: git-send-email 2.26.3 In-Reply-To: <20210330173920.281531-1-jwcart2@gmail.com> References: <20210330173920.281531-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org When resolving the AST, tunable and in-statements are not considered to be invalid in macros. This is inconsistent with the checks when building the AST. Add checks to make tunable and in-statements invalid in macros when resolving the AST. Signed-off-by: James Carter --- libsepol/cil/src/cil_resolve_ast.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index efff0f2e..7229a3b4 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c 
@@ -3796,7 +3796,9 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished } if (macro != NULL) { - if (node->flavor == CIL_BLOCK || + if (node->flavor == CIL_TUNABLE || + node->flavor == CIL_IN || + node->flavor == CIL_BLOCK || node->flavor == CIL_BLOCKINHERIT || node->flavor == CIL_BLOCKABSTRACT || node->flavor == CIL_MACRO) { From patchwork Tue Mar 30 17:39:20 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12173417 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5C330C433E4 for ; Tue, 30 Mar 2021 17:40:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3E61561953 for ; Tue, 30 Mar 2021 17:40:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232381AbhC3RkI (ORCPT ); Tue, 30 Mar 2021 13:40:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58972 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232388AbhC3Rjp (ORCPT ); Tue, 30 Mar 2021 13:39:45 -0400 Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 09458C061574 for ; Tue, 30 Mar 2021 10:39:45 -0700 (PDT) Received: by mail-qt1-x82f.google.com with SMTP id 1so11859545qtb.0 for ; Tue, 30 Mar 2021 10:39:44 -0700 (PDT) 
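Review bot: the resolve-time check now rejects CIL_TUNABLE and CIL_IN inside macros, mirroring the build-time check, but for statements written directly inside a macro the build-time check already fires, so the case this hunk actually catches is content that arrives in a macro after the AST is built (for example copied in by an in-statement or blockinherit). The commit message should state that, and a secilc test with a tunable reaching a macro through such a copy would pin the behaviour down rather than leaving the resolve-time check looking redundant.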
From: James Carter To: selinux@vger.kernel.org Cc: James Carter Subject: [PATCH 09/12] libsepol/cil: Do not allow tunable declarations in in-statements Date: Tue, 30 Mar 2021 13:39:20 -0400 Message-Id: <20210330173920.281531-10-jwcart2@gmail.com> X-Mailer: git-send-email 2.26.3 In-Reply-To: <20210330173920.281531-1-jwcart2@gmail.com> References: <20210330173920.281531-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Since tunableifs are resolved before in-statements, do not allow tunable declarations in in-statements. Since in-statements are the first flavor of statement that causes part of the AST to be copied to another part, there is no need to check the in-statements when resolving the AST. Signed-off-by: James Carter --- libsepol/cil/src/cil_build_ast.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 1fef25d4..df7bb950 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c 
@@ -6130,7 +6130,8 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f } if (in != NULL) { - if (parse_current->data == CIL_KEY_IN) { + if (parse_current->data == CIL_KEY_TUNABLE || + parse_current->data == CIL_KEY_IN) { rc = SEPOL_ERR; cil_tree_log(parse_current, CIL_ERR, "Found in-statement"); cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n"); From patchwork Tue Mar 30 17:40:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12173425 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C03BCC433C1 for ; Tue, 30 Mar 2021 17:41:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 89F4F61987 for ; Tue, 30 Mar 2021 17:41:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232426AbhC3Rkc (ORCPT ); Tue, 30 Mar 2021 13:40:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59052 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232429AbhC3RkJ (ORCPT ); Tue, 30 Mar 2021 13:40:09 -0400 Received: from mail-qv1-xf33.google.com (mail-qv1-xf33.google.com [IPv6:2607:f8b0:4864:20::f33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFFE8C061574 for ; Tue, 30 Mar 2021 10:40:08 -0700 (PDT) Received: by mail-qv1-xf33.google.com with SMTP id iu14so2977804qvb.4 for ; 
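Review bot: with CIL_KEY_TUNABLE added to the condition, the unchanged diagnostic lines still log "Found in-statement" and "in-statements cannot be defined within in-statements", which is wrong when the rejected node is a tunable declaration. Either fold the message rewrite from the following patch into this one or print `(char *)parse_current->data` in the message here, so that this point in the series does not ship a misleading error.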
From: James Carter To: selinux@vger.kernel.org Cc: James Carter Subject: [PATCH 10/12] libsepol/cil: Make invalid statement error messages consistent Date: Tue, 30 Mar 2021 13:40:01 -0400 Message-Id: <20210330174003.281613-1-jwcart2@gmail.com> X-Mailer: git-send-email 2.26.3 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Use a consistent style for the error messages when an invalid statement is found within tunableif, in-statement, block, macro, optional, and booleanif blocks. Signed-off-by: James Carter --- libsepol/cil/src/cil_build_ast.c | 17 ++++++----------- libsepol/cil/src/cil_resolve_ast.c | 10 +++++----- 2 files changed, 11 insertions(+), 16 deletions(-) diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index df7bb950..1e35b8bd 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -6123,8 +6123,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f if (tunif != NULL) { if (parse_current->data == CIL_KEY_TUNABLE) { rc = SEPOL_ERR; - cil_tree_log(parse_current, CIL_ERR, "Found tunable"); - cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n"); + cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in tunableif", (char *)parse_current->data); goto exit; } } @@ -6133,8 +6132,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f if (parse_current->data == CIL_KEY_TUNABLE || parse_current->data == CIL_KEY_IN) { rc = SEPOL_ERR; - cil_tree_log(parse_current, CIL_ERR, "Found in-statement"); - cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n"); + cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in in-statement", (char *)parse_current->data); goto exit; } } 
@@ -6147,7 +6145,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f parse_current->data == CIL_KEY_BLOCKABSTRACT || parse_current->data == CIL_KEY_MACRO) { rc = SEPOL_ERR; - cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in macros", (char *)parse_current->data); + cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in macro", (char *)parse_current->data); goto exit; } } @@ -6159,7 +6157,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f parse_current->data == CIL_KEY_BLOCKABSTRACT || parse_current->data == CIL_KEY_MACRO) { rc = SEPOL_ERR; - cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optionals", (char *)parse_current->data); + cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optional", (char *)parse_current->data); goto exit; } } @@ -6176,13 +6174,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f parse_current->data != CIL_KEY_TYPECHANGE && parse_current->data != CIL_KEY_TYPEMEMBER) { rc = SEPOL_ERR; - cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data); if (((struct cil_booleanif*)boolif->data)->preserved_tunable) { - cil_log(CIL_ERR, "%s cannot be defined within tunableif statement (treated as a booleanif due to preserve-tunables)\n", - (char*)parse_current->data); + cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in tunableif being treated as a booleanif", (char *)parse_current->data); } else { - cil_log(CIL_ERR, "%s cannot be defined within booleanif statement\n", - (char*)parse_current->data); + cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in booleanif", (char *)parse_current->data); } goto exit; } diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 7229a3b4..872b6799 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c 
@@ -3789,7 +3789,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished if (block != NULL) { if (node->flavor == CIL_CAT || node->flavor == CIL_SENS) { - cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node)); + cil_tree_log(node, CIL_ERR, "%s is not allowed in block", cil_node_to_string(node)); rc = SEPOL_ERR; goto exit; } @@ -3802,7 +3802,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished node->flavor == CIL_BLOCKINHERIT || node->flavor == CIL_BLOCKABSTRACT || node->flavor == CIL_MACRO) { - cil_tree_log(node, CIL_ERR, "%s statement is not allowed in macros", cil_node_to_string(node)); + cil_tree_log(node, CIL_ERR, "%s is not allowed in macro", cil_node_to_string(node)); rc = SEPOL_ERR; goto exit; } @@ -3814,7 +3814,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished node->flavor == CIL_BLOCK || node->flavor == CIL_BLOCKABSTRACT || node->flavor == CIL_MACRO) { - cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node)); + cil_tree_log(node, CIL_ERR, "%s is not allowed in optional", cil_node_to_string(node)); rc = SEPOL_ERR; goto exit; } 
@@ -3836,9 +3836,9 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished } if (rc == SEPOL_ERR) { if (((struct cil_booleanif*)boolif->data)->preserved_tunable) { - cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs (tunableif treated as a booleanif)", cil_node_to_string(node)); + cil_tree_log(node, CIL_ERR, "%s is not allowed in tunableif being treated as a booleanif", cil_node_to_string(node)); } else { - cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs", cil_node_to_string(node)); + cil_tree_log(node, CIL_ERR, "%s is not allowed in booleanif", cil_node_to_string(node)); } goto exit; } From patchwork Tue Mar 30 17:40:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12173423 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AC7E9C433DB for ; Tue, 30 Mar 2021 17:41:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 68C5C61864 for ; Tue, 30 Mar 2021 17:41:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231701AbhC3Rke (ORCPT ); Tue, 30 Mar 2021 13:40:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59068 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232001AbhC3RkM (ORCPT ); Tue, 30 Mar 2021 13:40:12 -0400 Received: from 
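Review bot: in the booleanif hunk of cil_build_ast.c, the new text "%s is not allowed in tunableif being treated as a booleanif" drops the "due to preserve-tunables" cue that the old message carried; that cue is what tells a user why a tunableif is suddenly subject to booleanif rules, so consider keeping a short "(preserve-tunables)" mention. Separately, the cil_resolve_ast.c hunks print cil_node_to_string(node) while the cil_build_ast.c hunks print (char *)parse_current->data; for the shared messages ("%s is not allowed in macro", "%s is not allowed in optional") to read identically in both phases, confirm cil_node_to_string() returns the same keyword spelling as the parse-tree data (e.g. "tunable", "in", "blockabstract").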
From: James Carter To: selinux@vger.kernel.org Cc: James Carter Subject: [PATCH 11/12] libsepol/cil: Use CIL_ERR for error messages in cil_compile() Date: Tue, 30 Mar 2021 13:40:02 -0400 Message-Id: <20210330174003.281613-2-jwcart2@gmail.com> X-Mailer: git-send-email 2.26.3 In-Reply-To: <20210330174003.281613-1-jwcart2@gmail.com> References: <20210330174003.281613-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org In cil_compile(), CIL_INFO is being used as the priority for error messages. This can make it difficult to tell when the error occurred. Instead, use CIL_ERR as the priority for the error messages in cil_compile(). Signed-off-by: James Carter --- libsepol/cil/src/cil.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index 99c8e288..b971922c 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -539,7 +539,7 @@ int cil_compile(struct cil_db *db) cil_log(CIL_INFO, "Building AST from Parse Tree\n"); rc = cil_build_ast(db, db->parse->root, db->ast->root); if (rc != SEPOL_OK) { - cil_log(CIL_INFO, "Failed to build ast\n"); + cil_log(CIL_ERR, "Failed to build AST\n"); goto exit; } 
@@ -549,21 +549,21 @@ int cil_compile(struct cil_db *db) cil_log(CIL_INFO, "Resolving AST\n"); rc = cil_resolve_ast(db, db->ast->root); if (rc != SEPOL_OK) { - cil_log(CIL_INFO, "Failed to resolve ast\n"); + cil_log(CIL_ERR, "Failed to resolve AST\n"); goto exit; } cil_log(CIL_INFO, "Qualifying Names\n"); rc = cil_fqn_qualify(db->ast->root); if (rc != SEPOL_OK) { - cil_log(CIL_INFO, "Failed to qualify names\n"); + cil_log(CIL_ERR, "Failed to qualify names\n"); goto exit; } cil_log(CIL_INFO, "Compile post process\n"); rc = cil_post_process(db); if (rc != SEPOL_OK ) { - cil_log(CIL_INFO, "Post process failed\n"); + cil_log(CIL_ERR, "Post process failed\n"); goto exit; } From patchwork Tue Mar 30 17:40:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12173427 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C3C1C433E1 for ; Tue, 30 Mar 2021 17:41:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EA83961864 for ; Tue, 30 Mar 2021 17:41:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231951AbhC3Rkf (ORCPT ); Tue, 30 Mar 2021 13:40:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59076 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232126AbhC3RkN (ORCPT ); Tue, 30 Mar 2021 13:40:13 -0400 
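Review bot: raising these four phase-failure messages to CIL_ERR matches the stated goal of making it clear at which stage compilation stopped; while they are being rewritten, "Post process failed" could become "Failed to post process" so all four share the "Failed to ..." shape, and the stray space in `if (rc != SEPOL_OK )` in the unchanged context of the last hunk could be tidied in the same patch.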
From: James Carter To: selinux@vger.kernel.org Cc: James Carter Subject: [PATCH 12/12] secilc/docs: Update the CIL documentation for various blocks Date: Tue, 30 Mar 2021 13:40:03 -0400 Message-Id: <20210330174003.281613-3-jwcart2@gmail.com> X-Mailer: git-send-email 2.26.3 In-Reply-To: <20210330174003.281613-1-jwcart2@gmail.com> References: <20210330174003.281613-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Update the documentation for macros, booleans, booleanifs, tunables, tunableifs, blocks, blockabstracts, blockinherits, and optionals to tell where these statements can be used and, for those that have blocks, what statements are not allowed in them. Signed-off-by: James Carter --- secilc/docs/cil_call_macro_statements.md | 2 ++ secilc/docs/cil_conditional_statements.md | 6 +++++ secilc/docs/cil_container_statements.md | 28 +++++++++++++++-------- 3 files changed, 26 insertions(+), 10 deletions(-) diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md index 332eb28f..352a9fb0 100644 --- a/secilc/docs/cil_call_macro_statements.md +++ b/secilc/docs/cil_call_macro_statements.md @@ -58,6 +58,8 @@ When resolving macros the following places are checked in this order: - Items defined in the global namespace +[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. + **Statement definition:** ```secil 
diff --git a/secilc/docs/cil_conditional_statements.md b/secilc/docs/cil_conditional_statements.md index a55a9b6c..d0c8e2ce 100644 --- a/secilc/docs/cil_conditional_statements.md +++ b/secilc/docs/cil_conditional_statements.md @@ -6,6 +6,8 @@ boolean Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file. +[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. + **Statement definition:** ```secil @@ -126,6 +128,8 @@ Tunables are similar to booleans, however they are used to manage areas of CIL s Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags. +Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks. + **Statement definition:** ```secil 
@@ -164,6 +168,8 @@ tunableif Compile time conditional statement that may or may not add CIL statements to be compiled. +If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. + **Statement definition:** ```secil diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md index 76e9da51..c75c2d7c 100644 --- a/secilc/docs/cil_container_statements.md +++ b/secilc/docs/cil_container_statements.md @@ -4,7 +4,11 @@ Container Statements block ----- -Start a new namespace where any CIL statement is valid. +Start a new namespace. + +Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. + +[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks. **Statement definition:** @@ -47,6 +51,8 @@ blockabstract Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement. +Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. + **Statement definition:** ```secil 
@@ -97,6 +103,8 @@ blockinherit Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. +Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. + **Statement definition:** ```secil 
@@ -199,15 +207,11 @@ This example contains a template `client_server` that is instantiated in two blo optional -------- -Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid: +Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. -| | | | | -| ------------------- | -------------- | ------------------ | ------------------ | -| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) | -| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) | -| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) | -| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) | -| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | | +Not 
allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. + +[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks. **Statement definition:** @@ -266,7 +270,11 @@ This example will instantiate the optional block `ext_gateway.move_file` into po in -- -Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit). +Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). + +Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks. + +[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks. **Statement definition:**
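Review bot: in the cil_conditional_statements.md boolean hunk, "[`boolean`](...) are not allowed in [`booleanif`](...) blocks." needs "statements" after the link to read as a sentence; the tunable paragraph added in the same file already uses "[`tunable`](...) statements are not allowed in ...", so match that wording.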
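Review bot: the optional hunk in cil_container_statements.md drops the table of policy statements valid inside an optional, and the in hunk drops the sentence that in-statements only work for containers not inherited with blockinherit (whose link also pointed at the wrong file, cil_conditional_statements.md#blockinherit rather than cil_container_statements.md#blockinherit). If those restrictions still hold they should stay, with the link corrected; if they were inaccurate, the commit message should say the removals are corrections rather than reformatting.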