From patchwork Tue Jun 15 18:56:53 2021
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 12322673
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 1/3] libsepol/cil: Fix anonymous IP address call arguments
Date: Tue, 15 Jun 2021 14:56:53 -0400
Message-Id: <20210615185655.34064-2-jwcart2@gmail.com>
X-Mailer: git-send-email 2.26.3
In-Reply-To: <20210615185655.34064-1-jwcart2@gmail.com>
References: <20210615185655.34064-1-jwcart2@gmail.com>

A named IP address (using an ipaddr rule) could be passed as an
argument, but trying to pass an actual IP address caused an error.

As an example, consider the following portion of a policy.

(macro m4 ((ipaddr ip)(ipaddr nm))
  (nodecon ip nm (USER ROLE TYPE ((s0) (s0))))
)
(ipaddr nm1 255.255.255.0)
(ipaddr ip1 1.2.3.4)
(call m4 (ip1 nm1))                  ; This works
(call m4 (1.2.3.4 255.255.255.0))    ; This doesn't

Allow actual IP addresses to be passed as a call argument.

Now the second call works as well.

Signed-off-by: James Carter
---
 libsepol/cil/src/cil_build_ast.c   |  4 ----
 libsepol/cil/src/cil_resolve_ast.c | 23 ++++++++++-------------
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 71f14e20..538df279 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -5642,10 +5642,6 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr) goto exit; } - if (addr_node->cl_head != NULL || addr_node->next != NULL) { - goto exit; - } - if (strchr(addr_node->data, '.') != NULL) { addr->family = AF_INET; } else {
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 77ffe0ff..16c8c753 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
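Review bot: the cil_build_ast.c hunk (@@ -5642,10 +5642,6 @@) deletes the only structural check in cil_fill_ipaddr, `if (addr_node->cl_head != NULL || addr_node->next != NULL) { goto exit; }`, so the function now trusts every caller to hand it a bare string node with no children and no trailing sibling. The new call site in cil_build_call_args is safe because it only reaches cil_fill_ipaddr when `arg_node->data` contains '.' or ':', but the other callers of cil_fill_ipaddr are not part of this patch; please confirm each of them already rejects a list or an extra sibling before the call, or keep the `cl_head`/`next` test and relax only the part that broke the anonymous-argument case. The remaining family selection, `strchr(addr_node->data, '.') != NULL` for AF_INET and AF_INET6 otherwise, is untouched, so any malformed string that slips through now fails later in parsing rather than here.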
@@ -3024,14 +3024,18 @@ static int cil_build_call_args(struct cil_tree_node *call_node, struct cil_call break; } case CIL_IPADDR: { - if (arg_node->cl_head != NULL) { + if (arg_node->data == NULL) { + cil_tree_log(call_node, CIL_ERR, "Invalid macro parameter"); + cil_destroy_args(arg); + rc = SEPOL_ERR; + goto exit; + } else if (strchr(arg_node->data, '.') || strchr(arg_node->data, ':')) { struct cil_ipaddr *ipaddr = NULL; struct cil_tree_node *addr_node = NULL; cil_ipaddr_init(&ipaddr); - - rc = cil_fill_ipaddr(arg_node->cl_head, ipaddr); + rc = cil_fill_ipaddr(arg_node, ipaddr); if (rc != SEPOL_OK) { - cil_log(CIL_ERR, "Failed to create anonymous ip address, rc: %d\n", rc); + cil_tree_log(call_node, CIL_ERR, "Failed to create anonymous ip address"); cil_destroy_ipaddr(ipaddr); cil_destroy_args(arg); goto exit; 
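Review bot: in this hunk the named-versus-anonymous decision is purely lexical: `} else if (strchr(arg_node->data, '.') || strchr(arg_node->data, ':')) {` routes any argument containing a dot or a colon to cil_fill_ipaddr, so a named ipaddr whose identifier contains either character would be parsed as a literal and rejected with "Failed to create anonymous ip address" instead of being resolved by name. If CIL identifiers may contain those characters, consider attempting the symbol lookup first and treating the argument as a literal only when the lookup fails, or state the restriction in the commit message. Minor: the new `cil_tree_log(call_node, CIL_ERR, "Failed to create anonymous ip address");` drops the `rc: %d` that the old cil_log printed; that is fine if cil_fill_ipaddr reports its own reason, otherwise keep the return code in the message.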
@@ -3039,18 +3043,11 @@ static int cil_build_call_args(struct cil_tree_node *call_node, struct cil_call cil_tree_node_init(&addr_node); addr_node->flavor = CIL_IPADDR; addr_node->data = ipaddr; - cil_list_append(((struct cil_symtab_datum*)ipaddr)->nodes, - CIL_LIST_ITEM, addr_node); - arg->arg = (struct cil_symtab_datum*)ipaddr; - } else if (arg_node->data == NULL) { - cil_tree_log(call_node, CIL_ERR, "Invalid macro parameter"); - cil_destroy_args(arg); - rc = SEPOL_ERR; - goto exit; + cil_list_append(DATUM(ipaddr)->nodes, CIL_LIST_ITEM, addr_node); + arg->arg = DATUM(ipaddr); } else { arg->arg_str = arg_node->data; } - break; } case CIL_CLASS:
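Review bot: in the second cil_resolve_ast.c hunk of PATCH 1/3 (@@ -3039,18 +3043,11 @@) the `- break;` line removes the only `break;` in the CIL_IPADDR case and nothing re-adds one; the trailing context is `}` followed directly by `case CIL_CLASS:`, so after a successfully handled IP-address argument control falls through into `case CIL_CLASS:` and the same arg_node is processed a second time as a class argument, which can overwrite `arg->arg` / `arg->arg_str` or fail the call. Please keep the `break;`, matching the `break; }` pattern visible in the context at the top of the previous hunk. The `DATUM(ipaddr)` cleanup in the two `+` lines is fine.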
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 2/3] libsepol/cil: Account for anonymous category sets in an expression
Date: Tue, 15 Jun 2021 14:56:54 -0400
Message-Id: <20210615185655.34064-3-jwcart2@gmail.com>
X-Mailer: git-send-email 2.26.3
In-Reply-To: <20210615185655.34064-1-jwcart2@gmail.com>
References: <20210615185655.34064-1-jwcart2@gmail.com>

It is possible for anonymous category sets to be in a category
expression if the expression has a macro parameter in it.
Unfortunately, anonymous category sets are not looked for when
resolving category expressions and a segfault will occur during
later processing if there was one.

As an example, consider the following portion of a policy.

(macro m1 ((categoryset cs))
  (userlevel USER (s0 (cs)))
)
(call m1 ((c0 c1)))

This policy will cause a segfault, because the categoryset datum for
the parameter cs is not seen as a categoryset and is treated as a
plain category.

When resolving an expression, check whether or not the datum that is
found is actually an anonymous category set associated with a macro
parameter. If it is, then resolve the category set if it has not
already been resolved and treat its categories as a sub expression.

Signed-off-by: James Carter
---
 libsepol/cil/src/cil_resolve_ast.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 16c8c753..42a58468 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -3346,6 +3346,7 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc struct cil_list_item *curr; struct cil_symtab_datum *res_datum = NULL; enum cil_sym_index sym_index = CIL_SYM_UNKNOWN; + struct cil_list *datum_sub_expr; switch (str_expr->flavor) { case CIL_BOOL: @@ -3379,18 +3380,26 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc if (rc != SEPOL_OK) { goto exit; } - - if (sym_index == CIL_SYM_TYPES && (expr_type == CIL_CONSTRAIN || expr_type == CIL_VALIDATETRANS)) { - cil_type_used(res_datum, CIL_ATTR_CONSTRAINT); + if (sym_index == CIL_SYM_CATS && NODE(res_datum)->flavor == CIL_CATSET) { + struct cil_catset *catset = (struct cil_catset *)res_datum; + if (!catset->cats->datum_expr) { + rc = cil_resolve_expr(expr_type, catset->cats->str_expr, &catset->cats->datum_expr, parent, extra_args); + if (rc != SEPOL_OK) { + goto exit; + } + } + cil_copy_list(catset->cats->datum_expr, &datum_sub_expr); + cil_list_append(*datum_expr, CIL_LIST, datum_sub_expr); + } else { + if (sym_index == CIL_SYM_TYPES && (expr_type == CIL_CONSTRAIN || expr_type == CIL_VALIDATETRANS)) { + cil_type_used(res_datum, CIL_ATTR_CONSTRAINT); + } + cil_list_append(*datum_expr, CIL_DATUM, res_datum); } - - cil_list_append(*datum_expr, CIL_DATUM, res_datum); break; case CIL_LIST: { - struct cil_list *datum_sub_expr; rc = cil_resolve_expr(expr_type, curr->data, &datum_sub_expr, parent, extra_args); if (rc != SEPOL_OK) { - cil_list_destroy(&datum_sub_expr, CIL_TRUE); goto exit; } cil_list_append(*datum_expr, CIL_LIST, datum_sub_expr); 
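Review bot: in the @@ -3379,18 +3380,26 @@ hunk the new condition `if (sym_index == CIL_SYM_CATS && NODE(res_datum)->flavor == CIL_CATSET) {` matches every category set datum, not only the anonymous ones the commit message describes ("check whether or not the datum that is found is actually an anonymous category set associated with a macro parameter"). A named set used inside an expression, for example `(sensitivitycategory s0 (cs01 c2 c3))` in the test policy of PATCH 3/3, is now also expanded in place via `cil_copy_list(catset->cats->datum_expr, &datum_sub_expr)` instead of being appended as a CIL_DATUM reference. If inlining named sets is intended, the commit message should say so, because later passes now see a different shape for them; if not, the check needs to distinguish an anonymous set from a declared one. Also, the lazily resolved set is resolved with the current expression's `parent` and `extra_args`, not with the scope of the call that created the anonymous argument; a short comment explaining why that scope is correct for name lookup would help the next reader.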
@@ -3404,6 +3413,7 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc return SEPOL_OK; exit: + cil_list_destroy(datum_expr, CIL_FALSE); return rc; }
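Review bot: in the @@ -3404,6 +3413,7 @@ hunk of PATCH 2/3, adding `cil_list_destroy(datum_expr, CIL_FALSE);` at `exit:` makes cil_resolve_expr free the caller's partially built list on every failure, which is what lets the previous hunk drop `cil_list_destroy(&datum_sub_expr, CIL_TRUE);` from the CIL_LIST error path (the recursive call now frees its own `*datum_expr`, and the outer call frees the list it was appending to). Please check every caller of cil_resolve_expr for code that destroys `*datum_expr` itself after a failed call, since that would now act on an already released list, and mention the CIL_TRUE to CIL_FALSE switch in the commit message: CIL_FALSE is correct if the list items only reference symtab datums owned elsewhere, but as written the change is silent.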
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 3/3] secilc/test: Add test for anonymous args
Date: Tue, 15 Jun 2021 14:56:55 -0400
Message-Id: <20210615185655.34064-4-jwcart2@gmail.com>
X-Mailer: git-send-email 2.26.3
In-Reply-To: <20210615185655.34064-1-jwcart2@gmail.com>
References: <20210615185655.34064-1-jwcart2@gmail.com>

CIL has rules that allow names to be assigned to certain objects like
MLS category sets, MLS levels, MLS ranges, IP addresses, and class
permission sets. These objects can also be named as parameters for a
macro. A call may pass in a name for one of these objects, but it also
may pass in one of the actual objects. These objects are referred to
as anonymous arguments.

Add CIL policy that can be used to test whether or not anonymous
arguments are being handled properly in macros. Also test the
equivalent named arguments to help determine if the problem is with
that argument type or just with an anonymous argument of that type.

The anonymous arguments that are tested are categoryset, level,
levelrange, ipaddr, and classpermission.

Signed-off-by: James Carter
---
 secilc/test/anonymous_arg_test.cil | 106 +++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 secilc/test/anonymous_arg_test.cil

diff --git a/secilc/test/anonymous_arg_test.cil b/secilc/test/anonymous_arg_test.cil
new file mode 100644
index 00000000..46f8ce73
--- /dev/null
+++ b/secilc/test/anonymous_arg_test.cil
@@ -0,0 +1,106 @@ +;; Test anonymous args + +(mls true) +(class CLASS (PERM)) +(classorder (CLASS)) +(sid SID) +(sidorder (SID)) +(user USER) +(role ROLE) +(type TYPE) +(category CAT) +(categoryorder (CAT)) +(sensitivity SENS) +(sensitivityorder (SENS)) +(sensitivitycategory SENS (CAT)) +(allow TYPE self (CLASS (PERM))) +(roletype ROLE TYPE) +(userrole USER ROLE) +(userlevel USER (SENS)) +(userrange USER ((SENS)(SENS (CAT)))) +(sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) + +(category c0) +(category c1) +(category c2) +(category c3) +(categoryorder (CAT c0 c1 c2 c3)) +(categoryset cs01 (c0 c1)) +(categoryset cs03 (range c0 c3)) + +(sensitivity s0) +(sensitivity s1) +(sensitivity s2) +(sensitivity s3) +(sensitivityorder (SENS s0 s1 s2 s3)) + +(sensitivitycategory s0 (cs01 c2 c3)) +(sensitivitycategory s1 (c0 c1 c2 c3)) +(sensitivitycategory s2 (c0 c1 c2 c3)) +(sensitivitycategory s3 (range c0 c3)) + +(level lvl (s0 (c0))) +(level lvl0 (s0)) +(level lvl3 (s3 (range c0 c3))) + +(levelrange rng ((s0) (s3 (c0 c1 c2 c3)))) + +(user u1) +(user u2) +(user u3) +(user u4) + +(userrole u1 ROLE) +(userrole u2 ROLE) +(userrole u3 ROLE) +(userrole u4 ROLE) + +; Test categoryset +(macro m1 ((user u)(sensitivity s)(categoryset cs)) + (userlevel u (s (cs))) +) +(call m1 (u1 s1 (c0 c1))) +(call m1 (u2 s2 cs01)) + +; Test level +(macro m2 ((user u)(level l)) + (userlevel u l) +) +(call m2 (u3 (s3 (c2)))) +(call m2 (u4 lvl)) + +; Test levelrange +(macro m3 ((user u)(levelrange lr)) + (userrange u lr) +) +(call m3 (u1 ((s0) (s3 (range c0 c3))))) +(call m3 (u2 (lvl0 (s3 (cs03))))) +(call m3 (u3 (lvl0 lvl3))) +(call m3 (u4 rng)) + +; Test ipaddr +(macro m4 ((user u)(ipaddr nm)(ipaddr ip)) + (nodecon ip nm (u ROLE TYPE ((s0) (s0)))) +) +(ipaddr nm1 255.255.255.0) +(ipaddr ip4 1.2.3.4) +(call m4 (u1 nm1 192.25.35.200)) +(call m4 (u2 255.255.255.0 ip4)) + +; Test classpermission +(type t1) +(type t2) +(type t3) + +(classpermission cp1) +(classpermissionset cp1 (CLASS (PERM))) + 
+(classmap cm1 (cm1p)) +(classmapping cm1 cm1p (CLASS (PERM))) + +(macro m5 ((type t)(classpermission cp)) + (allow t self cp) +) +(call m5 (t1 (CLASS (PERM)))) +(call m5 (t2 cp1)) +(call m5 (t3 (cm1 (cm1p))))
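Review bot: the ipaddr section of anonymous_arg_test.cil only exercises IPv4 literals (`(call m4 (u1 nm1 192.25.35.200))` and `(call m4 (u2 255.255.255.0 ip4))`), while the dispatch added in PATCH 1/3 also treats any argument containing ':' as an anonymous address; an IPv6 case (an anonymous IPv6 address and netmask passed to m4, with the equivalent named `ipaddr` declarations alongside, as the file does for IPv4) would cover the second half of that `strchr` check. It would also be worth one m4 call that passes both ipaddr parameters anonymously, since every existing call mixes one named and one anonymous argument and so would not catch a problem that only appears when no named ipaddr is present in the call.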