From patchwork Tue Jun 29 15:13:59 2021
From: James Carter
To: selinux@vger.kernel.org
Cc: nicolas.iooss@m4x.org, James Carter
Subject: [PATCH 1/4 v2] libsepol/cil: Provide option to allow qualified names in declarations
Date: Tue, 29 Jun 2021 11:13:59 -0400
Message-Id: <20210629151402.41071-1-jwcart2@gmail.com>

Qualified names have "dots" in them. They are generated when a CIL policy is compiled and come from declarations in blocks. If a kernel policy is decompiled into a CIL policy, the resulting policy could have declarations that use qualified names. Compiling this policy would result in an error because "dots" in declarations are not allowed.

Qualified names in a policy are normally used to refer to the name of identifiers, blocks, macros, or optionals that are declared in a different block (that is not a parent). Name resolution is based on splitting a name based on the "dots", searching the parents up to the global namespace for the first block using the first part of the name, using the second part of the name to look up the next block using the first block's symbol tables, looking up the third block in the second's symbol tables, and so on.

To allow the option of using qualified names in declarations:

1) Create a field in the struct cil_db called "qualified_names" which is set to CIL_TRUE when qualified names are to be used. This field is checked in cil_verify_name() and "dots" are allowed if qualified names are being allowed.

2) Only allow the direct lookup of the whole name in the global symbol table. This means that blocks, blockinherits, blockabstracts, and in-statements cannot be allowed. Use the "qualified_names" field of the cil_db to know when using one of these should result in an error.

3) Create the function cil_set_qualified_names() that is used to set the "qualified_names" field. Export the function in libsepol.
Signed-off-by: James Carter Acked-by: Nicolas Iooss --- v2: Fixed misspelling in commit message Make struct cil_db * const in cil_verify_name() libsepol/cil/include/cil/cil.h | 1 + libsepol/cil/src/cil.c | 6 ++++++ libsepol/cil/src/cil_build_ast.c | 24 ++++++++++++++++++++++-- libsepol/cil/src/cil_internal.h | 1 + libsepol/cil/src/cil_resolve_ast.c | 4 ++-- libsepol/cil/src/cil_verify.c | 19 ++++++++++++++----- libsepol/cil/src/cil_verify.h | 2 +- libsepol/src/libsepol.map.in | 1 + 8 files changed, 48 insertions(+), 10 deletions(-) diff --git a/libsepol/cil/include/cil/cil.h b/libsepol/cil/include/cil/cil.h index 92fac6e1..482ca522 100644 --- a/libsepol/cil/include/cil/cil.h +++ b/libsepol/cil/include/cil/cil.h @@ -51,6 +51,7 @@ extern int cil_selinuxusers_to_string(cil_db_t *db, char **out, size_t *size); extern int cil_filecons_to_string(cil_db_t *db, char **out, size_t *size); extern void cil_set_disable_dontaudit(cil_db_t *db, int disable_dontaudit); extern void cil_set_multiple_decls(cil_db_t *db, int multiple_decls); +extern void cil_set_qualified_names(struct cil_db *db, int qualified_names); extern void cil_set_disable_neverallow(cil_db_t *db, int disable_neverallow); extern void cil_set_preserve_tunables(cil_db_t *db, int preserve_tunables); extern int cil_set_handle_unknown(cil_db_t *db, int handle_unknown); diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index 9d5038d9..3f2e6927 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -440,6 +440,7 @@ void cil_db_init(struct cil_db **db) (*db)->handle_unknown = -1; (*db)->mls = -1; (*db)->multiple_decls = CIL_FALSE; + (*db)->qualified_names = CIL_FALSE; (*db)->target_platform = SEPOL_TARGET_SELINUX; (*db)->policy_version = POLICYDB_VERSION_MAX; } 
@@ -1872,6 +1873,11 @@ void cil_set_multiple_decls(struct cil_db *db, int multiple_decls) db->multiple_decls = multiple_decls; } +void cil_set_qualified_names(struct cil_db *db, int qualified_names) +{ + db->qualified_names = qualified_names; +} + void cil_set_target_platform(struct cil_db *db, int target_platform) { db->target_platform = target_platform; diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index baed3e58..9da90883 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -146,7 +146,7 @@ int cil_gen_node(struct cil_db *db, struct cil_tree_node *ast_node, struct cil_s int rc = SEPOL_ERR; symtab_t *symtab = NULL; - rc = cil_verify_name((const char*)key, nflavor); + rc = cil_verify_name(db, (const char*)key, nflavor); if (rc != SEPOL_OK) { goto exit; } @@ -204,6 +204,11 @@ int cil_gen_block(struct cil_db *db, struct cil_tree_node *parse_current, struct goto exit; } + if (db->qualified_names) { + cil_log(CIL_ERR, "Blocks are not allowed when the option for qualified names is used\n"); + goto exit; + } + rc = __cil_verify_syntax(parse_current, syntax, syntax_len); if (rc != SEPOL_OK) { goto exit; @@ -274,6 +279,11 @@ int cil_gen_blockinherit(struct cil_db *db, struct cil_tree_node *parse_current, goto exit; } + if (db->qualified_names) { + cil_log(CIL_ERR, "Block inherit rules are not allowed when the option for qualified names is used\n"); + goto exit; + } + rc = __cil_verify_syntax(parse_current, syntax, syntax_len); if (rc != SEPOL_OK) { goto exit; @@ -331,6 +341,11 @@ int cil_gen_blockabstract(struct cil_db *db, struct cil_tree_node *parse_current goto exit; } + if (db->qualified_names) { + cil_log(CIL_ERR, "Block abstract rules are not allowed when the option for qualified names is used\n"); + goto exit; + } + rc = __cil_verify_syntax(parse_current, syntax, syntax_len); if (rc != SEPOL_OK) { goto exit; 
@@ -376,6 +391,11 @@ int cil_gen_in(struct cil_db *db, struct cil_tree_node *parse_current, struct ci goto exit; } + if (db->qualified_names) { + cil_log(CIL_ERR, "In-statements are not allowed when the option for qualified names is used\n"); + goto exit; + } + rc = __cil_verify_syntax(parse_current, syntax, syntax_len); if (rc != SEPOL_OK) { goto exit; @@ -5261,7 +5281,7 @@ int cil_gen_macro(struct cil_db *db, struct cil_tree_node *parse_current, struct param->str = current_item->cl_head->next->data; - rc = cil_verify_name(param->str, param->flavor); + rc = cil_verify_name(db, param->str, param->flavor); if (rc != SEPOL_OK) { cil_destroy_param(param); goto exit; diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index 8b9aeabf..f184d739 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h @@ -321,6 +321,7 @@ struct cil_db { int handle_unknown; int mls; int multiple_decls; + int qualified_names; int target_platform; int policy_version; }; diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 5245cc15..27efffa6 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -4409,8 +4409,8 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en *datum = NULL; - if (strchr(name,'.') == NULL) { - /* No '.' in name */ + if (db->qualified_names || strchr(name,'.') == NULL) { + /* Using qualified names or No '.' in name */ rc = __cil_resolve_name_helper(db, ast_node->parent, name, sym_index, datum); if (rc != SEPOL_OK) { goto exit; diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c index 59397f70..ce3fcd8c 100644 --- a/libsepol/cil/src/cil_verify.c +++ b/libsepol/cil/src/cil_verify.c 
@@ -92,7 +92,7 @@ static int __cil_is_reserved_name(const char *name, enum cil_flavor flavor) return CIL_FALSE; } -int cil_verify_name(const char *name, enum cil_flavor flavor) +int cil_verify_name(const struct cil_db *db, const char *name, enum cil_flavor flavor) { int rc = SEPOL_ERR; int len; @@ -116,10 +116,19 @@ int cil_verify_name(const char *name, enum cil_flavor flavor) goto exit; } - for (i = 1; i < len; i++) { - if (!isalnum(name[i]) && name[i] != '_' && name[i] != '-') { - cil_log(CIL_ERR, "Invalid character \"%c\" in %s\n", name[i], name); - goto exit; + if (db->qualified_names == CIL_FALSE) { + for (i = 1; i < len; i++) { + if (!isalnum(name[i]) && name[i] != '_' && name[i] != '-') { + cil_log(CIL_ERR, "Invalid character \"%c\" in %s\n", name[i], name); + goto exit; + } + } + } else { + for (i = 1; i < len; i++) { + if (!isalnum(name[i]) && name[i] != '_' && name[i] != '-' && name[i] != '.') { + cil_log(CIL_ERR, "Invalid character \"%c\" in %s\n", name[i], name); + goto exit; + } } } diff --git a/libsepol/cil/src/cil_verify.h b/libsepol/cil/src/cil_verify.h index 4ea14f5b..26e195a9 100644 --- a/libsepol/cil/src/cil_verify.h +++ b/libsepol/cil/src/cil_verify.h @@ -56,7 +56,7 @@ struct cil_args_verify { int *pass; }; -int cil_verify_name(const char *name, enum cil_flavor flavor); +int cil_verify_name(const struct cil_db *db, const char *name, enum cil_flavor flavor); int __cil_verify_syntax(struct cil_tree_node *parse_current, enum cil_syntax s[], int len); int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, enum cil_flavor expr_flavor); int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_flavor r_flavor, enum cil_flavor op, enum cil_flavor expr_flavor); diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in index 2e503bd1..0e05d606 100644 --- a/libsepol/src/libsepol.map.in +++ b/libsepol/src/libsepol.map.in 
@@ -272,4 +272,5 @@ LIBSEPOL_3.0 { cil_write_parse_ast; cil_write_build_ast; cil_write_resolve_ast; + cil_set_qualified_names; } LIBSEPOL_1.1; From patchwork Tue Jun 29 15:14:00 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12350177 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EF50AC11F69 for ; Tue, 29 Jun 2021 15:14:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CE71C61DAD for ; Tue, 29 Jun 2021 15:14:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234613AbhF2PQg (ORCPT ); Tue, 29 Jun 2021 11:16:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56076 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232521AbhF2PQf (ORCPT ); Tue, 29 Jun 2021 11:16:35 -0400 Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AD941C061760 for ; Tue, 29 Jun 2021 08:14:08 -0700 (PDT) Received: by mail-qt1-x82b.google.com with SMTP id t9so16341682qtw.7 for ; Tue, 29 Jun 2021 08:14:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; 
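Review bot: the new prototype in the cil.h hunk takes `struct cil_db *db` while every neighbouring declaration in that hunk (cil_set_disable_dontaudit, cil_set_multiple_decls, cil_set_disable_neverallow, cil_set_preserve_tunables) uses `cil_db_t *db`; using the typedef keeps the public header consistent.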
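Review bot: the four new `if (db->qualified_names)` checks in the cil_gen_block(), cil_gen_blockinherit(), cil_gen_blockabstract() and cil_gen_in() hunks of cil_build_ast.c log through cil_log(CIL_ERR, ...) with no policy location, so someone compiling a large decompiled policy gets no file or line for the rejected statement; consider logging against parse_current, and since the four blocks differ only in the message text, a small helper taking the statement name would avoid the copies. Each `goto exit` also relies on rc still holding its initial error value at that point, which is worth confirming in all four functions.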
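Review bot: in the cil_verify.c hunk the two loops differ only in the extra `name[i] != '.'` test, so the duplicated body could be one loop with `if (name[i] == '.' && db->qualified_names) continue;` ahead of the existing check. Also, because '.' is accepted at every index from 1 on, names such as `a..b` or `a.` pass cil_verify_name() in qualified-names mode; if those are not meaningful as decompiled declaration names, rejecting empty components would be worth adding.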
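As an added illustration, not code from this patch or from libsepol, of the two behaviours the [PATCH 1/4 v2] commit message describes: the character rule in the cil_verify_name() hunk and the dotted-name resolution walk, with and without the qualified-names option. The struct block, the two sample block trees and all function names are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L /* for strtok_r */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of CIL scoping: a block owns the identifiers it declares
 * and its child blocks; the global namespace is the block with no parent. */
struct block {
    const char *name;
    const struct block *parent;
    const char *syms[4];
    const struct block *children[4];
    int nsyms, nchildren;
};

/* Character rule from the cil_verify_name() hunk: from the second character on
 * only [A-Za-z0-9_-] is accepted, plus '.' when qualified_names is set. The
 * first-character and length checks before that loop are not modelled here. */
int verify_name(int qualified_names, const char *name)
{
    for (size_t i = 1, len = strlen(name); i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isalnum(c) || c == '_' || c == '-' || (c == '.' && qualified_names))
            continue;
        return 0; /* invalid character, as cil_verify_name() would report */
    }
    return 1;
}

static const char *lookup_sym(const struct block *b, const char *name)
{
    for (int i = 0; i < b->nsyms; i++)
        if (strcmp(b->syms[i], name) == 0) return b->syms[i];
    return NULL;
}
static const struct block *lookup_block(const struct block *b, const char *name)
{
    for (int i = 0; i < b->nchildren; i++)
        if (strcmp(b->children[i]->name, name) == 0) return b->children[i];
    return NULL;
}

/* Resolution as the commit message describes it: with qualified_names set, or
 * no '.' in the name, the whole name is looked up in the current scope and its
 * parents up to global (with -Q blocks are rejected, so this is the direct global
 * lookup); otherwise the first part names a block found by walking up to global,
 * each middle part a child block of the previous one, the last the identifier. */
const char *resolve_name(int qualified_names, const struct block *scope, const char *name)
{
    if (qualified_names || strchr(name, '.') == NULL) {
        for (; scope != NULL; scope = scope->parent) {
            const char *s = lookup_sym(scope, name);
            if (s != NULL)
                return s;
        }
        return NULL;
    }
    char buf[128], *parts[16], *save = NULL;
    int n = 0;
    if (snprintf(buf, sizeof(buf), "%s", name) >= (int)sizeof(buf))
        return NULL; /* name too long for this toy */
    /* strtok_r skips empty components, so "net." yields one part and fails below */
    for (char *p = strtok_r(buf, ".", &save); p != NULL && n < 16; p = strtok_r(NULL, ".", &save))
        parts[n++] = p;
    if (n < 2)
        return NULL; /* a block name with no identifier after it */
    const struct block *cur = NULL;
    for (const struct block *s = scope; s != NULL && cur == NULL; s = s->parent)
        cur = lookup_block(s, parts[0]);
    for (int i = 1; i < n - 1 && cur != NULL; i++)
        cur = lookup_block(cur, parts[i]);
    return cur != NULL ? lookup_sym(cur, parts[n - 1]) : NULL;
}

/* Constructed samples: the nested form of a hand-written policy and the flat
 * form of a decompiled one, where the dotted names are the declarations. */
static struct block g_global, g_net, g_app, f_global;

static void build_samples(void)
{
    /* nested: (block net (type sock_t)) (block app (type app_t)) */
    g_global.name = "global";
    g_net.name = "net"; g_net.parent = &g_global; g_net.syms[0] = "sock_t"; g_net.nsyms = 1;
    g_app.name = "app"; g_app.parent = &g_global; g_app.syms[0] = "app_t"; g_app.nsyms = 1;
    g_global.children[0] = &g_net; g_global.children[1] = &g_app; g_global.nchildren = 2;
    /* flat, needs -Q: (type net.sock_t) (type app.app_t) at global scope */
    f_global.name = "global";
    f_global.syms[0] = "net.sock_t"; f_global.syms[1] = "app.app_t"; f_global.nsyms = 2;
}

const struct block *nested_app_scope(void) { build_samples(); return &g_app; }
const struct block *flat_global_scope(void) { build_samples(); return &f_global; }

int main(void)
{
    printf("with -Q, '%s' verifies=%d and resolves in the flat db=%d\n", "net.sock_t",
           verify_name(1, "net.sock_t"), resolve_name(1, flat_global_scope(), "net.sock_t") != NULL);
    return 0;
}
```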
From: James Carter To: selinux@vger.kernel.org Cc: nicolas.iooss@m4x.org, James Carter Subject: [PATCH 2/4 v2] secilc: Add support for using qualified names to secilc Date: Tue, 29 Jun 2021 11:14:00 -0400 Message-Id: <20210629151402.41071-2-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210629151402.41071-1-jwcart2@gmail.com> References: <20210629151402.41071-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Provide the option "-Q" or "--qualified-names" to indicate that the policy is using qualified names. Using qualified names means that declaration names can have "dots" in them, but blocks, blockinherits, blockabstracts, and in-statements are not allowed in the policy. The libsepol function cil_set_qualified_names() is called with the desired value for the CIL db's "qualified_names" field. Signed-off-by: James Carter --- v2: Changed the language for the man page and "--help" documentation secilc/secilc.8.xml | 5 +++++ secilc/secilc.c | 11 ++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/secilc/secilc.8.xml b/secilc/secilc.8.xml index 2b734f09..e9a121e2 100644 --- a/secilc/secilc.8.xml +++ b/secilc/secilc.8.xml @@ -75,6 +75,11 @@ Treat tunables as booleans. + + + Allow names containing dots (qualified names). Blocks, blockinherits, blockabstracts, and in-statements will not be allowed. + + Allow some statements to be re-declared. diff --git a/secilc/secilc.c b/secilc/secilc.c index 9c78e425..1c4f1ca0 100644 --- a/secilc/secilc.c +++ b/secilc/secilc.c 
@@ -63,6 +63,9 @@ static __attribute__((__noreturn__)) void usage(const char *prog) printf(" statement if present in the policy\n"); printf(" -D, --disable-dontaudit do not add dontaudit rules to the binary policy\n"); printf(" -P, --preserve-tunables treat tunables as booleans\n"); + printf(" -Q, --qualified-names Allow names containing dots (qualified names).\n"); + printf(" Blocks, blockinherits, blockabstracts, and\n"); + printf(" in-statements will not be allowed.\n"); printf(" -m, --multiple-decls allow some statements to be re-declared\n"); printf(" -N, --disable-neverallow do not check neverallow rules\n"); printf(" -G, --expand-generated Expand and remove auto-generated attributes\n"); @@ -94,6 +97,7 @@ int main(int argc, char *argv[]) int multiple_decls = 0; int disable_neverallow = 0; int preserve_tunables = 0; + int qualified_names = 0; int handle_unknown = -1; int policyvers = POLICYDB_VERSION_MAX; int attrs_expand_generated = 0; @@ -115,6 +119,7 @@ int main(int argc, char *argv[]) {"multiple-decls", no_argument, 0, 'm'}, {"disable-neverallow", no_argument, 0, 'N'}, {"preserve-tunables", no_argument, 0, 'P'}, + {"qualified-names", no_argument, 0, 'Q'}, {"output", required_argument, 0, 'o'}, {"filecontexts", required_argument, 0, 'f'}, {"expand-generated", no_argument, 0, 'G'}, @@ -125,7 +130,7 @@ int main(int argc, char *argv[]) int i; while (1) { - opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDmNOc:GX:n", long_opts, &opt_index); + opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PQDmNOc:GX:n", long_opts, &opt_index); if (opt_char == -1) { break; } @@ -190,6 +195,9 @@ int main(int argc, char *argv[]) case 'P': preserve_tunables = 1; break; + case 'Q': + qualified_names = 1; + break; case 'o': output = strdup(optarg); break; 
@@ -238,6 +246,7 @@ int main(int argc, char *argv[]) cil_set_multiple_decls(db, multiple_decls); cil_set_disable_neverallow(db, disable_neverallow); cil_set_preserve_tunables(db, preserve_tunables); + cil_set_qualified_names(db, qualified_names); if (handle_unknown != -1) { rc = cil_set_handle_unknown(db, handle_unknown); if (rc != SEPOL_OK) { From patchwork Tue Jun 29 15:14:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12350179 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16BDCC11F6A for ; Tue, 29 Jun 2021 15:14:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E5B8C61DAD for ; Tue, 29 Jun 2021 15:14:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232521AbhF2PQh (ORCPT ); Tue, 29 Jun 2021 11:16:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56080 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234675AbhF2PQh (ORCPT ); Tue, 29 Jun 2021 11:16:37 -0400 Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 436CDC061760 for ; Tue, 29 Jun 2021 08:14:09 -0700 (PDT) Received: by mail-qv1-xf34.google.com with SMTP id u2so11228196qvp.13 for ; Tue, 29 Jun 2021 08:14:09 -0700 (PDT) DKIM-Signature: v=1; 
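Review bot: in the usage() hunk of secilc.c the new -Q text begins with a capital ("Allow names containing dots ...") while the adjacent -D, -P, -m and -N lines start lowercase; writing it as "allow names containing dots (qualified names)." keeps the help output uniform.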
From: James Carter To: selinux@vger.kernel.org Cc: nicolas.iooss@m4x.org, James Carter Subject: [PATCH 3/4 v2] libsepol/cil: Add support for using qualified names to secil2tree Date: Tue, 29 Jun 2021 11:14:01 -0400 Message-Id: <20210629151402.41071-3-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210629151402.41071-1-jwcart2@gmail.com> References: <20210629151402.41071-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Provide the option "-Q" or "--qualified-names" to indicate that the policy is using qualified names. Using qualified names means that declaration names can have "dots" in them, but blocks, blockinherits, blockabstracts, and in-statements are not allowed in the policy. The libsepol function cil_set_qualified_names() is called with the desired value for the CIL db's "qualified_names" field. Signed-off-by: James Carter --- v2: Changed the language for the man page and "--help" documentation secilc/secil2tree.8.xml | 5 +++++ secilc/secil2tree.c | 11 ++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/secilc/secil2tree.8.xml b/secilc/secil2tree.8.xml index 81382ffe..e95a8947 100644 --- a/secilc/secil2tree.8.xml +++ b/secilc/secil2tree.8.xml @@ -45,6 +45,11 @@ Treat tunables as booleans. + + + Allow names containing dots (qualified names). Blocks, blockinherits, blockabstracts, and in-statements will not be allowed. + + Write AST of phase phase. Must be parse, build, or resolve. (default: resolve) diff --git a/secilc/secil2tree.c b/secilc/secil2tree.c index 218d0583..e5cdf6bd 100644 --- a/secilc/secil2tree.c +++ b/secilc/secil2tree.c 
@@ -54,6 +54,9 @@ static __attribute__((__noreturn__)) void usage(const char *prog) printf("Options:\n"); printf(" -o, --output= write AST to . (default: stdout)\n"); printf(" -P, --preserve-tunables treat tunables as booleans\n"); + printf(" -Q, --qualified-names Allow names containing dots (qualified names).\n"); + printf(" Blocks, blockinherits, blockabstracts, and\n"); + printf(" in-statements will not be allowed.\n"); printf(" -A, --ast-phase= write AST of phase . Phase must be parse, \n"); printf(" build, or resolve. (default: resolve)\n"); printf(" -v, --verbose increment verbosity level\n"); @@ -71,6 +74,7 @@ int main(int argc, char *argv[]) char *output = NULL; struct cil_db *db = NULL; int preserve_tunables = 0; + int qualified_names = 0; enum write_ast_phase write_ast = WRITE_AST_PHASE_RESOLVE; int opt_char; int opt_index = 0; @@ -79,6 +83,7 @@ int main(int argc, char *argv[]) {"help", no_argument, 0, 'h'}, {"verbose", no_argument, 0, 'v'}, {"preserve-tunables", no_argument, 0, 'P'}, + {"qualified-names", no_argument, 0, 'Q'}, {"output", required_argument, 0, 'o'}, {"ast-phase", required_argument, 0, 'A'}, {0, 0, 0, 0} @@ -86,7 +91,7 @@ int main(int argc, char *argv[]) int i; while (1) { - opt_char = getopt_long(argc, argv, "o:hvPA:", long_opts, &opt_index); + opt_char = getopt_long(argc, argv, "o:hvPQA:", long_opts, &opt_index); if (opt_char == -1) { break; } @@ -97,6 +102,9 @@ int main(int argc, char *argv[]) case 'P': preserve_tunables = 1; break; + case 'Q': + qualified_names = 1; + break; case 'o': output = strdup(optarg); break; 
@@ -131,6 +139,7 @@ int main(int argc, char *argv[]) cil_db_init(&db); cil_set_preserve_tunables(db, preserve_tunables); + cil_set_qualified_names(db, qualified_names); cil_set_attrs_expand_generated(db, 0); cil_set_attrs_expand_size(db, 0); From patchwork Tue Jun 29 15:14:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12350181 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A1E5C11F67 for ; Tue, 29 Jun 2021 15:14:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 519A661D5E for ; Tue, 29 Jun 2021 15:14:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234675AbhF2PQi (ORCPT ); Tue, 29 Jun 2021 11:16:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234645AbhF2PQi (ORCPT ); Tue, 29 Jun 2021 11:16:38 -0400 Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 27394C061766 for ; Tue, 29 Jun 2021 08:14:10 -0700 (PDT) Received: by mail-qv1-xf2c.google.com with SMTP id 11so4536459qvh.3 for ; Tue, 29 Jun 2021 08:14:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
From: James Carter To: selinux@vger.kernel.org Cc: nicolas.iooss@m4x.org, James Carter Subject: [PATCH 4/4 v2] libsepol/cil: Add support for using qualified names to secil2conf Date: Tue, 29 Jun 2021 11:14:02 -0400 Message-Id: <20210629151402.41071-4-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210629151402.41071-1-jwcart2@gmail.com> References: <20210629151402.41071-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Provide the option "-Q" or "--qualified-names" to indicate that the policy is using qualified names. Using qualified names means that declaration names can have "dots" in them, but blocks, blockinherits, blockabstracts, and in-statements are not allowed in the policy. The libsepol function cil_set_qualified_names() is called with the desired value for the CIL db's "qualified_names" field. Signed-off-by: James Carter --- v2: Changed the language for the man page and "--help" documentation secilc/secil2conf.8.xml | 5 +++++ secilc/secil2conf.c | 11 ++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/secilc/secil2conf.8.xml b/secilc/secil2conf.8.xml index 59d87a54..33646f97 100644 --- a/secilc/secil2conf.8.xml +++ b/secilc/secil2conf.8.xml @@ -50,6 +50,11 @@ Treat tunables as booleans. + + + Allow names containing dots (qualified names). Blocks, blockinherits, blockabstracts, and in-statements will not be allowed. + + Increment verbosity level. diff --git a/secilc/secil2conf.c b/secilc/secil2conf.c index 4e97dd66..d4103777 100644 --- a/secilc/secil2conf.c +++ b/secilc/secil2conf.c 
@@ -52,6 +52,9 @@ static __attribute__((__noreturn__)) void usage(const char *prog) printf(" This will override the (mls boolean) statement\n"); printf(" if present in the policy\n"); printf(" -P, --preserve-tunables treat tunables as booleans\n"); + printf(" -Q, --qualified-names Allow names containing dots (qualified names).\n"); + printf(" Blocks, blockinherits, blockabstracts, and\n"); + printf(" in-statements will not be allowed.\n"); printf(" -v, --verbose increment verbosity level\n"); printf(" -h, --help display usage information\n"); exit(1); @@ -68,6 +71,7 @@ int main(int argc, char *argv[]) struct cil_db *db = NULL; int mls = -1; int preserve_tunables = 0; + int qualified_names = 0; int opt_char; int opt_index = 0; enum cil_log_level log_level = CIL_ERR; @@ -76,13 +80,14 @@ int main(int argc, char *argv[]) {"verbose", no_argument, 0, 'v'}, {"mls", required_argument, 0, 'M'}, {"preserve-tunables", no_argument, 0, 'P'}, + {"qualified-names", no_argument, 0, 'Q'}, {"output", required_argument, 0, 'o'}, {0, 0, 0, 0} }; int i; while (1) { - opt_char = getopt_long(argc, argv, "o:hvM:P", long_opts, &opt_index); + opt_char = getopt_long(argc, argv, "o:hvM:PQ", long_opts, &opt_index); if (opt_char == -1) { break; } @@ -102,6 +107,9 @@ int main(int argc, char *argv[]) case 'P': preserve_tunables = 1; break; + case 'Q': + qualified_names = 1; + break; case 'o': output = strdup(optarg); break; @@ -123,6 +131,7 @@ int main(int argc, char *argv[]) cil_db_init(&db); cil_set_preserve_tunables(db, preserve_tunables); + cil_set_qualified_names(db, qualified_names); cil_set_mls(db, mls); cil_set_attrs_expand_generated(db, 0); cil_set_attrs_expand_size(db, 0);