From patchwork Wed Nov 10 14:47:23 2021
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 12612243
From: James Carter To: selinux@vger.kernel.org Cc: nicolas.iooss@m4x.org, stephen.smalley.work@gmail.com, James Carter Subject: [PATCH 1/5 v2] libsepol: Add support for file types in writing out policy.conf Date: Wed, 10 Nov 2021 09:47:23 -0500 Message-Id: <20211110144727.1467744-2-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211110144727.1467744-1-jwcart2@gmail.com> References: <20211110144727.1467744-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Although rarely used, genfscon rules support the specification of a file type just like the rules in a file context file. The file type is used to make the genfscon rule apply only for a specific security class. Currently, when writing out a policy.conf file from a kernel policy, it is assumed that every genfscon rule applies to all security classes and no file type will be added to the genfscon rule. Write out the appropriate file type if the genfscon rule is only for a specific security class (file, dir, blk_file, chr_file, fifo_file, lnk_file, or sock_file). Signed-off-by: James Carter --- v2: Reordered if else block to have a consistent ordering. libsepol/src/kernel_to_conf.c | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index eb72e4ac..9f04961a 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -2513,6 +2513,8 @@ static int write_genfscon_rules_to_conf(FILE *out, struct policydb *pdb) struct ocontext *ocon; struct strs *strs; char *fstype, *name, *ctx; + uint32_t sclass; + const char *file_type; int rc; rc = strs_init(&strs, 32); 
@@ -2525,14 +2527,43 @@ static int write_genfscon_rules_to_conf(FILE *out, struct policydb *pdb) fstype = genfs->fstype; name = ocon->u.name; + sclass = ocon->v.sclass; + file_type = NULL; + if (sclass) { + const char *class_name = pdb->p_class_val_to_name[sclass-1]; + if (strcmp(class_name, "file") == 0) { + file_type = "--"; + } else if (strcmp(class_name, "dir") == 0) { + file_type = "-d"; + } else if (strcmp(class_name, "chr_file") == 0) { + file_type = "-c"; + } else if (strcmp(class_name, "blk_file") == 0) { + file_type = "-b"; + } else if (strcmp(class_name, "sock_file") == 0) { + file_type = "-s"; + } else if (strcmp(class_name, "fifo_file") == 0) { + file_type = "-p"; + } else if (strcmp(class_name, "lnk_file") == 0) { + file_type = "-l"; + } else { + rc = -1; + goto exit; + } + } + ctx = context_to_str(pdb, &ocon->context[0]); if (!ctx) { rc = -1; goto exit; } - rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s", 3, - fstype, name, ctx); + if (file_type) { + rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s %s", 4, + fstype, name, file_type, ctx); + } else { + rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s", 3, + fstype, name, ctx); + } free(ctx); if (rc != 0) { goto exit; From patchwork Wed Nov 10 14:47:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12612245 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A6A07C433EF for ; Wed, 10 Nov 2021 14:47:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8CAC6610A2 for ; Wed, 10 Nov 2021 14:47:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232241AbhKJOuX (ORCPT ); Wed, 10 Nov 2021 09:50:23 -0500 
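Review bot: the final `else { rc = -1; goto exit; }` in the new class-name chain aborts the whole policy.conf write without saying which genfscon entry or class name it hit; print `fstype`, `name` and `class_name` before the `goto exit` so the user can find the offending rule. In the same block `pdb->p_class_val_to_name[sclass-1]` indexes with a value read straight out of the policy file; unless the policydb reader already validates ocontext `v.sclass` against `pdb->p_classes.nprim`, add `if (sclass > pdb->p_classes.nprim) { rc = -1; goto exit; }` ahead of the lookup, and note that kernel_to_cil.c and module_to_cil.c in patch 5 copy the same construct and need the same guard. The `--`, `-d`, `-c`, `-b`, `-s`, `-p`, `-l` spellings match the file_contexts flags checkpolicy accepts on a genfscon line, so the round trip through policy.conf is fine.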
x12mr141026qtf.378.1636555654035; Wed, 10 Nov 2021 06:47:34 -0800 (PST) Received: from localhost.localdomain (c-73-200-157-122.hsd1.md.comcast.net. [73.200.157.122]) by smtp.gmail.com with ESMTPSA id r10sm58633qta.27.2021.11.10.06.47.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Nov 2021 06:47:33 -0800 (PST) From: James Carter To: selinux@vger.kernel.org Cc: nicolas.iooss@m4x.org, stephen.smalley.work@gmail.com, James Carter Subject: [PATCH 2/5 v2] libsepol/cil: Refactor filecon file type handling Date: Wed, 10 Nov 2021 09:47:24 -0500 Message-Id: <20211110144727.1467744-3-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211110144727.1467744-1-jwcart2@gmail.com> References: <20211110144727.1467744-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Prepare for the addition of an optional file type in genfscon rules by refactoring filecon file type handling. Make the "any" file type be the first value in enum cil_filecon_types because it will be the most common file type. Signed-off-by: James Carter --- v2: New patch libsepol/cil/src/cil.c | 5 ++++- libsepol/cil/src/cil_build_ast.c | 6 +++--- libsepol/cil/src/cil_internal.h | 4 ++-- libsepol/cil/src/cil_write_ast.c | 30 ++++++++++++++++++++---------- 4 files changed, 29 insertions(+), 16 deletions(-) diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index 4cc7f87f..a152d689 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -1765,6 +1765,9 @@ int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size) str_tmp += buf_pos; switch(filecon->type) { + case CIL_FILECON_ANY: + str_type = ""; + break; case CIL_FILECON_FILE: str_type = "\t--"; break; 
@@ -2530,7 +2533,7 @@ void cil_filecon_init(struct cil_filecon **filecon) *filecon = cil_malloc(sizeof(**filecon)); (*filecon)->path_str = NULL; - (*filecon)->type = 0; + (*filecon)->type = CIL_FILECON_ANY; (*filecon)->context_str = NULL; (*filecon)->context = NULL; } diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 9c34be23..6a6f4f33 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -4229,7 +4229,9 @@ int cil_gen_filecon(struct cil_db *db, struct cil_tree_node *parse_current, stru filecon->path_str = parse_current->next->data; - if (type == CIL_KEY_FILE) { + if (type == CIL_KEY_ANY) { + filecon->type = CIL_FILECON_ANY; + } else if (type == CIL_KEY_FILE) { filecon->type = CIL_FILECON_FILE; } else if (type == CIL_KEY_DIR) { filecon->type = CIL_FILECON_DIR; @@ -4243,8 +4245,6 @@ int cil_gen_filecon(struct cil_db *db, struct cil_tree_node *parse_current, stru filecon->type = CIL_FILECON_PIPE; } else if (type == CIL_KEY_SYMLINK) { filecon->type = CIL_FILECON_SYMLINK; - } else if (type == CIL_KEY_ANY) { - filecon->type = CIL_FILECON_ANY; } else { cil_log(CIL_ERR, "Invalid file type\n"); rc = SEPOL_ERR; diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index 6f1d3cb5..fb2856d6 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h @@ -730,14 +730,14 @@ struct cil_context { }; enum cil_filecon_types { - CIL_FILECON_FILE = 1, + CIL_FILECON_ANY = 0, + CIL_FILECON_FILE, CIL_FILECON_DIR, CIL_FILECON_CHAR, CIL_FILECON_BLOCK, CIL_FILECON_SOCKET, CIL_FILECON_PIPE, CIL_FILECON_SYMLINK, - CIL_FILECON_ANY }; struct cil_filecon { diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c index d7f00bcc..40effcdc 100644 --- a/libsepol/cil/src/cil_write_ast.c +++ b/libsepol/cil/src/cil_write_ast.c 
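Review bot: with `CIL_FILECON_ANY` moved to value 0 in the cil_internal.h hunk, a zeroed or never-assigned `type` field now reads as "any", which is the widest possible meaning (the rule applies to every class) rather than the invalid value that the `else` in cil_gen_filecon or a `default:` case would catch. `cil_filecon_init` assigns it explicitly, so this is correct today, but put a comment on the enum stating that 0 is deliberately "any" so a future struct that forgets to initialise the field does not silently widen its rule.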
@@ -1232,24 +1232,34 @@ void cil_write_ast_node(FILE *out, struct cil_tree_node *node) struct cil_filecon *filecon = node->data; fprintf(out, "(filecon "); fprintf(out, "\"%s\" ", filecon->path_str); - if (filecon->type == CIL_FILECON_FILE) + switch (filecon->type) { + case CIL_FILECON_ANY: + fprintf(out, "%s ", CIL_KEY_ANY); + break; + case CIL_FILECON_FILE: fprintf(out, "%s ", CIL_KEY_FILE); - else if (filecon->type == CIL_FILECON_DIR) + break; + case CIL_FILECON_DIR: fprintf(out, "%s ", CIL_KEY_DIR); - else if (filecon->type == CIL_FILECON_CHAR) + break; + case CIL_FILECON_CHAR: fprintf(out, "%s ", CIL_KEY_CHAR); - else if (filecon->type == CIL_FILECON_BLOCK) + break; + case CIL_FILECON_BLOCK: fprintf(out, "%s ", CIL_KEY_BLOCK); - else if (filecon->type == CIL_FILECON_SOCKET) + break; + case CIL_FILECON_SOCKET: fprintf(out, "%s ", CIL_KEY_SOCKET); - else if (filecon->type == CIL_FILECON_PIPE) + break; + case CIL_FILECON_PIPE: fprintf(out, "%s ", CIL_KEY_PIPE); - else if (filecon->type == CIL_FILECON_SYMLINK) + break; + case CIL_FILECON_SYMLINK: fprintf(out, "%s ", CIL_KEY_SYMLINK); - else if (filecon->type == CIL_FILECON_ANY) - fprintf(out, "%s ", CIL_KEY_ANY); - else + break; + default: fprintf(out, " "); + } if (filecon->context) write_context(out, filecon->context, CIL_TRUE); else if (filecon->context_str) From patchwork Wed Nov 10 14:47:25 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12612247 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D505C4332F for ; Wed, 10 Nov 2021 14:47:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E934D60EDF for ; Wed, 10 Nov 2021 14:47:36 +0000 (UTC) Received: 
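Review bot: the `default:` branch still writes a lone space for an out-of-range `filecon->type`, which produces a `(filecon "path"  ctx)` line with no file type keyword at all; since the enum now covers every value from `CIL_FILECON_ANY` upward, that branch can only be reached with a corrupted value and should report it with `cil_log(CIL_ERR, ...)`, as cil_gen_filecon does for a bad keyword, instead of emitting a line that will not parse back in. The behaviour is pre-existing, but the rewrite into a switch is the natural place to fix it.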
From: James Carter
To: selinux@vger.kernel.org
Cc: nicolas.iooss@m4x.org, stephen.smalley.work@gmail.com, James Carter
Subject: [PATCH 3/5 v2] libsepol/cil: Allow optional file type in genfscon rules
Date: Wed, 10 Nov 2021 09:47:25 -0500
Message-Id: <20211110144727.1467744-4-jwcart2@gmail.com>
In-Reply-To: <20211110144727.1467744-1-jwcart2@gmail.com>
References: <20211110144727.1467744-1-jwcart2@gmail.com>

The optional specification of a file type for a genfscon rule to make it apply only to a specific security class is allowed by checkpolicy and checkmodule and should be allowed for CIL policies as well.

Allow an optional file type to be specified for a genfscon rule.

The new syntax:

  (genfscon FSNAME PATH [FILE_TYPE] CONTEXT)

  FSNAME    - The name of the supported filesystem
  PATH      - If FSNAME is proc then this is the partial path, otherwise this must be "/".
  FILE_TYPE - A single keyword representing the file type.

              file type   security class
              any         Same as not specifying a file type
              file        file
              dir         dir
              char        chr_file
              block       blk_file
              socket      sock_file
              pipe        fifo_file
              symlink     lnk_file

  CONTEXT   - Either a previously declared security context identifier or an anonymous security context.
Signed-off-by: James Carter --- v2: Initialize file_type field Reordered if else block to start with "any" Write out file type when writing AST libsepol/cil/src/cil.c | 1 + libsepol/cil/src/cil_binary.c | 37 +++++++++++++++++++++++++++ libsepol/cil/src/cil_build_ast.c | 43 +++++++++++++++++++++++++++++--- libsepol/cil/src/cil_internal.h | 1 + libsepol/cil/src/cil_write_ast.c | 27 ++++++++++++++++++++ 5 files changed, 105 insertions(+), 4 deletions(-) diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index a152d689..9916cbee 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -2577,6 +2577,7 @@ void cil_genfscon_init(struct cil_genfscon **genfscon) (*genfscon)->fs_str = NULL; (*genfscon)->path_str = NULL; + (*genfscon)->file_type = CIL_FILECON_ANY; (*genfscon)->context_str = NULL; (*genfscon)->context = NULL; } diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index d8aa495a..4ac8ce8d 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c 
@@ -3462,6 +3462,43 @@ int cil_genfscon_to_policydb(policydb_t *pdb, struct cil_sort *genfscons) new_ocon->u.name = cil_strdup(cil_genfscon->path_str); + if (cil_genfscon->file_type != CIL_FILECON_ANY) { + class_datum_t *class_datum; + const char *class_name; + switch (cil_genfscon->file_type) { + case CIL_FILECON_FILE: + class_name = "file"; + break; + case CIL_FILECON_DIR: + class_name = "dir"; + break; + case CIL_FILECON_CHAR: + class_name = "chr_file"; + break; + case CIL_FILECON_BLOCK: + class_name = "blk_file"; + break; + case CIL_FILECON_SOCKET: + class_name = "sock_file"; + break; + case CIL_FILECON_PIPE: + class_name = "fifo_file"; + break; + case CIL_FILECON_SYMLINK: + class_name = "lnk_file"; + break; + default: + rc = SEPOL_ERR; + goto exit; + } + class_datum = hashtab_search(pdb->p_classes.table, class_name); + if (!class_datum) { + rc = SEPOL_ERR; + goto exit; + } + new_ocon->v.sclass = class_datum->s.value; + } + rc = __cil_context_to_sepol_context(pdb, cil_genfscon->context, &new_ocon->context[0]); if (rc != SEPOL_OK) { goto exit; diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 6a6f4f33..4a501b8f 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -4572,9 +4572,11 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str CIL_SYN_STRING, CIL_SYN_STRING, CIL_SYN_STRING | CIL_SYN_LIST, + CIL_SYN_STRING | CIL_SYN_LIST | CIL_SYN_END, CIL_SYN_END }; size_t syntax_len = sizeof(syntax)/sizeof(*syntax); + struct cil_tree_node *context_node; int rc = SEPOL_ERR; struct cil_genfscon *genfscon = NULL; 
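Review bot: a NULL from `hashtab_search(pdb->p_classes.table, class_name)` is turned into a bare `SEPOL_ERR` with no message, so a policy that does not declare `chr_file` (or any of the other six classes) fails to build with nothing pointing at the genfscon rule; log `class_name` together with `cil_genfscon->fs_str` and `cil_genfscon->path_str` via `cil_log(CIL_ERR, ...)` before `goto exit`, and do the same in the `default:` case. Also, the `CIL_FILECON_ANY` path never touches `new_ocon->v.sclass`, so "applies to all classes" depends on the ocontext coming back zeroed from its allocator; an explicit `new_ocon->v.sclass = 0;` on that path, or a comment that the struct is zero-initialised, makes the intent visible.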
@@ -4592,15 +4594,48 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str genfscon->fs_str = parse_current->next->data; genfscon->path_str = parse_current->next->next->data; - if (parse_current->next->next->next->cl_head == NULL ) { - genfscon->context_str = parse_current->next->next->next->data; + if (parse_current->next->next->next->next) { + /* (genfscon ... */ + char *file_type = parse_current->next->next->next->data; + if (file_type == CIL_KEY_ANY) { + genfscon->file_type = CIL_FILECON_ANY; + } else if (file_type == CIL_KEY_FILE) { + genfscon->file_type = CIL_FILECON_FILE; + } else if (file_type == CIL_KEY_DIR) { + genfscon->file_type = CIL_FILECON_DIR; + } else if (file_type == CIL_KEY_CHAR) { + genfscon->file_type = CIL_FILECON_CHAR; + } else if (file_type == CIL_KEY_BLOCK) { + genfscon->file_type = CIL_FILECON_BLOCK; + } else if (file_type == CIL_KEY_SOCKET) { + genfscon->file_type = CIL_FILECON_SOCKET; + } else if (file_type == CIL_KEY_PIPE) { + genfscon->file_type = CIL_FILECON_PIPE; + } else if (file_type == CIL_KEY_SYMLINK) { + genfscon->file_type = CIL_FILECON_SYMLINK; + } else { + if (parse_current->next->next->next->cl_head) { + cil_log(CIL_ERR, "Expecting file type, but found a list\n"); + } else { + cil_log(CIL_ERR, "Invalid file type \"%s\"\n", file_type); + } + rc = SEPOL_ERR; + goto exit; + } + context_node = parse_current->next->next->next->next; } else { - cil_context_init(&genfscon->context); + /* (genfscon ... */ + context_node = parse_current->next->next->next; + } - rc = cil_fill_context(parse_current->next->next->next->cl_head, genfscon->context); + if (context_node->cl_head) { + cil_context_init(&genfscon->context); + rc = cil_fill_context(context_node->cl_head, genfscon->context); if (rc != SEPOL_OK) { goto exit; } + } else { + genfscon->context_str = context_node->data; } ast_node->data = genfscon; 
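Review bot: the keyword-to-enum chain added here is the same eight comparisons that cil_gen_filecon makes (patch 2, same file), and the reverse mapping is repeated in cil_write_ast.c and cil_binary.c; a single static helper in cil_build_ast.c that maps a `CIL_KEY_*` pointer to `enum cil_filecon_types` (returning a sentinel for an unknown keyword) would keep the two parsers in step when a keyword is added. Detecting the optional argument by the presence of a fifth node is sound given the updated syntax array, and the "Expecting file type, but found a list" message is a good catch for an anonymous context written one slot too early.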
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index fb2856d6..a7604762 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h @@ -791,6 +791,7 @@ struct cil_ipaddr { struct cil_genfscon { char *fs_str; char *path_str; + enum cil_filecon_types file_type; char *context_str; struct cil_context *context; }; diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c index 40effcdc..bebb2670 100644 --- a/libsepol/cil/src/cil_write_ast.c +++ b/libsepol/cil/src/cil_write_ast.c 
@@ -1328,6 +1328,33 @@ void cil_write_ast_node(FILE *out, struct cil_tree_node *node) struct cil_genfscon *genfscon = node->data; fprintf(out, "(genfscon "); fprintf(out, "%s \"%s\" ", genfscon->fs_str, genfscon->path_str); + if (genfscon->file_type != CIL_FILECON_ANY) { + switch (genfscon->file_type) { + case CIL_FILECON_FILE: + fprintf(out, "%s ", CIL_KEY_FILE); + break; + case CIL_FILECON_DIR: + fprintf(out, "%s ", CIL_KEY_DIR); + break; + case CIL_FILECON_CHAR: + fprintf(out, "%s ", CIL_KEY_CHAR); + break; + case CIL_FILECON_BLOCK: + fprintf(out, "%s ", CIL_KEY_BLOCK); + break; + case CIL_FILECON_SOCKET: + fprintf(out, "%s ", CIL_KEY_SOCKET); + break; + case CIL_FILECON_PIPE: + fprintf(out, "%s ", CIL_KEY_PIPE); + break; + case CIL_FILECON_SYMLINK: + fprintf(out, "%s ", CIL_KEY_SYMLINK); + break; + default: + fprintf(out, " "); + } + } if (genfscon->context) write_context(out, genfscon->context, CIL_TRUE); else From patchwork Wed Nov 10 14:47:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12612249 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03C5AC433F5 for ; Wed, 10 Nov 2021 14:47:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E394B610A2 for ; Wed, 10 Nov 2021 14:47:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232260AbhKJOuZ (ORCPT ); Wed, 10 Nov 2021 09:50:25 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46618 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231551AbhKJOuY (ORCPT ); Wed, 10 Nov 2021 09:50:24 -0500 Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com 
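Review bot: an explicit `any` in the source is dropped on write-out because the outer `if (genfscon->file_type != CIL_FILECON_ANY)` skips the keyword altogether; that is semantically a no-op, since the three-argument form means "any", but it deserves a sentence in the commit message because the AST output will not reproduce the input verbatim. The bigger point is the `default:` branch: printing a bare space for an invalid `file_type` silently yields the three-argument form, i.e. a rule that applies to every class, so a corrupted value widens the rule instead of failing; log it and treat it as an error, as the filecon case should too.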
[73.200.157.122]) by smtp.gmail.com with ESMTPSA id r10sm58633qta.27.2021.11.10.06.47.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Nov 2021 06:47:35 -0800 (PST) From: James Carter To: selinux@vger.kernel.org Cc: nicolas.iooss@m4x.org, stephen.smalley.work@gmail.com, James Carter Subject: [PATCH 4/5 v2] secilc/docs: Document the optional file type for genfscon rules Date: Wed, 10 Nov 2021 09:47:26 -0500 Message-Id: <20211110144727.1467744-5-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211110144727.1467744-1-jwcart2@gmail.com> References: <20211110144727.1467744-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Update the CIL documentation to include the optional file type for genfscon rules. Signed-off-by: James Carter --- v2: No changes secilc/docs/cil_file_labeling_statements.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/secilc/docs/cil_file_labeling_statements.md b/secilc/docs/cil_file_labeling_statements.md index ed7b7bf9..73f73885 100644 --- a/secilc/docs/cil_file_labeling_statements.md +++ b/secilc/docs/cil_file_labeling_statements.md @@ -36,11 +36,13 @@ Define entries for labeling files. The compiler will produce these entries in a - +

keyword

file_contexts entry

+ +

file

--

@@ -185,7 +187,7 @@ Used to allocate a security context to filesystems that cannot support any of th **Statement definition:** ```secil - (genfscon fsname path context_id) + (genfscon fsname path [file_type] context_id) ``` **Where:** @@ -209,6 +211,10 @@ Used to allocate a security context to filesystems that cannot support any of th

If fsname is proc, then the partial path (see examples). For all other types this must be ‘/’.

+

file_type

+

Optional keyword representing a file type. Valid values are the same as in [`filecon`](cil_file_labeling_statements.md#filecon) rules.

+ +

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.
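Review bot: the new `file_type` row points at the filecon keyword list, but the genfscon examples this section refers to ("see examples") are not updated, so a reader never sees where the keyword sits relative to an anonymous context; add one example such as `(genfscon sysfs "/" dir (system_u object_r sysfs_t ((s0) (s0))))` and state explicitly that `any`, or omitting the keyword, makes the rule apply to every file class, which is the only behaviour the old syntax could express and what existing policies get by default.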
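The `(genfscon FSNAME PATH [FILE_TYPE] CONTEXT)` syntax described in the patch 3 commit message and in the documentation hunk above, together with the `--`/`-d`/`-c`/`-b`/`-s`/`-p`/`-l` flag form that patch 1 writes into policy.conf, as an added worked example that is not part of the patch series or of libsepol: a Python parser for genfscon rules in both syntaxes that normalises the optional file type to the kernel security class, plus a lookup that resolves (filesystem, path, class) the way the kernel's security_genfs_sid() does, longest path prefix first with the file type acting as a class filter. The rules, type names and context identifiers in the samples are constructed for this example.

```python
"""Parse genfscon rules in policy.conf and CIL syntax and resolve lookups.

Added example, not code from the libsepol patch series; the sample rules and
the type names in them (proc_net_t, cpu_link_t, ...) are constructed here.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Table from the patch 3 commit message: CIL keyword -> (policy.conf flag as
# written by patch 1, kernel security class). "any" has neither: the kernel
# stores sclass == 0 and the rule matches every class.
FILE_TYPES = {
    "file": ("--", "file"),
    "dir": ("-d", "dir"),
    "char": ("-c", "chr_file"),
    "block": ("-b", "blk_file"),
    "socket": ("-s", "sock_file"),
    "pipe": ("-p", "fifo_file"),
    "symlink": ("-l", "lnk_file"),
}
FLAG_TO_CLASS = {flag: cls for flag, cls in FILE_TYPES.values()}
KEYWORD_TO_CLASS = {kw: cls for kw, (_, cls) in FILE_TYPES.items()}


@dataclass(frozen=True)
class Genfscon:
    fstype: str
    path: str
    sclass: Optional[str]  # None means "any", i.e. ocontext v.sclass == 0
    context: str           # kept in source form, not converted between syntaxes


# genfscon FSTYPE PATH [FLAG] CONTEXT; the path may be quoted (kernel_to_conf.c
# quotes it) and the context runs to end of line so an MLS range with spaces survives.
_CONF_RE = re.compile(r'^genfscon\s+(\S+)\s+("[^"]*"|\S+)\s+(?:(-[-dcbspl])\s+)?(.+?)\s*$')


def parse_conf(line: str) -> Genfscon:
    m = _CONF_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a genfscon rule: {line!r}")
    fstype, path, flag, ctx = m.groups()
    return Genfscon(fstype, path.strip('"'), FLAG_TO_CLASS[flag] if flag else None, ctx)


def _read(tokens: list, i: int):
    """Read one s-expression node at tokens[i]; returns (node, next index)."""
    if i >= len(tokens):
        raise ValueError("unexpected end of input")
    if tokens[i] == ")":
        raise ValueError("unexpected ')'")
    if tokens[i] != "(":
        return tokens[i], i + 1  # atom
    items, i = [], i + 1
    while i < len(tokens) and tokens[i] != ")":
        node, i = _read(tokens, i)
        items.append(node)
    if i >= len(tokens):
        raise ValueError("missing ')'")
    return items, i + 1


def _unparse(node) -> str:
    return "(" + " ".join(map(_unparse, node)) + ")" if isinstance(node, list) else node


def parse_cil(line: str) -> Genfscon:
    # (genfscon FSNAME PATH [FILE_TYPE] CONTEXT): the optional keyword is told
    # apart from the context by argument count, as cil_gen_genfscon does.
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', line)  # parens, strings, atoms
    node, _ = _read(tokens, 0)
    if not isinstance(node, list) or not node or node[0] != "genfscon":
        raise ValueError(f"not a genfscon rule: {line!r}")
    args = node[1:]
    if len(args) == 4:
        fstype, path, ftype, ctx = args
        if isinstance(ftype, list):
            raise ValueError("Expecting file type, but found a list")
        if ftype != "any" and ftype not in KEYWORD_TO_CLASS:
            raise ValueError(f'Invalid file type "{ftype}"')
        sclass = KEYWORD_TO_CLASS.get(ftype)  # "any" -> None
    elif len(args) == 3:
        (fstype, path, ctx), sclass = args, None
    else:
        raise ValueError(f"wrong number of arguments: {line!r}")
    if isinstance(fstype, list) or isinstance(path, list):
        raise ValueError("fsname and path must be strings")
    return Genfscon(fstype, path.strip('"'), sclass, _unparse(ctx))


def parse_rules(text: str, syntax: str) -> list:
    parse = {"conf": parse_conf, "cil": parse_cil}[syntax]
    lines = (ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith(("#", ";")))
    return [parse(ln) for ln in lines]


def genfs_sid(rules, fstype: str, path: str, sclass: str) -> Optional[str]:
    """Resolve a label the way the kernel's security_genfs_sid() does: the
    longest rule path that is a prefix of the requested path wins (the kernel
    keeps its list sorted by decreasing length), and a rule carrying a file type
    is skipped when the requested class differs, so the file type is a filter,
    not a priority. The test is a plain string prefix, so "/net" also covers
    "/network", as in the kernel. None stands for the unlabeled-SID fallback."""
    by_length = sorted((r for r in rules if r.fstype == fstype),
                       key=lambda r: len(r.path), reverse=True)
    for r in by_length:
        if (r.sclass is None or r.sclass == sclass) and path.startswith(r.path):
            return r.context
    return None


# Constructed sample rules, the same five in both syntaxes.
SAMPLE_CONF = """
genfscon proc / system_u:object_r:proc_t:s0
genfscon proc "/net" system_u:object_r:proc_net_t:s0
genfscon sysfs / -d system_u:object_r:sysfs_t:s0
genfscon sysfs / -- system_u:object_r:sysfs_file_t:s0
genfscon sysfs /devices/system/cpu -l system_u:object_r:cpu_link_t:s0
"""
SAMPLE_CIL = """
(genfscon proc "/" (system_u object_r proc_t ((s0) (s0))))
(genfscon proc "/net" any (system_u object_r proc_net_t ((s0) (s0))))
(genfscon sysfs "/" dir (system_u object_r sysfs_t ((s0) (s0))))
(genfscon sysfs "/" file sysfs_file_ctx)
(genfscon sysfs "/devices/system/cpu" symlink (system_u object_r cpu_link_t ((s0) (s0))))
"""
```

Running `genfs_sid` over the sample rules shows why the file type is a filter rather than a priority: a lookup for a `dir` under `/devices/system/cpu` skips the symlink-only rule and falls back to the shorter `/` dir rule, while a `chr_file` anywhere in sysfs matches nothing because both `/` rules carry a file type (the kernel then uses the unlabeled SID). The prefix match is also worth seeing: the `/net` rule labels `/network` too, and a file type on a rule does not narrow an over-broad path.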

From patchwork Wed Nov 10 14:47:27 2021
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 12612251
From: James Carter
To: selinux@vger.kernel.org
Cc: nicolas.iooss@m4x.org, stephen.smalley.work@gmail.com, James Carter
Subject: [PATCH 5/5] libsepol: Write out genfscon file type when writing out CIL policy
Date: Wed, 10 Nov 2021 09:47:27 -0500
Message-Id: <20211110144727.1467744-6-jwcart2@gmail.com>
In-Reply-To: <20211110144727.1467744-1-jwcart2@gmail.com>
References: <20211110144727.1467744-1-jwcart2@gmail.com>

With an optional file type being added to CIL genfscon rules, it should be used when writing out a kernel policy or module to CIL when a genfscon rule should only apply to a single security class.
Signed-off-by: James Carter --- v2: Reordered if else blocks to have consistent ordering. libsepol/src/kernel_to_cil.c | 35 +++++++++++++++++++++++++++++++++-- libsepol/src/module_to_cil.c | 27 ++++++++++++++++++++++++++- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index 305567a5..ad92a7bc 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -2640,6 +2640,8 @@ static int write_genfscon_rules_to_cil(FILE *out, struct policydb *pdb) struct ocontext *ocon; struct strs *strs; char *fstype, *name, *ctx; + uint32_t sclass; + const char *file_type; int rc; rc = strs_init(&strs, 32); @@ -2652,14 +2654,43 @@ static int write_genfscon_rules_to_cil(FILE *out, struct policydb *pdb) fstype = genfs->fstype; name = ocon->u.name; + sclass = ocon->v.sclass; + file_type = NULL; + if (sclass) { + const char *class_name = pdb->p_class_val_to_name[sclass-1]; + if (strcmp(class_name, "file") == 0) { + file_type = "file"; + } else if (strcmp(class_name, "dir") == 0) { + file_type = "dir"; + } else if (strcmp(class_name, "chr_file") == 0) { + file_type = "char"; + } else if (strcmp(class_name, "blk_file") == 0) { + file_type = "block"; + } else if (strcmp(class_name, "sock_file") == 0) { + file_type = "socket"; + } else if (strcmp(class_name, "fifo_file") == 0) { + file_type = "pipe"; + } else if (strcmp(class_name, "lnk_file") == 0) { + file_type = "symlink"; + } else { + rc = -1; + goto exit; + } + } + ctx = context_to_str(pdb, &ocon->context[0]); if (!ctx) { rc = -1; goto exit; } - rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s)", 3, - fstype, name, ctx); + if (file_type) { + rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s %s)", 4, + fstype, name, file_type, ctx); + } else { + rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s)", 3, + fstype, name, ctx); + } free(ctx); if (rc != 0) { goto exit; 
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 16e4004e..c80937e8 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -2961,10 +2961,35 @@ static int genfscon_to_cil(struct policydb *pdb) { struct genfs *genfs; struct ocontext *ocon; + uint32_t sclass; for (genfs = pdb->genfs; genfs != NULL; genfs = genfs->next) { for (ocon = genfs->head; ocon != NULL; ocon = ocon->next) { - cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name); + sclass = ocon->v.sclass; + if (sclass) { + const char *file_type; + const char *class_name = pdb->p_class_val_to_name[sclass-1]; + if (strcmp(class_name, "file") == 0) { + file_type = "file"; + } else if (strcmp(class_name, "dir") == 0) { + file_type = "dir"; + } else if (strcmp(class_name, "chr_file") == 0) { + file_type = "char"; + } else if (strcmp(class_name, "blk_file") == 0) { + file_type = "block"; + } else if (strcmp(class_name, "sock_file") == 0) { + file_type = "socket"; + } else if (strcmp(class_name, "fifo_file") == 0) { + file_type = "pipe"; + } else if (strcmp(class_name, "lnk_file") == 0) { + file_type = "symlink"; + } else { + return -1; + } + cil_printf("(genfscon %s \"%s\" %s ", genfs->fstype, ocon->u.name, file_type); + } else { + cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name); + } context_to_cil(pdb, &ocon->context[0]); cil_printf(")\n"); }
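Review bot: in the @@ -2652 hunk of kernel_to_cil.c, `pdb->p_class_val_to_name[sclass-1]` is indexed with a value that comes from the policy being converted, and the hunk itself only tests `if (sclass)`, not that sclass lies within the class table; if the policy reader already rejects an out-of-range genfscon sclass before this function runs, a one-line comment saying so would help the next reader, otherwise a bounds check against the number of classes belongs here. Separately, the unknown-class branch `} else { rc = -1; goto exit; }` fails the whole conversion without saying which rule or class triggered it; logging fstype, name and class_name on that path, using whatever error-reporting call this file already uses, would make the failure diagnosable for anyone converting a policy.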
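Review bot: the seven-way strcmp chain that maps kernel class names to CIL file type keywords in genfscon_to_cil() duplicates, line for line, the one added to write_genfscon_rules_to_cil() in kernel_to_cil.c; factoring it into a single shared helper (class name in, CIL keyword or NULL out) would keep the two writers from drifting apart when either mapping changes. The `return -1` for an unrecognised class also exits from inside the nested loops with no message at all, so a policy that trips it simply fails to convert; since the two writers are meant to behave identically, that path should carry the same diagnostic (fstype, name, class name) as the kernel_to_cil.c path.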
