| Message ID | 20220513095628.154274-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Support the 'self' keyword in type transitions | expand |
On Fri, May 13, 2022 at 5:56 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > With the addition of the anon_inode class in the kernel, 'self' > transition rules became useful, but haven't been implemented. > > This series implements the self keyword support in the CIL & TE > languages and the module policydb format. The kernel policydb format > doesn't need any changes, as type transitions are always expanded in the > kernel policydb. Since type_change and type_member rules are handled by > the same common code, these are extended with self keyword support as > well. > > The patches have been tested using the following WIP beakerlib/tmt test: > https://src.fedoraproject.org/fork/omos/tests/selinux/blob/self-in-tt/f/libsepol/self-keyword-in-type-rules > > Changes in v4: > - fix module_to_cil.c behavior for rules with the including self + other > types/attributes (James Carter) > - update the test to verify the above + also type_change and type_member > > Changes in v3: > - update commit messages and cover letter to state that other type rules > also gain self keyword support with these patches (James Carter) > - error out in case a policy module containing the newly supported rules > is downgraded to an earlier module policy version (James Carter) > > Changes in v2: > - validate the flags member of filename_trans_rule_t in > policy_validate.c (Christian Göttsche) > - add missing error check in filename_trans_rule_write() > (Christian Göttsche) > > Ondrej Mosnacek (2): > libsepol/cil: add support for self keyword in type transitions > libsepol,checkpolicy: add support for self keyword in type transitions > > checkpolicy/policy_define.c | 42 +++++- > libsepol/cil/src/cil_binary.c | 168 +++++++++++++++------ > libsepol/cil/src/cil_resolve_ast.c | 25 ++- > libsepol/include/sepol/policydb/policydb.h | 4 +- > libsepol/src/expand.c | 69 ++++++--- > libsepol/src/link.c | 1 + > libsepol/src/module_to_cil.c | 7 + > libsepol/src/policydb.c | 33 +++- > libsepol/src/policydb_validate.c | 4 + > libsepol/src/write.c | 32 +++- > secilc/test/policy.cil | 7 + > 11 files changed, 302 insertions(+), 90 deletions(-) > > -- > 2.36.1 > For the series: Acked-by: James Carter <jwcart2@gmail.com>
On Fri, May 13, 2022 at 12:39 PM James Carter <jwcart2@gmail.com> wrote: > > On Fri, May 13, 2022 at 5:56 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > With the addition of the anon_inode class in the kernel, 'self' > > transition rules became useful, but haven't been implemented. > > > > This series implements the self keyword support in the CIL & TE > > languages and the module policydb format. The kernel policydb format > > doesn't need any changes, as type transitions are always expanded in the > > kernel policydb. Since type_change and type_member rules are handled by > > the same common code, these are extended with self keyword support as > > well. > > > > The patches have been tested using the following WIP beakerlib/tmt test: > > https://src.fedoraproject.org/fork/omos/tests/selinux/blob/self-in-tt/f/libsepol/self-keyword-in-type-rules > > > > Changes in v4: > > - fix module_to_cil.c behavior for rules with the including self + other > > types/attributes (James Carter) > > - update the test to verify the above + also type_change and type_member > > > > Changes in v3: > > - update commit messages and cover letter to state that other type rules > > also gain self keyword support with these patches (James Carter) > > - error out in case a policy module containing the newly supported rules > > is downgraded to an earlier module policy version (James Carter) > > > > Changes in v2: > > - validate the flags member of filename_trans_rule_t in > > policy_validate.c (Christian Göttsche) > > - add missing error check in filename_trans_rule_write() > > (Christian Göttsche) > > > > Ondrej Mosnacek (2): > > libsepol/cil: add support for self keyword in type transitions > > libsepol,checkpolicy: add support for self keyword in type transitions > > > > checkpolicy/policy_define.c | 42 +++++- > > libsepol/cil/src/cil_binary.c | 168 +++++++++++++++------ > > libsepol/cil/src/cil_resolve_ast.c | 25 ++- > > libsepol/include/sepol/policydb/policydb.h | 4 +- > > libsepol/src/expand.c | 69 ++++++--- > > libsepol/src/link.c | 1 + > > libsepol/src/module_to_cil.c | 7 + > > libsepol/src/policydb.c | 33 +++- > > libsepol/src/policydb_validate.c | 4 + > > libsepol/src/write.c | 32 +++- > > secilc/test/policy.cil | 7 + > > 11 files changed, 302 insertions(+), 90 deletions(-) > > > > -- > > 2.36.1 > > > > For the series: > Acked-by: James Carter <jwcart2@gmail.com> This series has been merged. Thanks, Jim