From patchwork Thu Sep 8 20:30:52 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Cashman X-Patchwork-Id: 9322033 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 6F6C660752 for ; Thu, 8 Sep 2016 20:34:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5E53129971 for ; Thu, 8 Sep 2016 20:34:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 531BA299DC; Thu, 8 Sep 2016 20:34:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, T_DKIM_INVALID autolearn=no version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (emsm-gh1-uea10.nsa.gov [8.44.101.8]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9F48229971 for ; Thu, 8 Sep 2016 20:34:30 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.30,302,1470700800"; d="scan'208";a="17391920" IronPort-PHdr: =?us-ascii?q?9a23=3A98e2QB3xbGshnrU4smDT+DRfVm0co7zxezQtwd8Z?= =?us-ascii?q?segRLfad9pjvdHbS+e9qxAeQG96KsrQa0aGP7/GoGTRZp83Q6DZaKN0EfiRGoP?= =?us-ascii?q?1epxYnDs+BBB+zB9/RRAt+Iv5/UkR49WqwK0lfFZW2TVTTpnqv8WxaQU2nZkJL?= =?us-ascii?q?L+j4UrTfk96wn7jrvcaCOkMW3nHkPeI6bE3v616A7o9O2coqA51y4yOBmmFPde?= =?us-ascii?q?VSyDEgDnOotDG42P2N+oV++T9bofMr+p0Ie6z7e6MlUe4QV2x+YCgI/smjiT3v?= =?us-ascii?q?BUvKvyNdAS0qlU9TDgzE6gzqdovguSv98Oxm0W+VOtOlY6ozXGGO5qFqRRugoy?= =?us-ascii?q?4cNzsw9imDhsd5l6JeqRSJrhpz2YnVbMeeM/8oLfCVRs8TWWcUBpUZbCdGGI7p?= =?us-ascii?q?KtJXAg=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2GZBACzytFX/wHyM5BdGwEBAQMBAQEXAQEEAQGDDgEBAQE?= =?us-ascii?q?BHoFTtAiGOSCHY0wBAQEBAQEBAQIBAlsngjIEAxMFBTkQVQINXwIBAwECDxUTB?= =?us-ascii?q?gEBDCALAQIDCQEBFwghCAgDAS0DAQUBCxEOCwUYBAGIKKNHgTI+MopWhS4BAQW?= =?us-ascii?q?HWAELHQgQhBWCAQqIXgIRAYV4ji92ij6PQolPJYVnSI5CMYERVIJfDRuBbVCFN?= =?us-ascii?q?Q8XYYEnAQEB?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 08 Sep 2016 20:34:24 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u88KYM3B002279; Thu, 8 Sep 2016 16:34:22 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u88KVOCk096615 for ; Thu, 8 Sep 2016 16:31:24 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u88KVIH9001789 for ; Thu, 8 Sep 2016 16:31:23 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1DJAwDkydFXfzXcVdFdHAEBBAEBgy0BAQEBAYFxtAiCLoQShhwCgV5MAQIBAQEBAQITAQEJCwsJF4UTAgEDEhUZAQE3AQ8gMTQBBQEcGSKIKKNFgTI+MopWhS4BAQWHWAEBAQEBAQQCARwIEIQVggEKiF6CeguDB44vdoo+j0KJT4YMSI5CMYERgzMNG4FtHDSFNYIuAQEB X-IPAS-Result: A1DJAwDkydFXfzXcVdFdHAEBBAEBgy0BAQEBAYFxtAiCLoQShhwCgV5MAQIBAQEBAQITAQEJCwsJF4UTAgEDEhUZAQE3AQ8gMTQBBQEcGSKIKKNFgTI+MopWhS4BAQWHWAEBAQEBAQQCARwIEIQVggEKiF6CeguDB44vdoo+j0KJT4YMSI5CMYERgzMNG4FtHDSFNYIuAQEB X-IronPort-AV: E=Sophos;i="5.30,302,1470715200"; d="scan'208";a="5693985" Received: from emsm-gh1-uea10.corp.nsa.gov (HELO emsm-gh1-uea10.nsa.gov) ([10.208.41.36]) by goalie.tycho.ncsc.mil with ESMTP; 08 Sep 2016 16:31:24 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3Av7nqoha/V5FUouZqGfBLH3D/LSx+4OfEezUN459i?= =?us-ascii?q?sYplN5qZpcq4bnLW6fgltlLVR4KTs6sC0LuP9f66EjVcsN7B6ClEK80UEUddyI?= =?us-ascii?q?0/pE8JOIa9E0r1LfrnPWQRPf9pcxtbxUy9KlVfA83kZlff8TWY5D8WHQjjZ0Iu?= =?us-ascii?q?frymUrDbg8n/7e2u4ZqbO1wO32vkJ+0oZ0zq/E2R7pBQ2to6bP5pi1PgmThhQ6?= =?us-ascii?q?xu32RmJFaezV7Xx/yb29pdyRlWoO8r7MVaUK/3LOwSRL1cCyk6YShuvJW4/UqL?= =?us-ascii?q?cQza/XYYU2MLgjJUEgPF61f8RZ63vSzk5cRn3yzPEcTwTL0wER+r9KduQRmg3C?= =?us-ascii?q?sMPiU59WjRosV2gLhcoR7nrBt6ld2HKLqJPeZzK/uONegRQnBMC55c?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0FaAwBhydFXfzXcVdFdHAEBBAEBFwEBB?= =?us-ascii?q?AEBgw4BAQEBAYFxtAiCLoQShhwCgV5MAQEBAQEBAQECAQIQAQEJCwsJFzGCMhg?= =?us-ascii?q?MORBVAg1fAgEDEhUZAQE3AQ8gMTQBBQEcGSKIKKNBgTI+MopWhS4BAQWHWAEBA?= =?us-ascii?q?QEBAQQCARwIEIQVggEKiF6CeguDB44vdoo+j0KJT4YMSI5CMYERgzMNG4FtHDS?= =?us-ascii?q?FNYIuAQEB?= X-IPAS-Result: =?us-ascii?q?A0FaAwBhydFXfzXcVdFdHAEBBAEBFwEBBAEBgw4BAQEBAYF?= =?us-ascii?q?xtAiCLoQShhwCgV5MAQEBAQEBAQECAQIQAQEJCwsJFzGCMhgMORBVAg1fAgEDE?= =?us-ascii?q?hUZAQE3AQ8gMTQBBQEcGSKIKKNBgTI+MopWhS4BAQWHWAEBAQEBAQQCARwIEIQ?= =?us-ascii?q?VggEKiF6CeguDB44vdoo+j0KJT4YMSI5CMYERgzMNG4FtHDSFNYIuAQEB?= X-IronPort-AV: E=Sophos;i="5.30,302,1470700800"; d="scan'208";a="17391681" Received: from mail-pa0-f53.google.com ([209.85.220.53]) by emsm-gh1-uea10.nsa.gov with ESMTP/TLS/AES128-GCM-SHA256; 08 Sep 2016 20:31:22 +0000 Received: by mail-pa0-f53.google.com with SMTP id cm16so20661783pac.0 for ; Thu, 08 Sep 2016 13:31:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=android.com; s=20120917; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=mM7N+zcx14Vl+44XrouQjWXBBEKhU6Y3livQdkagT1M=; b=MefklWeD1Ex2RS46CGiM6Ib8nNfN9uVo2/GOBNL1tklc/dxk/e71exIKiGlTMlhm8U CcmVCchPKeTSy/qyCcsFiq3gDkIX2k0xa/uyxbb5ov6FVL3oVA1LeR+rYVS/NOFUTIr0 BjXPRiTg/8psOoBcyYHaFmo60QszgqXmMWBLvxbRWDhYR7gNCBzpECYszh7AOlnyStFN cZkb11wI/2TDk6Tfeak1nyWNCz3slvWo6if2fQPZNcJ7biji3SB0I7CU+NGQEW2sYpnj hpO/bkTAj0vagjBI/Il+6UrYroDHZPW1nHcAL5MvVBga1xVcnWjq/4Wl5jSjatPjmiKt FpCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=mM7N+zcx14Vl+44XrouQjWXBBEKhU6Y3livQdkagT1M=; b=B1bpqi9K++9OgnNADb8XckaGACSFuYjdbLXKddENRe2jHwDeWDt6Tq2WlhB/8ntjsA H17KMOYCHi7jPNSMyGEzbrzrdlfz1I+r0k8kPkMTWPzlQEa6EbJ9IdrOwxmI8BkZm1ck omPIcOphyeKt4UPUi2555WyrAMMQhNVeZzbsB21dEr4vidu3EGwpvQM8lenzDPNuVWjj 8kNH4+MolyLQ57p9hBmDH0KvnKwzY/+vw1Tg7DMaIO0OlkNCv8PbqUvuIq9ohi9T27P9 QWsfFDAqBxl60QnmhhYF5yJnG6IE9DNoL2szA+ZB5GSRLEYSqOJYOuv40+00TtSrRY8e braA== X-Gm-Message-State: AE9vXwOwr/LXN0bQ+TbauerAPJHfErXIa2zKoO/xqTw+WJ1paIC8q2/+sYaTDpRiXoRgwA== X-Received: by 10.66.25.228 with SMTP id f4mr2749717pag.157.1473366681343; Thu, 08 Sep 2016 13:31:21 -0700 (PDT) Received: from dcashman.mtv.corp.google.com ([172.22.115.19]) by smtp.gmail.com with ESMTPSA id 3sm42199731pai.48.2016.09.08.13.31.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 08 Sep 2016 13:31:20 -0700 (PDT) From: Daniel Cashman To: selinux@tycho.nsa.gov Subject: [PATCH 5/5] libsepol: cil: Add cil_constraint_expr_to_policy() Date: Thu, 8 Sep 2016 13:30:52 -0700 Message-Id: <1473366652-23929-6-git-send-email-dcashman@android.com> X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020 In-Reply-To: <1473366652-23929-5-git-send-email-dcashman@android.com> References: <1473366652-23929-1-git-send-email-dcashman@android.com> <1473366652-23929-2-git-send-email-dcashman@android.com> <1473366652-23929-3-git-send-email-dcashman@android.com> <1473366652-23929-4-git-send-email-dcashman@android.com> <1473366652-23929-5-git-send-email-dcashman@android.com> X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: sds@tycho.nsa.gov MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP From: dcashman The current cil_expr_to_policy() does not properly hanlde the case where CIL_OP is at the beginning of an expression. Create a new function, cil_constraint_expr_to_policy() rather than modifying the original, since the expression syntax for constraint expressions requires this ability, but the existing cil_expr_to_policy() function has many other consumers. Signed-off-by: Daniel Cashman --- libsepol/cil/src/cil_policy.c | 211 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 210 insertions(+), 1 deletion(-) diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c index 32b6b41..e5ca091 100644 --- a/libsepol/cil/src/cil_policy.c +++ b/libsepol/cil/src/cil_policy.c @@ -84,6 +84,8 @@ struct cil_args_booleanif { int cil_expr_to_policy(FILE **file_arr, uint32_t file_index, struct cil_list *expr); +int cil_constraint_expr_to_policy(FILE **file_arr, uint32_t file_index, struct cil_list *expr); + int cil_combine_policy(FILE **file_arr, FILE *policy_file) { char temp[BUFFER]; @@ -515,7 +517,7 @@ void cil_constrain_to_policy_helper(FILE **file_arr, char *kind, struct cil_list fprintf(file_arr[CONSTRAINS], "%s %s", kind, cp->class->datum.name); cil_perms_to_policy(file_arr, CONSTRAINS, cp->perms); fprintf(file_arr[CONSTRAINS], "\n\t"); - cil_expr_to_policy(file_arr, CONSTRAINS, expr); + cil_constraint_expr_to_policy(file_arr, CONSTRAINS, expr); fprintf(file_arr[CONSTRAINS], ";\n"); } else { /* MAP */ struct cil_list_item *i = NULL; @@ -811,6 +813,195 @@ exit: return rc; } +static int cil_constraint_expr_to_string(struct cil_list *expr, char **out) +{ + int rc = SEPOL_ERR; + struct cil_list_item *curr; + const size_t CONS_DEPTH = 3; + char *stack[CONS_DEPTH] = {}; // 1 operator + 1 - 2 operands + size_t pos = 0; + size_t i; + + cil_list_for_each(curr, expr) { + if (pos >= CONS_DEPTH) { + rc = SEPOL_ERR; + goto exit; + } + switch (curr->flavor) { + case CIL_LIST: + rc = cil_constraint_expr_to_string(curr->data, &stack[pos]); + if (rc != SEPOL_OK) { + goto exit; + } + pos++; + break; + case CIL_STRING: + stack[pos] = strdup(curr->data); + if (!stack[pos]) { + cil_log(CIL_ERR, "OOM. Unable to convert cons_expr to string\n"); + rc = SEPOL_ERR; + goto exit; + } + pos++; + break; + case CIL_DATUM: + stack[pos] = strdup(((struct cil_symtab_datum *)curr->data)->name); + if (!stack[pos]) { + cil_log(CIL_ERR, "OOM. Unable to convert cons_expr to string\n"); + rc = SEPOL_ERR; + goto exit; + } + pos++; + break; + case CIL_OP: { + enum cil_flavor op_flavor = (enum cil_flavor)curr->data; + char *op_str = NULL; + + if (pos != 0) { + /* ops come before the operand(s) */ + cil_log(CIL_ERR, "CIL_OP encountered at incorrect offset\n"); + rc = SEPOL_ERR; + goto exit; + } + switch (op_flavor) { + case CIL_AND: + op_str = CIL_KEY_AND; + break; + case CIL_OR: + op_str = CIL_KEY_OR; + break; + case CIL_NOT: + op_str = CIL_KEY_NOT; + break; + case CIL_ALL: + op_str = CIL_KEY_ALL; + break; + case CIL_EQ: + op_str = CIL_KEY_EQ; + break; + case CIL_NEQ: + op_str = CIL_KEY_NEQ; + break; + case CIL_XOR: + op_str = CIL_KEY_XOR; + break; + case CIL_CONS_DOM: + op_str = CIL_KEY_CONS_DOM; + break; + case CIL_CONS_DOMBY: + op_str = CIL_KEY_CONS_DOMBY; + break; + case CIL_CONS_INCOMP: + op_str = CIL_KEY_CONS_INCOMP; + break; + default: + cil_log(CIL_ERR, "Unknown operator in expression\n"); + rc = SEPOL_ERR; + goto exit; + break; + } + stack[pos] = strdup(op_str); + if (!stack[pos]) { + cil_log(CIL_ERR, "OOM. Unable to convert cons_expr to string\n"); + rc = SEPOL_ERR; + goto exit; + } + pos++; + break; + } + case CIL_CONS_OPERAND: { + enum cil_flavor operand_flavor = (enum cil_flavor)curr->data; + char *operand_str = NULL; + switch (operand_flavor) { + case CIL_CONS_U1: + operand_str = CIL_KEY_CONS_U1; + break; + case CIL_CONS_U2: + operand_str = CIL_KEY_CONS_U2; + break; + case CIL_CONS_U3: + operand_str = CIL_KEY_CONS_U3; + break; + case CIL_CONS_T1: + operand_str = CIL_KEY_CONS_T1; + break; + case CIL_CONS_T2: + operand_str = CIL_KEY_CONS_T2; + break; + case CIL_CONS_T3: + operand_str = CIL_KEY_CONS_T3; + break; + case CIL_CONS_R1: + operand_str = CIL_KEY_CONS_R1; + break; + case CIL_CONS_R2: + operand_str = CIL_KEY_CONS_R2; + break; + case CIL_CONS_R3: + operand_str = CIL_KEY_CONS_R3; + break; + case CIL_CONS_L1: + operand_str = CIL_KEY_CONS_L1; + break; + case CIL_CONS_L2: + operand_str = CIL_KEY_CONS_L2; + break; + case CIL_CONS_H1: + operand_str = CIL_KEY_CONS_H1; + break; + case CIL_CONS_H2: + operand_str = CIL_KEY_CONS_H2; + break; + default: + cil_log(CIL_ERR, "Unknown operand in expression\n"); + goto exit; + break; + } + stack[pos] = strdup(operand_str); + if (!stack[pos]) { + cil_log(CIL_ERR, "OOM. Unable to convert cons_expr to string\n"); + rc = SEPOL_ERR; + goto exit; + } + pos++; + break; + } + default: + cil_log(CIL_ERR, "Unknown flavor in expression\n"); + rc = SEPOL_ERR; + goto exit; + break; + } + } + if (pos > 3) { + cil_log(CIL_ERR, "Illegal CIL expr: more than 3 components\n"); + rc = SEPOL_ERR; + goto exit; + } + size_t len; + char *expr_str; + if (!strcmp(stack[0], CIL_KEY_NOT)) { + /* All ops take 2 operands except for CIL_KEY_NOT */ + len = strlen(stack[0]) + strlen(stack[1]) + 4; + expr_str = cil_malloc(len); + snprintf(expr_str, len, "(%s %s)", stack[0], stack[1]); + /* free() done below */ + } else { + len = strlen(stack[0]) + strlen(stack[1]) + strlen(stack[2]) + 5; + expr_str = cil_malloc(len); + snprintf(expr_str, len, "(%s %s %s)", stack[1], stack[0], stack[2]); + /* free() done below */ + } + *out = expr_str; + rc = SEPOL_OK; +exit: + for (i = 0; i < pos; i++) { + free(stack[i]); + stack[i] = NULL; + } + return rc; +} + int cil_expr_to_policy(FILE **file_arr, uint32_t file_index, struct cil_list *expr) { int rc = SEPOL_ERR; @@ -829,6 +1020,24 @@ out: return rc; } +int cil_constraint_expr_to_policy(FILE **file_arr, uint32_t file_index, struct cil_list *expr) +{ + int rc = SEPOL_ERR; + char *str_out; + + rc = cil_constraint_expr_to_string(expr, &str_out); + if (rc != SEPOL_OK) { + goto out; + } + fprintf(file_arr[file_index], "%s", str_out); + free(str_out); + + return SEPOL_OK; + +out: + return rc; +} + int __cil_booleanif_node_helper(struct cil_tree_node *node, __attribute__((unused)) uint32_t *finished, void *extra_args) { int rc = SEPOL_ERR;