Message ID | 20221125154952.20910-7-cgzones@googlemail.com (mailing list archive) |
---|---|
State | New, archived |
Delegated to: | Petr Lautrbach |
Series | not-self neverallow support |
On Fri, Nov 25, 2022 at 10:51 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > Convert trivial not-self neverallow rules to CIL, e.g. > > neverallow TYPE1 ~self:CLASS1 PERM1; > > into > > (neverallow TYPE1 notself (CLASS1 (PERM1))) > > More complex targets are not yet supported in CIL and will fail to > convert, e.g.: > > neverallow TYPE1 ~{ self ATTR1 } : CLASS1 PERM1; > neverallow TYPE2 { ATTR2 -self } : CLASS2 PERM2; > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> I know what is needed to translate these rules to CIL, but it is going to require some reworking of how attributes are handled, so I think that it is better to take this patch for now. Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/module_to_cil.c | 30 ++++++++++++++++++++++++++---- > 1 file changed, 26 insertions(+), 4 deletions(-) > > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c > index b900290a..2d5d1d6d 100644 > --- a/libsepol/src/module_to_cil.c > +++ b/libsepol/src/module_to_cil.c > @@ -1201,10 +1201,23 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a > goto exit; > } > > - ts = &avrule->ttypes; > - rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); > - if (rc != 0) { > - goto exit; > + if (avrule->flags & RULE_NOTSELF) { > + if (!ebitmap_is_empty(&avrule->ttypes.types) || !ebitmap_is_empty(&avrule->ttypes.negset)) { > + if (avrule->source_filename) { > + log_err("%s:%lu: Non-trivial neverallow rules with targets containing not or minus self not yet supported", > + avrule->source_filename, avrule->source_line); > + } else { > + log_err("Non-trivial neverallow rules with targets containing not or minus self not yet supported"); > + } > + rc = -1; > + goto exit; > + } > + } else { > + ts = &avrule->ttypes; > + rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); > + if (rc != 0) { > + goto exit; > + } > } > > for (s = 0; s < num_snames; s++) { 
> @@ -1228,6 +1241,15 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a > if (rc != 0) { > goto exit; > } > + } else if (avrule->flags & RULE_NOTSELF) { > + if (avrule->specified & AVRULE_XPERMS) { > + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms, avrule->xperms); > + } else { > + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms); > + } > + if (rc != 0) { > + goto exit; > + } > } > } > > -- > 2.38.1 >
On Wed, Mar 1, 2023 at 9:35 AM James Carter <jwcart2@gmail.com> wrote: > > On Fri, Nov 25, 2022 at 10:51 AM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Convert trivial not-self neverallow rules to CIL, e.g. > > > > neverallow TYPE1 ~self:CLASS1 PERM1; > > > > into > > > > (neverallow TYPE1 notself (CLASS1 (PERM1))) > > > > More complex targets are not yet supported in CIL and will fail to > > convert, e.g.: > > > > neverallow TYPE1 ~{ self ATTR1 } : CLASS1 PERM1; > > neverallow TYPE2 { ATTR2 -self } : CLASS2 PERM2; > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > I know what is needed to translate these rules to CIL, but it is going > to require some reworking of how attributes are handled, so I think > that it is better to take this patch for now. > > Acked-by: James Carter <jwcart2@gmail.com> > This one needs to wait until my CIL notself patch is merged. Jim > > --- > > libsepol/src/module_to_cil.c | 30 ++++++++++++++++++++++++++---- > > 1 file changed, 26 insertions(+), 4 deletions(-) > > > > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c > > index b900290a..2d5d1d6d 100644 > > --- a/libsepol/src/module_to_cil.c > > +++ b/libsepol/src/module_to_cil.c 
> > @@ -1201,10 +1201,23 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a > > goto exit; > > } > > > > - ts = &avrule->ttypes; > > - rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); > > - if (rc != 0) { > > - goto exit; > > + if (avrule->flags & RULE_NOTSELF) { > > + if (!ebitmap_is_empty(&avrule->ttypes.types) || !ebitmap_is_empty(&avrule->ttypes.negset)) { > > + if (avrule->source_filename) { > > + log_err("%s:%lu: Non-trivial neverallow rules with targets containing not or minus self not yet supported", > > + avrule->source_filename, avrule->source_line); > > + } else { > > + log_err("Non-trivial neverallow rules with targets containing not or minus self not yet supported"); > > + } > > + rc = -1; > > + goto exit; > > + } > > + } else { > > + ts = &avrule->ttypes; > > + rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); > > + if (rc != 0) { > > + goto exit; > > + } > > } > > > > for (s = 0; s < num_snames; s++) { > > @@ -1228,6 +1241,15 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a > > if (rc != 0) { > > goto exit; > > } > > + } else if (avrule->flags & RULE_NOTSELF) { > > + if (avrule->specified & AVRULE_XPERMS) { > > + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms, avrule->xperms); > > + } else { > > + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms); > > + } > > + if (rc != 0) { > > + goto exit; > > + } > > } > > } > > > > -- > > 2.38.1 > >
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index b900290a..2d5d1d6d 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -1201,10 +1201,23 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a goto exit; } - ts = &avrule->ttypes; - rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); - if (rc != 0) { - goto exit; + if (avrule->flags & RULE_NOTSELF) { + if (!ebitmap_is_empty(&avrule->ttypes.types) || !ebitmap_is_empty(&avrule->ttypes.negset)) { + if (avrule->source_filename) { + log_err("%s:%lu: Non-trivial neverallow rules with targets containing not or minus self not yet supported", + avrule->source_filename, avrule->source_line); + } else { + log_err("Non-trivial neverallow rules with targets containing not or minus self not yet supported"); + } + rc = -1; + goto exit; + } + } else { + ts = &avrule->ttypes; + rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); + if (rc != 0) { + goto exit; + } } for (s = 0; s < num_snames; s++) { @@ -1228,6 +1241,15 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a if (rc != 0) { goto exit; } + } else if (avrule->flags & RULE_NOTSELF) { + if (avrule->specified & AVRULE_XPERMS) { + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms, avrule->xperms); + } else { + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms); + } + if (rc != 0) { + goto exit; + } } }
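Review bot: in the first hunk, the non-trivial-target check on `avrule->ttypes` inspects only the `types` and `negset` bitmaps and not `ttypes.flags`, so a complemented or starred target set whose bitmaps happen to be empty would pass as a plain `notself` rule; if the compiler can record the complement of `~{ self ATTR1 }` in `flags` rather than in the bitmaps, the condition should also require `avrule->ttypes.flags == 0`, otherwise a short comment stating why that encoding cannot reach this function would help the next reader. When the `RULE_NOTSELF` branch succeeds, `tnames` and `num_tnames` are left untouched, so the per-target loop below must never be entered for these rules; that coupling with the second hunk deserves a one-line comment next to the new `if`.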
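Review bot: in the second hunk, the new `else if (avrule->flags & RULE_NOTSELF)` arm emits the literal target name `"notself"` through `avrule_to_cil()` / `avrulex_to_cil()`, so the generated CIL is only loadable once the CIL side understands that keyword (as the reply in this thread notes, this has to wait for the CIL notself patch); an older secilc will reject or misread the output, which is worth a sentence in the commit message. A test policy exercising both paths would make the behaviour verifiable: `neverallow TYPE1 ~self:CLASS1 PERM1;` converting to `(neverallow TYPE1 notself (CLASS1 (PERM1)))`, a `{ ATTR2 -self }` target producing the new `log_err()` message with the `%s:%lu` file and line prefix, and one xperms neverallow so the `avrulex_to_cil()` branch is covered as well.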
Convert trivial not-self neverallow rules to CIL, e.g.

    neverallow TYPE1 ~self:CLASS1 PERM1;

into

    (neverallow TYPE1 notself (CLASS1 (PERM1)))

More complex targets are not yet supported in CIL and will fail to
convert, e.g.:

    neverallow TYPE1 ~{ self ATTR1 } : CLASS1 PERM1;
    neverallow TYPE2 { ATTR2 -self } : CLASS2 PERM2;

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/module_to_cil.c | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)
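To make the trivial / non-trivial distinction concrete, here is a small source-level translator added for this page (not libsepol's code: module_to_cil works on compiled avrules, not on policy text). It converts the rule forms named in the commit message, expands a plain type set to one CIL rule per member, and rejects targets that mix self with other types using the patch's error message; `RULE_RE`, `neverallow_to_cil` and `UnsupportedTarget` are names chosen here.

```python
import re

# Constructed parser for one kernel-policy neverallow line. Source is a
# single type; the target is a type, self, ~self, or a braced set.
RULE_RE = re.compile(
    r"^\s*neverallow\s+(?P<src>[^\s:{}]+)\s+"
    r"(?P<tgt>~?\{[^}]*\}|~?[^\s:{}]+)\s*:\s*"
    r"(?P<cls>\w+)\s+(?P<perms>\{[^}]*\}|[^\s;]+)\s*;\s*$"
)

# Same wording as the log_err() added by the patch.
UNSUPPORTED = ("Non-trivial neverallow rules with targets containing "
               "not or minus self not yet supported")


class UnsupportedTarget(ValueError):
    """Raised where module_to_cil would log UNSUPPORTED and fail."""


def _members(tok):
    """Split a bare token or a braced set into its member tokens."""
    tok = tok.strip()
    return tok[1:-1].split() if tok.startswith("{") else [tok]


def neverallow_to_cil(rule):
    """Return the list of CIL neverallow rules for one policy line."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"cannot parse: {rule!r}")
    src, tgt, cls = m["src"], m["tgt"], m["cls"]
    perms = " ".join(_members(m["perms"]))
    complement = tgt.startswith("~")
    members = _members(tgt[1:] if complement else tgt)
    mentions_self = any(t in ("self", "-self") for t in members)
    plain_self = members == ["self"]
    if mentions_self and not plain_self:
        # ~{ self ATTR1 } and { ATTR2 -self }: rejected, as in the patch
        raise UnsupportedTarget(UNSUPPORTED)
    if plain_self:
        targets = ["notself" if complement else "self"]
    elif complement:
        # ~TYPE needs the policy's full type list to expand; not handled here
        raise ValueError("complemented type sets require the whole policy")
    else:
        targets = members  # a set of types is equivalent to one rule each
    return [f"(neverallow {src} {t} ({cls} ({perms})))" for t in targets]
```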