@@ -64,6 +64,7 @@ extern void cil_write_policy_conf(FILE *out, struct cil_db *db);
extern int cil_write_parse_ast(FILE *out, cil_db_t *db);
extern int cil_write_build_ast(FILE *out, cil_db_t *db);
extern int cil_write_resolve_ast(FILE *out, cil_db_t *db);
+extern int cil_write_post_ast(FILE *out, cil_db_t *db);
enum cil_log_level {
CIL_ERR = 1,
@@ -687,6 +687,56 @@ exit:
return rc;
}
+int cil_write_post_ast(FILE *out, cil_db_t *db)
+{
+ int rc = SEPOL_ERR;
+
+ if (db == NULL) {
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Building AST from Parse Tree\n");
+ rc = cil_build_ast(db, db->parse->root, db->ast->root);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed to build ast\n");
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Destroying Parse Tree\n");
+ cil_tree_destroy(&db->parse);
+
+ cil_log(CIL_INFO, "Resolving AST\n");
+ rc = cil_resolve_ast(db, db->ast->root);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed to resolve ast\n");
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Qualifying Names\n");
+ rc = cil_fqn_qualify(db->ast->root);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed to qualify names\n");
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Compile post process\n");
+ rc = cil_post_process(db);
+ if (rc != SEPOL_OK ) {
+ cil_log(CIL_ERR, "Post process failed\n");
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Writing Post AST\n");
+ rc = cil_write_ast(out, CIL_WRITE_AST_PHASE_POST, db->ast->root);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed to write post ast\n");
+ goto exit;
+ }
+
+exit:
+ return rc;
+}
+
int cil_build_policydb(cil_db_t *db, sepol_policydb_t **sepol_db)
{
int rc;
@@ -38,6 +38,7 @@ enum cil_write_ast_phase {
CIL_WRITE_AST_PHASE_PARSE = 0,
CIL_WRITE_AST_PHASE_BUILD,
CIL_WRITE_AST_PHASE_RESOLVE,
+ CIL_WRITE_AST_PHASE_POST,
};
void cil_write_ast_node(FILE *out, struct cil_tree_node *node);
The function cil_write_post_ast() will write the CIL AST after post processing is done. Most post processing does not change the CIL AST, this is where deny rules are processed (because to process them, type attributes have to have been evaluated.) When processed, deny rules may add new rules and attributes and the deny rule itself will be removed from the AST, so using this new function will show the results of the deny rule processing. Signed-off-by: James Carter <jwcart2@gmail.com> --- libsepol/cil/include/cil/cil.h | 1 + libsepol/cil/src/cil.c | 50 ++++++++++++++++++++++++++++++++ libsepol/cil/src/cil_write_ast.h | 1 + 3 files changed, 52 insertions(+)