| Message ID | 20250402010146.898864-1-inseob@google.com (mailing list archive) |
|---|---|
| State | New |
| Series | [RESEND] libsepol: Print line markers also for allow rules |
On Tue, Apr 1, 2025 at 9:04 PM Inseob Kim <inseob@google.com> wrote: > > Currently, only line markers for neverallow rules are printed. This > makes people difficult to debug a neverallow failure with cil files > generated by checkpolicy. > > This change additionally prints line markers for allow and allowxperm > statements to make debugging easier. > > Signed-off-by: Inseob Kim <inseob@google.com> > --- > libsepol/src/module_to_cil.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c > index ae9a2b5d..76fe4739 100644 > --- a/libsepol/src/module_to_cil.c > +++ b/libsepol/src/module_to_cil.c > @@ -1196,7 +1196,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a > struct type_set *ts; > > for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) { > - if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && > + if ((avrule->specified & (AVRULE_ALLOWED|AVRULE_XPERMS_ALLOWED|AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && > avrule->source_filename) { > cil_println(0, ";;* lmx %lu %s\n",avrule->source_line, avrule->source_filename); > } The problem is that currently line marks (which are converted to <src_info> rules when parsed) cannot be in booleanif statements, but allow rules can be, so this can create cil files that will not compile. I suspect that that restriction was not intentional and can be relaxed, but I don't remember. The other issue is that this will produce a lot of line marks for any real policy. A lot of line marks. It would be nice if this behavior could be made optional. Jim 
> @@ -1264,7 +1264,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a > names_destroy(&snames, &num_snames); > names_destroy(&tnames, &num_tnames); > > - if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && > + if ((avrule->specified & (AVRULE_ALLOWED|AVRULE_XPERMS_ALLOWED|AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && > avrule->source_filename) { > cil_println(0, ";;* lme\n"); > } > -- > 2.49.0.rc1.451.g8f38331e32-goog > >
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index ae9a2b5d..76fe4739 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -1196,7 +1196,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a struct type_set *ts; for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) { - if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && + if ((avrule->specified & (AVRULE_ALLOWED|AVRULE_XPERMS_ALLOWED|AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && avrule->source_filename) { cil_println(0, ";;* lmx %lu %s\n",avrule->source_line, avrule->source_filename); } @@ -1264,7 +1264,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a names_destroy(&snames, &num_snames); names_destroy(&tnames, &num_tnames); - if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && + if ((avrule->specified & (AVRULE_ALLOWED|AVRULE_XPERMS_ALLOWED|AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && avrule->source_filename) { cil_println(0, ";;* lme\n"); }
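Review bot: the widened mask in the `lmx` condition at line 1196 is the same literal `(AVRULE_ALLOWED|AVRULE_XPERMS_ALLOWED|AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)` that the second hunk repeats at line 1264, and the two copies must stay identical or a rule gets an `;;* lmx` start marker with no matching `;;* lme` (or the reverse) and the generated CIL stops parsing. Suggest one named mask, e.g. `#define AVRULE_LINE_MARKED (AVRULE_ALLOWED|AVRULE_XPERMS_ALLOWED|AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)`, tested at both sites. As the reply on this thread points out, allow rules can also sit inside booleanif blocks where line marks are currently not accepted, so this condition needs to exclude that case (or the CIL side needs to accept markers there) before the output is guaranteed to compile.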
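Review bot: the `lme` emission at line 1264 re-evaluates the `lmx` decision from line 1196 by hand rather than reusing it; compute it once per loop iteration, e.g. `int emit_marker = (avrule->specified & (AVRULE_ALLOWED|AVRULE_XPERMS_ALLOWED|AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && avrule->source_filename;`, and test `emit_marker` at both the start and end sites so the pair cannot get out of step. Since every allow and allowxperm rule in a real policy now produces a marker pair, the reply's request to make this behaviour optional is worth adopting, and the commit message should state that the default output grows accordingly.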
Currently, only line markers for neverallow rules are printed. This makes it difficult for people to debug a neverallow failure with cil files generated by checkpolicy.

This change additionally prints line markers for allow and allowxperm statements to make debugging easier.

Signed-off-by: Inseob Kim <inseob@google.com>
---
libsepol/src/module_to_cil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)