tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

libsepol/cil: Make name resolution in macros work as documented

Browse source 
The CIL Reference Guide specifies how name resolution is suppose
to work within an expanded macro.
  1. Items defined inside the macro
  2. Items passed into the macro as arguments
  3. Items defined in the same namespace of the macro
  4. Items defined in the caller's namespace
  5. Items defined in the global namespace

But Lorenzo Ceragioli <lorenzo.ceragioli@phd.unipi.it> found
that the first step is not done.

So the following policy:
  (block A
    (type a)
    (macro m ()
      (type a)
      (allow a self (CLASS (PERM)))
    )
  )
  (block B
    (call A.m)
  )
will result in:
  (allow A.a self (CLASS (PERM)))
instead of the expected:
  (allow B.a self (CLASS (PERM)))

Now when an expanded call is found, the macro's namespace is
checked first. If the name is found, then the name was declared
in the macro and it is declared in the expanded call, so only the
namespace of the call up to and including the global namespace
will be searched. If the name is not found in the macro's namespace
then name resolution continues with steps 2-5 above.

Signed-off-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
James Carter 2021-05-11 09:43:22 -04:00
parent 3cef4110be
commit 788d40b0e6
1 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
libsepol/cil/src/cil_resolve_ast.c
View file

@ -4195,10 +4195,18 @@ static int __cil_resolve_name_with_parents(struct cil_tree_node *node, char *nam
break;
case CIL_CALL: {
struct cil_call *call = node->data;
rc = cil_resolve_name_call_args(call, name, sym_index, datum);
if (rc != SEPOL_OK) {
/* Continue search in macro's parent */
rc = __cil_resolve_name_with_parents(NODE(call->macro)->parent, name, sym_index, datum);
struct cil_macro *macro = call->macro;
symtab = &macro->symtab[sym_index];
rc = cil_symtab_get_datum(symtab, name, datum);
if (rc == SEPOL_OK) {
/* If the name was declared in the macro, just look on the call side */
rc = SEPOL_ERR;
} else {
rc = cil_resolve_name_call_args(call, name, sym_index, datum);
if (rc != SEPOL_OK) {
/* Continue search in macro's parent */
rc = __cil_resolve_name_with_parents(NODE(call->macro)->parent, name, sym_index, datum);
}
}
}
break;