libsepol: cil: Add ability to redeclare types[attributes]
Modify cil_gen_node() to check to see if the cil_db supports multiple declarations, and if so, to check whether or not the repeated symbol is eligible to share the existing, already-stored datum. The only types considered so far are CIL_TYPE and CIL_TYPEATTRIBUTE, both of which install empty datums during AST building, so they automatically return true. Test: Build policy with multiple type and attribute declarations, and without. Policies are binary-identical. Signed-off-by: Dan Cashman <dcashman@android.com> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This commit is contained in:
parent
1346746d82
commit
fafe4c212b
6 changed files with 57 additions and 8 deletions
@ -50,6 +50,7 @@ extern int cil_userprefixes_to_string(cil_db_t *db, char **out, size_t *size);
|
||||||
extern int cil_selinuxusers_to_string(cil_db_t *db, char **out, size_t *size);
|
extern int cil_selinuxusers_to_string(cil_db_t *db, char **out, size_t *size);
|
||||||
extern int cil_filecons_to_string(cil_db_t *db, char **out, size_t *size);
|
extern int cil_filecons_to_string(cil_db_t *db, char **out, size_t *size);
|
||||||
extern void cil_set_disable_dontaudit(cil_db_t *db, int disable_dontaudit);
|
extern void cil_set_disable_dontaudit(cil_db_t *db, int disable_dontaudit);
|
||||||
|
extern void cil_set_multiple_decls(cil_db_t *db, int multiple_decls);
|
||||||
extern void cil_set_disable_neverallow(cil_db_t *db, int disable_neverallow);
|
extern void cil_set_disable_neverallow(cil_db_t *db, int disable_neverallow);
|
||||||
extern void cil_set_preserve_tunables(cil_db_t *db, int preserve_tunables);
|
extern void cil_set_preserve_tunables(cil_db_t *db, int preserve_tunables);
|
||||||
extern int cil_set_handle_unknown(cil_db_t *db, int handle_unknown);
|
extern int cil_set_handle_unknown(cil_db_t *db, int handle_unknown);
|
||||||
|
|
|
@ -1691,6 +1691,11 @@ void cil_set_mls(struct cil_db *db, int mls)
|
||||||
db->mls = mls;
|
db->mls = mls;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void cil_set_multiple_decls(struct cil_db *db, int multiple_decls)
|
||||||
|
{
|
||||||
|
db->multiple_decls = multiple_decls;
|
||||||
|
}
|
||||||
|
|
||||||
void cil_set_target_platform(struct cil_db *db, int target_platform)
|
void cil_set_target_platform(struct cil_db *db, int target_platform)
|
||||||
{
|
{
|
||||||
db->target_platform = target_platform;
|
db->target_platform = target_platform;
|
||||||
|
|
|
@ -82,10 +82,33 @@ exit:
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Determine whether or not multiple declarations of the same key can share a
|
||||||
|
* datum, given the new datum and the one already present in a given symtab.
|
||||||
|
*/
|
||||||
|
int cil_is_datum_multiple_decl(__attribute__((unused)) struct cil_symtab_datum *cur,
|
||||||
|
__attribute__((unused)) struct cil_symtab_datum *old,
|
||||||
|
enum cil_flavor f)
|
||||||
|
{
|
||||||
|
int rc = CIL_FALSE;
|
||||||
|
|
||||||
|
switch (f) {
|
||||||
|
case CIL_TYPE:
|
||||||
|
case CIL_TYPEATTRIBUTE:
|
||||||
|
/* type and typeattribute statements insert empty datums, ret true */
|
||||||
|
rc = CIL_TRUE;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
int cil_gen_node(__attribute__((unused)) struct cil_db *db, struct cil_tree_node *ast_node, struct cil_symtab_datum *datum, hashtab_key_t key, enum cil_sym_index sflavor, enum cil_flavor nflavor)
|
int cil_gen_node(__attribute__((unused)) struct cil_db *db, struct cil_tree_node *ast_node, struct cil_symtab_datum *datum, hashtab_key_t key, enum cil_sym_index sflavor, enum cil_flavor nflavor)
|
||||||
{
|
{
|
||||||
int rc = SEPOL_ERR;
|
int rc = SEPOL_ERR;
|
||||||
symtab_t *symtab = NULL;
|
symtab_t *symtab = NULL;
|
||||||
|
struct cil_symtab_datum *prev;
|
||||||
|
|
||||||
rc = __cil_verify_name((const char*)key);
|
rc = __cil_verify_name((const char*)key);
|
||||||
if (rc != SEPOL_OK) {
|
if (rc != SEPOL_OK) {
|
||||||
|
@ -103,15 +126,26 @@ int cil_gen_node(__attribute__((unused)) struct cil_db *db, struct cil_tree_node
|
||||||
if (symtab != NULL) {
|
if (symtab != NULL) {
|
||||||
rc = cil_symtab_insert(symtab, (hashtab_key_t)key, datum, ast_node);
|
rc = cil_symtab_insert(symtab, (hashtab_key_t)key, datum, ast_node);
|
||||||
if (rc == SEPOL_EEXIST) {
|
if (rc == SEPOL_EEXIST) {
|
||||||
cil_log(CIL_ERR, "Re-declaration of %s %s\n",
|
if (!db->multiple_decls ||
|
||||||
cil_node_to_string(ast_node), key);
|
cil_symtab_get_datum(symtab, (hashtab_key_t)key, &prev) != SEPOL_OK ||
|
||||||
if (cil_symtab_get_datum(symtab, key, &datum) == SEPOL_OK) {
|
!cil_is_datum_multiple_decl(datum, prev, nflavor)) {
|
||||||
if (sflavor == CIL_SYM_BLOCKS) {
|
|
||||||
struct cil_tree_node *node = datum->nodes->head->data;
|
/* multiple_decls not ok, ret error */
|
||||||
cil_tree_log(node, CIL_ERR, "Previous declaration");
|
cil_log(CIL_ERR, "Re-declaration of %s %s\n",
|
||||||
|
cil_node_to_string(ast_node), key);
|
||||||
|
if (cil_symtab_get_datum(symtab, key, &datum) == SEPOL_OK) {
|
||||||
|
if (sflavor == CIL_SYM_BLOCKS) {
|
||||||
|
struct cil_tree_node *node = datum->nodes->head->data;
|
||||||
|
cil_tree_log(node, CIL_ERR, "Previous declaration");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
goto exit;
|
||||||
}
|
}
|
||||||
goto exit;
|
/* multiple_decls is enabled and works for this datum type, add node */
|
||||||
|
cil_list_append(prev->nodes, CIL_NODE, ast_node);
|
||||||
|
ast_node->data = prev;
|
||||||
|
cil_symtab_datum_destroy(datum);
|
||||||
|
free(datum);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
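Review bot: The sharing decision on the new side of the second hunk never compares the flavor of the stored datum with the one being declared: `cil_is_datum_multiple_decl()` switches only on `nflavor` and leaves both `cur` and `old` unused, and the same `symtab` is consulted regardless of flavor, so if a type and a typeattribute of the same name resolve to the same symtab, a `typeattribute foo` following `type foo` would be silently attached to the type's datum instead of being reported as a re-declaration, which changes what the resulting policy means without any diagnostic. A check in `cil_is_datum_multiple_decl()` ahead of the switch, `struct cil_tree_node *old_node = old->nodes->head->data;` followed by `if (old_node->flavor != f) { return CIL_FALSE; }` (and dropping the `__attribute__((unused))` from `old`), would keep the error for that case; the error path already dereferences `datum->nodes->head->data` the same way. The `db` parameter of `cil_gen_node()` is likewise still tagged `__attribute__((unused))` in the signature although the new code reads `db->multiple_decls`, so that attribute should be removed. On the shared path the function destroys and frees the caller's `datum` and repoints `ast_node->data` at `prev`, which deserves a comment above `cil_gen_node()` such as `/* With multiple_decls, datum may be freed here; callers must not use it after return */`, since any caller that still touches it would hit freed memory. `rc` still holds `SEPOL_EEXIST` when control leaves the hunk and the body of `cil_gen_node()` continues outside it, so the status actually returned on that path depends on code not shown here.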
@ -316,6 +316,7 @@ struct cil_db {
|
||||||
int preserve_tunables;
|
int preserve_tunables;
|
||||||
int handle_unknown;
|
int handle_unknown;
|
||||||
int mls;
|
int mls;
|
||||||
|
int multiple_decls;
|
||||||
int target_platform;
|
int target_platform;
|
||||||
int policy_version;
|
int policy_version;
|
||||||
};
|
};
|
||||||
|
|
|
@ -49,6 +49,7 @@ LIBSEPOL_1.1 {
|
||||||
cil_set_mls;
|
cil_set_mls;
|
||||||
cil_set_attrs_expand_generated;
|
cil_set_attrs_expand_generated;
|
||||||
cil_set_attrs_expand_size;
|
cil_set_attrs_expand_size;
|
||||||
|
cil_set_multiple_decls;
|
||||||
cil_write_policy_conf;
|
cil_write_policy_conf;
|
||||||
sepol_ppfile_to_module_package;
|
sepol_ppfile_to_module_package;
|
||||||
sepol_module_package_to_cil;
|
sepol_module_package_to_cil;
|
||||||
|
|
|
@ -63,6 +63,7 @@ static __attribute__((__noreturn__)) void usage(const char *prog)
|
||||||
printf(" statement if present in the policy\n");
|
printf(" statement if present in the policy\n");
|
||||||
printf(" -D, --disable-dontaudit do not add dontaudit rules to the binary policy\n");
|
printf(" -D, --disable-dontaudit do not add dontaudit rules to the binary policy\n");
|
||||||
printf(" -P, --preserve-tunables treat tunables as booleans\n");
|
printf(" -P, --preserve-tunables treat tunables as booleans\n");
|
||||||
|
printf(" -m, --multiple-decls allow some statements to be re-declared\n");
|
||||||
printf(" -N, --disable-neverallow do not check neverallow rules\n");
|
printf(" -N, --disable-neverallow do not check neverallow rules\n");
|
||||||
printf(" -G, --expand-generated Expand and remove auto-generated attributes\n");
|
printf(" -G, --expand-generated Expand and remove auto-generated attributes\n");
|
||||||
printf(" -X, --expand-size <SIZE> Expand type attributes with fewer than <SIZE>\n");
|
printf(" -X, --expand-size <SIZE> Expand type attributes with fewer than <SIZE>\n");
|
||||||
|
@ -89,6 +90,7 @@ int main(int argc, char *argv[])
|
||||||
int target = SEPOL_TARGET_SELINUX;
|
int target = SEPOL_TARGET_SELINUX;
|
||||||
int mls = -1;
|
int mls = -1;
|
||||||
int disable_dontaudit = 0;
|
int disable_dontaudit = 0;
|
||||||
|
int multiple_decls = 0;
|
||||||
int disable_neverallow = 0;
|
int disable_neverallow = 0;
|
||||||
int preserve_tunables = 0;
|
int preserve_tunables = 0;
|
||||||
int handle_unknown = -1;
|
int handle_unknown = -1;
|
||||||
|
@ -108,6 +110,7 @@ int main(int argc, char *argv[])
|
||||||
{"policyversion", required_argument, 0, 'c'},
|
{"policyversion", required_argument, 0, 'c'},
|
||||||
{"handle-unknown", required_argument, 0, 'U'},
|
{"handle-unknown", required_argument, 0, 'U'},
|
||||||
{"disable-dontaudit", no_argument, 0, 'D'},
|
{"disable-dontaudit", no_argument, 0, 'D'},
|
||||||
|
{"multiple-decls", no_argument, 0, 'm'},
|
||||||
{"disable-neverallow", no_argument, 0, 'N'},
|
{"disable-neverallow", no_argument, 0, 'N'},
|
||||||
{"preserve-tunables", no_argument, 0, 'P'},
|
{"preserve-tunables", no_argument, 0, 'P'},
|
||||||
{"output", required_argument, 0, 'o'},
|
{"output", required_argument, 0, 'o'},
|
||||||
|
@ -119,7 +122,7 @@ int main(int argc, char *argv[])
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
while (1) {
|
while (1) {
|
||||||
opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDNc:GX:", long_opts, &opt_index);
|
opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDmNc:GX:", long_opts, &opt_index);
|
||||||
if (opt_char == -1) {
|
if (opt_char == -1) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -175,6 +178,9 @@ int main(int argc, char *argv[])
|
||||||
case 'D':
|
case 'D':
|
||||||
disable_dontaudit = 1;
|
disable_dontaudit = 1;
|
||||||
break;
|
break;
|
||||||
|
case 'm':
|
||||||
|
multiple_decls = 1;
|
||||||
|
break;
|
||||||
case 'N':
|
case 'N':
|
||||||
disable_neverallow = 1;
|
disable_neverallow = 1;
|
||||||
break;
|
break;
|
||||||
|
@ -223,6 +229,7 @@ int main(int argc, char *argv[])
|
||||||
|
|
||||||
cil_db_init(&db);
|
cil_db_init(&db);
|
||||||
cil_set_disable_dontaudit(db, disable_dontaudit);
|
cil_set_disable_dontaudit(db, disable_dontaudit);
|
||||||
|
cil_set_multiple_decls(db, multiple_decls);
|
||||||
cil_set_disable_neverallow(db, disable_neverallow);
|
cil_set_disable_neverallow(db, disable_neverallow);
|
||||||
cil_set_preserve_tunables(db, preserve_tunables);
|
cil_set_preserve_tunables(db, preserve_tunables);
|
||||||
if (handle_unknown != -1) {
|
if (handle_unknown != -1) {
|
||||||
|
|
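Review bot: The help text added in usage() in the first hunk, `allow some statements to be re-declared`, does not tell the user which statements qualify, and nothing else in the diff documents the new `-m` flag. Given that the commit message limits sharing to type and typeattribute declarations, the line could read `printf("  -m, --multiple-decls     allow type and typeattribute statements to be re-declared\n");`, aligned with the neighbouring option lines. The getopt string, the long_opts entry and the `case 'm'` branch are consistent with each other; main() continues outside the hunks shown.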