From 6b6a787188804cad4f7f853e95eb0a58dea7ad62 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 30 Mar 2021 13:39:12 -0400
Subject: [PATCH] libsepol/cil: Reorder checks for invalid rules when building
AST
Reorder checks for invalid rules in the blocks of tunableifs,
in-statements, macros, and booleanifs when building the AST for
consistency.
Order the checks in the same order the blocks will be resolved in,
so tunableif, in-statement, macro, booleanif, and then non-block
rules.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_build_ast.c | 100 +++++++++++++++----------------
1 file changed, 50 insertions(+), 50 deletions(-)
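diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index fe7b7777..6d5a57fa 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -49,10 +49,10 @@
 struct cil_args_build {
 struct cil_tree_node *ast;
 struct cil_db *db;
- struct cil_tree_node *macro;
- struct cil_tree_node *boolif;
 struct cil_tree_node *tunif;
 struct cil_tree_node *in;
+ struct cil_tree_node *macro;
+ struct cil_tree_node *boolif;
 };
 
 int cil_fill_list(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **list)
@@ -6075,10 +6075,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 struct cil_tree_node *ast_current = NULL;
 struct cil_db *db = NULL;
 struct cil_tree_node *ast_node = NULL;
- struct cil_tree_node *macro = NULL;
- struct cil_tree_node *boolif = NULL;
 struct cil_tree_node *tunif = NULL;
 struct cil_tree_node *in = NULL;
+ struct cil_tree_node *macro = NULL;
+ struct cil_tree_node *boolif = NULL;
 int rc = SEPOL_ERR;
 
 if (parse_current == NULL || finished == NULL || extra_args == NULL) {
@@ -6088,10 +6088,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 args = extra_args;
 ast_current = args->ast;
 db = args->db;
- macro = args->macro;
- boolif = args->boolif;
 tunif = args->tunif;
 in = args->in;
+ macro = args->macro;
+ boolif = args->boolif;
 
 if (parse_current->parent->cl_head != parse_current) {
 /* ignore anything that isn't following a parenthesis */
@@ -6108,13 +6108,31 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 goto exit;
 }
 
+ if (tunif != NULL) {
+ if (parse_current->data == CIL_KEY_TUNABLE) {
+ rc = SEPOL_ERR;
+ cil_tree_log(parse_current, CIL_ERR, "Found tunable");
+ cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
+ goto exit;
+ }
+ }
+
+ if (in != NULL) {
+ if (parse_current->data == CIL_KEY_IN) {
+ rc = SEPOL_ERR;
+ cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
+ cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
+ goto exit;
+ }
+ }
+
 if (macro != NULL) {
- if (parse_current->data == CIL_KEY_MACRO ||
- parse_current->data == CIL_KEY_TUNABLE ||
+ if (parse_current->data == CIL_KEY_TUNABLE ||
 parse_current->data == CIL_KEY_IN ||
 parse_current->data == CIL_KEY_BLOCK ||
 parse_current->data == CIL_KEY_BLOCKINHERIT ||
- parse_current->data == CIL_KEY_BLOCKABSTRACT) {
+ parse_current->data == CIL_KEY_BLOCKABSTRACT ||
+ parse_current->data == CIL_KEY_MACRO) {
 rc = SEPOL_ERR;
 cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in macros", (char *)parse_current->data);
 goto exit;
@@ -6122,15 +6140,15 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 }
 
 if (boolif != NULL) {
- if (parse_current->data != CIL_KEY_CONDTRUE &&
+ if (parse_current->data != CIL_KEY_TUNABLEIF &&
+ parse_current->data != CIL_KEY_CALL &&
+ parse_current->data != CIL_KEY_CONDTRUE &&
 parse_current->data != CIL_KEY_CONDFALSE &&
- parse_current->data != CIL_KEY_AUDITALLOW &&
- parse_current->data != CIL_KEY_TUNABLEIF &&
 parse_current->data != CIL_KEY_ALLOW &&
 parse_current->data != CIL_KEY_DONTAUDIT &&
+ parse_current->data != CIL_KEY_AUDITALLOW &&
 parse_current->data != CIL_KEY_TYPETRANSITION &&
- parse_current->data != CIL_KEY_TYPECHANGE &&
- parse_current->data != CIL_KEY_CALL) {
+ parse_current->data != CIL_KEY_TYPECHANGE) {
 rc = SEPOL_ERR;
 cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data);
 if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
@@ -6144,24 +6162,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 }
 }
 
- if (tunif != NULL) {
- if (parse_current->data == CIL_KEY_TUNABLE) {
- rc = SEPOL_ERR;
- cil_tree_log(parse_current, CIL_ERR, "Found tunable");
- cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
- goto exit;
- }
- }
-
- if (in != NULL) {
- if (parse_current->data == CIL_KEY_IN) {
- rc = SEPOL_ERR;
- cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
- cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
- goto exit;
- }
- }
-
 cil_tree_node_init(&ast_node);
 
 ast_node->parent = ast_current;
@@ -6447,14 +6447,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 
 if (rc == SEPOL_OK) {
 if (ast_current->cl_head == NULL) {
- if (ast_current->flavor == CIL_MACRO) {
- args->macro = ast_current;
- }
-
- if (ast_current->flavor == CIL_BOOLEANIF) {
- args->boolif = ast_current;
- }
-
 if (ast_current->flavor == CIL_TUNABLEIF) {
 args->tunif = ast_current;
 }
@@ -6463,6 +6455,14 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 args->in = ast_current;
 }
 
+ if (ast_current->flavor == CIL_MACRO) {
+ args->macro = ast_current;
+ }
+
+ if (ast_current->flavor == CIL_BOOLEANIF) {
+ args->boolif = ast_current;
+ }
+
 ast_current->cl_head = ast_node;
 } else {
 ast_current->cl_tail->next = ast_node;
@@ -6498,14 +6498,6 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
 
 args->ast = ast->parent;
 
- if (ast->flavor == CIL_MACRO) {
- args->macro = NULL;
- }
-
- if (ast->flavor == CIL_BOOLEANIF) {
- args->boolif = NULL;
- }
-
 if (ast->flavor == CIL_TUNABLEIF) {
 args->tunif = NULL;
 }
@@ -6514,6 +6506,14 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
 args->in = NULL;
 }
 
+ if (ast->flavor == CIL_MACRO) {
+ args->macro = NULL;
+ }
+
+ if (ast->flavor == CIL_BOOLEANIF) {
+ args->boolif = NULL;
+ }
+
 // At this point we no longer have any need for parse_current or any of its
 // siblings; they have all been converted to the appropriate AST node. The
 // full parse tree will get deleted elsewhere, but in an attempt to
@@ -6538,10 +6538,10 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
 
 extra_args.ast = ast;
 extra_args.db = db;
- extra_args.macro = NULL;
- extra_args.boolif = NULL;
 extra_args.tunif = NULL;
 extra_args.in = NULL;
+ extra_args.macro = NULL;
+ extra_args.boolif = NULL;
 
 rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, NULL, __cil_build_ast_last_child_helper, &extra_args);
 if (rc != SEPOL_OK) {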
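Review bot: In __cil_build_ast_last_child_helper (hunk @@ -6498) `args->tunif = NULL` runs on leaving any CIL_TUNABLEIF node, and the build-phase check in hunk @@ -6108 only rejects CIL_KEY_TUNABLE inside a tunableif, not a nested tunableif; so if the language accepts a tunableif inside another one, closing the inner block clears the tracker while the outer block is still open and a later `tunable` in the outer block would slip past this pass. The macro, in and boolif trackers do not appear to have the same gap, because the checks in hunks @@ -6108 and @@ -6122 reject those statements inside themselves. If nesting is legal here, restoring the nearest enclosing tunableif instead of unconditionally setting NULL closes the gap, as sketched below; otherwise a one-line comment stating that tunableifs are never nested would document why the reset is safe. Separately, nothing in the code records that the check order now mirrors resolution order, so a comment above the tunif check in hunk @@ -6108, `/* Checks run in resolution order: tunableif, in, macro, booleanif */`, would keep the next reorder from undoing this commit. Both helpers start and end outside their hunks.
```c
	if (ast->flavor == CIL_TUNABLEIF) {
		/* keep tracking the enclosing tunableif, if any, when a nested one closes */
		struct cil_tree_node *outer = ast->parent;
		while (outer != NULL && outer->flavor != CIL_TUNABLEIF) {
			outer = outer->parent;
		}
		args->tunif = outer;
	}
	/* … unchanged: in, macro and boolif resets … */
```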
--
2.30.2