|
 |
71cd55 |
From 788d40b0e61f352524660d0965d5e86f6e1e0718 Mon Sep 17 00:00:00 2001
|
|
|
71cd55 |
From: James Carter <jwcart2@gmail.com>
|
|
|
71cd55 |
Date: Tue, 11 May 2021 09:43:22 -0400
|
|
|
71cd55 |
Subject: [PATCH] libsepol/cil: Make name resolution in macros work as
|
|
|
71cd55 |
documented
|
|
|
71cd55 |
|
|
|
71cd55 |
The CIL Reference Guide specifies how name resolution is suppose
|
|
|
71cd55 |
to work within an expanded macro.
|
|
|
71cd55 |
1. Items defined inside the macro
|
|
|
71cd55 |
2. Items passed into the macro as arguments
|
|
|
71cd55 |
3. Items defined in the same namespace of the macro
|
|
|
71cd55 |
4. Items defined in the caller's namespace
|
|
|
71cd55 |
5. Items defined in the global namespace
|
|
|
71cd55 |
|
|
|
71cd55 |
But Lorenzo Ceragioli <lorenzo.ceragioli@phd.unipi.it> found
|
|
|
71cd55 |
that the first step is not done.
|
|
|
71cd55 |
|
|
|
71cd55 |
So the following policy:
|
|
|
71cd55 |
(block A
|
|
|
71cd55 |
(type a)
|
|
|
71cd55 |
(macro m ()
|
|
|
71cd55 |
(type a)
|
|
|
71cd55 |
(allow a self (CLASS (PERM)))
|
|
|
71cd55 |
)
|
|
|
71cd55 |
)
|
|
|
71cd55 |
(block B
|
|
|
71cd55 |
(call A.m)
|
|
|
71cd55 |
)
|
|
|
71cd55 |
will result in:
|
|
|
71cd55 |
(allow A.a self (CLASS (PERM)))
|
|
|
71cd55 |
instead of the expected:
|
|
|
71cd55 |
(allow B.a self (CLASS (PERM)))
|
|
|
71cd55 |
|
|
|
71cd55 |
Now when an expanded call is found, the macro's namespace is
|
|
|
71cd55 |
checked first. If the name is found, then the name was declared
|
|
|
71cd55 |
in the macro and it is declared in the expanded call, so only the
|
|
|
71cd55 |
namespace of the call up to and including the global namespace
|
|
|
71cd55 |
will be searched. If the name is not found in the macro's namespace
|
|
|
71cd55 |
then name resolution continues with steps 2-5 above.
|
|
|
71cd55 |
|
|
|
71cd55 |
Signed-off-by: James Carter <jwcart2@gmail.com>
|
|
|
71cd55 |
---
|
|
|
71cd55 |
libsepol/cil/src/cil_resolve_ast.c | 16 ++++++++++++----
|
|
|
71cd55 |
1 file changed, 12 insertions(+), 4 deletions(-)
|
|
|
71cd55 |
|
|
|
71cd55 |
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
|
|
|
71cd55 |
index 5684b8da0f76..ae6743f92f4c 100644
|
|
|
71cd55 |
--- a/libsepol/cil/src/cil_resolve_ast.c
|
|
|
71cd55 |
+++ b/libsepol/cil/src/cil_resolve_ast.c
|
|
|
71cd55 |
@@ -4195,10 +4195,18 @@ static int __cil_resolve_name_with_parents(struct cil_tree_node *node, char *nam
|
|
|
71cd55 |
break;
|
|
|
71cd55 |
case CIL_CALL: {
|
|
|
71cd55 |
struct cil_call *call = node->data;
|
|
|
71cd55 |
- rc = cil_resolve_name_call_args(call, name, sym_index, datum);
|
|
|
71cd55 |
- if (rc != SEPOL_OK) {
|
|
|
71cd55 |
- /* Continue search in macro's parent */
|
|
|
71cd55 |
- rc = __cil_resolve_name_with_parents(NODE(call->macro)->parent, name, sym_index, datum);
|
|
|
71cd55 |
+ struct cil_macro *macro = call->macro;
|
|
|
71cd55 |
+ symtab = ¯o->symtab[sym_index];
|
|
|
71cd55 |
+ rc = cil_symtab_get_datum(symtab, name, datum);
|
|
|
71cd55 |
+ if (rc == SEPOL_OK) {
|
|
|
71cd55 |
+ /* If the name was declared in the macro, just look on the call side */
|
|
|
71cd55 |
+ rc = SEPOL_ERR;
|
|
|
71cd55 |
+ } else {
|
|
|
71cd55 |
+ rc = cil_resolve_name_call_args(call, name, sym_index, datum);
|
|
|
71cd55 |
+ if (rc != SEPOL_OK) {
|
|
|
71cd55 |
+ /* Continue search in macro's parent */
|
|
|
71cd55 |
+ rc = __cil_resolve_name_with_parents(NODE(call->macro)->parent, name, sym_index, datum);
|
|
|
71cd55 |
+ }
|
|
|
71cd55 |
}
|
|
|
71cd55 |
}
|
|
|
71cd55 |
break;
|
|
|
71cd55 |
--
|
|
|
71cd55 |
2.32.0
|
|
|
71cd55 |
|