On 01/18/2017 10:09 PM, James Carter wrote:
> On 01/18/2017 03:58 PM, Dominick Grift wrote:
>> On 01/18/2017 09:53 PM, James Carter wrote:
>>> Nicolas Iooss discovered that requiring a type in an optional block
>>> after the type has already been declared in another optional block
>>> results in a duplicate declaration error.
>>>
>>
>> from what i have been told and from experience, types cannot, reliably,
>> be declared in optional blocks.
>>
>> if the above is true, then the compiler should not allow one to declare
>> a type in an optional block in the first place
>>
>
> Well, this ordering issue reported by Nicolas would definitely cause
> their declaration to be unreliable. ;)
>
> I hope to make declaring types in optional blocks reliable.
That would be nice, but just so you know. This was not the issue i was
encountering with declaring types in optionals. So even though this
might have made things unreliable. It was not what made it unreliable
for me.
>
> Jim
>
>>> The following policy will trigger the error.
>>>
>>> optional {
>>> type T1;
>>> }
>>>
>>> optional {
>>> require { type T1; }
>>> }
>>>
>>> In this case, although symtab_insert() in libsepol properly identifies
>>> that the first T1 is a declaration while the second is a require, it
>>> will return -2 which is the return value for a duplicate declaration
>>> and expect the calling code to properly handle the situation. The
>>> caller is require_symbol() in checkpolicy and it checks if the previous
>>> declaration is in the current scope. If it is, then the require can be
>>> ignored. It also checks to see if the declaration is a type and the
>>> require an attribute or vice versa which is an error. The problem is
>>> that -2 is returned if the declaration is not in scope which is
>>> interpreted as a duplicate declaration error.
>>>
>>> The function should return 1 instead which means that they symbol was
>>> not
>>> added and needs to be freed later.
>>>
>>> Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
>>> ---
>>> checkpolicy/module_compiler.c | 16 +++-------------
>>> 1 file changed, 3 insertions(+), 13 deletions(-)
>>>
>>> diff --git a/checkpolicy/module_compiler.c
>>> b/checkpolicy/module_compiler.c
>>> index 6e5483c..bb60f34 100644
>>> --- a/checkpolicy/module_compiler.c
>>> +++ b/checkpolicy/module_compiler.c
>>> @@ -647,7 +647,6 @@ int require_symbol(uint32_t symbol_type,
>>> } else if (retval == -2) {
>>> /* ignore require statements if that symbol was
>>> * previously declared and is in current scope */
>>> - int prev_declaration_ok = 0;
>>> if (is_id_in_scope(symbol_type, key)) {
>>> if (symbol_type == SYM_TYPES) {
>>> /* check that previous symbol has same
>>> @@ -661,23 +660,14 @@ int require_symbol(uint32_t symbol_type,
>>> table, key);
>>> assert(old_datum != NULL);
>>> unsigned char old_isattr = old_datum->flavor;
>>> - prev_declaration_ok =
>>> - (old_isattr == new_isattr ? 1 : 0);
>>> - } else {
>>> - prev_declaration_ok = 1;
>>> + if (old_isattr != new_isattr)
>>> + return -2;
>>> }
>>> - }
>>> - if (prev_declaration_ok) {
>>> /* ignore this require statement because it
>>> * was already declared within my scope */
>>> stack_top->require_given = 1;
>>> - return 1;
>>> - } else {
>>> - /* previous declaration was not in scope or
>>> - * had a mismatched type/attribute, so
>>> - * generate an error */
>>> - return -2;
>>> }
>>> + return 1;
>>> } else if (retval < 0) {
>>> return -3;
>>> } else { /* fall through possible if retval is 0 or 1 */
>>>
>>
>>
>>
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to
>> Selinux-request@xxxxxxxxxxxxx.
>>
>
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
