Looking into a bug that OSS-Fuzz found led to patch 7, Check for statements not allowed in optional blocks, which is the most important patch in this series. Working on patch 7 led to fixing some other problems with the checks for invalid rules, cleaning up some of the code, and improving the CIL documentation.

Patches 1, 2, 4, 5, and 10 are doing various cleanups.
Patch 3 fixes a bug that prevents the first rule in a block from being checked.
Patches 6, 7, 8, and 9 update the checks for invalid rules.
Patch 11 fixes a bug that prevented some error messages from being displayed.
Patch 12 updates the CIL documentation.

There is still work to do in this area. I am not sure why sensitivity and category statements are not allowed in blocks, but everything else is. That is why I didn't add those checks when building the AST. It is not clear if mls, handleunknown, defaultuser, defaultrole, defaulttype, defaultrange, and policycap should be restricted to the global namespace.

James Carter (12):
  libsepol/cil: Reorder checks for invalid rules when building AST
  libsepol/cil: Cleanup build AST helper functions
  libsepol/cil: Create new first child helper function for building AST
  libsepol/cil: Use AST to track blocks and optionals when resolving
  libsepol/cil: Reorder checks for invalid rules when resolving AST
  libsepol/cil: Sync checks for invalid rules in booleanifs
  libsepol/cil: Check for statements not allowed in optional blocks
  libsepol/cil: Sync checks for invalid rules in macros
  libsepol/cil: Do not allow tunable declarations in in-statements
  libsepol/cil: Make invalid statement error messages consistent
  libsepol/cil: Use CIL_ERR for error messages in cil_compile()
  secilc/docs: Update the CIL documentation for various blocks

 libsepol/cil/src/cil.c                    |   8 +-
 libsepol/cil/src/cil_build_ast.c          | 193 ++++++++++++----------
 libsepol/cil/src/cil_resolve_ast.c        | 174 ++++++++-----------
 secilc/docs/cil_call_macro_statements.md  |   2 +
 secilc/docs/cil_conditional_statements.md |   6 +
 secilc/docs/cil_container_statements.md   |  28 ++--
 6 files changed, 205 insertions(+), 206 deletions(-)

--
2.26.3