Re: [PATCH 00/12] Update checks for invalid rules in blocks

On Tue, Mar 30, 2021 at 1:39 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> Looking into a bug that OSS-Fuzz found led to patch 7, Check for
> statements not allowed in optional blocks, which is the most important
> patch in this series. Working on patch 7 led to fixing some other
> problems with the checks for invalid rules, cleaning up some of the code,
> and improving the CIL documentation.
>
> Patches 1, 2, 4, 5, and 10 are doing various cleanups.
> Patch 3 fixes a bug that prevents the first rule in a block from being checked.
> Patches 6, 7, 8, and 9 update the checks for invalid rules.
> Patch 11 fixes a bug that prevented some error messages from being displayed.
> Patch 12 updates the CIL documentation.
>
> There is still work to do in this area. I am not sure why sensitivity and
> category statements are not allowed in blocks, but everything else is. That
> is why I didn't add those checks when building the AST. It is not clear if
> mls, handleunknown, defaultuser, defaultrole, defaulttype, defaultrange,
> and policycap should be restricted to the global namespace.
>
> James Carter (12):
>   libsepol/cil: Reorder checks for invalid rules when building AST
>   libsepol/cil: Cleanup build AST helper functions
>   libsepol/cil: Create new first child helper function for building AST
>   libsepol/cil: Use AST to track blocks and optionals when resolving
>   libsepol/cil: Reorder checks for invalid rules when resolving AST
>   libsepol/cil: Sync checks for invalid rules in booleanifs
>   libsepol/cil: Check for statements not allowed in optional blocks
>   libsepol/cil: Sync checks for invalid rules in macros
>   libsepol/cil: Do not allow tunable declarations in in-statements
>   libsepol/cil: Make invalid statement error messages consistent
>   libsepol/cil: Use CIL_ERR for error messages in cil_compile()
>   secilc/docs: Update the CIL documentation for various blocks
>
>  libsepol/cil/src/cil.c                    |   8 +-
>  libsepol/cil/src/cil_build_ast.c          | 193 ++++++++++++----------
>  libsepol/cil/src/cil_resolve_ast.c        | 174 ++++++++-----------
>  secilc/docs/cil_call_macro_statements.md  |   2 +
>  secilc/docs/cil_conditional_statements.md |   6 +
>  secilc/docs/cil_container_statements.md   |  28 ++--
>  6 files changed, 205 insertions(+), 206 deletions(-)
>
> --
> 2.26.3
>

This has been applied (with the whitespace error in the last patch fixed).
Jim


