On Wed, Jun 30, 2021 at 8:57 PM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote: > > On Tue, Jun 29, 2021 at 5:14 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > > > Qualified names have "dots" in them. They are generated when a CIL > > policy is compiled and come from declarations in blocks. If a kernel > > policy is decompiled into a CIL policy, the resulting policy could > > have declarations that use qualified names. Compiling this policy would > > result in an error because "dots" in declarations are not allowed. > > > > Qualified names in a policy are normally used to refer to the name of > > identifiers, blocks, macros, or optionals that are declared in a > > different block (that is not a parent). Name resolution is based on > > splitting a name based on the "dots", searching the parents up to the > > global namespace for the first block using the first part of the name, > > using the second part of the name to lookup the next block using the > > first block's symbol tables, looking up the third block in the second's > > symbol tables, and so on. > > > > To allow the option of using qualified names in declarations: > > > > 1) Create a field in the struct cil_db called "qualified_names" which > > is set to CIL_TRUE when qualified names are to be used. This field is > > checked in cil_verify_name() and "dots" are allowed if qualified names > > are being allowed. > > > > 2) Only allow the direct lookup of the whole name in the global symbol > > table. This means that blocks, blockinherits, blockabstracts, and in- > > statements cannot be allowed. Use the "qualified_names" field of the > > cil_db to know when using one of these should result in an error. > > > > 3) Create the function cil_set_qualified_names() that is used to set > > the "qualified_names" field. Export the function in libsepol. > > > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> > > --- > > v2: > > Fixed misspelling in commit message > > Make struct cil_db * const in cil_verify_name() > > For these 4 patches: > > Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> Applied. Thanks, Nicolas > > > > libsepol/cil/include/cil/cil.h | 1 + > > libsepol/cil/src/cil.c | 6 ++++++ > > libsepol/cil/src/cil_build_ast.c | 24 ++++++++++++++++++++++-- > > libsepol/cil/src/cil_internal.h | 1 + > > libsepol/cil/src/cil_resolve_ast.c | 4 ++-- > > libsepol/cil/src/cil_verify.c | 19 ++++++++++++++----- > > libsepol/cil/src/cil_verify.h | 2 +- > > libsepol/src/libsepol.map.in | 1 + > > 8 files changed, 48 insertions(+), 10 deletions(-) > > > > diff --git a/libsepol/cil/include/cil/cil.h b/libsepol/cil/include/cil/cil.h > > index 92fac6e1..482ca522 100644 > > --- a/libsepol/cil/include/cil/cil.h > > +++ b/libsepol/cil/include/cil/cil.h > > @@ -51,6 +51,7 @@ extern int cil_selinuxusers_to_string(cil_db_t *db, char **out, size_t *size); > > extern int cil_filecons_to_string(cil_db_t *db, char **out, size_t *size); > > extern void cil_set_disable_dontaudit(cil_db_t *db, int disable_dontaudit); > > extern void cil_set_multiple_decls(cil_db_t *db, int multiple_decls); > > +extern void cil_set_qualified_names(struct cil_db *db, int qualified_names); > > extern void cil_set_disable_neverallow(cil_db_t *db, int disable_neverallow); > > extern void cil_set_preserve_tunables(cil_db_t *db, int preserve_tunables); > > extern int cil_set_handle_unknown(cil_db_t *db, int handle_unknown); > > diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c > > index 9d5038d9..3f2e6927 100644 > > --- a/libsepol/cil/src/cil.c > > +++ b/libsepol/cil/src/cil.c > > @@ -440,6 +440,7 @@ void cil_db_init(struct cil_db **db) > > (*db)->handle_unknown = -1; > > (*db)->mls = -1; > > (*db)->multiple_decls = CIL_FALSE; > > + (*db)->qualified_names = CIL_FALSE; > > (*db)->target_platform = SEPOL_TARGET_SELINUX; > > (*db)->policy_version = POLICYDB_VERSION_MAX; > > } > > @@ -1872,6 +1873,11 @@ void cil_set_multiple_decls(struct cil_db *db, int multiple_decls) > > db->multiple_decls = multiple_decls; > > } > > > > +void cil_set_qualified_names(struct cil_db *db, int qualified_names) > > +{ > > + db->qualified_names = qualified_names; > > +} > > + > > void cil_set_target_platform(struct cil_db *db, int target_platform) > > { > > db->target_platform = target_platform; > > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c > > index baed3e58..9da90883 100644 > > --- a/libsepol/cil/src/cil_build_ast.c > > +++ b/libsepol/cil/src/cil_build_ast.c > > @@ -146,7 +146,7 @@ int cil_gen_node(struct cil_db *db, struct cil_tree_node *ast_node, struct cil_s > > int rc = SEPOL_ERR; > > symtab_t *symtab = NULL; > > > > - rc = cil_verify_name((const char*)key, nflavor); > > + rc = cil_verify_name(db, (const char*)key, nflavor); > > if (rc != SEPOL_OK) { > > goto exit; > > } > > @@ -204,6 +204,11 @@ int cil_gen_block(struct cil_db *db, struct cil_tree_node *parse_current, struct > > goto exit; > > } > > > > + if (db->qualified_names) { > > + cil_log(CIL_ERR, "Blocks are not allowed when the option for qualified names is used\n"); > > + goto exit; > > + } > > + > > rc = __cil_verify_syntax(parse_current, syntax, syntax_len); > > if (rc != SEPOL_OK) { > > goto exit; > > @@ -274,6 +279,11 @@ int cil_gen_blockinherit(struct cil_db *db, struct cil_tree_node *parse_current, > > goto exit; > > } > > > > + if (db->qualified_names) { > > + cil_log(CIL_ERR, "Block inherit rules are not allowed when the option for qualified names is used\n"); > > + goto exit; > > + } > > + > > rc = __cil_verify_syntax(parse_current, syntax, syntax_len); > > if (rc != SEPOL_OK) { > > goto exit; > > @@ -331,6 +341,11 @@ int cil_gen_blockabstract(struct cil_db *db, struct cil_tree_node *parse_current > > goto exit; > > } > > > > + if (db->qualified_names) { > > + cil_log(CIL_ERR, "Block abstract rules are not allowed when the option for qualified names is used\n"); > > + goto exit; > > + } > > + > > rc = __cil_verify_syntax(parse_current, syntax, syntax_len); > > if (rc != SEPOL_OK) { > > goto exit; > > @@ -376,6 +391,11 @@ int cil_gen_in(struct cil_db *db, struct cil_tree_node *parse_current, struct ci > > goto exit; > > } > > > > + if (db->qualified_names) { > > + cil_log(CIL_ERR, "In-statements are not allowed when the option for qualified names is used\n"); > > + goto exit; > > + } > > + > > rc = __cil_verify_syntax(parse_current, syntax, syntax_len); > > if (rc != SEPOL_OK) { > > goto exit; > > @@ -5261,7 +5281,7 @@ int cil_gen_macro(struct cil_db *db, struct cil_tree_node *parse_current, struct > > > > param->str = current_item->cl_head->next->data; > > > > - rc = cil_verify_name(param->str, param->flavor); > > + rc = cil_verify_name(db, param->str, param->flavor); > > if (rc != SEPOL_OK) { > > cil_destroy_param(param); > > goto exit; > > diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h > > index 8b9aeabf..f184d739 100644 > > --- a/libsepol/cil/src/cil_internal.h > > +++ b/libsepol/cil/src/cil_internal.h > > @@ -321,6 +321,7 @@ struct cil_db { > > int handle_unknown; > > int mls; > > int multiple_decls; > > + int qualified_names; > > int target_platform; > > int policy_version; > > }; > > diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c > > index 5245cc15..27efffa6 100644 > > --- a/libsepol/cil/src/cil_resolve_ast.c > > +++ b/libsepol/cil/src/cil_resolve_ast.c > > @@ -4409,8 +4409,8 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en > > > > *datum = NULL; > > > > - if (strchr(name,'.') == NULL) { > > - /* No '.' in name */ > > + if (db->qualified_names || strchr(name,'.') == NULL) { > > + /* Using qualified names or No '.' in name */ > > rc = __cil_resolve_name_helper(db, ast_node->parent, name, sym_index, datum); > > if (rc != SEPOL_OK) { > > goto exit; > > diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c > > index 59397f70..ce3fcd8c 100644 > > --- a/libsepol/cil/src/cil_verify.c > > +++ b/libsepol/cil/src/cil_verify.c > > @@ -92,7 +92,7 @@ static int __cil_is_reserved_name(const char *name, enum cil_flavor flavor) > > return CIL_FALSE; > > } > > > > -int cil_verify_name(const char *name, enum cil_flavor flavor) > > +int cil_verify_name(const struct cil_db *db, const char *name, enum cil_flavor flavor) > > { > > int rc = SEPOL_ERR; > > int len; > > @@ -116,10 +116,19 @@ int cil_verify_name(const char *name, enum cil_flavor flavor) > > goto exit; > > } > > > > - for (i = 1; i < len; i++) { > > - if (!isalnum(name[i]) && name[i] != '_' && name[i] != '-') { > > - cil_log(CIL_ERR, "Invalid character \"%c\" in %s\n", name[i], name); > > - goto exit; > > + if (db->qualified_names == CIL_FALSE) { > > + for (i = 1; i < len; i++) { > > + if (!isalnum(name[i]) && name[i] != '_' && name[i] != '-') { > > + cil_log(CIL_ERR, "Invalid character \"%c\" in %s\n", name[i], name); > > + goto exit; > > + } > > + } > > + } else { > > + for (i = 1; i < len; i++) { > > + if (!isalnum(name[i]) && name[i] != '_' && name[i] != '-' && name[i] != '.') { > > + cil_log(CIL_ERR, "Invalid character \"%c\" in %s\n", name[i], name); > > + goto exit; > > + } > > } > > } > > > > diff --git a/libsepol/cil/src/cil_verify.h b/libsepol/cil/src/cil_verify.h > > index 4ea14f5b..26e195a9 100644 > > --- a/libsepol/cil/src/cil_verify.h > > +++ b/libsepol/cil/src/cil_verify.h > > @@ -56,7 +56,7 @@ struct cil_args_verify { > > int *pass; > > }; > > > > -int cil_verify_name(const char *name, enum cil_flavor flavor); > > +int cil_verify_name(const struct cil_db *db, const char *name, enum cil_flavor flavor); > > int __cil_verify_syntax(struct cil_tree_node *parse_current, enum cil_syntax s[], int len); > > int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, enum cil_flavor expr_flavor); > > int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_flavor r_flavor, enum cil_flavor op, enum cil_flavor expr_flavor); > > diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in > > index 2e503bd1..0e05d606 100644 > > --- a/libsepol/src/libsepol.map.in > > +++ b/libsepol/src/libsepol.map.in > > @@ -272,4 +272,5 @@ LIBSEPOL_3.0 { > > cil_write_parse_ast; > > cil_write_build_ast; > > cil_write_resolve_ast; > > + cil_set_qualified_names; > > } LIBSEPOL_1.1; > > -- > > 2.31.1 > >