Re: [RFC PATCH v2 1/4] libsepol: add sepol_av_perm_to_string

On Tue, Feb 22, 2022 at 9:05 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Add a wrapper around the utility function sepol_av_to_string() on the
> service internal policy.  This allows callers to convert a permission
> bit set into a string representation without access to the internal
> policy structure.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

After thinking about it, I am ok with this series. All of the
functions that are being exported are used by checkpolicy or audit2why
and are from services.c.

So for these four patches:
Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  libsepol/include/sepol/policydb/services.h | 9 +++++++++
>  libsepol/src/services.c                    | 6 ++++++
>  2 files changed, 15 insertions(+)
>
> diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h
> index 048f8a5a..44de3863 100644
> --- a/libsepol/include/sepol/policydb/services.h
> +++ b/libsepol/include/sepol/policydb/services.h
> @@ -103,6 +103,15 @@ extern int sepol_string_to_av_perm(sepol_security_class_t tclass,
>                                         const char *perm_name,
>                                         sepol_access_vector_t *av);
>
> +/*
> + * Return a string representation of the permission av bit associated with
> + * tclass.
> + * Returns a pointer to an internal buffer, overridden by the next call to
> + * this function or sepol_av_to_string().
> + */
> + extern const char *sepol_av_perm_to_string(sepol_security_class_t tclass,
> +                                       sepol_access_vector_t av);
> +
>  /*
>   * Compute a SID to use for labeling a new object in the
>   * class `tclass' based on a SID pair.
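
Review bot: The comment above sepol_av_perm_to_string() speaks of "the permission av bit" (singular), while the commit message describes converting a permission bit set; the comment should say whether av may carry several bits and what the resulting string looks like in that case. It should also state what is returned when tclass is unknown or a bit has no name. Since the result points into an internal buffer shared with sepol_av_to_string(), it is worth spelling out that the caller must not free it and must copy the string before the next call to either function, which also makes the function unsuitable for concurrent use without external locking.
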
> diff --git a/libsepol/src/services.c b/libsepol/src/services.c
> index 7becfd1b..b2fb804e 100644
> --- a/libsepol/src/services.c
> +++ b/libsepol/src/services.c
> @@ -1233,6 +1233,12 @@ out:
>         return STATUS_ERR;
>  }
>
> + const char *sepol_av_perm_to_string(sepol_security_class_t tclass,
> +                                       sepol_access_vector_t av)
> +{
> +       return sepol_av_to_string(policydb, tclass, av);
> +}
> +
>  /*
>   * Write the security context string representation of
>   * the context associated with `sid' into a dynamically
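
Review bot: In sepol_av_perm_to_string(), `policydb` is not a parameter, so `return sepol_av_to_string(policydb, tclass, av);` depends on file-scope state in services.c that this wrapper does not check. Either document in the header that a policy must already be set before the function is called, or test the pointer here and return NULL when no policy is available, so an exported entry point does not pass an unset policy to the internal helper.
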
> --
> 2.35.1
>



