With the addition of the anon_inode class in the kernel, 'self' transition
rules became useful, but haven't been implemented. This series implements
the self keyword support in the CIL & TE languages and the module policydb
format. The kernel policydb format doesn't need any changes, as type
transitions are always expanded in the kernel policydb. Since type_change
and type_member rules are handled by the same common code, these are
extended with self keyword support as well.

The patches have been tested using the following WIP beakerlib/tmt test:
https://src.fedoraproject.org/fork/omos/tests/selinux/blob/self-in-tt/f/libsepol/self-keyword-in-type-transitions

Changes in v3:
- update commit messages and cover letter to state that other type rules
  also gain self keyword support with these patches (James Carter)
- error out in case a policy module containing the newly supported rules
  is downgraded to an earlier module policy version (James Carter)

Changes in v2:
- validate the flags member of filename_trans_rule_t in policy_validate.c
  (Christian Göttsche)
- add missing error check in filename_trans_rule_write()
  (Christian Göttsche)

Ondrej Mosnacek (2):
  libsepol/cil: add support for self keyword in type transitions
  libsepol,checkpolicy: add support for self keyword in type transitions

 checkpolicy/policy_define.c                |  42 +++++-
 libsepol/cil/src/cil_binary.c              | 168 +++++++++++++++------
 libsepol/cil/src/cil_resolve_ast.c         |  25 ++-
 libsepol/include/sepol/policydb/policydb.h |   4 +-
 libsepol/src/expand.c                      |  69 ++++++--
 libsepol/src/link.c                        |   1 +
 libsepol/src/module_to_cil.c               |  30 ++--
 libsepol/src/policydb.c                    |  33 +++-
 libsepol/src/policydb_validate.c           |   4 +
 libsepol/src/write.c                       |  32 +++-
 secilc/test/policy.cil                     |   7 +
 11 files changed, 315 insertions(+), 100 deletions(-)

--
2.35.3
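As an added illustration (not part of the patch series or its tests) of the kind of rule this series teaches checkpolicy and libsepol to accept, the TE fragment below writes one type_transition with a self target and shows the per-type rules it expands to in the kernel policydb, which is why the kernel format needs no change. The attribute, type and object names are assumptions chosen for the example, and the allow rules that would let the transition actually occur are omitted.

```te
# Added example, not from the patch series. All names are assumptions.
attribute io_domain;
type foo_t, io_domain;
type bar_t, io_domain;
type io_anon_t;

# With self, the target of the transition is the subject's own type.
# One rule covers every member of io_domain; anon inodes named
# "[io_uring]" created by a process of that type are labelled io_anon_t.
type_transition io_domain self:anon_inode io_anon_t "[io_uring]";

# Equivalent expanded rules as they would appear in the kernel policydb:
# only the (foo_t, foo_t) and (bar_t, bar_t) pairs are produced.
#   type_transition foo_t foo_t:anon_inode io_anon_t "[io_uring]";
#   type_transition bar_t bar_t:anon_inode io_anon_t "[io_uring]";

# Contrast: naming the attribute as the target would also expand to the
# cross pairs (foo_t, bar_t) and (bar_t, foo_t), which self does not.
#   type_transition io_domain io_domain:anon_inode io_anon_t "[io_uring]";

# The same keyword is accepted by the rules sharing the common code path:
type_change io_domain self:anon_inode io_anon_t;
type_member io_domain self:anon_inode io_anon_t;
```

A module policy containing these rules requires the newer module policydb version the series introduces; writing it out at an older version is rejected rather than silently dropping the self flag.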