Re: [PATCH userspace v3 2/2] libsepol,checkpolicy: add support for self keyword in type transitions

On Wed, May 11, 2022 at 4:39 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Tue, May 10, 2022 at 7:39 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > With the addition of the anon_inode class in the kernel, 'self'
> > transition rules became useful, but haven't been implemented.
> >
> > The typetransition, typemember, and typechange statements share the
> > relevant code, so this patch implements the self keyword in all of them
> > at the TE language level and adds the support to the module policydb
> > format. Note that changing the kernel policydb format is not necessary
> > at all, as type transitions are always expanded in the kernel policydb.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> >  checkpolicy/policy_define.c                | 42 ++++++++++++-
> >  libsepol/include/sepol/policydb/policydb.h |  4 +-
> >  libsepol/src/expand.c                      | 69 ++++++++++++++--------
> >  libsepol/src/link.c                        |  1 +
> >  libsepol/src/module_to_cil.c               | 30 ++++++----
> >  libsepol/src/policydb.c                    | 33 +++++++++--
> >  libsepol/src/policydb_validate.c           |  4 ++
> >  libsepol/src/write.c                       | 32 ++++++++--
> >  8 files changed, 166 insertions(+), 49 deletions(-)
> >
[...]
> > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> > index 156a74a2..0e211c93 100644
> > --- a/libsepol/src/module_to_cil.c
> > +++ b/libsepol/src/module_to_cil.c
> > @@ -1608,20 +1608,30 @@ static int filename_trans_to_cil(int indent, struct policydb *pdb, struct filena
> >                         goto exit;
> >                 }
> >
> > -               ts = &rule->ttypes;
> > -               rc = process_typeset(pdb, ts, attr_list, &ttypes, &num_ttypes);
> > -               if (rc != 0) {
> > -                       goto exit;
> > -               }
> > -
> > -               for (stype = 0; stype < num_stypes; stype++) {
> > -                       for (ttype = 0; ttype < num_ttypes; ttype++) {
> > -                               cil_println(indent, "(typetransition %s %s %s \"%s\" %s)",
> > -                                           stypes[stype], ttypes[ttype],
> > +               if (rule->flags & RULE_SELF) {
> > +                       for (stype = 0; stype < num_stypes; stype++) {
> > +                               cil_println(indent, "(typetransition %s self %s \"%s\" %s)",
> > +                                           stypes[stype],
> >                                             pdb->p_class_val_to_name[rule->tclass - 1],
> >                                             rule->name,
> >                                             pdb->p_type_val_to_name[rule->otype - 1]);
> >                         }
> > +               } else {
> > +                       ts = &rule->ttypes;
> > +                       rc = process_typeset(pdb, ts, attr_list, &ttypes, &num_ttypes);
> > +                       if (rc != 0) {
> > +                               goto exit;
> > +                       }
> > +
> > +                       for (stype = 0; stype < num_stypes; stype++) {
> > +                               for (ttype = 0; ttype < num_ttypes; ttype++) {
> > +                                       cil_println(indent, "(typetransition %s %s %s \"%s\" %s)",
> > +                                                   stypes[stype], ttypes[ttype],
> > +                                                   pdb->p_class_val_to_name[rule->tclass - 1],
> > +                                                   rule->name,
> > +                                                   pdb->p_type_val_to_name[rule->otype - 1]);
> > +                               }
> > +                       }
>
> Sorry, I missed this in the last version. This shouldn't be in an
> else, it needs to always be done to handle rules like "type_transition
> t1 { t2 attr1 self }:file t3 "file1";". No one really writes rules
> like that, but they are valid.

Indeed... I'll fix that and also add this form of rules into the test.

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.



