Re: [RFC PATCH v4 6/6] libsepol: update CIL generation for trivial not-self rules

On Fri, Nov 25, 2022 at 10:51 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Convert trivial not-self neverallow rules to CIL, e.g.
>
>     neverallow TYPE1 ~self:CLASS1 PERM1;
>
> into
>
>     (neverallow TYPE1 notself (CLASS1 (PERM1)))
>
> More complex targets are not yet supported in CIL and will fail to
> convert, e.g.:
>
>     neverallow TYPE1 ~{ self ATTR1 } : CLASS1 PERM1;
>     neverallow TYPE2 { ATTR2 -self } : CLASS2 PERM2;
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

I know what is needed to translate these rules to CIL, but it is going
to require some reworking of how attributes are handled, so I think
that it is better to take this patch for now.

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  libsepol/src/module_to_cil.c | 30 ++++++++++++++++++++++++++----
>  1 file changed, 26 insertions(+), 4 deletions(-)
>
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index b900290a..2d5d1d6d 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -1201,10 +1201,23 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
>                         goto exit;
>                 }
>
> -               ts = &avrule->ttypes;
> -               rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames);
> -               if (rc != 0) {
> -                       goto exit;
> +               if (avrule->flags & RULE_NOTSELF) {
> +                       if (!ebitmap_is_empty(&avrule->ttypes.types) || !ebitmap_is_empty(&avrule->ttypes.negset)) {
> +                               if (avrule->source_filename) {
> +                                       log_err("%s:%lu: Non-trivial neverallow rules with targets containing not or minus self not yet supported",
> +                                               avrule->source_filename, avrule->source_line);
> +                               } else {
> +                                       log_err("Non-trivial neverallow rules with targets containing not or minus self not yet supported");
> +                               }
> +                               rc = -1;
> +                               goto exit;
> +                       }
> +               } else {
> +                       ts = &avrule->ttypes;
> +                       rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames);
> +                       if (rc != 0) {
> +                               goto exit;
> +                       }
>                 }
>
>                 for (s = 0; s < num_snames; s++) {
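Review bot: The two log_err() calls in the RULE_NOTSELF branch carry the same long message text with only the "%s:%lu: " location prefix differing, which is easy to let drift apart on a later wording change; consider a single message string reused by both calls (or one call whose location part is conditional). Also, since this branch skips process_typeset(), tnames/num_tnames stay at whatever they were initialised to, so the cleanup at exit must tolerate an unset tnames; worth double-checking that the initialisation at the top of the function covers that path.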
> @@ -1228,6 +1241,15 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
>                                 if (rc != 0) {
>                                         goto exit;
>                                 }
> +                       } else if (avrule->flags & RULE_NOTSELF) {
> +                               if (avrule->specified & AVRULE_XPERMS) {
> +                                       rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms, avrule->xperms);
> +                               } else {
> +                                       rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms);
> +                               }
> +                               if (rc != 0) {
> +                                       goto exit;
> +                               }
>                         }
>                 }
>
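Review bot: This else-if branch emits the literal "notself" target for any avrule carrying RULE_NOTSELF without checking avrule->specified, while the error message in the earlier hunk talks only about neverallow rules; either restrict (or assert) that the rule is a neverallow/xperms-neverallow here, or word the message generically so the two hunks agree on what is accepted. The branch also silently prefers the preceding self case if a rule ever had both RULE_SELF and RULE_NOTSELF set; a short comment stating that the flags are mutually exclusive would help the next reader. A small policy in the test suite covering both the converted trivial case and the rejected non-trivial cases from the commit message would round this off.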
> --
> 2.38.1
>
