On Wed, Mar 1, 2023 at 9:35 AM James Carter <jwcart2@xxxxxxxxx> wrote: > > On Fri, Nov 25, 2022 at 10:51 AM Christian Göttsche > <cgzones@xxxxxxxxxxxxxx> wrote: > > > > Convert trivial not-self neverallow rules to CIL, e.g. > > > > neverallow TYPE1 ~self:CLASS1 PERM1; > > > > into > > > > (neverallow TYPE1 notself (CLASS1 (PERM1))) > > > > More complex targets are not yet supported in CIL and will fail to > > convert, e.g.: > > > > neverallow TYPE1 ~{ self ATTR1 } : CLASS1 PERM1; > > neverallow TYPE2 { ATTR2 -self } : CLASS2 PERM2; > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > I know what is needed to translate these rules to CIL, but it is going > to require some reworking of how attributes are handled, so I think > that it is better to take this patch for now. > > Acked-by: James Carter <jwcart2@xxxxxxxxx> > This one needs to wait until my CIL notself patch is merged. Jim > > --- > > libsepol/src/module_to_cil.c | 30 ++++++++++++++++++++++++++---- > > 1 file changed, 26 insertions(+), 4 deletions(-) > > > > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c > > index b900290a..2d5d1d6d 100644 > > --- a/libsepol/src/module_to_cil.c > > +++ b/libsepol/src/module_to_cil.c 
> > @@ -1201,10 +1201,23 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a > > goto exit; > > } > > > > - ts = &avrule->ttypes; > > - rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); > > - if (rc != 0) { > > - goto exit; > > + if (avrule->flags & RULE_NOTSELF) { > > + if (!ebitmap_is_empty(&avrule->ttypes.types) || !ebitmap_is_empty(&avrule->ttypes.negset)) { > > + if (avrule->source_filename) { > > + log_err("%s:%lu: Non-trivial neverallow rules with targets containing not or minus self not yet supported", > > + avrule->source_filename, avrule->source_line); > > + } else { > > + log_err("Non-trivial neverallow rules with targets containing not or minus self not yet supported"); > > + } > > + rc = -1; > > + goto exit; > > + } > > + } else { > > + ts = &avrule->ttypes; > > + rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); > > + if (rc != 0) { > > + goto exit; > > + } > > } > > > > for (s = 0; s < num_snames; s++) { > > @@ -1228,6 +1241,15 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a > > if (rc != 0) { > > goto exit; > > } > > + } else if (avrule->flags & RULE_NOTSELF) { > > + if (avrule->specified & AVRULE_XPERMS) { > > + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms, avrule->xperms); > > + } else { > > + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms); > > + } > > + if (rc != 0) { > > + goto exit; > > + } > > } > > } > > > > -- > > 2.38.1 > >
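Review bot: In the first hunk (the new `if (avrule->flags & RULE_NOTSELF)` block before the `for (s = 0; s < num_snames; s++)` loop), the NOTSELF path deliberately skips `process_typeset`, so `tnames`/`num_tnames` keep their initial values for the rest of the function; this is only correct because the loop over target names never iterates when `num_tnames` is zero and because the second hunk adds a dedicated `else if (avrule->flags & RULE_NOTSELF)` branch. A one-line comment at that point saying that the notself case intentionally leaves the target name list empty would make the dependency between the two hunks visible to the next reader. The two `log_err` calls also repeat the same message text; keeping the message in one string and only varying the `"%s:%lu: "` prefix would avoid the two copies drifting apart.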
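Review bot: In the second hunk, the `else if (avrule->flags & RULE_NOTSELF)` branch emits the target as the literal string `"notself"`, which is only a valid CIL keyword once the pending CIL notself support mentioned in the reply is merged; until then the generated CIL would not compile, so the commit message or a comment at that `else if` should record the libsepol dependency. The `avrulex_to_cil`/`avrule_to_cil` dispatch on `AVRULE_XPERMS` duplicates the pattern used for named targets in the preceding branch; if the existing branch is a loop over `tnames`, factoring the dispatch into a small helper taking the target string would keep both paths identical.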