Re: [PATCH 3/3] checkpolicy/dismod: misc improvements

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Mar 31, 2023 at 1:37 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> * fix minus self formatting in neverallow rules, avoiding `~ - self`
>
> * show neverallow and neverallowxperm rules
>
> * whitespace improvements in output
>   - avoid duplicate whitespaces before permission list, since
>     sepol_av_to_string() already adds a trailing one
>   - avoid duplicate whitespace after wildcard type
>   - unify indentation for xperm rules
>
> * drop unused global variables
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
>  checkpolicy/test/dismod.c | 33 ++++++++++++++++++---------------
>  1 file changed, 18 insertions(+), 15 deletions(-)
>
> diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
> index a2d74d42..ebc1eec3 100644
> --- a/checkpolicy/test/dismod.c
> +++ b/checkpolicy/test/dismod.c
> @@ -54,11 +54,8 @@
>  #define DISPLAY_AVBLOCK_FILENAME_TRANS 7
>
>  static policydb_t policydb;
> -extern unsigned int ss_initialized;
>
> -int policyvers = MOD_POLICYDB_VERSION_BASE;
> -
> -static const char *symbol_labels[9] = {
> +static const char *const symbol_labels[9] = {
>         "commons",
>         "classes", "roles  ", "types  ", "users  ", "bools  ",
>         "levels ", "cats   ", "attribs"
> @@ -86,12 +83,12 @@ static void render_access_bitmap(ebitmap_t * map, uint32_t class,
>  {
>         unsigned int i;
>         char *perm;
> -       fprintf(fp, "{");
> +       fprintf(fp, " {");
>         for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) {
>                 if (ebitmap_get_bit(map, i)) {
>                         perm = sepol_av_to_string(p, class, UINT32_C(1) << i);
>                         if (perm)
> -                               fprintf(fp, " %s", perm);
> +                               fprintf(fp, "%s", perm);
>                 }
>         }
>         fprintf(fp, " }");
> @@ -117,7 +114,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
>         unsigned int i, num_types;
>
>         if (set->flags & TYPE_STAR) {
> -               fprintf(fp, " * ");
> +               fprintf(fp, " *");
>                 return 0;
>         } else if (set->flags & TYPE_COMP) {
>                 fprintf(fp, " ~");
> @@ -149,7 +146,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
>         }
>
>         if (num_types > 1)
> -               fprintf(fp, "{");
> +               fprintf(fp, " {");
>

This causes a problem with a type set using "~". It gets displayed
with a space between the "~" and the "{".

Thanks,
Jim


>         for (i = ebitmap_startbit(&set->types); i < ebitmap_length(&set->types);
>              i++) {
> @@ -170,7 +167,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
>         }
>
>         if (flags & RULE_NOTSELF) {
> -               fprintf(fp, " -self");
> +               if (set->flags & TYPE_COMP)
> +                       fprintf(fp, " self");
> +               else
> +                       fprintf(fp, " -self");
>         }
>
>         if (num_types > 1)
> @@ -234,6 +234,9 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy,
>                 if (avrule->specified & AVRULE_DONTAUDIT) {
>                         fprintf(fp, "  dontaudit");
>                 }
> +               if (avrule->specified & AVRULE_NEVERALLOW) {
> +                       fprintf(fp, "  neverallow");
> +               }
>         } else if (avrule->specified & AVRULE_TYPE) {
>                 if (avrule->specified & AVRULE_TRANSITION) {
>                         fprintf(fp, "  type_transition");
> @@ -244,15 +247,15 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy,
>                 if (avrule->specified & AVRULE_CHANGE) {
>                         fprintf(fp, "  type_change");
>                 }
> -       } else if (avrule->specified & AVRULE_NEVERALLOW) {
> -               fprintf(fp, "  neverallow");
>         } else if (avrule->specified & AVRULE_XPERMS) {
>                 if (avrule->specified & AVRULE_XPERMS_ALLOWED)
> -                       fprintf(fp, "allowxperm ");
> +                       fprintf(fp, "  allowxperm");
>                 else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW)
> -                       fprintf(fp, "auditallowxperm ");
> +                       fprintf(fp, "  auditallowxperm");
>                 else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT)
> -                       fprintf(fp, "dontauditxperm ");
> +                       fprintf(fp, "  dontauditxperm");
> +               else if (avrule->specified & AVRULE_XPERMS_NEVERALLOW)
> +                       fprintf(fp, "  neverallowxperm");
>         } else {
>                 fprintf(fp, "     ERROR: no valid rule type specified\n");
>                 return -1;
> @@ -560,7 +563,7 @@ static int display_scope_index(scope_index_t * indices, policydb_t * p,
>                                                                      p, out_fp);
>                                         } else {
>                                                 fprintf(out_fp,
> -                                                       "<no perms known>");
> +                                                       " <no perms known>");
>                                         }
>                                 }
>                         }
> --
> 2.40.0
>




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux