On Fri, Mar 31, 2023 at 1:37 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> * fix minus self formatting in neverallow rules, avoiding `~ - self`
>
> * show neverallow and neverallowxperm rules
>
> * whitespace improvements in output
> - avoid duplicate whitespaces before permission list, since
> sepol_av_to_string() already adds a trailing one
> - avoid duplicate whitespace after wildcard type
> - unify indentation for xperm rules
>
> * drop unused global variables
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> checkpolicy/test/dismod.c | 33 ++++++++++++++++++---------------
> 1 file changed, 18 insertions(+), 15 deletions(-)
>
> diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
> index a2d74d42..ebc1eec3 100644
> --- a/checkpolicy/test/dismod.c
> +++ b/checkpolicy/test/dismod.c
> @@ -54,11 +54,8 @@
> #define DISPLAY_AVBLOCK_FILENAME_TRANS 7
>
> static policydb_t policydb;
> -extern unsigned int ss_initialized;
>
> -int policyvers = MOD_POLICYDB_VERSION_BASE;
> -
> -static const char *symbol_labels[9] = {
> +static const char *const symbol_labels[9] = {
> "commons",
> "classes", "roles ", "types ", "users ", "bools ",
> "levels ", "cats ", "attribs"
> @@ -86,12 +83,12 @@ static void render_access_bitmap(ebitmap_t * map, uint32_t class,
> {
> unsigned int i;
> char *perm;
> - fprintf(fp, "{");
> + fprintf(fp, " {");
> for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) {
> if (ebitmap_get_bit(map, i)) {
> perm = sepol_av_to_string(p, class, UINT32_C(1) << i);
> if (perm)
> - fprintf(fp, " %s", perm);
> + fprintf(fp, "%s", perm);
> }
> }
> fprintf(fp, " }");
> @@ -117,7 +114,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
> unsigned int i, num_types;
>
> if (set->flags & TYPE_STAR) {
> - fprintf(fp, " * ");
> + fprintf(fp, " *");
> return 0;
> } else if (set->flags & TYPE_COMP) {
> fprintf(fp, " ~");
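Review bot: In `render_access_bitmap` (hunk -86,12) a set bit for which `sepol_av_to_string()` returns NULL is dropped silently by the `if (perm)` guard, so the braces can list fewer permissions than the bitmap actually holds. For a tool whose output is read to inspect policy, an explicit fallback such as `else fprintf(fp, " <unknown perm bit %u>", i);` would make the gap visible instead of hiding it. The new `"%s"` format also depends on the returned string carrying its own separator, which deserves a short comment next to the call, e.g. `/* sepol_av_to_string() supplies the separating space */`. The function's signature and closing lines lie outside this hunk.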
> @@ -149,7 +146,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
> }
>
> if (num_types > 1)
> - fprintf(fp, "{");
> + fprintf(fp, " {");
>

This causes a problem with a type set using "~". It gets displayed with a space between the "~" and the "{".

Thanks, Jim

> for (i = ebitmap_startbit(&set->types); i < ebitmap_length(&set->types);
> i++) {
> @@ -170,7 +167,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
> }
>
> if (flags & RULE_NOTSELF) {
> - fprintf(fp, " -self");
> + if (set->flags & TYPE_COMP)
> + fprintf(fp, " self");
> + else
> + fprintf(fp, " -self");
> }
>
> if (num_types > 1)
> @@ -234,6 +234,9 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy,
> if (avrule->specified & AVRULE_DONTAUDIT) {
> fprintf(fp, " dontaudit");
> }
> + if (avrule->specified & AVRULE_NEVERALLOW) {
> + fprintf(fp, " neverallow");
> + }
> } else if (avrule->specified & AVRULE_TYPE) {
> if (avrule->specified & AVRULE_TRANSITION) {
> fprintf(fp, " type_transition");
> @@ -244,15 +247,15 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy,
> if (avrule->specified & AVRULE_CHANGE) {
> fprintf(fp, " type_change");
> }
> - } else if (avrule->specified & AVRULE_NEVERALLOW) {
> - fprintf(fp, " neverallow");
> } else if (avrule->specified & AVRULE_XPERMS) {
> if (avrule->specified & AVRULE_XPERMS_ALLOWED)
> - fprintf(fp, "allowxperm ");
> + fprintf(fp, " allowxperm");
> else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW)
> - fprintf(fp, "auditallowxperm ");
> + fprintf(fp, " auditallowxperm");
> else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT)
> - fprintf(fp, "dontauditxperm ");
> + fprintf(fp, " dontauditxperm");
> + else if (avrule->specified & AVRULE_XPERMS_NEVERALLOW)
> + fprintf(fp, " neverallowxperm");
> } else {
> fprintf(fp, " ERROR: no valid rule type specified\n");
> return -1;
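Review bot: The `RULE_NOTSELF` block in `display_type_set` (hunk -170,7) is never reached for a wildcard set, because the `TYPE_STAR` branch shown in the -117,7 hunk does `return 0` first. If a rule can combine `*` with a self exclusion (not visible from these hunks, so worth confirming against the parser), the exclusion would be missing from the output and a neverallow would read as broader than it is. Separately, the new `TYPE_COMP` test needs a why-comment, for example `/* "~" was already printed for the complemented set; emit plain "self" to avoid "~ -self" */`. The function starts and ends outside both hunks.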
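Review bot: The `else if` chain under `AVRULE_XPERMS` in `display_avrule` (hunk -244,15) still ends without a fallback, so a rule whose `specified` bits match the group mask but none of the listed flags is printed with no keyword at all. Judging by the commit description, that is how neverallow and neverallowxperm rules went undisplayed until now. A closing `else { fprintf(fp, " ERROR: unknown xperm rule type\n"); return -1; }` would surface the next unhandled kind instead of hiding it. The independent `if`s of the `AVRULE_AV` branch in the -234,6 hunk would need an equivalent "nothing matched" check. The function begins and ends outside these hunks.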
> @@ -560,7 +563,7 @@ static int display_scope_index(scope_index_t * indices, policydb_t * p,
> p, out_fp);
> } else {
> fprintf(out_fp,
> - "<no perms known>");
> + " <no perms known>");
> }
> }
> }
> --
> 2.40.0
>