Re: [PATCH 0/9 v3] Add CIL Deny Rule

On 4/13/2023 3:34 PM, James Carter wrote:
This patch series depends on the "Add support for notself and other to
CIL" patch series from April 12th.

These patches add a deny rule to CIL. Deny rules will be processed after
everything except for neverallow rules. Unlike neverallow rules, they
remove the permissions in the deny rule rather than reporting an error.

See the individual patches for an explanation of what they do.

Patches 2, 5, 6, and 7 are unchanged from v2. For the other patches, see
the patch for a list of the changes from v2.

James Carter (9):
   libsepol/cil: Parse and add deny rule to AST, but do not process
   libsepol/cil: Add cil_list_is_empty macro
   libsepol/cil: Add cil_tree_node_remove function
   libsepol/cil: Process deny rules
   libsepol/cil: Add cil_write_post_ast function
   libsepol: Export the cil_write_post_ast function
   secilc/secil2tree: Add option to write CIL AST after post processing
   secilc/test: Add deny rule tests
   secilc/docs: Add deny rule to CIL documentation

  libsepol/cil/include/cil/cil.h         |    1 +
  libsepol/cil/src/cil.c                 |   68 ++
  libsepol/cil/src/cil_build_ast.c       |   56 +
  libsepol/cil/src/cil_build_ast.h       |    2 +
  libsepol/cil/src/cil_copy_ast.c        |   19 +
  libsepol/cil/src/cil_copy_ast.h        |    1 +
  libsepol/cil/src/cil_deny.c            | 1413 ++++++++++++++++++++++++
  libsepol/cil/src/cil_deny.h            |   36 +
  libsepol/cil/src/cil_flavor.h          |    1 +
  libsepol/cil/src/cil_internal.h        |   10 +
  libsepol/cil/src/cil_list.h            |    3 +
  libsepol/cil/src/cil_post.c            |    7 +
  libsepol/cil/src/cil_reset_ast.c       |    8 +
  libsepol/cil/src/cil_resolve_ast.c     |   48 +
  libsepol/cil/src/cil_resolve_ast.h     |    1 +
  libsepol/cil/src/cil_tree.c            |   35 +
  libsepol/cil/src/cil_tree.h            |    1 +
  libsepol/cil/src/cil_verify.c          |    9 +
  libsepol/cil/src/cil_write_ast.c       |   10 +
  libsepol/cil/src/cil_write_ast.h       |    1 +
  libsepol/src/libsepol.map.in           |    5 +
  secilc/docs/cil_access_vector_rules.md |   67 ++
  secilc/secil2tree.c                    |    8 +-
  secilc/test/deny_rule_test1.cil        |  580 ++++++++++
  secilc/test/deny_rule_test2.cil        |  418 +++++++
  25 files changed, 2807 insertions(+), 1 deletion(-)
  create mode 100644 libsepol/cil/src/cil_deny.c
  create mode 100644 libsepol/cil/src/cil_deny.h
  create mode 100644 secilc/test/deny_rule_test1.cil
  create mode 100644 secilc/test/deny_rule_test2.cil

For patches 1-8:

Reviewed-by: Daniel Burgener <dburgener@xxxxxxxxxxxxxxxxxxx>
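The cover letter states the two properties that distinguish a deny rule from a neverallow rule: it runs after all other rules have been resolved but before neverallow checking, and it removes permissions instead of failing the build. The CIL policy below is an added example, not part of this thread or of the series' own test files (secilc/test/deny_rule_test1.cil and deny_rule_test2.cil). It assumes the rule syntax `(deny source target (class (perm ...)))`; the type names app_t, data_t, secret_t and the attribute domain are made up for illustration, and the kernel_t/system_u boilerplate is only there so the file compiles on its own.

```cil
; Added example policy, not from the thread or the secilc test files.
; Assumes the deny rule syntax (deny source target (class (perm ...))).
; The first block is minimal boilerplate so secilc accepts the file.
(sid kernel)
(sidorder (kernel))
(user system_u)
(role object_r)
(type kernel_t)
(userrole system_u object_r)
(roletype object_r kernel_t)
(sensitivity s0)
(sensitivityorder (s0))
(level low (s0))
(levelrange lowlow (low low))
(userlevel system_u low)
(userrange system_u lowlow)
(class file (read write getattr open))
(classorder (file))
(context kernel_context (system_u object_r kernel_t lowlow))
(sidcontext kernel kernel_context)

; Hypothetical types: one application domain and two file types.
(type app_t)
(type data_t)
(type secret_t)
(typeattribute domain)
(typeattributeset domain (app_t))

; Broad access granted through the attribute.
(allow domain data_t (file (read write getattr open)))
(allow domain secret_t (file (read getattr open)))

; Processed after every other rule has been resolved: strips read
; from the allow rule granting domain access to secret_t, so what
; remains is (file (getattr open)).  No error is reported.
(deny domain secret_t (file (read)))

; Checked last, so it sees the policy after the deny was applied and
; passes.  Remove the deny rule above and this neverallow makes the
; build fail instead; that is the difference between the two rules.
(neverallow domain secret_t (file (read)))
```

Compiling this with secilc succeeds only while the deny rule is present. The secil2tree option added in patch 7 writes the CIL AST after post processing, which is a convenient way to confirm that the allow rule for secret_t was actually reduced rather than left for the neverallow to reject.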



