[PATCH 0/9 v4] Add CIL Deny Rule

James Carter <jwcart2@xxxxxxxxx> · Wed, 9 Aug 2023 17:01:48 -0400

This patch series depends on the "Add support for notself and other to
CIL" patch series from August 9th

These patches add a deny rule to CIL. Deny rules will be processed after
everything except for neverallow rules. Unlike neverallow rules, they
remove the permissions in the deny rule rather than reporting an error.

See the individual patches for an explanation of what they do.

Patches 1-8 are unchanged from v3, see:
https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@xxxxxxxxx/

Previously, patch 9, as Daniel Burgener noted, did not do what it said it
was going to do. Now it does.

James Carter (9):
  libsepol/cil: Parse and add deny rule to AST, but do not process
  libsepol/cil: Add cil_list_is_empty macro
  libsepol/cil: Add cil_tree_node_remove function
  libsepol/cil: Process deny rules
  libsepol/cil: Add cil_write_post_ast function
  libsepol: Export the cil_write_post_ast function
  secilc/secil2tree: Add option to write CIL AST after post processing
  secilc/test: Add deny rule tests
  secilc/docs: Add deny rule to CIL documentation

 libsepol/cil/include/cil/cil.h         |    1 +
 libsepol/cil/src/cil.c                 |   68 ++
 libsepol/cil/src/cil_build_ast.c       |   56 +
 libsepol/cil/src/cil_build_ast.h       |    2 +
 libsepol/cil/src/cil_copy_ast.c        |   19 +
 libsepol/cil/src/cil_copy_ast.h        |    1 +
 libsepol/cil/src/cil_deny.c            | 1413 ++++++++++++++++++++++++
 libsepol/cil/src/cil_deny.h            |   36 +
 libsepol/cil/src/cil_flavor.h          |    1 +
 libsepol/cil/src/cil_internal.h        |   10 +
 libsepol/cil/src/cil_list.h            |    3 +
 libsepol/cil/src/cil_post.c            |    7 +
 libsepol/cil/src/cil_reset_ast.c       |    8 +
 libsepol/cil/src/cil_resolve_ast.c     |   48 +
 libsepol/cil/src/cil_resolve_ast.h     |    1 +
 libsepol/cil/src/cil_tree.c            |   35 +
 libsepol/cil/src/cil_tree.h            |    1 +
 libsepol/cil/src/cil_verify.c          |    9 +
 libsepol/cil/src/cil_write_ast.c       |   10 +
 libsepol/cil/src/cil_write_ast.h       |    1 +
 libsepol/src/libsepol.map.in           |    5 +
 secilc/docs/cil_access_vector_rules.md |   41 +-
 secilc/secil2tree.c                    |    8 +-
 secilc/test/deny_rule_test1.cil        |  580 ++++++++++
 secilc/test/deny_rule_test2.cil        |  418 +++++++
 25 files changed, 2780 insertions(+), 2 deletions(-)
 create mode 100644 libsepol/cil/src/cil_deny.c
 create mode 100644 libsepol/cil/src/cil_deny.h
 create mode 100644 secilc/test/deny_rule_test1.cil
 create mode 100644 secilc/test/deny_rule_test2.cil

-- 
2.41.0