Re: [PATCH 0/9 v4] Add CIL Deny Rule

James Carter <jwcart2@xxxxxxxxx> writes:

> This patch series depends on the "Add support for notself and other to
> CIL" patch series from August 9th
>
> These patches add a deny rule to CIL. Deny rules will be processed after
> everything except for neverallow rules. Unlike neverallow rules, they
> remove the permissions in the deny rule rather than reporting an error.
>
> See the individual patches for an explanation of what they do.
>
> Patches 1-8 are unchanged from v3, see:
> https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@xxxxxxxxx/
>
> Previously, patch 9, as Daniel Burgener noted, did not do what it said it
> was going to do. Now it does.

I've pushed all 16 into
https://github.com/bachradsusi/SELinuxProject-selinux/commits/notself-other-deny
and I'm building it in my COPR repo -
https://copr.fedorainfracloud.org/coprs/plautrba/selinux-patchwork/builds/

I've already run some tests and it looks good.

For all 16 patches - together with the notself and other series:

Acked-by: Petr Lautrbach <lautrbach@xxxxxxxxxx>

Thanks!



> James Carter (9):
>   libsepol/cil: Parse and add deny rule to AST, but do not process
>   libsepol/cil: Add cil_list_is_empty macro
>   libsepol/cil: Add cil_tree_node_remove function
>   libsepol/cil: Process deny rules
>   libsepol/cil: Add cil_write_post_ast function
>   libsepol: Export the cil_write_post_ast function
>   secilc/secil2tree: Add option to write CIL AST after post processing
>   secilc/test: Add deny rule tests
>   secilc/docs: Add deny rule to CIL documentation
>
>  libsepol/cil/include/cil/cil.h         |    1 +
>  libsepol/cil/src/cil.c                 |   68 ++
>  libsepol/cil/src/cil_build_ast.c       |   56 +
>  libsepol/cil/src/cil_build_ast.h       |    2 +
>  libsepol/cil/src/cil_copy_ast.c        |   19 +
>  libsepol/cil/src/cil_copy_ast.h        |    1 +
>  libsepol/cil/src/cil_deny.c            | 1413 ++++++++++++++++++++++++
>  libsepol/cil/src/cil_deny.h            |   36 +
>  libsepol/cil/src/cil_flavor.h          |    1 +
>  libsepol/cil/src/cil_internal.h        |   10 +
>  libsepol/cil/src/cil_list.h            |    3 +
>  libsepol/cil/src/cil_post.c            |    7 +
>  libsepol/cil/src/cil_reset_ast.c       |    8 +
>  libsepol/cil/src/cil_resolve_ast.c     |   48 +
>  libsepol/cil/src/cil_resolve_ast.h     |    1 +
>  libsepol/cil/src/cil_tree.c            |   35 +
>  libsepol/cil/src/cil_tree.h            |    1 +
>  libsepol/cil/src/cil_verify.c          |    9 +
>  libsepol/cil/src/cil_write_ast.c       |   10 +
>  libsepol/cil/src/cil_write_ast.h       |    1 +
>  libsepol/src/libsepol.map.in           |    5 +
>  secilc/docs/cil_access_vector_rules.md |   41 +-
>  secilc/secil2tree.c                    |    8 +-
>  secilc/test/deny_rule_test1.cil        |  580 ++++++++++
>  secilc/test/deny_rule_test2.cil        |  418 +++++++
>  25 files changed, 2780 insertions(+), 2 deletions(-)
>  create mode 100644 libsepol/cil/src/cil_deny.c
>  create mode 100644 libsepol/cil/src/cil_deny.h
>  create mode 100644 secilc/test/deny_rule_test1.cil
>  create mode 100644 secilc/test/deny_rule_test2.cil
>
> -- 
> 2.41.0
