Re: [PATCH 0/9 v4] Add CIL Deny Rule

On Tue, Aug 15, 2023 at 11:09 AM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
>
> James Carter <jwcart2@xxxxxxxxx> writes:
>
> > This patch series depends on the "Add support for notself and other to
> > CIL" patch series from August 9th
> >
> > These patches add a deny rule to CIL. Deny rules will be processed after
> > everything except for neverallow rules. Unlike neverallow rules, they
> > remove the permissions in the deny rule rather than reporting an error.
> >
> > See the individual patches for an explanation of what they do.
> >
> > Patches 1-8 are unchanged from v3, see:
> > https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@xxxxxxxxx/
> >
> > Previously, patch 9, as Daniel Burgener noted, did not do what it said it
> > was going to do. Now it does.
>
> I've pushed all 16 into
> https://github.com/bachradsusi/SELinuxProject-selinux/commits/notself-other-deny
> and I'm building it in my COPR repo -
> https://copr.fedorainfracloud.org/coprs/plautrba/selinux-patchwork/builds/
>
> I've already run some tests and it looks good.
>
> For all 16 patches - together with notself and other serie:
>
> Acked-by: Petr Lautrbach <lautrbach@xxxxxxxxxx>
>

All 16 of the notself and deny patches have been merged.
I did find a problem with an uninitialized return value at the last
minute which I fixed before merging.
Thanks to everyone who looked at or tested these patches.
Jim

> Thanks!
>
>
>
> > James Carter (9):
> >   libsepol/cil: Parse and add deny rule to AST, but do not process
> >   libsepol/cil: Add cil_list_is_empty macro
> >   libsepol/cil: Add cil_tree_node_remove function
> >   libsepol/cil: Process deny rules
> >   libsepol/cil: Add cil_write_post_ast function
> >   libsepol: Export the cil_write_post_ast function
> >   secilc/secil2tree: Add option to write CIL AST after post processing
> >   secilc/test: Add deny rule tests
> >   secilc/docs: Add deny rule to CIL documentation
> >
> >  libsepol/cil/include/cil/cil.h         |    1 +
> >  libsepol/cil/src/cil.c                 |   68 ++
> >  libsepol/cil/src/cil_build_ast.c       |   56 +
> >  libsepol/cil/src/cil_build_ast.h       |    2 +
> >  libsepol/cil/src/cil_copy_ast.c        |   19 +
> >  libsepol/cil/src/cil_copy_ast.h        |    1 +
> >  libsepol/cil/src/cil_deny.c            | 1413 ++++++++++++++++++++++++
> >  libsepol/cil/src/cil_deny.h            |   36 +
> >  libsepol/cil/src/cil_flavor.h          |    1 +
> >  libsepol/cil/src/cil_internal.h        |   10 +
> >  libsepol/cil/src/cil_list.h            |    3 +
> >  libsepol/cil/src/cil_post.c            |    7 +
> >  libsepol/cil/src/cil_reset_ast.c       |    8 +
> >  libsepol/cil/src/cil_resolve_ast.c     |   48 +
> >  libsepol/cil/src/cil_resolve_ast.h     |    1 +
> >  libsepol/cil/src/cil_tree.c            |   35 +
> >  libsepol/cil/src/cil_tree.h            |    1 +
> >  libsepol/cil/src/cil_verify.c          |    9 +
> >  libsepol/cil/src/cil_write_ast.c       |   10 +
> >  libsepol/cil/src/cil_write_ast.h       |    1 +
> >  libsepol/src/libsepol.map.in           |    5 +
> >  secilc/docs/cil_access_vector_rules.md |   41 +-
> >  secilc/secil2tree.c                    |    8 +-
> >  secilc/test/deny_rule_test1.cil        |  580 ++++++++++
> >  secilc/test/deny_rule_test2.cil        |  418 +++++++
> >  25 files changed, 2780 insertions(+), 2 deletions(-)
> >  create mode 100644 libsepol/cil/src/cil_deny.c
> >  create mode 100644 libsepol/cil/src/cil_deny.h
> >  create mode 100644 secilc/test/deny_rule_test1.cil
> >  create mode 100644 secilc/test/deny_rule_test2.cil
> >
> > --
> > 2.41.0
>
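As an added illustration of the deny semantics described in the quoted cover letter (constructed here, not code from the patch series or the thread), assuming the `(deny source target (class (perms)))` rule form and constructed types `domain_t` and `data_t`:

```cil
; Constructed example, not from the patch series. Rules as written in the policy:
(allow domain_t data_t (file (read write getattr setattr)))
(allow domain_t data_t (file (ioctl)))
(deny domain_t data_t (file (write setattr)))

; Because deny rules are processed after everything except neverallow rules,
; the permissions named in the deny rule are removed from the matching allow
; rules. The effective policy is equivalent to having written:
(allow domain_t data_t (file (read getattr)))
(allow domain_t data_t (file (ioctl)))

; A neverallow over the same permissions is checked last and, unlike deny,
; reports an error rather than removing anything, so the allow rules above
; would make the following rule fail the build instead of silently pruning:
; (neverallow domain_t data_t (file (write setattr)))
```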
