On Mon, Aug 12, 2024 at 12:56 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > The function cil_gen_alias() is used to declare type, sensitivity, > and category aliases and the function cil_gen_aliasactual() is used > to assign an alias to the actual declared name. > > Commit e55621c03 ("libsepol/cil: Add notself and other support to CIL") > added "notself" and "other" as reserved words. Previously, a check > was made in cil_gen_aliasactual() to ensure that the "self" reserved > word was not used. With the notself patch this function was upgraded > to call cil_verify_name() to verify that the other reserved words > were not used as well. This change prevents the use of dotted names > to refer to alias or actual names that are declared in blocks. > > The check for a reserved word being used is not needed because that > check will be done for both the alias and the actual name when they > are declared. > > Remove the call to cil_verify_name() and allow dotted names in > aliasactual rules. > > Reported-by: Dominick Grift <dominick.grift@xxxxxxxxxxx> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> I plan on merging this soon. Jim > --- > libsepol/cil/src/cil_build_ast.c | 10 ---------- > 1 file changed, 10 deletions(-) > > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c > index 56dac891..6884f12c 100644 > --- a/libsepol/cil/src/cil_build_ast.c > +++ b/libsepol/cil/src/cil_build_ast.c > @@ -3174,16 +3174,6 @@ int cil_gen_aliasactual(struct cil_db *db, struct cil_tree_node *parse_current, > goto exit; > } > > - rc = cil_verify_name(db, parse_current->next->data, flavor); > - if (rc != SEPOL_OK) { > - goto exit; > - } > - > - rc = cil_verify_name(db, parse_current->next->next->data, flavor); > - if (rc != SEPOL_OK) { > - goto exit; > - } > - > cil_aliasactual_init(&aliasactual); > > aliasactual->alias_str = parse_current->next->data; > -- > 2.46.0 >
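Review bot: The removal of both cil_verify_name() calls ahead of cil_aliasactual_init(&aliasactual) in cil_gen_aliasactual() leaves nothing at that spot explaining why parse_current->next->data and parse_current->next->next->data are now accepted without a name check, and the diffstat (1 file changed, 10 deletions) shows that no test accompanies the change. Suggest a short comment there stating that reserved-word checks are done where the alias and the actual name are declared and that dotted names are intentionally allowed in aliasactual rules. A policy test would also help: one case with an aliasactual rule using dotted names for an alias and an actual name declared in blocks, and one case confirming that "self", "notself" and "other" are still rejected when used in a declaration, so the assumption in the commit message is checked rather than relied on.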