On Wed, Sep 4, 2024 at 3:37 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Mon, Aug 12, 2024 at 12:56 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > The function cil_gen_alias() is used to declare type, sensitivity,
> > and category aliases and the function cil_gen_aliasactual() is used
> > to assign an alias to the actual declared name.
> >
> > Commit e55621c03 ("libsepol/cil: Add notself and other support to CIL")
> > added "notself" and "other" as reserved words. Previously, a check
> > was made in cil_gen_aliasactual() to ensure that the "self" reserved
> > word was not used. With the notself patch this function was upgraded
> > to call cil_verify_name() to verify that the other reserved words
> > were not used as well. This change prevents the use of dotted names
> > to refer to alias or actual names that are declared in blocks.
> >
> > The check for a reserved word being used is not needed because that
> > check will be done for both the alias and the actual name when they
> > are declared.
> >
> > Remove the call to cil_verify_name() and allow dotted names in
> > aliasactual rules.
> >
> > Reported-by: Dominick Grift <dominick.grift@xxxxxxxxxxx>
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
>
> I plan on merging this soon.
> Jim
>

This patch has been merged.
Jim

> > --- > > libsepol/cil/src/cil_build_ast.c | 10 ---------- > > 1 file changed, 10 deletions(-) > > > > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c > > index 56dac891..6884f12c 100644 > > --- a/libsepol/cil/src/cil_build_ast.c > > +++ b/libsepol/cil/src/cil_build_ast.c 
> > @@ -3174,16 +3174,6 @@ int cil_gen_aliasactual(struct cil_db *db, struct cil_tree_node *parse_current, > > goto exit; > > } > > > > - rc = cil_verify_name(db, parse_current->next->data, flavor); > > - if (rc != SEPOL_OK) { > > - goto exit; > > - } > > - > > - rc = cil_verify_name(db, parse_current->next->next->data, flavor); > > - if (rc != SEPOL_OK) { > > - goto exit; > > - } > > - > > cil_aliasactual_init(&aliasactual); > > > > aliasactual->alias_str = parse_current->next->data; > > -- > > 2.46.0 > >
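
Review bot: With both cil_verify_name() calls removed ahead of cil_aliasactual_init(), parse_current->next->data and parse_current->next->next->data are stored in the aliasactual with no name validation in this function, and nothing in the code records why. The commit message argues that the reserved-word check already happens when the alias and the actual name are declared; a short comment at this spot saying so, and that dotted names are accepted on purpose, would keep a later change from reintroducing the check. Because the removed call may have enforced more than reserved words, a test policy with a dotted aliasactual referring to names declared in a block, plus one that tries "self", "notself" or "other" as a name, would confirm that the first is now accepted and show whether the second is still rejected at declaration.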