From: Petr Lautrbach <plautrba@redhat.com>
To: "James Carter" <jwcart2@gmail.com>,
	"Christian Göttsche" <cgzones@googlemail.com>,
	selinux@vger.kernel.org
Subject: Re: [PATCH v2] checkpolicy/dismod: misc improvements
Date: Fri, 30 Jun 2023 11:59:15 +0200	[thread overview]
Message-ID: <87a5wh1dak.fsf@redhat.com> (raw)
In-Reply-To: <CAP+JOzQdRXvEBwYVGoGy+Pmbzwr0jCF6OzSb42CRkYYU_OZ56g@mail.gmail.com>

James Carter <jwcart2@gmail.com> writes:

> On Fri, May 12, 2023 at 6:12 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
>>
>> * fix minus self formatting in neverallow rules, avoiding `~ - self`
>>
>> * show neverallow and neverallowxperm rules
>>
>> * whitespace improvements in output
>>   - avoid duplicate whitespaces before permission list, since
>>     sepol_av_to_string() already adds a trailing one
>>   - avoid duplicate whitespace after wildcard type
>>   - unify indentation for xperm rules
>>
>> * drop unused global variables
>>
>> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>

merged, thanks

>> ---
>> v2:
>>    drop extra whitespace in between ~ and { for type sets
>>    (there are still some minor spacing issues like
>>        neverallow  test1_t ~ self : file { read };
>>    but they would need an overhaul of the common display_id() function)
>> ---
>>  checkpolicy/test/dismod.c | 33 +++++++++++++++++++--------------
>>  1 file changed, 19 insertions(+), 14 deletions(-)
>>
>> diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
>> index 929ee308..5ec33860 100644
>> --- a/checkpolicy/test/dismod.c
>> +++ b/checkpolicy/test/dismod.c
>> @@ -54,11 +54,8 @@
>>  #define DISPLAY_AVBLOCK_FILENAME_TRANS 7
>>
>>  static policydb_t policydb;
>> -extern unsigned int ss_initialized;
>>
>> -int policyvers = MOD_POLICYDB_VERSION_BASE;
>> -
>> -static const char *symbol_labels[9] = {
>> +static const char *const symbol_labels[9] = {
>>         "commons",
>>         "classes", "roles  ", "types  ", "users  ", "bools  ",
>>         "levels ", "cats   ", "attribs"
>> @@ -86,12 +83,12 @@ static void render_access_bitmap(ebitmap_t * map, uint32_t class,
>>  {
>>         unsigned int i;
>>         char *perm;
>> -       fprintf(fp, "{");
>> +       fprintf(fp, " {");
>>         for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) {
>>                 if (ebitmap_get_bit(map, i)) {
>>                         perm = sepol_av_to_string(p, class, UINT32_C(1) << i);
>>                         if (perm)
>> -                               fprintf(fp, " %s", perm);
>> +                               fprintf(fp, "%s", perm);
>>                 }
>>         }
>>         fprintf(fp, " }");
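Review bot: The `"%s"` format on the perm line now depends on sepol_av_to_string() returning a string that already ends in a space, which only the commit message states; a comment above that fprintf such as `/* sepol_av_to_string() appends a trailing space, so no separator is printed here */` would stop a later reader from reinserting the `" %s"` form. Separately, the unchanged `UINT32_C(1) << i` is undefined once i reaches 32, and nothing visible in the hunk bounds ebitmap_length(map) to 32; that predates this change, but a guard before the shift would be cheap. render_access_bitmap's body ends past the hunk.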
>> @@ -117,10 +114,12 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
>>         unsigned int i, num_types;
>>
>>         if (set->flags & TYPE_STAR) {
>> -               fprintf(fp, " * ");
>> +               fprintf(fp, " *");
>>                 return 0;
>>         } else if (set->flags & TYPE_COMP) {
>>                 fprintf(fp, " ~");
>> +       } else {
>> +               fprintf(fp, " ");
>>         }
>>
>>         num_types = 0;
>> @@ -170,7 +169,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
>>         }
>>
>>         if (flags & RULE_NOTSELF) {
>> -               fprintf(fp, " -self");
>> +               if (set->flags & TYPE_COMP)
>> +                       fprintf(fp, " self");
>> +               else
>> +                       fprintf(fp, " -self");
>>         }
>>
>>         if (num_types > 1)
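Review bot: Printing ` self` inside a complemented set assumes the braces around the set account for this extra element, but the only brace condition visible is `if (num_types > 1)` on the last line of the hunk; if that is the sole place braces are decided, a complement set with exactly one type plus self would be rendered as `~ a self` with no braces. display_type_set starts and ends outside the hunk, so this needs confirming against the full function; if it holds, the self element should count toward the brace decision alongside num_types.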
>> @@ -234,6 +236,9 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy,
>>                 if (avrule->specified & AVRULE_DONTAUDIT) {
>>                         fprintf(fp, "  dontaudit");
>>                 }
>> +               if (avrule->specified & AVRULE_NEVERALLOW) {
>> +                       fprintf(fp, "  neverallow");
>> +               }
>>         } else if (avrule->specified & AVRULE_TYPE) {
>>                 if (avrule->specified & AVRULE_TRANSITION) {
>>                         fprintf(fp, "  type_transition");
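Review bot: The new `if (avrule->specified & AVRULE_NEVERALLOW)` block carries no comment explaining why neverallow now lives under the AVRULE_AV branch; from the later hunk that deletes the old `else if (avrule->specified & AVRULE_NEVERALLOW)`, the reason appears to be that the AVRULE_AV test already matches neverallow rules, leaving the old branch unreachable. A one-line comment above the new `if`, e.g. `/* AVRULE_AV already matches neverallow rules, so they must be labelled here */`, would keep someone from moving it back. display_avrule's body continues past the hunk.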
>> @@ -244,15 +249,15 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy,
>>                 if (avrule->specified & AVRULE_CHANGE) {
>>                         fprintf(fp, "  type_change");
>>                 }
>> -       } else if (avrule->specified & AVRULE_NEVERALLOW) {
>> -               fprintf(fp, "  neverallow");
>>         } else if (avrule->specified & AVRULE_XPERMS) {
>>                 if (avrule->specified & AVRULE_XPERMS_ALLOWED)
>> -                       fprintf(fp, "allowxperm ");
>> +                       fprintf(fp, "  allowxperm");
>>                 else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW)
>> -                       fprintf(fp, "auditallowxperm ");
>> +                       fprintf(fp, "  auditallowxperm");
>>                 else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT)
>> -                       fprintf(fp, "dontauditxperm ");
>> +                       fprintf(fp, "  dontauditxperm");
>> +               else if (avrule->specified & AVRULE_XPERMS_NEVERALLOW)
>> +                       fprintf(fp, "  neverallowxperm");
>>         } else {
>>                 fprintf(fp, "     ERROR: no valid rule type specified\n");
>>                 return -1;
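Review bot: The xperm chain beginning at `if (avrule->specified & AVRULE_XPERMS_ALLOWED)` still has no trailing else, so a rule with the AVRULE_XPERMS bit set but none of the four sub-kinds prints no keyword and continues into the rest of the output, whereas the outer chain reports an error and returns -1. Adding `else { fprintf(fp, "     ERROR: no valid xperm rule type specified\n"); return -1; }` after the neverallowxperm case would make the two chains consistent. Whether such a combination can actually reach this function depends on how the rules are built, which is not visible here. display_avrule continues past the hunk.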
>> @@ -560,7 +565,7 @@ static int display_scope_index(scope_index_t * indices, policydb_t * p,
>>                                                                      p, out_fp);
>>                                         } else {
>>                                                 fprintf(out_fp,
>> -                                                       "<no perms known>");
>> +                                                       " <no perms known>");
>>                                         }
>>                                 }
>>                         }
>> --
>> 2.40.1
>>

