* [PATCH] libsepol/cil: Allow dotted names in aliasactual rules
@ 2024-08-12 16:56 James Carter
  2024-08-12 17:01 ` Dominick Grift
  2024-09-04 19:37 ` James Carter
  0 siblings, 2 replies; 4+ messages in thread
From: James Carter @ 2024-08-12 16:56 UTC (permalink / raw)
  To: selinux; +Cc: dominick.grift, James Carter

The function cil_gen_alias() is used to declare type, sensitivity,
and category aliases and the function cil_gen_aliasactual() is used
to assign an alias to the actual declared name.

Commit e55621c03 ("libsepol/cil: Add notself and other support to CIL")
added "notself" and "other" as reserved words. Previously, a check
was made in cil_gen_aliasactual() to ensure that the "self" reserved
word was not used. With the notself patch this function was upgraded
to call cil_verify_name() to verify that the other reserved words
were not used as well. This change prevents the use of dotted names
to refer to alias or actual names that are declared in blocks.

The check for a reserved word being used is not needed because that
check will be done for both the alias and the actual name when they
are declared.

Remove the call to cil_verify_name() and allow dotted names in
aliasactual rules.

Reported-by: Dominick Grift <dominick.grift@defensec.nl>
Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/cil/src/cil_build_ast.c | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 56dac891..6884f12c 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -3174,16 +3174,6 @@ int cil_gen_aliasactual(struct cil_db *db, struct cil_tree_node *parse_current,
 		goto exit;
 	}
 
-	rc = cil_verify_name(db, parse_current->next->data, flavor);
-	if (rc != SEPOL_OK) {
-		goto exit;
-	}
-
-	rc = cil_verify_name(db, parse_current->next->next->data, flavor);
-	if (rc != SEPOL_OK) {
-		goto exit;
-	}
-
 	cil_aliasactual_init(&aliasactual);
 
 	aliasactual->alias_str = parse_current->next->data;
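Review bot: the two deleted cil_verify_name() blocks have no replacement, so cil_gen_aliasactual() now relies entirely on the later resolve pass to reject an alias or actual operand that is undeclared or is one of the reserved words "self", "notself" or "other"; the commit message argues this is safe because both names are checked when they are declared, which holds only if a name that was never declared cannot resolve, so a one-line comment at the former check site stating that would help the next reader, and since the patch carries no test (1 file changed, 10 deletions) a CIL test policy with a block-qualified (dotted) alias and actual, plus a negative case using a reserved word as an operand, would lock the intended behaviour in.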
-- 
2.46.0


* Re: [PATCH] libsepol/cil: Allow dotted names in aliasactual rules
  2024-08-12 16:56 [PATCH] libsepol/cil: Allow dotted names in aliasactual rules James Carter
@ 2024-08-12 17:01 ` Dominick Grift
  2024-09-04 19:37 ` James Carter
  1 sibling, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2024-08-12 17:01 UTC (permalink / raw)
  To: James Carter; +Cc: selinux

James Carter <jwcart2@gmail.com> writes:

> The function cil_gen_alias() is used to declare type, sensitivity,
> and category aliases and the function cil_gen_aliasactual() is used
> to assign an alias to the actual declared name.
>
> Commit e55621c03 ("libsepol/cil: Add notself and other support to CIL")
> added "notself" and "other" as reserved words. Previously, a check
> was made in cil_gen_aliasactual() to ensure that the "self" reserved
> word was not used. With the notself patch this function was upgraded
> to call cil_verify_name() to verify that the other reserved words
> were not used as well. This change prevents the use of dotted names
> to refer to alias or actual names that are declared in blocks.
>
> The check for a reserved word being used is not needed because that
> check will be done for both the alias and the actual name when they
> are declared.
>
> Remove the call to cil_verify_name() and allow dotted names in
> aliasactual rules.
>
> Reported-by: Dominick Grift <dominick.grift@defensec.nl>
> Signed-off-by: James Carter <jwcart2@gmail.com>

Thank you.

> ---
>  libsepol/cil/src/cil_build_ast.c | 10 ----------
>  1 file changed, 10 deletions(-)
>
> diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> index 56dac891..6884f12c 100644
> --- a/libsepol/cil/src/cil_build_ast.c
> +++ b/libsepol/cil/src/cil_build_ast.c
> @@ -3174,16 +3174,6 @@ int cil_gen_aliasactual(struct cil_db *db, struct cil_tree_node *parse_current,
>  		goto exit;
>  	}
>  
> -	rc = cil_verify_name(db, parse_current->next->data, flavor);
> -	if (rc != SEPOL_OK) {
> -		goto exit;
> -	}
> -
> -	rc = cil_verify_name(db, parse_current->next->next->data, flavor);
> -	if (rc != SEPOL_OK) {
> -		goto exit;
> -	}
> -
>  	cil_aliasactual_init(&aliasactual);
>  
>  	aliasactual->alias_str = parse_current->next->data;

-- 
gpg --locate-keys dominick.grift@defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl

* Re: [PATCH] libsepol/cil: Allow dotted names in aliasactual rules
  2024-08-12 16:56 [PATCH] libsepol/cil: Allow dotted names in aliasactual rules James Carter
  2024-08-12 17:01 ` Dominick Grift
@ 2024-09-04 19:37 ` James Carter
  2024-09-05 19:05   ` James Carter
  1 sibling, 1 reply; 4+ messages in thread
From: James Carter @ 2024-09-04 19:37 UTC (permalink / raw)
  To: selinux

On Mon, Aug 12, 2024 at 12:56 PM James Carter <jwcart2@gmail.com> wrote:
>
> The function cil_gen_alias() is used to declare type, sensitivity,
> and category aliases and the function cil_gen_aliasactual() is used
> to assign an alias to the actual declared name.
>
> Commit e55621c03 ("libsepol/cil: Add notself and other support to CIL")
> added "notself" and "other" as reserved words. Previously, a check
> was made in cil_gen_aliasactual() to ensure that the "self" reserved
> word was not used. With the notself patch this function was upgraded
> to call cil_verify_name() to verify that the other reserved words
> were not used as well. This change prevents the use of dotted names
> to refer to alias or actual names that are declared in blocks.
>
> The check for a reserved word being used is not needed because that
> check will be done for both the alias and the actual name when they
> are declared.
>
> Remove the call to cil_verify_name() and allow dotted names in
> aliasactual rules.
>
> Reported-by: Dominick Grift <dominick.grift@defensec.nl>
> Signed-off-by: James Carter <jwcart2@gmail.com>

I plan on merging this soon.
Jim

> ---
>  libsepol/cil/src/cil_build_ast.c | 10 ----------
>  1 file changed, 10 deletions(-)
>
> diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> index 56dac891..6884f12c 100644
> --- a/libsepol/cil/src/cil_build_ast.c
> +++ b/libsepol/cil/src/cil_build_ast.c
> @@ -3174,16 +3174,6 @@ int cil_gen_aliasactual(struct cil_db *db, struct cil_tree_node *parse_current,
>                 goto exit;
>         }
>
> -       rc = cil_verify_name(db, parse_current->next->data, flavor);
> -       if (rc != SEPOL_OK) {
> -               goto exit;
> -       }
> -
> -       rc = cil_verify_name(db, parse_current->next->next->data, flavor);
> -       if (rc != SEPOL_OK) {
> -               goto exit;
> -       }
> -
>         cil_aliasactual_init(&aliasactual);
>
>         aliasactual->alias_str = parse_current->next->data;
> --
> 2.46.0
>

* Re: [PATCH] libsepol/cil: Allow dotted names in aliasactual rules
  2024-09-04 19:37 ` James Carter
@ 2024-09-05 19:05   ` James Carter
  0 siblings, 0 replies; 4+ messages in thread
From: James Carter @ 2024-09-05 19:05 UTC (permalink / raw)
  To: selinux

On Wed, Sep 4, 2024 at 3:37 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Mon, Aug 12, 2024 at 12:56 PM James Carter <jwcart2@gmail.com> wrote:
> >
> > The function cil_gen_alias() is used to declare type, sensitivity,
> > and category aliases and the function cil_gen_aliasactual() is used
> > to assign an alias to the actual declared name.
> >
> > Commit e55621c03 ("libsepol/cil: Add notself and other support to CIL")
> > added "notself" and "other" as reserved words. Previously, a check
> > was made in cil_gen_aliasactual() to ensure that the "self" reserved
> > word was not used. With the notself patch this function was upgraded
> > to call cil_verify_name() to verify that the other reserved words
> > were not used as well. This change prevents the use of dotted names
> > to refer to alias or actual names that are declared in blocks.
> >
> > The check for a reserved word being used is not needed because that
> > check will be done for both the alias and the actual name when they
> > are declared.
> >
> > Remove the call to cil_verify_name() and allow dotted names in
> > aliasactual rules.
> >
> > Reported-by: Dominick Grift <dominick.grift@defensec.nl>
> > Signed-off-by: James Carter <jwcart2@gmail.com>
>
> I plan on merging this soon.
> Jim
>

This patch has been merged.
Jim

> > ---
> >  libsepol/cil/src/cil_build_ast.c | 10 ----------
> >  1 file changed, 10 deletions(-)
> >
> > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> > index 56dac891..6884f12c 100644
> > --- a/libsepol/cil/src/cil_build_ast.c
> > +++ b/libsepol/cil/src/cil_build_ast.c
> > @@ -3174,16 +3174,6 @@ int cil_gen_aliasactual(struct cil_db *db, struct cil_tree_node *parse_current,
> >                 goto exit;
> >         }
> >
> > -       rc = cil_verify_name(db, parse_current->next->data, flavor);
> > -       if (rc != SEPOL_OK) {
> > -               goto exit;
> > -       }
> > -
> > -       rc = cil_verify_name(db, parse_current->next->next->data, flavor);
> > -       if (rc != SEPOL_OK) {
> > -               goto exit;
> > -       }
> > -
> >         cil_aliasactual_init(&aliasactual);
> >
> >         aliasactual->alias_str = parse_current->next->data;
> > --
> > 2.46.0
> >
