SELinux userspace 3.3-rc2 release

Petr Lautrbach 2021-09-29 20:19:44 +02:00
parent 20009509c1
commit b8172b420f
16 changed files with 11 additions and 1319 deletions

.gitignore

@ -14,3 +14,4 @@
/secilc-3.1.tar.gz
/secilc-3.2-rc1.tar.gz
/secilc-3.2.tar.gz
/secilc-3.3-rc2.tar.gz

@ -1,39 +0,0 @@
From 45d7a0a563e16545fe63e8c252492daf9ec845e8 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 16 Mar 2021 15:19:10 -0400
Subject: [PATCH] secilc/docs: Lists are now allowed in constraint expressions
Update the CIL documentation to show that lists are allowed in
constraint expressions.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
secilc/docs/cil_constraint_statements.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/secilc/docs/cil_constraint_statements.md b/secilc/docs/cil_constraint_statements.md
index 2dd6e6f022db..358927d63981 100644
--- a/secilc/docs/cil_constraint_statements.md
+++ b/secilc/docs/cil_constraint_statements.md
@@ -34,12 +34,12 @@ Enable constraints to be placed on the specified permissions of the object class
<p><code> (op u1 u2)</code></p>
<p><code> (role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
-<p><code> (op u1 user_id)</code></p>
-<p><code> (op u2 user_id)</code></p>
-<p><code> (op r1 role_id)</code></p>
-<p><code> (op r2 role_id)</code></p>
-<p><code> (op t1 type_id)</code></p>
-<p><code> (op t2 type_id)</code></p>
+<p><code> (op u1 user_id | (user_id ...))</code></p>
+<p><code> (op u2 user_id | (user_id ...))</code></p>
+<p><code> (op r1 role_id | (role_id ...))</code></p>
+<p><code> (op r2 role_id | (role_id ...))</code></p>
+<p><code> (op t1 type_id | (type_id ...))</code></p>
+<p><code> (op t2 type_id | (type_id ...))</code></p>
<p>where:</p>
<p><code> u1, r1, t1 = Source context: user, role or type</code></p>
<p><code> u2, r2, t2 = Target context: user, role or type</code></p>
--
2.32.0

@ -1,74 +0,0 @@
From 1e4e7f6a125af20c563f8c6932d210a8f5f902e9 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@defensec.nl>
Date: Wed, 24 Mar 2021 16:11:05 +0100
Subject: [PATCH] cil_conditional_statements.md: fix expr definition
expr "(expr (tunable_id tunable_id))" does not work but "(expr
tunable_id tunable_id)" does work
for example, this works
(tunable test1)
(tunable test2)
(tunableif (or test1 test2)
(true
(allow a b (c (d)))))
but this does not work:
(tunable test1)
(tunable test2)
(tunableif (or (test1 test2))
(true
(allow a b (c (d)))))
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
secilc/docs/cil_conditional_statements.md | 24 +++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/secilc/docs/cil_conditional_statements.md b/secilc/docs/cil_conditional_statements.md
index a55a9b6cccd6..55f0bfd65aa8 100644
--- a/secilc/docs/cil_conditional_statements.md
+++ b/secilc/docs/cil_conditional_statements.md
@@ -78,12 +78,12 @@ Contains the run time conditional statements that are instantiated in the binary
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
-<p><code> (and (boolean_id boolean_id))</code></p>
-<p><code> (or (boolean_id boolean_id))</code></p>
-<p><code> (xor (boolean_id boolean_id))</code></p>
-<p><code> (eq (boolean_id boolean_id))</code></p>
-<p><code> (neq (boolean_id boolean_id))</code></p>
-<p><code> (not (boolean_id))</code></p></td>
+<p><code> (and boolean_id boolean_id)</code></p>
+<p><code> (or boolean_id boolean_id)</code></p>
+<p><code> (xor boolean_id boolean_id)</code></p>
+<p><code> (eq boolean_id boolean_id)</code></p>
+<p><code> (neq boolean_id boolean_id)</code></p>
+<p><code> (not boolean_id)</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>true</code></p></td>
@@ -196,12 +196,12 @@ Compile time conditional statement that may or may not add CIL statements to be
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
-<p><code> (and (tunable_id tunable_id))</code></p>
-<p><code> (or (tunable_id tunable_id))</code></p>
-<p><code> (xor (tunable_id tunable_id))</code></p>
-<p><code> (eq (tunable_id tunable_id))</code></p>
-<p><code> (neq (tunable_id tunable_id))</code></p>
-<p><code> (not (tunable_id))</code></p></td>
+<p><code> (and tunable_id tunable_id)</code></p>
+<p><code> (or tunable_id tunable_id)</code></p>
+<p><code> (xor tunable_id tunable_id)</code></p>
+<p><code> (eq tunable_id tunable_id)</code></p>
+<p><code> (neq tunable_id tunable_id)</code></p>
+<p><code> (not tunable_id)</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>true</code></p></td>
--
2.32.0

@ -1,36 +0,0 @@
From d1a34d3f1df5e90c9e01fcd9791c26db89064a7e Mon Sep 17 00:00:00 2001
From: Yi-Yo Chiang <yochiang@google.com>
Date: Wed, 14 Apr 2021 22:10:27 +0800
Subject: [PATCH] secilc.c: Don't fail if input file is empty
fread(3) returns zero if |size| is zero. This confuses secilc, and
causes it to fail with a "Failure reading file" error, even though there
is no error.
Add a shortcut that closes and skips an input file if file size is zero.
Signed-off-by: Yi-Yo Chiang <yochiang@google.com>
---
secilc/secilc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/secilc/secilc.c b/secilc/secilc.c
index 186c5a730221..9c78e42565e9 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -268,6 +268,12 @@ int main(int argc, char *argv[])
}
file_size = filedata.st_size;
+ if (!file_size) {
+ fclose(file);
+ file = NULL;
+ continue;
+ }
+
buffer = malloc(file_size);
rc = fread(buffer, file_size, 1, file);
if (rc != 1) {
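Review bot: the new `if (!file_size)` shortcut skips an empty input without any message; because `rc` still holds the 0 returned by the `stat()` just above, the loop correctly continues with `rc == SEPOL_OK`, but a verbose-level line naming the skipped file would make a truncated or accidentally empty policy file visible to the caller instead of silently dropping it from the compile. The same `malloc(file_size); fread(buffer, file_size, 1, file)` sequence reappears in the new secil2tree.c further down this page without this shortcut, so that tool still fails with "Failure reading file" on an empty file.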
--
2.32.0

@ -1,132 +0,0 @@
From bad0a746e9f4cf260dedba5828d9645d50176aac Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Mon, 19 Apr 2021 09:06:15 -0400
Subject: [PATCH] secilc/docs: Update the CIL documentation for various blocks
Update the documentation for macros, booleans, booleanifs, tunables,
tunableifs, blocks, blockabstracts, blockinherits, and optionals to
tell where these statements can be used and, for those that have
blocks, what statements are not allowed in them.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
secilc/docs/cil_call_macro_statements.md | 2 ++
secilc/docs/cil_conditional_statements.md | 6 +++++
secilc/docs/cil_container_statements.md | 28 +++++++++++++++--------
3 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
index 332eb28f4256..352a9fb06efe 100644
--- a/secilc/docs/cil_call_macro_statements.md
+++ b/secilc/docs/cil_call_macro_statements.md
@@ -58,6 +58,8 @@ When resolving macros the following places are checked in this order:
- Items defined in the global namespace
+[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
+
**Statement definition:**
```secil
diff --git a/secilc/docs/cil_conditional_statements.md b/secilc/docs/cil_conditional_statements.md
index 55f0bfd65aa8..9afd4153a24a 100644
--- a/secilc/docs/cil_conditional_statements.md
+++ b/secilc/docs/cil_conditional_statements.md
@@ -6,6 +6,8 @@ boolean
Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file.
+[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
+
**Statement definition:**
```secil
@@ -126,6 +128,8 @@ Tunables are similar to booleans, however they are used to manage areas of CIL s
Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags.
+Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks.
+
**Statement definition:**
```secil
@@ -164,6 +168,8 @@ tunableif
Compile time conditional statement that may or may not add CIL statements to be compiled.
+If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block.
+
**Statement definition:**
```secil
diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
index 76e9da51f0bc..7a7f67cc27c4 100644
--- a/secilc/docs/cil_container_statements.md
+++ b/secilc/docs/cil_container_statements.md
@@ -4,7 +4,11 @@ Container Statements
block
-----
-Start a new namespace where any CIL statement is valid.
+Start a new namespace.
+
+Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
+
+[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks.
**Statement definition:**
@@ -47,6 +51,8 @@ blockabstract
Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement.
+Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
+
**Statement definition:**
```secil
@@ -97,6 +103,8 @@ blockinherit
Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section.
+Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
+
**Statement definition:**
```secil
@@ -199,15 +207,11 @@ This example contains a template `client_server` that is instantiated in two blo
optional
--------
-Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid:
+Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy.
-| | | | |
-| ------------------- | -------------- | ------------------ | ------------------ |
-| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) |
-| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) |
-| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) |
-| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) |
-| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | |
+Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
+
+[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks.
**Statement definition:**
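Review bot: the removed paragraph stated that `tunableif` and `macro` statements are not allowed in optional containers, but the replacement list names only `tunable`, `in`, `block`, `blockabstract` and `macro`, so the status of `tunableif` inside an `optional` block is no longer documented anywhere in this patch (the tunableif hunk above only describes what may appear inside a tunableif). If `tunableif` is still rejected in optional blocks, add it to the list; if it is now accepted, a sentence saying so would stop readers of the old text from assuming the restriction still holds.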
@@ -266,7 +270,11 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
in
--
-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
+Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)).
+
+Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks.
+
+[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks.
**Statement definition:**
--
2.32.0

@ -1,408 +0,0 @@
From d0a07a7f1371e5c4528dcda4020bc3bc90621ec4 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Wed, 21 Apr 2021 13:21:12 -0400
Subject: [PATCH] secilc: Create the new program called secil2tree to write out
CIL AST
secil2tree is the SELinux CIL AST writer. It calls the cil functions
cil_write_parse_ast(), cil_write_build_ast(), or cil_write_resolve_ast()
to write out the parse tree, the CIL AST after the build phase, or the
CIL AST after the resolve phase.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
secilc/.gitignore | 2 +
secilc/Makefile | 20 +++-
secilc/secil2tree.8.xml | 81 ++++++++++++++++
secilc/secil2tree.c | 206 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 307 insertions(+), 2 deletions(-)
create mode 100644 secilc/secil2tree.8.xml
create mode 100644 secilc/secil2tree.c
diff --git a/secilc/.gitignore b/secilc/.gitignore
index 164523b066d6..d2a3daf1665c 100644
--- a/secilc/.gitignore
+++ b/secilc/.gitignore
@@ -2,6 +2,8 @@ secilc
secilc.8
secil2conf
secil2conf.8
+secil2tree
+secil2tree.8
policy.*
file_contexts
docs/html
diff --git a/secilc/Makefile b/secilc/Makefile
index d4a1c35a2878..94be04819447 100644
--- a/secilc/Makefile
+++ b/secilc/Makefile
@@ -10,8 +10,13 @@ SECIL2CONF = secil2conf
SECIL2CONF_SRCS := secil2conf.c
SECIL2CONF_OBJS := $(patsubst %.c,%.o,$(SECIL2CONF_SRCS))
+SECIL2TREE = secil2tree
+SECIL2TREE_SRCS := secil2tree.c
+SECIL2TREE_OBJS := $(patsubst %.c,%.o,$(SECIL2TREE_SRCS))
+
SECILC_MANPAGE = secilc.8
SECIL2CONF_MANPAGE = secil2conf.8
+SECIL2TREE_MANPAGE = secil2tree.8
XMLTO = xmlto
DIFF = diff
@@ -23,7 +28,7 @@ CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align
override CFLAGS += -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64
override LDLIBS += -lsepol
-all: $(SECILC) $(SECIL2CONF) man
+all: $(SECILC) $(SECIL2CONF) $(SECIL2TREE) man
$(SECILC): $(SECILC_OBJS)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS)
@@ -37,7 +42,10 @@ test: $(SECILC)
$(SECIL2CONF): $(SECIL2CONF_OBJS)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS)
-man: $(SECILC_MANPAGE) $(SECIL2CONF_MANPAGE)
+$(SECIL2TREE): $(SECIL2TREE_OBJS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS)
+
+man: $(SECILC_MANPAGE) $(SECIL2CONF_MANPAGE) $(SECIL2TREE_MANPAGE)
$(SECILC_MANPAGE): $(SECILC_MANPAGE).xml
$(XMLTO) man $(SECILC_MANPAGE).xml
@@ -45,13 +53,18 @@ $(SECILC_MANPAGE): $(SECILC_MANPAGE).xml
$(SECIL2CONF_MANPAGE): $(SECIL2CONF_MANPAGE).xml
$(XMLTO) man $(SECIL2CONF_MANPAGE).xml
+$(SECIL2TREE_MANPAGE): $(SECIL2TREE_MANPAGE).xml
+ $(XMLTO) man $(SECIL2TREE_MANPAGE).xml
+
install: all man
-mkdir -p $(DESTDIR)$(BINDIR)
-mkdir -p $(DESTDIR)$(MANDIR)/man8
install -m 755 $(SECILC) $(DESTDIR)$(BINDIR)
install -m 755 $(SECIL2CONF) $(DESTDIR)$(BINDIR)
+ install -m 755 $(SECIL2TREE) $(DESTDIR)$(BINDIR)
install -m 644 $(SECILC_MANPAGE) $(DESTDIR)$(MANDIR)/man8
install -m 644 $(SECIL2CONF_MANPAGE) $(DESTDIR)$(MANDIR)/man8
+ install -m 644 $(SECIL2TREE_MANPAGE) $(DESTDIR)$(MANDIR)/man8
doc:
$(MAKE) -C docs
@@ -61,10 +74,13 @@ clean:
rm -f $(SECILC_OBJS)
rm -f $(SECIL2CONF)
rm -f $(SECIL2CONF_OBJS)
+ rm -f $(SECIL2TREE)
+ rm -f $(SECIL2TREE_OBJS)
rm -f policy.*
rm -f file_contexts
rm -f $(SECILC_MANPAGE)
rm -f $(SECIL2CONF_MANPAGE)
+ rm -f $(SECIL2TREE_MANPAGE)
rm -f opt-actual.cil
rm -f opt-actual.bin
$(MAKE) -C docs clean
diff --git a/secilc/secil2tree.8.xml b/secilc/secil2tree.8.xml
new file mode 100644
index 000000000000..81382ffe4e42
--- /dev/null
+++ b/secilc/secil2tree.8.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<refentry>
+ <refentryinfo>
+ <author>
+ <firstname>James</firstname><surname>Carter</surname><contrib></contrib>
+ </author>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>SECIL2TREE</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="date">05 April 2021</refmiscinfo>
+ <refmiscinfo class="source">secil2tree</refmiscinfo>
+ <refmiscinfo class="manual">SELinux CIL AST Writer</refmiscinfo>
+ </refmeta>
+ <refnamediv id="name">
+ <refname>secil2tree</refname>
+ <refpurpose>invoke the SELinux Common Intermediate Language (CIL) AST Writer </refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id="synopsis">
+ <cmdsynopsis>
+ <command>secil2tree</command>
+ <arg choice="opt" rep="repeat"><replaceable>OPTION</replaceable></arg>
+ <arg choice="plain"><replaceable>file</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="description"><title>DESCRIPTION</title>
+ <para><emphasis role="italic">secil2tree</emphasis> invokes the CIL AST Writer with the specified <emphasis role="italic">argument</emphasis>s.</para>
+ </refsect1>
+
+ <refsect1 id="options"><title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term><option>-o, --output=&lt;file></option></term>
+ <listitem><para>Write AST to <emphasis role="italic">file</emphasis> (default: stdout)</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-P, --preserve-tunables</option></term>
+ <listitem><para>Treat tunables as booleans.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-A, --ast-phase=&lt;phase></option></term>
+ <listitem><para>Write AST of phase <emphasis role="italic">phase</emphasis>. Must be <emphasis role="bold">parse</emphasis>, <emphasis role="bold">build</emphasis>, or <emphasis role="bold">resolve</emphasis>. (default: <emphasis role="bold">resolve</emphasis>)</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-v, --verbose</option></term>
+ <listitem><para>Increment verbosity level.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-h, --help</option></term>
+ <listitem><para>Display usage information.</para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="see_also"><title>SEE ALSO</title>
+ <para>
+ <simplelist type="inline">
+ <member><citerefentry>
+ <refentrytitle>secilc</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry></member>
+ <member><citerefentry>
+ <refentrytitle>secil2conf</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry></member>
+ </simplelist>
+ </para>
+ <para>HTML documentation describing the CIL language statements is available starting with <emphasis role="italic">docs/html/index.html</emphasis>.</para>
+ <para>PDF documentation describing the CIL language statements is available at: <emphasis role="italic">docs/pdf/CIL_Reference_Guide.pdf</emphasis>.</para>
+ </refsect1>
+</refentry>
diff --git a/secilc/secil2tree.c b/secilc/secil2tree.c
new file mode 100644
index 000000000000..218d05832854
--- /dev/null
+++ b/secilc/secil2tree.c
@@ -0,0 +1,206 @@
+/*
+ * Copyright 2011 Tresys Technology, LLC. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+ * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * The views and conclusions contained in the software and documentation are those
+ * of the authors and should not be interpreted as representing official policies,
+ * either expressed or implied, of Tresys Technology, LLC.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <getopt.h>
+#include <sys/stat.h>
+
+#ifdef ANDROID
+#include <cil/cil.h>
+#else
+#include <sepol/cil/cil.h>
+#endif
+#include <sepol/policydb.h>
+
+enum write_ast_phase {
+ WRITE_AST_PHASE_PARSE = 0,
+ WRITE_AST_PHASE_BUILD,
+ WRITE_AST_PHASE_RESOLVE,
+};
+
+static __attribute__((__noreturn__)) void usage(const char *prog)
+{
+ printf("Usage: %s [OPTION]... FILE...\n", prog);
+ printf("\n");
+ printf("Options:\n");
+ printf(" -o, --output=<file> write AST to <file>. (default: stdout)\n");
+ printf(" -P, --preserve-tunables treat tunables as booleans\n");
+ printf(" -A, --ast-phase=<phase> write AST of phase <phase>. Phase must be parse, \n");
+ printf(" build, or resolve. (default: resolve)\n");
+ printf(" -v, --verbose increment verbosity level\n");
+ printf(" -h, --help display usage information\n");
+ exit(1);
+}
+
+int main(int argc, char *argv[])
+{
+ int rc = SEPOL_ERR;
+ FILE *file = NULL;
+ char *buffer = NULL;
+ struct stat filedata;
+ uint32_t file_size;
+ char *output = NULL;
+ struct cil_db *db = NULL;
+ int preserve_tunables = 0;
+ enum write_ast_phase write_ast = WRITE_AST_PHASE_RESOLVE;
+ int opt_char;
+ int opt_index = 0;
+ enum cil_log_level log_level = CIL_ERR;
+ static struct option long_opts[] = {
+ {"help", no_argument, 0, 'h'},
+ {"verbose", no_argument, 0, 'v'},
+ {"preserve-tunables", no_argument, 0, 'P'},
+ {"output", required_argument, 0, 'o'},
+ {"ast-phase", required_argument, 0, 'A'},
+ {0, 0, 0, 0}
+ };
+ int i;
+
+ while (1) {
+ opt_char = getopt_long(argc, argv, "o:hvPA:", long_opts, &opt_index);
+ if (opt_char == -1) {
+ break;
+ }
+ switch (opt_char) {
+ case 'v':
+ log_level++;
+ break;
+ case 'P':
+ preserve_tunables = 1;
+ break;
+ case 'o':
+ output = strdup(optarg);
+ break;
+ case 'A':
+ if (!strcasecmp(optarg, "parse")) {
+ write_ast = WRITE_AST_PHASE_PARSE;
+ } else if (!strcasecmp(optarg, "build")) {
+ write_ast = WRITE_AST_PHASE_BUILD;
+ } else if (!strcasecmp(optarg, "resolve")) {
+ write_ast = WRITE_AST_PHASE_RESOLVE;
+ } else {
+ fprintf(stderr, "Invalid AST phase: %s\n", optarg);
+ usage(argv[0]);
+ }
+ break;
+ case 'h':
+ usage(argv[0]);
+ case '?':
+ break;
+ default:
+ fprintf(stderr, "Unsupported option: %s\n", optarg);
+ usage(argv[0]);
+ }
+ }
+
+ if (optind >= argc) {
+ fprintf(stderr, "No cil files specified\n");
+ usage(argv[0]);
+ }
+
+ cil_set_log_level(log_level);
+
+ cil_db_init(&db);
+ cil_set_preserve_tunables(db, preserve_tunables);
+ cil_set_attrs_expand_generated(db, 0);
+ cil_set_attrs_expand_size(db, 0);
+
+ for (i = optind; i < argc; i++) {
+ file = fopen(argv[i], "r");
+ if (!file) {
+ fprintf(stderr, "Could not open file: %s\n", argv[i]);
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+ rc = stat(argv[i], &filedata);
+ if (rc == -1) {
+ fprintf(stderr, "Could not stat file: %s\n", argv[i]);
+ goto exit;
+ }
+ file_size = filedata.st_size;
+
+ buffer = malloc(file_size);
+ rc = fread(buffer, file_size, 1, file);
+ if (rc != 1) {
+ fprintf(stderr, "Failure reading file: %s\n", argv[i]);
+ goto exit;
+ }
+ fclose(file);
+ file = NULL;
+
+ rc = cil_add_file(db, argv[i], buffer, file_size);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failure adding %s\n", argv[i]);
+ goto exit;
+ }
+
+ free(buffer);
+ buffer = NULL;
+ }
+
+ if (output == NULL) {
+ file = stdout;
+ } else {
+ file = fopen(output, "w");
+ if (file == NULL) {
+ fprintf(stderr, "Failure opening file %s for writing\n", output);
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+ }
+
+ switch (write_ast) {
+ case WRITE_AST_PHASE_PARSE:
+ rc = cil_write_parse_ast(file, db);
+ break;
+ case WRITE_AST_PHASE_BUILD:
+ rc = cil_write_build_ast(file, db);
+ break;
+ case WRITE_AST_PHASE_RESOLVE:
+ rc = cil_write_resolve_ast(file, db);
+ break;
+ }
+
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to write AST\n");
+ goto exit;
+ }
+
+exit:
+ if (file != NULL && file != stdin) {
+ fclose(file);
+ }
+ free(buffer);
+ free(output);
+ cil_db_destroy(&db);
+ return rc;
+}
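Review bot: the cleanup at the `exit:` label compares `file` against `stdin`, but `file` is never assigned stdin; it is assigned `stdout` in the `if (output == NULL)` branch, so every run without `-o` ends by calling `fclose(stdout)`. The check should read `if (file != NULL && file != stdout)`. Two smaller points in the read loop: `fopen()` is followed by `stat()` on the path name, so the file can be replaced between the two calls and the size used for `malloc()`/`fread()` need not match the stream actually read; `fstat(fileno(file), &filedata)` sizes the open descriptor instead. And the loop copies the unguarded `malloc(file_size)` / `fread(buffer, file_size, 1, file)` sequence that the secilc.c patch above had to fix for zero-length files, with no NULL check on the `malloc()` result and no empty-file shortcut, so an empty .cil input fails here with "Failure reading file".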
--
2.32.0

@ -1,46 +0,0 @@
From 7fec5e93d97b39ffcf66e7f26c2d9cc0e8533db2 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Thu, 6 May 2021 13:05:37 -0400
Subject: [PATCH] secilc/docs: Document the order that inherited rules are
resolved in
In the blockinherit section of the CIL documentation clearly state
the order in which inherited rules are resolved.
That order is:
1) The parent namespaces (if any) where the blockinherit rule is
located with the exception of the global namespace.
2) The parent namespaces of the block being inherited (but not that
block's namespace) with the exception of the global namespace.
3) The global namespace.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
secilc/docs/cil_container_statements.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
index 7a7f67cc27c4..41a4612cd835 100644
--- a/secilc/docs/cil_container_statements.md
+++ b/secilc/docs/cil_container_statements.md
@@ -103,6 +103,14 @@ blockinherit
Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section.
+Inherited rules are resolved by searching namespaces in the following order:
+
+- The parent namespaces (if any) where the [`blockinherit`](cil_container_statements.md#blockinherit) rule is located with the exception of the global namespace.
+
+- The parent namespaces of the block being inherited (but not that block's namespace) with the exception of the global namespace.
+
+- The global namespace.
+
Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
**Statement definition:**
--
2.32.0

@ -1,62 +0,0 @@
From fe9f10e0ee9c1052caea63a2679d14b1acefd4b2 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 11 May 2021 14:36:29 -0400
Subject: [PATCH] secilc/docs: Relocate and reword macro call name resolution
order
The listing of the order was in the macro section, but it belongs
in the call section.
Move the listing of the order to the call section and provide a
better explanation.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
secilc/docs/cil_call_macro_statements.md | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
index 352a9fb06efe..3cc14bf86fdb 100644
--- a/secilc/docs/cil_call_macro_statements.md
+++ b/secilc/docs/cil_call_macro_statements.md
@@ -8,6 +8,18 @@ Instantiate a [macro](#macro) within the current namespace. There may be zero or
Each parameter passed contains an argument to be resolved by the [macro](#macro), these can be named or anonymous but must conform to the parameter types defined in the [`macro`](cil_call_macro_statements.md#macro) statement.
+Macro rules are resolved by searching in the following order:
+
+- The macro namespace (If found this means that the name was declared in the macro and is now declared in the namespace of one of the parents of the call.)
+
+- The call arguments
+
+- The parent namespaces of the macro being called (if any) with the exception of the global namespace.
+
+- The parent namespaces of the call (if any) with the exception of the global namespace.
+
+- The global namespace
+
**Statement definition:**
```secil
@@ -46,18 +58,6 @@ macro
Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
-When resolving macros the following places are checked in this order:
-
-- Items defined inside the macro
-
-- Items passed into the macro as arguments
-
-- Items defined in the same namespace of the macro
-
-- Items defined in the callers namespace
-
-- Items defined in the global namespace
-
[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
**Statement definition:**
--
2.32.0

@ -1,142 +0,0 @@
From 4a60fd78d26f667c206d59a36c07bbbc12f84fb8 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 15 Jun 2021 11:37:43 -0400
Subject: [PATCH] secilc/test: Add test for anonymous args
CIL has rules that allow names to be assigned to certain objects
like MLS category sets, MLS levels, MLS ranges, IP addresses, and
class permission sets. These objects can also be named as parameters
for a macro. A call may pass in a name for one of these objects, but
it also may pass in one of the actual objects. These objects are
referred to as anonymous arguments.
Add CIL policy that can be used to test whether or not anonymous
arguments are being handled properly in macros. Also test the
equivalent named arguments to help determine if the problem is with
that argument type or just with an anonymous argument of that type.
The anonymous arguments that are tested are categoryset, level,
levelrange, ipaddr, and classpermission.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
secilc/test/anonymous_arg_test.cil | 106 +++++++++++++++++++++++++++++
1 file changed, 106 insertions(+)
create mode 100644 secilc/test/anonymous_arg_test.cil
diff --git a/secilc/test/anonymous_arg_test.cil b/secilc/test/anonymous_arg_test.cil
new file mode 100644
index 000000000000..46f8ce7342f6
--- /dev/null
+++ b/secilc/test/anonymous_arg_test.cil
@@ -0,0 +1,106 @@
+;; Test anonymous args
+
+(mls true)
+(class CLASS (PERM))
+(classorder (CLASS))
+(sid SID)
+(sidorder (SID))
+(user USER)
+(role ROLE)
+(type TYPE)
+(category CAT)
+(categoryorder (CAT))
+(sensitivity SENS)
+(sensitivityorder (SENS))
+(sensitivitycategory SENS (CAT))
+(allow TYPE self (CLASS (PERM)))
+(roletype ROLE TYPE)
+(userrole USER ROLE)
+(userlevel USER (SENS))
+(userrange USER ((SENS)(SENS (CAT))))
+(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
+
+(category c0)
+(category c1)
+(category c2)
+(category c3)
+(categoryorder (CAT c0 c1 c2 c3))
+(categoryset cs01 (c0 c1))
+(categoryset cs03 (range c0 c3))
+
+(sensitivity s0)
+(sensitivity s1)
+(sensitivity s2)
+(sensitivity s3)
+(sensitivityorder (SENS s0 s1 s2 s3))
+
+(sensitivitycategory s0 (cs01 c2 c3))
+(sensitivitycategory s1 (c0 c1 c2 c3))
+(sensitivitycategory s2 (c0 c1 c2 c3))
+(sensitivitycategory s3 (range c0 c3))
+
+(level lvl (s0 (c0)))
+(level lvl0 (s0))
+(level lvl3 (s3 (range c0 c3)))
+
+(levelrange rng ((s0) (s3 (c0 c1 c2 c3))))
+
+(user u1)
+(user u2)
+(user u3)
+(user u4)
+
+(userrole u1 ROLE)
+(userrole u2 ROLE)
+(userrole u3 ROLE)
+(userrole u4 ROLE)
+
+; Test categoryset
+(macro m1 ((user u)(sensitivity s)(categoryset cs))
+ (userlevel u (s (cs)))
+)
+(call m1 (u1 s1 (c0 c1)))
+(call m1 (u2 s2 cs01))
+
+; Test level
+(macro m2 ((user u)(level l))
+ (userlevel u l)
+)
+(call m2 (u3 (s3 (c2))))
+(call m2 (u4 lvl))
+
+; Test levelrange
+(macro m3 ((user u)(levelrange lr))
+ (userrange u lr)
+)
+(call m3 (u1 ((s0) (s3 (range c0 c3)))))
+(call m3 (u2 (lvl0 (s3 (cs03)))))
+(call m3 (u3 (lvl0 lvl3)))
+(call m3 (u4 rng))
+
+; Test ipaddr
+(macro m4 ((user u)(ipaddr nm)(ipaddr ip))
+ (nodecon ip nm (u ROLE TYPE ((s0) (s0))))
+)
+(ipaddr nm1 255.255.255.0)
+(ipaddr ip4 1.2.3.4)
+(call m4 (u1 nm1 192.25.35.200))
+(call m4 (u2 255.255.255.0 ip4))
+
+; Test classpermission
+(type t1)
+(type t2)
+(type t3)
+
+(classpermission cp1)
+(classpermissionset cp1 (CLASS (PERM)))
+
+(classmap cm1 (cm1p))
+(classmapping cm1 cm1p (CLASS (PERM)))
+
+(macro m5 ((type t)(classpermission cp))
+ (allow t self cp)
+)
+(call m5 (t1 (CLASS (PERM))))
+(call m5 (t2 cp1))
+(call m5 (t3 (cm1 (cm1p))))
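Review bot: the diffstat lists only secilc/test/anonymous_arg_test.cil, so nothing in this patch actually compiles the new policy; unless the test target already picks up every file under secilc/test, suggest adding an invocation of it next to the existing test policy so the anonymous-argument paths run under `make test` instead of only by hand. Also, "compiles without error" is the only pass criterion this file can express, so a comment under ";; Test anonymous args" saying so would save the next person from looking for expected output that does not exist.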
--
2.32.0

@ -1,97 +0,0 @@
From f7b8b5055f0ccaf6e4611609581a2f9772c954c9 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 29 Jun 2021 11:14:00 -0400
Subject: [PATCH] secilc: Add support for using qualified names to secilc
Provide the option "-Q" or "--qualified-names" to indicate that the
policy is using qualified names.
Using qualified names means that declaration names can have "dots"
in them, but blocks, blockinherits, blockabstracts, and in-statements
are not allowed in the policy.
The libsepol function cil_set_qualified_names() is called with the
desired value for the CIL db's "qualified_names" field.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
secilc/secilc.8.xml | 5 +++++
secilc/secilc.c | 11 ++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/secilc/secilc.8.xml b/secilc/secilc.8.xml
index 2b734f09cf13..e9a121e26aee 100644
--- a/secilc/secilc.8.xml
+++ b/secilc/secilc.8.xml
@@ -75,6 +75,11 @@
<listitem><para>Treat tunables as booleans.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-Q, --qualified-names</option></term>
+ <listitem><para>Allow names containing dots (qualified names). Blocks, blockinherits, blockabstracts, and in-statements will not be allowed.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>-m, --multiple-decls</option></term>
<listitem><para>Allow some statements to be re-declared.</para></listitem>
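Review bot: "Blocks, blockinherits, blockabstracts, and in-statements will not be allowed" says what is forbidden but not what the compiler does when it meets one; suggest "are rejected as errors when this option is given" (or whatever the actual behaviour is) so a policy author reading the man page knows a block is a hard failure rather than a silently ignored statement.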
diff --git a/secilc/secilc.c b/secilc/secilc.c
index 9c78e42565e9..1c4f1ca07b97 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -63,6 +63,9 @@ static __attribute__((__noreturn__)) void usage(const char *prog)
printf(" statement if present in the policy\n");
printf(" -D, --disable-dontaudit do not add dontaudit rules to the binary policy\n");
printf(" -P, --preserve-tunables treat tunables as booleans\n");
+ printf(" -Q, --qualified-names Allow names containing dots (qualified names).\n");
+ printf(" Blocks, blockinherits, blockabstracts, and\n");
+ printf(" in-statements will not be allowed.\n");
printf(" -m, --multiple-decls allow some statements to be re-declared\n");
printf(" -N, --disable-neverallow do not check neverallow rules\n");
printf(" -G, --expand-generated Expand and remove auto-generated attributes\n");
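Review bot: style: the new help text starts with a capital ("Allow names containing dots") while the neighbouring -D, -P and -m entries are lowercase ("do not add", "treat tunables", "allow some statements"); match the lowercase convention. -G two lines down is already the odd one out, so better not to copy it.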
@@ -94,6 +97,7 @@ int main(int argc, char *argv[])
int multiple_decls = 0;
int disable_neverallow = 0;
int preserve_tunables = 0;
+ int qualified_names = 0;
int handle_unknown = -1;
int policyvers = POLICYDB_VERSION_MAX;
int attrs_expand_generated = 0;
@@ -115,6 +119,7 @@ int main(int argc, char *argv[])
{"multiple-decls", no_argument, 0, 'm'},
{"disable-neverallow", no_argument, 0, 'N'},
{"preserve-tunables", no_argument, 0, 'P'},
+ {"qualified-names", no_argument, 0, 'Q'},
{"output", required_argument, 0, 'o'},
{"filecontexts", required_argument, 0, 'f'},
{"expand-generated", no_argument, 0, 'G'},
@@ -125,7 +130,7 @@ int main(int argc, char *argv[])
int i;
while (1) {
- opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDmNOc:GX:n", long_opts, &opt_index);
+ opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PQDmNOc:GX:n", long_opts, &opt_index);
if (opt_char == -1) {
break;
}
@@ -190,6 +195,9 @@ int main(int argc, char *argv[])
case 'P':
preserve_tunables = 1;
break;
+ case 'Q':
+ qualified_names = 1;
+ break;
case 'o':
output = strdup(optarg);
break;
@@ -238,6 +246,7 @@ int main(int argc, char *argv[])
cil_set_multiple_decls(db, multiple_decls);
cil_set_disable_neverallow(db, disable_neverallow);
cil_set_preserve_tunables(db, preserve_tunables);
+ cil_set_qualified_names(db, qualified_names);
if (handle_unknown != -1) {
rc = cil_set_handle_unknown(db, handle_unknown);
if (rc != SEPOL_OK) {
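Review bot: cil_set_qualified_names(db, qualified_names) is called with no return-value check, matching cil_set_multiple_decls and cil_set_preserve_tunables above it but not cil_set_handle_unknown below, whose rc is checked; fine if the new libsepol setter returns void, so just confirm that against the libsepol header this release builds against, since the commit message only says the function "is called".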
--
2.32.0

@ -1,98 +0,0 @@
From 74c06d763f33873a33b4b83fd40fa375fe3474ea Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 29 Jun 2021 11:14:01 -0400
Subject: [PATCH] libsepol/cil: Add support for using qualified names to
secil2tree
Provide the option "-Q" or "--qualified-names" to indicate that the
policy is using qualified names.
Using qualified names means that declaration names can have "dots"
in them, but blocks, blockinherits, blockabstracts, and in-statements
are not allowed in the policy.
The libsepol function cil_set_qualified_names() is called with the
desired value for the CIL db's "qualified_names" field.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
secilc/secil2tree.8.xml | 5 +++++
secilc/secil2tree.c | 11 ++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/secilc/secil2tree.8.xml b/secilc/secil2tree.8.xml
index 81382ffe4e42..e95a8947775c 100644
--- a/secilc/secil2tree.8.xml
+++ b/secilc/secil2tree.8.xml
@@ -45,6 +45,11 @@
<listitem><para>Treat tunables as booleans.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-Q, --qualified-names</option></term>
+ <listitem><para>Allow names containing dots (qualified names). Blocks, blockinherits, blockabstracts, and in-statements will not be allowed.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>-A, --ast-phase=&lt;phase></option></term>
<listitem><para>Write AST of phase <emphasis role="italic">phase</emphasis>. Must be <emphasis role="bold">parse</emphasis>, <emphasis role="bold">build</emphasis>, or <emphasis role="bold">resolve</emphasis>. (default: <emphasis role="bold">resolve</emphasis>)</para></listitem>
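Review bot: the subject is prefixed "libsepol/cil:" but the diffstat touches only secilc/secil2tree.8.xml and secilc/secil2tree.c; use "secilc:" as on the preceding secilc patch so the change is not misfiled under the library in the history.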
diff --git a/secilc/secil2tree.c b/secilc/secil2tree.c
index 218d05832854..e5cdf6bd299c 100644
--- a/secilc/secil2tree.c
+++ b/secilc/secil2tree.c
@@ -54,6 +54,9 @@ static __attribute__((__noreturn__)) void usage(const char *prog)
printf("Options:\n");
printf(" -o, --output=<file> write AST to <file>. (default: stdout)\n");
printf(" -P, --preserve-tunables treat tunables as booleans\n");
+ printf(" -Q, --qualified-names Allow names containing dots (qualified names).\n");
+ printf(" Blocks, blockinherits, blockabstracts, and\n");
+ printf(" in-statements will not be allowed.\n");
printf(" -A, --ast-phase=<phase> write AST of phase <phase>. Phase must be parse, \n");
printf(" build, or resolve. (default: resolve)\n");
printf(" -v, --verbose increment verbosity level\n");
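Review bot: style: same capitalisation mismatch as in secilc, "Allow names containing dots" against the lowercase "write AST to <file>" and "treat tunables as booleans" around it; drop the capital.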
@@ -71,6 +74,7 @@ int main(int argc, char *argv[])
char *output = NULL;
struct cil_db *db = NULL;
int preserve_tunables = 0;
+ int qualified_names = 0;
enum write_ast_phase write_ast = WRITE_AST_PHASE_RESOLVE;
int opt_char;
int opt_index = 0;
@@ -79,6 +83,7 @@ int main(int argc, char *argv[])
{"help", no_argument, 0, 'h'},
{"verbose", no_argument, 0, 'v'},
{"preserve-tunables", no_argument, 0, 'P'},
+ {"qualified-names", no_argument, 0, 'Q'},
{"output", required_argument, 0, 'o'},
{"ast-phase", required_argument, 0, 'A'},
{0, 0, 0, 0}
@@ -86,7 +91,7 @@ int main(int argc, char *argv[])
int i;
while (1) {
- opt_char = getopt_long(argc, argv, "o:hvPA:", long_opts, &opt_index);
+ opt_char = getopt_long(argc, argv, "o:hvPQA:", long_opts, &opt_index);
if (opt_char == -1) {
break;
}
@@ -97,6 +102,9 @@ int main(int argc, char *argv[])
case 'P':
preserve_tunables = 1;
break;
+ case 'Q':
+ qualified_names = 1;
+ break;
case 'o':
output = strdup(optarg);
break;
@@ -131,6 +139,7 @@ int main(int argc, char *argv[])
cil_db_init(&db);
cil_set_preserve_tunables(db, preserve_tunables);
+ cil_set_qualified_names(db, qualified_names);
cil_set_attrs_expand_generated(db, 0);
cil_set_attrs_expand_size(db, 0);
--
2.32.0

@ -1,97 +0,0 @@
From 532a4cc3365a0991ded85de81b8647f056cac926 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 29 Jun 2021 11:14:02 -0400
Subject: [PATCH] libsepol/cil: Add support for using qualified names to
secil2conf
Provide the option "-Q" or "--qualified-names" to indicate that the
policy is using qualified names.
Using qualified names means that declaration names can have "dots"
in them, but blocks, blockinherits, blockabstracts, and in-statements
are not allowed in the policy.
The libsepol function cil_set_qualified_names() is called with the
desired value for the CIL db's "qualified_names" field.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
secilc/secil2conf.8.xml | 5 +++++
secilc/secil2conf.c | 11 ++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/secilc/secil2conf.8.xml b/secilc/secil2conf.8.xml
index 59d87a5496cd..33646f97739b 100644
--- a/secilc/secil2conf.8.xml
+++ b/secilc/secil2conf.8.xml
@@ -50,6 +50,11 @@
<listitem><para>Treat tunables as booleans.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-Q, --qualified-names</option></term>
+ <listitem><para>Allow names containing dots (qualified names). Blocks, blockinherits, blockabstracts, and in-statements will not be allowed.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>-v, --verbose</option></term>
<listitem><para>Increment verbosity level.</para></listitem>
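Review bot: as with the secil2tree patch, the subject says "libsepol/cil:" while the only files changed are secilc/secil2conf.8.xml and secilc/secil2conf.c; the prefix should be "secilc:".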
diff --git a/secilc/secil2conf.c b/secilc/secil2conf.c
index 4e97dd66a436..d4103777a439 100644
--- a/secilc/secil2conf.c
+++ b/secilc/secil2conf.c
@@ -52,6 +52,9 @@ static __attribute__((__noreturn__)) void usage(const char *prog)
printf(" This will override the (mls boolean) statement\n");
printf(" if present in the policy\n");
printf(" -P, --preserve-tunables treat tunables as booleans\n");
+ printf(" -Q, --qualified-names Allow names containing dots (qualified names).\n");
+ printf(" Blocks, blockinherits, blockabstracts, and\n");
+ printf(" in-statements will not be allowed.\n");
printf(" -v, --verbose increment verbosity level\n");
printf(" -h, --help display usage information\n");
exit(1);
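Review bot: style: "Allow names containing dots" is the only capitalised entry in this usage block ("treat tunables", "increment verbosity", "display usage" are all lowercase); lowercase it to match.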
@@ -68,6 +71,7 @@ int main(int argc, char *argv[])
struct cil_db *db = NULL;
int mls = -1;
int preserve_tunables = 0;
+ int qualified_names = 0;
int opt_char;
int opt_index = 0;
enum cil_log_level log_level = CIL_ERR;
@@ -76,13 +80,14 @@ int main(int argc, char *argv[])
{"verbose", no_argument, 0, 'v'},
{"mls", required_argument, 0, 'M'},
{"preserve-tunables", no_argument, 0, 'P'},
+ {"qualified-names", no_argument, 0, 'Q'},
{"output", required_argument, 0, 'o'},
{0, 0, 0, 0}
};
int i;
while (1) {
- opt_char = getopt_long(argc, argv, "o:hvM:P", long_opts, &opt_index);
+ opt_char = getopt_long(argc, argv, "o:hvM:PQ", long_opts, &opt_index);
if (opt_char == -1) {
break;
}
@@ -102,6 +107,9 @@ int main(int argc, char *argv[])
case 'P':
preserve_tunables = 1;
break;
+ case 'Q':
+ qualified_names = 1;
+ break;
case 'o':
output = strdup(optarg);
break;
@@ -123,6 +131,7 @@ int main(int argc, char *argv[])
cil_db_init(&db);
cil_set_preserve_tunables(db, preserve_tunables);
+ cil_set_qualified_names(db, qualified_names);
cil_set_mls(db, mls);
cil_set_attrs_expand_generated(db, 0);
cil_set_attrs_expand_size(db, 0);
--
2.32.0

@ -1,36 +0,0 @@
From edb948fb0be62c7e8c58c1bffcc4fba8eee9d9d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 14 Jul 2021 20:13:39 +0200
Subject: [PATCH] secilc: fix memory leaks in secilc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When specifying -o or -f more than once, the previous allocations leak.
Found by scan-build.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
secilc/secilc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/secilc/secilc.c b/secilc/secilc.c
index 1c4f1ca07b97..80d3583d75cc 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -199,9 +199,11 @@ int main(int argc, char *argv[])
qualified_names = 1;
break;
case 'o':
+ free(output);
output = strdup(optarg);
break;
case 'f':
+ free(filecontexts);
filecontexts = strdup(optarg);
break;
case 'G':
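Review bot: free(output) and free(filecontexts) before the strdup() are correct only if both pointers are initialised to NULL before the getopt loop; the hunk does not show the declarations, so confirm that, since free() of an indeterminate pointer is undefined behaviour while free(NULL) is a no-op. Separately, strdup() can return NULL on allocation failure and the result is still not checked; not introduced here, but worth a one-line check while touching these cases.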
--
2.32.0

@ -1,32 +0,0 @@
From 6d93701f394693fc6f544647e3d491e19024188f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 14 Jul 2021 20:13:40 +0200
Subject: [PATCH] secilc: fix memory leaks in secilc2conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When specifying -o more than once, the previous allocation leaks.
Found by scan-build.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
secilc/secil2conf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/secilc/secil2conf.c b/secilc/secil2conf.c
index d4103777a439..c49522e5684c 100644
--- a/secilc/secil2conf.c
+++ b/secilc/secil2conf.c
@@ -111,6 +111,7 @@ int main(int argc, char *argv[])
qualified_names = 1;
break;
case 'o':
+ free(output);
output = strdup(optarg);
break;
case 'h':
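Review bot: same caveat as for secilc: free(output) before strdup(optarg) relies on output starting out NULL, which this hunk does not show (the earlier secil2conf qualified-names patch does not show that line either), so confirm the initialisation. Also the subject says "secilc2conf" but the program and file are secil2conf.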
--
2.32.0

@ -1,29 +1,16 @@
%global libsepolver 3.2-3
%global libsepolver 3.3-0.rc2
Name: secilc
Version: 3.2
Release: 4.1%{?dist}
Version: 3.3
Release: 0.rc2.1%{?dist}
Summary: The SELinux CIL Compiler
License: BSD
URL: https://github.com/SELinuxProject/selinux/wiki
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/secilc-3.2.tar.gz
# fedora-selinux/selinux: git format-patch -N 3.2 -- secilc
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3-rc2/secilc-3.3-rc2.tar.gz
# fedora-selinux/selinux: git format-patch -N 3.3-rc2 -- secilc
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start
Patch0001: 0001-secilc-docs-Lists-are-now-allowed-in-constraint-expr.patch
Patch0002: 0002-cil_conditional_statements.md-fix-expr-definition.patch
Patch0003: 0003-secilc.c-Don-t-fail-if-input-file-is-empty.patch
Patch0004: 0004-secilc-docs-Update-the-CIL-documentation-for-various.patch
Patch0005: 0005-secilc-Create-the-new-program-called-secil2tree-to-w.patch
Patch0006: 0006-secilc-docs-Document-the-order-that-inherited-rules-.patch
Patch0007: 0007-secilc-docs-Relocate-and-reword-macro-call-name-reso.patch
Patch0008: 0008-secilc-test-Add-test-for-anonymous-args.patch
Patch0009: 0009-secilc-Add-support-for-using-qualified-names-to-seci.patch
Patch0010: 0010-libsepol-cil-Add-support-for-using-qualified-names-t.patch
Patch0011: 0011-libsepol-cil-Add-support-for-using-qualified-names-t.patch
Patch0012: 0012-secilc-fix-memory-leaks-in-secilc.patch
Patch0013: 0013-secilc-fix-memory-leaks-in-secilc2conf.patch
# Patch list end
Requires: libsepol >= %{libsepolver}
BuildRequires: gcc
@ -49,7 +36,7 @@ http://github.com/SELinuxProject/cil/wiki/
for more information about the goals and features on the CIL language.
%prep
%autosetup -p 2 -n secilc-%{version}
%autosetup -p 2 -n secilc-%{version}-rc2
%build
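Review bot: `%autosetup -n secilc-%{version}-rc2` hard-codes the rc tag that also appears in Release (0.rc2.1) and Source0 (3.3-rc2) further up; define it once (e.g. `%global rctag rc2`) and expand it in all three so the final 3.3 bump is a one-line change and the -n directory name cannot drift from the tarball name recorded in `sources`. With the patch list now empty, `-p 2` is harmless but no longer does anything.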
@ -79,6 +66,9 @@ make %{?_smp_mflags} DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LI
%license COPYING
%changelog
* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
- SELinux userspace 3.3-rc2 release
* Wed Aug 4 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-4.1
- Require libsepol version same or bigger as it was used to build this package

@ -1 +1 @@
SHA512 (secilc-3.2.tar.gz) = ef60aaaba3a9b4d8da496ae80203a8c9595dc2f97f767432f6b3323395fda65293540ed9574e8d7d3f40854c3ad38a95a7b96939b6c689f02a3d04834b81ca45
SHA512 (secilc-3.3-rc2.tar.gz) = 5d8f638873013589d87627967830aa054266ed68df262dad8f791674cbae60ab7af5fba9b50367536ee4fac4f7ec0caf325776bae13851ea25b64d31de265248