From fbe1e526dc01f6797428c88e24881fdc3d3ec6e8 Mon Sep 17 00:00:00 2001 From: bauen1 Date: Thu, 9 Jul 2020 10:36:36 +0200 Subject: [PATCH] Update the cil docs to match the current behaviour. Some features were dropped or changed since the docs were last updated. Signed-off-by: Jonathan Hettwer Acked-by: James Carter --- secilc/docs/cil_call_macro_statements.md | 6 ++++-- secilc/docs/cil_container_statements.md | 2 +- secilc/docs/cil_reference_guide.md | 2 +- secilc/docs/cil_user_statements.md | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md index 17c46ed9c893..98b703687e44 100644 --- a/secilc/docs/cil_call_macro_statements.md +++ b/secilc/docs/cil_call_macro_statements.md @@ -44,7 +44,7 @@ macro Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro. -Note that when resolving macros the callers namespace is not checked, only the following places: +When resolving macros the following places are checked in this order: - Items defined inside the macro @@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f - Items defined in the same namespace of the macro +- Items defined in the callers namespace + - Items defined in the global namespace **Statement definition:** @@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f

param_type

Zero or more parameters that are passed to the macro. The param_type is a keyword used to determine the declaration type (e.g. type, class, categoryset).

-

The list of valid param_type entries are: type, typealias, role, user, sensitivity, sensitivityalias, category, categoryalias, categoryset (named or anonymous), level (named or anonymous), levelrange (named or anonymous), class, classpermission (named or anonymous), ipaddr (named or anonymous), block, name (a string), classmap

+

The list of valid param_type entries are: type, typealias, role, user, sensitivity, sensitivityalias, category, categoryalias, categoryset (named or anonymous), level (named or anonymous), levelrange (named or anonymous), class, classpermission (named or anonymous), ipaddr (named or anonymous), name (a string), classmap

param_id

diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md index a570cb235d7c..58b3224de211 100644 --- a/secilc/docs/cil_container_statements.md +++ b/secilc/docs/cil_container_statements.md @@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po in -- -Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. +Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit). **Statement definition:** diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md index 1b1fccca5faa..3e33c5f74283 100644 --- a/secilc/docs/cil_reference_guide.md +++ b/secilc/docs/cil_reference_guide.md 
@@ -176,7 +176,7 @@ Should the symbol not be prefixed with a dot, the current namespace would be sea Expressions ----------- -Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`validatetrans`](cil_constraint_statements.md#validatetrans) +Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) CIL expressions use the [prefix](http://www.cs.man.ac.uk/~pjj/cs212/fix.html) or Polish notation and may be nested (note that the kernel policy language uses postfix or reverse Polish notation). The syntax is as follows, where the parenthesis are part of the syntax: diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md index bbd76eff8645..26e45510405d 100644 --- a/secilc/docs/cil_user_statements.md +++ b/secilc/docs/cil_user_statements.md 
@@ -260,7 +260,7 @@ This example will associate `unconfined.user` with a named [`levelrange`](cil_ml (categoryorder (c0 c1)) (sensitivity s0) (sensitivity s1) - (dominance (s0 s1)) + (sensitivityorder (s0 s1)) (sensitivitycategory s0 (c0 c1)) (level systemLow (s0)) (level systemHigh (s0 (c0 c1))) -- 2.29.2
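Review bot: in secilc/docs/cil_call_macro_statements.md (hunk @@ -44,7 +44,7), the new lead-in says the places "are checked in this order", but the items that follow remain a `-` bullet list, which carries no ordering in Markdown. Since the sentence now makes precedence part of the documented behaviour, convert the list to a numbered one (1. to 4.) so that readers and renderers both preserve the lookup order.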
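Review bot: in secilc/docs/cil_call_macro_statements.md (hunk @@ -52,6 +52,8), the added item reads "Items defined in the callers namespace"; it should be "caller's namespace". Because the sentence removed in the previous hunk stated the opposite (the caller's namespace was not checked), consider adding one line saying that a name defined in the caller's namespace is now found before a global one of the same name, so policy authors who relied on the old text know that resolution can differ.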
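Review bot: in secilc/docs/cil_call_macro_statements.md (hunk @@ -80,7 +82,7), `block` is dropped from the valid param_type list with no trace left in the text, so someone maintaining a macro that takes a `block` parameter gets no hint why it is rejected. Suggest a short sentence after the list stating that `block` is no longer accepted as a param_type. While the line is being touched, "The list of valid param_type entries are" should read "is".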
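Review bot: in secilc/docs/cil_container_statements.md (hunk @@ -254,7 +254,7), the new `blockinherit` link targets `cil_conditional_statements.md#blockinherit`, while the sibling container keywords in the same sentence (`block`, `optional`) link into `cil_container_statements.md`; this looks copied from the `booleanif`/`tunableif` links and should point at the container statements file. The added sentence also opens with "This only works", where "This" could refer to the restriction just mentioned; "The `in` statement only works for containers that ..." would be unambiguous.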
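Review bot: in secilc/docs/cil_user_statements.md (hunk @@ -260,7 +260,7), the example swaps `(dominance (s0 s1))` for `(sensitivityorder (s0 s1))`, but the commit message does not name this keyword change or any of the other specific changes in the patch. Listing them in the message (caller namespace lookup, `block` removed from param_type, the `in` restriction with `blockinherit`, `dominance` replaced by `sensitivityorder`) would let someone searching the history for the old keyword find this commit.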