libsepol/0013-libsepol-cil-Allow-lists-in-constraint-expressions.patch

From 48ca44c8bc3bffd276fae0e7cc8c5b04af4f8736 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 16 Mar 2021 15:18:31 -0400
Subject: [PATCH] libsepol/cil: Allow lists in constraint expressions

The expectation in CIL was to use user, role, or type attributes in
constraint expressions. The problem is that neither user nor role
attributes are part of the kernel binary policy, so when converting
from a kernel policy to CIL, that would require the creation of a
role or user attribute. The better solution is to just allow a list
to be used. In fact, the only thing preventing a list to be used
is a check in cil_verify_constraint_leaf_expr_syntax().

Remove the check and allow lists in constraint expressions.

The following is now allowed:
  (constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/cil/src/cil_verify.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 6706e21921fe..09e3daf94cc7 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl
 				cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n");
 				goto exit;
 			}
-		} else if (r_flavor == CIL_LIST) {
-			cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n");
-			goto exit;
 		}
 	} else {
 		if (r_flavor == CIL_CONS_U2) {
-- 
2.32.0
libsepol-3.2-3 Rebase on upstream commit 32611aea6543 See $ cd SELinuxProject/selinux $ git log --pretty=oneline libsepol-3.2..32611aea6543 -- libsepol 2021-07-28 10:38:25 +00:00			`From 48ca44c8bc3bffd276fae0e7cc8c5b04af4f8736 Mon Sep 17 00:00:00 2001`
			`From: James Carter <jwcart2@gmail.com>`
			`Date: Tue, 16 Mar 2021 15:18:31 -0400`
			`Subject: [PATCH] libsepol/cil: Allow lists in constraint expressions`

			`The expectation in CIL was to use user, role, or type attributes in`
			`constraint expressions. The problem is that neither user nor role`
			`attributes are part of the kernel binary policy, so when converting`
			`from a kernel policy to CIL, that would require the creation of a`
			`role or user attribute. The better solution is to just allow a list`
			`to be used. In fact, the only thing preventing a list to be used`
			`is a check in cil_verify_constraint_leaf_expr_syntax().`

			`Remove the check and allow lists in constraint expressions.`

			`The following is now allowed:`
			`(constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))`

			`Signed-off-by: James Carter <jwcart2@gmail.com>`
			`---`
			`libsepol/cil/src/cil_verify.c \| 3 ---`
			`1 file changed, 3 deletions(-)`

			`diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c`
			`index 6706e21921fe..09e3daf94cc7 100644`
			`--- a/libsepol/cil/src/cil_verify.c`
			`+++ b/libsepol/cil/src/cil_verify.c`
			`@@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl`
			`cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n");`
			`goto exit;`
			`}`
			`- } else if (r_flavor == CIL_LIST) {`
			`- cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n");`
			`- goto exit;`
			`}`
			`} else {`
			`if (r_flavor == CIL_CONS_U2) {`
			`--`
			`2.32.0`