Rebase on upstream commit 32611aea6543. To list the upstream libsepol changes being picked up, see: `cd SELinuxProject/selinux && git log --pretty=oneline libsepol-3.2..32611aea6543 -- libsepol`
From 48ca44c8bc3bffd276fae0e7cc8c5b04af4f8736 Mon Sep 17 00:00:00 2001
|
|
From: James Carter <jwcart2@gmail.com>
|
|
Date: Tue, 16 Mar 2021 15:18:31 -0400
|
|
Subject: [PATCH] libsepol/cil: Allow lists in constraint expressions
|
|
|
|
The expectation in CIL was to use user, role, or type attributes in
|
|
constraint expressions. The problem is that neither user nor role
|
|
attributes are part of the kernel binary policy, so when converting
|
|
from a kernel policy to CIL, that would require the creation of a
|
|
role or user attribute. The better solution is to just allow a list
|
|
to be used. In fact, the only thing preventing a list to be used
|
|
is a check in cil_verify_constraint_leaf_expr_syntax().
|
|
|
|
Remove the check and allow lists in constraint expressions.
|
|
|
|
The following is now allowed:
|
|
(constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))
|
|
|
|
Signed-off-by: James Carter <jwcart2@gmail.com>
|
|
---
|
|
libsepol/cil/src/cil_verify.c | 3 ---
|
|
1 file changed, 3 deletions(-)
|
|
|
|
diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
|
|
index 6706e21921fe..09e3daf94cc7 100644
|
|
--- a/libsepol/cil/src/cil_verify.c
|
|
+++ b/libsepol/cil/src/cil_verify.c
|
|
@@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl
|
|
cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n");
|
|
goto exit;
|
|
}
|
|
- } else if (r_flavor == CIL_LIST) {
|
|
- cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n");
|
|
- goto exit;
|
|
}
|
|
} else {
|
|
if (r_flavor == CIL_CONS_U2) {
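Review bot: Deleting the `else if (r_flavor == CIL_LIST)` branch removes the only rejection of a list operand without adding a replacement restriction on the operator, so `dom`, `domby` and `incomp` now also pass this function with a list on the right side, e.g. `(constrain (CLASS1 (PERM1)) (dom r1 (ROLE1 ROLE2)))`; a kernel name-set leaf only has equal/not-equal semantics, so that form should be rejected here rather than left to later resolve or compile stages. Unless the rest of cil_verify_constraint_leaf_expr_syntax (its start and end are outside this hunk) already restricts list operands to `eq`/`neq`, I would keep a narrower check in place of the deleted one: `} else if (r_flavor == CIL_LIST && op != CIL_EQ && op != CIL_NEQ) {` followed by `cil_log(CIL_ERR, "A list on the right side must be used with eq or neq as the operator\n");` and `goto exit;`. The commit message's example mixes a role attribute into the list, so it is also worth confirming (I cannot see it from here) that the resolve step checks each list member against the left operand's flavor, since this syntax check no longer constrains list contents at all. A one-line comment on the surviving branch explaining why lists are accepted for u/r/t operands, e.g. `/* Lists are allowed here so a kernel policy's name sets can be expressed without user/role attributes */`, would also help the next reader.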
|
|
--
|
|
2.32.0
|
|
|