Rebase on upstream commit 32611aea6543 See $ cd SELinuxProject/selinux $ git log --pretty=oneline libsepol-3.2..32611aea6543 -- libsepol
From 788d40b0e61f352524660d0965d5e86f6e1e0718 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 11 May 2021 09:43:22 -0400
Subject: [PATCH] libsepol/cil: Make name resolution in macros work as
documented
The CIL Reference Guide specifies how name resolution is supposed
to work within an expanded macro.
1. Items defined inside the macro
2. Items passed into the macro as arguments
3. Items defined in the same namespace of the macro
4. Items defined in the caller's namespace
5. Items defined in the global namespace
But Lorenzo Ceragioli <lorenzo.ceragioli@phd.unipi.it> found
that the first step is not done.
So the following policy:
(block A
(type a)
(macro m ()
(type a)
(allow a self (CLASS (PERM)))
)
)
(block B
(call A.m)
)
will result in:
(allow A.a self (CLASS (PERM)))
instead of the expected:
(allow B.a self (CLASS (PERM)))
Now when an expanded call is found, the macro's namespace is
checked first. If the name is found, then the name was declared
in the macro and it is declared in the expanded call, so only the
namespace of the call up to and including the global namespace
will be searched. If the name is not found in the macro's namespace
then name resolution continues with steps 2-5 above.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_resolve_ast.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
|
|
index 5684b8da0f76..ae6743f92f4c 100644
|
|
--- a/libsepol/cil/src/cil_resolve_ast.c
|
|
+++ b/libsepol/cil/src/cil_resolve_ast.c
|
|
@@ -4195,10 +4195,18 @@ static int __cil_resolve_name_with_parents(struct cil_tree_node *node, char *nam
|
|
break;
|
|
case CIL_CALL: {
|
|
struct cil_call *call = node->data;
|
|
- rc = cil_resolve_name_call_args(call, name, sym_index, datum);
|
|
- if (rc != SEPOL_OK) {
|
|
- /* Continue search in macro's parent */
|
|
- rc = __cil_resolve_name_with_parents(NODE(call->macro)->parent, name, sym_index, datum);
|
|
+ struct cil_macro *macro = call->macro;
|
|
+ symtab = ¯o->symtab[sym_index];
|
|
+ rc = cil_symtab_get_datum(symtab, name, datum);
|
|
+ if (rc == SEPOL_OK) {
|
|
+ /* If the name was declared in the macro, just look on the call side */
|
|
+ rc = SEPOL_ERR;
|
|
+ } else {
|
|
+ rc = cil_resolve_name_call_args(call, name, sym_index, datum);
|
|
+ if (rc != SEPOL_OK) {
|
|
+ /* Continue search in macro's parent */
|
|
+ rc = __cil_resolve_name_with_parents(NODE(call->macro)->parent, name, sym_index, datum);
|
|
+ }
|
|
}
|
|
}
|
|
break;
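Review bot: In the new `if (rc == SEPOL_OK)` branch, `cil_symtab_get_datum` has already stored the macro's own declaration in `*datum` before `rc` is forced back to `SEPOL_ERR`, so the "not found, keep searching the call side" result leaves a stale output behind; clearing it in the same branch, `rc = SEPOL_ERR; *datum = NULL;`, would make sure no caller can act on a datum the function itself decided to reject. As far as the hunk shows, correctness currently depends on every later lookup overwriting `*datum` before the function returns, which is worth not relying on in the resolver that decides which type a rule binds to. A smaller style point: the new `macro` local could replace `NODE(call->macro)` in the recursive call for consistency. `__cil_resolve_name_with_parents` starts and ends outside the hunk, so whether `rc` is reset by the surrounding loop cannot be confirmed here.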
--
2.32.0