Re: [PATCH 0/5] Fix some cil_gen_policy() bugs.
On 09/09/2016 07:35 AM, James Carter wrote:
> On 09/09/2016 08:29 AM, James Carter wrote:
>> On 09/08/2016 04:37 PM, Daniel Cashman wrote:
>>> On 09/08/2016 01:30 PM, Daniel Cashman wrote:
>>>> From: dcashman
>>>>
>>>> cil_gen_policy() appears to exist to generate a policy.conf corresponding
>>>> to the original SELinux HLL from a cil_db struct. All of
>>>> libsepol/cil/src/cil_policy.c appears to exist to support this
>>>> functionality. This patchset provides some fixes for issues encountered
>>>> when trying to go from android's policy.conf to a CIL representation (via
>>>> checkpolicy) and then back to the HLL representation via cil_gen_policy().
>>>>
>>>> dcashman (5):
>>>>   libsepol: cil: Add userrole mapping to cil_gen_policy().
>>>>   libsepol: cil: Remove duplicate sid policy declaration.
>>>>   libsepol: cil: Replace sensitivityorder statement.
>>>>   libsepol: cil: Fix CIL_OP data assignment.
>>>>   libsepol: cil: Add cil_constraint_expr_to_policy()
>>>>
>>>>  libsepol/cil/src/cil_policy.c | 235 --
>>>>  1 file changed, 224 insertions(+), 11 deletions(-)
>>>
>>> I suspect that the "proper" fix here is to just remove all of
>>> libsepol/cil/src/cil_policy.c, so I can put that patch together too if
>>> desired.
>>>
>>
>> Yes, that code was used early on to help with debugging the CIL compiler,
>> but hasn't been maintained. I've wanted to go back and fix it, but there
>> didn't seem to be any use case needing it before now.
>>
>> If that functionality would be valuable to you, I would be glad to work on
>> this.
>>
>> I think the right course would be to move this out of libsepol like secilc
>> is.
>>
>
> The caffeine hadn't kicked in yet. cil_policy.c is like cil_binary.c and
> should stay where it is.
>
> Jim
>

Yes, it requires access to the cil_db internals, most-importantly the ast. I'm trying to do similar processing to replace types and attributes to new attributes (what I'm calling 'attributizing') for portions of policy. Thus, I think any changes I make will also have to live in libsepol, although we'll see eventually how acceptable they are for upstream.

As for the usefulness of cil_gen_policy(), my actual desire was to get some CIL -> CIL code, perhaps a cil_write_ast() used as part of a cil_gen_cil() function, that would allow me to make some AST modifications and then produce transformed CIL policy. I noticed cil_gen_policy() as a potential shortcut to allow me to postpone that further. I don't currently see a need for cil_gen_policy() outside of testing other changes, so I submitted the fixes I'd come up with before deciding to continue with another approach.

Dan

>> Jim
>>
>>> The patches in this patchset do not address all of the bugs I
>>> encountered trying to go from HLL -> CIL -> HLL. Since I was using this
>>> as a temporary work-around, I decided to move on and submit these, in
>>> case rescuing cil_gen_policy() is desired; the additional changes needed
>>> were becoming more invasive (similar to the 5th patch in this set) and
>>> less bug-fix-like.
>>>
>>> Thank You,
>>> Dan
>>>
>>
>>
>
>

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH 0/5] Fix some cil_gen_policy() bugs.
On 09/09/2016 08:29 AM, James Carter wrote:
> On 09/08/2016 04:37 PM, Daniel Cashman wrote:
>> On 09/08/2016 01:30 PM, Daniel Cashman wrote:
>>> From: dcashman
>>>
>>> cil_gen_policy() appears to exist to generate a policy.conf corresponding
>>> to the original SELinux HLL from a cil_db struct. All of
>>> libsepol/cil/src/cil_policy.c appears to exist to support this
>>> functionality. This patchset provides some fixes for issues encountered
>>> when trying to go from android's policy.conf to a CIL representation (via
>>> checkpolicy) and then back to the HLL representation via cil_gen_policy().
>>>
>>> dcashman (5):
>>>   libsepol: cil: Add userrole mapping to cil_gen_policy().
>>>   libsepol: cil: Remove duplicate sid policy declaration.
>>>   libsepol: cil: Replace sensitivityorder statement.
>>>   libsepol: cil: Fix CIL_OP data assignment.
>>>   libsepol: cil: Add cil_constraint_expr_to_policy()
>>>
>>>  libsepol/cil/src/cil_policy.c | 235 --
>>>  1 file changed, 224 insertions(+), 11 deletions(-)
>>
>> I suspect that the "proper" fix here is to just remove all of
>> libsepol/cil/src/cil_policy.c, so I can put that patch together too if
>> desired.
>
> Yes, that code was used early on to help with debugging the CIL compiler,
> but hasn't been maintained. I've wanted to go back and fix it, but there
> didn't seem to be any use case needing it before now.
>
> If that functionality would be valuable to you, I would be glad to work on
> this.
>
> I think the right course would be to move this out of libsepol like secilc
> is.

The caffeine hadn't kicked in yet. cil_policy.c is like cil_binary.c and should stay where it is.

Jim

> Jim
>
>> The patches in this patchset do not address all of the bugs I
>> encountered trying to go from HLL -> CIL -> HLL. Since I was using this
>> as a temporary work-around, I decided to move on and submit these, in
>> case rescuing cil_gen_policy() is desired; the additional changes needed
>> were becoming more invasive (similar to the 5th patch in this set) and
>> less bug-fix-like.
>>
>> Thank You,
>> Dan

--
James Carter
National Security Agency
Re: [PATCH 0/5] Fix some cil_gen_policy() bugs.
On 09/08/2016 04:37 PM, Daniel Cashman wrote:
> On 09/08/2016 01:30 PM, Daniel Cashman wrote:
>> From: dcashman
>>
>> cil_gen_policy() appears to exist to generate a policy.conf corresponding
>> to the original SELinux HLL from a cil_db struct. All of
>> libsepol/cil/src/cil_policy.c appears to exist to support this
>> functionality. This patchset provides some fixes for issues encountered
>> when trying to go from android's policy.conf to a CIL representation (via
>> checkpolicy) and then back to the HLL representation via cil_gen_policy().
>>
>> dcashman (5):
>>   libsepol: cil: Add userrole mapping to cil_gen_policy().
>>   libsepol: cil: Remove duplicate sid policy declaration.
>>   libsepol: cil: Replace sensitivityorder statement.
>>   libsepol: cil: Fix CIL_OP data assignment.
>>   libsepol: cil: Add cil_constraint_expr_to_policy()
>>
>>  libsepol/cil/src/cil_policy.c | 235 --
>>  1 file changed, 224 insertions(+), 11 deletions(-)
>
> I suspect that the "proper" fix here is to just remove all of
> libsepol/cil/src/cil_policy.c, so I can put that patch together too if
> desired.

Yes, that code was used early on to help with debugging the CIL compiler, but hasn't been maintained. I've wanted to go back and fix it, but there didn't seem to be any use case needing it before now.

If that functionality would be valuable to you, I would be glad to work on this.

I think the right course would be to move this out of libsepol like secilc is.

Jim

> The patches in this patchset do not address all of the bugs I
> encountered trying to go from HLL -> CIL -> HLL. Since I was using this
> as a temporary work-around, I decided to move on and submit these, in
> case rescuing cil_gen_policy() is desired; the additional changes needed
> were becoming more invasive (similar to the 5th patch in this set) and
> less bug-fix-like.
>
> Thank You,
> Dan

--
James Carter
National Security Agency
Re: [PATCH 0/5] Fix some cil_gen_policy() bugs.
On 09/08/2016 01:30 PM, Daniel Cashman wrote:
> From: dcashman
>
> cil_gen_policy() appears to exist to generate a policy.conf corresponding
> to the original SELinux HLL from a cil_db struct. All of
> libsepol/cil/src/cil_policy.c appears to exist to support this
> functionality. This patchset provides some fixes for issues encountered
> when trying to go from android's policy.conf to a CIL representation (via
> checkpolicy) and then back to the HLL representation via cil_gen_policy().
>
> dcashman (5):
>   libsepol: cil: Add userrole mapping to cil_gen_policy().
>   libsepol: cil: Remove duplicate sid policy declaration.
>   libsepol: cil: Replace sensitivityorder statement.
>   libsepol: cil: Fix CIL_OP data assignment.
>   libsepol: cil: Add cil_constraint_expr_to_policy()
>
>  libsepol/cil/src/cil_policy.c | 235 --
>  1 file changed, 224 insertions(+), 11 deletions(-)
>

I suspect that the "proper" fix here is to just remove all of libsepol/cil/src/cil_policy.c, so I can put that patch together too if desired.

The patches in this patchset do not address all of the bugs I encountered trying to go from HLL -> CIL -> HLL. Since I was using this as a temporary work-around, I decided to move on and submit these, in case rescuing cil_gen_policy() is desired; the additional changes needed were becoming more invasive (similar to the 5th patch in this set) and less bug-fix-like.

Thank You,
Dan