Commit 1089665e31a647a5f0ba2eabe8ac6232b384bed9 (Add attribute
expansion options) adds an expandattribute rule to the policy.conf
language which sets a type_datum flag. Currently the flag is used
only when writing out CIL policy from a policy.conf.
Make use of the flag when expanding policy to expand policy rules
and remove all type associations for an attribute that has
TYPE_FLAGS_EXPAND_ATTR_TRUE set. (The attribute will remain in the
policy, but have no types associated with it.)
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
v2 Just check if each attribute should be expanded in type_attr_map(). No need
to destroy the types ebitmap.
libsepol/src/expand.c | 76 ++++++++++++++++++++++++++-------------------------
libsepol/src/link.c | 8 +++---
2 files changed, 43 insertions(+), 41 deletions(-)
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 54bf781..c55226b 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2337,13 +2337,20 @@ static int type_attr_map(hashtab_key_t key
value = type->s.value;
if (type->flavor == TYPE_ATTRIB) {
- if (ebitmap_cpy(&p->attr_type_map[value - 1], &type->types)) {
- goto oom;
- }
- ebitmap_for_each_bit(&type->types, tnode, i) {
- if (!ebitmap_node_get_bit(tnode, i))
- continue;
- if (ebitmap_set_bit(&p->type_attr_map[i], value - 1,
1)) {
+ if (!(type->flags & TYPE_FLAGS_EXPAND_ATTR_TRUE)) {
+ if (ebitmap_cpy(&p->attr_type_map[value - 1],
&type->types)) {
+ goto oom;
+ }
+ ebitmap_for_each_bit(&type->types, tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
+ if (ebitmap_set_bit(&p->type_attr_map[i], value
- 1, 1)) {
+ goto oom;
+ }
+ }
+ } else {
+ /* Attribute is being expanded, so remove */
+ if (ebitmap_set_bit(&p->type_attr_map[value - 1], value
- 1, 0)) {
goto oom;
}
}
@@ -2513,46 +2520,41 @@ int type_set_expand(type_set_t * set, ebitmap_t * t,
policydb_t * p,
unsigned int i;
ebitmap_t types, neg_types;
ebitmap_node_t *tnode;
+ unsigned char expand = alwaysexpand || ebitmap_length(&set->negset) ||
set->flags;
+ type_datum_t *type;
int rc =-1;
ebitmap_init(&types);
ebitmap_init(t);
- if (alwaysexpand || ebitmap_length(&set->negset) || set->flags) {
- /* First go through the types and OR all the attributes to
types */
- ebitmap_for_each_bit(&set->types, tnode, i) {
- if (ebitmap_node_get_bit(tnode, i)) {
+ /* First go through the types and OR all the attributes to types */
+ ebitmap_for_each_bit(&set->types, tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
- /*
- * invalid policies might have more types set
in the ebitmap than
- * what's available in the type_val_to_struct
mapping
- */
- if (i >= p->p_types.nprim)
- goto err_types;
+ /*
+ * invalid policies might have more types set in the ebitmap
than
+ * what's available in the type_val_to_struct mapping
+ */
+ if (i >= p->p_types.nprim)
+ goto err_types;
- if (!p->type_val_to_struct[i]) {
- goto err_types;
- }
+ type = p->type_val_to_struct[i];
- if (p->type_val_to_struct[i]->flavor ==
- TYPE_ATTRIB) {
- if (ebitmap_union
- (&types,
- &p->type_val_to_struct[i]->
- types)) {
- goto err_types;
- }
- } else {
- if (ebitmap_set_bit(&types, i, 1)) {
- goto err_types;
- }
- }
+ if (!type) {
+ goto err_types;
+ }
+
+ if (type->flavor == TYPE_ATTRIB &&
+ (expand || (type->flags & TYPE_FLAGS_EXPAND_ATTR_TRUE))) {
+ if (ebitmap_union(&types, &type->types)) {
+ goto err_types;
+ }
+ } else {
+ if (ebitmap_set_bit(&types, i, 1)) {
+ goto err_types;
}
}
- } else {
- /* No expansion of attributes, just copy the set as is. */
- if (ebitmap_cpy(&types, &set->types))
- goto err_types;
}
/* Now do the same thing for negset */
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index f211164..52770f4 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -467,8 +467,8 @@ static int type_copy_callback(hashtab_key_t key,
hashtab_datum_t datum,
state->cur_mod_name, id);
return -1;
}
- /* permissive should pass to the base type */
- base_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE);
+
+ base_type->flags |= type->flags;
} else {
if (state->verbose)
INFO(state->handle, "copying type %s", id);
@@ -890,7 +890,7 @@ static int alias_copy_callback(hashtab_key_t key,
hashtab_datum_t datum,
return -1;
}
- target_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE);
+ target_type->flags |= type->flags;
base_type = hashtab_search(state->base->p_types.table, id);
if (base_type == NULL) {
@@ -938,7 +938,7 @@ static int alias_copy_callback(hashtab_key_t key,
hashtab_datum_t datum,
base_type->flavor = TYPE_ALIAS;
base_type->primary = target_type->s.value;
- base_type->flags |= (target_type->flags &
TYPE_FLAGS_PERMISSIVE);
+ base_type->flags |= target_type->flags;
}
/* the aliases map points from its value to its primary so when this
module
--
2.9.3
