libsepol: update CIL generation for trivial not-self rules

Convert trivial not-self neverallow rules to CIL, e.g. neverallow TYPE1 ~self:CLASS1 PERM1; into (neverallow TYPE1 notself (CLASS1 (PERM1))) More complex targets are not yet supported in CIL and will fail to convert, e.g.: neverallow TYPE1 ~{ self ATTR1 } : CLASS1 PERM1; neverallow TYPE2 { ATTR2 -self } : CLASS2 PERM2; Signed-off-by: Christian Göttsche <[email protected]>
SELinuxProject · Nov 25, 2022 · 69b76e9 · 69b76e9
1 parent d6fe703
commit 69b76e9
Showing 1 changed file with 26 additions and 4 deletions.
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
@@ -1201,10 +1201,23 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
  goto exit;
  }
 
- ts = &avrule->ttypes;
- rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames);
- if (rc != 0) {
- goto exit;
+ if (avrule->flags & RULE_NOTSELF) {
+ if (!ebitmap_is_empty(&avrule->ttypes.types) || !ebitmap_is_empty(&avrule->ttypes.negset)) {
+ if (avrule->source_filename) {
+ log_err("%s:%lu: Non-trivial neverallow rules with targets containing not or minus self not yet supported",
+ avrule->source_filename, avrule->source_line);
+ } else {
+ log_err("Non-trivial neverallow rules with targets containing not or minus self not yet supported");
+ }
+ rc = -1;
+ goto exit;
+ }
+ } else {
+ ts = &avrule->ttypes;
+ rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames);
+ if (rc != 0) {
+ goto exit;
+ }
  }
 
  for (s = 0; s < num_snames; s++) {
@@ -1228,6 +1241,15 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
  if (rc != 0) {
  goto exit;
  }
+ } else if (avrule->flags & RULE_NOTSELF) {
+ if (avrule->specified & AVRULE_XPERMS) {
+ rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms, avrule->xperms);
+ } else {
+ rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms);
+ }
+ if (rc != 0) {
+ goto exit;
+ }
  }
  }