From: James Carter <jwcart2@gmail.com>
To: selinux@vger.kernel.org
Cc: dburgener@linux.microsoft.com, James Carter <jwcart2@gmail.com>
Subject: [RFC PATCH 5/9 v2] libsepol/cil: Add cil_write_post_ast function
Date: Thu, 9 Mar 2023 16:51:10 -0500 [thread overview]
Message-ID: <20230309215114.357831-6-jwcart2@gmail.com> (raw)
In-Reply-To: <20230309215114.357831-1-jwcart2@gmail.com>
The function cil_write_post_ast() will write the CIL AST after
post processing is done. Most post processing does not change the
CIL AST, this is where deny rules are processed (because to process
them, type attributes have to have been evaluated.)
When processed, deny rules may add new rules and attributes and the
deny rule itself will be removed from the AST, so using this new
function will show the results of the deny rule processing.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/include/cil/cil.h | 1 +
libsepol/cil/src/cil.c | 50 ++++++++++++++++++++++++++++++++
libsepol/cil/src/cil_write_ast.h | 1 +
3 files changed, 52 insertions(+)
diff --git a/libsepol/cil/include/cil/cil.h b/libsepol/cil/include/cil/cil.h
index 482ca522..88e47e79 100644
--- a/libsepol/cil/include/cil/cil.h
+++ b/libsepol/cil/include/cil/cil.h
@@ -64,6 +64,7 @@ extern void cil_write_policy_conf(FILE *out, struct cil_db *db);
extern int cil_write_parse_ast(FILE *out, cil_db_t *db);
extern int cil_write_build_ast(FILE *out, cil_db_t *db);
extern int cil_write_resolve_ast(FILE *out, cil_db_t *db);
+extern int cil_write_post_ast(FILE *out, cil_db_t *db);
enum cil_log_level {
CIL_ERR = 1,
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 0b35ad35..bfeccb0e 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -675,6 +675,56 @@ exit:
return rc;
}
+int cil_write_post_ast(FILE *out, cil_db_t *db)
+{
+ int rc = SEPOL_ERR;
+
+ if (db == NULL) {
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Building AST from Parse Tree\n");
+ rc = cil_build_ast(db, db->parse->root, db->ast->root);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed to build ast\n");
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Destroying Parse Tree\n");
+ cil_tree_destroy(&db->parse);
+
+ cil_log(CIL_INFO, "Resolving AST\n");
+ rc = cil_resolve_ast(db, db->ast->root);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed to resolve ast\n");
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Qualifying Names\n");
+ rc = cil_fqn_qualify(db->ast->root);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed to qualify names\n");
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Compile post process\n");
+ rc = cil_post_process(db);
+ if (rc != SEPOL_OK ) {
+ cil_log(CIL_ERR, "Post process failed\n");
+ goto exit;
+ }
+
+ cil_log(CIL_INFO, "Writing Post AST\n");
+ rc = cil_write_ast(out, CIL_WRITE_AST_PHASE_POST, db->ast->root);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed to write post ast\n");
+ goto exit;
+ }
+
+exit:
+ return rc;
+}
+
int cil_build_policydb(cil_db_t *db, sepol_policydb_t **sepol_db)
{
int rc;
diff --git a/libsepol/cil/src/cil_write_ast.h b/libsepol/cil/src/cil_write_ast.h
index 3f4b9d95..6b3274a8 100644
--- a/libsepol/cil/src/cil_write_ast.h
+++ b/libsepol/cil/src/cil_write_ast.h
@@ -38,6 +38,7 @@ enum cil_write_ast_phase {
CIL_WRITE_AST_PHASE_PARSE = 0,
CIL_WRITE_AST_PHASE_BUILD,
CIL_WRITE_AST_PHASE_RESOLVE,
+ CIL_WRITE_AST_PHASE_POST,
};
void cil_write_ast_node(FILE *out, struct cil_tree_node *node);
--
2.39.2
next prev parent reply other threads:[~2023-03-09 21:51 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-09 21:51 [RFC PATCH 0/9 v2] Add CIL Deny Rule James Carter
2023-03-09 21:51 ` [RFC PATCH 1/9 v2] libsepol/cil: Parse and add deny rule to AST, but do not process James Carter
2023-03-09 21:51 ` [RFC PATCH 2/9 v2] libsepol/cil: Add cil_list_is_empty macro James Carter
2023-03-09 21:51 ` [RFC PATCH 3/9 v2] libsepol/cil: Add cil_tree_node_remove function James Carter
2023-03-09 21:51 ` [RFC PATCH 4/9 v2] libsepol/cil: Process deny rules James Carter
2023-03-09 21:51 ` James Carter [this message]
2023-03-09 21:51 ` [RFC PATCH 6/9 v2] libsepol: Export the cil_write_post_ast function James Carter
2023-03-09 21:51 ` [RFC PATCH 7/9 v2] secilc/secil2tree: Add option to write CIL AST after post processing James Carter
2023-03-09 21:51 ` [RFC PATCH 8/9 v2] secilc/test: Add deny rule tests James Carter
2023-03-09 21:51 ` [RFC PATCH 9/9 v2] secilc/docs: Add deny rule to CIL documentation James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230309215114.357831-6-jwcart2@gmail.com \
--to=jwcart2@gmail.com \
--cc=dburgener@linux.microsoft.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.