From: "Christian Göttsche" <cgzones@googlemail.com>
To: James Carter <jwcart2@gmail.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH v3 4/8] checkpolicy: add front-end support for segregate attributes
Date: Fri, 11 Aug 2023 18:38:29 +0200 [thread overview]
Message-ID: <CAJ2a_DcOeDWotazAexEKGh8rLs69F8BkRRNUu8e39mDCBmvJ1w@mail.gmail.com> (raw)
In-Reply-To: <CAP+JOzTZeqY10FX8znd0bReEkszhE33YtLB0-_JDvzfHdi6fNA@mail.gmail.com>
On Mon, 8 Aug 2022 at 19:09, James Carter <jwcart2@gmail.com> wrote:
>
> On Thu, Jul 21, 2022 at 11:11 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Support specifying segregate attributes.
> >
> > The following two blocks are equivalent:
> >
> > segregate_attributes attr1, attr2, attr3;
> >
> > segregate_attributes attr1, attr2;
> > segregate_attributes attr1, attr3;
> > segregate_attributes attr2, attr3;
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > ---
> > checkpolicy/policy_define.c | 66 +++++++++++++++++++++++++++++++++++++
> > checkpolicy/policy_define.h | 1 +
> > checkpolicy/policy_parse.y | 5 +++
> > checkpolicy/policy_scan.l | 2 ++
> > 4 files changed, 74 insertions(+)
> >
> > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> > index 8bf36859..cf6fbf08 100644
> > --- a/checkpolicy/policy_define.c
> > +++ b/checkpolicy/policy_define.c
> > @@ -1220,6 +1220,72 @@ exit:
> > return rc;
> > }
> >
> > +int define_segregate_attributes(void)
> > +{
> > + char *id = NULL;
> > + segregate_attributes_rule_t *sattr = NULL;
> > + int rc = -1;
> > +
> > + if (pass == 1) {
> > + while ((id = queue_remove(id_queue)))
> > + free(id);
> > + return 0;
> > + }
> > +
> > + sattr = malloc(sizeof(segregate_attributes_rule_t));
> > + if (!sattr) {
> > + yyerror("Out of memory!");
> > + goto exit;
> > + }
> > +
> > + ebitmap_init(&sattr->attrs);
> > +
> > + while ((id = queue_remove(id_queue))) {
> > + const type_datum_t *attr;
> > +
> > + if (!is_id_in_scope(SYM_TYPES, id)) {
> > + yyerror2("attribute %s is not within scope", id);
> > + goto exit;
> > + }
> > +
> > + attr = hashtab_search(policydbp->p_types.table, id);
> > + if (!attr) {
> > + yyerror2("attribute %s is not declared", id);
> > + goto exit;
> > + }
> > +
> > + if (attr->flavor != TYPE_ATTRIB) {
> > + yyerror2("%s is a type, not an attribute", id);
> > + goto exit;
> > + }
> > +
>
> It seems like it would be useful to check a type, so an error would be
> given if the type is associated with the attribute.
>
I am not exactly sure what you mean.
Do you like to have a policy statement like
nevertypeattribute TYPE ATTRIBUTE;
that checks at compile time a type is not associated with an attribute?
> > + if (ebitmap_get_bit(&sattr->attrs, attr->s.value - 1)) {
> > + yyerror2("attribute %s used multiple times", id);
> > + goto exit;
> > + }
> > +
> > + if (ebitmap_set_bit(&sattr->attrs, attr->s.value - 1, TRUE)) {
> > + yyerror("Out of memory!");
> > + goto exit;
> > + }
> > +
> > + free(id);
> > + }
> > +
> > + sattr->next = policydbp->segregate_attributes;
> > + policydbp->segregate_attributes = sattr;
> > +
> > + sattr = NULL;
> > + rc = 0;
> > +exit:
> > + if (sattr) {
> > + ebitmap_destroy(&sattr->attrs);
> > + free(sattr);
> > + }
> > + free(id);
> > + return rc;
> > +}
> > +
> > static int add_aliases_to_type(type_datum_t * type)
> > {
> > char *id;
> > diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
> > index 50a7ba78..f55d0b17 100644
> > --- a/checkpolicy/policy_define.h
> > +++ b/checkpolicy/policy_define.h
> > @@ -68,6 +68,7 @@ int define_type(int alias);
> > int define_user(void);
> > int define_validatetrans(constraint_expr_t *expr);
> > int expand_attrib(void);
> > +int define_segregate_attributes(void);
> > int insert_id(const char *id,int push);
> > int insert_separator(int push);
> > role_datum_t *define_role_dom(role_datum_t *r);
> > diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> > index 45f973ff..acd6096d 100644
> > --- a/checkpolicy/policy_parse.y
> > +++ b/checkpolicy/policy_parse.y
> > @@ -104,6 +104,7 @@ typedef int (* require_func_t)(int pass);
> > %token ALIAS
> > %token ATTRIBUTE
> > %token EXPANDATTRIBUTE
> > +%token SEGREGATEATTRIBUTES
> > %token BOOL
> > %token TUNABLE
> > %token IF
> > @@ -320,6 +321,7 @@ rbac_decl : attribute_role_def
> > ;
> > te_decl : attribute_def
> > | expandattribute_def
> > + | segregateattributes_def
> > | type_def
> > | typealias_def
> > | typeattribute_def
> > @@ -337,6 +339,9 @@ attribute_def : ATTRIBUTE identifier ';'
> > expandattribute_def : EXPANDATTRIBUTE names bool_val ';'
> > { if (expand_attrib()) return -1;}
> > ;
> > +segregateattributes_def : SEGREGATEATTRIBUTES identifier ',' id_comma_list ';'
> > + { if (define_segregate_attributes()) return -1;}
> > +
>
> I don't see the need for comparing more than two at a time.
>
> Something like:
> disjoint_types attr1 attr2;
That would lead to quadratic growth of statements, for example in the
Reference Policy example of
ibendport_type, packet_type, sysctl_type, device_node,
ibpkey_type, sysfs_types, domain, boolean_type, netif_type, file_type,
node_type, proc_type, port_type
Also one could see supporting more than two attributes as syntactic
sugar, which the traditional language already supports, e.g.
allow { TYPE1 TYPE2 } { TYPE3 TYPE4 } : { CLASS1 CLASS2 } perm_list;
>
> Thanks,
> Jim
>
> ;
> > type_def : TYPE identifier alias_def opt_attr_list ';'
> > {if (define_type(1)) return -1;}
> > | TYPE identifier opt_attr_list ';'
> > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> > index 9fefea7b..d865dcb6 100644
> > --- a/checkpolicy/policy_scan.l
> > +++ b/checkpolicy/policy_scan.l
> > @@ -123,6 +123,8 @@ ATTRIBUTE |
> > attribute { return(ATTRIBUTE); }
> > EXPANDATTRIBUTE |
> > expandattribute { return(EXPANDATTRIBUTE); }
> > +SEGREGATE_ATTRIBUTES |
> > +segregate_attributes { return(SEGREGATEATTRIBUTES); }
> > TYPE_TRANSITION |
> > type_transition { return(TYPE_TRANSITION); }
> > TYPE_MEMBER |
> > --
> > 2.36.1
> >
next prev parent reply other threads:[~2023-08-11 16:38 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-21 15:05 [PATCH v3 1/8] libsepol: refactor ebitmap conversion in link.c Christian Göttsche
2022-07-21 15:05 ` [PATCH v3 2/8] libsepol: add ebitmap iterator wrapper with startnode Christian Göttsche
2022-08-08 15:04 ` James Carter
2022-07-21 15:05 ` [PATCH v3 3/8] libsepol: add compile-time constraint for mutual exclusive attributes Christian Göttsche
2022-08-08 17:02 ` James Carter
2022-07-21 15:05 ` [PATCH v3 4/8] checkpolicy: add front-end support for segregate attributes Christian Göttsche
2022-08-08 17:09 ` James Carter
2023-08-11 16:38 ` Christian Göttsche [this message]
2023-08-11 19:48 ` James Carter
2022-07-21 15:05 ` [PATCH v3 5/8] libsepol/tests: add test " Christian Göttsche
2022-07-21 15:05 ` [PATCH v3 6/8] libsepol/cil: add support " Christian Göttsche
2022-08-08 17:15 ` James Carter
2022-07-21 15:05 ` [PATCH v3 7/8] secilc: run tests against development version of libsepol Christian Göttsche
2022-08-08 15:20 ` James Carter
2022-07-21 15:05 ` [PATCH v3 8/8] secilc: include segregate attributes in tests Christian Göttsche
2022-08-08 15:01 ` [PATCH v3 1/8] libsepol: refactor ebitmap conversion in link.c James Carter
2022-08-09 15:22 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJ2a_DcOeDWotazAexEKGh8rLs69F8BkRRNUu8e39mDCBmvJ1w@mail.gmail.com \
--to=cgzones@googlemail.com \
--cc=jwcart2@gmail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.