selinux.vger.kernel.org archive mirror
* [PATCH 1/2] libsepol: Write "NO_IDENTIFIER" for empty constraint expression
@ 2021-03-16 20:39 James Carter
  2021-03-16 20:39 ` [PATCH 2/2] libsepol: Enclose identifier lists in constraint expressions James Carter
  2021-03-17  9:29 ` [PATCH 1/2] libsepol: Write "NO_IDENTIFIER" for empty constraint expression Nicolas Iooss
  0 siblings, 2 replies; 4+ messages in thread
From: James Carter @ 2021-03-16 20:39 UTC (permalink / raw)
  To: selinux; +Cc: James Carter

If a role attribute with no roles associated with it is used in a
constraint expression, then the role bitmap will be empty. This is
not a problem for the kernel, but does cause problems when
converting a kernel policy to policy.conf.

When creating a policy.conf from a kernel policy, if an empty bitmap
is encountered, use the string "NO_IDENTIFIER". An error will occur
if an attempt is made to compile the resulting policy, but this is
better than exiting with an error without creating a policy.conf.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_conf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index a22f196d..263f9639 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -186,7 +186,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 					names = ebitmap_to_str(&curr->names, pdb->p_role_val_to_name, 1);
 				}
 				if (!names) {
-					goto exit;
+					names = strdup("NO_IDENTIFIER");
 				}
 				new_val = create_str("%s %s %s", 3, attr1, op, names);
 				free(names);
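Review bot: the new `names = strdup("NO_IDENTIFIER");` in this hunk is not checked for failure, and it also masks the other reason `names` can be NULL at this point: `ebitmap_to_str()` returning NULL on allocation failure is now written out as `NO_IDENTIFIER` instead of taking the `exit` path as before. Suggest testing for the empty bitmap explicitly before the conversion (e.g. when `ebitmap_length(&curr->names)` is 0), keeping `goto exit;` for a NULL result from `ebitmap_to_str()`, and checking the fallback: `names = strdup("NO_IDENTIFIER"); if (!names) goto exit;`.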
-- 
2.26.2



* [PATCH 2/2] libsepol: Enclose identifier lists in constraint expressions
  2021-03-16 20:39 [PATCH 1/2] libsepol: Write "NO_IDENTIFIER" for empty constraint expression James Carter
@ 2021-03-16 20:39 ` James Carter
  2021-03-17  9:29 ` [PATCH 1/2] libsepol: Write "NO_IDENTIFIER" for empty constraint expression Nicolas Iooss
  1 sibling, 0 replies; 4+ messages in thread
From: James Carter @ 2021-03-16 20:39 UTC (permalink / raw)
  To: selinux; +Cc: James Carter

When writing a policy.conf from a kernel policy, if there are
multiple users, roles, or types, then the list needs to be enclosed
by "{" and "}".

When writing a constraint expression, check to see if there are
multiple identifiers in the names string and enclose the list
with "{" and "}" if there are.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_conf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 263f9639..d385819e 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -188,7 +188,11 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 				if (!names) {
 					names = strdup("NO_IDENTIFIER");
 				}
-				new_val = create_str("%s %s %s", 3, attr1, op, names);
+				if (strchr(names, ' ')) {
+					new_val = create_str("%s %s { %s }", 3, attr1, op, names);
+				} else {
+					new_val = create_str("%s %s %s", 3, attr1, op, names);
+				}
 				free(names);
 			}
 		} else {
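Review bot: `strchr(names, ' ')` in this hunk dereferences `names` without a NULL check, and `names` is NULL exactly when the preceding `strdup("NO_IDENTIFIER")` fails, so an allocation failure now becomes a crash rather than an error; add `if (!names) goto exit;` after the strdup (or before the strchr). The space test also ties correctness to `ebitmap_to_str()` joining identifiers with a single space, which nothing in the function states; a short comment on that dependency, or having the conversion report the element count instead, would make the brace decision explicit rather than inferred from the string.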
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 4+ messages in thread
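The two rendering rules the commit messages above describe (an empty identifier set becomes the NO_IDENTIFIER placeholder; a set of two or more identifiers is enclosed in "{" and "}") written out as an added example in C. This is not libsepol's code: the role table, the 64-bit role set standing in for an ebitmap, and the function names roleset_to_str() and constraint_operand_to_str() are constructed for the example, and keeping "empty set" distinct from "allocation failure" is a design choice of the example rather than something the patches do.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed role table for this example; libsepol keeps the real one in
 * pdb->p_role_val_to_name.  Bit i of a role set selects role_names[i]. */
static const char *const role_names[] = { "user_r", "staff_r", "sysadm_r", "system_r" };
#define NUM_ROLES (sizeof(role_names) / sizeof(role_names[0]))

/* Stand-in for ebitmap_to_str(): join the names of all set bits with one
 * space.  An empty set yields "" and NULL is reserved for allocation
 * failure, so the caller can tell the two cases apart. */
char *roleset_to_str(uint64_t set)
{
	size_t len = 0, i;
	char *out, *p;

	for (i = 0; i < NUM_ROLES; i++)
		if (set & (UINT64_C(1) << i))
			len += strlen(role_names[i]) + 1;   /* name plus ' ' or NUL */

	out = malloc(len ? len : 1);
	if (!out)
		return NULL;

	p = out;
	*p = '\0';
	for (i = 0; i < NUM_ROLES; i++) {
		size_t n;

		if (!(set & (UINT64_C(1) << i)))
			continue;
		if (p != out)
			*p++ = ' ';
		n = strlen(role_names[i]);
		memcpy(p, role_names[i], n);
		p += n;
		*p = '\0';
	}
	return out;
}

/* Render one operand of a policy.conf constraint expression following the
 * rules in the two patches: a bare identifier for one role, "{ a b }" for
 * several, and the NO_IDENTIFIER placeholder for an empty set (the policy
 * compiler rejects that placeholder, but the rest of the policy.conf is
 * still produced).  Returns NULL only on allocation failure. */
char *constraint_operand_to_str(const char *attr, const char *op, uint64_t set)
{
	const char *lb = "", *rb = "";
	char *names, *res;
	int n;

	names = roleset_to_str(set);
	if (!names)
		return NULL;
	if (*names == '\0') {
		free(names);
		names = strdup("NO_IDENTIFIER");
		if (!names)
			return NULL;
	} else if (strchr(names, ' ')) {
		lb = "{ ";
		rb = " }";
	}

	n = snprintf(NULL, 0, "%s %s %s%s%s", attr, op, lb, names, rb);
	if (n < 0) {
		free(names);
		return NULL;
	}
	res = malloc((size_t)n + 1);
	if (res)
		snprintf(res, (size_t)n + 1, "%s %s %s%s%s", attr, op, lb, names, rb);
	free(names);
	return res;
}

int main(void)
{
	/* empty set, one role (staff_r), two roles (user_r and sysadm_r) */
	const uint64_t sets[] = { 0, UINT64_C(1) << 1, (UINT64_C(1) << 0) | (UINT64_C(1) << 2) };
	size_t i;

	for (i = 0; i < sizeof(sets) / sizeof(sets[0]); i++) {
		char *s = constraint_operand_to_str("r1", "==", sets[i]);
		if (!s)
			return 1;
		printf("constrain process transition ( %s );\n", s);
		free(s);
	}
	return 0;
}
```

Running it prints one constrain statement per case; the first one carries NO_IDENTIFIER and is the line a later compile of the policy.conf would reject, which is the trade-off the first commit message describes.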

* Re: [PATCH 1/2] libsepol: Write "NO_IDENTIFIER" for empty constraint expression
  2021-03-16 20:39 [PATCH 1/2] libsepol: Write "NO_IDENTIFIER" for empty constraint expression James Carter
  2021-03-16 20:39 ` [PATCH 2/2] libsepol: Enclose identifier lists in constraint expressions James Carter
@ 2021-03-17  9:29 ` Nicolas Iooss
  2021-03-18 14:14   ` James Carter
  1 sibling, 1 reply; 4+ messages in thread
From: Nicolas Iooss @ 2021-03-17  9:29 UTC (permalink / raw)
  To: James Carter; +Cc: SElinux list

On Tue, Mar 16, 2021 at 9:40 PM James Carter <jwcart2@gmail.com> wrote:
>
> If a role attribute with no roles associated with it is used in a
> constraint expression, then the role bitmap will be empty. This is
> not a problem for the kernel, but does cause problems when
> converting a kernel policy to policy.conf.
>
> When creating a policy.conf from a kernel policy, if an empty bitmap
> is encountered, use the string "NO_IDENTIFIER". An error will occur
> if an attempt is made to compile the resulting policy, but this is
> better than exiting with an error without creating a policy.conf.
>
> Signed-off-by: James Carter <jwcart2@gmail.com>

For these 2 patches:
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

> ---
>  libsepol/src/kernel_to_conf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index a22f196d..263f9639 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -186,7 +186,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
>                                         names = ebitmap_to_str(&curr->names, pdb->p_role_val_to_name, 1);
>                                 }
>                                 if (!names) {
> -                                       goto exit;
> +                                       names = strdup("NO_IDENTIFIER");
>                                 }
>                                 new_val = create_str("%s %s %s", 3, attr1, op, names);
>                                 free(names);
> --
> 2.26.2
>



* Re: [PATCH 1/2] libsepol: Write "NO_IDENTIFIER" for empty constraint expression
  2021-03-17  9:29 ` [PATCH 1/2] libsepol: Write "NO_IDENTIFIER" for empty constraint expression Nicolas Iooss
@ 2021-03-18 14:14   ` James Carter
  0 siblings, 0 replies; 4+ messages in thread
From: James Carter @ 2021-03-18 14:14 UTC (permalink / raw)
  To: Nicolas Iooss; +Cc: SElinux list

On Wed, Mar 17, 2021 at 5:29 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Tue, Mar 16, 2021 at 9:40 PM James Carter <jwcart2@gmail.com> wrote:
> >
> > If a role attribute with no roles associated with it is used in a
> > constraint expression, then the role bitmap will be empty. This is
> > not a problem for the kernel, but does cause problems when
> > converting a kernel policy to policy.conf.
> >
> > When creating a policy.conf from a kernel policy, if an empty bitmap
> > is encountered, use the string "NO_IDENTIFIER". An error will occur
> > if an attempt is made to compile the resulting policy, but this is
> > better than exiting with an error without creating a policy.conf.
> >
> > Signed-off-by: James Carter <jwcart2@gmail.com>
>
> For these 2 patches:
> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>

These 2 patches have been merged.
Thanks,
Jim

> > ---
> >  libsepol/src/kernel_to_conf.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> > index a22f196d..263f9639 100644
> > --- a/libsepol/src/kernel_to_conf.c
> > +++ b/libsepol/src/kernel_to_conf.c
> > @@ -186,7 +186,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
> >                                         names = ebitmap_to_str(&curr->names, pdb->p_role_val_to_name, 1);
> >                                 }
> >                                 if (!names) {
> > -                                       goto exit;
> > +                                       names = strdup("NO_IDENTIFIER");
> >                                 }
> >                                 new_val = create_str("%s %s %s", 3, attr1, op, names);
> >                                 free(names);
> > --
> > 2.26.2
> >
>

