Commit Graph

12 Commits

Author SHA1 Message Date
Steve Lawrence 7a09af2123 policycoreutils: pp: add roletype statements for both declared and required type/typeattributes
Currently, roletype statements are only added for types when they are
declared (not required). This means that in policy like:

  require {
    type foo_t;
  }
  type bar_t;
  role staff_r types foo_t, bar_t;

only bar_t is associated with staff_r. This patch moves the code that
generates roletype statements for types to outside the SCOPE_DECL check
so that roletype statements are generated for all types, regardless of
the required/declared scope. It further moves the code outside of the
type/typeattribute flavor check so that roletype statements are also
generated for typeattributes.

Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Tested-by: Jason Zaman <jason@perfinion.com>
2014-11-19 14:25:33 -05:00
Steve Lawrence 81d8cea807 policycoreutils: pp: define type aliases in the correct scope
Previously, type aliases were converted to CIL in the global namespace,
regardless of which scope they were actually defined in. So essentially
type aliases could never be in optionals. For the most part this worked,
however, in some small number of cases, a type alias could reference a
type defined inside an optional. If that optional was disabled, the type
would be disabled and so the type alias would fail to resolve, causing
policy to fail to build.

Unfortunately, type alises are stored in pp modules different than other
symbols (e.g. types/roles/etc) so they must be added to scopes
differently. So this patch gathers up all type aliases in a list and
keeps track of which scope each type alias is defined in. When we enter
a new scope, use that list to determine which type alias are defined
there and print the appropriate CIL statements.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2014-11-12 08:06:41 -05:00
Steve Lawrence 3904db5ac9 policycoreutils: pp: mimic require block support in CIL
CIL does not have any concept of require blocks. Instead, CIL relies on
whether or not all statements inside an optional block resolve to
determine if an optional block should be enabled/disabled. However, a
small number of optional statements require a type that is not actually
used in the optional block. In old style policy, this would cause the
optional block to be disabled. However, in CIL, because the type is never
used, the optional block will remain enabled.

To maintain compatibility, we modify pp2cil to create a new attribute,
cil_gen_require, and all types/roles/attributes that are required in a
pp module/optional block are associated with this attribute. Thus, if a
type is required but not used, it will still fail to resolve in the
typeattributeset statement, causing the optional to correctly be
disabled.

Note that when compiling the CIL this generated from compiling refpolicy
pp modules with pp2cil, the extra CIL statements cause ~12.6MB increase
in maximum memory usage (129.7 MB to 142.3 MB). Though, compilation time
decreases by ~35% (26 seconds to 17 seconds).

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-11-12 08:06:41 -05:00
Steve Lawrence 84d9486eb2 policycoreutils/hll/pp: fix typo in error messages
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-06 14:51:23 -04:00
Steve Lawrence 7f16505a31 policycoreutils/hll/pp: only print certain roles when declared in base modules
Some roles (i.e. user_r, staff_r, sysadm_r, system_r, unconfined_r) are
declared in the base module, and sometimes in non-base modules. This
could result in duplicate declarations of roles, which isn't allowed in
CIL. So for these roles, only generate their declarations if they appear
in a base module, otherwise ignore their declarations. All other roles
are printed regardlss of their declaration location.

Note that this means that if a policy author does not include one of the
roles in the base module then they will not be included in the resulting
policy, likely causing a compliation error in CIL.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 12:10:22 -04:00
Yuli Khodorkovskiy 0a71540723 policycoreutils/hll/pp: change printing behavior of typeattribute/sets
Avrules that have the negation, star, or complement flag set for types
need typeattributes and typeattributesets that are generated. This caused
issues when these generated statements were inserted into conditionals, since
typeattributes/sets are not allowed in conditionals.

This change always prints typeattributes and typeattributesets
immediately unless the types appear inside of an avrule in conditionals or blocks.
For this special case, we print the typeattributes after the end
of each conditional/block.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:57:08 -04:00
Yuli Khodorkovskiy 836ffd988e policycoreutils/hll/pp: fix '\n' parsing in filecon statements
Some module fc files do not contain a trailing new line. This
caused contexts to have their last character to be deleted. When
parsing each line from a fc file, we only strip off the last character
if it is a new line.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:57:03 -04:00
Yuli Khodorkovskiy f42d013eec policycoreutils/hll/pp: Fix role/roletype scoping
- Create role declarations no matter if the declaration is in base or
  a module. Since CIL does not permit role re-declarations, this change
  will break existing policies that have the same role declared in multiple
  modules. To fix this, the policies will need to change the role to be
  defined in a single place.
- Pass around the avrule_decl stack rather than just the most recent
  decl. The full stack is needed to determine if identifiers are in
  scope
- Only create roletype statements for a role and a type in two cases:
   1) The role is declared/required and the type is declared/required in
      the same scope or an ancestor scope of the role
   2) The type is declared/required and the role is declared/required in
      an ancestor scope of the type

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:58 -04:00
Nicolas Iooss aad0962be2 policycoreutils/hll/pp: fix gcc -Wwrite-strings warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:31 -04:00
Nicolas Iooss 3642a57cd0 policycoreutils/hll/pp: add printf format attribute to relevant functions
log_err, cil_printf and cil_println use printf formats to process their
arguments.  Use __attribute__((format(printf,...))) to make "gcc
-Wformat -Wformat-security" detect issues.

This detected this issue several times on a x86_64 system:

  format '%lx' expects argument of type 'long unsigned int', but
  argument has type 'uint32_t'

Fix this by introducing an explicit cast to unsigned long.

While at it, constify the format string argument of each function.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:00 -04:00
Nicolas Iooss 855bfdf0ce policycoreutils/hll/pp: fix potential use of uninitialized variable
"gcc -O2 -Wall -Werror" failed with two errors when building pp due to
the use of unitialized variables.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:55:49 -04:00
Steve Lawrence 893851c0a1 policycoreutils: add a HLL compiler to convert policy packages (.pp) to CIL
Reads in a policy package file via stdin or via filename, and writes out
the equivilent CIL to stdout or to an output file, depending on the
parameters passed in.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 08:03:31 -04:00