mirror of
https://github.com/SELinuxProject/selinux
synced 2025-01-04 20:49:53 +00:00
aa8ac8ffaf
Lorenzo Ceragioli <lorenzo.ceragioli@phd.unipi.it> noted that the following policy:

    (type a)
    (block A
      (macro m ((type x))
        (type a)
        (allow x x (file (read))))
    )
    (block B
      (call A.m(a))
    )

results in the allow rule (allow B.a B.a (file(read))). This makes no sense because the "a" being passed as an argument has to be the global "a" and not the "a" defined in the macro.

This behavior occurs because the call arguments are resolved AFTER the macro body has been copied and the declaration of "a" in the macro has been added to block B's namespace, so this is the "a" that the call argument resolves to, rather than the one in the global namespace.

When resolving call arguments, check if the datum found belongs to a declaration in the call. If it does, then remove the datum from the symbol table, re-resolve the argument, and add the datum back into the symbol table.

Signed-off-by: James Carter <jwcart2@gmail.com>

include/cil
src
test
.gitignore