selinux/libsepol/cil
James Carter aa8ac8ffaf libsepol/cil: Do not resolve arguments to declarations in the call
Lorenzo Ceragioli <lorenzo.ceragioli@phd.unipi.it> noted that the
following policy:
  (type a)
  (block A
    (macro m ((type x))
      (type a)
      (allow x x (file (read))))
  )
  (block B
    (call A.m(a))
  )
results in the allow rule (allow B.a B.a (file(read))). This makes
no sense because the "a" being passed as an argument has to be the
global "a" and not the "a" defined in the macro.

This behavior occurs because the call arguments are resolved AFTER
the macro body has been copied and the declaration of "a" in the
macro has been added to block B's namespace, so this is the "a"
that the call argument resolves to, rather than the one in the
global namespace.

When resolving call arguments, check if the datum found belongs to
a declaration in the call. If it does, then remove the datum from
the symbol table, re-resolve the argument, and add the datum back
into the symbol table.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-06-04 10:23:19 -04:00
..
include/cil libsepol/cil: Add functions to make use of cil_write_ast() 2021-04-21 21:45:22 +02:00
src libsepol/cil: Do not resolve arguments to declarations in the call 2021-06-04 10:23:19 -04:00
test libsepol: Move secilc out of libsepol 2015-03-31 12:31:38 -04:00
.gitignore