mirror of
https://github.com/topjohnwu/selinux.git
synced 2024-11-23 19:49:39 +00:00
Resolve conflicts in expandattribute.
This commit resolves conflicts in values of expandattribute statements in policy language and expandtypeattribute in CIL. For example, these statements resolve to false in policy language: expandattribute hal_audio true; expandattribute hal_audio false; Similarly, in CIL these also resolve to false. (expandtypeattribute (hal_audio) true) (expandtypeattribute (hal_audio) false) A warning will be issued on this conflict. Motivation When Android combines multiple .cil files from system.img and vendor.img it's possible to have conflicting expandattribute statements. This change deals with this scenario by resolving the value of the corresponding expandtypeattribute to false. The rationale behind this override is that true is used to reduce run-time lookups, while false is used for tests which must pass. Signed-off-by: Tri Vo <trong@android.com> Acked-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: William Roberts <william.c.roberts@intel.com> Acked-by: James Carter <jwcart2@tycho.nsa.gov>
parent
0d1fad884a
commit
ea8d689b53
@ -1185,10 +1185,6 @@ int expand_attrib(void)
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if (attr->flags & TYPE_FLAGS_EXPAND_ATTR) {
|
||||
yyerror2("%s already has the expandattribute option specified", id);
|
||||
goto exit;
|
||||
}
|
||||
if (ebitmap_set_bit(&attrs, attr->s.value - 1, TRUE)) {
|
||||
yyerror("Out of memory!");
|
||||
goto exit;
|
||||
@ -1216,6 +1212,12 @@ int expand_attrib(void)
|
||||
attr = hashtab_search(policydbp->p_types.table,
|
||||
policydbp->sym_val_to_name[SYM_TYPES][i]);
|
||||
attr->flags |= flags;
|
||||
if ((attr->flags & TYPE_FLAGS_EXPAND_ATTR_TRUE) &&
|
||||
(attr->flags & TYPE_FLAGS_EXPAND_ATTR_FALSE)) {
|
||||
yywarn("Expandattribute option was set to both true and false. "
|
||||
"Resolving to false.");
|
||||
attr->flags &= ~TYPE_FLAGS_EXPAND_ATTR_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
rc = 0;
|
||||
|
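Review bot: The warning added inside the loop of expand_attrib does not say which attribute received both values, so someone reading the policy build log cannot locate the conflicting statements; the CIL warning in this same commit does print the name. The name is already available in the loop as `policydbp->sym_val_to_name[SYM_TYPES][i]`, so the message could carry it, formatted into a local buffer first if yywarn accepts only a fixed string (its signature is not visible on this page). Since the conflict no longer stops compilation, this warning is the only trace that an attribute's expansion setting was overridden, which makes the missing name more costly. expand_attrib begins and ends outside the hunks shown.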
@ -269,9 +269,8 @@ exit:
|
||||
return rc;
|
||||
}
|
||||
|
||||
int cil_type_used(struct cil_symtab_datum *datum, int used)
|
||||
void cil_type_used(struct cil_symtab_datum *datum, int used)
|
||||
{
|
||||
int rc = SEPOL_ERR;
|
||||
struct cil_typeattribute *attr = NULL;
|
||||
|
||||
if (FLAVOR(datum) == CIL_TYPEATTRIBUTE) {
|
||||
@ -279,16 +278,12 @@ int cil_type_used(struct cil_symtab_datum *datum, int used)
|
||||
attr->used |= used;
|
||||
if ((attr->used & CIL_ATTR_EXPAND_TRUE) &&
|
||||
(attr->used & CIL_ATTR_EXPAND_FALSE)) {
|
||||
cil_log(CIL_ERR, "Conflicting use of expandtypeattribute. "
|
||||
"Expandtypeattribute may be set to true or false "
|
||||
"but not both. \n");
|
||||
goto exit;
|
||||
cil_log(CIL_WARN, "Conflicting use of expandtypeattribute. "
|
||||
"Expandtypeattribute was set to both true or false for %s. "
|
||||
"Resolving to false. \n", attr->datum.name);
|
||||
attr->used &= ~CIL_ATTR_EXPAND_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
return rc;
|
||||
}
|
||||
|
||||
int cil_resolve_permissionx(struct cil_tree_node *current, struct cil_permissionx *permx, void *extra_args)
|
||||
@ -488,11 +483,7 @@ int cil_resolve_expandtypeattribute(struct cil_tree_node *current, void *extra_a
|
||||
goto exit;
|
||||
}
|
||||
used = expandattr->expand ? CIL_ATTR_EXPAND_TRUE : CIL_ATTR_EXPAND_FALSE;
|
||||
rc = cil_type_used(attr_datum, used);
|
||||
if (rc != SEPOL_OK) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
cil_type_used(attr_datum, used);
|
||||
cil_list_append(expandattr->attr_datums, CIL_TYPE, attr_datum);
|
||||
}
|
||||
|
||||
|
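Review bot: The new message in cil_type_used reads `set to both true or false`, which should be `set to both true and false` to match the checkpolicy wording, and it leaves a stray space before `\n`. The conflict is now logged at CIL_WARN and the function returns void, so a build whose log level suppresses warnings would resolve the attribute to false with no visible trace. A short comment above the function would record that this is deliberate, for example `/* A true/false conflict is not an error: false wins and a warning is logged. */`. The prototype of cil_type_used and any callers other than cil_resolve_expandtypeattribute are not on this page and would need the same int-to-void change.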