Gitiles
Code Review Sign In
review.blissroms.org / platform_external_selinux / beb01ceb49d561dfeac03898d9dd12c724ed5e1c
commitbeb01ceb49d561dfeac03898d9dd12c724ed5e1c[log] [tgz]
authorJames Carter <jwcart2@tycho.nsa.gov>Wed Jun 10 15:51:01 2015 -0400
committerJames Carter <jwcart2@tycho.nsa.gov>Mon Jun 22 10:03:16 2015 -0400
tree42a711fdeb51523779f8d85c8dec833205476a14
parentf9bdf580b8a5cb19a08f52ed740b603612e41b01 [diff]
libsepol/cil: Refactored CIL neverallow checking and reporting.

Use the libsepol neverallow checking to determine if a given neverallow
rule is violated. If a violation is found, use the function
cil_find_matching_avrule_in_ast() to find the AST node of the particular
rule that violates the neverallow. This allows CIL to provide a more
informative error message that includes the file and line number of the
node and all of its parents.

Example error report:
Neverallow check failed at line 31285 of cil.conf.neverallow
  (neverallow typeset4 self (memprotect (mmap_zero)))
    <root>
    booleanif at line 152094 of cil.conf.neverallow
    true at line 152095 of cil.conf.neverallow
    allow at line 152096 of cil.conf.neverallow
      (allow ada_t self (memprotect (mmap_zero)))

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2 files changed
tree: 42a711fdeb51523779f8d85c8dec833205476a14
  1. checkpolicy/
  2. libselinux/
  3. libsemanage/
  4. libsepol/
  5. policycoreutils/
  6. scripts/
  7. secilc/
  8. sepolgen/
  9. .gitignore
  10. Android.mk
  11. CleanSpec.mk
  12. Makefile
  13. README