SELinuxTypeEnforcement: fill typeref: field for alias kind objects

masatake · masatake · commit cb0e340d79bb · 2025-01-23T03:07:54.000+09:00
"aliased" role is added to the "type" kind.

Signed-off-by: Masatake YAMATO &lt;yamato@redhat.com&gt;
diff --git a/Units/parser-selinux-type-enforcement.r/simple.d/expected.tags b/Units/parser-selinux-type-enforcement.r/simple.d/expected.tags
@@ -3,20 +3,20 @@ dbusd_unconfined	input.te	/^attribute dbusd_unconfined;$/;"	T
 system_bus_type	input.te	/^attribute system_bus_type;$/;"	T
 dbusd_etc_t	input.te	/^type dbusd_etc_t;$/;"	t
 dbusd_exec_t	input.te	/^type dbusd_exec_t;$/;"	t
-system_dbusd_exec_t	input.te	/^typealias dbusd_exec_t alias system_dbusd_exec_t;$/;"	a
+system_dbusd_exec_t	input.te	/^typealias dbusd_exec_t alias system_dbusd_exec_t;$/;"	a	typeref:type:dbusd_exec_t
 session_dbusd_tmp_t	input.te	/^type session_dbusd_tmp_t;$/;"	t
-user_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a
-staff_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a
-sysadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a
-auditadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };$/;"	a
-secadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };$/;"	a
+user_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a	typeref:type:session_dbusd_tmp_t
+staff_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a	typeref:type:session_dbusd_tmp_t
+sysadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a	typeref:type:session_dbusd_tmp_t
+auditadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };$/;"	a	typeref:type:session_dbusd_tmp_t
+secadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };$/;"	a	typeref:type:session_dbusd_tmp_t
 system_r	input.te	/^role system_r types system_bus_type;$/;"	r
 git_sys_content_t	input.te	/^type git_sys_content_t alias git_system_content_t;$/;"	t
-git_system_content_t	input.te	/^type git_sys_content_t alias git_system_content_t;$/;"	a
+git_system_content_t	input.te	/^type git_sys_content_t alias git_system_content_t;$/;"	a	typeref:type:git_sys_content_t
 kmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	t
-update_modules_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a
-depmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a
-insmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a
+update_modules_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a	typeref:type:kmod_t
+depmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a	typeref:type:kmod_t
+insmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a	typeref:type:kmod_t
 system_r	input.te	/^role system_r types anaconda_t;$/;"	r
 install_roles	input.te	/^attribute_role install_roles;$/;"	R
 antivirus_can_scan_system	input.te	/^gen_tunable(antivirus_can_scan_system, false)$/;"	b
diff --git a/optlib/selinux-type-enforcement.c b/optlib/selinux-type-enforcement.c
@@ -37,10 +37,16 @@ static void initializeSELinuxTypeEnforcementParser (const langType language)
 	                               "\\1", "m", "", NULL);
 	addLanguageTagMultiTableRegex (language, "main",
 	                               "^type[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*",
-	                               "\\1", "t", "{tenter=typedef}", NULL);
+	                               "\\1", "t", "{tenter=typedef}"
+		"{{\n"
+		"   .\n"
+		"}}", NULL);
 	addLanguageTagMultiTableRegex (language, "main",
 	                               "^typealias[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*",
-	                               "", "", "{tenter=typedef}", NULL);
+	                               "\\1", "t", "{_role=aliased}{tenter=typedef}"
+		"{{\n"
+		"   .\n"
+		"}}", NULL);
 	addLanguageTagMultiTableRegex (language, "main",
 	                               "^attribute[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;",
 	                               "\\1", "T", "", NULL);
@@ -73,7 +79,10 @@ static void initializeSELinuxTypeEnforcementParser (const langType language)
 	                               "", "", "{tenter=alias}", NULL);
 	addLanguageTagMultiTableRegex (language, "typedef",
 	                               "^;",
-	                               "", "", "{tleave}", NULL);
+	                               "", "", "{tleave}"
+		"{{\n"
+		"   pop\n"
+		"}}", NULL);
 	addLanguageTagMultiTableRegex (language, "typedef",
 	                               "^.",
 	                               "", "", "", NULL);
@@ -82,7 +91,10 @@ static void initializeSELinuxTypeEnforcementParser (const langType language)
 	                               "", "", "", NULL);
 	addLanguageTagMultiTableRegex (language, "alias",
 	                               "^([a-zA-Z0-9_]+)[[:space:]]*",
-	                               "\\1", "a", "{tleave}", NULL);
+	                               "\\1", "a", "{tleave}"
+		"{{\n"
+		"   dup :name . exch [ (type) 3 -1 roll ] typeref:\n"
+		"}}", NULL);
 	addLanguageTagMultiTableRegex (language, "alias",
 	                               "^\\{[[:space:]]*",
 	                               "", "", "{tenter=compoundalias}", NULL);
@@ -97,7 +109,10 @@ static void initializeSELinuxTypeEnforcementParser (const langType language)
 	                               "", "", "", NULL);
 	addLanguageTagMultiTableRegex (language, "compoundalias",
 	                               "^([a-zA-Z0-9_]+)[[:space:]]*",
-	                               "\\1", "a", "", NULL);
+	                               "\\1", "a", ""
+		"{{\n"
+		"   dup :name . exch [ (type) 3 -1 roll ] typeref:\n"
+		"}}", NULL);
 	addLanguageTagMultiTableRegex (language, "compoundalias",
 	                               "^\\}[[:space:]]*",
 	                               "", "", "{tleave}{_advanceTo=0start}", NULL);
@@ -133,12 +148,16 @@ extern parserDefinition* SELinuxTypeEnforcementParser (void)
 		NULL
 	};
 
+	static roleDefinition SELinuxTypeEnforcementTypeRoleTable [] = {
+		{ true, "aliased", "aliased" },
+	};
 	static kindDefinition SELinuxTypeEnforcementKindTable [] = {
 		{
 		  true, 'm', "module", "policy modules",
 		},
 		{
 		  true, 't', "type", "types",
+		  ATTACH_ROLES(SELinuxTypeEnforcementTypeRoleTable),
 		},
 		{
 		  true, 'a', "alias", "type aliases",
@@ -169,6 +188,7 @@ extern parserDefinition* SELinuxTypeEnforcementParser (void)
 	def->patterns      = patterns;
 	def->aliases       = aliases;
 	def->method        = METHOD_NOT_CRAFTED|METHOD_REGEX;
+	def->useCork       = CORK_QUEUE;
 	def->kindTable     = SELinuxTypeEnforcementKindTable;
 	def->kindCount     = ARRAY_SIZE(SELinuxTypeEnforcementKindTable);
 	def->initialize    = initializeSELinuxTypeEnforcementParser;
diff --git a/optlib/selinux-type-enforcement.ctags b/optlib/selinux-type-enforcement.ctags
@@ -22,6 +22,8 @@
 --kinddef-SELinuxTypeEnforcement=u,user,users
 # TODO: sensitivity, category, sid, class
 
+--_roledef-SELinuxTypeEnforcement.{type}=aliased,aliased
+
 --_tabledef-SELinuxTypeEnforcement=main
 --_tabledef-SELinuxTypeEnforcement=typedef
 --_tabledef-SELinuxTypeEnforcement=alias
@@ -39,8 +41,12 @@
 --_mtable-regex-SELinuxTypeEnforcement=main/policy_module\([[:blank:]]*([^,[:space:]\)]+)[^\)]*\)/\1/m/
 --_mtable-regex-SELinuxTypeEnforcement=main/module[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;/\1/m/
 
- --_mtable-regex-SELinuxTypeEnforcement=main/type[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*/\1/t/{tenter=typedef}
---_mtable-regex-SELinuxTypeEnforcement=main/typealias[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*//{tenter=typedef}
+--_mtable-regex-SELinuxTypeEnforcement=main/type[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*/\1/t/{tenter=typedef}{{
+   .
+}}
+--_mtable-regex-SELinuxTypeEnforcement=main/typealias[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*/\1/t/{_role=aliased}{tenter=typedef}{{
+   .
+}}
 --_mtable-regex-SELinuxTypeEnforcement=main/attribute[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;/\1/T/
 
 --_mtable-regex-SELinuxTypeEnforcement=main/role[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;/\1/r/
@@ -59,14 +65,18 @@
 #
 --_mtable-regex-SELinuxTypeEnforcement=typedef/[[:space:]]+//
 --_mtable-regex-SELinuxTypeEnforcement=typedef/alias[[:space:]]+//{tenter=alias}
---_mtable-regex-SELinuxTypeEnforcement=typedef/;//{tleave}
+--_mtable-regex-SELinuxTypeEnforcement=typedef/;//{tleave}{{
+   pop
+}}
 --_mtable-regex-SELinuxTypeEnforcement=typedef/.//
 
 #
 # alias
 #
 --_mtable-regex-SELinuxTypeEnforcement=alias/[[:space:]]+//
---_mtable-regex-SELinuxTypeEnforcement=alias/([a-zA-Z0-9_]+)[[:space:]]*/\1/a/{tleave}
+--_mtable-regex-SELinuxTypeEnforcement=alias/([a-zA-Z0-9_]+)[[:space:]]*/\1/a/{tleave}{{
+   dup :name . exch [ (type) 3 -1 roll ] typeref:
+}}
 --_mtable-regex-SELinuxTypeEnforcement=alias/\{[[:space:]]*//{tenter=compoundalias}
 --_mtable-regex-SELinuxTypeEnforcement=alias/\}[[:space:]]*//{tleave}
 --_mtable-regex-SELinuxTypeEnforcement=alias/.//
@@ -75,7 +85,9 @@
 # compoundalias
 #
 --_mtable-regex-SELinuxTypeEnforcement=compoundalias/[[:space:]]+//
---_mtable-regex-SELinuxTypeEnforcement=compoundalias/([a-zA-Z0-9_]+)[[:space:]]*/\1/a/
+--_mtable-regex-SELinuxTypeEnforcement=compoundalias/([a-zA-Z0-9_]+)[[:space:]]*/\1/a/{{
+   dup :name . exch [ (type) 3 -1 roll ] typeref:
+}}
 --_mtable-regex-SELinuxTypeEnforcement=compoundalias/\}[[:space:]]*//{tleave}{_advanceTo=0start}
 --_mtable-regex-SELinuxTypeEnforcement=compoundalias/.//
 
