From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH v4 3/6] checkpolicy: add not-self neverallow support
Date: Fri, 25 Nov 2022 16:49:49 +0100 [thread overview]
Message-ID: <20221125154952.20910-4-cgzones@googlemail.com> (raw)
In-Reply-To: <20221125154952.20910-1-cgzones@googlemail.com>
Add support for using negated or complemented self in the target type of
neverallow rules.
Some Refpolicy examples:
neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *;
neverallow domain { domain -self -dockerc_t }:dir create;
# no violations
neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create };
libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };
neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write };
libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };
Using negated self in a complement, `~{ domain -self }`, is not
supported.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/policy_define.c | 46 ++++++++++++++++++++++++++++++++-----
checkpolicy/test/dismod.c | 6 ++++-
2 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 41e44631..74f882bb 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2075,12 +2075,17 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
- if (add == 0) {
- yyerror("-self is not supported");
+ if (add == 0 && which != AVRULE_XPERMS_NEVERALLOW) {
+ yyerror("-self is only supported in neverallow and neverallowxperm rules");
+ ret = -1;
+ goto out;
+ }
+ avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF);
+ if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) {
+ yyerror("self and -self are mutual exclusive");
ret = -1;
goto out;
}
- avrule->flags |= RULE_SELF;
continue;
}
if (set_types
@@ -2091,6 +2096,18 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
}
}
+ if ((avrule->ttypes.flags & TYPE_COMP)) {
+ if (avrule->flags & RULE_NOTSELF) {
+ yyerror("-self is not supported in complements");
+ ret = -1;
+ goto out;
+ }
+ if (avrule->flags & RULE_SELF) {
+ avrule->flags &= ~RULE_SELF;
+ avrule->flags |= RULE_NOTSELF;
+ }
+ }
+
ebitmap_init(&tclasses);
ret = read_classes(&tclasses);
if (ret)
@@ -2537,12 +2554,17 @@ static int define_te_avtab_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
- if (add == 0) {
- yyerror("-self is not supported");
+ if (add == 0 && which != AVRULE_NEVERALLOW) {
+ yyerror("-self is only supported in neverallow and neverallowxperm rules");
+ ret = -1;
+ goto out;
+ }
+ avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF);
+ if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) {
+ yyerror("self and -self are mutual exclusive");
ret = -1;
goto out;
}
- avrule->flags |= RULE_SELF;
continue;
}
if (set_types
@@ -2553,6 +2575,18 @@ static int define_te_avtab_helper(int which, avrule_t ** rule)
}
}
+ if ((avrule->ttypes.flags & TYPE_COMP)) {
+ if (avrule->flags & RULE_NOTSELF) {
+ yyerror("-self is not supported in complements");
+ ret = -1;
+ goto out;
+ }
+ if (avrule->flags & RULE_SELF) {
+ avrule->flags &= ~RULE_SELF;
+ avrule->flags |= RULE_NOTSELF;
+ }
+ }
+
ebitmap_init(&tclasses);
ret = read_classes(&tclasses);
if (ret)
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index ec2a3e9a..a2d74d42 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -124,7 +124,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
}
num_types = 0;
- if (flags & RULE_SELF) {
+ if (flags & (RULE_SELF | RULE_NOTSELF)) {
num_types++;
}
@@ -169,6 +169,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
fprintf(fp, " self");
}
+ if (flags & RULE_NOTSELF) {
+ fprintf(fp, " -self");
+ }
+
if (num_types > 1)
fprintf(fp, " }");
--
2.38.1
next prev parent reply other threads:[~2022-11-25 15:50 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-25 15:49 [RFC PATCH v4 0/6] not-self neverallow support Christian Göttsche
2022-11-25 15:49 ` [RFC PATCH v4 1/6] libsepol: Add not self support for neverallow rules Christian Göttsche
2023-03-01 14:30 ` James Carter
2023-03-30 19:41 ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 2/6] libsepol/cil: Add notself and minusself support to CIL Christian Göttsche
2023-03-01 14:32 ` James Carter
2023-03-21 15:54 ` Petr Lautrbach
2023-03-21 17:42 ` James Carter
2022-11-25 15:49 ` Christian Göttsche [this message]
2023-03-01 14:32 ` [RFC PATCH v4 3/6] checkpolicy: add not-self neverallow support James Carter
2023-03-30 19:42 ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 4/6] libsepol/tests: add tests for not self neverallow rules Christian Göttsche
2023-03-01 14:33 ` James Carter
2023-03-30 19:42 ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 5/6] libsepol/tests: add tests for minus " Christian Göttsche
2023-03-01 14:33 ` James Carter
2023-03-30 19:43 ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 6/6] libsepol: update CIL generation for trivial not-self rules Christian Göttsche
2023-03-01 14:35 ` James Carter
2023-03-30 19:44 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221125154952.20910-4-cgzones@googlemail.com \
--to=cgzones@googlemail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.