From: James Carter <jwcart2@gmail.com>
To: "Christian Göttsche" <cgzones@googlemail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [RFC PATCH v2 2/4] libsepol: add not-self neverallow support
Date: Fri, 3 Dec 2021 17:06:18 -0500
Message-ID: <CAP+JOzTcWXTu1O8t50XX3vMjabY6Vsmb9WBRiLryKTMapsw8Pw@mail.gmail.com>
In-Reply-To: <20211124190815.12757-2-cgzones@googlemail.com>

On Thu, Nov 25, 2021 at 3:03 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Add support for not-self neverallow rules. These do not trigger on allow
> rules where the source type is exactly equal to the target type.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> v2:
>   - do not change the value of RULE_SELF
> ---
>  libsepol/include/sepol/policydb/policydb.h |  3 +-
>  libsepol/src/assertion.c                   | 36 ++++++++++++++++++++--
>  2 files changed, 35 insertions(+), 4 deletions(-)
>
> diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
> index 4bf9f05d..11637fe8 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -285,7 +285,8 @@ typedef struct avrule {
>  #define AVRULE_XPERMS  (AVRULE_XPERMS_ALLOWED | AVRULE_XPERMS_AUDITALLOW | \
>                                 AVRULE_XPERMS_DONTAUDIT | AVRULE_XPERMS_NEVERALLOW)
>         uint32_t specified;
> -#define RULE_SELF 1
> +#define RULE_SELF       (1U << 0)
> +#define RULE_NOTSELF    (1U << 1)
>         uint32_t flags;
>         type_set_t stypes;
>         type_set_t ttypes;
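Review bot: with RULE_SELF and RULE_NOTSELF now independent bits in `flags`, the header should say they are mutually exclusive (a rule is either `self` or `~self`), and every `avrule->flags == RULE_SELF` equality test in the tree has to become a bit test; this patch converts the three in assertion.c, so any other reader of RULE_SELF needs the same change or it will stop matching once additional bits can be set.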
> diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> index dd2749a0..efa136c8 100644
> --- a/libsepol/src/assertion.c
> +++ b/libsepol/src/assertion.c
> @@ -241,7 +241,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
>         if (rc)
>                 goto oom;
>
> -       if (avrule->flags == RULE_SELF) {
> +       if (avrule->flags & RULE_SELF) {
>                 rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]);
>                 if (rc)
>                         goto oom;
> @@ -268,6 +268,8 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
>
>                 ebitmap_for_each_positive_bit(&src_matches, snode, i) {
>                         ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) {
> +                               if ((avrule->flags & RULE_NOTSELF) && i == j)
> +                                       continue;
>                                 if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
>                                         a->errors += report_assertion_extended_permissions(handle,p, avrule,
>                                                                                         i, j, cp, perms, k, avtab);
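Review bot: the `i == j` skip only filters the reporting loop, so it cannot account for the false positives shown later in this reply: the reported pairs are TYPE1->TYPE2 and TYPE1->TYPE3, which already have i != j. Whether an xperm assertion is violated is decided in check_assertion_extended_permissions, so the not-self handling there is where the overlap of 0x9511 against the allowxperm's 0x9501 has to be honoured; the `continue` here only suppresses messages for genuine self pairs.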
> @@ -402,7 +404,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
>         if (rc)
>                 goto oom;
>
> -       if (avrule->flags == RULE_SELF) {
> +       if (avrule->flags & RULE_SELF) {
>                 rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1],
>                                 &p->attr_type_map[k->target_type - 1]);
>                 if (rc)
> @@ -418,6 +420,18 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
>                 }
>         }
>
> +       if (avrule->flags & RULE_NOTSELF) {
> +               rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]);
> +               if (rc)
> +                       goto oom;
> +               rc = ebitmap_and(&self_matches, &avrule->ttypes.types, &matches);
> +               if (rc)
> +                       goto oom;
> +               rc = ebitmap_subtract(&tgt_matches, &self_matches);
> +               if (rc)
> +                       goto oom;
> +       }
> +
>         if (ebitmap_is_empty(&tgt_matches))
>                 goto exit;
>
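Review bot: the subtraction in this block works per avtab key, not per (source, target) type pair: `self_matches` is every target type that is also in the source map and in the neverallow's ttypes, and it is removed from `tgt_matches` for all source types at once, so a type that is the self pair of one source is also dropped as a legitimate non-self target of the other sources. It also leaves the xperm comparison that follows unchanged, and the test below shows that comparison still reporting TYPE1->TYPE2 and TYPE1->TYPE3 although 0x9511 does not overlap the allowxperm's 0x9501. Suggest mirroring the RULE_SELF branch and applying the not-self exclusion where individual pairs are compared against the extended permissions, as the `i == j` skip does in the report path, and adding the three-rule case from the reply to the tests once that is done.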

Something is not right with how it is working with extended permissions.

I am using these type rules with the following examples.
type TYPE1;
type TYPE2;
type TYPE3;
typeattribute TYPE1 TATTR1, TATTR2;
typeattribute TYPE2 TATTR1, TATTR2;
typeattribute TYPE3 TATTR1;


For normal extended permissions.

These rules give an assertion failure as expected.
allow TATTR1 TATTR1 : CLASS4 ioctl;
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9411;

These rules do not, again, as expected.
allow TATTR1 TATTR1 : CLASS4 ioctl;
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9401;
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9411;

For the not-self extended permissions.

These rules give an assertion failure, but they shouldn't.
allow TATTR1 TATTR1 : CLASS5 ioctl;
allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9501;
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9511;

libsepol.report_assertion_extended_permissions: neverallowxperm on
line 153 of policy.conf (or line 153 of policy.conf) violated by
allow TYPE1 TYPE2:CLASS5 { ioctl };
libsepol.report_assertion_extended_permissions: neverallowxperm on
line 153 of policy.conf (or line 153 of policy.conf) violated by
allow TYPE1 TYPE3:CLASS5 { ioctl };


Thanks,
Jim


> @@ -463,7 +477,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
>         if (rc == 0)
>                 goto exit;
>
> -       if (avrule->flags == RULE_SELF) {
> +       if (avrule->flags & RULE_SELF) {
>                 /* If the neverallow uses SELF, then it is not enough that the
>                  * neverallow's source matches the src and tgt of the rule being checked.
>                  * It must match the same thing in the src and tgt, so AND the source
> @@ -479,6 +493,22 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
>                 ebitmap_destroy(&match);
>         }
>
> +       if (avrule->flags & RULE_NOTSELF) {
> +               ebitmap_t match;
> +               rc = ebitmap_cpy(&match, &p->attr_type_map[k->source_type - 1]);
> +               if (rc) {
> +                       ebitmap_destroy(&match);
> +                       goto oom;
> +               }
> +               rc = ebitmap_subtract(&match, &p->attr_type_map[k->target_type - 1]);
> +               if (rc) {
> +                       ebitmap_destroy(&match);
> +                       goto oom;
> +               }
> +               rc2 = ebitmap_match_any(&avrule->ttypes.types, &match);
> +               ebitmap_destroy(&match);
> +       }
> +
>         /* neverallow may have tgts even if it uses SELF */
>         rc = ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1]);
>         if (rc == 0 && rc2 == 0)
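Review bot: `match` is the source map minus the target map, i.e. the source types that never appear as targets of the rule being checked, and `rc2` is derived only from that. For an allow rule whose source and target are the same attribute (every `allow TATTR1 TATTR1` rule in the test above) the difference is empty, so `rc2` is 0 and the decision falls entirely to the unchanged `ebitmap_match_any(&avrule->ttypes.types, ...)` on the target map, which does not exclude the self pair. Please confirm that is intended, and that `rc2` is initialised to 0 before this block for rules without RULE_NOTSELF, since it is read unconditionally in the `rc == 0 && rc2 == 0` test two lines below.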
> --
> 2.34.0
>
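To pin down the results the reply expects, here is an added reference model of neverallowxperm checking over the reply's types and attributes; it is my own example, not libsepol or checkpolicy code. It assumes that `self` pairs each source type with itself, that `~self` pairs it with every other type in the policy (the semantics the patch description states), and that an allowxperm narrows a matching allow while an allow with no allowxperm grants the full ioctl range.

```python
"""Added reference model (not libsepol code) of neverallowxperm checking for
the type/attribute fragment in the reply above."""
from itertools import product

ALL_XPERMS = frozenset(range(0x10000))  # constructed: full 16-bit ioctl range
# Constructed to mirror the reply's type and typeattribute statements.
ATTRS = {"TATTR1": {"TYPE1", "TYPE2", "TYPE3"}, "TATTR2": {"TYPE1", "TYPE2"}}

def expand(name):
    """Expand an attribute to its member types; a bare type expands to itself."""
    return frozenset(ATTRS.get(name, {name}))

def allowed_xperms(allows, allowxperms, s, t):
    """ioctl xperms the pair (s, t) may use: an allowxperm narrows a matching
    allow; an allow with no allowxperm grants the whole range."""
    if not any(s in expand(a) and t in expand(b) for a, b in allows):
        return frozenset()
    narrowed = [x for a, b, x in allowxperms if s in expand(a) and t in expand(b)]
    return frozenset().union(*narrowed) if narrowed else ALL_XPERMS

def neverallowxperm_violations(allows, allowxperms, nvr_src, nvr_tgt, nvr_x):
    """(s, t) pairs violating `neverallowxperm nvr_src nvr_tgt : C ioctl nvr_x`.
    nvr_tgt is "self" (t == s only), "~self" (the not-self form: every t != s,
    assumed here to range over all policy types) or a type/attribute name."""
    sources = expand(nvr_src)
    if nvr_tgt == "self":
        pairs = {(s, s) for s in sources}
    elif nvr_tgt == "~self":
        all_types = set().union(*ATTRS.values()) | sources
        pairs = {(s, t) for s in sources for t in all_types if t != s}
    else:
        pairs = set(product(sources, expand(nvr_tgt)))
    return sorted(p for p in pairs if allowed_xperms(allows, allowxperms, *p) & nvr_x)

def reply_scenarios():
    """The reply's cases (one class each, so the class is left implicit) plus
    the un-narrowed ~self case, which is what a genuine violation looks like."""
    allow = [("TATTR1", "TATTR1")]
    return {
        "self, no allowxperm": neverallowxperm_violations(
            allow, [], "TYPE1", "self", {0x9411}),
        "self, allowxperm 0x9401": neverallowxperm_violations(
            allow, [("TATTR1", "TATTR1", {0x9401})], "TYPE1", "self", {0x9411}),
        "~self, allowxperm 0x9501": neverallowxperm_violations(
            allow, [("TATTR1", "TATTR1", {0x9501})], "TYPE1", "~self", {0x9511}),
        "~self, no allowxperm": neverallowxperm_violations(
            allow, [], "TYPE1", "~self", {0x9511}),
    }
```

The third scenario returns no violations, which is the behaviour the reply expects; the fourth shows that the TYPE1->TYPE2 and TYPE1->TYPE3 messages libsepol printed are what a real violation would look like only when no allowxperm narrows the ioctl range.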
