* [PATCH] checkpolicy: allow wildcard permissions in constraints
@ 2022-02-04 13:37 Christian Göttsche
  2022-02-09 20:35 ` James Carter
  2022-02-10 18:38 ` [PATCH v2] " Christian Göttsche
  0 siblings, 2 replies; 5+ messages in thread
From: Christian Göttsche @ 2022-02-04 13:37 UTC (permalink / raw)
  To: selinux

Allow all and complement permission sets in constraints, e.g.:

    constrain service ~ { status } (...);
    constrain service * (...);

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/policy_define.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index b2ae3263..ded19570 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3590,6 +3590,16 @@ int define_constraint(constraint_expr_t * expr)
 			cladatum = policydbp->class_val_to_struct[i];
 			node = cladatum->constraints;
 
+			if (strcmp(id, "*") == 0) {
+				node->permissions = ~UINT32_C(0);
+				continue;
+			}
+
+			if (strcmp(id, "~") == 0) {
+				node->permissions = ~node->permissions;
+				continue;
+			}
+
 			perdatum =
 			    (perm_datum_t *) hashtab_search(cladatum->
 							    permissions.
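
Review bot: Both new branches write bits that do not correspond to any permission of the class. In the "*" branch, ~UINT32_C(0) sets all 32 bits of node->permissions no matter how many permissions the class defines, and in the "~" branch ~node->permissions turns on every bit above the listed ones as well. Mask both results to the permissions the class actually has, and decide what should happen when the complement comes out as zero, since a constraint with no permission bits cannot apply to anything.
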
-- 
2.34.1



* Re: [PATCH] checkpolicy: allow wildcard permissions in constraints
  2022-02-04 13:37 [PATCH] checkpolicy: allow wildcard permissions in constraints Christian Göttsche
@ 2022-02-09 20:35 ` James Carter
  2022-02-10 18:38 ` [PATCH v2] " Christian Göttsche
  1 sibling, 0 replies; 5+ messages in thread
From: James Carter @ 2022-02-09 20:35 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: SElinux list

On Fri, Feb 4, 2022 at 3:04 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Allow all and complement permission sets in constraints, e.g.:
>
>     constrain service ~ { status } (...);
>     constrain service * (...);
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  checkpolicy/policy_define.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index b2ae3263..ded19570 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -3590,6 +3590,16 @@ int define_constraint(constraint_expr_t * expr)
>                         cladatum = policydbp->class_val_to_struct[i];
>                         node = cladatum->constraints;
>
> +                       if (strcmp(id, "*") == 0) {
> +                               node->permissions = ~UINT32_C(0);
> +                               continue;
> +                       }
> +

If the class has less than 32 permissions, then bits will be set for
non-existent permissions.

> +                       if (strcmp(id, "~") == 0) {
> +                               node->permissions = ~node->permissions;
> +                               continue;
> +                       }
> +

If "~" is used on a list of all of the class's permissions, then there
will be no permissions. If the policy is then turned back into a
policy.conf, there will be no permissions and the constraint will have
an invalid permission. (Obviously, a problem with the kernel_to_conf
routines that needs to be fixed). The right thing is to drop the
constraint in this case since it isn't valid for any permissions. (I
see now that the CIL compiler doesn't handle this correctly either.)

I am fine with the overall idea here.

Thanks,
Jim


>                         perdatum =
>                             (perm_datum_t *) hashtab_search(cladatum->
>                                                             permissions.
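
Review bot: The "~" branch complements whatever is in node->permissions at the moment the "~" identifier is handled, so the result is only right if "~" is processed after every permission named in the set. Nothing in the hunk states or checks that ordering; a short comment above the strcmp(id, "~") test saying where "~" sits relative to the other identifiers would make the assumption reviewable.
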
> --
> 2.34.1
>


* [PATCH v2] checkpolicy: allow wildcard permissions in constraints
  2022-02-04 13:37 [PATCH] checkpolicy: allow wildcard permissions in constraints Christian Göttsche
  2022-02-09 20:35 ` James Carter
@ 2022-02-10 18:38 ` Christian Göttsche
  2022-02-11 18:40   ` James Carter
  1 sibling, 1 reply; 5+ messages in thread
From: Christian Göttsche @ 2022-02-10 18:38 UTC (permalink / raw)
  To: selinux

Allow all and complement permission sets in constraints, e.g.:

    constrain service ~ { status } (...);
    constrain service * (...);

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

---

v2:
   - do not set invalid permission bits
   - omit constrain rules with an empty permission bitset
---
 checkpolicy/policy_define.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index b2ae3263..16b78346 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3477,6 +3477,8 @@ static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
 	return NULL;
 }
 
+#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1))
+
 int define_constraint(constraint_expr_t * expr)
 {
 	struct constraint_node *node;
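
Review bot: PERMISSION_MASK is only well defined if PERM_SYMTAB_SIZE is 32 and nprim never exceeds it. Any nprim of 32 or more that is not exactly PERM_SYMTAB_SIZE falls through to UINT32_C(1) << (nprim), which is undefined for a 32-bit operand. Comparing with >= instead of ==, or asserting the bound, would make the macro safe on its own, and a one-line comment saying that it yields the valid permission bits for a class with nprim permissions would document the intent.
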
@@ -3590,6 +3592,22 @@ int define_constraint(constraint_expr_t * expr)
 			cladatum = policydbp->class_val_to_struct[i];
 			node = cladatum->constraints;
 
+			if (strcmp(id, "*") == 0) {
+				node->permissions = PERMISSION_MASK(cladatum->permissions.nprim);
+				continue;
+			}
+
+			if (strcmp(id, "~") == 0) {
+				node->permissions = ~node->permissions & PERMISSION_MASK(cladatum->permissions.nprim);
+				if (node->permissions == 0) {
+					yywarn("omitting constraint with no permission set");
+					cladatum->constraints = node->next;
+					constraint_expr_destroy(node->expr);
+					free(node);
+				}
+				continue;
+			}
+
 			perdatum =
 			    (perm_datum_t *) hashtab_search(cladatum->
 							    permissions.
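
Review bot: The "*" branch has no empty-set handling, unlike the "~" branch right below it. For a class with permissions.nprim == 0, PERMISSION_MASK(cladatum->permissions.nprim) evaluates to 0, so the constraint is kept with no permission bits, which is exactly the case the "~" branch warns about and omits. Consider moving the node->permissions == 0 check and removal into a shared path used by both branches.
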
-- 
2.34.1



* Re: [PATCH v2] checkpolicy: allow wildcard permissions in constraints
  2022-02-10 18:38 ` [PATCH v2] " Christian Göttsche
@ 2022-02-11 18:40   ` James Carter
  2022-02-18 20:05     ` James Carter
  0 siblings, 1 reply; 5+ messages in thread
From: James Carter @ 2022-02-11 18:40 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: SElinux list

On Fri, Feb 11, 2022 at 11:19 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Allow all and complement permission sets in constraints, e.g.:
>
>     constrain service ~ { status } (...);
>     constrain service * (...);
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

>
> ---
>
> v2:
>    - do not set invalid permission bits
>    - omit constrain rules with an empty permission bitset
> ---
>  checkpolicy/policy_define.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index b2ae3263..16b78346 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -3477,6 +3477,8 @@ static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
>         return NULL;
>  }
>
> +#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1))
> +
>  int define_constraint(constraint_expr_t * expr)
>  {
>         struct constraint_node *node;
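
Review bot: PERMISSION_MASK expands its nprim argument twice and sits undocumented on one very long line. A small static inline helper that takes the permission count and returns a uint32_t would evaluate the argument once, give the compiler a type to check, and leave room for a comment explaining the PERM_SYMTAB_SIZE special case.
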
> @@ -3590,6 +3592,22 @@ int define_constraint(constraint_expr_t * expr)
>                         cladatum = policydbp->class_val_to_struct[i];
>                         node = cladatum->constraints;
>
> +                       if (strcmp(id, "*") == 0) {
> +                               node->permissions = PERMISSION_MASK(cladatum->permissions.nprim);
> +                               continue;
> +                       }
> +
> +                       if (strcmp(id, "~") == 0) {
> +                               node->permissions = ~node->permissions & PERMISSION_MASK(cladatum->permissions.nprim);
> +                               if (node->permissions == 0) {
> +                                       yywarn("omitting constraint with no permission set");
> +                                       cladatum->constraints = node->next;
> +                                       constraint_expr_destroy(node->expr);
> +                                       free(node);
> +                               }
> +                               continue;
> +                       }
> +
>                         perdatum =
>                             (perm_datum_t *) hashtab_search(cladatum->
>                                                             permissions.
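
Review bot: In the "~" branch, after the empty node is unlinked with cladatum->constraints = node->next and freed, the loop simply continues. If any further identifier is handled for the same class, node = cladatum->constraints at the top of the hunk will pick up an older, unrelated constraint (or NULL) and the following code will modify or dereference it. Please either document that "~" is always the last identifier processed or track that the constraint was dropped for this class and skip later identifiers.
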
> --
> 2.34.1
>


* Re: [PATCH v2] checkpolicy: allow wildcard permissions in constraints
  2022-02-11 18:40   ` James Carter
@ 2022-02-18 20:05     ` James Carter
  0 siblings, 0 replies; 5+ messages in thread
From: James Carter @ 2022-02-18 20:05 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: SElinux list

On Fri, Feb 11, 2022 at 1:40 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Fri, Feb 11, 2022 at 11:19 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Allow all and complement permission sets in constraints, e.g.:
> >
> >     constrain service ~ { status } (...);
> >     constrain service * (...);
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

Merged.
Thanks,
Jim

> >
> > ---
> >
> > v2:
> >    - do not set invalid permission bits
> >    - omit constrain rules with an empty permission bitset
> > ---
> >  checkpolicy/policy_define.c | 18 ++++++++++++++++++
> >  1 file changed, 18 insertions(+)
> >
> > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> > index b2ae3263..16b78346 100644
> > --- a/checkpolicy/policy_define.c
> > +++ b/checkpolicy/policy_define.c
> > @@ -3477,6 +3477,8 @@ static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
> >         return NULL;
> >  }
> >
> > +#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1))
> > +
> >  int define_constraint(constraint_expr_t * expr)
> >  {
> >         struct constraint_node *node;
> > @@ -3590,6 +3592,22 @@ int define_constraint(constraint_expr_t * expr)
> >                         cladatum = policydbp->class_val_to_struct[i];
> >                         node = cladatum->constraints;
> >
> > +                       if (strcmp(id, "*") == 0) {
> > +                               node->permissions = PERMISSION_MASK(cladatum->permissions.nprim);
> > +                               continue;
> > +                       }
> > +
> > +                       if (strcmp(id, "~") == 0) {
> > +                               node->permissions = ~node->permissions & PERMISSION_MASK(cladatum->permissions.nprim);
> > +                               if (node->permissions == 0) {
> > +                                       yywarn("omitting constraint with no permission set");
> > +                                       cladatum->constraints = node->next;
> > +                                       constraint_expr_destroy(node->expr);
> > +                                       free(node);
> > +                               }
> > +                               continue;
> > +                       }
> > +
> >                         perdatum =
> >                             (perm_datum_t *) hashtab_search(cladatum->
> >                                                             permissions.
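
Review bot: The yywarn("omitting constraint with no permission set") message in the "~" branch does not say which class the constraint was dropped for. The removal happens per class (cladatum is looked up from class_val_to_struct[i]), so a rule naming several classes can be kept for some and silently narrowed for others; including the class name in the warning would let policy authors see which part of the rule was omitted.
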
> > --
> > 2.34.1
> >

