From: "Christian Göttsche" <cgzones@googlemail.com>
To: James Carter <jwcart2@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH 0/2 RFC] libsepol: Adding support for not-self rules
Date: Fri, 11 Mar 2022 19:44:25 +0100
Message-ID: <CAJ2a_DdJHS2vRj9c94rFTDHiRt9_yRqEwxfX7KR451Za2iJAsw@mail.gmail.com>
In-Reply-To: <20220111220823.596065-1-jwcart2@gmail.com>
On Tue, 11 Jan 2022 at 23:08, James Carter <jwcart2@gmail.com> wrote:
>
> These patches depend on the 16 patch set that refactors and fixes assertion checking.
>
> The first patch is based on patches by Christian Göttsche <cgzones@googlemail.com>
> sent to the list on November 23rd. His patch adding support to checkpolicy is meant
> to be used with these patches.
>
> The second patch adds support for not-self rules to CIL. Currently, it works for all
> access vector rules, but I am not sure if that is needed or wise.
Probably not caused by this patch set, but I noticed one inconvenience:
duplicate reporting with the following example:
attribute test_a;
type test1_t, test_a;
type test2_t, test_a;
allow test_a test_a:xdp_socket ioctl;
allowxperm test_a test_a:xdp_socket ioctl 0x0002;
neverallowxperm test1_t { test_a }:xdp_socket ioctl 0x0002;
The output looks like:
libsepol.report_assertion_extended_permissions: neverallowxperm on
line 534 of policy/modules/kernel/kernel.te (or line 49039 of
policy.conf) violated by
allowxperm test_a test_a:xdp_socket ioctl { 0x2 };
libsepol.report_assertion_extended_permissions: neverallowxperm on
line 534 of policy/modules/kernel/kernel.te (or line 49039 of
policy.conf) violated by
allowxperm test_a test_a:xdp_socket ioctl { 0x2 };
due to the two access permissions, one for test1_t on test1_t and one
for test1_t on test2_t.
Rebasing onto master should update validation due to ff25475c
("libsepol: validate several flags"):
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -851,6 +851,7 @@ static int validate_avrules(sepol_handle_t
*handle, avrule_t *avrule, int condit
switch(avrule->flags) {
case 0:
case RULE_SELF:
+ case RULE_NOTSELF:
break;
default:
goto bad;
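Review bot: the added `case RULE_NOTSELF:` makes the flag valid on every avrule, while the series only gives not-self a meaning on neverallow rules ("libsepol: Add not self support for neverallow rules"); the switch never looks at avrule->specified, so an allow/auditallow/dontaudit rule carrying RULE_NOTSELF would now pass validation. If the flag is not meant to reach those rule kinds, reject it there, e.g. `if (avrule->flags == RULE_NOTSELF && !(avrule->specified & AVRULE_NEVERALLOW)) goto bad;` (assuming the usual neverallow bit in `specified`). Since the switch matches exact values, RULE_SELF|RULE_NOTSELF still hits `goto bad`, which is the right outcome but deserves a one-line comment so nobody later "fixes" it into a bitmask test.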
Otherwise, together with ("checkpolicy: add not-self neverallow support") [1]:
Tested-by: Christian Göttsche <cgzones@googlemail.com>
[1]: https://patchwork.kernel.org/project/selinux/patch/20211204103516.17375-3-cgzones@googlemail.com/
>
> James Carter (2):
> libsepol: Add not self support for neverallow rules
> libsepol/cil: Add notself and minusself support to CIL
>
> libsepol/cil/src/cil.c | 12 ++
> libsepol/cil/src/cil_binary.c | 91 ++++++++-
> libsepol/cil/src/cil_build_ast.c | 10 +-
> libsepol/cil/src/cil_find.c | 206 ++++++++++++++++++---
> libsepol/cil/src/cil_internal.h | 4 +
> libsepol/cil/src/cil_resolve_ast.c | 4 +
> libsepol/cil/src/cil_verify.c | 3 +-
> libsepol/include/sepol/policydb/policydb.h | 3 +-
> libsepol/src/assertion.c | 144 +++++++++++---
> 9 files changed, 467 insertions(+), 64 deletions(-)
>
> --
> 2.31.1
>
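Added illustration, not part of the message above and not libsepol code: a small Python model of neverallowxperm checking in which the attribute on the neverallow side is expanded into concrete (source, target) type pairs and each pair is matched against the allowxperm rules. It reproduces the effect described above (the single `allowxperm test_a test_a` is reported once for test1_t on test1_t and once for test1_t on test2_t) and shows what a per-(neverallow, allow) dedup would report instead. The tuple rule notation, the helper names, and the "not self" semantics used here (drop every pair whose source and target are the same type) are assumptions of this example; the plain `allow` prerequisite for an allowxperm is ignored.

```python
"""Toy model of neverallowxperm assertion checking against allowxperm rules.

Illustration only, not libsepol code.  Rules are plain tuples rather than
policy.conf syntax, and the not-self semantics modelled here (skip every
(source, target) pair whose two types are equal) are an assumption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, List, Set, Tuple


@dataclass(frozen=True)
class XpermRule:
    src: str                  # type or attribute
    tgt: str                  # type, attribute, or the keyword "self"
    cls: str
    perm: str
    xperms: FrozenSet[int]    # ioctl numbers named by the rule
    not_self: bool = False    # assumed semantics, see module docstring


Report = Tuple[XpermRule, XpermRule, FrozenSet[int], Tuple[str, str]]


class Policy:
    def __init__(self) -> None:
        self.types: Set[str] = set()
        self.attrs: Dict[str, Set[str]] = {}
        self.allowxperm: List[XpermRule] = []
        self.neverallowxperm: List[XpermRule] = []

    def declare_type(self, name: str, *attrs: str) -> None:
        self.types.add(name)
        for a in attrs:
            self.attrs.setdefault(a, set()).add(name)

    def expand(self, name: str) -> Set[str]:
        """Attribute -> its member types; type -> itself."""
        if name in self.attrs:
            return set(self.attrs[name])
        if name in self.types:
            return {name}
        raise KeyError(f"undeclared type or attribute: {name}")

    def pairs(self, rule: XpermRule) -> Iterator[Tuple[str, str]]:
        """Concrete (source type, target type) pairs the rule applies to."""
        for s in sorted(self.expand(rule.src)):
            tgts = {s} if rule.tgt == "self" else self.expand(rule.tgt)
            for t in sorted(tgts):
                if rule.not_self and s == t:
                    continue
                yield s, t

    def check_assertions(self, dedup: bool = False) -> List[Report]:
        """One report per (neverallow pair, allow rule) match, like the
        quoted output; with dedup=True, one per (neverallow, allow)."""
        reports: List[Report] = []
        seen = set()
        for na in self.neverallowxperm:
            for s, t in self.pairs(na):
                for al in self.allowxperm:
                    if (al.cls, al.perm) != (na.cls, na.perm):
                        continue
                    common = al.xperms & na.xperms
                    if not common or (s, t) not in set(self.pairs(al)):
                        continue
                    if dedup and (na, al) in seen:
                        continue
                    seen.add((na, al))
                    reports.append((na, al, common, (s, t)))
        return reports


def page_example() -> Policy:
    """The policy from the message above, in this model's notation."""
    p = Policy()
    p.declare_type("test1_t", "test_a")
    p.declare_type("test2_t", "test_a")
    p.allowxperm.append(XpermRule("test_a", "test_a", "xdp_socket", "ioctl", frozenset({0x2})))
    p.neverallowxperm.append(XpermRule("test1_t", "test_a", "xdp_socket", "ioctl", frozenset({0x2})))
    return p


def not_self_example() -> Policy:
    """Same types; the neverallow excludes self pairs and the allow is a self rule."""
    p = Policy()
    p.declare_type("test1_t", "test_a")
    p.declare_type("test2_t", "test_a")
    p.allowxperm.append(XpermRule("test_a", "self", "xdp_socket", "ioctl", frozenset({0x2})))
    p.neverallowxperm.append(XpermRule("test_a", "test_a", "xdp_socket", "ioctl",
                                       frozenset({0x2}), not_self=True))
    return p


def describe(r: Report) -> str:
    na, al, common, (s, t) = r
    perms = " ".join(hex(x) for x in sorted(common))
    return (f"neverallowxperm {na.src} {na.tgt} violated by "
            f"allowxperm {al.src} {al.tgt}:{al.cls} {al.perm} {{ {perms} }} "
            f"(pair {s} -> {t})")


if __name__ == "__main__":
    for line in map(describe, page_example().check_assertions()):
        print(line)                       # one line per concrete pair
    print(len(page_example().check_assertions(dedup=True)), "report(s) after dedup")
    print(len(not_self_example().check_assertions()), "report(s) for not-self vs self allow")
```

Run as a script it prints the two per-pair reports for the quoted example, then `1 report(s) after dedup`, then `0 report(s) for not-self vs self allow`: a not-self neverallow only ever expands to pairs with distinct types, so a plain `self` allow cannot trip it, whereas an attribute-to-attribute allow still does.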
Thread overview:
2022-01-11 22:08 [PATCH 0/2 RFC] libsepol: Adding support for not-self rules James Carter
2022-01-11 22:08 ` [PATCH 1/2 RFC] libsepol: Add not self support for neverallow rules James Carter
2022-01-11 22:08 ` [PATCH 2/2 RFC] libsepol/cil: Add notself and minusself support to CIL James Carter
2022-03-11 18:44 ` Christian Göttsche [this message]