From: "Christian Göttsche" <cgzones@googlemail.com>
To: James Carter <jwcart2@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH 0/2 RFC] libsepol: Adding support for not-self rules
Date: Fri, 11 Mar 2022 19:44:25 +0100	[thread overview]
Message-ID: <CAJ2a_DdJHS2vRj9c94rFTDHiRt9_yRqEwxfX7KR451Za2iJAsw@mail.gmail.com> (raw)
In-Reply-To: <20220111220823.596065-1-jwcart2@gmail.com>

On Tue, 11 Jan 2022 at 23:08, James Carter <jwcart2@gmail.com> wrote:
>
> These patches depend on the 16 patch set that refactors and fixes assertion checking.
>
> The first patch is based on patches by Christian Göttsche <cgzones@googlemail.com>
> sent to the list on November 23rd. His patch adding support to checkpolicy is meant
> to be used with these patches.
>
> The second patch adds support for not-self rules to CIL. Currently, it works for all
> access vector rules, but I am not sure if that is needed or wise.

Probably not caused by this patch set, but I noticed one inconvenience,
duplicate reporting, with the following example:

    attribute test_a;
    type test1_t, test_a;
    type test2_t, test_a;
    allow test_a test_a:xdp_socket ioctl;
    allowxperm test_a test_a:xdp_socket ioctl 0x0002;
    neverallowxperm test1_t { test_a }:xdp_socket ioctl 0x0002;

The output looks like:

    libsepol.report_assertion_extended_permissions: neverallowxperm on line 534 of policy/modules/kernel/kernel.te (or line 49039 of policy.conf) violated by
    allowxperm test_a test_a:xdp_socket ioctl { 0x2 };
    libsepol.report_assertion_extended_permissions: neverallowxperm on line 534 of policy/modules/kernel/kernel.te (or line 49039 of policy.conf) violated by
    allowxperm test_a test_a:xdp_socket ioctl { 0x2 };

due to the two access permissions, one for test1_t on test1_t and one
for test1_t on test2_t.


Rebasing onto master should update validation due to ff25475c
("libsepol: validate several flags"):

--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -851,6 +851,7 @@ static int validate_avrules(sepol_handle_t
*handle, avrule_t *avrule, int condit
               switch(avrule->flags) {
               case 0:
               case RULE_SELF:
+               case RULE_NOTSELF:
                       break;
               default:
                       goto bad;
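Review bot: the added `case RULE_NOTSELF:` accepts the flag only as an exact value of `avrule->flags`, so a rule carrying both RULE_SELF and RULE_NOTSELF still falls through to `goto bad`; if that combination is intentionally invalid, a one-line comment above the switch would make that explicit, and if the CIL not-self support can produce it, the switch needs a further case.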

Otherwise, together with ("checkpolicy: add not-self neverallow support") [1]:

Tested-by: Christian Göttsche <cgzones@googlemail.com>


[1]: https://patchwork.kernel.org/project/selinux/patch/20211204103516.17375-3-cgzones@googlemail.com/

>
> James Carter (2):
>   libsepol: Add not self support for neverallow rules
>   libsepol/cil: Add notself and minusself support to CIL
>
>  libsepol/cil/src/cil.c                     |  12 ++
>  libsepol/cil/src/cil_binary.c              |  91 ++++++++-
>  libsepol/cil/src/cil_build_ast.c           |  10 +-
>  libsepol/cil/src/cil_find.c                | 206 ++++++++++++++++++---
>  libsepol/cil/src/cil_internal.h            |   4 +
>  libsepol/cil/src/cil_resolve_ast.c         |   4 +
>  libsepol/cil/src/cil_verify.c              |   3 +-
>  libsepol/include/sepol/policydb/policydb.h |   3 +-
>  libsepol/src/assertion.c                   | 144 +++++++++++---
>  9 files changed, 467 insertions(+), 64 deletions(-)
>
> --
> 2.31.1
>
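The per-pair origin of the duplicated reports above, and the self/not-self pair semantics the series adds, as an added toy model written for this thread (it is not libsepol, checkpolicy or CIL code; the attribute membership, rule representation and the "ioctl:0x2" permission string standing in for the 0x0002 xperm are constructed):

```python
from itertools import product

# Constructed toy model of attribute expansion and assertion checking; it is
# not libsepol code. "self" keeps only src == tgt pairs and "notself" drops
# them, mirroring the RULE_SELF / RULE_NOTSELF flags discussed in the thread.
ATTRS = {"test_a": {"test1_t", "test2_t"}}            # attribute -> member types

def expand(name):
    """Expand an attribute to its member types; a plain type is itself."""
    return set(ATTRS.get(name, {name}))

def pairs(rule):
    """Concrete (src, tgt) type pairs a rule covers, honouring self/notself."""
    flag = rule.get("flag")
    if flag == "self":
        return {(s, s) for s in expand(rule["src"])}
    result = set(product(expand(rule["src"]), expand(rule["tgt"])))
    if flag == "notself":
        result = {(s, t) for s, t in result if s != t}
    return result

def violations(allows, neverallows):
    """One (neverallow_idx, allow_idx, src, tgt) entry per violated type pair,
    which is the per-pair granularity behind the duplicated reports above."""
    found = []
    for ni, na in enumerate(neverallows):
        for ai, al in enumerate(allows):
            if na["cls"] != al["cls"] or not (na["perms"] & al["perms"]):
                continue
            found += [(ni, ai, s, t) for s, t in sorted(pairs(na) & pairs(al))]
    return found

def deduplicated(viols):
    """Collapse per-pair hits to one entry per offending (neverallow, allow)."""
    return sorted({(ni, ai) for ni, ai, _, _ in viols})

# The mail's example (xperm 0x0002 on ioctl modelled as a single permission
# string), plus a not-self neverallow that only forbids cross-type pairs.
ALLOWS = [dict(src="test_a", tgt="test_a", cls="xdp_socket", perms={"ioctl:0x2"})]
NEVERALLOWS = [
    dict(src="test1_t", tgt="test_a", cls="xdp_socket", perms={"ioctl:0x2"}),
    dict(src="test_a", tgt="test_a", cls="xdp_socket", perms={"ioctl:0x2"}, flag="notself"),
]

if __name__ == "__main__":
    for ni, ai, s, t in violations(ALLOWS, NEVERALLOWS):
        print(f"neverallow #{ni} violated by allow #{ai} on ({s}, {t})")
    print("distinct offending rule pairs:", deduplicated(violations(ALLOWS, NEVERALLOWS)))
```

The first neverallow yields two hits from the same allow rule, one per (test1_t, test1_t) and (test1_t, test2_t) pair, while the not-self neverallow skips the (test1_t, test1_t) and (test2_t, test2_t) pairs entirely.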
