* [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding
@ 2021-11-30 11:00 Christian Göttsche
2021-11-30 11:00 ` [PATCH 2/2] checkpolicy: warn on bogus IP address or netmask in nodecon statement Christian Göttsche
2021-12-09 20:30 ` [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding James Carter
0 siblings, 2 replies; 5+ messages in thread
From: Christian Göttsche @ 2021-11-30 11:00 UTC (permalink / raw)
To: selinux
Accept IPv4 addresses embedded in IPv6, like `::ffff:127.0.0.1`.
This allows using those in nodecon statements leading to fine grained
access control:
type=AVC msg=audit(11/29/21 20:27:44.437:419) : avc: granted { node_bind } for pid=27500 comm=intercept saddr=::ffff:127.0.0.1 src=46293 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=tcp_socket
This does effect policies in the traditional language due to CIL usage
in semodule(8).
Also print on conversion failures the address in question.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libsepol/cil/src/cil_build_ast.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 9c34be23..eccb331b 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -5668,10 +5668,10 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
goto exit;
}
- if (strchr(addr_node->data, '.') != NULL) {
- addr->family = AF_INET;
- } else {
+ if (strchr(addr_node->data, ':') != NULL) {
addr->family = AF_INET6;
+ } else {
+ addr->family = AF_INET;
}
rc = inet_pton(addr->family, addr_node->data, &addr->ip);
@@ -5683,7 +5683,7 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
return SEPOL_OK;
exit:
- cil_log(CIL_ERR, "Bad ip address or netmask\n");
+ cil_log(CIL_ERR, "Bad ip address or netmask: %s\n", (addr_node && addr_node->data) ? (const char *)addr_node->data : "n/a");
return rc;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/2] checkpolicy: warn on bogus IP address or netmask in nodecon statement
2021-11-30 11:00 [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding Christian Göttsche
@ 2021-11-30 11:00 ` Christian Göttsche
2021-12-09 20:31 ` James Carter
2021-12-09 20:30 ` [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding James Carter
1 sibling, 1 reply; 5+ messages in thread
From: Christian Göttsche @ 2021-11-30 11:00 UTC (permalink / raw)
To: selinux
Warn if the netmask is not contiguous or the address has host bits set,
e.g.:
127.0.0.0 255.255.245.0
127.0.0.1 255.255.255.0
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/policy_define.c | 50 +++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index d3eb6111..b2ae3263 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -5290,6 +5290,14 @@ int define_ipv4_node_context()
goto out;
}
+ if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
+ yywarn("ipv4 mask is not contiguous");
+ }
+
+ if ((~mask.s_addr & addr.s_addr) != 0) {
+ yywarn("host bits in ipv4 address set");
+ }
+
newc = malloc(sizeof(ocontext_t));
if (!newc) {
yyerror("out of memory");
@@ -5325,6 +5333,40 @@ out:
return rc;
}
+static int ipv6_is_mask_contiguous(const struct in6_addr *mask)
+{
+ int filled = 1;
+ unsigned i;
+
+ for (i = 0; i < 16; i++) {
+ if ((((~mask->s6_addr[i] & 0xFF) + 1) & (~mask->s6_addr[i] & 0xFF)) != 0) {
+ return 0;
+ }
+ if (!filled && mask->s6_addr[i] != 0) {
+ return 0;
+ }
+
+ if (filled && mask->s6_addr[i] != 0xFF) {
+ filled = 0;
+ }
+ }
+
+ return 1;
+}
+
+static int ipv6_has_host_bits_set(const struct in6_addr *addr, const struct in6_addr *mask)
+{
+ unsigned i;
+
+ for (i = 0; i < 16; i++) {
+ if ((addr->s6_addr[i] & ~mask->s6_addr[i]) != 0) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
int define_ipv6_node_context(void)
{
char *id;
@@ -5376,6 +5418,14 @@ int define_ipv6_node_context(void)
goto out;
}
+ if (!ipv6_is_mask_contiguous(&mask)) {
+ yywarn("ipv6 mask is not contiguous");
+ }
+
+ if (ipv6_has_host_bits_set(&addr, &mask)) {
+ yywarn("host bits in ipv6 address set");
+ }
+
newc = malloc(sizeof(ocontext_t));
if (!newc) {
yyerror("out of memory");
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding
2021-11-30 11:00 [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding Christian Göttsche
2021-11-30 11:00 ` [PATCH 2/2] checkpolicy: warn on bogus IP address or netmask in nodecon statement Christian Göttsche
@ 2021-12-09 20:30 ` James Carter
2021-12-17 13:57 ` James Carter
1 sibling, 1 reply; 5+ messages in thread
From: James Carter @ 2021-12-09 20:30 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Tue, Nov 30, 2021 at 4:51 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Accept IPv4 addresses embedded in IPv6, like `::ffff:127.0.0.1`.
> This allows using those in nodecon statements leading to fine grained
> access control:
>
> type=AVC msg=audit(11/29/21 20:27:44.437:419) : avc: granted { node_bind } for pid=27500 comm=intercept saddr=::ffff:127.0.0.1 src=46293 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=tcp_socket
>
> This does effect policies in the traditional language due to CIL usage
> in semodule(8).
>
> Also print on conversion failures the address in question.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> libsepol/cil/src/cil_build_ast.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> index 9c34be23..eccb331b 100644
> --- a/libsepol/cil/src/cil_build_ast.c
> +++ b/libsepol/cil/src/cil_build_ast.c
> @@ -5668,10 +5668,10 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
> goto exit;
> }
>
> - if (strchr(addr_node->data, '.') != NULL) {
> - addr->family = AF_INET;
> - } else {
> + if (strchr(addr_node->data, ':') != NULL) {
> addr->family = AF_INET6;
> + } else {
> + addr->family = AF_INET;
> }
>
> rc = inet_pton(addr->family, addr_node->data, &addr->ip);
> @@ -5683,7 +5683,7 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
> return SEPOL_OK;
>
> exit:
> - cil_log(CIL_ERR, "Bad ip address or netmask\n");
> + cil_log(CIL_ERR, "Bad ip address or netmask: %s\n", (addr_node && addr_node->data) ? (const char *)addr_node->data : "n/a");
> return rc;
> }
>
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 2/2] checkpolicy: warn on bogus IP address or netmask in nodecon statement
2021-11-30 11:00 ` [PATCH 2/2] checkpolicy: warn on bogus IP address or netmask in nodecon statement Christian Göttsche
@ 2021-12-09 20:31 ` James Carter
0 siblings, 0 replies; 5+ messages in thread
From: James Carter @ 2021-12-09 20:31 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Tue, Nov 30, 2021 at 4:50 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Warn if the netmask is not contiguous or the address has host bits set,
> e.g.:
>
> 127.0.0.0 255.255.245.0
> 127.0.0.1 255.255.255.0
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> checkpolicy/policy_define.c | 50 +++++++++++++++++++++++++++++++++++++
> 1 file changed, 50 insertions(+)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index d3eb6111..b2ae3263 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -5290,6 +5290,14 @@ int define_ipv4_node_context()
> goto out;
> }
>
> + if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
> + yywarn("ipv4 mask is not contiguous");
> + }
> +
> + if ((~mask.s_addr & addr.s_addr) != 0) {
> + yywarn("host bits in ipv4 address set");
> + }
> +
> newc = malloc(sizeof(ocontext_t));
> if (!newc) {
> yyerror("out of memory");
> @@ -5325,6 +5333,40 @@ out:
> return rc;
> }
>
> +static int ipv6_is_mask_contiguous(const struct in6_addr *mask)
> +{
> + int filled = 1;
> + unsigned i;
> +
> + for (i = 0; i < 16; i++) {
> + if ((((~mask->s6_addr[i] & 0xFF) + 1) & (~mask->s6_addr[i] & 0xFF)) != 0) {
> + return 0;
> + }
> + if (!filled && mask->s6_addr[i] != 0) {
> + return 0;
> + }
> +
> + if (filled && mask->s6_addr[i] != 0xFF) {
> + filled = 0;
> + }
> + }
> +
> + return 1;
> +}
> +
> +static int ipv6_has_host_bits_set(const struct in6_addr *addr, const struct in6_addr *mask)
> +{
> + unsigned i;
> +
> + for (i = 0; i < 16; i++) {
> + if ((addr->s6_addr[i] & ~mask->s6_addr[i]) != 0) {
> + return 1;
> + }
> + }
> +
> + return 0;
> +}
> +
> int define_ipv6_node_context(void)
> {
> char *id;
> @@ -5376,6 +5418,14 @@ int define_ipv6_node_context(void)
> goto out;
> }
>
> + if (!ipv6_is_mask_contiguous(&mask)) {
> + yywarn("ipv6 mask is not contiguous");
> + }
> +
> + if (ipv6_has_host_bits_set(&addr, &mask)) {
> + yywarn("host bits in ipv6 address set");
> + }
> +
> newc = malloc(sizeof(ocontext_t));
> if (!newc) {
> yyerror("out of memory");
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding
2021-12-09 20:30 ` [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding James Carter
@ 2021-12-17 13:57 ` James Carter
0 siblings, 0 replies; 5+ messages in thread
From: James Carter @ 2021-12-17 13:57 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Thu, Dec 9, 2021 at 3:30 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Tue, Nov 30, 2021 at 4:51 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Accept IPv4 addresses embedded in IPv6, like `::ffff:127.0.0.1`.
> > This allows using those in nodecon statements leading to fine grained
> > access control:
> >
> > type=AVC msg=audit(11/29/21 20:27:44.437:419) : avc: granted { node_bind } for pid=27500 comm=intercept saddr=::ffff:127.0.0.1 src=46293 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=tcp_socket
> >
> > This does effect policies in the traditional language due to CIL usage
> > in semodule(8).
> >
> > Also print on conversion failures the address in question.
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
Both of these have been merged.
Thanks,
Jim
> > ---
> > libsepol/cil/src/cil_build_ast.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> > index 9c34be23..eccb331b 100644
> > --- a/libsepol/cil/src/cil_build_ast.c
> > +++ b/libsepol/cil/src/cil_build_ast.c
> > @@ -5668,10 +5668,10 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
> > goto exit;
> > }
> >
> > - if (strchr(addr_node->data, '.') != NULL) {
> > - addr->family = AF_INET;
> > - } else {
> > + if (strchr(addr_node->data, ':') != NULL) {
> > addr->family = AF_INET6;
> > + } else {
> > + addr->family = AF_INET;
> > }
> >
> > rc = inet_pton(addr->family, addr_node->data, &addr->ip);
> > @@ -5683,7 +5683,7 @@ int cil_fill_ipaddr(struct cil_tree_node *addr_node, struct cil_ipaddr *addr)
> > return SEPOL_OK;
> >
> > exit:
> > - cil_log(CIL_ERR, "Bad ip address or netmask\n");
> > + cil_log(CIL_ERR, "Bad ip address or netmask: %s\n", (addr_node && addr_node->data) ? (const char *)addr_node->data : "n/a");
> > return rc;
> > }
> >
> > --
> > 2.34.1
> >
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-12-17 13:57 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-30 11:00 [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding Christian Göttsche
2021-11-30 11:00 ` [PATCH 2/2] checkpolicy: warn on bogus IP address or netmask in nodecon statement Christian Göttsche
2021-12-09 20:31 ` James Carter
2021-12-09 20:30 ` [PATCH 1/2] libsepol/cil: support IPv4/IPv6 address embedding James Carter
2021-12-17 13:57 ` James Carter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.