From: James Carter <jwcart2@gmail.com>
To: "Christian Göttsche" <cgzones@googlemail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [RFC PATCH v3 5/5] libsepol: pass avtab to report function
Date: Mon, 6 Dec 2021 13:25:30 -0500	[thread overview]
Message-ID: <CAP+JOzTOtHbFYp0aU=w9dKcaDHxFzQFFzHqS7HRNX4LBnKE+-A@mail.gmail.com> (raw)
In-Reply-To: <20211204103516.17375-5-cgzones@googlemail.com>


On Sat, Dec 4, 2021 at 5:35 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Populate the avtab member before passing as argument to the report
> function. Without the avtab, avtab_search_node() is unable to find
> allowxperm rules and this results in false-positive reports, e.g. on:
>
>     allow TATTR1 TATTR1 : CLASS1 ioctl;
>     allowxperm TATTR1 TATTR1 : CLASS1 ioctl 0x9501;
>     neverallowxperm TYPE1 ~self : CLASS1 0x9501;
>
> Reported-by: James Carter <jwcart2@gmail.com>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

No longer getting the false positives, but now I am seeing false negatives.

allow TATTR1 TATTR1 : CLASS4 ioctl;
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9401;
neverallowxperm TATTR1 self : CLASS4 ioctl 0x9421;

These rules are being caught as they should:
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9421;
allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9421;

These rules are not being caught:
allowxperm TYPE1    self : CLASS4 ioctl 0x9421;
allowxperm TYPE1   TYPE1 : CLASS4 ioctl 0x9421;
allowxperm TYPE1  TATTR1 : CLASS4 ioctl 0x9421;
allowxperm TATTR1   self : CLASS4 ioctl 0x9421;

I've attached the policy.conf that I am testing with.

Thanks,
Jim


> ---
>  libsepol/src/assertion.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> index 4600be41..a0eebb93 100644
> --- a/libsepol/src/assertion.c
> +++ b/libsepol/src/assertion.c
> @@ -304,10 +304,12 @@ static int report_assertion_failures(sepol_handle_t *handle, policydb_t *p, avru
>         args.avrule = avrule;
>         args.errors = 0;
>
> +       args.avtab = &p->te_avtab;
>         rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args);
>         if (rc)
>                 goto oom;
>
> +       args.avtab = &p->te_cond_avtab;
>         rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args);
>         if (rc)
>                 goto oom;
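Review bot: with args.avtab reassigned before each avtab_map() call, a lookup made from report_assertion_avtab_matches() during the te_cond_avtab walk only searches the conditional table, so an allowxperm rule that lives in te_avtab (or the reverse) is not visible to that lookup; if a conditional allow rule may be covered by an unconditional allowxperm rule, the callback should search both tables rather than only args.avtab. The commit message would also benefit from one sentence saying which table the lookup is expected to hit and why it must match the table being walked; otherwise the two insertions are straightforward.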
> --
> 2.34.1
>

[-- Attachment #2: policy.conf --]
[-- Type: text/plain, Size: 9397 bytes --]

class CLASS1
class CLASS2
class CLASS3
class CLASS4
class CLASS5
class CLASS6
sid kernel
class CLASS1 { PERM1A PERM1B PERM1C PERM1D }
class CLASS2 { PERM2A PERM2B PERM2C PERM2D }
class CLASS3 { PERM3A PERM3B PERM3C PERM3D }
class CLASS4 { ioctl }
class CLASS5 { ioctl }
class CLASS6 { ioctl }
sensitivity SENS1;
dominance { SENS1 }
category CAT1;
level SENS1:CAT1;
mlsconstrain CLASS1 { PERM1A } (h1 dom h2 and l1 domby h1);
mlsvalidatetrans CLASS1 (l1 == l2 or l1 incomp l2);
attribute TATTR1;
attribute TATTR2;
type TYPE1;
type TYPE2;
type TYPE3;
typeattribute TYPE1 TATTR1, TATTR2;
typeattribute TYPE2 TATTR1, TATTR2;
typeattribute TYPE3 TATTR1;


# Test self neverallow

#allow TYPE1    self : CLASS1 PERM1A; # neverallow violation
#allow TYPE1   TYPE1 : CLASS1 PERM1A; # neverallow violation
#allow TYPE1  TATTR1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 TATTR1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 TATTR2 : CLASS1 PERM1A; # neverallow violation
neverallow TYPE1 self : CLASS1 PERM1A;

#allow TYPE1    self : CLASS1 PERM1B; # neverallow violation
#allow TYPE1   TYPE1 : CLASS1 PERM1B; # neverallow violation
#allow TYPE1  TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TATTR2 : CLASS1 PERM1B; # neverallow violation
allow TYPE1 TYPE2 : CLASS1 PERM1B; # NOT a neverallow violation
neverallow TATTR1 self : CLASS1 PERM1B;

# Test allow rule in module, neverallow in base
#allow TYPE1 self : CLASS1 PERM1C; # neverallow violation
neverallow TYPE1 self : CLASS1 PERM1C;

# Test neverallow in module, allow rule in base
#allow TYPE1 self : CLASS1 PERM1D; # neverallow violation
neverallow TYPE1 self : CLASS1 PERM1D;


# Test ~self neverallow

allow TYPE1  self : CLASS2 PERM2A; # Not neverallow violation
allow TYPE1 TYPE1 : CLASS2 PERM2A; # Not neverallow violation
#allow TYPE1   TYPE2 : CLASS2 PERM2A; # neverallow violation
#allow TYPE1  TATTR1 : CLASS2 PERM2A; # neverallow violation
#allow TATTR1 TATTR1 : CLASS2 PERM2A; # neverallow violation
#allow TATTR1 TATTR2 : CLASS2 PERM2A; # neverallow violation
neverallow TYPE1 ~self : CLASS2 PERM2A;

allow TYPE1  self : CLASS2 PERM2B; # Not neverallow violation
allow TYPE2 TYPE2 : CLASS2 PERM2B; # Not neverallow violation
#allow TYPE1   TYPE2  : CLASS2 PERM2B; # neverallow violation
#allow TYPE1  TATTR1  : CLASS2 PERM2B; # neverallow violation
#allow TATTR1 TATTR1  : CLASS2 PERM2B; # neverallow violation
#allow TATTR1 TATTR2  : CLASS2 PERM2B; # neverallow violation
neverallow TATTR1 ~self : CLASS2 PERM2B;

# Test allow rules in module, neverallow in base
allow TYPE1 self : CLASS2 PERM2C;   # Not neverallow violation
#allow TYPE1 TYPE2 : CLASS2 PERM2C; # neverallow violation
neverallow TYPE1 ~self : CLASS2 PERM2C;

# Test neverallow in module, allow rule in base
allow TYPE1 self : CLASS2 PERM2D;   # Not neverallow violation
#allow TYPE1 TYPE2 : CLASS2 PERM2D; # neverallow violation
neverallow TYPE1 ~self : CLASS2 PERM2D;


# Test -self neverallow

allow TYPE1  self : CLASS3 PERM3A; # Not neverallow violation
allow TYPE2 TYPE2 : CLASS3 PERM3A; # Not neverallow violation
#allow TYPE1   TYPE2 : CLASS3 PERM3A; # neverallow violation
#allow TYPE1  TATTR1 : CLASS3 PERM3A; # neverallow violation
#allow TATTR1 TATTR1 : CLASS3 PERM3A; # neverallow violation
#allow TATTR1 TATTR2 : CLASS3 PERM3A; # neverallow violation
neverallow TATTR1 { TATTR1 -self } : CLASS3 PERM3A;

allow TYPE1  self : CLASS3 PERM3B; # Not neverallow violation
allow TYPE2 TYPE2 : CLASS3 PERM3B; # Not neverallow violation
allow TYPE1 TYPE3 : CLASS3 PERM3B; # Not neverallow violation
#allow TYPE1   TYPE2 : CLASS3 PERM3B; # neverallow violation
#allow TYPE1  TATTR1 : CLASS3 PERM3B; # neverallow violation
#allow TATTR1 TATTR1 : CLASS3 PERM3B; # neverallow violation
#allow TATTR1 TATTR2 : CLASS3 PERM3B; # neverallow violation
neverallow TATTR1 { TATTR2 -self } : CLASS3 PERM3B;

# Test allow rules in module, neverallow in base
allow TYPE1 self : CLASS3 PERM3C; # Not neverallow violation
neverallow TATTR1 { TATTR1 -self } : CLASS3 PERM3C;

# Test neverallow in module, allow rule in base
allow TYPE1 self : CLASS3 PERM3D; # Not neverallow violation
#allow TYPE1 TYPE2 : CLASS3 PERM3D; # neverallow violation
neverallow TATTR1 { TATTR1 -self } : CLASS3 PERM3D;


# Test self neverallowxperm

allow TATTR1 TATTR1 : CLASS4 ioctl;
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9401;

#allowxperm TYPE1    self : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TYPE1   TYPE1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1   self : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9411; # neverallowxperm violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9411;

#allowxperm TYPE1    self : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE1   TYPE1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1   self : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9421; # neverallowxperm violation
allowxperm TYPE1 TYPE2 : CLASS4 ioctl 0x9421; # NOT neverallowxperm violation
neverallowxperm TATTR1 self : CLASS4 ioctl 0x9421;

# Test allowxperm rules in module, neverallowxperm in base
#allowxperm TYPE1  self : CLASS4 ioctl 0x9431; # neverallowxperm violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9431;

# Test neverallowxperm in module, allowxperm rule in base
#allowxperm TYPE1 self : CLASS4 ioctl 0x9441; # neverallowxperm violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9441;

# Test ~self neverallowxperm

allow TATTR1 TATTR1 : CLASS5 ioctl;
allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9501;

allowxperm TYPE1  self : CLASS5 ioctl 0x9511; # Not neverallowxperm violation
allowxperm TYPE1 TYPE1 : CLASS5 ioctl 0x9511; # Not neverallowxperm violation
#allowxperm TYPE1   TYPE2 : CLASS5 ioctl 0x9511; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS5 ioctl 0x9511; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9511; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS5 ioctl 0x9511; # neverallowxperm violation
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9511;

allowxperm TYPE1  self : CLASS5 ioctl 0x9521; # Not neverallowxperm violation
allowxperm TYPE2 TYPE2 : CLASS5 ioctl 0x9521; # Not neverallowxperm violation
#allowxperm TYPE1   TYPE2 : CLASS5 ioctl 0x9521; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS5 ioctl 0x9521; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9521; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS5 ioctl 0x9521; # neverallowxperm violation
neverallowxperm TATTR1 ~self : CLASS5 ioctl 0x9521;

# Test allowxperm rules in module, neverallowxperm in base
allowxperm TYPE1  self : CLASS5 ioctl 0x9531; # Not neverallowxperm violation
#allowxperm TYPE1 TYPE2 : CLASS5 ioctl 0x9531; # neverallowxperm violation
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9531;

# Test neverallowxperm in module, allowxperm rule in base
allowxperm TYPE1 self : CLASS5 ioctl 0x9541; # Not neverallowxperm violation
#allowxperm TYPE1 TYPE2 : CLASS5 ioctl 0x9541; # neverallowxperm violation
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9541;


# Test -self neverallowxperm

allow TATTR1 TATTR1 : CLASS6 ioctl;
allowxperm TATTR1 TATTR1 : CLASS6 ioctl 0x9601;

allowxperm TYPE1  self : CLASS6 ioctl 0x9611; # Not neverallowxperm violation
allowxperm TYPE2 TYPE2 : CLASS6 ioctl 0x9611; # Not neverallowxperm violation
#allowxperm TYPE1   TYPE2 : CLASS6 ioctl 0x9611; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS6 ioctl 0x9611; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS6 ioctl 0x9611; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS6 ioctl 0x9611; # neverallowxperm violation
neverallowxperm TATTR1 { TATTR1 -self } : CLASS6 ioctl 0x9611;

allowxperm TYPE1  self : CLASS6 ioctl 0x9621; # Not neverallowxperm violation
allowxperm TYPE2 TYPE2 : CLASS6 ioctl 0x9621; # Not neverallowxperm violation
allowxperm TYPE1 TYPE3 : CLASS6 ioctl 0x9621; # Not neverallowxperm violation
#allowxperm TYPE1   TYPE2 : CLASS6 ioctl 0x9621; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS6 ioctl 0x9621; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS6 ioctl 0x9621; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS6 ioctl 0x9621; # neverallowxperm violation
neverallowxperm TATTR1 { TATTR2 -self } : CLASS6 ioctl 0x9621;

# Test allowxperm rules in module, neverallowxperm in base
allowxperm TYPE1  self : CLASS6 ioctl 0x9631; # Not neverallowxperm violation
#allowxperm TYPE1 TYPE2 : CLASS6 ioctl 0x9631; # neverallowxperm violation
neverallowxperm TYPE1 ~self : CLASS6 ioctl 0x9631;

# Test neverallowxperm in module, allowxperm rule in base
allowxperm TYPE1 self : CLASS6 ioctl 0x9641; # Not neverallowxperm violation
#allowxperm TYPE1 TYPE2 : CLASS6 ioctl 0x9641; # neverallowxperm violation
neverallowxperm TYPE1 ~self : CLASS6 ioctl 0x9641;


role ROLE1;
role ROLE1 types TYPE1;
user USER1 roles ROLE1 level SENS1 range SENS1 - SENS1:CAT1;
sid kernel USER1:ROLE1:TYPE1:SENS1 - SENS1
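As an added illustration, not code from this thread or from libsepol: a small Python model of how the `self`, `~self` and `{ ATTR -self }` targets of a neverallowxperm rule expand per source type, which is what decides whether the CLASS4, CLASS5 and CLASS6 rules in the attached policy.conf are violations. `TYPES`, `ATTRS`, `Rule`, `expand`, `pairs` and `violations` are constructed here, and ioctl xperms are simplified to sets of integers rather than libsepol's extended-permission bitmaps.

```python
# Added reference model, not libsepol code: expand the self, ~self and
# { ATTR -self } target forms of neverallowxperm rules into explicit
# (source type, target type) pairs and check allowxperm rules against them.
from typing import NamedTuple, FrozenSet

# Type/attribute membership taken from the attached policy.conf.
TYPES = {"TYPE1", "TYPE2", "TYPE3"}
ATTRS = {"TATTR1": {"TYPE1", "TYPE2", "TYPE3"}, "TATTR2": {"TYPE1", "TYPE2"}}

class Rule(NamedTuple):
    src: str                # type or attribute
    tgt: str                # type, attribute, "self", "~self" or "{ ATTR -self }"
    cls: str
    xperms: FrozenSet[int]  # ioctl command values named by the rule (simplified)

def rule(src, tgt, cls, *xperms):
    return Rule(src, tgt, cls, frozenset(xperms))

def expand(name):
    """A type names itself; an attribute names all of its member types."""
    return set(ATTRS.get(name, {name}))

def pairs(r):
    """Concrete (src, tgt) type pairs; self is resolved per source type."""
    out = set()
    tgt = r.tgt.strip("{} ")
    for s in expand(r.src):
        if tgt == "self":
            tgts = {s}
        elif tgt == "~self":
            tgts = TYPES - {s}
        elif tgt.endswith("-self"):           # e.g. "TATTR2 -self"
            tgts = expand(tgt.split()[0]) - {s}
        else:
            tgts = expand(tgt)
        out.update((s, t) for t in tgts)
    return out

def violations(allows, nevers):
    """(allow, never) pairs where the allowxperm grants a forbidden ioctl."""
    hits = []
    for never in nevers:
        forbidden = pairs(never)
        for allow in allows:
            if (allow.cls == never.cls and allow.xperms & never.xperms
                    and pairs(allow) & forbidden):
                hits.append((allow, never))
    return hits
```

With `never = rule("TATTR1", "self", "CLASS4", 0x9421)`, each of the four `allowxperm` rules listed above as not being caught yields a non-empty `violations([allow], [never])`, while `allowxperm TYPE1 TYPE2 : CLASS4 ioctl 0x9421` yields none.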
