From: James Carter <jwcart2@gmail.com>
To: selinux@vger.kernel.org
Cc: cgzones@googlemail.com, James Carter <jwcart2@gmail.com>
Subject: [PATCH 06/16 v2] libsepol: Move check of target types to before check for self
Date: Tue, 11 Jan 2022 16:54:36 -0500	[thread overview]
Message-ID: <20220111215446.595516-7-jwcart2@gmail.com> (raw)
In-Reply-To: <20220111215446.595516-1-jwcart2@gmail.com>

If a neverallow has target types as well as using self and a match
is found with the target types, then self does not even need to
be checked, since the rule is already in violation of the assertion.

So move the check for a match of the target types before dealing with
self.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/assertion.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index bd0dc4ed..7a1c4a5e 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -457,26 +457,28 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
 	if (!ebitmap_match_any(&avrule->stypes.types, &p->attr_type_map[k->source_type - 1]))
 		goto nomatch;
 
-	if (avrule->flags == RULE_SELF) {
-		/* If the neverallow uses SELF, then it is not enough that the
-		 * neverallow's source matches the src and tgt of the rule being checked.
-		 * It must match the same thing in the src and tgt, so AND the source
-		 * and target together and check for a match on the result.
-		 */
-		ebitmap_t match;
-		rc = ebitmap_and(&match, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1] );
-		if (rc) {
-			ebitmap_destroy(&match);
-			goto oom;
-		}
-		rc2 = ebitmap_match_any(&avrule->stypes.types, &match);
-		ebitmap_destroy(&match);
-	}
-
 	/* neverallow may have tgts even if it uses SELF */
 	if (!ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1])) {
-		if (rc2 == 0)
+		if (avrule->flags == RULE_SELF) {
+			/* If the neverallow uses SELF, then it is not enough that the
+			 * neverallow's source matches the src and tgt of the rule being checked.
+			 * It must match the same thing in the src and tgt, so AND the source
+			 * and target together and check for a match on the result.
+			 */
+			ebitmap_t match;
+			rc = ebitmap_and(&match, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1] );
+			if (rc) {
+				ebitmap_destroy(&match);
+				goto oom;
+			}
+			if (!ebitmap_match_any(&avrule->stypes.types, &match)) {
+				ebitmap_destroy(&match);
+				goto nomatch;
+			}
+			ebitmap_destroy(&match);
+		} else {
 			goto nomatch;
+		}
 	}
 
 	if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
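Review bot: `rc2` loses its only visible assignment in this hunk (the removed `rc2 = ebitmap_match_any(&avrule->stypes.types, &match);`), so unless it is still read elsewhere in check_assertion_avtab_match() its declaration should be dropped in the same patch to avoid a set-but-unused warning. The reordering itself is sound: the source/target intersection is now built only when the target types already fail to match, which removes the wasted ebitmap_and() and its oom path for rules that the target types alone reject, and the result is unchanged in every combination because a target-type match previously continued regardless of rc2. Two smaller points: ebitmap_destroy(&match) is now repeated on three paths inside the RULE_SELF block, which makes it a natural candidate for a helper (07/16 in this series does exactly that), and the moved line keeps the stray space in `&p->attr_type_map[k->target_type - 1] );` while the context line above it uses `k->target_type -1`, so it would be worth normalizing the spacing while these lines are being touched.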
-- 
2.31.1


Thread overview:
2022-01-11 21:54 [PATCH 00/16 v2] Refactor and fix assertion checking James Carter
2022-01-11 21:54 ` [PATCH 01/16 v2] libsepol: Return an error if check_assertion() returns an error James Carter
2022-01-11 21:54 ` [PATCH 02/16 v2] libsepol: Change label in check_assertion_avtab_match() James Carter
2022-01-11 21:54 ` [PATCH 03/16 v2] libsepol: Remove uneeded error messages in assertion checking James Carter
2022-01-11 21:54 ` [PATCH 04/16 v2] libsepol: Check for error from check_assertion_extended_permissions() James Carter
2022-01-11 21:54 ` [PATCH 05/16 v2] libsepol: Use consistent return checking style James Carter
2022-01-11 21:54 ` James Carter [this message]
2022-01-11 21:54 ` [PATCH 07/16 v2] libsepol: Create function check_assertion_self_match() and use it James Carter
2022-01-11 21:54 ` [PATCH 08/16 v2] libsepol: Use (rc < 0) instead of (rc) when calling ebitmap functions James Carter
2022-01-11 21:54 ` [PATCH 09/16 v2] libsepol: Remove unnessesary check for matching class James Carter
2022-01-11 21:54 ` [PATCH 10/16 v2] libsepol: Move assigning outer loop index out of inner loop James Carter
2022-01-11 21:54 ` [PATCH 11/16 v2] libsepol: Make use of previously created ebitmap when checking self James Carter
2022-01-11 21:54 ` [PATCH 12/16 v2] libsepol: Refactor match_any_class_permissions() to be clearer James Carter
2022-01-11 21:54 ` [PATCH 13/16 v2] libsepol: Make return value clearer when reporting neverallowx errors James Carter
2022-01-11 21:54 ` [PATCH 14/16 v2] libsepol: The src and tgt must be the same if neverallow uses self James Carter
2022-01-11 21:54 ` [PATCH 15/16 v2] libsepol: Set args avtab pointer when reporting assertion violations James Carter
2022-01-11 21:54 ` [PATCH 16/16 v2] libsepol: Fix two problems with neverallowxperm reporting James Carter
2022-02-18 21:16 ` [PATCH 00/16 v2] Refactor and fix assertion checking James Carter
2022-02-24 21:07   ` James Carter
