selinux.vger.kernel.org archive mirror
* any reason why a class mapping is not able to solve permissionx?
@ 2020-01-17 17:34 Dominick Grift
  2020-01-17 18:24 ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2020-01-17 17:34 UTC (permalink / raw)
  To: selinux

For example this:

(permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
(classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
(classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)

(allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR))) 

Says:

<snip>
Building AST from Parse Tree
Destroying Parse Tree
Resolving AST
Failed to resolve classmapping statement at policy/base/class_maps.cil:994
Problem at policy/base/class_maps.cil:994
Pass 14 of resolution failed
Failed to resolve ast
Failed to compile cildb: -2
make: *** [Makefile:30: policy.32] Error 254

Am I doing something wrong, or is this unsupported?

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: any reason why a class mapping is not able to solve permissionx?
  2020-01-17 17:34 any reason why a class mapping is not able to solve permissionx? Dominick Grift
@ 2020-01-17 18:24 ` Dominick Grift
  2020-01-17 18:36   ` [Non-DoD Source] " jwcart2
  2020-01-21 16:26   ` jwcart2
  0 siblings, 2 replies; 6+ messages in thread
From: Dominick Grift @ 2020-01-17 18:24 UTC (permalink / raw)
  To: selinux

On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
> For example this:
> 
> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)
> 
> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR))) 
> 
> Says:
> 
> <snip>
> Building AST from Parse Tree
> Destroying Parse Tree
> Resolving AST
> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
> Problem at policy/base/class_maps.cil:994
> Pass 14 of resolution failed
> Failed to resolve ast
> Failed to compile cildb: -2
> make: *** [Makefile:30: policy.32] Error 254
> 
> Am I doing something wrong, or is this unsupported?

Are we supposed to be able to use allowx rules in macros?

This works when the tunable is set false:

(tunable no_mac_addr true)

(block bla1
        (blockinherit system_agent_template)

        (macro stuff ((type ARG1))
                (tunableif no_mac_addr
                  (true
                      (allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
                      (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
                  (false
                      (allow ARG1 self create_tcp_stream_socket_perms)))))

(block blah2
        (blockinherit system_agent_template)

        (call bla1.stuff (subj)))

But when the tunable is set true:
<snip>
Building AST from Parse Tree
Destroying Parse Tree
Resolving AST
make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: [Non-DoD Source] Re: any reason why a class mapping is not able to solve permissionx?
  2020-01-17 18:24 ` Dominick Grift
@ 2020-01-17 18:36   ` jwcart2
  2020-01-21 16:26   ` jwcart2
  1 sibling, 0 replies; 6+ messages in thread
From: jwcart2 @ 2020-01-17 18:36 UTC (permalink / raw)
  To: Dominick Grift, selinux

On 1/17/20 1:24 PM, Dominick Grift wrote:
> On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
>> For example this:
>>
>> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
>> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
>> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)
>>
>> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
>>
>> Says:
>>
>> <snip>
>> Building AST from Parse Tree
>> Destroying Parse Tree
>> Resolving AST
>> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
>> Problem at policy/base/class_maps.cil:994
>> Pass 14 of resolution failed
>> Failed to resolve ast
>> Failed to compile cildb: -2
>> make: *** [Makefile:30: policy.32] Error 254
>>
>> Am I doing something wrong, or is this unsupported?
> 

Class maps only support normal permissions; they do not support extended 
permissions.

> Are we supposed to be able to use allowx rules in macros?
> 

allowx rules are allowed in macros. I will see if I can reproduce the error 
below and figure out what's going wrong.

Jim

> This works when the tunable is set false:
> 
> (tunable no_mac_addr true)
> 
> (block bla1
>          (blockinherit system_agent_template)
> 
>          (macro stuff ((type ARG1))
>                  (tunableif no_mac_addr
>                    (true
>                        (allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
>                        (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
>                    (false
>                        (allow ARG1 self create_tcp_stream_socket_perms)))))
> 
> (block blah2
>          (blockinherit system_agent_template)
> 
>          (call bla1.stuff (subj)))
> 
> But when the tunable is set true:
> <snip>
> Building AST from Parse Tree
> Destroying Parse Tree
> Resolving AST
> make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
> 


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

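The following is an added example, not part of the thread and not code from secilc, libsepol or the kernel, that models the two points made above in practice: how a permissionx expression such as (and (all) (not (0x8927))) reduces to a set over the 16-bit ioctl xperm space, how an allowx rule then filters ioctl commands once the ordinary ioctl permission has been granted, and how to emit the per-class permissionx/allowx pairs that a classmap cannot carry. The function names and the small s-expression parser are this example's own; the documented behaviour it mirrors is that the kernel matches only the low 16 bits of the ioctl command (driver byte, function byte), that without an allowx rule for a source/target/class every ioctl passes, and that with one only the listed values do. The sample expressions and class names are constructed from the ones in the thread.

```python
"""Model of CIL ioctl extended-permission (permissionx) evaluation and of the
per-class rules a classmap cannot express.  Added example; not project code."""
import operator

SIOCGIFHWADDR = 0x8927        # the ioctl excluded in the thread (linux/sockios.h)
XPERM_SPACE = 1 << 16         # ioctl xperms are keyed by the low 16 bits of cmd
ALL_XPERMS = (1 << XPERM_SPACE) - 1   # one bit per xperm value

_BINOPS = {"and": operator.and_, "or": operator.or_, "xor": operator.xor}


def tokenize(text):
    """Split a CIL s-expression into '(', ')' and atom tokens."""
    return text.replace("(", " ( ").replace(")", " ) ").split()


def parse(tokens):
    """Consume tokens and return nested lists of atoms."""
    tok = tokens.pop(0)
    if tok == "(":
        items = []
        while tokens[0] != ")":
            items.append(parse(tokens))
        tokens.pop(0)                  # drop the closing ')'
        return items
    if tok == ")":
        raise ValueError("unbalanced ')'")
    return tok


def _value(tok):
    v = int(tok, 16)                   # CIL writes xperm values in hex
    if not 0 <= v < XPERM_SPACE:
        raise ValueError(f"xperm {tok} outside the 16-bit ioctl space")
    return v


def evaluate(node):
    """Reduce a parsed expression to a 65536-bit mask.  Handles the CIL forms:
    hex values, (all), (range lo hi), (and ..), (or ..), (xor ..), (not ..)
    and a bare list of values such as (0x8927)."""
    if isinstance(node, str):
        return 1 << _value(node)
    if not node:
        raise ValueError("empty expression")
    head = node[0]
    if head == "all":
        return ALL_XPERMS
    if head == "range":
        lo, hi = _value(node[1]), _value(node[2])
        if lo > hi:
            raise ValueError("range low above high")
        return ((1 << (hi - lo + 1)) - 1) << lo
    if head == "not":
        return ALL_XPERMS & ~evaluate(node[1])
    if head in _BINOPS:
        masks = [evaluate(n) for n in node[1:]]
        acc = masks[0]
        for m in masks[1:]:
            acc = _BINOPS[head](acc, m)
        return acc
    acc = 0                            # plain value list: union of its members
    for n in node:
        acc |= evaluate(n)
    return acc


def xperm_mask(expr_text):
    """Parse and evaluate one CIL xperm expression."""
    tokens = tokenize(expr_text)
    tree = parse(tokens)
    if tokens:
        raise ValueError("trailing tokens after expression")
    return evaluate(tree)


def xperm_count(mask):
    return bin(mask).count("1")


def ioctl_allowed(cmd, base_ioctl_allowed, mask=None):
    """Documented allowx semantics: the ordinary 'ioctl' permission must be
    granted first; with no allowx rule for the triple every ioctl then passes;
    with one, only the low 16 bits of cmd are checked, so the direction and
    size bits of a full ioctl request number play no part."""
    if not base_ioctl_allowed:
        return False
    if mask is None:
        return True
    return bool((mask >> (cmd & 0xFFFF)) & 1)


def per_class_rules(src, tgt, classes, expr_text, suffix):
    """A classmap cannot carry a permissionx, so declare one per concrete
    class.  Returns the permissionx and allowx lines for each class; the
    ordinary (allow src tgt (cls (ioctl))) rule is still needed alongside."""
    rules = []
    for cls in classes:
        name = f"{cls}_{suffix}"
        rules.append(f"(permissionx {name} (ioctl {cls} {expr_text}))")
        rules.append(f"(allowx {src} {tgt} {name})")
    return rules
```

Calling xperm_mask("(and (all) (not (0x8927)))") yields a set with 65535 members, and ioctl_allowed(0x40048927, True, mask) is False because only the low 16 bits are compared; per_class_rules("a", "self", ["tcp_socket", "alg_socket"], "(and (all) (not (0x8927)))", "ioctl_except_SIOCGIFHWADDR") reproduces the permissionx line from the first message for alg_socket and adds the tcp_socket twin, which is the shape a macro or a small generator has to take in place of the classmapping that failed to resolve.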

* Re: [Non-DoD Source] Re: any reason why a class mapping is not able to solve permissionx?
  2020-01-17 18:24 ` Dominick Grift
  2020-01-17 18:36   ` [Non-DoD Source] " jwcart2
@ 2020-01-21 16:26   ` jwcart2
  2020-01-23 20:41     ` jwcart2
  1 sibling, 1 reply; 6+ messages in thread
From: jwcart2 @ 2020-01-21 16:26 UTC (permalink / raw)
  To: Dominick Grift, selinux

On 1/17/20 1:24 PM, Dominick Grift wrote:
> On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
>> For example this:
>>
>> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
>> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
>> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)
>>
>> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
>>
>> Says:
>>
>> <snip>
>> Building AST from Parse Tree
>> Destroying Parse Tree
>> Resolving AST
>> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
>> Problem at policy/base/class_maps.cil:994
>> Pass 14 of resolution failed
>> Failed to resolve ast
>> Failed to compile cildb: -2
>> make: *** [Makefile:30: policy.32] Error 254
>>
>> Am I doing something wrong, or is this unsupported?
> 
> Are we supposed to be able to use allowx rules in macros?
> 

Yes, allowx rules can be used in macros.

> This works when the tunable is set false:
> 
> (tunable no_mac_addr true)
> 
> (block bla1
>          (blockinherit system_agent_template)
> 
>          (macro stuff ((type ARG1))
>                  (tunableif no_mac_addr
>                    (true
>                        (allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
>                        (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
>                    (false
>                        (allow ARG1 self create_tcp_stream_socket_perms)))))
> 
> (block blah2
>          (blockinherit system_agent_template)
> 
>          (call bla1.stuff (subj)))
> 
> But when the tunable is set true:
> <snip>
> Building AST from Parse Tree
> Destroying Parse Tree
> Resolving AST
> make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
> 

Still trying to figure out the exact issue, but it is the use of the named 
permissionx that is causing the seg fault.

Jim

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* Re: [Non-DoD Source] Re: any reason why a class mapping is not able to solve permissionx?
  2020-01-21 16:26   ` jwcart2
@ 2020-01-23 20:41     ` jwcart2
  2020-01-23 21:15       ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: jwcart2 @ 2020-01-23 20:41 UTC (permalink / raw)
  To: Dominick Grift, selinux

On 1/21/20 11:26 AM, jwcart2 wrote:
> On 1/17/20 1:24 PM, Dominick Grift wrote:
>> On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
>>> For example this:
>>>
>>> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and 
>>> (all) (not (0x8927)))))
>>> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
>>> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR 
>>> alg_socket_ioctl_except_SIOCGIFHWADDR)
>>>
>>> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
>>>
>>> Says:
>>>
>>> <snip>
>>> Building AST from Parse Tree
>>> Destroying Parse Tree
>>> Resolving AST
>>> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
>>> Problem at policy/base/class_maps.cil:994
>>> Pass 14 of resolution failed
>>> Failed to resolve ast
>>> Failed to compile cildb: -2
>>> make: *** [Makefile:30: policy.32] Error 254
>>>
>>> Am I doing something wrong, or is this unsupported?
>>
>> Are we supposed to be able to use allowx rules in macros?
>>
> 
> Yes, allowx rules can be used in macros.
> 
>> This works when the tunable is set false:
>>
>> (tunable no_mac_addr true)
>>
>> (block bla1
>>          (blockinherit system_agent_template)
>>
>>          (macro stuff ((type ARG1))
>>                  (tunableif no_mac_addr
>>                    (true
>>                        (allow ARG1 self 
>> create_except_ioctl_tcp_stream_socket_perms)
>>                        (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
>>                    (false
>>                        (allow ARG1 self create_tcp_stream_socket_perms)))))
>>
>> (block blah2
>>          (blockinherit system_agent_template)
>>
>>          (call bla1.stuff (subj)))
>>
>> But when the tunable is set true:
>> <snip>
>> Building AST from Parse Tree
>> Destroying Parse Tree
>> Resolving AST
>> make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
>>
> 
> Still trying to figure out the exact issue, but it is the use of the named 
> permissionx that is causing the seg fault.
> 

There was an error in the code to copy a permissionx. I sent a patch to the list 
to fix this issue.

Jim

> Jim
> 


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* Re: [Non-DoD Source] Re: any reason why a class mapping is not able to solve permissionx?
  2020-01-23 20:41     ` jwcart2
@ 2020-01-23 21:15       ` Dominick Grift
  0 siblings, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2020-01-23 21:15 UTC (permalink / raw)
  To: jwcart2; +Cc: selinux


On Thu, Jan 23, 2020 at 03:41:30PM -0500, jwcart2 wrote:
> On 1/21/20 11:26 AM, jwcart2 wrote:
> > On 1/17/20 1:24 PM, Dominick Grift wrote:
> > > On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
> > > > For example this:
> > > > 
> > > > (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl
> > > > alg_socket (and (all) (not (0x8927)))))
> > > > (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
> > > > (classmapping all_sockets ioctl_except_SIOCGIFHWADDR
> > > > alg_socket_ioctl_except_SIOCGIFHWADDR)
> > > > 
> > > > (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
> > > > 
> > > > Says:
> > > > 
> > > > <snip>
> > > > Building AST from Parse Tree
> > > > Destroying Parse Tree
> > > > Resolving AST
> > > > Failed to resolve classmapping statement at policy/base/class_maps.cil:994
> > > > Problem at policy/base/class_maps.cil:994
> > > > Pass 14 of resolution failed
> > > > Failed to resolve ast
> > > > Failed to compile cildb: -2
> > > > make: *** [Makefile:30: policy.32] Error 254
> > > > 
> > > > Am I doing something wrong, or is this unsupported?
> > > 
> > > Are we supposed to be able to use allowx rules in macros?
> > > 
> > 
> > Yes, allowx rules can be used in macros.
> > 
> > > This works when the tunable is set false:
> > > 
> > > (tunable no_mac_addr true)
> > > 
> > > (block bla1
> > >          (blockinherit system_agent_template)
> > > 
> > >          (macro stuff ((type ARG1))
> > >                  (tunableif no_mac_addr
> > >                    (true
> > >                        (allow ARG1 self
> > > create_except_ioctl_tcp_stream_socket_perms)
> > >                        (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
> > >                    (false
> > >                        (allow ARG1 self create_tcp_stream_socket_perms)))))
> > > 
> > > (block blah2
> > >          (blockinherit system_agent_template)
> > > 
> > >          (call bla1.stuff (subj)))
> > > 
> > > But when the tunable is set true:
> > > <snip>
> > > Building AST from Parse Tree
> > > Destroying Parse Tree
> > > Resolving AST
> > > make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
> > > 
> > 
> > Still trying to figure out the exact issue, but it is the use of the
> > named permissionx that is causing the seg fault.
> > 
> 
> There was an error in the code to copy a permissionx. I sent a patch to the
> list to fix this issue.
> Jim

Thanks!

> 
> > Jim
> > 
> 
> 
> -- 
> James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift


