From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH v3 2/5] libsepol: add not-self neverallow support
Date: Sat, 4 Dec 2021 11:35:13 +0100 [thread overview]
Message-ID: <20211204103516.17375-2-cgzones@googlemail.com> (raw)
In-Reply-To: <20211204103516.17375-1-cgzones@googlemail.com>
Add support for not-self neverallow rules. These match an allow rule only for (source, target) type pairs in which the source type differs from the target type, so an allow rule whose source type is exactly its target type does not trigger them.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
- use renamed ebitmap_relative_complement(), see previous commit
- cache not-self status of avrules and add loop shortcut on target and
source type match
v2:
- do not change the value of RULE_SELF
---
libsepol/include/sepol/policydb/policydb.h | 3 +-
libsepol/src/assertion.c | 41 ++++++++++++++++++++--
2 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 4bf9f05d..11637fe8 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -285,7 +285,8 @@ typedef struct avrule {
#define AVRULE_XPERMS (AVRULE_XPERMS_ALLOWED | AVRULE_XPERMS_AUDITALLOW | \
AVRULE_XPERMS_DONTAUDIT | AVRULE_XPERMS_NEVERALLOW)
uint32_t specified;
-#define RULE_SELF 1
+#define RULE_SELF (1U << 0)
+#define RULE_NOTSELF (1U << 1)
uint32_t flags;
type_set_t stypes;
type_set_t ttypes;
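Review bot: RULE_SELF and RULE_NOTSELF become independent bits in `flags`, but nothing states that they are mutually exclusive, and the assertion code in this series tests each bit on its own, so an avrule carrying both would be treated as self in one branch and not-self in the next without any error. I would document the invariant next to the defines: `/* RULE_SELF and RULE_NOTSELF are mutually exclusive; the assertion checker tests each bit independently and does not reject a rule that sets both. */`. The avrule struct continues outside the hunk.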
diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index dd2749a0..fe6b88ae 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -216,6 +216,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
uint32_t perms;
ebitmap_t src_matches, tgt_matches, self_matches, matches;
ebitmap_node_t *snode, *tnode;
+ const int is_avrule_notself = (avrule->flags & RULE_NOTSELF) != 0;
unsigned int i, j;
if ((k->specified & AVTAB_ALLOWED) == 0)
@@ -241,7 +242,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
if (rc)
goto oom;
- if (avrule->flags == RULE_SELF) {
+ if (avrule->flags & RULE_SELF) {
rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]);
if (rc)
goto oom;
@@ -268,6 +269,8 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
ebitmap_for_each_positive_bit(&src_matches, snode, i) {
ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) {
+ if (is_avrule_notself && i == j)
+ continue;
if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
a->errors += report_assertion_extended_permissions(handle,p, avrule,
i, j, cp, perms, k, avtab);
@@ -381,6 +384,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
unsigned int i, j;
ebitmap_node_t *snode, *tnode;
class_perm_node_t *cp;
+ const int is_avrule_notself = (avrule->flags & RULE_NOTSELF) != 0;
int rc;
int ret = 1;
@@ -402,7 +406,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
if (rc)
goto oom;
- if (avrule->flags == RULE_SELF) {
+ if (avrule->flags & RULE_SELF) {
rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1],
&p->attr_type_map[k->target_type - 1]);
if (rc)
@@ -418,6 +422,18 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
}
}
+ if (is_avrule_notself) {
+ rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]);
+ if (rc)
+ goto oom;
+ rc = ebitmap_and(&self_matches, &avrule->ttypes.types, &matches);
+ if (rc)
+ goto oom;
+ rc = ebitmap_relative_complement(&tgt_matches, &self_matches);
+ if (rc)
+ goto oom;
+ }
+
if (ebitmap_is_empty(&tgt_matches))
goto exit;
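Review bot: The relative complement on `tgt_matches` removes every type in `ttypes` that is a member of both the source and the target attribute, which is broader than the exact-self exclusion the `i == j` skip later in this function already implements. For an avtab key like `allow attr attr` with attr = {t1, t2} and a not-self neverallow whose `ttypes` covers attr, `self_matches` would be {t1, t2}, `tgt_matches` would become empty, and the function would exit before ever considering the (t1, t2) pair, so the violation would go unreported; whether that case is reachable depends on how checkpolicy fills `ttypes` for `~self`, which this patch does not show. The report path in report_assertion_avtab_matches applies only the `i == j` skip, so the two paths can also disagree on which rules they flag. I would either drop the complement and rely on the pair skip alone, or add a test policy with an attribute-keyed `allow attr attr` rule against a not-self neverallow to confirm the intended result. check_assertion_extended_permissions starts and ends outside this hunk.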
@@ -426,6 +442,9 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
continue;
ebitmap_for_each_positive_bit(&src_matches, snode, i) {
ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) {
+ if (is_avrule_notself && i == j)
+ continue;
+
ret = check_assertion_extended_permissions_avtab(
avrule, avtab, i, j, k, p);
if (ret)
@@ -463,7 +482,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
if (rc == 0)
goto exit;
- if (avrule->flags == RULE_SELF) {
+ if (avrule->flags & RULE_SELF) {
/* If the neverallow uses SELF, then it is not enough that the
* neverallow's source matches the src and tgt of the rule being checked.
* It must match the same thing in the src and tgt, so AND the source
@@ -479,6 +498,22 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
ebitmap_destroy(&match);
}
+ if (avrule->flags & RULE_NOTSELF) {
+ ebitmap_t match;
+ rc = ebitmap_cpy(&match, &p->attr_type_map[k->source_type - 1]);
+ if (rc) {
+ ebitmap_destroy(&match);
+ goto oom;
+ }
+ rc = ebitmap_relative_complement(&match, &p->attr_type_map[k->target_type - 1]);
+ if (rc) {
+ ebitmap_destroy(&match);
+ goto oom;
+ }
+ rc2 = ebitmap_match_any(&avrule->ttypes.types, &match);
+ ebitmap_destroy(&match);
+ }
+
/* neverallow may have tgts even if it uses SELF */
rc = ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1]);
if (rc == 0 && rc2 == 0)
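Review bot: `rc2` is now assigned in both the RULE_SELF branch above and the new RULE_NOTSELF branch, so a rule with both bits set silently takes the not-self result, and the meaning of the set it is computed from (source-attribute members that are not target-attribute members, matched against `ttypes`) is not explained anywhere. Since `rc2 != 0` only prevents the early exit and the detailed check afterwards still decides, this is a coarse pre-filter rather than a match, and a reader cannot tell why a source-minus-target set is the right thing to compare `ttypes` against. I would add a comment above the block, e.g. `/* not-self pre-filter: keep checking if the neverallow's targets include a source-only type; the per-pair check below applies the exact self exclusion */`, and, if both flags are never meant to coexist, fold that into the condition with `else if (avrule->flags & RULE_NOTSELF)`. The `rc2` initialisation and the rest of check_assertion_avtab_match lie outside the hunk.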
--
2.34.1