selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH v4 0/6] not-self neverallow support
Date: Fri, 25 Nov 2022 16:49:46 +0100	[thread overview]
Message-ID: <20221125154952.20910-1-cgzones@googlemail.com> (raw)

Add support for using negated or complemented self in the target type of
neverallow rules.

Some Refpolicy examples:

    neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *;
    neverallow domain { domain -self -dockerc_t }:dir create;
    # no violations

    neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write };

    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

    neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write };

    libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

Using negated self in a complement, `~{ domain -self }`, is not supported.

Initial CIL support in the form of

    (allow TYPE1 notself (CLASS (PERM)))
    (allow TYPE1 minusself (CLASS (PERM)))

is included from a patchset by James Carter.

More complex targets are not yet supported in CIL and generating a CIL
policy file from modular policies including such rules will fail with an
appropriate message.


RFC v3: https://lore.kernel.org/selinux/20211204103516.17375-2-cgzones@googlemail.com/
Improved rebase and initial CIL work by James Carter: https://lore.kernel.org/selinux/20220111220823.596065-1-jwcart2@gmail.com/

Christian Göttsche (5):
  libsepol: Add not self support for neverallow rules
  checkpolicy: add not-self neverallow support
  libsepol/tests: add tests for not self neverallow rules
  libsepol/tests: add tests for minus self neverallow rules
  libsepol: update CIL generation for trivial not-self rules

James Carter (1):
  libsepol/cil: Add notself and minusself support to CIL

 checkpolicy/policy_define.c                   |  46 ++-
 checkpolicy/test/dismod.c                     |   6 +-
 libsepol/cil/src/cil.c                        |  12 +
 libsepol/cil/src/cil_binary.c                 |  91 ++++-
 libsepol/cil/src/cil_build_ast.c              |  10 +-
 libsepol/cil/src/cil_find.c                   | 206 ++++++++--
 libsepol/cil/src/cil_internal.h               |   4 +
 libsepol/cil/src/cil_resolve_ast.c            |   4 +
 libsepol/cil/src/cil_verify.c                 |   3 +-
 libsepol/include/sepol/policydb/policydb.h    |   3 +-
 libsepol/src/assertion.c                      | 144 +++++--
 libsepol/src/module_to_cil.c                  |  30 +-
 libsepol/src/policydb_validate.c              |   9 +
 .../test-neverallow/policy_minus_self.conf    | 369 +++++++++++++++++
 .../test-neverallow/policy_not_self.conf      | 370 ++++++++++++++++++
 libsepol/tests/test-neverallow.c              | 149 +++++++
 16 files changed, 1388 insertions(+), 68 deletions(-)
 create mode 100644 libsepol/tests/policies/test-neverallow/policy_minus_self.conf
 create mode 100644 libsepol/tests/policies/test-neverallow/policy_not_self.conf

-- 
2.38.1


             reply	other threads:[~2022-11-25 15:50 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-25 15:49 Christian Göttsche [this message]
2022-11-25 15:49 ` [RFC PATCH v4 1/6] libsepol: Add not self support for neverallow rules Christian Göttsche
2023-03-01 14:30   ` James Carter
2023-03-30 19:41     ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 2/6] libsepol/cil: Add notself and minusself support to CIL Christian Göttsche
2023-03-01 14:32   ` James Carter
2023-03-21 15:54     ` Petr Lautrbach
2023-03-21 17:42       ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 3/6] checkpolicy: add not-self neverallow support Christian Göttsche
2023-03-01 14:32   ` James Carter
2023-03-30 19:42     ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 4/6] libsepol/tests: add tests for not self neverallow rules Christian Göttsche
2023-03-01 14:33   ` James Carter
2023-03-30 19:42     ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 5/6] libsepol/tests: add tests for minus " Christian Göttsche
2023-03-01 14:33   ` James Carter
2023-03-30 19:43     ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 6/6] libsepol: update CIL generation for trivial not-self rules Christian Göttsche
2023-03-01 14:35   ` James Carter
2023-03-30 19:44     ` James Carter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221125154952.20910-1-cgzones@googlemail.com \
    --to=cgzones@googlemail.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).