From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH v4 3/6] checkpolicy: add not-self neverallow support
Date: Fri, 25 Nov 2022 16:49:49 +0100 [thread overview]
Message-ID: <20221125154952.20910-4-cgzones@googlemail.com> (raw)
In-Reply-To: <20221125154952.20910-1-cgzones@googlemail.com>
Add support for using negated or complemented self in the target type of
neverallow rules.
Some Refpolicy examples:
neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *;
neverallow domain { domain -self -dockerc_t }:dir create;
# no violations
neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create };
libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };
neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write };
libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };
Using negated self in a complement, `~{ domain -self }`, is not
supported.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/policy_define.c | 46 ++++++++++++++++++++++++++++++++-----
checkpolicy/test/dismod.c | 6 ++++-
2 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 41e44631..74f882bb 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2075,12 +2075,17 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
- if (add == 0) {
- yyerror("-self is not supported");
+ if (add == 0 && which != AVRULE_XPERMS_NEVERALLOW) {
+ yyerror("-self is only supported in neverallow and neverallowxperm rules");
+ ret = -1;
+ goto out;
+ }
+ avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF);
+ if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) {
+ yyerror("self and -self are mutual exclusive");
ret = -1;
goto out;
}
- avrule->flags |= RULE_SELF;
continue;
}
if (set_types
@@ -2091,6 +2096,18 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
}
}
+ if ((avrule->ttypes.flags & TYPE_COMP)) {
+ if (avrule->flags & RULE_NOTSELF) {
+ yyerror("-self is not supported in complements");
+ ret = -1;
+ goto out;
+ }
+ if (avrule->flags & RULE_SELF) {
+ avrule->flags &= ~RULE_SELF;
+ avrule->flags |= RULE_NOTSELF;
+ }
+ }
+
ebitmap_init(&tclasses);
ret = read_classes(&tclasses);
if (ret)
@@ -2537,12 +2554,17 @@ static int define_te_avtab_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
- if (add == 0) {
- yyerror("-self is not supported");
+ if (add == 0 && which != AVRULE_NEVERALLOW) {
+ yyerror("-self is only supported in neverallow and neverallowxperm rules");
+ ret = -1;
+ goto out;
+ }
+ avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF);
+ if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) {
+ yyerror("self and -self are mutual exclusive");
ret = -1;
goto out;
}
- avrule->flags |= RULE_SELF;
continue;
}
if (set_types
@@ -2553,6 +2575,18 @@ static int define_te_avtab_helper(int which, avrule_t ** rule)
}
}
+ if ((avrule->ttypes.flags & TYPE_COMP)) {
+ if (avrule->flags & RULE_NOTSELF) {
+ yyerror("-self is not supported in complements");
+ ret = -1;
+ goto out;
+ }
+ if (avrule->flags & RULE_SELF) {
+ avrule->flags &= ~RULE_SELF;
+ avrule->flags |= RULE_NOTSELF;
+ }
+ }
+
ebitmap_init(&tclasses);
ret = read_classes(&tclasses);
if (ret)
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index ec2a3e9a..a2d74d42 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -124,7 +124,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
}
num_types = 0;
- if (flags & RULE_SELF) {
+ if (flags & (RULE_SELF | RULE_NOTSELF)) {
num_types++;
}
@@ -169,6 +169,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
fprintf(fp, " self");
}
+ if (flags & RULE_NOTSELF) {
+ fprintf(fp, " -self");
+ }
+
if (num_types > 1)
fprintf(fp, " }");
--
2.38.1
next prev parent reply other threads:[~2022-11-25 15:50 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-25 15:49 [RFC PATCH v4 0/6] not-self neverallow support Christian Göttsche
2022-11-25 15:49 ` [RFC PATCH v4 1/6] libsepol: Add not self support for neverallow rules Christian Göttsche
2023-03-01 14:30 ` James Carter
2023-03-30 19:41 ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 2/6] libsepol/cil: Add notself and minusself support to CIL Christian Göttsche
2023-03-01 14:32 ` James Carter
2023-03-21 15:54 ` Petr Lautrbach
2023-03-21 17:42 ` James Carter
2022-11-25 15:49 ` Christian Göttsche [this message]
2023-03-01 14:32 ` [RFC PATCH v4 3/6] checkpolicy: add not-self neverallow support James Carter
2023-03-30 19:42 ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 4/6] libsepol/tests: add tests for not self neverallow rules Christian Göttsche
2023-03-01 14:33 ` James Carter
2023-03-30 19:42 ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 5/6] libsepol/tests: add tests for minus " Christian Göttsche
2023-03-01 14:33 ` James Carter
2023-03-30 19:43 ` James Carter
2022-11-25 15:49 ` [RFC PATCH v4 6/6] libsepol: update CIL generation for trivial not-self rules Christian Göttsche
2023-03-01 14:35 ` James Carter
2023-03-30 19:44 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221125154952.20910-4-cgzones@googlemail.com \
--to=cgzones@googlemail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).