Message ID | 20210309213640.120117-1-jwcart2@gmail.com
---|---
State | Accepted
Series | libsepol: Properly handle types associated to role attributes
On Tue, Mar 9, 2021 at 10:37 PM James Carter <jwcart2@gmail.com> wrote: > > Types associated to role attributes in optional blocks are not > associated with the roles that have that attribute. The problem > is that role_fix_callback is called before the avrule_decls are > walked. > > Example/ > class CLASS1 > sid kernel > class CLASS1 { PERM1 } > type TYPE1; > type TYPE1A; > allow TYPE1 self : CLASS1 PERM1; > attribute_role ROLE_ATTR1A; > role ROLE1; > role ROLE1A; > roleattribute ROLE1A ROLE_ATTR1A; > role ROLE1 types TYPE1; > optional { > require { > class CLASS1 PERM1; > } > role ROLE_ATTR1A types TYPE1A; > } > user USER1 roles ROLE1; > sid kernel USER1:ROLE1:TYPE1 > > In this example ROLE1A will not have TYPE1A associated to it. > > Call role_fix_callback() after the avrule_decls are walked. > > Signed-off-by: James Carter <jwcart2@gmail.com> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> Thanks! Nicolas > --- > libsepol/src/expand.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > index eac7e450..1ee3e48f 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -3017,10 +3017,6 @@ int expand_module(sepol_handle_t * handle, > if (hashtab_map(state.base->p_roles.table, > role_bounds_copy_callback, &state)) > goto cleanup; > - /* escalate the type_set_t in a role attribute to all regular roles > - * that belongs to it. */ > - if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) > - goto cleanup; > > /* copy MLS's sensitivity level and categories - this needs to be done > * before expanding users (they need to be indexed too) */ 
> @@ -3086,6 +3082,11 @@ int expand_module(sepol_handle_t * handle, > goto cleanup; > } > > + /* escalate the type_set_t in a role attribute to all regular roles > + * that belongs to it. */ > + if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) > + goto cleanup; > + > if (copy_and_expand_avrule_block(&state) < 0) { > ERR(handle, "Error during expand"); > goto cleanup; > -- > 2.26.2 >
On Sun, Mar 14, 2021 at 8:44 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > On Tue, Mar 9, 2021 at 10:37 PM James Carter <jwcart2@gmail.com> wrote: > > > > Types associated to role attributes in optional blocks are not > > associated with the roles that have that attribute. The problem > > is that role_fix_callback is called before the avrule_decls are > > walked. > > > > Example/ > > class CLASS1 > > sid kernel > > class CLASS1 { PERM1 } > > type TYPE1; > > type TYPE1A; > > allow TYPE1 self : CLASS1 PERM1; > > attribute_role ROLE_ATTR1A; > > role ROLE1; > > role ROLE1A; > > roleattribute ROLE1A ROLE_ATTR1A; > > role ROLE1 types TYPE1; > > optional { > > require { > > class CLASS1 PERM1; > > } > > role ROLE_ATTR1A types TYPE1A; > > } > > user USER1 roles ROLE1; > > sid kernel USER1:ROLE1:TYPE1 > > > > In this example ROLE1A will not have TYPE1A associated to it. > > > > Call role_fix_callback() after the avrule_decls are walked. > > > > Signed-off-by: James Carter <jwcart2@gmail.com> > > Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> Merged. Thanks! Nicolas > > --- > > libsepol/src/expand.c | 9 +++++---- > > 1 file changed, 5 insertions(+), 4 deletions(-) > > > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > > index eac7e450..1ee3e48f 100644 > > --- a/libsepol/src/expand.c > > +++ b/libsepol/src/expand.c > > @@ -3017,10 +3017,6 @@ int expand_module(sepol_handle_t * handle, > > if (hashtab_map(state.base->p_roles.table, > > role_bounds_copy_callback, &state)) > > goto cleanup; > > - /* escalate the type_set_t in a role attribute to all regular roles > > - * that belongs to it. */ > > - if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) > > - goto cleanup; > > > > /* copy MLS's sensitivity level and categories - this needs to be done > > * before expanding users (they need to be indexed too) */ 
> > @@ -3086,6 +3082,11 @@ int expand_module(sepol_handle_t * handle, > > goto cleanup; > > } > > > > + /* escalate the type_set_t in a role attribute to all regular roles > > + * that belongs to it. */ > > + if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) > > + goto cleanup; > > + > > if (copy_and_expand_avrule_block(&state) < 0) { > > ERR(handle, "Error during expand"); > > goto cleanup; > > -- > > 2.26.2 > >
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index eac7e450..1ee3e48f 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -3017,10 +3017,6 @@ int expand_module(sepol_handle_t * handle, if (hashtab_map(state.base->p_roles.table, role_bounds_copy_callback, &state)) goto cleanup; - /* escalate the type_set_t in a role attribute to all regular roles - * that belongs to it. */ - if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) - goto cleanup; /* copy MLS's sensitivity level and categories - this needs to be done * before expanding users (they need to be indexed too) */ @@ -3086,6 +3082,11 @@ int expand_module(sepol_handle_t * handle, goto cleanup; } + /* escalate the type_set_t in a role attribute to all regular roles + * that belongs to it. */ + if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) + goto cleanup; + if (copy_and_expand_avrule_block(&state) < 0) { ERR(handle, "Error during expand"); goto cleanup;
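Review bot: removing the role_fix_callback call at this point (first hunk) means role_bounds_copy_callback, the MLS sensitivity/category copy and the user expansion mentioned in the trailing context comment now all run before any role has its attribute types escalated; the commit message should say that none of those steps reads a role's expanded type set, otherwise the move silently changes their input. If that holds, moving the call is the right fix for the optional-block case the message describes, since the escalation can only be correct once every enabled decl has contributed to the attribute's type_set_t.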
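Review bot: the new call site in the second hunk sits directly before copy_and_expand_avrule_block(), but the hunk itself does not show the avrule_decls walk the commit message relies on, so extend the moved comment to state the ordering constraint explicitly, e.g. "must run after the avrule_decls have been walked so that role types from optional blocks are included"; that keeps a future reorder from reintroducing the bug. While rewriting the comment, also fix the grammar it carries over from the old site: "all regular roles that belongs to it" should read "that belong to it".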
Types associated to role attributes in optional blocks are not
associated with the roles that have that attribute. The problem
is that role_fix_callback is called before the avrule_decls are
walked.

Example:
class CLASS1
sid kernel
class CLASS1 { PERM1 }
type TYPE1;
type TYPE1A;
allow TYPE1 self : CLASS1 PERM1;
attribute_role ROLE_ATTR1A;
role ROLE1;
role ROLE1A;
roleattribute ROLE1A ROLE_ATTR1A;
role ROLE1 types TYPE1;
optional {
require {
class CLASS1 PERM1;
}
role ROLE_ATTR1A types TYPE1A;
}
user USER1 roles ROLE1;
sid kernel USER1:ROLE1:TYPE1

In this example ROLE1A will not have TYPE1A associated to it.

Call role_fix_callback() after the avrule_decls are walked.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/src/expand.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
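The ordering bug the commit message describes, as a toy C model added here (not libsepol's code or data structures; the type bitmaps and the expand_role1a(), walk_decls() and role_fix() helpers are my own simplification of expand_module()): the attribute's type set is only complete after every enabled decl, optional blocks included, has been walked, so escalating it to member roles before that walk leaves TYPE1A off ROLE1A.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Toy model of the expansion ordering (not libsepol's data structures). */
enum { TYPE1 = 1u << 0, TYPE1A = 1u << 1 };                /* type bitmaps */
enum { ROLE1 = 0, ROLE1A = 1, ROLE_ATTR1A = 2, NROLES = 3 };

struct role {
    bool is_attr;      /* attribute_role vs regular role */
    uint32_t types;    /* type_set_t: types the role may run as */
    uint32_t members;  /* attributes only: bitmap of regular roles carrying it */
};
/* A "role R types T" statement found in a decl (global or optional). */
struct role_types_rule { int role; uint32_t types; bool in_optional; };

/* Walking the avrule_decls folds each enabled decl's role-type rules into the
 * role table; an optional decl contributes only when its require is satisfied. */
static void walk_decls(struct role *roles, const struct role_types_rule *rules,
                       size_t n, bool optional_enabled)
{
    for (size_t i = 0; i < n; i++)
        if (!rules[i].in_optional || optional_enabled)
            roles[rules[i].role].types |= rules[i].types;
}
/* role_fix_callback: escalate each attribute's type set to its member roles. */
static void role_fix(struct role *roles)
{
    for (int a = 0; a < NROLES; a++) {
        if (!roles[a].is_attr) continue;
        for (int r = 0; r < NROLES; r++)
            if (roles[a].members & (1u << r))
                roles[r].types |= roles[a].types;
    }
}
/* Expanded type set of ROLE1A for the commit's example policy. fix_after_walk
 * selects the pre-patch (false) or patched (true) order of expand_module(). */
uint32_t expand_role1a(bool fix_after_walk, bool optional_enabled)
{
    struct role roles[NROLES] = {
        [ROLE1]       = { false, TYPE1, 0 },        /* role ROLE1 types TYPE1; */
        [ROLE1A]      = { false, 0, 0 },
        [ROLE_ATTR1A] = { true,  0, 1u << ROLE1A }, /* roleattribute ROLE1A ROLE_ATTR1A; */
    };
    const struct role_types_rule rules[] = {
        { ROLE_ATTR1A, TYPE1A, true },  /* role ROLE_ATTR1A types TYPE1A; inside optional { } */
    };
    if (!fix_after_walk) role_fix(roles);       /* old order: escalate before the walk */
    walk_decls(roles, rules, 1, optional_enabled);
    if (fix_after_walk) role_fix(roles);        /* patched order: escalate after the walk */
    return roles[ROLE1A].types;
}
```

With the old order ROLE1A ends up with an empty type set even though the optional block is enabled; with the patched order it receives TYPE1A, and a disabled optional block correctly contributes nothing in either case.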