From patchwork Sat Nov 21 16:26:48 2015
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 7674661
From: Richard Haines
To: selinux@tycho.nsa.gov
Subject: [PATCH] libsepol: Fully expand neverallowxperm rules
Date: Sat, 21 Nov 2015 16:26:48 +0000
Message-Id: <1448123208-5557-1-git-send-email-richard_c_haines@btinternet.com>

Currently neverallowxperm rules will be resolved correctly when building policy; however, they are not detectable when using tools such as an updated version of setools. This patch will allow these to be viewed in the same way as neverallow rules are in a text-based kernel policy file (e.g. policy.conf).

Signed-off-by: Richard Haines
Acked-by: Jeff Vander Stoep
---
 libsepol/src/expand.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 9047c6d..9cb7965 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t * handle, if (handle && handle->disable_dontaudit) return EXPAND_RULE_SUCCESS; spec = AVTAB_XPERMS_DONTAUDIT; + } else if (specified & AVRULE_XPERMS_NEVERALLOW) { + spec = AVTAB_XPERMS_NEVERALLOW; } else { assert(0); /* unreachable */ } 
@@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t * handle, if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW) return EXPAND_RULE_SUCCESS; - if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW) + if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW) return EXPAND_RULE_SUCCESS; ebitmap_init(&stypes);
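Review bot: the new else-if branch in expand_avrule_helper assigns spec = AVTAB_XPERMS_NEVERALLOW, but the diffstat shows only expand.c changing, so the patch depends on that avtab specifier already being defined and already being filtered by every consumer that must never see neverallow entries, the binary kernel policy writer above all. Please state in the commit message that the flag exists in the avtab header and that the write and assertion-checking paths treat it the same way they treat AVTAB_NEVERALLOW; otherwise this branch turns a rule that was previously dropped into an avtab entry that downstream code may not expect. The placement is otherwise sound: it sits after the dontaudit case that consults handle->disable_dontaudit, and the trailing assert(0) still catches any unhandled specifier.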
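Review bot: the rewritten condition "if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW)" relies on & binding tighter than &&, which is correct but copies the readability trap of the AVRULE_NEVERALLOW line just above it; either parenthesize the bitwise test or fold the two early returns into one, e.g. "if (!do_neverallow && (source_rule->specified & (AVRULE_NEVERALLOW | AVRULE_XPERMS_NEVERALLOW))) return EXPAND_RULE_SUCCESS;". The commit message should also spell out the behavioural shift this hunk introduces: before the change an xperms neverallow was discarded here unconditionally, so with do_neverallow set these rules now reach expand_avrule_helper and land in the expanded avtab for the first time. That is what makes them visible to setools, but it also means every caller that expands with do_neverallow set now receives a rule type it never received before, and reviewers of those callers should know to look for it.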