From patchwork Mon Dec  7 16:00:44 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Lawrence <slawrence@tresys.com>
X-Patchwork-Id: 7787691
Return-Path: <selinux-bounces@tycho.nsa.gov>
X-Original-To: patchwork-selinux@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 544269F1C2
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  7 Dec 2015 16:05:03 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 41BBD202E5
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  7 Dec 2015 16:05:02 +0000 (UTC)
Received: from emvm-gh1-uea08.nsa.gov (emvm-gh1-uea08.nsa.gov [63.239.67.9])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 36D5B202B8
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  7 Dec 2015 16:05:00 +0000 (UTC)
X-TM-IMSS-Message-ID: <3d2849110001ebb8@nsa.gov>
Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by nsa.gov
	([10.208.42.193]) with ESMTP (TREND IMSS SMTP Service 7.1) id
	3d2849110001ebb8 ; Mon, 7 Dec 2015 11:01:59 -0500
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id tB7G0t60008043;
	Mon, 7 Dec 2015 11:01:05 -0500
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	tB7G0pYA261730 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Mon, 7 Dec 2015 11:00:51 -0500
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id tB7G0pIG008035
	for <selinux@tycho.nsa.gov>; Mon, 7 Dec 2015 11:00:51 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1C8AABYrGVWl6u/HtheGQEBAg8BAQEBhEu7F4QNCReIBQEBAQEBARIBAQEBAQgWB4UxghATiC+fcKBqhlSMOgxBgTEFjSl2iEKNPI5tjgCCdBYHgXQgNIQnJYEjAQEB
X-IPAS-Result: 
 A1C8AABYrGVWl6u/HtheGQEBAg8BAQEBhEu7F4QNCReIBQEBAQEBARIBAQEBAQgWB4UxghATiC+fcKBqhlSMOgxBgTEFjSl2iEKNPI5tjgCCdBYHgXQgNIQnJYEjAQEB
X-IronPort-AV: E=Sophos;i="5.20,395,1444708800"; d="scan'208";a="5003424"
Received: from emvm-gh1-uea08.nsa.gov ([10.208.42.193])
	by goalie.tycho.ncsc.mil with ESMTP; 07 Dec 2015 11:00:48 -0500
X-TM-IMSS-Message-ID: <3d272b450001e9d5@nsa.gov>
Received: from exchange10.columbia.tresys.com (exchange10.columbia.tresys.com
	[216.30.191.171]) by nsa.gov ([10.208.42.193]) with ESMTP (TREND IMSS
	SMTP
	Service 7.1; TLSv1/SSLv3 AES256-SHA (256/256)) id 3d272b450001e9d5 ;
	Mon, 7 Dec 2015 11:00:46 -0500
Received: from amos.columbia.tresys.com (10.1.12.120) by
	Exchange10.columbia.tresys.com (192.168.243.126) with Microsoft SMTP
	Server (TLS) id 14.1.438.0; Mon, 7 Dec 2015 11:00:47 -0500
From: Steve Lawrence <slawrence@tresys.com>
To: SELinux List <selinux@tycho.nsa.gov>
Subject: [PATCH] libsepol/cil: Validate extended avrules and permissionxs
Date: Mon, 7 Dec 2015 11:00:44 -0500
Message-ID: <1449504044-11175-1-git-send-email-slawrence@tresys.com>
X-Mailer: git-send-email 2.4.3
MIME-Version: 1.0
X-TM-AS-MML: disable
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Classes used in extended avrules and permissionxs must have an "ioctl"
permission. Add validation to ensure that is the case, or print an error
message otherwise.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
---
 libsepol/cil/src/cil_verify.c | 60 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index c2d5ce9..36ec45a 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -43,6 +43,7 @@
 #include "cil_mem.h"
 #include "cil_tree.h"
 #include "cil_list.h"
+#include "cil_find.h"
 
 #include "cil_verify.h"
 
@@ -1226,6 +1227,59 @@ exit:
 	return rc;
 }
 
+int __cil_verify_permissionx(struct cil_permissionx *permx, struct cil_tree_node *node)
+{
+	int rc;
+	struct cil_list *classes = NULL;
+	struct cil_list_item *item;
+	struct cil_class *class;
+	struct cil_symtab_datum *perm_datum;
+	char *kind_str;
+
+	switch (permx->kind) {
+		case CIL_PERMX_KIND_IOCTL:
+			kind_str = CIL_KEY_IOCTL;
+			break;
+		default:
+			cil_log(CIL_ERR, "Invalid permissionx kind (%d) at line %d of %s\n", permx->kind, node->line, node->path);
+			rc = SEPOL_ERR;
+			goto exit;
+	}
+
+	classes = cil_expand_class(permx->obj);
+
+	cil_list_for_each(item, classes) {
+		class = item->data;
+		rc = cil_symtab_get_datum(&class->perms, kind_str, &perm_datum);
+		if (rc == SEPOL_ENOENT) {
+			if (class->common != NULL) {
+				rc = cil_symtab_get_datum(&class->common->perms, kind_str, &perm_datum);
+			}
+
+			if (rc == SEPOL_ENOENT) {
+				cil_log(CIL_ERR, "Invalid permissionx at line %d of %s: %s is not a permission of class %s\n", node->line, node->path, kind_str, class->datum.name);
+				rc = SEPOL_ERR;
+				goto exit;
+			}
+		}
+	}
+
+	rc = SEPOL_OK;
+
+exit:
+	if (classes != NULL) {
+		cil_list_destroy(&classes, CIL_FALSE);
+	}
+
+	return rc;
+}
+
+int __cil_verify_avrulex(struct cil_tree_node *node)
+{
+	struct cil_avrule *avrulex = node->data;
+	return __cil_verify_permissionx(avrulex->perms.x.permx, node);
+}
+
 int __cil_verify_class(struct cil_tree_node *node)
 {
 	int rc = SEPOL_ERR;
@@ -1420,6 +1474,12 @@ int __cil_verify_helper(struct cil_tree_node *node, uint32_t *finished, void *ex
 		case CIL_FSUSE:
 			rc = __cil_verify_fsuse(db, node);
 			break;
+		case CIL_AVRULEX:
+			rc = __cil_verify_avrulex(node);
+			break;
+		case CIL_PERMISSIONX:
+			rc = __cil_verify_permissionx(node->data, node);
+			break;
 		case CIL_RANGETRANSITION:
 			rc = SEPOL_OK;
 			break;