
[0/2,RFC] libsepol: Adding support for not-self rules

Message ID 20220111220823.596065-1-jwcart2@gmail.com (mailing list archive)

James Carter Jan. 11, 2022, 10:08 p.m. UTC
These patches depend on the 16-patch set that refactors and fixes assertion checking.

The first patch is based on patches by Christian Göttsche <cgzones@googlemail.com>
sent to the list on November 23rd. His patch adding support to checkpolicy is meant
to be used with these patches.

The second patch adds support for not-self rules to CIL. Currently, it works for all
access vector rules, but I am not sure if that is needed or wise.

James Carter (2):
  libsepol: Add not self support for neverallow rules
  libsepol/cil: Add notself and minusself support to CIL

 libsepol/cil/src/cil.c                     |  12 ++
 libsepol/cil/src/cil_binary.c              |  91 ++++++++-
 libsepol/cil/src/cil_build_ast.c           |  10 +-
 libsepol/cil/src/cil_find.c                | 206 ++++++++++++++++++---
 libsepol/cil/src/cil_internal.h            |   4 +
 libsepol/cil/src/cil_resolve_ast.c         |   4 +
 libsepol/cil/src/cil_verify.c              |   3 +-
 libsepol/include/sepol/policydb/policydb.h |   3 +-
 libsepol/src/assertion.c                   | 144 +++++++++++---
 9 files changed, 467 insertions(+), 64 deletions(-)

Comments

Christian Göttsche March 11, 2022, 6:44 p.m. UTC | #1
On Tue, 11 Jan 2022 at 23:08, James Carter <jwcart2@gmail.com> wrote:
>
> These patches depend on the 16-patch set that refactors and fixes assertion checking.
>
> The first patch is based on patches by Christian Göttsche <cgzones@googlemail.com>
> sent to the list on November 23rd. His patch adding support to checkpolicy is meant
> to be used with these patches.
>
> The second patch adds support for not-self rules to CIL. Currently, it works for all
> access vector rules, but I am not sure if that is needed or wise.

Probably not caused by this patch set, but I noticed one inconvenience, duplicate
reporting, with the following example:

    attribute test_a;
    type test1_t, test_a;
    type test2_t, test_a;
    allow test_a test_a:xdp_socket ioctl;
    allowxperm test_a test_a:xdp_socket ioctl 0x0002;
    neverallowxperm test1_t { test_a }:xdp_socket ioctl 0x0002;

The output looks like:

    libsepol.report_assertion_extended_permissions: neverallowxperm on line 534 of policy/modules/kernel/kernel.te (or line 49039 of policy.conf) violated by
    allowxperm test_a test_a:xdp_socket ioctl { 0x2 };
    libsepol.report_assertion_extended_permissions: neverallowxperm on line 534 of policy/modules/kernel/kernel.te (or line 49039 of policy.conf) violated by
    allowxperm test_a test_a:xdp_socket ioctl { 0x2 };

due to the two access permissions, one for test1_t on test1_t and one
for test1_t on test2_t.


Rebasing onto master should update validation due to ff25475c
("libsepol: validate several flags"):

--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -851,6 +851,7 @@ static int validate_avrules(sepol_handle_t
*handle, avrule_t *avrule, int condit
               switch(avrule->flags) {
               case 0:
               case RULE_SELF:
+               case RULE_NOTSELF:
                       break;
               default:
                       goto bad;
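Review bot: the added `case RULE_NOTSELF:` makes validate_avrules accept the flag on every avrule kind it sees, while the first patch of this series ("libsepol: Add not self support for neverallow rules") only adds not-self support for neverallow rules; if RULE_NOTSELF is only meaningful there, the validator should reject it on other rule kinds instead of accepting it unconditionally, so that a stray flag on an allow rule still hits `goto bad`. The `@@` header's function signature is also wrapped by the mailer (`int condit`), so this hunk has to be applied by hand rather than with git am.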

Otherwise, together with ("checkpolicy: add not-self neverallow support") [1]:

Tested-by: Christian Göttsche <cgzones@googlemail.com>


[1]: https://patchwork.kernel.org/project/selinux/patch/20211204103516.17375-3-cgzones@googlemail.com/

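As an added illustration, not code from this thread or from libsepol, a small Python model of why the example above is reported twice: assertion checking expands the attributes into concrete (source, target) type pairs, the single allowxperm rule covers both (test1_t, test1_t) and (test1_t, test2_t), and a checker that reports per pair prints the same rule twice, whereas one that keys reports on the offending rule prints it once; a not-self assertion in the spirit of this series exempts the self pair. The rule dictionaries, the `notself`/`dedup` switches and the function names are my own constructions, and the model ignores the base `allow` rule that a real allowxperm also requires.

```python
from itertools import product
# Constructed policy fragment mirroring the thread's example (hypothetical names).
ATTRS = {"test_a": {"test1_t", "test2_t"}}
ALLOWS = [  # allowxperm test_a test_a:xdp_socket ioctl 0x0002;
    {"src": "test_a", "tgt": "test_a", "cls": "xdp_socket",
     "perm": "ioctl", "xperms": {0x0002}},
]
NEVER = {  # neverallowxperm test1_t { test_a }:xdp_socket ioctl 0x0002;
    "src": "test1_t", "tgt": "test_a", "cls": "xdp_socket",
    "perm": "ioctl", "xperms": {0x0002}}

def expand(name):
    """Attribute -> set of member types; a plain type expands to itself."""
    return ATTRS.get(name, {name})

def format_rule(rule):
    """Render an allowxperm rule the way the report in the thread prints it."""
    xp = " ".join(hex(x) for x in sorted(rule["xperms"]))
    return (f"allowxperm {rule['src']} {rule['tgt']}:{rule['cls']} "
            f"{rule['perm']} {{ {xp} }};")

def check_neverallowxperm(never, allows, notself=False, dedup=False):
    """Return (src, tgt, report) triples, one per violation found.

    The assertion is expanded to concrete (src, tgt) type pairs; an allowxperm
    whose own expansion covers that pair with overlapping xperms violates it.
    notself=True models a RULE_NOTSELF-style assertion: src == tgt is exempt.
    dedup=True reports each offending rule once instead of once per pair."""
    found, seen = [], set()
    for src, tgt in product(sorted(expand(never["src"])),
                            sorted(expand(never["tgt"]))):
        if notself and src == tgt:
            continue
        for a in allows:
            if (a["cls"], a["perm"]) != (never["cls"], never["perm"]):
                continue
            if not (a["xperms"] & never["xperms"]):
                continue  # no extended permission in common
            if src in expand(a["src"]) and tgt in expand(a["tgt"]):
                report = "neverallowxperm violated by " + format_rule(a)
                if dedup and report in seen:
                    continue
                seen.add(report)
                found.append((src, tgt, report))
    return found

if __name__ == "__main__":
    for hit in check_neverallowxperm(NEVER, ALLOWS):
        print(hit)  # same report twice: (test1_t, test1_t) and (test1_t, test2_t)
```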