From patchwork Wed Apr 20 20:49:49 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeffrey Vander Stoep <jeffv@google.com>
X-Patchwork-Id: 8895061
Return-Path: <selinux-bounces@tycho.nsa.gov>
X-Original-To: patchwork-selinux@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 483D79F39A
	for <patchwork-selinux@patchwork.kernel.org>;
	Wed, 20 Apr 2016 20:52:42 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 6C5DB202EC
	for <patchwork-selinux@patchwork.kernel.org>;
	Wed, 20 Apr 2016 20:52:41 +0000 (UTC)
Received: from emvm-gh1-uea09.nsa.gov (smtp.nsa.gov [8.44.101.9])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id C33B6202BE
	for <patchwork-selinux@patchwork.kernel.org>;
	Wed, 20 Apr 2016 20:52:39 +0000 (UTC)
X-TM-IMSS-Message-ID: <a46501b40006f8d7@nsa.gov>
Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by nsa.gov
	([10.208.42.194]) with ESMTP (TREND IMSS SMTP Service 7.1) id
	a46501b40006f8d7 ; Wed, 20 Apr 2016 16:50:23 -0400
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3KKo2in012314;
	Wed, 20 Apr 2016 16:50:10 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	u3KKo1Nw073478 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Wed, 20 Apr 2016 16:50:01 -0400
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3KKo1ws012228
	for <selinux@tycho.nsa.gov>; Wed, 20 Apr 2016 16:50:01 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1ArAAAj6hdXj7PAVdFeHYRst2GDMAVSCBeFd4IcAQEBAQEBEwEBAQEHCwsJIYRzARUVGQEBNwGBFAEFATUiiAigMYExPjGKT4UoAQSMRQEBAQEGAhgGCoQNggqLUgtAgkOHeYZTiUiENYlfAokphWMCjXAvgQ6CWQ0RCYFqHDCIRwEBAQ
X-IPAS-Result: 
 A1ArAAAj6hdXj7PAVdFeHYRst2GDMAVSCBeFd4IcAQEBAQEBEwEBAQEHCwsJIYRzARUVGQEBNwGBFAEFATUiiAigMYExPjGKT4UoAQSMRQEBAQEGAhgGCoQNggqLUgtAgkOHeYZTiUiENYlfAokphWMCjXAvgQ6CWQ0RCYFqHDCIRwEBAQ
X-IronPort-AV: E=Sophos;i="5.24,511,1454994000"; d="scan'208";a="5397219"
Received: from emvm-gh1-uea08.nsa.gov ([10.208.42.193])
	by goalie.tycho.ncsc.mil with ESMTP; 20 Apr 2016 16:50:01 -0400
X-TM-IMSS-Message-ID: <5885e5a00007ed58@nsa.gov>
Received: from mail-pf0-f179.google.com (mail-pf0-f179.google.com
	[209.85.192.179]) by nsa.gov ([10.208.42.193]) with ESMTP (TREND IMSS
	SMTP
	Service 7.1; TLSv1/SSLv3 AES128-SHA (128/128)) id 5885e5a00007ed58 ;
	Wed, 20 Apr 2016 16:49:25 -0400
Received: by mail-pf0-f179.google.com with SMTP id e128so21748955pfe.3
	for <selinux@tycho.nsa.gov>; Wed, 20 Apr 2016 13:49:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=20120113; h=from:to:cc:subject:date:message-id;
	bh=E6e+nXtQysZUFSD90WzF4whoTgKEPSyopu2O6BFoY5Q=;
	b=WHXM0OQ5vU2hdSZlhg9R0P4G6untJJC04WSDXQ/gUwrtpfs9y2UmkgPweugK3oH/EL
	B6sQYQWorEualoAzppwu5CFm4jf5f8iBLke63me3xb3emLD98ikcN5A47oFmDZAVfc39
	DRv22XackeX82E5OW6MZZPBVtetbR3G+CGlEZyYmfnXAkF0/jcXO3e8OLPiPxQ/3H5CH
	tswAah0eQpUIl5eLl08rFmFEZK0r7akC8hN26wGVIwHecnCZ2wOrn29upXyOmxfPn5Cc
	E+gmb+x1SDp+OWxq9pZig6sah47dyeAiffAk+N9Iex1mkAzp07DYy941DWW8K1lbRhGQ
	Lk9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=E6e+nXtQysZUFSD90WzF4whoTgKEPSyopu2O6BFoY5Q=;
	b=TeQTy4leckkUWbvFZ1ONbl34v7SwTcqAQP6KB7vzaPIl40puLZ29iLSrm21A3ZH1xx
	o7oGSm+GF5Byj87re7RUrRnCPkmt7r1dEQ420zjaz3QIzwoTz41y9ZSuvA4sBkAeKPtF
	Hsmk+opQ8GBCnu23vCkdLAmZKEJGQbE3FcCTDhTEDKj4CKCWLpGf8pJrkb36MAYXKrC4
	RRY7EDPrOEgzWK/nnhdFENV7v0N1o8bWMtSZlrRAmu/BiKwg4cw/eiqL2S/Q2ogHiC+f
	K+q3Js3K60YeK36t3iKyUAwgdVc+A5WtyxfNd0AHwNukgXibTm7hrCfKLW4pBYZBHKCD
	S7Ww==
X-Gm-Message-State: 
 AOPr4FVkIb7c4L03Oeb4rHD9BssURq1pRFvQto0ges7WA8v9E+OPzkI1Jcl/GZs6lQ+xq5/O
X-Received: by 10.98.89.194 with SMTP id k63mr14984557pfj.135.1461185398688;
	Wed, 20 Apr 2016 13:49:58 -0700 (PDT)
Received: from jeffv-linux.mtv.corp.google.com ([172.22.112.85])
	by smtp.gmail.com with ESMTPSA id
	f66sm100367870pff.8.2016.04.20.13.49.57
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 20 Apr 2016 13:49:57 -0700 (PDT)
From: Jeff Vander Stoep <jeffv@google.com>
To: selinux@tycho.nsa.gov
Subject: [PATCH] Fix extended permissions neverallow checking
Date: Wed, 20 Apr 2016 13:49:49 -0700
Message-Id: <1461185389-3133-1-git-send-email-jeffv@google.com>
X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020
X-TM-AS-MML: disable
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: sds@tycho.nsa.gov
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, RP_MATCHES_RCVD, T_DKIM_INVALID,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit 99fc177b "Add neverallow support for ioctl extended permissions"
first checks to see if the ioctl permission is granted, then checks to
see if the same source/target violates a neverallowed ioctl command.
Unfortunately this does not address the case where the ioctl permission
and extended permissions are granted on different attributes. Example,
the following will incorrectly cause a neverallow violation.

allow untrusted_app self:tcp_socket ioctl;
allowxperm domain domain:tcp_socket unpriv_sock_ioctls;
neverallowxperm untrusted_app domain:tcp_socket ~unpriv_sock_ioctls;

The fix is to enumerate over the source and target attributes when
looking for extended permission violations.

Note: The bug this addresses incorrectly asserts that a violation has
occurred. Actual neverallow violations are always caught.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Tested-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/assertion.c | 93 +++++++++++++++++++++++++++++++-----------------
 1 file changed, 60 insertions(+), 33 deletions(-)

diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index fbf397f..f4429ad 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -147,36 +147,49 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
 	avtab_key_t tmp_key;
 	avtab_extended_perms_t *xperms;
 	avtab_extended_perms_t error;
+	ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
+	ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
+	ebitmap_node_t *snode, *tnode;
+	unsigned int i, j;
 	int rc = 1;
 	int ret = 0;
 
 	memcpy(&tmp_key, k, sizeof(avtab_key_t));
 	tmp_key.specified = AVTAB_XPERMS_ALLOWED;
 
-	for (node = avtab_search_node(avtab, &tmp_key);
-	     node;
-	     node = avtab_search_node_next(node, tmp_key.specified)) {
-		xperms = node->datum.xperms;
-		if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
-				&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+	ebitmap_for_each_bit(sattr, snode, i) {
+		if (!ebitmap_node_get_bit(snode, i))
 			continue;
+		ebitmap_for_each_bit(tattr, tnode, j) {
+			if (!ebitmap_node_get_bit(tnode, j))
+				continue;
+			tmp_key.source_type = i + 1;
+			tmp_key.target_type = j + 1;
+			for (node = avtab_search_node(avtab, &tmp_key);
+			     node;
+			     node = avtab_search_node_next(node, tmp_key.specified)) {
+				xperms = node->datum.xperms;
+				if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
+						&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+					continue;
 
-		rc = check_extended_permissions(avrule->xperms, xperms);
-		/* failure on the extended permission check_extended_permissionss */
-		if (rc) {
-			extended_permissions_violated(&error, avrule->xperms, xperms);
-			ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
-					"allowxperm %s %s:%s %s;",
-					avrule->source_line, avrule->source_filename, avrule->line,
-					p->p_type_val_to_name[stype],
-					p->p_type_val_to_name[ttype],
-					p->p_class_val_to_name[curperm->tclass - 1],
-					sepol_extended_perms_to_string(&error));
-
-			rc = 0;
-			ret++;
+				rc = check_extended_permissions(avrule->xperms, xperms);
+				/* failure on the extended permission check_extended_permissionss */
+				if (rc) {
+					extended_permissions_violated(&error, avrule->xperms, xperms);
+					ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
+							"allowxperm %s %s:%s %s;",
+							avrule->source_line, avrule->source_filename, avrule->line,
+							p->p_type_val_to_name[stype],
+							p->p_type_val_to_name[ttype],
+							p->p_class_val_to_name[curperm->tclass - 1],
+							sepol_extended_perms_to_string(&error));
+
+					rc = 0;
+					ret++;
+				}
+			}
 		}
-
 	}
 
 	/* failure on the regular permissions */
@@ -319,28 +332,42 @@ oom:
  *    granted
  */
 static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
-						avtab_key_t *k)
+						avtab_key_t *k, policydb_t *p)
 {
 	avtab_ptr_t node;
 	avtab_key_t tmp_key;
 	avtab_extended_perms_t *xperms;
 	av_extended_perms_t *neverallow_xperms = avrule->xperms;
+	ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
+	ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
+	ebitmap_node_t *snode, *tnode;
+	unsigned int i, j;
 	int rc = 1;
 
 	memcpy(&tmp_key, k, sizeof(avtab_key_t));
 	tmp_key.specified = AVTAB_XPERMS_ALLOWED;
 
-	for (node = avtab_search_node(avtab, &tmp_key);
-	     node;
-	     node = avtab_search_node_next(node, tmp_key.specified)) {
-		xperms = node->datum.xperms;
-		if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
-				&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+	ebitmap_for_each_bit(sattr, snode, i) {
+		if (!ebitmap_node_get_bit(snode, i))
 			continue;
-
-		rc = check_extended_permissions(neverallow_xperms, xperms);
-		if (rc)
-			break;
+		ebitmap_for_each_bit(tattr, tnode, j) {
+			if (!ebitmap_node_get_bit(tnode, j))
+				continue;
+			tmp_key.source_type = i + 1;
+			tmp_key.target_type = j + 1;
+			for (node = avtab_search_node(avtab, &tmp_key);
+			     node;
+			     node = avtab_search_node_next(node, tmp_key.specified)) {
+				xperms = node->datum.xperms;
+
+				if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
+						&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+					continue;
+				rc = check_extended_permissions(neverallow_xperms, xperms);
+				if (rc)
+					break;
+			}
+		}
 	}
 
 	return rc;
@@ -386,7 +413,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
 		goto exit;
 
 	if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
-		rc = check_assertion_extended_permissions(avrule, avtab, k);
+		rc = check_assertion_extended_permissions(avrule, avtab, k, p);
 		if (rc == 0)
 			goto exit;
 	}