From patchwork Tue May 3 20:28:32 2016
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 9008041
From: James Carter
To: selinux@tycho.nsa.gov
Subject: [PATCH] libsepol: Change logic of bounds checking
Date: Tue, 3 May 2016 16:28:32 -0400
Message-Id: <1462307312-4220-1-git-send-email-jwcart2@tycho.nsa.gov>

Change logic of bounds checking to match kernel's bound checking.

The following explanation is taken from Stephen Smalley's kernel patch.

Under the new logic, if the source type and target types are both bounded,
then the parent of the source type must be allowed the same permissions to
the parent of the target type. If only the source type is bounded, then the
parent of the source type must be allowed the same permissions to the
target type.

Examples of the new logic and comparisons with the old logic:

1. If we have:
       typebounds A B;
   then:
       allow B self:process ;
   will satisfy the bounds constraint iff:
       allow A self:process ;
   is also allowed in policy. Under the old logic, the allow rule on B
   satisfies the bounds constraint if any of the following three are
   allowed:
       allow A B:process ;
   or
       allow B A:process ;
   or
       allow A self:process ;
   However, either of the first two ultimately requires the third to
   satisfy the bounds constraint under the old logic, and therefore this
   degenerates to the same result (but is more efficient - we only need to
   perform one compute_av call).

2. If we have:
       typebounds A B;
       typebounds A_exec B_exec;
   then:
       allow B B_exec:file ;
   will satisfy the bounds constraint iff:
       allow A A_exec:file ;
   is also allowed in policy.
   This is essentially the same as #1; it is merely included as an example
   of dealing with object types related to a bounded domain in a manner
   that satisfies the bounds relationship. Note that this approach is
   preferable to leaving B_exec unbounded and having:
       allow A B_exec:file ;
   in policy because that would allow B's entrypoints to be used to enter
   A. Similarly for _tmp or other related types.

3. If we have:
       typebounds A B;
   and an unbounded type T, then:
       allow B T:file ;
   will satisfy the bounds constraint iff:
       allow A T:file ;
   is allowed in policy. The old logic would have been identical for this
   example.

4. If we have:
       typebounds A B;
   and an unbounded domain D, then:
       allow D B:unix_stream_socket ;
   is not subject to any bounds constraints under the new logic because D
   is not bounded. This is desirable so that we can allow a domain to e.g.
   connectto a child domain without having to allow it to do the same to
   its parent. The old logic would have required:
       allow D A:unix_stream_socket ;
   to also be allowed in policy.

Signed-off-by: James Carter
Acked-by: Stephen Smalley
---
 libsepol/src/hierarchy.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c
index b24b39e..778541a 100644
--- a/libsepol/src/hierarchy.c
+++ b/libsepol/src/hierarchy.c
@@ -301,20 +301,21 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p, ebitmap_for_each_bit(&p->attr_type_map[tgt - 1], tnode, i) { if (!ebitmap_node_get_bit(tnode, i)) continue; - avtab_key.target_type = i + 1; - d = bounds_not_covered(global_avtab, cur_avtab, - &avtab_key, data); - if (!d) continue; td = p->type_val_to_struct[i]; if (td && td->bounds) { avtab_key.target_type = td->bounds; d = bounds_not_covered(global_avtab, cur_avtab, &avtab_key, data); - if (!d) continue; + } else { + avtab_key.target_type = i + 1; + d = bounds_not_covered(global_avtab, cur_avtab, + &avtab_key, data); + } + if (d) { + (*numbad)++; + rc = bounds_add_bad(handle, child, i+1, class, d, bad); + if (rc) goto exit; } - (*numbad)++; - rc = bounds_add_bad(handle, child, i+1, class, d, bad); - if (rc) goto exit; } }
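Review bot: the restructured loop body is sound as far as the visible lines go (both the `td->bounds` branch and the new `else` branch assign `d` before the common `if (d)`), but it silently drops a fallback the old code had: when the target type is bounded and the check against `td->bounds` fails, the rule is now reported bad without ever being checked against the target type `i + 1` itself. That is exactly the new semantics the commit message describes, so a one-line comment above `if (td && td->bounds) {` saying that a bounded target is checked only against its parent type would stop a later reader from reading the removed `if (!d) continue;` lines as a regression. The hunk also shows only the target-side substitution; the "parent of the source type" half of the rule depends on how `child` and `avtab_key.source_type` are set up outside this hunk, so the same comment could point at that. Minor style: `i+1` in the re-added `bounds_add_bad(handle, child, i+1, class, d, bad)` call versus `i + 1` in `avtab_key.target_type = i + 1;` two lines above.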
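The four examples in the commit message, run through a small Python model of the new bounds logic (an added example, not libsepol code): `required_parent_rule()` does the parent substitution the patched loop performs on the target side and the caller performs on the source side, and `bounds_violations()` collects the rules that would hit the `bounds_add_bad()` path. Permission names in the sample policies are constructed, since the message elides them.

```python
# Added example, not libsepol code: a model of the *new* typebounds check.
# A policy is a set of (source, target, class, perm) allow rules; `bounds`
# maps each bounded (child) type to its parent, i.e. `typebounds parent child`.
# Permission names below are constructed; the original message elides them.


def required_parent_rule(bounds, rule):
    """Rule the parent must be allowed for `rule` to satisfy the bounds
    constraint, or None when the source type is unbounded.

    New logic: the source is replaced by its parent; the target is replaced
    by its parent only if the target itself is bounded (td->bounds set),
    otherwise it is kept as-is (the `else` branch of the patched loop).
    """
    src, tgt, cls, perm = rule
    if src not in bounds:  # unbounded source: no constraint (example 4)
        return None
    return (bounds[src], bounds.get(tgt, tgt), cls, perm)


def bounds_violations(policy, bounds):
    """Rules whose required parent rule is absent from the policy, i.e. the
    ones the patched loop counts via (*numbad)++ and bounds_add_bad()."""
    return {rule for rule in policy
            if (needed := required_parent_rule(bounds, rule)) is not None
            and needed not in policy}


# Example 1: typebounds A B; allow B self:process needs allow A self:process.
BOUNDS_1 = {"B": "A"}
POLICY_1 = {("B", "B", "process", "signal")}
POLICY_1_FIXED = POLICY_1 | {("A", "A", "process", "signal")}
# Example 2: typebounds A B; typebounds A_exec B_exec; the bounded target is
# checked against its parent, so allow A A_exec:file covers allow B B_exec:file.
BOUNDS_2 = {"B": "A", "B_exec": "A_exec"}
POLICY_2 = {("B", "B_exec", "file", "entrypoint"),
            ("A", "A_exec", "file", "entrypoint")}
# Example 3: unbounded T; allow B T:file needs allow A T:file.
POLICY_3 = {("B", "T", "file", "read")}
# Example 4: unbounded domain D connecting to the child B is unconstrained.
POLICY_4 = {("D", "B", "unix_stream_socket", "connectto")}

if __name__ == "__main__":
    for name, pol, bnd in [("1", POLICY_1, BOUNDS_1),
                           ("1 fixed", POLICY_1_FIXED, BOUNDS_1),
                           ("2", POLICY_2, BOUNDS_2), ("3", POLICY_3, BOUNDS_1),
                           ("4", POLICY_4, BOUNDS_1)]:
        print(f"example {name}: bad rules = {sorted(bounds_violations(pol, bnd))}")
```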