From patchwork Mon Oct 3 19:52:03 2016
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 9360893
From: James Carter
To: selinux@tycho.nsa.gov
Subject: [PATCH] libsepol: Add support for converting extended permissions to CIL
Date: Mon, 3 Oct 2016 15:52:03 -0400
Message-Id: <1475524323-29138-1-git-send-email-jwcart2@tycho.nsa.gov>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Checkpolicy has an option to produce CIL output and is dependent on the policydb-to-CIL conversion in libsepol for that option. Add support for converting extended permissions to CIL so that checkpolicy can generate CIL.

Signed-off-by: James Carter
---
 libsepol/src/module_to_cil.c | 115 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 111 insertions(+), 4 deletions(-)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 508a861..556d11e 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -609,6 +609,103 @@ exit: return rc; } +#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p)) + +static int xperms_to_cil(const av_extended_perms_t *xperms) +{ + uint16_t value; + uint16_t low_bit; + uint16_t low_value; + unsigned int bit; + unsigned int in_range = 0; + int first = 1; + + if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION) + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)) + return -1; + + for (bit = 0; bit < sizeof(xperms->perms)*8; bit++) { + if (!xperm_test(bit, xperms->perms)) + continue; + + if (in_range && next_bit_in_range(bit, xperms->perms)) { + /* continue until high value found */ + continue; + } else if (next_bit_in_range(bit, xperms->perms)) { + /* low value */ + low_bit = bit; + in_range = 1; + continue; + } + + if (!first) + cil_printf(" "); + else + first = 0; + + if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) { + value = xperms->driver<<8 | bit; + low_value = xperms->driver<<8 | low_bit; + if (in_range) { + cil_printf("(range 0x%hx 0x%hx)", low_value, value); + in_range = 0; + } else { + cil_printf("0x%hx", value); + } + } else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) { + value = bit << 8; + low_value = low_bit << 8; + if (in_range) { + cil_printf("(range 0x%hx 0x%hx)", low_value, (uint16_t) (value|0xff)); + in_range = 0; + } else { + cil_printf("(range 0x%hx 0x%hx)", value, (uint16_t) (value|0xff)); + } + } + } + + return 0; +} + +static int avrulex_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const class_perm_node_t *classperms, const av_extended_perms_t *xperms) +{ + int rc = -1; + const char *rule; + const struct class_perm_node *classperm; + + switch (type) { + case AVRULE_XPERMS_ALLOWED: + rule = "allowxperm"; + break; + case AVRULE_XPERMS_AUDITALLOW: + rule = "auditallowxperm"; + break; + case AVRULE_XPERMS_DONTAUDIT: + rule = "dontauditxperm"; + break; + case AVRULE_XPERMS_NEVERALLOW: + rule = "neverallowxperm"; + break; + default: 
+ log_err("Unknown avrule xperm type: %i", type); + rc = -1; + goto exit; + } + + for (classperm = classperms; classperm != NULL; classperm = classperm->next) { + cil_indent(indent); + cil_printf("(%s %s %s %s (%s (", rule, src, tgt, + "ioctl", pdb->p_class_val_to_name[classperm->tclass - 1]); + xperms_to_cil(xperms); + cil_printf("))\n"); + } + + return 0; + +exit: + return rc; +} + static int num_digits(int n) { int num = 1; @@ -1077,7 +1174,8 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a struct type_set *ts; for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) { - if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) { + if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && + avrule->source_filename) { cil_println(0, ";;* lmx %lu %s\n",avrule->source_line, avrule->source_filename); } @@ -1095,14 +1193,22 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a for (s = 0; s < num_snames; s++) { for (t = 0; t < num_tnames; t++) { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms); + if (avrule->specified & AVRULE_XPERMS) { + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms, avrule->xperms); + } else { + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms); + } if (rc != 0) { goto exit; } } if (avrule->flags & RULE_SELF) { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms); + if (avrule->specified & AVRULE_XPERMS) { + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms, avrule->xperms); + } else { + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms); + } if (rc != 0) { goto exit; } 
@@ -1112,7 +1218,8 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a names_destroy(&snames, &num_snames); names_destroy(&tnames, &num_tnames); - if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) { + if ((avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && + avrule->source_filename) { cil_println(0, ";;* lme\n"); } }
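Review bot: in avrulex_to_cil (first hunk, @@ -609) the emitted CIL is unbalanced and does not follow the permissionx form: the format string `"(%s %s %s %s (%s ("` opens three parentheses while the trailing `cil_printf("))\n")` closes only two, and it places "ioctl" outside the class parenthesis, whereas CIL's anonymous permissionx is `(kind class (xperm ...))`, so a rule should come out as `(allowxperm src tgt (ioctl class (0x1 ...)))`. Suggest `cil_printf("(%s %s %s (%s %s (", rule, src, tgt, "ioctl", pdb->p_class_val_to_name[classperm->tclass - 1]);` followed by `cil_printf(")))\n");`. Two smaller points in the same hunk: the return value of xperms_to_cil() is discarded, so an xperms->specified that is neither AVTAB_XPERMS_IOCTLFUNCTION nor AVTAB_XPERMS_IOCTLDRIVER silently yields a rule with an empty xperm set instead of an error (check the rc, log_err and goto exit); and `low_value = xperms->driver<<8 | low_bit;` is evaluated before the `if (in_range)` test, so low_bit is read uninitialized on the single-value path (initialise low_bit to 0 or move that assignment inside the range branch).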
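Review bot: in the @@ -1095 hunk the `if (avrule->specified & AVRULE_XPERMS)` dispatch between avrulex_to_cil() and avrule_to_cil() is written out twice with identical argument lists, once for tnames[t] and once for the "self" target, so a later change to one call site can easily miss the other; a small static helper taking (indent, pdb, avrule, src, tgt) that performs the test and the call would collapse both sites to a single line each and keep them in step.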
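Review bot: the compound test `(avrule->specified & (AVRULE_NEVERALLOW|AVRULE_XPERMS_NEVERALLOW)) && avrule->source_filename` now appears twice in avrule_list_to_cil, here guarding the `;;* lme` marker and at the top of the loop (@@ -1077) guarding `;;* lmx`; if the two conditions ever diverge the line-marker comments become unbalanced, so compute it once per iteration into a local (for example `int emit_markers = ...;`) and test that local in both places.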