
[RFC,v3,5/5] libsepol: pass avtab to report function

Message ID 20211204103516.17375-5-cgzones@googlemail.com (mailing list archive)
State Superseded, archived
Series [RFC,v3,1/5] libsepol: introduce ebitmap_relative_complement() | expand

Commit Message

Christian Göttsche Dec. 4, 2021, 10:35 a.m. UTC
Populate the avtab member before passing as argument to the report
function. Without the avtab, avtab_search_node() is unable to find
allowxperm rules and this results in false-positive reports, e.g. on:

    allow TATTR1 TATTR1 : CLASS1 ioctl;
    allowxperm TATTR1 TATTR1 : CLASS1 ioctl 0x9501;
    neverallowxperm TYPE1 ~self : CLASS1 0x9501;

Reported-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/assertion.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

James Carter Dec. 6, 2021, 6:25 p.m. UTC | #1
On Sat, Dec 4, 2021 at 5:35 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Populate the avtab member before passing as argument to the report
> function. Without the avtab avtab_search_node() is unable to find
> allowxperm rules and this results in false-positive reports, e.g. on:
>
>     allow TATTR1 TATTR1 : CLASS1 ioctl;
>     allowxperm TATTR1 TATTR1 : CLASS1 ioctl 0x9501;
>     neverallowxperm TYPE1 ~self : CLASS1 0x9501;
>
> Reported-by: James Carter <jwcart2@gmail.com>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

No longer getting the false positives, but now I am seeing false negatives.

allow TATTR1 TATTR1 : CLASS4 ioctl;
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9401;
neverallowxperm TATTR1 self : CLASS4 ioctl 0x9421;

These rules are being caught as they should:
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9421;
allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9421;

These rules are not being caught.
allowxperm TYPE1    self : CLASS4 ioctl 0x9421;
allowxperm TYPE1   TYPE1 : CLASS4 ioctl 0x9421;
allowxperm TYPE1  TATTR1 : CLASS4 ioctl 0x9421;
allowxperm TATTR1   self : CLASS4 ioctl 0x9421;

I've attached the policy.conf that I am testing with.

Thanks,
Jim


> ---
>  libsepol/src/assertion.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> index 4600be41..a0eebb93 100644
> --- a/libsepol/src/assertion.c
> +++ b/libsepol/src/assertion.c
> @@ -304,10 +304,12 @@ static int report_assertion_failures(sepol_handle_t *handle, policydb_t *p, avru
>         args.avrule = avrule;
>         args.errors = 0;
>
> +       args.avtab = &p->te_avtab;
>         rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args);
>         if (rc)
>                 goto oom;
>
> +       args.avtab = &p->te_cond_avtab;
>         rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args);
>         if (rc)
>                 goto oom;
> --
> 2.34.1
>
class CLASS1
class CLASS2
class CLASS3
class CLASS4
class CLASS5
class CLASS6
sid kernel
class CLASS1 { PERM1A PERM1B PERM1C PERM1D }
class CLASS2 { PERM2A PERM2B PERM2C PERM2D }
class CLASS3 { PERM3A PERM3B PERM3C PERM3D }
class CLASS4 { ioctl }
class CLASS5 { ioctl }
class CLASS6 { ioctl }
sensitivity SENS1;
dominance { SENS1 }
category CAT1;
level SENS1:CAT1;
mlsconstrain CLASS1 { PERM1A } (h1 dom h2 and l1 domby h1);
mlsvalidatetrans CLASS1 (l1 == l2 or l1 incomp l2);
attribute TATTR1;
attribute TATTR2;
type TYPE1;
type TYPE2;
type TYPE3;
typeattribute TYPE1 TATTR1, TATTR2;
typeattribute TYPE2 TATTR1, TATTR2;
typeattribute TYPE3 TATTR1;


# Test self neverallow

#allow TYPE1    self : CLASS1 PERM1A; # neverallow violation
#allow TYPE1   TYPE1 : CLASS1 PERM1A; # neverallow violation
#allow TYPE1  TATTR1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 TATTR1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 TATTR2 : CLASS1 PERM1A; # neverallow violation
neverallow TYPE1 self : CLASS1 PERM1A;

#allow TYPE1    self : CLASS1 PERM1B; # neverallow violation
#allow TYPE1   TYPE1 : CLASS1 PERM1B; # neverallow violation
#allow TYPE1  TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TATTR2 : CLASS1 PERM1B; # neverallow violation
allow TYPE1 TYPE2 : CLASS1 PERM1B; # NOT a neverallow violation
neverallow TATTR1 self : CLASS1 PERM1B;

# Test allow rule in module, neverallow in base
#allow TYPE1 self : CLASS1 PERM1C; # neverallow violation
neverallow TYPE1 self : CLASS1 PERM1C;

# Test neverallow in module, allow rule in base
#allow TYPE1 self : CLASS1 PERM1D; # neverallow violation
neverallow TYPE1 self : CLASS1 PERM1D;


# Test ~self neverallow

allow TYPE1  self : CLASS2 PERM2A; # Not neverallow violation
allow TYPE1 TYPE1 : CLASS2 PERM2A; # Not neverallow violation
#allow TYPE1   TYPE2 : CLASS2 PERM2A; # neverallow violation
#allow TYPE1  TATTR1 : CLASS2 PERM2A; # neverallow violation
#allow TATTR1 TATTR1 : CLASS2 PERM2A; # neverallow violation
#allow TATTR1 TATTR2 : CLASS2 PERM2A; # neverallow violation
neverallow TYPE1 ~self : CLASS2 PERM2A;

allow TYPE1  self : CLASS2 PERM2B; # Not neverallow violation
allow TYPE2 TYPE2 : CLASS2 PERM2B; # Not neverallow violation
#allow TYPE1   TYPE2  : CLASS2 PERM2B; # neverallow violation
#allow TYPE1  TATTR1  : CLASS2 PERM2B; # neverallow violation
#allow TATTR1 TATTR1  : CLASS2 PERM2B; # neverallow violation
#allow TATTR1 TATTR2  : CLASS2 PERM2B; # neverallow violation
neverallow TATTR1 ~self : CLASS2 PERM2B;

# Test allow rules in module, neverallow in base
allow TYPE1 self : CLASS2 PERM2C;   # Not neverallow violation
#allow TYPE1 TYPE2 : CLASS2 PERM2C; # neverallow violation
neverallow TYPE1 ~self : CLASS2 PERM2C;

# Test neverallow in module, allow rule in base
allow TYPE1 self : CLASS2 PERM2D;   # Not neverallow violation
#allow TYPE1 TYPE2 : CLASS2 PERM2D; # neverallow violation
neverallow TYPE1 ~self : CLASS2 PERM2D;


# Test -self neverallow

allow TYPE1  self : CLASS3 PERM3A; # Not neverallow violation
allow TYPE2 TYPE2 : CLASS3 PERM3A; # Not neverallow violation
#allow TYPE1   TYPE2 : CLASS3 PERM3A; # neverallow violation
#allow TYPE1  TATTR1 : CLASS3 PERM3A; # neverallow violation
#allow TATTR1 TATTR1 : CLASS3 PERM3A; # neverallow violation
#allow TATTR1 TATTR2 : CLASS3 PERM3A; # neverallow violation
neverallow TATTR1 { TATTR1 -self } : CLASS3 PERM3A;

allow TYPE1  self : CLASS3 PERM3B; # Not neverallow violation
allow TYPE2 TYPE2 : CLASS3 PERM3B; # Not neverallow violation
allow TYPE1 TYPE3 : CLASS3 PERM3B; # Not neverallow violation
#allow TYPE1   TYPE2 : CLASS3 PERM3B; # neverallow violation
#allow TYPE1  TATTR1 : CLASS3 PERM3B; # neverallow violation
#allow TATTR1 TATTR1 : CLASS3 PERM3B; # neverallow violation
#allow TATTR1 TATTR2 : CLASS3 PERM3B; # neverallow violation
neverallow TATTR1 { TATTR2 -self } : CLASS3 PERM3B;

# Test allow rules in module, neverallow in base
allow TYPE1 self : CLASS3 PERM3C; # Not neverallow violation
neverallow TATTR1 { TATTR1 -self } : CLASS3 PERM3C;

# Test neverallow in module, allow rule in base
allow TYPE1 self : CLASS3 PERM3D; # Not neverallow violation
#allow TYPE1 TYPE2 : CLASS3 PERM3D; # neverallow violation
neverallow TATTR1 { TATTR1 -self } : CLASS3 PERM3D;


# Test self neverallowxperm

allow TATTR1 TATTR1 : CLASS4 ioctl;
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9401;

#allowxperm TYPE1    self : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TYPE1   TYPE1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1   self : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9411; # neverallowxperm violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9411;

#allowxperm TYPE1    self : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE1   TYPE1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1   self : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9421; # neverallowxperm violation
allowxperm TYPE1 TYPE2 : CLASS4 ioctl 0x9421; # NOT neverallowxperm violation
neverallowxperm TATTR1 self : CLASS4 ioctl 0x9421;

# Test allow rules in module, neverallowxperm in base
#allowxperm TYPE1  self : CLASS4 ioctl 0x9431; # neverallowxperm violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9431;

# Test neverallow in module, allow rule in base
#allowxperm TYPE1 self : CLASS4 ioctl 0x9441; # neverallow violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9441;

# Test ~self neverallowxperm

allow TATTR1 TATTR1 : CLASS5 ioctl;
allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9501;

allowxperm TYPE1  self : CLASS5 ioctl 0x9511; # Not neverallowxperm violation
allowxperm TYPE1 TYPE1 : CLASS5 ioctl 0x9511; # Not neverallowxperm violation
#allowxperm TYPE1   TYPE2 : CLASS5 ioctl 0x9511; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS5 ioctl 0x9511; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9511; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS5 ioctl 0x9511; # neverallowxperm violation
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9511;

allowxperm TYPE1  self : CLASS5 ioctl 0x9521; # Not neverallowxperm violation
allowxperm TYPE2 TYPE2 : CLASS5 ioctl 0x9521; # Not neverallowxperm violation
#allowxperm TYPE1   TYPE2 : CLASS5 ioctl 0x9521; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS5 ioctl 0x9521; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9521; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS5 ioctl 0x9521; # neverallowxperm violation
neverallowxperm TATTR1 ~self : CLASS5 ioctl 0x9521;

# Test allow rules in module, neverallowxperm in base
allowxperm TYPE1  self : CLASS5 ioctl 0x9531; # Not neverallow violation
#allowxperm TYPE1 TYPE2 : CLASS5 ioctl 0x9531; # neverallow violation
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9531;

# Test neverallow in module, allow rule in base
allowxperm TYPE1 self : CLASS5 ioctl 0x9541; # Not neverallow violation
#allowxperm TYPE1 TYPE2 : CLASS5 ioctl 0x9541; # neverallow violation
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9541;


# Test -self neverallowxperm

allow TATTR1 TATTR1 : CLASS6 ioctl;
allowxperm TATTR1 TATTR1 : CLASS6 ioctl 0x9601;

allowxperm TYPE1  self : CLASS6 ioctl 0x9611; # Not neverallowxperm violation
allowxperm TYPE2 TYPE2 : CLASS6 ioctl 0x9611; # Not neverallowxperm violation
#allowxperm TYPE1   TYPE2 : CLASS6 ioctl 0x9611; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS6 ioctl 0x9611; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS6 ioctl 0x9611; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS6 ioctl 0x9611; # neverallowxperm violation
neverallowxperm TATTR1 { TATTR1 -self } : CLASS6 ioctl 0x9611;

allowxperm TYPE1  self : CLASS6 ioctl 0x9621; # Not neverallowxperm violation
allowxperm TYPE2 TYPE2 : CLASS6 ioctl 0x9621; # Not neverallowxperm violation
allowxperm TYPE1 TYPE3 : CLASS6 ioctl 0x9621; # Not neverallowxperm violation
#allowxperm TYPE1   TYPE2 : CLASS6 ioctl 0x9621; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS6 ioctl 0x9621; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS6 ioctl 0x9621; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS6 ioctl 0x9621; # neverallowxperm violation
neverallowxperm TATTR1 { TATTR2 -self } : CLASS6 ioctl 0x9621;

# Test allow rules in module, neverallowxperm in base
allowxperm TYPE1  self : CLASS6 ioctl 0x9631; # Not neverallow violation
#allowxperm TYPE1 TYPE2 : CLASS6 ioctl 0x9631; # neverallow violation
neverallowxperm TYPE1 ~self : CLASS6 ioctl 0x9631;

# Test neverallow in module, allow rule in base
allowxperm TYPE1 self : CLASS6 ioctl 0x9641; # Not neverallow violation
#allowxperm TYPE1 TYPE2 : CLASS6 ioctl 0x9641; # neverallow violation
neverallowxperm TYPE1 ~self : CLASS6 ioctl 0x9641;


role ROLE1;
role ROLE1 types TYPE1;
user USER1 roles ROLE1 level SENS1 range SENS1 - SENS1:CAT1;
sid kernel USER1:ROLE1:TYPE1:SENS1 - SENS1

Patch

diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index 4600be41..a0eebb93 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -304,10 +304,12 @@  static int report_assertion_failures(sepol_handle_t *handle, policydb_t *p, avru
 	args.avrule = avrule;
 	args.errors = 0;
 
+	args.avtab = &p->te_avtab;
 	rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args);
 	if (rc)
 		goto oom;
 
+	args.avtab = &p->te_cond_avtab;
 	rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args);
 	if (rc)
 		goto oom;
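Review bot: With `args.avtab = &p->te_cond_avtab;` set before the second avtab_map() call, the callback's avtab_search_node() lookups (which the commit message says are used to find allowxperm rules) are confined to the conditional table for that pass, so an xperm rule stored in p->te_avtab is not visible while a te_cond_avtab entry is being checked. If an unconditional allowxperm rule can legitimately cover a conditional allow rule in this check, the second pass could still report false positives; this is inferred from the commit message and is worth confirming against report_assertion_avtab_matches(). The call site also gives no hint why the field has to be populated alongside the identical first argument of avtab_map(), so a comment above the first assignment would help, e.g. `/* the callback looks up matching xperm rules in args->avtab via avtab_search_node() */`. report_assertion_failures() begins and ends outside this hunk.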