checkpolicy: allow wildcard permissions in constraints

Message ID 20220204133717.27793-1-cgzones@googlemail.com (mailing list archive)
State Superseded

Commit Message

Christian Göttsche Feb. 4, 2022, 1:37 p.m. UTC
Allow all and complement permission sets in constraints, e.g.:

    constrain service ~ { status } (...);
    constrain service * (...);

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/policy_define.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

Comments

James Carter Feb. 9, 2022, 8:35 p.m. UTC | #1
On Fri, Feb 4, 2022 at 3:04 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Allow all and complement permission sets in constraints, e.g.:
>
>     constrain service ~ { status } (...);
>     constrain service * (...);
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  checkpolicy/policy_define.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index b2ae3263..ded19570 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -3590,6 +3590,16 @@ int define_constraint(constraint_expr_t * expr)
>                         cladatum = policydbp->class_val_to_struct[i];
>                         node = cladatum->constraints;
>
> +                       if (strcmp(id, "*") == 0) {
> +                               node->permissions = ~UINT32_C(0);
> +                               continue;
> +                       }
> +

If the class has fewer than 32 permissions, then bits will be set for
non-existent permissions.

> +                       if (strcmp(id, "~") == 0) {
> +                               node->permissions = ~node->permissions;
> +                               continue;
> +                       }
> +

If "~" is used on a list of all of the class's permissions, then there
will be no permissions. If the policy is then turned back into a
policy.conf, there will be no permissions and the constraint will have
an invalid permission. (Obviously, a problem with the kernel_to_conf
routines that needs to be fixed). The right thing is to drop the
constraint in this case since it isn't valid for any permissions. (I
see now that the CIL compiler doesn't handle this correctly either.)

I am fine with the overall idea here.

Thanks,
Jim


>                         perdatum =
>                             (perm_datum_t *) hashtab_search(cladatum->
>                                                             permissions.
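Review bot: The "~" branch complements whatever node->permissions holds at that moment, so its result depends on "~" being dequeued after the permission names it applies to; a short comment above 'if (strcmp(id, "~") == 0) {' stating that ordering would make the dependency explicit. The diffstat lists only checkpolicy/policy_define.c, so a test policy exercising 'constrain service ~ { status } (...);' and 'constrain service * (...);' would be worth adding alongside the change.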
> --
> 2.34.1
>
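The two cases raised in the reply above (bits set for permissions the class does not define, and a complement that leaves no permission), worked through as an added example; it is not checkpolicy code and not part of the thread. The helper names, the three-permission sample class, the 0-based bit numbering and the convention that "~" follows the names it complements are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample class: permission i (0-based) owns bit i of the mask. */
static const char *const service_perms[] = { "start", "stop", "status" };
#define SERVICE_NPERMS 3u

/* One bit per permission the class really defines (nperms is at most 32). */
static uint32_t valid_mask(unsigned nperms)
{
    return nperms >= 32 ? ~UINT32_C(0) : (UINT32_C(1) << nperms) - 1;
}

/* Fold ids into a mask, clamping "*" and "~" to valid_mask(). Returns -1 for
 * an unknown name or when no defined permission is left (drop the constraint). */
static int build_perm_mask(const char *const *perms, unsigned nperms,
                           const char *const *ids, size_t n, uint32_t *out)
{
    uint32_t mask = 0;
    unsigned p;

    for (size_t k = 0; k < n; k++) {
        if (strcmp(ids[k], "*") == 0) {
            mask = valid_mask(nperms);          /* not ~0: defined bits only */
        } else if (strcmp(ids[k], "~") == 0) {
            mask = ~mask & valid_mask(nperms);  /* complement within the class */
        } else {
            for (p = 0; p < nperms; p++)
                if (strcmp(ids[k], perms[p]) == 0)
                    break;
            if (p == nperms)
                return -1;                      /* unknown permission name */
            mask |= UINT32_C(1) << p;
        }
    }
    if (mask == 0)
        return -1;                              /* nothing left to constrain */
    *out = mask;
    return 0;
}

int main(void)
{
    const char *const ids[] = { "status", "~" };    /* ~ { status } */
    uint32_t m = 0;
    int rc = build_perm_mask(service_perms, SERVICE_NPERMS, ids, 2, &m);
    printf("rc=%d mask=0x%x\n", rc, (unsigned)m);
    return 0;
}
```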

Patch

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index b2ae3263..ded19570 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3590,6 +3590,16 @@  int define_constraint(constraint_expr_t * expr)
 			cladatum = policydbp->class_val_to_struct[i];
 			node = cladatum->constraints;
 
+			if (strcmp(id, "*") == 0) {
+				node->permissions = ~UINT32_C(0);
+				continue;
+			}
+
+			if (strcmp(id, "~") == 0) {
+				node->permissions = ~node->permissions;
+				continue;
+			}
+
 			perdatum =
 			    (perm_datum_t *) hashtab_search(cladatum->
 							    permissions.
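Review bot: In the "*" branch, 'node->permissions = ~UINT32_C(0);' sets all 32 bits regardless of how many permissions the class defines, and the "~" branch's '~node->permissions' turns on the same undefined bits and, when every permission of the class was listed, leaves no defined permission in the mask. Compute a mask of the permissions the class actually has, assign that mask for "*", AND the complement with it for "~", and report an error or drop the constraint when no defined bit remains.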