@@ -110,6 +110,10 @@ static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_ext
} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
rc = extended_permissions_and(neverallow->perms, allow->perms);
+ } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
+ && (allow->specified == AVTAB_XPERMS_NLMSG)) {
+ if (neverallow->driver == allow->driver)
+ rc = extended_permissions_and(neverallow->perms, allow->perms);
}
return rc;
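Review bot: The new NLMSG branch compares `neverallow->driver == allow->driver` with no explanation of why equal drivers are the only case worth ANDing, and when they differ `rc` silently keeps the value it was initialised to above this hunk (check_extended_permissions starts before the hunk, so that initial value is not visible here). Presumably the nlmsg `driver` byte selects which range of message types the `perms` bitmap is relative to, so two rules with different drivers are disjoint and cannot conflict; that reasoning should be written down at the branch: `/* nlmsg perms are relative to the driver byte; rules for different drivers never overlap, so only equal drivers can conflict */`. Unlike the ioctl kinds there appears to be no driver-wide NLMSG rule kind, so no cross-kind case is needed; if one is ever added, this branch will need the same treatment as the IOCTLDRIVER case above it.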
@@ -142,6 +146,12 @@ static void extended_permissions_violated(avtab_extended_perms_t *result,
result->specified = AVTAB_XPERMS_IOCTLDRIVER;
for (i = 0; i < EXTENDED_PERMS_LEN; i++)
result->perms[i] = neverallow->perms[i] & allow->perms[i];
+ } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
+ && (allow->specified == AVTAB_XPERMS_NLMSG)) {
+ result->specified = AVTAB_XPERMS_NLMSG;
+ result->driver = allow->driver;
+ for (i = 0; i < EXTENDED_PERMS_LEN; i++)
+ result->perms[i] = neverallow->perms[i] & allow->perms[i];
}
}
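Review bot: The NLMSG branch in extended_permissions_violated copies `allow->driver` into the result and ANDs the two bitmaps without checking that `neverallow->driver` matches, so it is only correct if the caller has already run check_extended_permissions, which in this same commit rejects mismatched drivers; called on its own it would report a spurious violation under the wrong driver. That implicit precondition should be stated where the result is built, for example `/* Caller must have established neverallow->driver == allow->driver via check_extended_permissions(); otherwise the AND below reports nlmsg perms under the wrong driver. */`. The function's opening is outside this hunk, so the precondition may already be documented there; if not, the branch is the right place for it.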
@@ -176,7 +186,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
node = avtab_search_node_next(node, tmp_key.specified)) {
xperms = node->datum.xperms;
if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
- && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+ && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
+ && (xperms->specified != AVTAB_XPERMS_NLMSG))
continue;
found_xperm = 1;
rc = check_extended_permissions(avrule->xperms, xperms);
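Review bot: The `continue` on the kind filter is exactly the mechanism that produced the false positives this commit fixes: any xperms kind missing from the open-coded list is silently skipped and `found_xperm` stays 0, and the same three-way test is repeated verbatim in check_assertion_extended_permissions_avtab, so the next kind has to be added in two places again. Pulling the predicate into one `static inline` helper next to check_extended_permissions gives a single point to update and a natural place to note that an unlisted kind hides violations rather than reporting them. report_assertion_extended_permissions begins before this hunk and continues after it; the rewrite below touches only the filter.
```c
/* Every avtab xperms kind the assertion checker knows how to compare.
 * Keep in step with the kinds handled in check_extended_permissions():
 * a kind that is not listed here is skipped by the callers, which
 * silently hides neverallowxperm violations for that kind. */
static inline int xperms_kind_checked(uint16_t specified)
{
	return specified == AVTAB_XPERMS_IOCTLFUNCTION
	       || specified == AVTAB_XPERMS_IOCTLDRIVER
	       || specified == AVTAB_XPERMS_NLMSG;
}

/* … in report_assertion_extended_permissions(), inside the node loop … */
		xperms = node->datum.xperms;
		if (!xperms_kind_checked(xperms->specified))
			continue;
```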
@@ -376,7 +387,8 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t
xperms = node->datum.xperms;
if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
- && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+ && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
+ && (xperms->specified != AVTAB_XPERMS_NLMSG))
continue;
rc = check_extended_permissions(neverallow_xperms, xperms);
if (rc)
@@ -189,6 +189,11 @@ static int process_avtab_datum(uint16_t specified,
if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
return process_xperms(x1->perms, x2->perms);
+ } else if (x1->specified == AVTAB_XPERMS_NLMSG
+ && x2->specified == AVTAB_XPERMS_NLMSG) {
+ if (x1->driver != x2->driver)
+ return 0;
+ return process_xperms(x1->perms, x2->perms);
}
return 0;
}
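Review bot: The `x1->driver != x2->driver` early return in the new NLMSG branch has no comment, and a reader of optimize.c cannot see the matching decision made in assertion.c, so the reason for treating mismatched drivers as "not redundant" is left implicit. Assuming the nlmsg `driver` byte selects the message-type range that `perms` is relative to, the justification is short enough to state inline: `/* nlmsg perms are relative to the driver byte; rules for different drivers cover disjoint message types, so neither can subsume the other */`. process_avtab_datum starts before this hunk, so whether the ioctl branches above already carry an equivalent explanation is not visible here.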
commit ba7945a250c added support for nlmsg extended permissions in the policy. The assertion validation was not updated, which led to false positives when evaluated. The optimization update was also missing. Add support for the new extended permission for optimization and assertions. Fixes: ba7945a250c0794837f94ee1fb124426166bbc6e Signed-off-by: Thiébaud Weksteen <tweek@google.com> --- libsepol/src/assertion.c | 16 ++++++++++++++-- libsepol/src/optimize.c | 5 +++++ 2 files changed, 19 insertions(+), 2 deletions(-)