From patchwork Mon Jul 18 09:29:14 2016
X-Patchwork-Submitter: Inamdar Sharif
X-Patchwork-Id: 9234573
From: Inamdar Sharif
To: Stephen Smalley, "selinux@tycho.nsa.gov"
Cc: "seandroid-list@tycho.nsa.gov"
Subject: RE: [PATCH] Extend checkpolicy pathname matching.
Date: Mon, 18 Jul 2016 09:29:14 +0000
References: <1468511275-23946-1-git-send-email-sds@tycho.nsa.gov>
In-Reply-To: <1468511275-23946-1-git-send-email-sds@tycho.nsa.gov>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Thanks Stephen. That works.

-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Thursday, July 14, 2016 9:18 PM
To: selinux@tycho.nsa.gov
Cc: Inamdar Sharif; seandroid-list@tycho.nsa.gov; Stephen Smalley
Subject: [PATCH] Extend checkpolicy pathname matching.

checkpolicy currently imposes arbitrary limits on pathnames used in genfscon and other statements. This prevents specifying certain paths in /proc such as those containing comma (,) characters. Generalize the PATH, QPATH, and FILENAME patterns to support most legal pathnames. For simplicity, we do not support pathnames containing newlines or quotes.

Reported-by: Inamdar Sharif
Signed-off-by: Stephen Smalley
---
 checkpolicy/policy_scan.l | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

-- 
2.5.5

diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l index 22da338..2f7f221 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l @@ -249,9 +249,9 @@ high | HIGH { return(HIGH); } low | LOW { return(LOW); } -"/"({alnum}|[_\.\-/])* { return(PATH); } -\""/"[ !#-~]*\" { return(QPATH); } -\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); } +"/"[^ \n\r\t\f]* { return(PATH); } +\""/"[^\"\n]*\" { return(QPATH); } +\"[^"/"\"\n]+\" { return(FILENAME); } {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } {digit}+|0x{hexval}+ { return(NUMBER); } {alnum}*{letter}{alnum}* { return(FILESYSTEM); }
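
Review bot: The new unquoted PATH rule, `"/"[^ \n\r\t\f]*`, stops only at whitespace, so it accepts a `"` inside the path even though the commit message says quotes are not supported, and it will pull any punctuation written directly after a path (for example a `;` or `)` with no space before it) into the PATH token. Consider excluding `"` there as the QPATH and FILENAME rules do, and stating in the changelog that an unquoted path must now be followed by whitespace. In the FILENAME rule, `[^"/"\"\n]` reads as though `"/"` were a quoted string, but inside a bracket expression `"` is an ordinary character, so the class simply repeats `"`; `[^/\"\n]` says the same thing more clearly.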