From patchwork Sat Dec 4 10:35:12 2021
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [RFC PATCH v3 1/5] libsepol: introduce ebitmap_relative_complement()
Date: Sat, 4 Dec 2021 11:35:12 +0100
Message-Id: <20211204103516.17375-1-cgzones@googlemail.com>
In-Reply-To: <20211124190815.12757-1-cgzones@googlemail.com>
References: <20211124190815.12757-1-cgzones@googlemail.com>

Add a method for ebitmaps that computes the relative complement.
All bits set in the second ebitmap are set to zero in the first one.

Signed-off-by: Christian Göttsche
---
v3:
  - rename from ebitmap_subtract() to ebitmap_relative_complement()
v2:
  - add shortcut for empty ebitmaps
---
 libsepol/include/sepol/policydb/ebitmap.h |  1 +
 libsepol/src/ebitmap.c                    | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/libsepol/include/sepol/policydb/ebitmap.h b/libsepol/include/sepol/policydb/ebitmap.h
index 81d0c7a6..076b9341 100644
--- a/libsepol/include/sepol/policydb/ebitmap.h +++ b/libsepol/include/sepol/policydb/ebitmap.h @@ -83,6 +83,7 @@ static inline int ebitmap_node_get_bit(const ebitmap_node_t * n, unsigned int bi extern int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2); extern int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2); extern int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1); +extern int ebitmap_relative_complement(ebitmap_t *dst, const ebitmap_t *e1); extern int ebitmap_and(ebitmap_t *dst, const ebitmap_t *e1, const ebitmap_t *e2); extern int ebitmap_xor(ebitmap_t *dst, const ebitmap_t *e1, const ebitmap_t *e2); extern int ebitmap_not(ebitmap_t *dst, const ebitmap_t *e1, unsigned int maxbit); diff --git a/libsepol/src/ebitmap.c b/libsepol/src/ebitmap.c index 1de3816a..5f166e8c 100644 --- a/libsepol/src/ebitmap.c +++ b/libsepol/src/ebitmap.c 
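Review bot: the prototype added to ebitmap.h says nothing about which operand is subtracted from which, and "relative complement" reads both ways; a one-line comment above it, e.g. `/* dst = dst \ e1: clear in dst every bit that is set in e1 */`, would pin down the operand order that the assertion.c callers later in this series rely on.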
@@ -72,6 +72,24 @@ int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1) return 0; } +int ebitmap_relative_complement(ebitmap_t *dst, const ebitmap_t *e1) +{ + unsigned int i, length; + + if (ebitmap_is_empty(dst) || ebitmap_is_empty(e1)) + return 0; + + length = min(ebitmap_length(dst), ebitmap_length(e1)); + for (i=0; i < length; i++) { + if (ebitmap_get_bit(e1, i)) { + int rc = ebitmap_set_bit(dst, i, 0); + if (rc < 0) + return rc; + } + } + return 0; +} + int ebitmap_and(ebitmap_t *dst, const ebitmap_t *e1, const ebitmap_t *e2) { unsigned int i, length = min(ebitmap_length(e1), ebitmap_length(e2)); From patchwork Sat Dec 4 10:35:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12656445 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 22862C433EF for ; Sat, 4 Dec 2021 10:35:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229982AbhLDKi4 (ORCPT ); Sat, 4 Dec 2021 05:38:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38986 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233760AbhLDKiz (ORCPT ); Sat, 4 Dec 2021 05:38:55 -0500 Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 79FF6C061354 for ; Sat, 4 Dec 2021 02:35:30 -0800 (PST) Received: by mail-ed1-x52c.google.com with SMTP id l25so21799841eda.11 for ; Sat, 04 Dec 2021 02:35:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; 
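Review bot: ebitmap_relative_complement() clears bits one at a time with ebitmap_get_bit()/ebitmap_set_bit(), each of which walks the node list from its head, so the cost grows with the square of the node count; that mirrors ebitmap_and() directly below it and is therefore consistent, but since dst is modified in place this is the one operation where a single pass over both node lists (masking `map &= ~other_map` at equal startbits and dropping nodes that become zero) would be both simpler and linear. Either way a unit test covering an empty operand, disjoint maps and a dst that ends up empty would pin the semantics before assertion.c starts depending on them.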
From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH v3 2/5] libsepol: add not-self neverallow support Date: Sat, 4 Dec 2021 11:35:13 +0100 Message-Id: <20211204103516.17375-2-cgzones@googlemail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20211204103516.17375-1-cgzones@googlemail.com> References: <20211124190815.12757-1-cgzones@googlemail.com> <20211204103516.17375-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add support for not-self neverallow rules. These do not trigger on allow rules where the source type is exactly equal to the target type. Signed-off-by: Christian Göttsche --- v3: - use renamed ebitmap_relative_complement(), see previous commit - cache not-self status of avrules and add loop shortcut on target and source type match v2: - do not change the value of RULE_SELF --- libsepol/include/sepol/policydb/policydb.h | 3 +- libsepol/src/assertion.c | 41 ++++++++++++++++++++-- 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index 4bf9f05d..11637fe8 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -285,7 +285,8 @@ typedef struct avrule { #define AVRULE_XPERMS (AVRULE_XPERMS_ALLOWED | AVRULE_XPERMS_AUDITALLOW | \ AVRULE_XPERMS_DONTAUDIT | AVRULE_XPERMS_NEVERALLOW) uint32_t specified; -#define RULE_SELF 1 +#define RULE_SELF (1U << 0) +#define RULE_NOTSELF (1U << 1) uint32_t flags; type_set_t stypes; type_set_t ttypes; diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index dd2749a0..fe6b88ae 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c 
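Review bot: RULE_SELF keeps its numeric value, so existing binary policies are unaffected, but `flags` is now a bit set and every `flags == RULE_SELF` comparison becomes a latent bug once RULE_NOTSELF can be present; this patch converts the three in assertion.c, so any remaining equality comparison against RULE_SELF outside those hunks (in libsepol or checkpolicy) needs the same `&` treatment. A header comment stating that RULE_SELF and RULE_NOTSELF are mutually exclusive (checkpolicy rejects both together in 3/5) would document the invariant the matching code relies on.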
@@ -216,6 +216,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void uint32_t perms; ebitmap_t src_matches, tgt_matches, self_matches, matches; ebitmap_node_t *snode, *tnode; + const int is_avrule_notself = (avrule->flags & RULE_NOTSELF) != 0; unsigned int i, j; if ((k->specified & AVTAB_ALLOWED) == 0) @@ -241,7 +242,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void if (rc) goto oom; - if (avrule->flags == RULE_SELF) { + if (avrule->flags & RULE_SELF) { rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]); if (rc) goto oom; @@ -268,6 +269,8 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void ebitmap_for_each_positive_bit(&src_matches, snode, i) { ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) { + if (is_avrule_notself && i == j) + continue; if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) { a->errors += report_assertion_extended_permissions(handle,p, avrule, i, j, cp, perms, k, avtab); @@ -381,6 +384,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab unsigned int i, j; ebitmap_node_t *snode, *tnode; class_perm_node_t *cp; + const int is_avrule_notself = (avrule->flags & RULE_NOTSELF) != 0; int rc; int ret = 1; @@ -402,7 +406,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab if (rc) goto oom; - if (avrule->flags == RULE_SELF) { + if (avrule->flags & RULE_SELF) { rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]); if (rc) 
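Review bot: report_assertion_avtab_matches() implements not-self purely as the `if (is_avrule_notself && i == j) continue;` skip in the nested loops, while check_assertion_extended_permissions() in the following hunk additionally trims tgt_matches with ebitmap_relative_complement(); the two paths decide what is printed versus what is counted, so they should apply the same rule. A comment beside the skip stating that a not-self rule never adds self pairs to tgt_matches (it takes neither the RULE_SELF branch nor any equivalent) would make the intent explicit.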
@@ -418,6 +422,18 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab } } + if (is_avrule_notself) { + rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]); + if (rc) + goto oom; + rc = ebitmap_and(&self_matches, &avrule->ttypes.types, &matches); + if (rc) + goto oom; + rc = ebitmap_relative_complement(&tgt_matches, &self_matches); + if (rc) + goto oom; + } + if (ebitmap_is_empty(&tgt_matches)) goto exit; @@ -426,6 +442,9 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab continue; ebitmap_for_each_positive_bit(&src_matches, snode, i) { ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) { + if (is_avrule_notself && i == j) + continue; + ret = check_assertion_extended_permissions_avtab( avrule, avtab, i, j, k, p); if (ret) @@ -463,7 +482,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a if (rc == 0) goto exit; - if (avrule->flags == RULE_SELF) { + if (avrule->flags & RULE_SELF) { /* If the neverallow uses SELF, then it is not enough that the * neverallow's source matches the src and tgt of the rule being checked. * It must match the same thing in the src and tgt, so AND the source 
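Review bot: the `if (is_avrule_notself)` block in check_assertion_extended_permissions() subtracts from tgt_matches every type that lies in both attribute expansions and in ttypes, not only the diagonal pairs (i, i); a type t2 present in both expansions is still a legitimate target for a different source type t1, so the t1 -> t2 pair can be hidden, and when the subtraction empties tgt_matches the function jumps to exit with `ret` still at its initial 1 (a match) unless it is reassigned in lines not shown. The `i == j` skip added to the inner loop in the same hunk already excludes exact self pairs, so the block looks redundant at best; I would drop it, or restrict it to the case where both expansions are the same single type if it is meant as a fast path.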
@@ -479,6 +498,22 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a ebitmap_destroy(&match); } + if (avrule->flags & RULE_NOTSELF) { + ebitmap_t match; + rc = ebitmap_cpy(&match, &p->attr_type_map[k->source_type - 1]); + if (rc) { + ebitmap_destroy(&match); + goto oom; + } + rc = ebitmap_relative_complement(&match, &p->attr_type_map[k->target_type - 1]); + if (rc) { + ebitmap_destroy(&match); + goto oom; + } + rc2 = ebitmap_match_any(&avrule->ttypes.types, &match); + ebitmap_destroy(&match); + } + /* neverallow may have tgts even if it uses SELF */ rc = ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1]); if (rc == 0 && rc2 == 0) From patchwork Sat Dec 4 10:35:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12656449 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3779FC433EF for ; Sat, 4 Dec 2021 10:35:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233760AbhLDKi6 (ORCPT ); Sat, 4 Dec 2021 05:38:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38996 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235417AbhLDKi5 (ORCPT ); Sat, 4 Dec 2021 05:38:57 -0500 Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B90A7C061354 for ; Sat, 4 Dec 2021 02:35:31 -0800 (PST) Received: by mail-ed1-x536.google.com with SMTP id y12so21586997eda.12 for ; Sat, 04 Dec 2021 02:35:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; 
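Review bot: in the RULE_NOTSELF block `match` is the allow rule's source expansion minus its target expansion, and rc2 asks whether ttypes intersects it; types in that set are by construction not in the target expansion, so they can never be the target of the rule being checked and rc2 cannot identify a real (source, target) pair. The unchanged `ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1])` below already covers the target side, so unless this encodes something I am missing the block can go; if it stays, give it a comment like the RULE_SELF one above explaining what `match` denotes.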
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [RFC PATCH v3 3/5] checkpolicy: add not-self neverallow support
Date: Sat, 4 Dec 2021 11:35:14 +0100
Message-Id: <20211204103516.17375-3-cgzones@googlemail.com>
In-Reply-To: <20211204103516.17375-1-cgzones@googlemail.com>
References: <20211124190815.12757-1-cgzones@googlemail.com> <20211204103516.17375-1-cgzones@googlemail.com>

Add support for using negated or complemented self in the target type of
neverallow rules.

Some refpolicy examples:

    neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *;
    # no violations

    neverallow domain domain:file ~{ append read_file_perms write };
    libsepol.report_failure: neverallow on line 565 of policy/modules/kernel/kernel.te (or line 30300 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 565 of policy/modules/kernel/kernel.te (or line 30300 of policy.conf) violated by allow chromium_t chromium_t:file { create };
    libsepol.report_failure: neverallow on line 564 of policy/modules/kernel/kernel.te (or line 30299 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

    neverallow domain { domain -self }:file ~{ append read_file_perms write };
    libsepol.report_failure: neverallow on line 565 of policy/modules/kernel/kernel.te (or line 30300 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 564 of policy/modules/kernel/kernel.te (or line 30299 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

Using negated self in a complement `~{ domain -self }` is not supported.
Signed-off-by: Christian Göttsche --- v3: - mention both neverallow rule types when using -self within an unsupported rule type v2: - fix neverallowxperm usage Signed-off-by: Christian Göttsche --- checkpolicy/policy_define.c | 46 ++++++++++++++++++++++++++++++++----- checkpolicy/test/dismod.c | 6 ++++- 2 files changed, 45 insertions(+), 7 deletions(-) diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index d3eb6111..e74b1a9a 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -2067,12 +2067,17 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule) while ((id = queue_remove(id_queue))) { if (strcmp(id, "self") == 0) { free(id); - if (add == 0) { - yyerror("-self is not supported"); + if (add == 0 && which != AVRULE_XPERMS_NEVERALLOW) { + yyerror("-self is only supported in neverallow and neverallowxperm rules"); + ret = -1; + goto out; + } + avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF); + if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) { + yyerror("self and -self is not supported"); ret = -1; goto out; } - avrule->flags |= RULE_SELF; continue; } if (set_types @@ -2083,6 +2088,18 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule) } } + if ((avrule->ttypes.flags & TYPE_COMP)) { + if (avrule->flags & RULE_NOTSELF) { + yyerror("-self is not supported in complements"); + ret = -1; + goto out; + } + if (avrule->flags & RULE_SELF) { + avrule->flags &= ~RULE_SELF; + avrule->flags |= RULE_NOTSELF; + } + } + ebitmap_init(&tclasses); ret = read_classes(&tclasses); if (ret) 
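Review bot: the self/-self validation and the TYPE_COMP rewrite are duplicated verbatim between define_te_avtab_xperms_helper() here and define_te_avtab_helper() in the next hunk, differing only in AVRULE_XPERMS_NEVERALLOW versus AVRULE_NEVERALLOW; a small shared helper taking `which` would keep them from drifting apart. Two nits: "self and -self is not supported" should read "are not supported", and the rewrite of `~{ ... self }` into RULE_NOTSELF deserves a comment (the complement of a set that contains the source itself is exactly "everything else, minus self"), since a reader of the resulting flags cannot tell that `~self` was written.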
@@ -2528,12 +2545,17 @@ static int define_te_avtab_helper(int which, avrule_t ** rule) while ((id = queue_remove(id_queue))) { if (strcmp(id, "self") == 0) { free(id); - if (add == 0) { - yyerror("-self is not supported"); + if (add == 0 && which != AVRULE_NEVERALLOW) { + yyerror("-self is only supported in neverallow and neverallowxperm rules"); + ret = -1; + goto out; + } + avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF); + if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) { + yyerror("self and -self is not supported"); ret = -1; goto out; } - avrule->flags |= RULE_SELF; continue; } if (set_types @@ -2544,6 +2566,18 @@ static int define_te_avtab_helper(int which, avrule_t ** rule) } } + if ((avrule->ttypes.flags & TYPE_COMP)) { + if (avrule->flags & RULE_NOTSELF) { + yyerror("-self is not supported in complements"); + ret = -1; + goto out; + } + if (avrule->flags & RULE_SELF) { + avrule->flags &= ~RULE_SELF; + avrule->flags |= RULE_NOTSELF; + } + } + ebitmap_init(&tclasses); ret = read_classes(&tclasses); if (ret) diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c index ec2a3e9a..a2d74d42 100644 --- a/checkpolicy/test/dismod.c +++ b/checkpolicy/test/dismod.c @@ -124,7 +124,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic } num_types = 0; - if (flags & RULE_SELF) { + if (flags & (RULE_SELF | RULE_NOTSELF)) { num_types++; } 
@@ -169,6 +169,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic fprintf(fp, " self"); } + if (flags & RULE_NOTSELF) { + fprintf(fp, " -self"); + } + if (num_types > 1) fprintf(fp, " }"); From patchwork Sat Dec 4 10:35:15 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12656447 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D497C433F5 for ; Sat, 4 Dec 2021 10:35:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236411AbhLDKi6 (ORCPT ); Sat, 4 Dec 2021 05:38:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38994 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233760AbhLDKi5 (ORCPT ); Sat, 4 Dec 2021 05:38:57 -0500 Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8E260C061751 for ; Sat, 4 Dec 2021 02:35:31 -0800 (PST) Received: by mail-ed1-x52c.google.com with SMTP id y12so21587069eda.12 for ; Sat, 04 Dec 2021 02:35:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=QWgGrkFDgatjSy86S3rlLuRx6M4kWAYtj4lxNA8zols=; b=qpGDey4ljBYsT+x4bChMRgRmwTsjhFxORng2aeCDZMq72oPlbZR0GkjsTEp5vNmsnm g5smkrdw9CU4YHohJ3LCaY7FVM04rEDINtdyPny+m06ZmrXdx76VpMylw03iFZikn3A6 sxSqX+zyrakj9FXuWFCyLkgVaaMKsKJQ9Jl83kmsQ9ISDxskPwiwD0a944k21ivH5oAj oEQxxfBNYhCh7P8tB+8mhNvcK9d7s4FPPIoX403vBWm9rgwepYiJ9cAOkmOQ/wLQ4WZ5 nwB0DdI+LHhs2tUJAZTLscPUV+/CUcvf2JxsnKyRK6RHoNFb2CGX41aKV65AcnLhrg7d 7e8w== X-Google-DKIM-Signature: 
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [RFC PATCH v3 4/5] libsepol: free ebitmap on end of function
Date: Sat, 4 Dec 2021 11:35:15 +0100
Message-Id: <20211204103516.17375-4-cgzones@googlemail.com>
In-Reply-To: <20211204103516.17375-1-cgzones@googlemail.com>
References: <20211124190815.12757-1-cgzones@googlemail.com> <20211204103516.17375-1-cgzones@googlemail.com>

Signed-off-by: Christian Göttsche
---
 libsepol/src/assertion.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index fe6b88ae..4600be41 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -460,6 +460,7 @@ oom: exit: ebitmap_destroy(&src_matches); ebitmap_destroy(&tgt_matches); + ebitmap_destroy(&self_matches); ebitmap_destroy(&matches); return ret; } From patchwork Sat Dec 4 10:35:16 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12656451 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 62645C433FE for ; Sat, 4 Dec 2021 10:35:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235417AbhLDKi7 (ORCPT ); Sat, 4 Dec 2021 05:38:59 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38998 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235954AbhLDKi5 (ORCPT ); Sat, 4 Dec 2021 05:38:57 -0500 Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 25CDCC061359 for ; Sat, 4 Dec 2021 02:35:32 -0800 (PST) Received: by mail-ed1-x529.google.com with SMTP id r25so21698648edq.7 for ; Sat, 04 Dec 2021 02:35:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=d1WmDh1cJv8QCLCqmGr3r0sl/OFP6mPHXCEXM+PmEjc=; b=lIUPYoVEkOtwK33wAyB/BwdZcQu5ltCsLZKTJUTPckmafhUCnTHJ0+rgQmP35Ce5cz //COtJZMegpWP3Z6Poi5x/aXxshM7/m6jh4G0Imjm31A5Cp/e/CXIufdqlLBhlY6T6x8 iAT7agjGzZCzfMLCAq6iaYwxePARiS1yEcnbHPS4NQzVx0DYSUZbhM+wUA2rmRa2chAu WRSI7HwStt0AOGZvaXK8cniBP5Ff/EsOH0k1LznqWN4U8BG35rJCVv4U0ed+b4zVNmvF 5vpXGndmM8x+zZCP2GklaTGCpgSNvmKOy31jY09LpcV2n+cKo5Ct9ihVWucbJR52PM+/ GA7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; 
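Review bot: the commit message has no body; it should say that self_matches is initialised in check_assertion_extended_permissions() but was never destroyed on the shared oom/exit path, and, if self_matches predates this series, that this is a pre-existing leak independent of the not-self work which could be merged on its own or ordered first. Please also confirm that ebitmap_init(&self_matches) runs before the earliest `goto exit`, otherwise the new destroy touches an uninitialised map.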
From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Cc: James Carter Subject: [RFC PATCH v3 5/5] libsepol: pass avtab to report function Date: Sat, 4 Dec 2021 11:35:16 +0100 Message-Id: <20211204103516.17375-5-cgzones@googlemail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20211204103516.17375-1-cgzones@googlemail.com> References: <20211124190815.12757-1-cgzones@googlemail.com> <20211204103516.17375-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Populate the avtab member before passing as argument to the report function. Without the avtab avtab_search_node() is unable to find allowxperm rules and this results in false-positive reports, e.g. on: allow TATTR1 TATTR1 : CLASS1 ioctl; allowxperm TATTR1 TATTR1 : CLASS1 ioctl 0x9501; neverallowxperm TYPE1 ~self : CLASS1 0x9501; Reported-by: James Carter Signed-off-by: Christian Göttsche --- libsepol/src/assertion.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index 4600be41..a0eebb93 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c @@ -304,10 +304,12 @@ static int report_assertion_failures(sepol_handle_t *handle, policydb_t *p, avru args.avrule = avrule; args.errors = 0; + args.avtab = &p->te_avtab; rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args); if (rc) goto oom; + args.avtab = &p->te_cond_avtab; rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args); if (rc) goto oom;
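Review bot: the missing args.avtab assignment affects any neverallowxperm report that reaches avtab_search_node(), not just the ~self case in the example, so this fix is independent of the RFC and could be merged ahead of it. A short comment above the two assignments, explaining that report_assertion_avtab_matches() must search the same table it is being mapped over (te_avtab on the first pass, te_cond_avtab on the second), would save the next reader from wondering why the struct is re-pointed between the calls.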
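To make the semantics described in the 2/5 and 3/5 commit messages concrete, here is an added stand-alone C model (not libsepol or checkpolicy code) of how a neverallow whose target uses `self`, `-self` or `~self` is matched against an allow rule. Types are bits in a uint32_t, the type names are constructed stand-ins for the refpolicy types quoted above, and the function names are chosen for this example.

```c
/*
 * Stand-alone model (not libsepol/checkpolicy code) of matching a neverallow
 * whose target uses self, -self or ~self against an allow rule, as described
 * in patches 2/5 and 3/5.  Types are bits of a uint32_t, so an attribute's
 * expansion is simply the union of its member bits.
 */
#include <stdint.h>
#include <stdio.h>

#define RULE_SELF    (1U << 0)   /* same values as policydb.h after 2/5 */
#define RULE_NOTSELF (1U << 1)
#define ALL_TYPES    0xFFFFFFFFu

/* constructed stand-ins for the refpolicy types quoted in 3/5 */
#define T_SYSADM   (1U << 0)
#define T_BUGZILLA (1U << 1)
#define T_CHROMIUM (1U << 2)
#define A_DOMAIN   (T_SYSADM | T_BUGZILLA | T_CHROMIUM)

struct neverallow {
    uint32_t stypes;   /* expanded source type set */
    uint32_t ttypes;   /* expanded target type set, complement applied */
    uint32_t flags;    /* RULE_SELF, RULE_NOTSELF or 0 */
};

/*
 * Build the rule the way the checkpolicy hunk does.  self_token is +1 for
 * "self", -1 for "-self", 0 for neither; complement mirrors "~{ ... }".
 * Returns 0, or -1 for the rejected "~{ ... -self }" combination.
 */
int build_neverallow(struct neverallow *na, uint32_t stypes,
                     uint32_t ttypes, int complement, int self_token)
{
    na->stypes = stypes;
    na->ttypes = ttypes;
    na->flags = self_token > 0 ? RULE_SELF : self_token < 0 ? RULE_NOTSELF : 0;

    if (complement) {
        if (na->flags & RULE_NOTSELF)
            return -1;                 /* no defined meaning, rejected */
        na->ttypes = ALL_TYPES & ~ttypes;
        if (na->flags & RULE_SELF)     /* ~{ X self } == everything but X and self */
            na->flags = RULE_NOTSELF;
    }
    return 0;
}

/* Is the single (source, target) type pair forbidden by the rule? */
static int pair_matches(const struct neverallow *na, unsigned s, unsigned t)
{
    int in_ttypes = (na->ttypes >> t) & 1u;

    if (na->flags & RULE_SELF)         /* listed targets, plus the type itself */
        return in_ttypes || s == t;
    if (na->flags & RULE_NOTSELF)      /* listed targets, minus the type itself */
        return in_ttypes && s != t;
    return in_ttypes;
}

/*
 * Return 1 if "allow src tgt" (both already expanded to type sets) grants a
 * pair the neverallow forbids, else 0.  Walking every pair and skipping the
 * diagonal for -self is what the i == j shortcut in assertion.c implements.
 */
int allow_violates(const struct neverallow *na, uint32_t src, uint32_t tgt)
{
    uint32_t srcs = src & na->stypes;  /* only sources the rule talks about */
    unsigned s, t;

    for (s = 0; s < 32; s++) {
        if (!((srcs >> s) & 1u))
            continue;
        for (t = 0; t < 32; t++)
            if (((tgt >> t) & 1u) && pair_matches(na, s, t))
                return 1;
    }
    return 0;
}

int main(void)
{
    struct neverallow na;

    /* neverallow domain { domain -self }:file ...; */
    build_neverallow(&na, A_DOMAIN, A_DOMAIN, 0, -1);
    printf("sysadm_t -> httpd_bugzilla_script_t violates: %d\n",
           allow_violates(&na, T_SYSADM, T_BUGZILLA));   /* 1 */
    printf("chromium_t -> chromium_t violates: %d\n",
           allow_violates(&na, T_CHROMIUM, T_CHROMIUM)); /* 0 */
    return 0;
}
```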