From patchwork Thu Jul 21 15:05:08 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12925338 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 088FBC433EF for ; Thu, 21 Jul 2022 15:05:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231314AbiGUPF3 (ORCPT ); Thu, 21 Jul 2022 11:05:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52362 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231193AbiGUPFZ (ORCPT ); Thu, 21 Jul 2022 11:05:25 -0400 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 74C07E032 for ; Thu, 21 Jul 2022 08:05:23 -0700 (PDT) Received: by mail-ej1-x629.google.com with SMTP id bp15so3673144ejb.6 for ; Thu, 21 Jul 2022 08:05:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=9dcZ2AtcqOsdWps0nDzaRZDUGLstrpKouR5oIz5maUQ=; b=mNJYwv7A+c0j4UnefJb5VSNbwzYTsuIc6dzneET+A3dNKJ41C/D55DI0npU0wMXWqU MmFFpn+WxoAWo5uMpmw1KkuhK1VVHvxoASfee5vK2qs0trHZHnUaTpzGv0S3oF/WS7ho YqiWOF4VTuhsZMgO4onl3th0fabOttFdX/7h72u2OA8262+2m9NTKH1nFhajBAnCsn4+ FmTHXFH+/eAm4rLFQYp+qJg/eAsYjEQTBdr0IbE8Rkq6oyHxEQh5U4M29Y6ltwGTDfBU +Ab1DiNegskumT/Bnv71BR9Tp0nTaRgk3inPK/Xnh3kzdkVZFoKqqSgQbYPQO5rdwDlG 2ekQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=9dcZ2AtcqOsdWps0nDzaRZDUGLstrpKouR5oIz5maUQ=; b=GigZyvlBWDLE2CGDZTwcQYcUsJWnRMh+2zPmx2BeKL5IGfQYP1ldgovZbTWXu/2dsy a1JXlNKqrTaBbKPTs8utBtuCcog/HobOHFbvf3A6/JweRgI/X7Ign0DcOgS0VhYDFMSd XaGbxa5xh/GLBhohSWGEc35AeUXBIjq150cD45mbHAlih4jRxyKnmBOyRzILBz48uHJZ GmLCn6gZF+Sh4Yi4ET2fGqBzyTW+VwfAxxPsSR8QX2ODRUfwo1pQTPXaQ6TD8QY0NzDk Umgz66eedLHSRyldpvLgRCxVVf+3ss/gwOCdF94hsbSAnxDPsvaNoVW5gstnfi5iSNZg UHNg== X-Gm-Message-State: AJIora8d0mAvMo5Mn4ThC12TVP+elqNCcIu2voPtXX+YAyZfYzWzQmOR N6lR/p9DZRx0LM77hbiEzOK65PuvNGY/IQ== X-Google-Smtp-Source: AGRyM1t4Fm+WmokfsAe79Xu/2B9nix7Hcgy0UMuJEURtWbDkXqNg4w/ZWNr4OXW5wvrorCpFoUWXqQ== X-Received: by 2002:a17:907:2c77:b0:72b:1154:33da with SMTP id ib23-20020a1709072c7700b0072b115433damr41595522ejc.27.1658415921961; Thu, 21 Jul 2022 08:05:21 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-000-209-027.77.0.pool.telefonica.de. [77.0.209.27]) by smtp.gmail.com with ESMTPSA id s7-20020aa7c547000000b0043a1255bc68sm1120992edr.94.2022.07.21.08.05.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Jul 2022 08:05:21 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v3 1/8] libsepol: refactor ebitmap conversion in link.c Date: Thu, 21 Jul 2022 17:05:08 +0200 Message-Id: <20220721150515.19843-1-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Refactor the ebitmap conversions in link.c into its own function. Do not log an OOM message twice on type_set_or_convert() failure. Drop the now unused state parameter from type_set_or_convert() and type_set_convert(). Signed-off-by: Christian Göttsche Acked-by: James Carter --- libsepol/src/link.c | 140 +++++++++++++++----------------------------- 1 file changed, 47 insertions(+), 93 deletions(-) diff --git a/libsepol/src/link.c b/libsepol/src/link.c index 7e8313cb..cbe4cea4 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -958,26 +958,28 @@ static int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum, /*********** callbacks that fix bitmaps ***********/ -static int type_set_convert(type_set_t * types, type_set_t * dst, - policy_module_t * mod, link_state_t * state - __attribute__ ((unused))) +static int ebitmap_convert(const ebitmap_t *src, ebitmap_t *dst, const uint32_t *map) { - unsigned int i; - ebitmap_node_t *tnode; - ebitmap_for_each_positive_bit(&types->types, tnode, i) { - assert(mod->map[SYM_TYPES][i]); - if (ebitmap_set_bit - (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) { - goto cleanup; - } - } - ebitmap_for_each_positive_bit(&types->negset, tnode, i) { - assert(mod->map[SYM_TYPES][i]); - if (ebitmap_set_bit - (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) { - goto cleanup; - } + unsigned int bit; + ebitmap_node_t *node; + ebitmap_for_each_positive_bit(src, node, bit) { + assert(map[bit]); + if (ebitmap_set_bit(dst, map[bit] - 1, 1)) + return -1; } + + return 0; +} + +static int type_set_convert(const type_set_t * types, type_set_t * dst, + const policy_module_t * mod) +{ + if (ebitmap_convert(&types->types, &dst->types, mod->map[SYM_TYPES])) + goto cleanup; + + if (ebitmap_convert(&types->negset, &dst->negset, mod->map[SYM_TYPES])) + goto cleanup; + dst->flags = types->flags; return 0; @@ -988,13 +990,13 @@ static int type_set_convert(type_set_t * types, type_set_t * dst, /* OR 2 typemaps together and at the same time map the src types to * the correct values in the dst typeset. */ -static int type_set_or_convert(type_set_t * types, type_set_t * dst, - policy_module_t * mod, link_state_t * state) +static int type_set_or_convert(const type_set_t * types, type_set_t * dst, + const policy_module_t * mod) { type_set_t ts_tmp; type_set_init(&ts_tmp); - if (type_set_convert(types, &ts_tmp, mod, state) == -1) { + if (type_set_convert(types, &ts_tmp, mod) == -1) { goto cleanup; } if (type_set_or_eq(dst, &ts_tmp)) { @@ -1004,7 +1006,6 @@ static int type_set_or_convert(type_set_t * types, type_set_t * dst, return 0; cleanup: - ERR(state->handle, "Out of memory!"); type_set_destroy(&ts_tmp); return -1; } @@ -1012,18 +1013,11 @@ static int type_set_or_convert(type_set_t * types, type_set_t * dst, static int role_set_or_convert(role_set_t * roles, role_set_t * dst, policy_module_t * mod, link_state_t * state) { - unsigned int i; ebitmap_t tmp; - ebitmap_node_t *rnode; ebitmap_init(&tmp); - ebitmap_for_each_positive_bit(&roles->roles, rnode, i) { - assert(mod->map[SYM_ROLES][i]); - if (ebitmap_set_bit - (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) { - goto cleanup; - } - } + if (ebitmap_convert(&roles->roles, &tmp, mod->map[SYM_ROLES])) + goto cleanup; if (ebitmap_union(&dst->roles, &tmp)) { goto cleanup; } @@ -1088,13 +1082,11 @@ static int mls_range_convert(mls_semantic_range_t * src, mls_semantic_range_t * static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) { - unsigned int i; char *id = key; role_datum_t *role, *dest_role = NULL; link_state_t *state = (link_state_t *) data; ebitmap_t e_tmp; policy_module_t *mod = state->cur; - ebitmap_node_t *rnode; hashtab_t role_tab; role = (role_datum_t *) datum; @@ -1111,30 +1103,20 @@ static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, } ebitmap_init(&e_tmp); - ebitmap_for_each_positive_bit(&role->dominates, rnode, i) { - assert(mod->map[SYM_ROLES][i]); - if (ebitmap_set_bit - (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { - goto cleanup; - } - } + if (ebitmap_convert(&role->dominates, &e_tmp, mod->map[SYM_ROLES])) + goto cleanup; if (ebitmap_union(&dest_role->dominates, &e_tmp)) { goto cleanup; } - if (type_set_or_convert(&role->types, &dest_role->types, mod, state)) { + if (type_set_or_convert(&role->types, &dest_role->types, mod)) { goto cleanup; } ebitmap_destroy(&e_tmp); if (role->flavor == ROLE_ATTRIB) { ebitmap_init(&e_tmp); - ebitmap_for_each_positive_bit(&role->roles, rnode, i) { - assert(mod->map[SYM_ROLES][i]); - if (ebitmap_set_bit - (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { - goto cleanup; - } - } + if (ebitmap_convert(&role->roles, &e_tmp, mod->map[SYM_ROLES])) + goto cleanup; if (ebitmap_union(&dest_role->roles, &e_tmp)) { goto cleanup; } @@ -1152,13 +1134,11 @@ static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, static int type_fix_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) { - unsigned int i; char *id = key; type_datum_t *type, *new_type = NULL; link_state_t *state = (link_state_t *) data; ebitmap_t e_tmp; policy_module_t *mod = state->cur; - ebitmap_node_t *tnode; symtab_t *typetab; type = (type_datum_t *) datum; @@ -1181,13 +1161,8 @@ static int type_fix_callback(hashtab_key_t key, hashtab_datum_t datum, } ebitmap_init(&e_tmp); - ebitmap_for_each_positive_bit(&type->types, tnode, i) { - assert(mod->map[SYM_TYPES][i]); - if (ebitmap_set_bit - (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) { - goto cleanup; - } - } + if (ebitmap_convert(&type->types, &e_tmp, mod->map[SYM_TYPES])) + goto cleanup; if (ebitmap_union(&new_type->types, &e_tmp)) { goto cleanup; } @@ -1269,9 +1244,8 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst, new_rule->specified = cur->specified; new_rule->flags = cur->flags; if (type_set_convert - (&cur->stypes, &new_rule->stypes, module, state) == -1 - || type_set_convert(&cur->ttypes, &new_rule->ttypes, module, - state) == -1) { + (&cur->stypes, &new_rule->stypes, module) == -1 + || type_set_convert(&cur->ttypes, &new_rule->ttypes, module) == -1) { goto cleanup; } @@ -1355,8 +1329,6 @@ static int copy_role_trans_list(role_trans_rule_t * list, policy_module_t * module, link_state_t * state) { role_trans_rule_t *cur, *new_rule = NULL, *tail; - unsigned int i; - ebitmap_node_t *cnode; cur = list; tail = *dst; @@ -1374,19 +1346,12 @@ static int copy_role_trans_list(role_trans_rule_t * list, if (role_set_or_convert (&cur->roles, &new_rule->roles, module, state) || type_set_or_convert(&cur->types, &new_rule->types, - module, state)) { + module)) { goto cleanup; } - ebitmap_for_each_positive_bit(&cur->classes, cnode, i) { - assert(module->map[SYM_CLASSES][i]); - if (ebitmap_set_bit(&new_rule->classes, - module-> - map[SYM_CLASSES][i] - 1, - 1)) { - goto cleanup; - } - } + if (ebitmap_convert(&cur->classes, &new_rule->classes, module->map[SYM_CLASSES])) + goto cleanup; new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1]; @@ -1476,8 +1441,8 @@ static int copy_filename_trans_list(filename_trans_rule_t * list, if (!new_rule->name) goto err; - if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module, state) || - type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module, state)) + if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module) || + type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module)) goto err; new_rule->tclass = module->map[SYM_CLASSES][cur->tclass - 1]; @@ -1497,8 +1462,6 @@ static int copy_range_trans_list(range_trans_rule_t * rules, policy_module_t * mod, link_state_t * state) { range_trans_rule_t *rule, *new_rule = NULL; - unsigned int i; - ebitmap_node_t *cnode; for (rule = rules; rule; rule = rule->next) { new_rule = @@ -1512,21 +1475,15 @@ static int copy_range_trans_list(range_trans_rule_t * rules, *dst = new_rule; if (type_set_convert(&rule->stypes, &new_rule->stypes, - mod, state)) + mod)) goto cleanup; if (type_set_convert(&rule->ttypes, &new_rule->ttypes, - mod, state)) + mod)) goto cleanup; - ebitmap_for_each_positive_bit(&rule->tclasses, cnode, i) { - assert(mod->map[SYM_CLASSES][i]); - if (ebitmap_set_bit - (&new_rule->tclasses, - mod->map[SYM_CLASSES][i] - 1, 1)) { - goto cleanup; - } - } + if (ebitmap_convert(&rule->tclasses, &new_rule->tclasses, mod->map[SYM_CLASSES])) + goto cleanup; if (mls_range_convert(&rule->trange, &new_rule->trange, mod, state)) goto cleanup; @@ -1688,15 +1645,12 @@ static int copy_scope_index(scope_index_t * src, scope_index_t * dest, } dest->class_perms_len = largest_mapped_class_value; for (i = 0; i < src->class_perms_len; i++) { - ebitmap_t *srcmap = src->class_perms_map + i; + const ebitmap_t *srcmap = src->class_perms_map + i; ebitmap_t *destmap = dest->class_perms_map + module->map[SYM_CLASSES][i] - 1; - ebitmap_for_each_positive_bit(srcmap, node, j) { - if (ebitmap_set_bit(destmap, module->perm_map[i][j] - 1, - 1)) { - goto cleanup; - } - } + + if (ebitmap_convert(srcmap, destmap, module->perm_map[i])) + goto cleanup; } return 0; From patchwork Thu Jul 21 15:05:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12925335 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4C1D5C43334 for ; Thu, 21 Jul 2022 15:05:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231349AbiGUPF3 (ORCPT ); Thu, 21 Jul 2022 11:05:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52458 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231394AbiGUPF1 (ORCPT ); Thu, 21 Jul 2022 11:05:27 -0400 Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4D8BB11A2A for ; Thu, 21 Jul 2022 08:05:24 -0700 (PDT) Received: by mail-ej1-x633.google.com with SMTP id z23so3656429eju.8 for ; Thu, 21 Jul 2022 08:05:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=7FHemlDb0HMjO1ZMLiH8Xt0H2UQ5CSY1zrfs602rxQ8=; b=oLoXFxWXJpFgC0+M1CUVi0RnPRG6L/ZrGaHC97QWbab/oUDR8pIVIxtolcuNEyGSoW eR/RpQWCMCJI0HVU0NRt20Thas1Q0zsV1DDajDc4hzyjpvH/pfsYdkJSKcQgBmirT+uy xZAmlL8X8t2B358+nryzMf+Snry/klxi6Eo+PlWZi2YMIqW42MR+wUCeLL4eTCLaAyiJ JDpP80PQHo6VfuwdyaclZ0CMGYZ0YfZnbwpyRkLFAc9tYMo5ZujsYvDbqnw8gZqqaIjl AG4FMIMKDELkpoLa42UIzXEEluz13cig0KzeIQo7EcafpcnS7k7LGXNovtHz9Bv1jEcy tuJA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=7FHemlDb0HMjO1ZMLiH8Xt0H2UQ5CSY1zrfs602rxQ8=; b=0OZFiyzzy/yREwe7PJ+lub6hy8xFhyu5PaKsvBdxUYe9CxHnPtl5pJva/EWrXbiSI6 m6BIMEkDxecY1cgN/14jqPH5qtty3wO3xSSSNcv9wGiqlKojl0MEfx03Jqpqw9bo5QUm kh8QDqBjMaAaAVRTS/ME40vggOIe3mkpvsNHHoEqhvWwIXYSPyO/S1+/2U2PrWrpgOPm nmBT7hRwLfBRCON5aMYLaIgTTzxSdunsdJdogu0H4YQ1W893m61V8TiVVLWiBvsPqG1p pXR/SAndq0yxFThTZ9LATE1OwT4bLeEyTp39gHqvM2SOJc0JbhJvUqgzlPZMgGyI95wg 0kpA== X-Gm-Message-State: AJIora+wuDpiyRIX3jBHBQ+tA4b2Kp3j65m5MIAFIV4bWoG1gQaV09FC Xs62SVj1CyQd+TGZ4pdjBq6u3Ylq5CIUug== X-Google-Smtp-Source: AGRyM1tvqndE5ltiTuc5yWCPSa1OR8YsOYM0mkY0lm/FZk2jqnhRRLfIB/TR82EBhr7KAQkCV5SEHQ== X-Received: by 2002:a17:907:9693:b0:72f:9cc:63d7 with SMTP id hd19-20020a170907969300b0072f09cc63d7mr27558401ejc.661.1658415922656; Thu, 21 Jul 2022 08:05:22 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-000-209-027.77.0.pool.telefonica.de. [77.0.209.27]) by smtp.gmail.com with ESMTPSA id s7-20020aa7c547000000b0043a1255bc68sm1120992edr.94.2022.07.21.08.05.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Jul 2022 08:05:22 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v3 2/8] libsepol: add ebitmap iterator wrapper with startnode Date: Thu, 21 Jul 2022 17:05:09 +0200 Message-Id: <20220721150515.19843-2-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220721150515.19843-1-cgzones@googlemail.com> References: <20220721150515.19843-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Similar like ebitmap_for_each_bit() iterates over all bits of an ebitmap add ebitmap_for_each_bit_starting() iterating over all bits starting from a specific node and bit, which can be from an outer iteration. Signed-off-by: Christian Göttsche --- v2: * use _after suffix * reorder parameters --- libsepol/include/sepol/policydb/ebitmap.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libsepol/include/sepol/policydb/ebitmap.h b/libsepol/include/sepol/policydb/ebitmap.h index 81d0c7a6..4696805f 100644 --- a/libsepol/include/sepol/policydb/ebitmap.h +++ b/libsepol/include/sepol/policydb/ebitmap.h @@ -80,6 +80,13 @@ static inline int ebitmap_node_get_bit(const ebitmap_node_t * n, unsigned int bi #define ebitmap_for_each_positive_bit(e, n, bit) \ ebitmap_for_each_bit(e, n, bit) if (ebitmap_node_get_bit(n, bit)) \ +#define ebitmap_for_each_bit_after(e, n, bit, startnode, startbit) \ + n = startnode; \ + for (bit = ebitmap_next(&n, startbit); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \ + +#define ebitmap_for_each_positive_bit_after(e, n, bit, startnode, startbit) \ + ebitmap_for_each_bit_after(e, n, bit, startnode, startbit) if (ebitmap_node_get_bit(n, bit)) \ + extern int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2); extern int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2); extern int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1); From patchwork Thu Jul 21 15:05:10 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12925339 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 784F3CCA488 for ; Thu, 21 Jul 2022 15:05:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231193AbiGUPFa (ORCPT ); Thu, 21 Jul 2022 11:05:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52478 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231470AbiGUPF2 (ORCPT ); Thu, 21 Jul 2022 11:05:28 -0400 Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2AD061276E for ; Thu, 21 Jul 2022 08:05:25 -0700 (PDT) Received: by mail-ej1-x631.google.com with SMTP id ss3so3599273ejc.11 for ; Thu, 21 Jul 2022 08:05:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=I2pjEZKi3YN9/tCoiKl1+mGLsWzgLkTV/pN9wXFBnVQ=; b=i5tixb45LbFbSLvAwagPpwOLl1P6jiBKWowa35VQTk8c604XC9z9GozsJMmlEOQ28L TpjZDjz3tuYHmH9lN//ACwWTPKOcWvZrHXo4eVv8ZVABdlxM8BHIlZsBz2q1klPhYFfH iOHLGe+CSrkWwTO1lD0JFRbDTtlDXhNuCgWe3R87+HiSv0Jiph5M8obP4L0dDsHEmEBq T6QeaPvSfHy56/Wmdb4To5VQm1YLXy/nHtRXwqqsGyHe0Hgqrxz+Ji7hxYb1Cd5SR0p1 G5mcrAwHAYw0KtkrFoPCngGS0E4SIaZ7iOion9KF7n3aQRh47APFEkz3fJWl8lz+m+RA xZcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=I2pjEZKi3YN9/tCoiKl1+mGLsWzgLkTV/pN9wXFBnVQ=; b=3J8mNZR7IFdqO+8Yb5Btv76nYNNipgoGd3LXobrXXGa90IuD6WxGT0V2dcNUm6IiAu cjaQiIq0wFrrJuSHyZeSJIdixFeecfsh8MxjsDaRghFcf3sBcKpTg/spTMHhf4gTpd8p 3PdPPUdXt/VL3XSG9VihfsIYgT4FQ+1Tl3VQUmv0M5QHBH36VpLWOoPT02YNPoQWotX7 SW1ssf08T9feT7oW6mrrt6OHCZctB7wx8hU46BE0FjKfgWb55D0xD9jptLqEaQhKx/MF CcIQJzAPfS6vdSEMKXaTYqzFaLbRBIwfNjSp4Ogpy/+460BSv6y3D2wWd4AcEuHfGEDs 5Qxw== X-Gm-Message-State: AJIora8IKWuomjLdnlkmQOkE6ibtybHZpetvJZusmWRlyYWb0i1lRJiR D9/jereOKZmMamLmRIt+lSSUyXeDNDiqTg== X-Google-Smtp-Source: AGRyM1vgFUpqd9v3yL3BuFKhpKKNYTeKjtzWqVHv7ybsP5+c3JLni82xy+O/syqgVPjxE8cX4ERWtA== X-Received: by 2002:a17:907:b04:b0:72b:5cf4:4631 with SMTP id h4-20020a1709070b0400b0072b5cf44631mr42061969ejl.180.1658415923551; Thu, 21 Jul 2022 08:05:23 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-000-209-027.77.0.pool.telefonica.de. [77.0.209.27]) by smtp.gmail.com with ESMTPSA id s7-20020aa7c547000000b0043a1255bc68sm1120992edr.94.2022.07.21.08.05.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Jul 2022 08:05:23 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v3 3/8] libsepol: add compile-time constraint for mutual exclusive attributes Date: Thu, 21 Jul 2022 17:05:10 +0200 Message-Id: <20220721150515.19843-3-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220721150515.19843-1-cgzones@googlemail.com> References: <20220721150515.19843-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a new compile-time constraint, similar to neverallow, which enables to specify two or more type attributes to be mutual exclusive. This means no type can be associated with more than one of them. The constraints are stored as a linked-list in the policy for modular policies, by a new modular policy version, and are discarded in kernel policies, not needing any kernel support. Some Reference Policy examples: unpriv_userdomain, admindomain: client_packet_type, server_packet_type: auth_file_type, non_auth_file_type: pseudofs, xattrfs, noxattrfs: reserved_port_type, unreserved_port_type: security_file_type, non_security_file_type: libsepol.check_segregate_attributes: Segregate Attributes violation, type dnssec_t associated with attributes security_file_type and non_security_file_type ibendport_type, packet_type, sysctl_type, device_node, ibpkey_type, sysfs_types, domain, boolean_type, netif_type, file_type, node_type, proc_type, port_type: libsepol.check_segregate_attributes: Segregate Attributes violation, type sysctl_fs_t associated with attributes sysctl_type and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type sysctl_t associated with attributes sysctl_type and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type virt_content_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type initrc_devpts_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type qemu_image_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type user_devpts_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type cardmgr_dev_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type bootloader_tmp_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type xen_image_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type svirt_prot_exec_image_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type xen_devpts_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type svirt_image_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type virt_image_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type container_file_t associated with attributes device_node and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type cpu_online_t associated with attributes sysfs_types and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type sysfs_t associated with attributes sysfs_types and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type dockerc_t associated with attributes domain and file_type libsepol.check_segregate_attributes: Segregate Attributes violation, type proc_t associated with attributes file_type and proc_type libsepol.check_segregate_attributes: Segregate Attributes violation, type proc_xen_t associated with attributes file_type and proc_type libsepol.check_assertions: 20 Segregate Attributes failures occurred Closes: https://github.com/SELinuxProject/selinux/issues/42 Signed-off-by: Christian Göttsche --- v3: - drop source location information: this information was already lost for binary modular policies and CIL policies; also typeattribute statements have none and the few segregate_attributes statements can be easily grepped - misc renaming v2: rebase onto _after suffix change --- libsepol/include/sepol/policydb/policydb.h | 15 ++++- libsepol/src/assertion.c | 57 +++++++++++++--- libsepol/src/expand.c | 45 ++++++++++++- libsepol/src/kernel_to_conf.c | 38 ++++++++++- libsepol/src/link.c | 44 +++++++++++++ libsepol/src/policydb.c | 76 ++++++++++++++++++++++ libsepol/src/policydb_validate.c | 29 +++++++++ libsepol/src/write.c | 34 +++++++++- 8 files changed, 325 insertions(+), 13 deletions(-) diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index de0068a6..d62d030c 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -192,6 +192,12 @@ typedef struct type_datum { uint32_t bounds; /* bounds type, if exist */ } type_datum_t; +/* Mutual exclusive attributes */ +typedef struct segregate_attributes_rule { + ebitmap_t attrs; /* mutual exclusive attributes */ + struct segregate_attributes_rule *next; +} segregate_attributes_rule_t; + /* * Properties of type_datum * available on the policy version >= (MOD_)POLICYDB_VERSION_BOUNDARY @@ -605,6 +611,10 @@ typedef struct policydb { bitmaps. Someday the 0 bit may be used for global permissive */ ebitmap_t permissive_map; + /* mutual exclusive attributes (not preserved in kernel policy). + stored as linked list */ + segregate_attributes_rule_t *segregate_attributes; + unsigned policyvers; unsigned handle_unknown; @@ -696,6 +706,8 @@ extern void level_datum_init(level_datum_t * x); extern void level_datum_destroy(level_datum_t * x); extern void cat_datum_init(cat_datum_t * x); extern void cat_datum_destroy(cat_datum_t * x); +extern void segregate_attributes_rule_init(segregate_attributes_rule_t * x); +extern void segregate_attributes_rule_destroy(segregate_attributes_rule_t * x); extern int check_assertion(policydb_t *p, avrule_t *avrule); extern int check_assertions(sepol_handle_t * handle, policydb_t * p, avrule_t * avrules); @@ -783,9 +795,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define MOD_POLICYDB_VERSION_INFINIBAND 19 #define MOD_POLICYDB_VERSION_GLBLUB 20 #define MOD_POLICYDB_VERSION_SELF_TYPETRANS 21 +#define MOD_POLICYDB_VERSION_SEGREGATE_ATTRIBUTES 22 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_SELF_TYPETRANS +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_SEGREGATE_ATTRIBUTES #define POLICYDB_CONFIG_MLS 1 diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index 161874c3..a6dda570 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c @@ -36,7 +36,7 @@ struct avtab_match_args { unsigned long errors; }; -static const char* policy_name(policydb_t *p) { +static const char* policy_name(const policydb_t *p) { const char *policy_file = "policy.conf"; if (p->name) { policy_file = p->name; @@ -535,6 +535,44 @@ int check_assertion(policydb_t *p, avrule_t *avrule) return rc; } +static int check_segregate_attributes(sepol_handle_t *handle, const policydb_t *p) +{ + const segregate_attributes_rule_t *sattr; + int errors = 0, rc; + + for (sattr = p->segregate_attributes; sattr; sattr = sattr->next) { + ebitmap_node_t *first_node; + unsigned int first_bit; + + ebitmap_for_each_positive_bit(&sattr->attrs, first_node, first_bit) { + ebitmap_node_t *second_node; + unsigned int second_bit; + + ebitmap_for_each_positive_bit_after(&sattr->attrs, second_node, second_bit, first_node, first_bit) { + ebitmap_t attr_union; + ebitmap_node_t *type_node; + unsigned int type_bit; + + rc = ebitmap_and(&attr_union, &p->attr_type_map[first_bit], &p->attr_type_map[second_bit]); + if (rc < 0) + return rc; + + ebitmap_for_each_positive_bit(&attr_union, type_node, type_bit) { + ERR(handle, "Segregate Attributes violation, type %s associated with attributes %s and %s", + p->p_type_val_to_name[type_bit], + p->p_type_val_to_name[first_bit], + p->p_type_val_to_name[second_bit]); + errors++; + } + + ebitmap_destroy(&attr_union); + } + } + } + + return errors; +} + int check_assertions(sepol_handle_t * handle, policydb_t * p, avrule_t * avrules) { @@ -542,13 +580,6 @@ int check_assertions(sepol_handle_t * handle, policydb_t * p, avrule_t *a; unsigned long errors = 0; - if (!avrules) { - /* Since assertions are stored in avrules, if it is NULL - there won't be any to check. This also prevents an invalid - free if the avtabs are never initialized */ - return 0; - } - for (a = avrules; a != NULL; a = a->next) { if (!(a->specified & (AVRULE_NEVERALLOW | AVRULE_XPERMS_NEVERALLOW))) continue; @@ -570,5 +601,15 @@ int check_assertions(sepol_handle_t * handle, policydb_t * p, if (errors) ERR(handle, "%lu neverallow failures occurred", errors); + rc = check_segregate_attributes(handle, p); + if (rc < 0) { + ERR(handle, "Error occurred while checking Segregate Attributes"); + return -1; + } + if (rc) { + ERR(handle, "%d Segregate Attributes failures occurred", rc); + errors += rc; + } + return errors ? -1 : 0; } diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 8d19850e..6f52d1ff 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -56,7 +56,7 @@ static void expand_state_init(expand_state_t * state) memset(state, 0, sizeof(expand_state_t)); } -static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map) +static int map_ebitmap(const ebitmap_t * src, ebitmap_t * dst, const uint32_t * map) { unsigned int i; ebitmap_node_t *tnode; @@ -2341,6 +2341,45 @@ static int genfs_copy(expand_state_t * state) return 0; } +static int segregate_attributes_copy(expand_state_t *state) +{ + const segregate_attributes_rule_t *old; + segregate_attributes_rule_t *list = NULL; + + for (old = state->base->segregate_attributes; old; old = old->next) { + segregate_attributes_rule_t *new; + + new = malloc(sizeof(segregate_attributes_rule_t)); + if (!new) { + ERR(state->handle, "Out of memory!"); + return -1; + } + + segregate_attributes_rule_init(new); + + if (map_ebitmap(&old->attrs, &new->attrs, state->typemap)) { + ERR(state->handle, "out of memory"); + ebitmap_destroy(&new->attrs); + free(new); + return -1; + } + + if (list) + list->next = new; + else { + if (state->out->segregate_attributes) { + segregate_attributes_rule_t *s; + for (s = state->out->segregate_attributes; s->next; s = s->next) {} + s->next = new; + } else + state->out->segregate_attributes = new; + } + list = new; + } + + return 0; +} + static int type_attr_map(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *ptr) @@ -3173,6 +3212,10 @@ int expand_module(sepol_handle_t * handle, if (genfs_copy(&state)) goto cleanup; + /* copy segregate attributes */ + if (segregate_attributes_copy(&state)) + goto cleanup; + /* Build the type<->attribute maps and remove attributes. */ state.out->attr_type_map = calloc(state.out->p_types.nprim, sizeof(ebitmap_t)); diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index 63dffd9b..f119d572 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -1839,6 +1839,33 @@ exit: return rc; } +static int write_segregate_attributes_to_conf(FILE *out, const struct policydb *pdb) +{ + const segregate_attributes_rule_t *sattr; + + for (sattr = pdb->segregate_attributes; sattr; sattr = sattr->next) { + struct ebitmap_node *node; + unsigned int bit; + int first = 1; + + sepol_printf(out, "segregate_attributes "); + + ebitmap_for_each_positive_bit(&sattr->attrs, node, bit) { + if (first) { + first = 0; + } else { + sepol_printf(out, ", "); + } + + sepol_printf(out, "%s", pdb->p_type_val_to_name[bit - 1]); + } + + sepol_printf(out, ";\n"); + } + + return 0; +} + struct map_filename_trans_args { struct policydb *pdb; struct strs *strs; @@ -3200,7 +3227,16 @@ int sepol_kernel_policydb_to_conf(FILE *out, struct policydb *pdb) if (rc != 0) { goto exit; } - write_filename_trans_rules_to_conf(out, pdb); + + rc = write_segregate_attributes_to_conf(out, pdb); + if (rc != 0) { + goto exit; + } + + rc = write_filename_trans_rules_to_conf(out, pdb); + if (rc != 0) { + goto exit; + } if (pdb->mls) { rc = write_range_trans_rules_to_conf(out, pdb); diff --git a/libsepol/src/link.c b/libsepol/src/link.c index cbe4cea4..1650a9c0 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -1857,6 +1857,45 @@ static int scope_copy_callback(hashtab_key_t key, hashtab_datum_t datum, return -1; } +static int copy_segregate_attributes(link_state_t * state, const policy_module_t *module) +{ + const segregate_attributes_rule_t *src_sattr; + segregate_attributes_rule_t *list = NULL; + + for (src_sattr = module->policy->segregate_attributes; src_sattr; src_sattr = src_sattr->next) { + segregate_attributes_rule_t *new_sattr; + + new_sattr = malloc(sizeof(segregate_attributes_rule_t)); + if (!new_sattr) { + ERR(state->handle, "Out of memory!"); + return -1; + } + + segregate_attributes_rule_init(new_sattr); + + if (ebitmap_convert(&src_sattr->attrs, &new_sattr->attrs, module->map[SYM_TYPES])) { + ebitmap_destroy(&new_sattr->attrs); + free(new_sattr); + ERR(state->handle, "Out of memory!"); + return -1; + } + + if (list) + list->next = new_sattr; + else { + if (state->base->segregate_attributes) { + segregate_attributes_rule_t *s; + for (s = state->base->segregate_attributes; s->next; s = s->next) {} + s->next = new_sattr; + } else + state->base->segregate_attributes = new_sattr; + } + list = new_sattr; + } + + return 0; +} + /* Copy a module over to a base, remapping all values within. After * all identifiers and rules are done, copy the scoping information. * This is when it checks for duplicate declarations. */ @@ -1891,6 +1930,11 @@ static int copy_module(link_state_t * state, policy_module_t * module) } } + ret = copy_segregate_attributes(state, module); + if (ret) { + return ret; + } + return 0; } diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index fc260eb6..9dbb9f44 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -334,6 +334,13 @@ static const struct policydb_compat_info policydb_compat[] = { .ocon_num = OCON_IBENDPORT + 1, .target_platform = SEPOL_TARGET_SELINUX, }, + { + .type = POLICY_BASE, + .version = MOD_POLICYDB_VERSION_SEGREGATE_ATTRIBUTES, + .sym_num = SYM_NUM, + .ocon_num = OCON_IBENDPORT + 1, + .target_platform = SEPOL_TARGET_SELINUX, + }, { .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, @@ -460,6 +467,13 @@ static const struct policydb_compat_info policydb_compat[] = { .ocon_num = 0, .target_platform = SEPOL_TARGET_SELINUX, }, + { + .type = POLICY_MOD, + .version = MOD_POLICYDB_VERSION_SEGREGATE_ATTRIBUTES, + .sym_num = SYM_NUM, + .ocon_num = 0, + .target_platform = SEPOL_TARGET_SELINUX, + }, }; #if 0 @@ -760,6 +774,20 @@ void avrule_list_destroy(avrule_t * x) } } +void segregate_attributes_rule_init(segregate_attributes_rule_t * x) +{ + ebitmap_init(&x->attrs); + x->next = NULL; +} + + +void segregate_attributes_rule_destroy(segregate_attributes_rule_t * x) +{ + if (!x) + return; + ebitmap_destroy(&x->attrs); +} + /* * Initialize the role table by implicitly adding role 'object_r'. If * the policy is a module, set object_r's scope to be SCOPE_REQ, @@ -1492,6 +1520,7 @@ void policydb_destroy(policydb_t * p) unsigned int i; role_allow_t *ra, *lra = NULL; role_trans_t *tr, *ltr = NULL; + segregate_attributes_rule_t *sattr, *sattr_next; if (!p) return; @@ -1585,6 +1614,12 @@ void policydb_destroy(policydb_t * p) free(p->attr_type_map); } + for (sattr = p->segregate_attributes; sattr; sattr = sattr_next) { + sattr_next = sattr->next; + segregate_attributes_rule_destroy(sattr); + free(sattr); + } + return; } @@ -4174,6 +4209,41 @@ static int scope_read(policydb_t * p, int symnum, struct policy_file *fp) return -1; } +static int segregate_attributes_read(policydb_t * p, struct policy_file *fp) +{ + segregate_attributes_rule_t *list = NULL; + uint32_t buf, nel, i; + int rc; + + rc = next_entry(&buf, fp, sizeof(uint32_t)); + if (rc < 0) + return -1; + nel = le32_to_cpu(buf); + for (i = 0; i < nel; i++) { + segregate_attributes_rule_t *sattr; + + sattr = malloc(sizeof(segregate_attributes_rule_t)); + if (!sattr) + return -1; + + segregate_attributes_rule_init(sattr); + + if (ebitmap_read(&sattr->attrs, fp) < 0) { + ebitmap_destroy(&sattr->attrs); + free(sattr); + return -1; + } + + if (list) + list->next = sattr; + else + p->segregate_attributes = sattr; + list = sattr; + } + + return 0; +} + static sepol_security_class_t policydb_string_to_security_class( struct policydb *policydb, const char *class_name) @@ -4570,6 +4640,12 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) } } + if (p->policyvers >= MOD_POLICYDB_VERSION_SEGREGATE_ATTRIBUTES && + p->policy_type != POLICY_KERN) { + if (segregate_attributes_read(p, fp)) + return POLICYDB_ERROR; + } + if (validate_policydb(fp->handle, p)) goto bad; diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 99d4eb7f..6331c3ce 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -1270,6 +1270,32 @@ bad: return -1; } +static int validate_segregate_attributes(sepol_handle_t *handle, policydb_t *p, validate_t flavors[]) +{ + segregate_attributes_rule_t *sattr; + ebitmap_node_t *node; + unsigned int i; + + for (sattr = p->segregate_attributes; sattr; sattr = sattr->next) { + if (ebitmap_cardinality(&sattr->attrs) < 2) + goto bad; + + if (validate_ebitmap(&sattr->attrs, &flavors[SYM_TYPES])) + goto bad; + + ebitmap_for_each_positive_bit(&sattr->attrs, node, i) { + if (p->type_val_to_struct[i]->flavor != TYPE_ATTRIB) + goto bad; + } + } + + return 0; + +bad: + ERR(handle, "Invalid segregate attributes definition"); + return -1; +} + static int validate_properties(sepol_handle_t *handle, policydb_t *p) { switch (p->policy_type) { @@ -1376,6 +1402,9 @@ int validate_policydb(sepol_handle_t *handle, policydb_t *p) if (validate_permissives(handle, p, flavors)) goto bad; + if (validate_segregate_attributes(handle, p, flavors)) + goto bad; + validate_array_destroy(flavors); return 0; diff --git a/libsepol/src/write.c b/libsepol/src/write.c index a9fdf93a..81323df9 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c @@ -58,9 +58,9 @@ struct policy_data { static int avrule_write_list(policydb_t *p, avrule_t * avrules, struct policy_file *fp); -static int ebitmap_write(ebitmap_t * e, struct policy_file *fp) +static int ebitmap_write(const ebitmap_t * e, struct policy_file *fp) { - ebitmap_node_t *n; + const ebitmap_node_t *n; uint32_t buf[32], bit, count; uint64_t map; size_t items; @@ -2191,6 +2191,30 @@ static int role_attr_uncount(hashtab_key_t key __attribute__ ((unused)), return 0; } +static int segregate_attributes_write(const policydb_t *p, struct policy_file *fp) +{ + const segregate_attributes_rule_t *sattr; + size_t items; + uint32_t buf, count = 0; + + for (sattr = p->segregate_attributes; sattr; sattr = sattr->next) { + if (__builtin_add_overflow(count, 1, &count)) + return POLICYDB_ERROR; + } + + buf = cpu_to_le32(count); + items = put_entry(&buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return POLICYDB_ERROR; + + for (sattr = p->segregate_attributes; sattr; sattr = sattr->next) { + if (ebitmap_write(&sattr->attrs, fp)) + return POLICYDB_ERROR; + } + + return POLICYDB_SUCCESS; +} + /* * Write the configuration data in a policy database * structure to a policy database binary representation @@ -2413,5 +2437,11 @@ int policydb_write(policydb_t * p, struct policy_file *fp) } } + if (p->policyvers >= MOD_POLICYDB_VERSION_SEGREGATE_ATTRIBUTES && + p->policy_type != POLICY_KERN) { + if (segregate_attributes_write(p, fp)) + return POLICYDB_ERROR; + } + return POLICYDB_SUCCESS; } From patchwork Thu Jul 21 15:05:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12925336 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DDBA0CCA48A for ; Thu, 21 Jul 2022 15:05:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229475AbiGUPFb (ORCPT ); Thu, 21 Jul 2022 11:05:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52492 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231497AbiGUPF2 (ORCPT ); Thu, 21 Jul 2022 11:05:28 -0400 Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90BB59FFB for ; Thu, 21 Jul 2022 08:05:26 -0700 (PDT) Received: by mail-ed1-x52a.google.com with SMTP id m8so2513649edd.9 for ; Thu, 21 Jul 2022 08:05:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=YwBQH7wecA99fS23bg/tAycE9d7BB96fbZ1PFmxJwYk=; b=RMcTwk2+/dSxN7F99G9oWAJe9+03BciUrLaRBXn3UffEK7W1Kl9NPKWQytH4hx/X7I tIUqSZiZib74dIcpgRmgC2juPuSbj1zk7EoByJS7dxXs5TqBUTtyU2t/4K/+nt7PdlJt m8y8fUE+AnolRQ9k1YPlKBoMUt9WMR/B+bCPCpRO9fgUgchgOC5HZVi1BzYTlStHmHLQ fmW7qlH0fOUeVSa+9RcUcY6saHWjLpwfepYor9vd2xZ32JepY9ph6vnSCOHVV+9ox3oV x3+9TrAldmfwb8BBCISJf7SCEGfKipjNYoKT/dFsKWRmhPY7w8vBRRc1orVarxh94ini WFrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=YwBQH7wecA99fS23bg/tAycE9d7BB96fbZ1PFmxJwYk=; b=F9qLI68RUwW0LoQihF5VB8cxpcrbC7/q73xL57O/OG5IFcO706DWJGP9fvIKksNljn +KJl8dfPaBJPv2/zBeADe57Rw8HMsvDkrCHoUXP/uSH0mChSXaNZl+AaFBlNdypR8OXt nQ5jfpvJSw+z3kvkQxNw8Tu3+yrhq1P6ePi+tCsOnrJ94sRJM8z/JjTcIEKwWqYP80xb ux4FjqmLlkYHJBou1S+BWMlqhbcoQZ+VJO31UTZSlx7rLKfiq+J++c7zREyFGjMEODhW F2y+cg+7Ag5pLlO1S8qHphdMIh9NQJYQe/anVCrG/0g1CzUjiIGyDOKXJqN6Sm0Kcvz3 ehWw== X-Gm-Message-State: AJIora/mJJ1vSscNrLLci7ovlhdVtJVxVt/rPVFTiMlyVX97tdljuGyT 9fpNSwh5+La+EKtXxvxElZcxSftBaKHIJQ== X-Google-Smtp-Source: AGRyM1vaO8xVbDZi/6w0Ng4JnW1U+1IlCW8jTwBwtnimTrEZSg+OJlil6PzyAPb8diiEZnqQDoe2rg== X-Received: by 2002:a05:6402:510e:b0:43a:c671:7cd0 with SMTP id m14-20020a056402510e00b0043ac6717cd0mr57904188edd.103.1658415924802; Thu, 21 Jul 2022 08:05:24 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-000-209-027.77.0.pool.telefonica.de. [77.0.209.27]) by smtp.gmail.com with ESMTPSA id s7-20020aa7c547000000b0043a1255bc68sm1120992edr.94.2022.07.21.08.05.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Jul 2022 08:05:23 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v3 4/8] checkpolicy: add front-end support for segregate attributes Date: Thu, 21 Jul 2022 17:05:11 +0200 Message-Id: <20220721150515.19843-4-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220721150515.19843-1-cgzones@googlemail.com> References: <20220721150515.19843-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Support specifying segregate attributes. The following two blocks are equivalent: segregate_attributes attr1, attr2, attr3; segregate_attributes attr1, attr2; segregate_attributes attr1, attr3; segregate_attributes attr2, attr3; Signed-off-by: Christian Göttsche --- checkpolicy/policy_define.c | 66 +++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 1 + checkpolicy/policy_parse.y | 5 +++ checkpolicy/policy_scan.l | 2 ++ 4 files changed, 74 insertions(+) diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 8bf36859..cf6fbf08 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -1220,6 +1220,72 @@ exit: return rc; } +int define_segregate_attributes(void) +{ + char *id = NULL; + segregate_attributes_rule_t *sattr = NULL; + int rc = -1; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + sattr = malloc(sizeof(segregate_attributes_rule_t)); + if (!sattr) { + yyerror("Out of memory!"); + goto exit; + } + + ebitmap_init(&sattr->attrs); + + while ((id = queue_remove(id_queue))) { + const type_datum_t *attr; + + if (!is_id_in_scope(SYM_TYPES, id)) { + yyerror2("attribute %s is not within scope", id); + goto exit; + } + + attr = hashtab_search(policydbp->p_types.table, id); + if (!attr) { + yyerror2("attribute %s is not declared", id); + goto exit; + } + + if (attr->flavor != TYPE_ATTRIB) { + yyerror2("%s is a type, not an attribute", id); + goto exit; + } + + if (ebitmap_get_bit(&sattr->attrs, attr->s.value - 1)) { + yyerror2("attribute %s used multiple times", id); + goto exit; + } + + if (ebitmap_set_bit(&sattr->attrs, attr->s.value - 1, TRUE)) { + yyerror("Out of memory!"); + goto exit; + } + + free(id); + } + + sattr->next = policydbp->segregate_attributes; + policydbp->segregate_attributes = sattr; + + sattr = NULL; + rc = 0; +exit: + if (sattr) { + ebitmap_destroy(&sattr->attrs); + free(sattr); + } + free(id); + return rc; +} + static int add_aliases_to_type(type_datum_t * type) { char *id; diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h index 50a7ba78..f55d0b17 100644 --- a/checkpolicy/policy_define.h +++ b/checkpolicy/policy_define.h @@ -68,6 +68,7 @@ int define_type(int alias); int define_user(void); int define_validatetrans(constraint_expr_t *expr); int expand_attrib(void); +int define_segregate_attributes(void); int insert_id(const char *id,int push); int insert_separator(int push); role_datum_t *define_role_dom(role_datum_t *r); diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y index 45f973ff..acd6096d 100644 --- a/checkpolicy/policy_parse.y +++ b/checkpolicy/policy_parse.y @@ -104,6 +104,7 @@ typedef int (* require_func_t)(int pass); %token ALIAS %token ATTRIBUTE %token EXPANDATTRIBUTE +%token SEGREGATEATTRIBUTES %token BOOL %token TUNABLE %token IF @@ -320,6 +321,7 @@ rbac_decl : attribute_role_def ; te_decl : attribute_def | expandattribute_def + | segregateattributes_def | type_def | typealias_def | typeattribute_def @@ -337,6 +339,9 @@ attribute_def : ATTRIBUTE identifier ';' expandattribute_def : EXPANDATTRIBUTE names bool_val ';' { if (expand_attrib()) return -1;} ; +segregateattributes_def : SEGREGATEATTRIBUTES identifier ',' id_comma_list ';' + { if (define_segregate_attributes()) return -1;} + ; type_def : TYPE identifier alias_def opt_attr_list ';' {if (define_type(1)) return -1;} | TYPE identifier opt_attr_list ';' diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l index 9fefea7b..d865dcb6 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l @@ -123,6 +123,8 @@ ATTRIBUTE | attribute { return(ATTRIBUTE); } EXPANDATTRIBUTE | expandattribute { return(EXPANDATTRIBUTE); } +SEGREGATE_ATTRIBUTES | +segregate_attributes { return(SEGREGATEATTRIBUTES); } TYPE_TRANSITION | type_transition { return(TYPE_TRANSITION); } TYPE_MEMBER | From patchwork Thu Jul 21 15:05:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12925340 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B4B0ECCA48B for ; Thu, 21 Jul 2022 15:05:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231470AbiGUPFc (ORCPT ); Thu, 21 Jul 2022 11:05:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52460 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231514AbiGUPF2 (ORCPT ); Thu, 21 Jul 2022 11:05:28 -0400 Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31E73103C for ; Thu, 21 Jul 2022 08:05:27 -0700 (PDT) Received: by mail-ej1-x62f.google.com with SMTP id tk8so3657729ejc.7 for ; Thu, 21 Jul 2022 08:05:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=HPb0WywPmHCsodz3CE1XuwT7afX8HUvoV56PY6zvrcI=; b=m1Rn83iwGLHtWcGM1JAJYUHGqCcaNNvd3Q820LBSEVsZ6bCvX804p1rEwRALfW+tG7 IJ3OH3OZn7+sqw4Rlgp1Uf9efR6DV+hcZ/OrV4/nLiueKR7b/XETbqBZqUsty0MVHpir Q3tCRY3NQWQiX3Y8eBhWU4Tlu0nfKpMCb3byw/9FogtdoGE1B8nmPESm2u/DWjakVizP hdPGSDsOR/hGI83zClFbIsLHuSAtsijw32Z3Z7siQ7hIiujgoYxR5KcgRZtAvtg2CjSQ duK2f7Z9H1iR1/ck3OgyG/n7NpHhM6yJ4iR6Crd5EdhkQPj8YTxL+d9WNfutMR37tF3y mB7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=HPb0WywPmHCsodz3CE1XuwT7afX8HUvoV56PY6zvrcI=; b=TSTiyy0XfGxFP+PihGh4/t9PYvXQ8tianCy8Nu2kXoAjh9y4LIxXhb++qDAbVSvqoj RqUDHUMD7DKZnYi4K94g7noYi8rQ/ujoAPOYYkt21pjWR8hvFaDq3iM+Z//vNW8j3wAC HULumdNIwR+w20wyFSbP7Ja1xJF/aE6HcTx2HoUZy43TVn/m3/icWZcO7lvYMoTe6Y+B iky3jW4gvRqbF5CMX4euoTm+0WRDhKmUAQt+1HULNJPqcZ1vvCpg/bMQyJLpuOm+fC96 IBnaUN6nUw/Fd28fipVQebVY1yRbM982hInkl8v1YxGrWHkCISoLQg6mwuauG1Cauiwl x+4Q== X-Gm-Message-State: AJIora/rNF6oRjRCt6oMyL4kuSwNLpa+lMiUIiTzYj6WZX9Mg2KtqxRH KogXfri3ow6LjLj8ZnVvl2orlnfCELTRtg== X-Google-Smtp-Source: AGRyM1tH7nIcO4wbTlABBwAVepw8iJg5/ziMHkF2U5xEXvg5jqebKCpI1VP2VeTnZDIPazlwt0i9bg== X-Received: by 2002:a17:907:2d12:b0:72b:67fb:89a5 with SMTP id gs18-20020a1709072d1200b0072b67fb89a5mr39709219ejc.507.1658415925479; Thu, 21 Jul 2022 08:05:25 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-000-209-027.77.0.pool.telefonica.de. [77.0.209.27]) by smtp.gmail.com with ESMTPSA id s7-20020aa7c547000000b0043a1255bc68sm1120992edr.94.2022.07.21.08.05.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Jul 2022 08:05:25 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v3 5/8] libsepol/tests: add test for segregate attributes Date: Thu, 21 Jul 2022 17:05:12 +0200 Message-Id: <20220721150515.19843-5-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220721150515.19843-1-cgzones@googlemail.com> References: <20220721150515.19843-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Christian Göttsche --- libsepol/tests/libsepol-tests.c | 2 + .../tests/policies/test-sattrs/single.conf | 87 ++++++++ .../policies/test-sattrs/split_base.conf | 53 +++++ .../policies/test-sattrs/split_module1.conf | 9 + .../policies/test-sattrs/split_module2.conf | 9 + .../policies/test-sattrs/split_module3.conf | 9 + libsepol/tests/test-segregateattributes.c | 197 ++++++++++++++++++ libsepol/tests/test-segregateattributes.h | 10 + 8 files changed, 376 insertions(+) create mode 100644 libsepol/tests/policies/test-sattrs/single.conf create mode 100644 libsepol/tests/policies/test-sattrs/split_base.conf create mode 100644 libsepol/tests/policies/test-sattrs/split_module1.conf create mode 100644 libsepol/tests/policies/test-sattrs/split_module2.conf create mode 100644 libsepol/tests/policies/test-sattrs/split_module3.conf create mode 100644 libsepol/tests/test-segregateattributes.c create mode 100644 libsepol/tests/test-segregateattributes.h diff --git a/libsepol/tests/libsepol-tests.c b/libsepol/tests/libsepol-tests.c index dc8fd5ce..989c7cd3 100644 --- a/libsepol/tests/libsepol-tests.c +++ b/libsepol/tests/libsepol-tests.c @@ -23,6 +23,7 @@ #include "test-expander.h" #include "test-deps.h" #include "test-downgrade.h" +#include "test-segregateattributes.h" #include #include @@ -69,6 +70,7 @@ static bool do_tests(int interactive, int verbose) DECLARE_SUITE(expander); DECLARE_SUITE(deps); DECLARE_SUITE(downgrade); + DECLARE_SUITE(sattrs); if (verbose) CU_basic_set_mode(CU_BRM_VERBOSE); diff --git a/libsepol/tests/policies/test-sattrs/single.conf b/libsepol/tests/policies/test-sattrs/single.conf new file mode 100644 index 00000000..1666f842 --- /dev/null +++ b/libsepol/tests/policies/test-sattrs/single.conf @@ -0,0 +1,87 @@ +class process +class blk_file +class chr_file +class dir +class fifo_file +class file +class lnk_file +class sock_file + +sid kernel +sid security +sid unlabeled +sid file +sid port +sid netif +sid netmsg +sid node +sid devnull + +class process { dyntransition transition } +class file { write } + +ifdef(`enable_mls',` +sensitivity s0; +dominance { s0 } +category c0; category c1; category c2; category c3; +category c4; category c5; category c6; category c7; +category c8; category c9; category c10; category c11; +category c12; category c13; category c14; category c15; +category c16; category c17; category c18; category c19; +category c20; category c21; category c22; category c23; + +level s0:c0.c23; + +mlsconstrain file { write } ( h1 dom h2 ); +') + +# +# Test start +# + +attribute test1_attr1; +attribute test1_attr2; +type test1_type; +typeattribute test1_type test1_attr1; +typeattribute test1_type test1_attr2; +segregate_attributes test1_attr1, test1_attr2; + + +attribute test2_attr1; +attribute test2_attr2; +attribute test2_attr3; +type test2_type1; +type test2_type2; +type test2_type3; +type test2_type4; +typeattribute test2_type1 test2_attr1; +typeattribute test2_type1 test2_attr2; +typeattribute test2_type2 test2_attr1; +typeattribute test2_type2 test2_attr3; +typeattribute test2_type3 test2_attr2; +typeattribute test2_type3 test2_attr3; +typeattribute test2_type4 test2_attr1; +typeattribute test2_type4 test2_attr2; +typeattribute test2_type4 test2_attr3; +segregate_attributes test2_attr1, test2_attr2, test2_attr3; + +# +# Test End +# + +type sys_isid; +allow sys_isid self : process { dyntransition transition }; +role sys_role; +role sys_role types sys_isid; +gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23) +sid kernel gen_context(sys_user:sys_role:sys_isid, s0) +sid security gen_context(sys_user:sys_role:sys_isid, s0) +sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0) +sid file gen_context(sys_user:sys_role:sys_isid, s0) +sid port gen_context(sys_user:sys_role:sys_isid, s0) +sid netif gen_context(sys_user:sys_role:sys_isid, s0) +sid netmsg gen_context(sys_user:sys_role:sys_isid, s0) +sid node gen_context(sys_user:sys_role:sys_isid, s0) +sid devnull gen_context(sys_user:sys_role:sys_isid, s0) +fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0); +fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0); diff --git a/libsepol/tests/policies/test-sattrs/split_base.conf b/libsepol/tests/policies/test-sattrs/split_base.conf new file mode 100644 index 00000000..6fba8cdd --- /dev/null +++ b/libsepol/tests/policies/test-sattrs/split_base.conf @@ -0,0 +1,53 @@ +class process +class blk_file +class chr_file +class dir +class fifo_file +class file +class lnk_file +class sock_file + +sid kernel +sid security +sid unlabeled +sid file +sid port +sid netif +sid netmsg +sid node +sid devnull + +class process { dyntransition transition } +class file { write } + +ifdef(`enable_mls',` +sensitivity s0; +dominance { s0 } +category c0; category c1; category c2; category c3; +category c4; category c5; category c6; category c7; +category c8; category c9; category c10; category c11; +category c12; category c13; category c14; category c15; +category c16; category c17; category c18; category c19; +category c20; category c21; category c22; category c23; + +level s0:c0.c23; + +mlsconstrain file { write } ( h1 dom h2 ); +') + +type sys_isid; +allow sys_isid self : process { dyntransition transition }; +role sys_role; +role sys_role types sys_isid; +gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23) +sid kernel gen_context(sys_user:sys_role:sys_isid, s0) +sid security gen_context(sys_user:sys_role:sys_isid, s0) +sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0) +sid file gen_context(sys_user:sys_role:sys_isid, s0) +sid port gen_context(sys_user:sys_role:sys_isid, s0) +sid netif gen_context(sys_user:sys_role:sys_isid, s0) +sid netmsg gen_context(sys_user:sys_role:sys_isid, s0) +sid node gen_context(sys_user:sys_role:sys_isid, s0) +sid devnull gen_context(sys_user:sys_role:sys_isid, s0) +fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0); +fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0); diff --git a/libsepol/tests/policies/test-sattrs/split_module1.conf b/libsepol/tests/policies/test-sattrs/split_module1.conf new file mode 100644 index 00000000..52b5f248 --- /dev/null +++ b/libsepol/tests/policies/test-sattrs/split_module1.conf @@ -0,0 +1,9 @@ +module sattrs_test_1 1.0; + +require { + type test_type_t; +} + +attribute attr1; + +typeattribute test_type_t attr1; diff --git a/libsepol/tests/policies/test-sattrs/split_module2.conf b/libsepol/tests/policies/test-sattrs/split_module2.conf new file mode 100644 index 00000000..6b6128f7 --- /dev/null +++ b/libsepol/tests/policies/test-sattrs/split_module2.conf @@ -0,0 +1,9 @@ +module sattrs_test_2 1.0; + +require { + type test_type_t; +} + +attribute attr2; + +typeattribute test_type_t attr2; diff --git a/libsepol/tests/policies/test-sattrs/split_module3.conf b/libsepol/tests/policies/test-sattrs/split_module3.conf new file mode 100644 index 00000000..050b9228 --- /dev/null +++ b/libsepol/tests/policies/test-sattrs/split_module3.conf @@ -0,0 +1,9 @@ +module sattrs_test_3 1.0; + +require { + attribute attr1, attr2; +} + +type test_type_t; + +segregate_attributes attr1, attr2; diff --git a/libsepol/tests/test-segregateattributes.c b/libsepol/tests/test-segregateattributes.c new file mode 100644 index 00000000..4a21fb06 --- /dev/null +++ b/libsepol/tests/test-segregateattributes.c @@ -0,0 +1,197 @@ +#define _GNU_SOURCE + +#include "test-segregateattributes.h" + +#include "helpers.h" +#include "test-common.h" + +#include +#include +#include + +#include +#include + +extern int mls; + +int sattrs_test_init(void) +{ + return 0; +} + +int sattrs_test_cleanup(void) +{ + return 0; +} + +static struct msg_list { + char *msg; + struct msg_list *next; +} *messages; + +static void messages_clean(void) +{ + while (messages) { + struct msg_list *n = messages->next; + free(messages->msg); + free(messages); + messages = n; + } +} + +static void messages_check(unsigned count, const char *const expected[count]) +{ + unsigned i; + const struct msg_list *m = messages; + + for (i = 0; i < count; i++, m = m->next) { + if (!m) { + CU_FAIL("less messages than expected"); + return; + } + + if (strcmp(expected[i], m->msg) != 0) { + CU_FAIL("messages differs from expected"); + fprintf(stderr, "\n\n", expected[i], m->msg); + } + } + + if (m) { + CU_FAIL("more messages than expected"); + fprintf(stderr, "\n\n", m->msg); + } +} + +#ifdef __GNUC__ +__attribute__ ((format(printf, 3, 4))) +#endif +static void msg_handler(void *varg __attribute__ ((unused)), + sepol_handle_t * handle, + const char *fmt, ...) +{ + char *msg; + va_list ap; + + va_start(ap, fmt); + vasprintf(&msg, fmt, ap); + va_end(ap); + + struct msg_list *new = malloc(sizeof(struct msg_list)); + new->msg = msg; + new->next = messages; + messages = new; +} + +#define ARRAY_SIZE(a) (sizeof(a) / sizeof(*a)) + +static void test_sattrs_single(void) +{ + policydb_t basemod, base_expanded; + sepol_handle_t *handle; + const char *const expected_messages[] = { + "7 Segregate Attributes failures occurred", + "Segregate Attributes violation, type test1_type associated with attributes test1_attr1 and test1_attr2", + "Segregate Attributes violation, type test2_type3 associated with attributes test2_attr2 and test2_attr3", + "Segregate Attributes violation, type test2_type4 associated with attributes test2_attr2 and test2_attr3", + "Segregate Attributes violation, type test2_type2 associated with attributes test2_attr1 and test2_attr3", + "Segregate Attributes violation, type test2_type4 associated with attributes test2_attr1 and test2_attr3", + "Segregate Attributes violation, type test2_type1 associated with attributes test2_attr1 and test2_attr2", + "Segregate Attributes violation, type test2_type4 associated with attributes test2_attr1 and test2_attr2", + }; + + if (policydb_init(&base_expanded)) + CU_FAIL_FATAL("Failed to initialize policy"); + + if (test_load_policy(&basemod, POLICY_BASE, mls, "test-sattrs", "single.conf")) + CU_FAIL_FATAL("Failed to load policy"); + + if (link_modules(NULL, &basemod, NULL, 0, 0)) + CU_FAIL_FATAL("Failed to link base module"); + + if (expand_module(NULL, &basemod, &base_expanded, 0, 0)) + CU_FAIL_FATAL("Failed to expand policy"); + + if ((handle = sepol_handle_create()) == NULL) + CU_FAIL_FATAL("Failed to initialize handle"); + + sepol_msg_set_callback(handle, msg_handler, NULL); + + if (check_assertions(handle, &base_expanded, NULL) != -1) + CU_FAIL("Assertions did not trigger"); + + messages_check(ARRAY_SIZE(expected_messages), expected_messages); + + sepol_handle_destroy(handle); + messages_clean(); + policydb_destroy(&basemod); + policydb_destroy(&base_expanded); +} + +#define NUM_MODS 3 + +static void test_sattrs_split(void) +{ + policydb_t basemod, base_expanded; + policydb_t *modules[NUM_MODS]; + const char *policies[NUM_MODS] = { "split_module1.conf", "split_module2.conf", "split_module3.conf" }; + sepol_handle_t *handle; + const char *const expected_messages[] = { + "1 Segregate Attributes failures occurred", + "Segregate Attributes violation, type test_type_t associated with attributes attr1 and attr2", + }; + unsigned i; + + if (policydb_init(&base_expanded)) + CU_FAIL_FATAL("Failed to initialize policy"); + + if (test_load_policy(&basemod, POLICY_BASE, mls, "test-sattrs", "split_base.conf")) + CU_FAIL_FATAL("Failed to load policy"); + + for (i = 0; i < NUM_MODS; i++) { + modules[i] = calloc(1, sizeof(*modules[i])); + if (!modules[i]) + CU_FAIL_FATAL("Failed to allocate module"); + + if (test_load_policy(modules[i], POLICY_MOD, mls, "test-sattrs", policies[i])) + CU_FAIL_FATAL("Failed to load module"); + } + + if (link_modules(NULL, &basemod, modules, 3, 0)) + CU_FAIL_FATAL("Failed to link base module"); + + if (expand_module(NULL, &basemod, &base_expanded, 0, 0)) + CU_FAIL_FATAL("Failed to expand policy"); + + if ((handle = sepol_handle_create()) == NULL) + CU_FAIL_FATAL("Failed to initialize handle"); + + sepol_msg_set_callback(handle, msg_handler, NULL); + + if (check_assertions(handle, &base_expanded, NULL) != -1) + CU_FAIL("Assertions did not trigger"); + + messages_check(ARRAY_SIZE(expected_messages), expected_messages); + + sepol_handle_destroy(handle); + messages_clean(); + for (i = 0; i < NUM_MODS; i++) { + policydb_destroy(modules[i]); + free(modules[i]); + } + policydb_destroy(&basemod); + policydb_destroy(&base_expanded); +} + +int sattrs_add_tests(CU_pSuite suite) +{ + if (NULL == CU_add_test(suite, "sattrs_single", test_sattrs_single)) { + CU_cleanup_registry(); + return CU_get_error(); + } + if (NULL == CU_add_test(suite, "sattrs_split", test_sattrs_split)) { + CU_cleanup_registry(); + return CU_get_error(); + } + + return 0; +} diff --git a/libsepol/tests/test-segregateattributes.h b/libsepol/tests/test-segregateattributes.h new file mode 100644 index 00000000..a63c59f4 --- /dev/null +++ b/libsepol/tests/test-segregateattributes.h @@ -0,0 +1,10 @@ +#ifndef TEST_SEGREGATEATTRIBUTES_H__ +#define TEST_SEGREGATEATTRIBUTES_H__ + +#include + +int sattrs_test_init(void); +int sattrs_test_cleanup(void); +int sattrs_add_tests(CU_pSuite suite); + +#endif /* TEST_SEGREGATEATTRIBUTES_H__ */ From patchwork Thu Jul 21 15:05:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12925342 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 07B92CCA48D for ; Thu, 21 Jul 2022 15:05:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231497AbiGUPFc (ORCPT ); Thu, 21 Jul 2022 11:05:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52570 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231503AbiGUPFa (ORCPT ); Thu, 21 Jul 2022 11:05:30 -0400 Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CE0A713CF6 for ; Thu, 21 Jul 2022 08:05:27 -0700 (PDT) Received: by mail-ej1-x62f.google.com with SMTP id va17so3725395ejb.0 for ; Thu, 21 Jul 2022 08:05:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=yUyNwXeOZPUcZE3O3R/KJFa91mJuvG5xcxHODidsA7Y=; b=C94A7wOWO9b/h+gOkZ4DhltStYkgGNdfXPOHvsAPQyhwFbuQeK9J4flDcgN2ZOL7Yo qhqWyENsp3Ob4VSCnwtrwqSAcc9HVbZNqDCOsHFzK97oW2ok2hoYlUl7aQmCbQ6uj4zg OVbltil64MgPz7BYV4wHt+CcuneLlYUTHsVNbn5tD3QUlYyZfic1jni7+9zIO8Dh2dwg xfhi7kdzjs+7MCkUj7+OzDiZ3bw78sxNgqlA3hH3ZU2VakHtqN38dvo9XjbJD2hFW3+O I/97CdZJxlGwFxW1S0UfYqdpbtUJBMbv8O3+KvUQF0JHxFFRODN+lRHlHzTq3Z+NMl20 6Jiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=yUyNwXeOZPUcZE3O3R/KJFa91mJuvG5xcxHODidsA7Y=; b=N1X7rWqtc3gW9wdMZVJbXK4oX7OfWuP3XY7GGlILjfbWKLmUJ15C9udmQx5lsap9R1 Yzp7u6th3+BT63N15Ne/NivJC3c74D0zppK/vGFXXI3K6c9t9qdssMqfovNP9blvRyVt p9ORKV7qg1KDO6pY/YAFeVNnXDyPui0I9FVfBNaN0dLraF1b3tm7Q8OoOgmxvRYc11Vg fpnQ8u9d0cWQEaLRjJT49Bsv39F+9s/5xe7vZ8sLNG7+upK6y52/YOY/yEf/V/goJlnT vPR4zaAzSHodtLTl896i8HYtKugv7SAbqgCLUYhh1I0FEH1Gi10rNho0pIzKSTUZJYXP vUBQ== X-Gm-Message-State: AJIora+Zd6t4OFhJnadXNlXIntKc1rBNDM7kuvBvdVrz9H5CCUXeXEFD WWQ1yH1UN/7q6yIKswj8mCezDr+Ei2pCIg== X-Google-Smtp-Source: AGRyM1u00JzAxnbbDGLNwet/F7hr/dTXRWns+Vv3bRJQcVsYoduaA3AigUL28J6gKjjlIze+6BHe8g== X-Received: by 2002:a17:906:9c84:b0:6e0:7c75:6f01 with SMTP id fj4-20020a1709069c8400b006e07c756f01mr41603719ejc.103.1658415926219; Thu, 21 Jul 2022 08:05:26 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-000-209-027.77.0.pool.telefonica.de. [77.0.209.27]) by smtp.gmail.com with ESMTPSA id s7-20020aa7c547000000b0043a1255bc68sm1120992edr.94.2022.07.21.08.05.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Jul 2022 08:05:25 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v3 6/8] libsepol/cil: add support for segregate attributes Date: Thu, 21 Jul 2022 17:05:13 +0200 Message-Id: <20220721150515.19843-6-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220721150515.19843-1-cgzones@googlemail.com> References: <20220721150515.19843-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Support the compile time constraint with the following syntax: (segregateattributes (attr1 attr2 [...])) and reports like: ... Qualifying Names Compile post process Building policy binary Checking Neverallows Checking Segregate Attributes Segregate Attributes violation, type test_type associated with attributes attr1 attr2 Checking User Bounds Checking Role Bounds Checking Type Bounds Failed to generate binary Failed to build policydb Signed-off-by: Christian Göttsche --- libsepol/cil/src/cil.c | 17 +++++++ libsepol/cil/src/cil_binary.c | 75 ++++++++++++++++++++++++++++++ libsepol/cil/src/cil_build_ast.c | 58 +++++++++++++++++++++++ libsepol/cil/src/cil_build_ast.h | 2 + libsepol/cil/src/cil_copy_ast.c | 18 +++++++ libsepol/cil/src/cil_flavor.h | 1 + libsepol/cil/src/cil_internal.h | 8 ++++ libsepol/cil/src/cil_policy.c | 26 +++++++++++ libsepol/cil/src/cil_reset_ast.c | 8 ++++ libsepol/cil/src/cil_resolve_ast.c | 38 +++++++++++++++ libsepol/cil/src/cil_resolve_ast.h | 1 + libsepol/cil/src/cil_write_ast.c | 11 +++++ libsepol/src/kernel_to_cil.c | 32 +++++++++++++ secilc/docs/README.md | 1 + secilc/docs/cil_type_statements.md | 50 ++++++++++++++++++++ 15 files changed, 346 insertions(+) diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index 38edcf8e..cc6adb90 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -225,6 +225,7 @@ char *CIL_KEY_SRC_CIL; char *CIL_KEY_SRC_HLL_LMS; char *CIL_KEY_SRC_HLL_LMX; char *CIL_KEY_SRC_HLL_LME; +char *CIL_KEY_SEGREGATEATTRIBUTES; static void cil_init_keys(void) { @@ -394,6 +395,7 @@ static void cil_init_keys(void) CIL_KEY_SRC_HLL_LMS = cil_strpool_add("lms"); CIL_KEY_SRC_HLL_LMX = cil_strpool_add("lmx"); CIL_KEY_SRC_HLL_LME = cil_strpool_add("lme"); + CIL_KEY_SEGREGATEATTRIBUTES = cil_strpool_add("segregateattributes"); } void cil_db_init(struct cil_db **db) @@ -426,6 +428,7 @@ void cil_db_init(struct cil_db **db) cil_list_init(&(*db)->userprefixes, CIL_LIST_ITEM); cil_list_init(&(*db)->selinuxusers, CIL_LIST_ITEM); cil_list_init(&(*db)->names, CIL_LIST_ITEM); + cil_list_init(&(*db)->segregateattributes, CIL_LIST_ITEM); cil_type_init(&(*db)->selftype); (*db)->selftype->datum.name = CIL_KEY_SELF; @@ -481,6 +484,7 @@ void cil_db_destroy(struct cil_db **db) cil_list_destroy(&(*db)->userprefixes, CIL_FALSE); cil_list_destroy(&(*db)->selinuxusers, CIL_FALSE); cil_list_destroy(&(*db)->names, CIL_TRUE); + cil_list_destroy(&(*db)->segregateattributes, CIL_FALSE); cil_destroy_type((*db)->selftype); @@ -1005,6 +1009,9 @@ void cil_destroy_data(void **data, enum cil_flavor flavor) case CIL_SRC_INFO: cil_destroy_src_info(*data); break; + case CIL_SEGREGATEATTRIBUTES: + cil_destroy_segregateattributes(*data); + break; case CIL_OP: case CIL_CONS_OPERAND: break; @@ -1413,6 +1420,8 @@ const char * cil_node_to_string(struct cil_tree_node *node) return CIL_KEY_CONS_H1; case CIL_CONS_H2: return CIL_KEY_CONS_H2; + case CIL_SEGREGATEATTRIBUTES: + return CIL_KEY_SEGREGATEATTRIBUTES; default: break; @@ -2904,3 +2913,11 @@ void cil_src_info_init(struct cil_src_info **info) (*info)->hll_line = 0; (*info)->path = NULL; } + +void cil_segregateattributes_init(struct cil_segregateattributes **sattrs) +{ + *sattrs = cil_malloc(sizeof(**sattrs)); + + (*sattrs)->str_expr = NULL; + (*sattrs)->datum_expr = NULL; +} diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 40615db2..0301d739 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -3818,6 +3818,38 @@ exit: return SEPOL_ERR; } +static int cil_segregateattributes_to_policydb(policydb_t *pdb, const struct cil_segregateattributes *sattrs) +{ + segregate_attributes_rule_t *sattr; + struct cil_list_item *curr; + type_datum_t *sepol_type; + int rc = SEPOL_ERR; + + sattr = cil_malloc(sizeof(segregate_attributes_rule_t)); + ebitmap_init(&sattr->attrs); + + cil_list_for_each(curr, sattrs->datum_expr) { + rc = __cil_get_sepol_type_datum(pdb, DATUM(curr->data), &sepol_type); + if (rc != SEPOL_OK) goto exit; + + if (ebitmap_set_bit(&sattr->attrs, sepol_type->s.value - 1, 1)) { + goto exit; + } + } + + sattr->next = pdb->segregate_attributes; + pdb->segregate_attributes = sattr; + + return SEPOL_OK; + +exit: + if (sattr) { + ebitmap_destroy(&sattr->attrs); + free(sattr); + } + return rc; +} + static int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args) { int rc = SEPOL_OK; @@ -3960,6 +3992,9 @@ static int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args) case CIL_DEFAULTRANGE: rc = cil_defaultrange_to_policydb(pdb, node->data); break; + case CIL_SEGREGATEATTRIBUTES: + rc = cil_segregateattributes_to_policydb(pdb, node->data); + break; default: break; } @@ -4890,6 +4925,42 @@ exit: return rc; } +static int cil_check_segregateattributes(const policydb_t *pdb, int *violation) +{ + const segregate_attributes_rule_t *sattr; + + for (sattr = pdb->segregate_attributes; sattr; sattr = sattr->next) { + ebitmap_node_t *first_node; + unsigned int first_bit; + + ebitmap_for_each_positive_bit(&sattr->attrs, first_node, first_bit) { + ebitmap_node_t *second_node; + unsigned int second_bit; + + ebitmap_for_each_positive_bit_after(&sattr->attrs, second_node, second_bit, first_node, first_bit) { + ebitmap_t attr_union; + ebitmap_node_t *type_node; + unsigned int type_bit; + + if (ebitmap_and(&attr_union, &pdb->attr_type_map[first_bit], &pdb->attr_type_map[second_bit])) + return SEPOL_ERR; + + ebitmap_for_each_positive_bit(&attr_union, type_node, type_bit) { + cil_log(CIL_ERR, "Segregate Attributes violation, type %s associated with attributes %s and %s\n", + pdb->p_type_val_to_name[type_bit], + pdb->p_type_val_to_name[first_bit], + pdb->p_type_val_to_name[second_bit]); + *violation = CIL_TRUE; + } + + ebitmap_destroy(&attr_union); + } + } + } + + return SEPOL_OK; +} + static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[]) { struct cil_classperms *cp; @@ -5160,6 +5231,10 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p rc = cil_check_neverallows(db, pdb, neverallows, &violation); if (rc != SEPOL_OK) goto exit; + cil_log(CIL_INFO, "Checking Segregate Attributes\n"); + rc = cil_check_segregateattributes(pdb, &violation); + if (rc != SEPOL_OK) goto exit; + cil_log(CIL_INFO, "Checking User Bounds\n"); rc = bounds_check_users(NULL, pdb); if (rc) { diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 4177c9f6..611aade8 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -6164,6 +6164,62 @@ void cil_destroy_src_info(struct cil_src_info *info) free(info); } +int cil_gen_segregateattributes(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node) +{ + enum cil_syntax syntax[] = { + CIL_SYN_STRING, + CIL_SYN_LIST, + CIL_SYN_END + }; + size_t syntax_len = sizeof(syntax)/sizeof(*syntax); + struct cil_segregateattributes *sattrs = NULL; + int rc = SEPOL_ERR; + + if (db == NULL || parse_current == NULL || ast_node == NULL) { + goto exit; + } + + rc = __cil_verify_syntax(parse_current, syntax, syntax_len); + if (rc != SEPOL_OK) { + goto exit; + } + + cil_segregateattributes_init(&sattrs); + + rc = cil_gen_expr(parse_current->next, CIL_TYPEATTRIBUTE, &sattrs->str_expr); + if (rc != SEPOL_OK) { + goto exit; + } + + /* require at least two attributes */ + if (sattrs->str_expr->head == sattrs->str_expr->tail) { + rc = SEPOL_ERR; + goto exit; + } + + ast_node->data = sattrs; + ast_node->flavor = CIL_SEGREGATEATTRIBUTES; + + return SEPOL_OK; + +exit: + cil_tree_log(parse_current, CIL_ERR, "Bad segregate attributes declaration"); + cil_destroy_segregateattributes(sattrs); + return rc; +} + +void cil_destroy_segregateattributes(struct cil_segregateattributes *sattrs) +{ + if (sattrs == NULL) { + return; + } + + cil_list_destroy(&sattrs->str_expr, CIL_TRUE); + cil_list_destroy(&sattrs->datum_expr, CIL_FALSE); + + free(sattrs); +} + static int check_for_illegal_statement(struct cil_tree_node *parse_current, struct cil_args_build *args) { if (args->tunif != NULL) { @@ -6455,6 +6511,8 @@ static struct cil_tree_node * parse_statement(struct cil_db *db, struct cil_tree rc = cil_gen_mls(parse_current, new_ast_node); } else if (parse_current->data == CIL_KEY_SRC_INFO) { rc = cil_gen_src_info(parse_current, new_ast_node); + } else if (parse_current->data == CIL_KEY_SEGREGATEATTRIBUTES) { + rc = cil_gen_segregateattributes(db, parse_current, new_ast_node); } else { cil_log(CIL_ERR, "Error: Unknown keyword %s\n", (char *)parse_current->data); rc = SEPOL_ERR; diff --git a/libsepol/cil/src/cil_build_ast.h b/libsepol/cil/src/cil_build_ast.h index fd9053ce..d815a22f 100644 --- a/libsepol/cil/src/cil_build_ast.h +++ b/libsepol/cil/src/cil_build_ast.h @@ -225,6 +225,8 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no void cil_destroy_defaultrange(struct cil_defaultrange *def); int cil_gen_src_info(struct cil_tree_node *parse_current, struct cil_tree_node *ast_node); void cil_destroy_src_info(struct cil_src_info *info); +int cil_gen_segregateattributes(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node); +void cil_destroy_segregateattributes(struct cil_segregateattributes *sattrs); int cil_fill_cats(struct cil_tree_node *curr, struct cil_cats **cats); void cil_destroy_cats(struct cil_cats *cats); diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c index 17f05021..e0f3ba4f 100644 --- a/libsepol/cil/src/cil_copy_ast.c +++ b/libsepol/cil/src/cil_copy_ast.c @@ -1697,6 +1697,21 @@ static int cil_copy_src_info(__attribute__((unused)) struct cil_db *db, void *da return SEPOL_OK; } +static int cil_copy_segregateattributes(__attribute__((unused)) struct cil_db *db, void *data, void **copy, __attribute__((unused)) symtab_t *symtab) +{ + struct cil_segregateattributes *orig = data; + struct cil_segregateattributes *new = NULL; + + cil_segregateattributes_init(&new); + + cil_copy_expr(db, orig->str_expr, &new->str_expr); + cil_copy_expr(db, orig->datum_expr, &new->datum_expr); + + *copy = new; + + return SEPOL_OK; +} + static int __cil_copy_node_helper(struct cil_tree_node *orig, uint32_t *finished, void *extra_args) { int rc = SEPOL_ERR; @@ -1990,6 +2005,9 @@ static int __cil_copy_node_helper(struct cil_tree_node *orig, uint32_t *finished case CIL_SRC_INFO: copy_func = &cil_copy_src_info; break; + case CIL_SEGREGATEATTRIBUTES: + copy_func = &cil_copy_segregateattributes; + break; default: goto exit; } diff --git a/libsepol/cil/src/cil_flavor.h b/libsepol/cil/src/cil_flavor.h index c2f0cee7..ffbd5877 100644 --- a/libsepol/cil/src/cil_flavor.h +++ b/libsepol/cil/src/cil_flavor.h @@ -115,6 +115,7 @@ enum cil_flavor { CIL_SRC_INFO, CIL_IBPKEYCON, CIL_IBENDPORTCON, + CIL_SEGREGATEATTRIBUTES, /* * boolean constraint set catset diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index a7604762..e22c2f87 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h @@ -242,6 +242,7 @@ extern char *CIL_KEY_SRC_CIL; extern char *CIL_KEY_SRC_HLL_LMS; extern char *CIL_KEY_SRC_HLL_LMX; extern char *CIL_KEY_SRC_HLL_LME; +extern char *CIL_KEY_SEGREGATEATTRIBUTES; /* Symbol Table Array Indices @@ -309,6 +310,7 @@ struct cil_db { struct cil_list *userprefixes; struct cil_list *selinuxusers; struct cil_list *names; + struct cil_list *segregateattributes; int num_types_and_attrs; int num_classes; int num_cats; @@ -975,6 +977,11 @@ struct cil_src_info { char *path; }; +struct cil_segregateattributes { + struct cil_list *str_expr; + struct cil_list *datum_expr; +}; + void cil_db_init(struct cil_db **db); void cil_db_destroy(struct cil_db **db); @@ -1085,5 +1092,6 @@ void cil_mls_init(struct cil_mls **mls); void cil_src_info_init(struct cil_src_info **info); void cil_userattribute_init(struct cil_userattribute **attribute); void cil_userattributeset_init(struct cil_userattributeset **attrset); +void cil_segregateattributes_init(struct cil_segregateattributes **sattrs); #endif diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c index 7c543c47..36f6780d 100644 --- a/libsepol/cil/src/cil_policy.c +++ b/libsepol/cil/src/cil_policy.c @@ -69,6 +69,7 @@ enum cil_statement_list { CIL_LIST_USER, CIL_LIST_CONSTRAINT, CIL_LIST_VALIDATETRANS, + CIL_LIST_SEGREGATEATTRIBUTES, CIL_LIST_NUM_LISTS }; @@ -168,6 +169,9 @@ static int __cil_gather_statements_helper(struct cil_tree_node *node, uint32_t * case CIL_VALIDATETRANS: kind = CIL_LIST_VALIDATETRANS; break; + case CIL_SEGREGATEATTRIBUTES: + kind = CIL_LIST_SEGREGATEATTRIBUTES; + break; default: break; } @@ -1911,6 +1915,27 @@ static void cil_devicetreecons_to_policy(FILE *out, struct cil_sort *devicetreec } } +static void cil_segregateattributes_to_policy(FILE *out, struct cil_list *sattrs_list) +{ + struct cil_list_item *curr_sattrs, *curr_attr; + struct cil_segregateattributes *sattrs; + int first = 1; + + cil_list_for_each(curr_sattrs, sattrs_list) { + sattrs = curr_sattrs->data; + fprintf(out, "segregate_attriutes "); + cil_list_for_each(curr_attr, sattrs->datum_expr) { + if (!first) { + first = 0; + } else { + fprintf(out, ", "); + } + fprintf(out, "%s", DATUM(curr_attr->data)->fqn); + } + fprintf(out, ";\n"); + } +} + void cil_gen_policy(FILE *out, struct cil_db *db) { unsigned i; @@ -1956,6 +1981,7 @@ void cil_gen_policy(FILE *out, struct cil_db *db) cil_typebounds_to_policy(out, lists[CIL_LIST_TYPE]); cil_typeattributes_to_policy(out, lists[CIL_LIST_TYPE], lists[CIL_LIST_TYPEATTRIBUTE]); cil_te_rules_to_policy(out, head, db->mls); + cil_segregateattributes_to_policy(out, db->segregateattributes); cil_roles_to_policy(out, lists[CIL_LIST_ROLE]); cil_role_types_to_policy(out, lists[CIL_LIST_ROLE], lists[CIL_LIST_TYPE]); diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c index 0864d7ef..c5ac83c8 100644 --- a/libsepol/cil/src/cil_reset_ast.c +++ b/libsepol/cil/src/cil_reset_ast.c @@ -475,6 +475,11 @@ static void cil_reset_booleanif(struct cil_booleanif *bif) cil_list_destroy(&bif->datum_expr, CIL_FALSE); } +static void cil_reset_segregateattributes(struct cil_segregateattributes *sattrs) +{ + cil_list_destroy(&sattrs->datum_expr, CIL_FALSE); +} + static int __cil_reset_node(struct cil_tree_node *node, __attribute__((unused)) uint32_t *finished, __attribute__((unused)) void *extra_args) { switch (node->flavor) { @@ -630,6 +635,9 @@ static int __cil_reset_node(struct cil_tree_node *node, __attribute__((unused)) case CIL_BOOLEANIF: cil_reset_booleanif(node->data); break; + case CIL_SEGREGATEATTRIBUTES: + cil_reset_segregateattributes(node->data); + break; case CIL_TUNABLEIF: case CIL_CALL: break; /* Not effected by optional block disabling */ diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index f5e22c97..36a96199 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -3265,6 +3265,7 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc sym_index = CIL_SYM_TUNABLES; break; case CIL_TYPE: + case CIL_TYPEATTRIBUTE: sym_index = CIL_SYM_TYPES; break; case CIL_ROLE: @@ -3312,6 +3313,13 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc } else { if (sym_index == CIL_SYM_TYPES && (expr_type == CIL_CONSTRAIN || expr_type == CIL_VALIDATETRANS)) { cil_type_used(res_datum, CIL_ATTR_CONSTRAINT); + } else if (expr_type == CIL_SEGREGATEATTRIBUTES) { + if (FLAVOR(res_datum) != CIL_TYPEATTRIBUTE) { + cil_tree_log(parent, CIL_ERR, "Type or type alias not supported in segregate attributes declaration"); + rc = SEPOL_ERR; + goto exit; + } + cil_type_used(res_datum, CIL_ATTR_NEVERALLOW); } cil_list_append(*datum_expr, CIL_DATUM, res_datum); } @@ -3508,6 +3516,33 @@ exit: return rc; } +int cil_resolve_segregateattributes(struct cil_tree_node *current, void *extra_args) +{ + struct cil_segregateattributes *sattrs = current->data; + struct cil_list_item *first, *second; + int rc; + + rc = cil_resolve_expr(CIL_SEGREGATEATTRIBUTES, sattrs->str_expr, &sattrs->datum_expr, current, extra_args); + if (rc != SEPOL_OK) { + goto exit; + } + + cil_list_for_each(first, sattrs->datum_expr) { + for (second = first->next; second; second = second->next) { + if (first->data == second->data) { + cil_tree_log(current, CIL_ERR, "Repeated attribute in segregate attributes declaration"); + rc = SEPOL_ERR; + goto exit; + } + } + } + + return SEPOL_OK; + +exit: + return rc; +} + /* * Degenerate inheritance leads to exponential growth of the policy * It can take many forms, but here is one example. @@ -3888,6 +3923,9 @@ static int __cil_resolve_ast_node(struct cil_tree_node *node, void *extra_args) case CIL_USERATTRIBUTESET: rc = cil_resolve_userattributeset(node, args); break; + case CIL_SEGREGATEATTRIBUTES: + rc = cil_resolve_segregateattributes(node, args); + break; default: break; } diff --git a/libsepol/cil/src/cil_resolve_ast.h b/libsepol/cil/src/cil_resolve_ast.h index 1d971fd6..31594954 100644 --- a/libsepol/cil/src/cil_resolve_ast.h +++ b/libsepol/cil/src/cil_resolve_ast.h @@ -96,6 +96,7 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc int cil_resolve_boolif(struct cil_tree_node *current, void *extra_args); int cil_evaluate_expr(struct cil_list *datum_expr, uint16_t *result); int cil_resolve_tunif(struct cil_tree_node *current, void *extra_args); +int cil_resolve_segregateattributes(struct cil_tree_node *current, void *extra_args); int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current); int cil_resolve_name(struct cil_tree_node *ast_node, char *name, enum cil_sym_index sym_index, void *extra_args, struct cil_symtab_datum **datum); diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c index b75784ef..d0fb555b 100644 --- a/libsepol/cil/src/cil_write_ast.c +++ b/libsepol/cil/src/cil_write_ast.c @@ -1474,7 +1474,18 @@ void cil_write_ast_node(FILE *out, struct cil_tree_node *node) fprintf(out, "(ipaddr %s %s)\n", datum_to_str(&ipaddr->datum), buf); break; } + case CIL_SEGREGATEATTRIBUTES: { + struct cil_segregateattributes *sattrs = node->data; + fprintf(out, "(segregateattributes "); + if (sattrs->datum_expr) + write_expr(out, sattrs->datum_expr); + else + write_expr(out, sattrs->str_expr); + fprintf(out, ")\n"); + break; + } default : + cil_log(CIL_ERR, "Unsupported flavor: %d\n", node->flavor); fprintf(out, "()\n", cil_node_to_string(node)); break; } diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index 9128ac55..4b99208d 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -1906,6 +1906,33 @@ static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg) return 0; } +static int write_segregate_attributes_to_cil(FILE *out, const struct policydb *pdb) +{ + const segregate_attributes_rule_t *sattr; + + for (sattr = pdb->segregate_attributes; sattr; sattr = sattr->next) { + struct ebitmap_node *node; + unsigned int bit; + int first = 1; + + sepol_printf(out, "(segregateattributes ("); + + ebitmap_for_each_positive_bit(&sattr->attrs, node, bit) { + if (first) { + first = 0; + } else { + sepol_printf(out, " "); + } + + sepol_printf(out, "%s", pdb->p_type_val_to_name[bit - 1]); + } + + sepol_printf(out, "))\n"); + } + + return 0; +} + static int write_filename_trans_rules_to_cil(FILE *out, struct policydb *pdb) { struct map_filename_trans_args args; @@ -3329,6 +3356,11 @@ int sepol_kernel_policydb_to_cil(FILE *out, struct policydb *pdb) goto exit; } + rc = write_segregate_attributes_to_cil(out, pdb); + if (rc != 0) { + goto exit; + } + rc = write_filename_trans_rules_to_cil(out, pdb); if (rc != 0) { goto exit; diff --git a/secilc/docs/README.md b/secilc/docs/README.md index efab2a71..8f584019 100644 --- a/secilc/docs/README.md +++ b/secilc/docs/README.md @@ -132,6 +132,7 @@ CIL (Common Intermediate Language) * [typemember](cil_type_statements.md#typemember) * [typetransition](cil_type_statements.md#typetransition) * [typepermissive](cil_type_statements.md#typepermissive) + * [segregateattributes](cil_type_statements.md#segregateattributes) * [User Statements](cil_user_statements.md#user-statements) * [user](cil_user_statements.md#user) diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md index 19438417..56533eea 100644 --- a/secilc/docs/cil_type_statements.md +++ b/secilc/docs/cil_type_statements.md @@ -601,3 +601,53 @@ This example will allow SELinux to run the `healthd.process` domain in permissiv (allow ...) ) ``` + +segregateattributes +------------------- + +Libsepol and secilc version 3.5 introduced the segregateattributes statement +to mark two or more type attributes mutual exclusive. This is a compiler +enforced action that will stop compilation until the offending associations +are modified. + +Note that these constraints can be over-ridden by the CIL compiler command +line parameter `-N` or `--disable-neverallow` flags. + +**Statement definition:** + +```secil + (segregateattributes (typeattribute_id typeattribute_id...)) +``` + +**Where:** + + ++++ + + + + + + + + + + +

segregateattributes

The segregateattributes keyword.

typeattribute_id

At least two previously declared typeattribute identifier.

+

Note that the same typeattribute identifier must not be repeated.

+ +**Example:** + +This example will not compile as `type_1` is associated with type attributes `attr_1` and `attr_2`: + +```secil + (type type_1) + (typeattribute attr_1) + (typeattribute attr_2) + (typeattributeset attr_1 (type_1)) + (typeattributeset attr_2 (type_1)) + (segregateattributes (attr_1 attr_2)) +``` From patchwork Thu Jul 21 15:05:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12925337 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66383C43334 for ; Thu, 21 Jul 2022 15:05:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231394AbiGUPFb (ORCPT ); Thu, 21 Jul 2022 11:05:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52494 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230439AbiGUPF2 (ORCPT ); Thu, 21 Jul 2022 11:05:28 -0400 Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4FD9F13CF4 for ; Thu, 21 Jul 2022 08:05:27 -0700 (PDT) Received: by mail-ej1-x633.google.com with SMTP id z23so3656814eju.8 for ; Thu, 21 Jul 2022 08:05:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=hi6jPaXouB/1D7rTQLM7doOPdIZe/Co24uh16MQ4VXc=; b=qpRlmBoeIZkGlugIAfB1F4rsVB2z50hr9c+tOmI4L40u7lcCn+u/aI0IOamzheVg7C K777pzWrQ/WzHEjxc3/B/0tEKMBdNGVwbFIvY6MT3XZERUEKB+e/yeKwW0bVHykcTER1 AurlnA2EMdVKDEILPshAdmI46Tun9A4rtzg4Z5IU/gtyRpvSKP4re5xm9B/YKJe08UoL JQ82dbhbpRn1KnbcOvLr9+4EjQYE33I2qL/D0djYsMTHeQmGJg3bLOHEN1FTmOSHX2Gw hCOk2HmlpdCeRK5NNsanshZ4zC/prn+SUIGKCrDpRB2dgFaooFadpYyzleJLkfZ2VEty eyVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=hi6jPaXouB/1D7rTQLM7doOPdIZe/Co24uh16MQ4VXc=; b=DjJ2Wpxop2zJ1yMfDSXCrYilk48ooy2y+bsGVuiNX3p51NNjIgWzQJYvyvEOQXRgEY +jiIucslmlWhiZoivvZawX5fQDH8rrpZphVPR1Il2UlbUwrVZQnpTSdaH+aGCCDhi/WV grrdZn0Xh/P7rOOdmmgWWpsXpOSRftxXmXp6/o5API9XTAqvHqElGCwLNwlWAtiNBe7U 5I01iHtM2gUTrAg/1r057AFwfjQ3vtFk1DTSICZvzQrcgzZUPvECEbEFMqLLZHcT72Z1 jTgIOxR1RlmJKmHPZjxWHl9xMx/dRbGudKLxt/qSLx/M9sODcFl6ecAu0/jCJZZJe15l kUog== X-Gm-Message-State: AJIora8KOJnOl6XRboY2EmqwjrgRsJwtb0mSXBBtE6sg3fB7fx3vc7xZ v+OOWya1MegWt6rs8PCGsvQGDQuYsLxKww== X-Google-Smtp-Source: AGRyM1ssj7BuslFUf1PBAdeRzPBtV3THFM1MG8tbW0Ze1yWEiX3UBWU2KbnQRWqnZgTTbFOdy0k/gQ== X-Received: by 2002:a17:907:1c11:b0:72f:20:e1ea with SMTP id nc17-20020a1709071c1100b0072f0020e1eamr29646197ejc.427.1658415926781; Thu, 21 Jul 2022 08:05:26 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-000-209-027.77.0.pool.telefonica.de. [77.0.209.27]) by smtp.gmail.com with ESMTPSA id s7-20020aa7c547000000b0043a1255bc68sm1120992edr.94.2022.07.21.08.05.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Jul 2022 08:05:26 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v3 7/8] secilc: run tests against development version of libsepol Date: Thu, 21 Jul 2022 17:05:14 +0200 Message-Id: <20220721150515.19843-7-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220721150515.19843-1-cgzones@googlemail.com> References: <20220721150515.19843-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Since secilc is dynamically linked against libsepol do not run tests against the system version of libsepol to support new features currently in development. Signed-off-by: Christian Göttsche --- secilc/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/secilc/Makefile b/secilc/Makefile index 94be0481..543df43b 100644 --- a/secilc/Makefile +++ b/secilc/Makefile @@ -34,8 +34,8 @@ $(SECILC): $(SECILC_OBJS) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) test: $(SECILC) - ./$(SECILC) test/policy.cil - ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil + env LD_LIBRARY_PATH="$(DESTDIR)/lib:$(DESTDIR)/usr/lib" ./$(SECILC) test/policy.cil + env LD_LIBRARY_PATH="$(DESTDIR)/lib:$(DESTDIR)/usr/lib" ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil $(CHECKPOLICY) -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null $(DIFF) test/opt-expected.cil opt-actual.cil From patchwork Thu Jul 21 15:05:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12925341 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D3189CCA489 for ; Thu, 21 Jul 2022 15:05:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230439AbiGUPFc (ORCPT ); Thu, 21 Jul 2022 11:05:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52574 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231521AbiGUPFa (ORCPT ); Thu, 21 Jul 2022 11:05:30 -0400 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B86211A2A for ; Thu, 21 Jul 2022 08:05:29 -0700 (PDT) Received: by mail-ej1-x629.google.com with SMTP id z23so3656864eju.8 for ; Thu, 21 Jul 2022 08:05:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=Skx4w+WSZoUBe0VansEN520eMgtHIQeTD+HGsMbcmPM=; b=I3hMm40b7qYw/b+MS/i7raETkNVmNNhFg5sqFO6rTPiA1o1c7ijyhZYoOOXGvujJXJ mj4SZN0R3pow8L3ozfZAVSBzaY3lCv2zGG/CY65b9aFXu1cAGxsb3vNlfZXYY7rkEE1X HLBpXGSKTFPQuRxAs5inwfiOreTCDykr8ctOqeFF6f8yUPPT9zl8sR3FMbEg5+A4XpUg R2LkbkrMOVs54njHWWH174B1lmYfpyk6bqx+6OFBEc6eTeek9bVIk3CNPWX7kL9kYlp2 +qCFUGLkUhGCfnZ/XUTIdr2lLfwSKTBGImWY+yVNw1oAADZVFDFaHD4CGog8ugbf5IDr 9tHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Skx4w+WSZoUBe0VansEN520eMgtHIQeTD+HGsMbcmPM=; b=D3z60wNSFiiy0KHGC/Znp8ib9q1KcIUfZXSC66Xfx7Ql8aO0aMIYdvYZ6K4nv4S8Xz NTkQWawiAzvrH4uO99u7lD+PcZPZsW2vGTHuHnAvXYOC4K0u4tYzheGtdbuDcKnQJ5Vh VXvMJyXo0hx3r24bVtphaZ/1fJ3jobJ2oW34OqYKpycXRGclwXalWsMGRNVXMIQgH2+t hs4eP+oJuNMd6EtCerlNFMEqAQXxB84b0Sypy36Aa8YZKUwaeIkkdf/eVl/SLYRKlJ5J Lj/pFa0+1iPIWhDMqQcVQEnq88RZ86y7vnEWQQPHwS97ZGBI1EWBCqErISHtT+dpZpmZ 0wAQ== X-Gm-Message-State: AJIora8mj6GqdQCfzpyB46Um8Kdd279cv3YMu56pyRDdwbywfH19Ot/a W1UBdbmH1oMHdrr8S6HbnAnBfuezv6aqqQ== X-Google-Smtp-Source: AGRyM1t+6ipkclUyI7Kaz3BeiwENzwKHZm18C5TG3REpxUaV1u8MUjaqGHJBA7ASYQUUtzte4htj4A== X-Received: by 2002:a17:906:9b0a:b0:72b:4f33:b247 with SMTP id eo10-20020a1709069b0a00b0072b4f33b247mr41524141ejc.267.1658415927496; Thu, 21 Jul 2022 08:05:27 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-000-209-027.77.0.pool.telefonica.de. [77.0.209.27]) by smtp.gmail.com with ESMTPSA id s7-20020aa7c547000000b0043a1255bc68sm1120992edr.94.2022.07.21.08.05.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Jul 2022 08:05:27 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v3 8/8] secilc: include segregate attributes in tests Date: Thu, 21 Jul 2022 17:05:15 +0200 Message-Id: <20220721150515.19843-8-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220721150515.19843-1-cgzones@googlemail.com> References: <20220721150515.19843-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Christian Göttsche --- secilc/test/policy.cil | 3 +++ 1 file changed, 3 insertions(+) diff --git a/secilc/test/policy.cil b/secilc/test/policy.cil index e6b78618..4e1d6b61 100644 --- a/secilc/test/policy.cil +++ b/secilc/test/policy.cil @@ -118,13 +118,16 @@ (typeattribute foo_type) (typeattribute bar_type) (typeattribute baz_type) + (typeattribute bad_type) (typeattribute not_bad_type) (typeattributeset exec_type (or bin_t kernel_t)) (typeattributeset foo_type (and exec_type kernel_t)) (typeattributeset bar_type (xor exec_type foo_type)) (typeattributeset baz_type (not bin_t)) (typeattributeset baz_type (and exec_type (and bar_type bin_t))) + (typeattributeset bad_type (bad_t)) (typeattributeset not_bad_type (not bad_t)) + (segregateattributes (bad_type not_bad_type)) (typealias sbin_t) (typealiasactual sbin_t bin_t) (typepermissive device_t)