From patchwork Thu Jan 5 17:13:39 2023
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13090230
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH 1/2] libsepol: do not write empty class definitions
Date: Thu, 5 Jan 2023 18:13:39 +0100
Message-Id: <20230105171340.18444-1-cgzones@googlemail.com>

Do not write class definitions for classes without any permission and any inherited common class. The classes are already declared in write_class_decl_rules_to_conf().

Skipping those empty definitions, which are equal to the corresponding class declarations, will make it possible to parse the generated policy conf file with checkpolicy, as checkpolicy does not accept class declarations after initial sid declarations.

This will enable simple round-trip tests with checkpolicy.
Signed-off-by: Christian Göttsche
Acked-by: James Carter
---
 libsepol/src/kernel_to_conf.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 63dffd9b..73b72b5d 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -591,16 +591,21 @@ static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb) class = pdb->class_val_to_struct[i]; if (!class) continue; name = pdb->p_class_val_to_name[i]; - sepol_printf(out, "class %s", name); - if (class->comkey) { - sepol_printf(out, " inherits %s", class->comkey); - } perms = class_or_common_perms_to_str(&class->permissions); - if (perms) { - sepol_printf(out, " { %s }", perms); - free(perms); + /* Do not write empty classes, their declaration was alreedy + * printed in write_class_decl_rules_to_conf() */ + if (perms || class->comkey) { + sepol_printf(out, "class %s", name); + if (class->comkey) { + sepol_printf(out, " inherits %s", class->comkey); + } + + if (perms) { + sepol_printf(out, " { %s }", perms); + free(perms); + } + sepol_printf(out, "\n"); } - sepol_printf(out, "\n"); } exit:
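Review bot: typo in the new comment, `alreedy` should be `already`, and the comma splice reads better as two clauses: `/* Do not write empty classes; their declaration was already printed in write_class_decl_rules_to_conf() */`. The guard `if (perms || class->comkey)` itself is right: a class that inherits a common but has no own permissions still differs from its bare declaration and keeps its `inherits` line, and `free(perms)` remains inside the non-NULL branch, so no leak is introduced.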
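As an added example, not part of the patch or of the libsepol/checkpolicy code, a small Python check for the ordering rule the commit message describes: a bare `class NAME` declaration appearing after the first initial `sid NAME` declaration is what checkpolicy rejects, whereas `class NAME { perms }` definitions after the sids are accepted. The policy text is constructed here and trimmed from the shape of the polmin.conf fixture in patch 2.

```python
import re

# Constructed sample in the shape of the polmin.conf fixture: bare class
# declarations, then initial sid declarations, then class definitions.
GOOD_CONF = """\
class process
class blk_file
sid kernel
sid unlabeled
class process { dyntransition transition }
type sys_isid;
sid kernel sys_user:sys_role:sys_isid
"""

# The same policy as libsepol wrote it before the patch: the empty class
# blk_file is repeated as a bare declaration after the initial sids.
BAD_CONF = GOOD_CONF.replace(
    "class process { dyntransition transition }\n",
    "class process { dyntransition transition }\nclass blk_file\n",
)

# "sid NAME" with nothing else is a declaration; "sid NAME context" is not.
_SID_DECL = re.compile(r"^sid\s+\S+\s*$")
# "class NAME" with no "{ perms }" and no "inherits" is a bare declaration.
_CLASS_DECL = re.compile(r"^class\s+\S+\s*$")


def misplaced_class_decls(conf_text):
    """Return (line_no, line) for every bare class declaration that follows
    the first initial-sid declaration, i.e. what checkpolicy refuses to parse."""
    seen_sid = False
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _SID_DECL.match(line):
            seen_sid = True
        elif seen_sid and _CLASS_DECL.match(line):
            hits.append((no, line))
    return hits


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, misplaced_class_decls(text))
```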
From patchwork Thu Jan 5 17:13:40 2023
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13090228
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH 2/2] checkpolicy: add simple round-trip test
Date: Thu, 5 Jan 2023 18:13:40 +0100
Message-Id: <20230105171340.18444-2-cgzones@googlemail.com>
In-Reply-To: <20230105171340.18444-1-cgzones@googlemail.com>
References: <20230105171340.18444-1-cgzones@googlemail.com>

Add simple round-trip tests on a minimal standard and MLS policy.

Signed-off-by: Christian Göttsche
---
 checkpolicy/.gitignore | 2 +
 checkpolicy/Makefile | 6 +-
 checkpolicy/tests/polmin.conf | 81 +++++++++++++++++++++++++++
 checkpolicy/tests/polmin.mls.conf | 85 +++++++++++++++++++++++++++++
 checkpolicy/tests/test_roundtrip.sh | 33 +++++++++++
 5 files changed, 206 insertions(+), 1 deletion(-)
 create mode 100644 checkpolicy/tests/polmin.conf
 create mode 100644 checkpolicy/tests/polmin.mls.conf
 create mode 100755 checkpolicy/tests/test_roundtrip.sh

diff --git a/checkpolicy/.gitignore b/checkpolicy/.gitignore
index a7bd076d..01a694d4 100644
--- a/checkpolicy/.gitignore
+++ b/checkpolicy/.gitignore
@@ -3,3 +3,5 @@ checkpolicy lex.yy.c y.tab.c y.tab.h +tests/testpol.bin +tests/testpol.conf
diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
index f9e1fc7c..86c4a197 100644
--- a/checkpolicy/Makefile
+++ b/checkpolicy/Makefile
@@ -50,6 +50,10 @@ y.tab.c: policy_parse.y lex.yy.c: policy_scan.l y.tab.c $(LEX) policy_scan.l +.PHONY: test +test: checkpolicy + ./tests/test_roundtrip.sh + install: all -mkdir -p $(DESTDIR)$(BINDIR) -mkdir -p $(DESTDIR)$(MANDIR)/man8 @@ -68,7 +72,7 @@ relabel: install /sbin/restorecon $(DESTDIR)$(BINDIR)/checkmodule clean: - -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c + -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c tests/testpol.conf tests/testpol.bin $(MAKE) -C test clean indent:
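Review bot: the new `test` target shares its name with the existing `test/` directory (see `$(MAKE) -C test clean` in the `clean:` rule), so `.PHONY: test` is what stops make from treating the directory as an already-up-to-date target and silently skipping the script; keep the two lines together and consider a one-line comment saying why. The fixtures live in a separate `tests/` directory, which is easy to confuse with `test/`; a comment next to `test: checkpolicy` noting that distinction would help.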
diff --git a/checkpolicy/tests/polmin.conf b/checkpolicy/tests/polmin.conf
new file mode 100644
index 00000000..7a652de8
--- /dev/null
+++ b/checkpolicy/tests/polmin.conf
@@ -0,0 +1,81 @@ +# handle_unknown deny +class process +class blk_file +class chr_file +class dir +class fifo_file +class file +class lnk_file +class sock_file +sid kernel +sid security +sid unlabeled +sid fs +sid file +sid file_labels +sid init +sid any_socket +sid port +sid netif +sid netmsg +sid node +sid igmp_packet +sid icmp_socket +sid tcp_socket +sid sysctl_modprobe +sid sysctl +sid sysctl_fs +sid sysctl_kernel +sid sysctl_net +sid sysctl_net_unix +sid sysctl_vm +sid sysctl_dev +sid kmod +sid policy +sid scmp_packet +sid devnull +class process { dyntransition transition } +default_role { blk_file } source; +default_role { chr_file } source; +default_role { dir } source; +default_role { fifo_file } source; +default_role { file } source; +default_role { lnk_file } source; +default_role { sock_file } source; +type sys_isid; +typealias sys_isid alias dpkg_script_t; +typealias sys_isid alias rpm_script_t; +allow sys_isid self:process { dyntransition transition }; +role sys_role; +role sys_role types { sys_isid }; +user sys_user roles sys_role; +constrain process { transition } u1 == u2; +sid kernel sys_user:sys_role:sys_isid +sid security sys_user:sys_role:sys_isid +sid unlabeled sys_user:sys_role:sys_isid +sid fs sys_user:sys_role:sys_isid +sid file sys_user:sys_role:sys_isid +sid file_labels sys_user:sys_role:sys_isid +sid init sys_user:sys_role:sys_isid +sid any_socket sys_user:sys_role:sys_isid +sid port sys_user:sys_role:sys_isid +sid netif sys_user:sys_role:sys_isid +sid netmsg sys_user:sys_role:sys_isid +sid node sys_user:sys_role:sys_isid +sid igmp_packet sys_user:sys_role:sys_isid +sid icmp_socket sys_user:sys_role:sys_isid +sid tcp_socket sys_user:sys_role:sys_isid +sid sysctl_modprobe sys_user:sys_role:sys_isid +sid sysctl sys_user:sys_role:sys_isid +sid sysctl_fs sys_user:sys_role:sys_isid +sid sysctl_kernel sys_user:sys_role:sys_isid +sid sysctl_net sys_user:sys_role:sys_isid +sid sysctl_net_unix sys_user:sys_role:sys_isid +sid sysctl_vm 
sys_user:sys_role:sys_isid +sid sysctl_dev sys_user:sys_role:sys_isid +sid kmod sys_user:sys_role:sys_isid +sid policy sys_user:sys_role:sys_isid +sid scmp_packet sys_user:sys_role:sys_isid +sid devnull sys_user:sys_role:sys_isid +fs_use_trans devpts sys_user:sys_role:sys_isid; +fs_use_trans devtmpfs sys_user:sys_role:sys_isid; diff --git a/checkpolicy/tests/polmin.mls.conf b/checkpolicy/tests/polmin.mls.conf new file mode 100644 index 00000000..b045a60f --- /dev/null +++ b/checkpolicy/tests/polmin.mls.conf 
@@ -0,0 +1,85 @@ +# handle_unknown deny +class process +class blk_file +class chr_file +class dir +class fifo_file +class file +class lnk_file +class sock_file +sid kernel +sid security +sid unlabeled +sid fs +sid file +sid file_labels +sid init +sid any_socket +sid port +sid netif +sid netmsg +sid node +sid igmp_packet +sid icmp_socket +sid tcp_socket +sid sysctl_modprobe +sid sysctl +sid sysctl_fs +sid sysctl_kernel +sid sysctl_net +sid sysctl_net_unix +sid sysctl_vm +sid sysctl_dev +sid kmod +sid policy +sid scmp_packet +sid devnull +class process { dyntransition transition } +default_role { blk_file } source; +default_role { chr_file } source; +default_role { dir } source; +default_role { fifo_file } source; +default_role { file } source; +default_role { lnk_file } source; +default_role { sock_file } source; +sensitivity s0; +dominance { s0 } +category c0; +level s0:c0; +mlsconstrain process { transition } l1 == l2; +type sys_isid; +typealias sys_isid alias dpkg_script_t; +typealias sys_isid alias rpm_script_t; +allow sys_isid self:process { dyntransition transition }; +role sys_role; +role sys_role types { sys_isid }; +user sys_user roles sys_role level s0 range s0 - s0:c0; +sid kernel sys_user:sys_role:sys_isid:s0 - s0 +sid security sys_user:sys_role:sys_isid:s0 - s0 +sid unlabeled sys_user:sys_role:sys_isid:s0 - s0 +sid fs sys_user:sys_role:sys_isid:s0 - s0 +sid file sys_user:sys_role:sys_isid:s0 - s0 +sid file_labels sys_user:sys_role:sys_isid:s0 - s0 +sid init sys_user:sys_role:sys_isid:s0 - s0 +sid any_socket sys_user:sys_role:sys_isid:s0 - s0 +sid port sys_user:sys_role:sys_isid:s0 - s0 +sid netif sys_user:sys_role:sys_isid:s0 - s0 +sid netmsg sys_user:sys_role:sys_isid:s0 - s0 +sid node sys_user:sys_role:sys_isid:s0 - s0 +sid igmp_packet sys_user:sys_role:sys_isid:s0 - s0 +sid icmp_socket sys_user:sys_role:sys_isid:s0 - s0 +sid tcp_socket sys_user:sys_role:sys_isid:s0 - s0 +sid sysctl_modprobe sys_user:sys_role:sys_isid:s0 - s0 +sid sysctl 
sys_user:sys_role:sys_isid:s0 - s0 +sid sysctl_fs sys_user:sys_role:sys_isid:s0 - s0 +sid sysctl_kernel sys_user:sys_role:sys_isid:s0 - s0 +sid sysctl_net sys_user:sys_role:sys_isid:s0 - s0 +sid sysctl_net_unix sys_user:sys_role:sys_isid:s0 - s0 +sid sysctl_vm sys_user:sys_role:sys_isid:s0 - s0 +sid sysctl_dev sys_user:sys_role:sys_isid:s0 - s0 +sid kmod sys_user:sys_role:sys_isid:s0 - s0 +sid policy sys_user:sys_role:sys_isid:s0 - s0 +sid scmp_packet sys_user:sys_role:sys_isid:s0 - s0 +sid devnull sys_user:sys_role:sys_isid:s0 - s0 +fs_use_trans devpts sys_user:sys_role:sys_isid:s0 - s0; +fs_use_trans devtmpfs sys_user:sys_role:sys_isid:s0 - s0; diff --git a/checkpolicy/tests/test_roundtrip.sh b/checkpolicy/tests/test_roundtrip.sh new file mode 100755 index 00000000..15b1b3bc --- /dev/null +++ b/checkpolicy/tests/test_roundtrip.sh @@ -0,0 +1,33 @@ +#!/bin/sh + +set -eu + +BASEDIR=$(dirname "$0") +CHECKPOLICY="${BASEDIR}/../checkpolicy" + +check_policy() { + POLICY=$1 + MLS=$2 + + if [ "$MLS" = 'mls' ]; then + OPT='-M' + else + OPT= + fi + + echo "==== Testing ${1}" + + ${CHECKPOLICY} ${OPT} -E "${BASEDIR}/${POLICY}" -o "${BASEDIR}/testpol.bin" + ${CHECKPOLICY} ${OPT} -E -b -F "${BASEDIR}/testpol.bin" -o "${BASEDIR}/testpol.conf" + diff -u "${BASEDIR}/${POLICY}" "${BASEDIR}/testpol.conf" + + ${CHECKPOLICY} ${OPT} -S -O -E "${BASEDIR}/${POLICY}" -o "${BASEDIR}/testpol.bin" + ${CHECKPOLICY} ${OPT} -S -O -E -b -F "${BASEDIR}/testpol.bin" -o "${BASEDIR}/testpol.conf" + diff -u "${BASEDIR}/${POLICY}" "${BASEDIR}/testpol.conf" + + echo "==== ${1} success" +} + + +check_policy polmin.conf std +check_policy polmin.mls.conf mls
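Review bot: the polmin.conf and polmin.mls.conf fixtures are compared byte-for-byte with `diff -u`, so they must exactly reproduce what `checkpolicy -b -F` writes (down to the leading `# handle_unknown deny` comment and the declaration/sid/definition ordering), and no explanatory comment can be added to them without breaking the round-trip. Document in the script header, not in the fixtures, that these files are regenerated from checkpolicy output whenever libsepol's conf writer changes its formatting.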
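Review bot: test_roundtrip.sh writes testpol.bin and testpol.conf into `${BASEDIR}` next to the fixtures, so the test cannot run from a read-only source tree and two concurrent invocations clobber each other's output; a `TMPDIR=$(mktemp -d)` with `trap 'rm -rf "$TMPDIR"' EXIT` would fix both and make the .gitignore and `clean:` additions unnecessary. Minor: `echo "==== Testing ${1}"` and `echo "==== ${1} success"` should use `${POLICY}` now that the positional parameter has a name.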