From patchwork Fri May 12 09:23:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13238930 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 88954C77B75 for ; Fri, 12 May 2023 09:23:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239963AbjELJXW (ORCPT ); Fri, 12 May 2023 05:23:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52772 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240134AbjELJXV (ORCPT ); Fri, 12 May 2023 05:23:21 -0400 Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0E6B1E702 for ; Fri, 12 May 2023 02:23:20 -0700 (PDT) Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-965ab8ed1c0so1597852466b.2 for ; Fri, 12 May 2023 02:23:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1683883398; x=1686475398; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=ZJRImihViRtxLkLyyQjnpBc4bhOKrp7RsdW83/Maleg=; b=MJ9xgv/Wq0fPLBEZLUqQieO4aFI6izMJE+gDysP4Ya+sfsF4I3N4obXQ7XuyvAr+Go hMGIu31j8iDPg8oWbxdnKYGs+eT8hqhLTQn8TKQ8ttYDpFMet9Bi04AH0fdy549fHUwk qMGlZALZFGQr4tx9dyJbGlhJXEIrn8oaL5LBNBA6y9uHb5suQT30Irb6UyO7P3dqdNOB VSXNlKb8LjCliIRgF/7hx/7k2dheq+N1cqWwtOFE38uLXsqwgQKzFHz5pyclmm4a++oD fmB5p3O/skOCDRp7lT5QOgAA1oIYaDqTl6GJMW6xLMtvsOkfH/gcuVdwkOGN/IhIe0LZ nrgQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683883398; x=1686475398; 
h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ZJRImihViRtxLkLyyQjnpBc4bhOKrp7RsdW83/Maleg=; b=R8J6+9dMZp27qbvJag73GFu9b0vc8k7HZgeJgbhWG1XgVwxYsWziK3LV0+Fu4+sDhM jwTJpbKCl8R7EPu0hB0m/AE9YXAKeM6bCRLrOrPkGBoCcS1V4tn8QOtqmXouFY1rBu+q wDOKrLgiPuPgJsCGY6CW6x5I4nrXxh5CxWTE1sngbfX+xlwZyzmlnPqrW9UP+aMHrXxK t/SWauNt1a3VvJA2z7oi/ep+yHzWuTejA+i82z1YMHkq7IqyS/STPUlBqNm9GKa1Jt9i N86ov92a6b1cOoWbHMETfG0ZgYixIkr3m+WiJtqyr+fyBw0sLJ+tghS3cM8FIOFfzea2 uWxQ== X-Gm-Message-State: AC+VfDyOdJfdByKka8Jt0bf7mS7P0vYAbuv86jbDFIFtqPtdlNFy7uwp WKYe8n45sBXkVky9rAVlZhs8ej8nBPp1nA== X-Google-Smtp-Source: ACHHUZ56Ef5eHOn1NYYRN1XQ+/Jh+3/YJR4iI2YVpJmu2QFErDYPThi4Hxj1qg04S3xifG+cwa/36A== X-Received: by 2002:a17:907:7b8b:b0:962:ec98:cd75 with SMTP id ne11-20020a1709077b8b00b00962ec98cd75mr25216982ejc.67.1683883398291; Fri, 12 May 2023 02:23:18 -0700 (PDT) Received: from debianHome.localdomain (dynamic-095-116-181-041.95.116.pool.telefonica.de. [95.116.181.41]) by smtp.gmail.com with ESMTPSA id de25-20020a1709069bd900b0096664376ec9sm5186040ejc.55.2023.05.12.02.23.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 May 2023 02:23:17 -0700 (PDT)
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH 1/4] checkpolicy: drop unused token CLONE
Date: Fri, 12 May 2023 11:23:08 +0200
Message-Id: <20230512092311.42583-1-cgzones@googlemail.com>
X-Mailer: git-send-email 2.40.1
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

The token CLONE is never used in the grammar; drop it. As a side effect `clone` and `CLONE` become available as identifier names.

Signed-off-by: Christian Göttsche
Acked-by: James Carter
---
 checkpolicy/policy_parse.y | 1 -
 checkpolicy/policy_scan.l  | 2 --
 2 files changed, 3 deletions(-)

diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y index 45f973ff..da32a776 100644
--- a/checkpolicy/policy_parse.y +++ b/checkpolicy/policy_parse.y @@ -85,7 +85,6 @@ typedef int (* require_func_t)(int pass); %token PATH %token QPATH %token FILENAME -%token CLONE %token COMMON %token CLASS %token CONSTRAIN diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l index 9fefea7b..2c025b61 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l 
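Review bot: dropping the `%token CLONE` declaration is only safe if no rule or `%type` in policy_parse.y still names CLONE, which the hunk's context lines cannot show; bison would then treat the symbol as an undefined nonterminal and fail the build, so please confirm the grammar still compiles cleanly (the commit message asserts the token is unused, and the policy_scan.l hunk removes its only producer).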
@@ -77,8 +77,6 @@ hexval [0-9A-Fa-f] source_lineno++; yyless(1); } -CLONE | -clone { return(CLONE); } COMMON | common { return(COMMON); } CLASS |
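Review bot: with the `CLONE | clone { return(CLONE); }` rule gone, both spellings fall through to the generic identifier rule, as the commit message states; that is a small policy-language change (a formerly reserved word becomes a legal type, attribute or class name), so consider adding a test policy that uses `clone` as an identifier to lock the new behaviour in and to catch any later reintroduction of the keyword.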
From patchwork Fri May 12 09:23:09 2023
X-Patchwork-Id: 13238931
X-Patchwork-Delegate: plautrba@redhat.com
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH 2/4] checkpolicy: reject condition with bool and tunable in expression
Date: Fri, 12 May 2023 11:23:09 +0200
Message-Id: <20230512092311.42583-2-cgzones@googlemail.com>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20230512092311.42583-1-cgzones@googlemail.com>
References: <20230512092311.42583-1-cgzones@googlemail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

If tunables are not preserved (the mode unconditionally used by checkpolicy), an expression must not consist of booleans and tunables, since such expressions are not supported during expansion (see expand.c: discard_tunables()).

Signed-off-by: Christian Göttsche
---
 checkpolicy/policy_define.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index d4e376ad..95cd5c85 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -3964,8 +3964,9 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2) int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) { cond_expr_t *e; - int depth; + int depth, booleans, tunables; cond_node_t cn, *cn_old; + const cond_bool_datum_t *bool_var; /* expression cannot be NULL */ if (!expr) { @@ -3990,6 +3991,8 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) /* verify expression */ depth = -1; + booleans = 0; + tunables = 0; for (e = expr; e; e = e->next) { switch (e->expr_type) { case COND_NOT: @@ -4018,6 +4021,14 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) return -1; } depth++; + + bool_var = policydbp->bool_val_to_struct[e->boolean - 1]; + if (bool_var->flags & COND_BOOL_FLAGS_TUNABLE) { + tunables = 1; + } else { + booleans = 1; + } + break; default: yyerror("illegal conditional expression");
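Review bot: in the @@ -4018 hunk, `policydbp->bool_val_to_struct[e->boolean - 1]` uses a 1-based index with no range check in sight (the visible context is only `return -1; } depth++;`), so this relies on `e->boolean` having been resolved to a valid declared boolean when the expression was built; please confirm that, and that boolean/tunable declarations (which set COND_BOOL_FLAGS_TUNABLE) are always processed before define_conditional runs, because if the flag were not yet final a tunable would be counted as a boolean here and the new check would silently pass a mixed expression.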
@@ -4028,6 +4039,10 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) yyerror("illegal conditional expression"); return -1; } + if (booleans && tunables) { + yyerror("illegal conditional expression; Contains boolean and tunable"); + return -1; + } /* use tmp conditional node to partially build new node */ memset(&cn, 0, sizeof(cn));
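Review bot: the new message `illegal conditional expression; Contains boolean and tunable` capitalises mid-sentence, unlike the neighbouring `yyerror("illegal conditional expression")` strings; suggest `illegal conditional expression: contains both a boolean and a tunable`. Since the restriction exists only because checkpolicy never preserves tunables and discard_tunables() in expand.c cannot handle mixed expressions (as the commit message explains), please put that rationale in a comment above the `if (booleans && tunables)` check so it lives in the source and not only in the git log.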
From patchwork Fri May 12 09:23:10 2023
X-Patchwork-Id: 13238932
X-Patchwork-Delegate: plautrba@redhat.com
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH 3/4] checkpolicy: only set declared permission bits for wildcards
Date: Fri, 12 May 2023 11:23:10 +0200
Message-Id: <20230512092311.42583-3-cgzones@googlemail.com>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20230512092311.42583-1-cgzones@googlemail.com>
References: <20230512092311.42583-1-cgzones@googlemail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

When setting permission bits from a wildcard or complement, only set the bits for permissions actually declared for the associated class. This helps optimize the policy later, since only rules with a completely empty permission bitset are dropped.

Example policy:

    class CLASS1
    sid kernel
    class CLASS1 { PERM1 }
    type TYPE1;
    bool BOOL1 true;
    allow TYPE1 self : CLASS1 { PERM1 };
    role ROLE1;
    role ROLE1 types { TYPE1 };
    if ! BOOL1 {
        allow TYPE1 self: CLASS1 *;
    }
    user USER1 roles ROLE1;
    sid kernel USER1:ROLE1:TYPE1

Also emit a warning if a rule will have an empty permission bitset due to an exhausting complement.

Signed-off-by: Christian Göttsche
---
 checkpolicy/policy_define.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 95cd5c85..cef8f3c4 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -2511,6 +2511,8 @@ int define_te_avtab_extended_perms(int which) return rc; } +#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1)) + static int define_te_avtab_helper(int which, avrule_t ** rule) { char *id;
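Review bot: moving PERMISSION_MASK above define_te_avtab_helper so that it is shared with define_constraint is preferable to a second copy, but now that the macro has two users its contract deserves a comment: it yields 0 for `nprim == 0`, and only the `== PERM_SYMTAB_SIZE` branch keeps the 32-bit shift defined, so every caller must pass a declared-permission count bounded by PERM_SYMTAB_SIZE (both new call sites pass `cladatum->permissions.nprim`, which satisfies that).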
@@ -2616,8 +2618,8 @@ static int define_te_avtab_helper(int which, avrule_t ** rule) cladatum = policydbp->class_val_to_struct[i]; if (strcmp(id, "*") == 0) { - /* set all permissions in the class */ - cur_perms->data = ~0U; + /* set all declared permissions in the class */ + cur_perms->data = PERMISSION_MASK(cladatum->permissions.nprim); goto next; } @@ -2625,7 +2627,16 @@ static int define_te_avtab_helper(int which, avrule_t ** rule) /* complement the set */ if (which == AVRULE_DONTAUDIT) yywarn("dontaudit rule with a ~?"); - cur_perms->data = ~cur_perms->data; + cur_perms->data = ~cur_perms->data & PERMISSION_MASK(cladatum->permissions.nprim); + if (cur_perms->data == 0) { + class_perm_node_t *tmp = cur_perms; + yywarn("omitting avrule with no permission set"); + if (perms == cur_perms) + perms = cur_perms->next; + cur_perms = cur_perms->next; + free(tmp); + continue; + } goto next; } 
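Review bot: in the @@ -2625 hunk, when the complement empties the set and `cur_perms` is not the list head, the code frees `tmp` and advances `cur_perms` but never touches the predecessor's `next` pointer; unless the surrounding loop relinks it in code outside this hunk, the `perms` list is left with a dangling pointer into freed memory, so please either unlink through the previous node or reset whatever tail pointer the loop maintains before the `continue`. Also, the `*` branch in @@ -2616 assigns `PERMISSION_MASK(cladatum->permissions.nprim)` and jumps to `next` without the `== 0` check that the `~` branch gained, so a wildcard on a class with no declared permissions would still produce an empty-permission rule silently; either apply the same warn-and-drop there or state why that case cannot occur.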
@@ -3549,8 +3560,6 @@ static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr) return NULL; } -#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1)) - int define_constraint(constraint_expr_t * expr) { struct constraint_node *node;
From patchwork Fri May 12 09:23:11 2023
X-Patchwork-Id: 13238933
X-Patchwork-Delegate: plautrba@redhat.com
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH 4/4] libsepol: dump non-mls validatetrans rules as such
Date: Fri, 12 May 2023 11:23:11 +0200
Message-Id: <20230512092311.42583-4-cgzones@googlemail.com>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20230512092311.42583-1-cgzones@googlemail.com>
References: <20230512092311.42583-1-cgzones@googlemail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

The functions constraint_expr_to_str() prepare a string representation for validatetrans and mlsvalidatetrans rules. To decide what keyword to use, the type of expression is consulted. Currently the extra target type (CEXPR_XTARGET) is considered to be an MLS statement while it's not, e.g.:

    validatetrans CLASS1 t3 == ATTR1;

Actually check for MLS expression types only.

Signed-off-by: Christian Göttsche
---
 libsepol/src/kernel_to_cil.c  | 2 +-
 libsepol/src/kernel_to_conf.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index e9cd89c2..7e279e3f 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -172,7 +172,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr goto exit; } - if (curr->attr >= CEXPR_XTARGET) { + if (curr->attr >= CEXPR_L1L2) { *use_mls = 1; } diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index c48a7114..4c93cc10 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -169,7 +169,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr goto exit; } - if (curr->attr >= CEXPR_XTARGET) { + if (curr->attr >= CEXPR_L1L2) { *use_mls = 1; }
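Review bot: `curr->attr >= CEXPR_L1L2` fixes the CEXPR_XTARGET misclassification, but the comparison still bakes in the assumption that every MLS attribute constant is numerically above every non-MLS one and that `attr` is never combined with a higher-valued flag; an explicit mask of the MLS CEXPR_* attribute bits, or a small shared helper, would make the intent visible and keep kernel_to_cil.c and kernel_to_conf.c from drifting, since the identical line is patched in both files. The `validatetrans CLASS1 t3 == ATTR1;` example from the commit message would make a good regression test for the conf and CIL round trips.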