Message ID | 20220210183823.39187-1-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Accepted |
Series | [v2] checkpolicy: allow wildcard permissions in constraints | expand |
On Fri, Feb 11, 2022 at 11:19 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > Allow all and complement permission sets in constraints, e.g.: > > constrain service ~ { status } (...); > constrain service * (...); > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > > --- > > v2: > - do not set invalid permission bits > - omit constrain rules with an empty permission bitset > --- > checkpolicy/policy_define.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > index b2ae3263..16b78346 100644 > --- a/checkpolicy/policy_define.c > +++ b/checkpolicy/policy_define.c > @@ -3477,6 +3477,8 @@ static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr) > return NULL; > } > > +#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1)) > + > int define_constraint(constraint_expr_t * expr) > { > struct constraint_node *node; > @@ -3590,6 +3592,22 @@ int define_constraint(constraint_expr_t * expr) > cladatum = policydbp->class_val_to_struct[i]; > node = cladatum->constraints; > > + if (strcmp(id, "*") == 0) { > + node->permissions = PERMISSION_MASK(cladatum->permissions.nprim); > + continue; > + } > + > + if (strcmp(id, "~") == 0) { > + node->permissions = ~node->permissions & PERMISSION_MASK(cladatum->permissions.nprim); > + if (node->permissions == 0) { > + yywarn("omitting constraint with no permission set"); > + cladatum->constraints = node->next; > + constraint_expr_destroy(node->expr); > + free(node); > + } > + continue; > + } > + > perdatum = > (perm_datum_t *) hashtab_search(cladatum-> > permissions. > -- > 2.34.1 >
On Fri, Feb 11, 2022 at 1:40 PM James Carter <jwcart2@gmail.com> wrote: > > On Fri, Feb 11, 2022 at 11:19 AM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Allow all and complement permission sets in constraints, e.g.: > > > > constrain service ~ { status } (...); > > constrain service * (...); > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > > > --- > > > > v2: > > - do not set invalid permission bits > > - omit constrain rules with an empty permission bitset > > --- > > checkpolicy/policy_define.c | 18 ++++++++++++++++++ > > 1 file changed, 18 insertions(+) > > > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > > index b2ae3263..16b78346 100644 > > --- a/checkpolicy/policy_define.c > > +++ b/checkpolicy/policy_define.c > > @@ -3477,6 +3477,8 @@ static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr) > > return NULL; > > } > > > > +#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1)) > > + > > int define_constraint(constraint_expr_t * expr) > > { > > struct constraint_node *node; > > @@ -3590,6 +3592,22 @@ int define_constraint(constraint_expr_t * expr) > > cladatum = policydbp->class_val_to_struct[i]; > > node = cladatum->constraints; > > > > + if (strcmp(id, "*") == 0) { > > + node->permissions = PERMISSION_MASK(cladatum->permissions.nprim); > > + continue; > > + } > > + > > + if (strcmp(id, "~") == 0) { > > + node->permissions = ~node->permissions & PERMISSION_MASK(cladatum->permissions.nprim); > > + if (node->permissions == 0) { > > + yywarn("omitting constraint with no permission set"); > > + cladatum->constraints = node->next; > > + constraint_expr_destroy(node->expr); > > + free(node); > > + } > > + continue; > > + } > > + > > perdatum = > > (perm_datum_t *) hashtab_search(cladatum-> > > permissions. > > -- > > 2.34.1 > >
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index b2ae3263..16b78346 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3477,6 +3477,8 @@ static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
 return NULL;
 }

+#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1))
+
 int define_constraint(constraint_expr_t * expr)
 {
 struct constraint_node *node;
@@ -3590,6 +3592,22 @@ int define_constraint(constraint_expr_t * expr)
 cladatum = policydbp->class_val_to_struct[i];
 node = cladatum->constraints;

+ if (strcmp(id, "*") == 0) {
+ node->permissions = PERMISSION_MASK(cladatum->permissions.nprim);
+ continue;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ node->permissions = ~node->permissions & PERMISSION_MASK(cladatum->permissions.nprim);
+ if (node->permissions == 0) {
+ yywarn("omitting constraint with no permission set");
+ cladatum->constraints = node->next;
+ constraint_expr_destroy(node->expr);
+ free(node);
+ }
+ continue;
+ }
+
 perdatum =
 (perm_datum_t *) hashtab_search(cladatum->
 permissions.
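Review bot: PERMISSION_MASK in the first hunk guards only the exact case `(nprim) == PERM_SYMTAB_SIZE`, so a larger value would reach `UINT32_C(1) << (nprim)` with a shift count at or above the width of the type, which is undefined behaviour. Presumably nprim is capped at PERM_SYMTAB_SIZE where permissions are declared, but that check is not visible here. Writing the condition as `(nprim) >= PERM_SYMTAB_SIZE` would make the macro safe on its own. The macro also appears to assume that PERM_SYMTAB_SIZE equals the bit width of the permissions word and it expands its argument twice, so a short comment such as `/* low nprim bits set; nprim must be <= PERM_SYMTAB_SIZE, argument evaluated twice */` would record that contract.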
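Review bot: In the `"~"` branch of the second hunk, the empty-set path unlinks and frees the node at the head of `cladatum->constraints`, yet the next pass through this loop reloads `node = cladatum->constraints` for the same class. If any further permission identifier were processed after `~`, its bit would be set on the older, unrelated constraint that is now at the head of the list, silently changing what that rule covers. This is only safe if `~` (and likewise `*`) is always the last identifier handled; that ordering is presumably guaranteed by the parser, but the hunk does not show it and the enclosing loops of define_constraint start and end outside it. I would state the invariant next to the free, e.g. `/* "~" is always the last id queued; no later id may touch this class's node */`, and consider having the surrounding loop stop once a wildcard id has been handled.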
Allow all and complement permission sets in constraints, e.g.: constrain service ~ { status } (...); constrain service * (...); Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- v2: - do not set invalid permission bits - omit constrain rules with an empty permission bitset --- checkpolicy/policy_define.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)