
libsepol: Support nlmsg xperms in assertions

Message ID 20241021231201.2638151-1-tweek@google.com (mailing list archive)
State Accepted
Commit b33da68f7a67

Commit Message

Thiébaud Weksteen Oct. 21, 2024, 11:12 p.m. UTC
commit ba7945a250c added support for nlmsg extended permissions in the
policy. The assertion validation was not updated, which led to false
positives when evaluated. The optimization update was also missing. Add
support for the new extended permission for optimization and assertions.

Fixes: ba7945a250c0794837f94ee1fb124426166bbc6e
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
---
 libsepol/src/assertion.c | 16 ++++++++++++++--
 libsepol/src/optimize.c  |  5 +++++
 2 files changed, 19 insertions(+), 2 deletions(-)

Comments

James Carter Oct. 23, 2024, 6:13 p.m. UTC | #1
On Mon, Oct 21, 2024 at 7:12 PM Thiébaud Weksteen <tweek@google.com> wrote:
>
> commit ba7945a250c added support for nlmsg extended permissions in the
> policy. The assertion validation was not updated which lead to false
> positives when evaluated. The optimization update was also missing. Add
> support for the new extended permission for optimization and assertions.
>
> Fixes: ba7945a250c0794837f94ee1fb124426166bbc6e
> Signed-off-by: Thiébaud Weksteen <tweek@google.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/src/assertion.c | 16 ++++++++++++++--
>  libsepol/src/optimize.c  |  5 +++++
>  2 files changed, 19 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> index 3076babe..5e129883 100644
> --- a/libsepol/src/assertion.c
> +++ b/libsepol/src/assertion.c
> @@ -110,6 +110,10 @@ static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_ext
>         } else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
>                         && (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
>                 rc = extended_permissions_and(neverallow->perms, allow->perms);
> +       } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
> +                       && (allow->specified == AVTAB_XPERMS_NLMSG)) {
> +               if (neverallow->driver == allow->driver)
> +                       rc = extended_permissions_and(neverallow->perms, allow->perms);
>         }
>
>         return rc;
> @@ -142,6 +146,12 @@ static void extended_permissions_violated(avtab_extended_perms_t *result,
>                 result->specified = AVTAB_XPERMS_IOCTLDRIVER;
>                 for (i = 0; i < EXTENDED_PERMS_LEN; i++)
>                         result->perms[i] = neverallow->perms[i] & allow->perms[i];
> +       } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
> +                       && (allow->specified == AVTAB_XPERMS_NLMSG)) {
> +               result->specified = AVTAB_XPERMS_NLMSG;
> +               result->driver = allow->driver;
> +               for (i = 0; i < EXTENDED_PERMS_LEN; i++)
> +                       result->perms[i] = neverallow->perms[i] & allow->perms[i];
>         }
>  }
>
> @@ -176,7 +186,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
>                              node = avtab_search_node_next(node, tmp_key.specified)) {
>                                 xperms = node->datum.xperms;
>                                 if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
> -                                               && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
> +                                               && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
> +                                               && (xperms->specified != AVTAB_XPERMS_NLMSG))
>                                         continue;
>                                 found_xperm = 1;
>                                 rc = check_extended_permissions(avrule->xperms, xperms);
> @@ -376,7 +387,8 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t
>                                 xperms = node->datum.xperms;
>
>                                 if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
> -                                               && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
> +                                               && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
> +                                               && (xperms->specified != AVTAB_XPERMS_NLMSG))
>                                         continue;
>                                 rc = check_extended_permissions(neverallow_xperms, xperms);
>                                 if (rc)
> diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
> index a38025ec..8a0b70fe 100644
> --- a/libsepol/src/optimize.c
> +++ b/libsepol/src/optimize.c
> @@ -189,6 +189,11 @@ static int process_avtab_datum(uint16_t specified,
>
>                         if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
>                                 return process_xperms(x1->perms, x2->perms);
> +               } else if (x1->specified == AVTAB_XPERMS_NLMSG
> +                               && x2->specified == AVTAB_XPERMS_NLMSG) {
> +                       if (x1->driver != x2->driver)
> +                               return 0;
> +                       return process_xperms(x1->perms, x2->perms);
>                 }
>                 return 0;
>         }
> --
> 2.47.0.105.g07ac214952-goog
>
>
James Carter Oct. 30, 2024, 1:15 p.m. UTC | #2
On Wed, Oct 23, 2024 at 2:13 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Mon, Oct 21, 2024 at 7:12 PM Thiébaud Weksteen <tweek@google.com> wrote:
> >
> > commit ba7945a250c added support for nlmsg extended permissions in the
> > policy. The assertion validation was not updated which lead to false
> > positives when evaluated. The optimization update was also missing. Add
> > support for the new extended permission for optimization and assertions.
> >
> > Fixes: ba7945a250c0794837f94ee1fb124426166bbc6e
> > Signed-off-by: Thiébaud Weksteen <tweek@google.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

Merged.
Thanks,
Jim

> > ---
> >  libsepol/src/assertion.c | 16 ++++++++++++++--
> >  libsepol/src/optimize.c  |  5 +++++
> >  2 files changed, 19 insertions(+), 2 deletions(-)
> >
> > diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> > index 3076babe..5e129883 100644
> > --- a/libsepol/src/assertion.c
> > +++ b/libsepol/src/assertion.c
> > @@ -110,6 +110,10 @@ static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_ext
> >         } else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
> >                         && (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
> >                 rc = extended_permissions_and(neverallow->perms, allow->perms);
> > +       } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
> > +                       && (allow->specified == AVTAB_XPERMS_NLMSG)) {
> > +               if (neverallow->driver == allow->driver)
> > +                       rc = extended_permissions_and(neverallow->perms, allow->perms);
> >         }
> >
> >         return rc;
> > @@ -142,6 +146,12 @@ static void extended_permissions_violated(avtab_extended_perms_t *result,
> >                 result->specified = AVTAB_XPERMS_IOCTLDRIVER;
> >                 for (i = 0; i < EXTENDED_PERMS_LEN; i++)
> >                         result->perms[i] = neverallow->perms[i] & allow->perms[i];
> > +       } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
> > +                       && (allow->specified == AVTAB_XPERMS_NLMSG)) {
> > +               result->specified = AVTAB_XPERMS_NLMSG;
> > +               result->driver = allow->driver;
> > +               for (i = 0; i < EXTENDED_PERMS_LEN; i++)
> > +                       result->perms[i] = neverallow->perms[i] & allow->perms[i];
> >         }
> >  }
> >
> > @@ -176,7 +186,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
> >                              node = avtab_search_node_next(node, tmp_key.specified)) {
> >                                 xperms = node->datum.xperms;
> >                                 if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
> > -                                               && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
> > +                                               && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
> > +                                               && (xperms->specified != AVTAB_XPERMS_NLMSG))
> >                                         continue;
> >                                 found_xperm = 1;
> >                                 rc = check_extended_permissions(avrule->xperms, xperms);
> > @@ -376,7 +387,8 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t
> >                                 xperms = node->datum.xperms;
> >
> >                                 if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
> > -                                               && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
> > +                                               && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
> > +                                               && (xperms->specified != AVTAB_XPERMS_NLMSG))
> >                                         continue;
> >                                 rc = check_extended_permissions(neverallow_xperms, xperms);
> >                                 if (rc)
> > diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
> > index a38025ec..8a0b70fe 100644
> > --- a/libsepol/src/optimize.c
> > +++ b/libsepol/src/optimize.c
> > @@ -189,6 +189,11 @@ static int process_avtab_datum(uint16_t specified,
> >
> >                         if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
> >                                 return process_xperms(x1->perms, x2->perms);
> > +               } else if (x1->specified == AVTAB_XPERMS_NLMSG
> > +                               && x2->specified == AVTAB_XPERMS_NLMSG) {
> > +                       if (x1->driver != x2->driver)
> > +                               return 0;
> > +                       return process_xperms(x1->perms, x2->perms);
> >                 }
> >                 return 0;
> >         }
> > --
> > 2.47.0.105.g07ac214952-goog
> >
> >

Patch

diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index 3076babe..5e129883 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -110,6 +110,10 @@  static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_ext
 	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
 			&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
 		rc = extended_permissions_and(neverallow->perms, allow->perms);
+	} else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
+			&& (allow->specified == AVTAB_XPERMS_NLMSG)) {
+		if (neverallow->driver == allow->driver)
+			rc = extended_permissions_and(neverallow->perms, allow->perms);
 	}
 
 	return rc;
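Review bot: The new NLMSG branch compares neverallow->driver with allow->driver before intersecting the perms, while the adjacent IOCTLDRIVER branch intersects unconditionally, and nothing in the hunk says why the two differ; a one-line comment would stop the next reader from "fixing" the asymmetry, e.g. `/* nlmsg xperms cover a single driver value; rules on different drivers cannot overlap */`. I am inferring the reason from the comparison itself rather than from a definition on this page, so confirm it against the AVTAB_XPERMS_NLMSG layout. check_extended_permissions begins before the hunk, and rc is initialised outside it.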
@@ -142,6 +146,12 @@  static void extended_permissions_violated(avtab_extended_perms_t *result,
 		result->specified = AVTAB_XPERMS_IOCTLDRIVER;
 		for (i = 0; i < EXTENDED_PERMS_LEN; i++)
 			result->perms[i] = neverallow->perms[i] & allow->perms[i];
+	} else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
+			&& (allow->specified == AVTAB_XPERMS_NLMSG)) {
+		result->specified = AVTAB_XPERMS_NLMSG;
+		result->driver = allow->driver;
+		for (i = 0; i < EXTENDED_PERMS_LEN; i++)
+			result->perms[i] = neverallow->perms[i] & allow->perms[i];
 	}
 }
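Review bot: Unlike the matching branch in check_extended_permissions, this branch copies allow->driver into result and intersects the perms without confirming neverallow->driver == allow->driver, so the reported violation is only meaningful if the caller has already established a driver match. If extended_permissions_violated is reached only after check_extended_permissions returned non-zero that precondition holds, but the function does not state or enforce it; either document it with `/* caller has already matched neverallow->driver against allow->driver */` or mirror the guard here. The function begins before the hunk and its callers are not visible on this page.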
 
@@ -176,7 +186,8 @@  static int report_assertion_extended_permissions(sepol_handle_t *handle,
 			     node = avtab_search_node_next(node, tmp_key.specified)) {
 				xperms = node->datum.xperms;
 				if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
-						&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+						&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
+						&& (xperms->specified != AVTAB_XPERMS_NLMSG))
 					continue;
 				found_xperm = 1;
 				rc = check_extended_permissions(avrule->xperms, xperms);
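Review bot: The three-way `specified` test is now duplicated verbatim here and in check_assertion_extended_permissions_avtab (the @@ -376 hunk below), and the next xperms kind will again require both sites to be edited in step. Factoring it into one small static helper, for instance `static int is_checked_xperms(uint16_t specified)` returning true for AVTAB_XPERMS_IOCTLFUNCTION, AVTAB_XPERMS_IOCTLDRIVER and AVTAB_XPERMS_NLMSG, would leave a single place listing the supported kinds, and both guards reduce to `if (!is_checked_xperms(xperms->specified)) continue;`. Both enclosing functions begin and end outside their hunks.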
@@ -376,7 +387,8 @@  static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t
 				xperms = node->datum.xperms;
 
 				if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
-						&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+						&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
+						&& (xperms->specified != AVTAB_XPERMS_NLMSG))
 					continue;
 				rc = check_extended_permissions(neverallow_xperms, xperms);
 				if (rc)
diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
index a38025ec..8a0b70fe 100644
--- a/libsepol/src/optimize.c
+++ b/libsepol/src/optimize.c
@@ -189,6 +189,11 @@  static int process_avtab_datum(uint16_t specified,
 
 			if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
 				return process_xperms(x1->perms, x2->perms);
+		} else if (x1->specified == AVTAB_XPERMS_NLMSG
+				&& x2->specified == AVTAB_XPERMS_NLMSG) {
+			if (x1->driver != x2->driver)
+				return 0;
+			return process_xperms(x1->perms, x2->perms);
 		}
 		return 0;
 	}
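Review bot: The NLMSG branch returns 0 on a driver mismatch and otherwise defers to process_xperms, which reads correctly, but the bare `x1->driver != x2->driver` test does not tell a reader that for nlmsg xperms the driver field selects a message-type range rather than an ioctl driver, so the two rules are independent for the optimiser; a short comment such as `/* nlmsg xperms on different drivers never overlap */` above the test would make that explicit. I am inferring the meaning of driver from the comparison, so confirm it against the avtab_extended_perms_t definition. process_avtab_datum continues past the end of the hunk.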