From patchwork Wed Apr 20 20:49:49 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeffrey Vander Stoep X-Patchwork-Id: 8895061 Return-Path: X-Original-To: patchwork-selinux@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 483D79F39A for ; Wed, 20 Apr 2016 20:52:42 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 6C5DB202EC for ; Wed, 20 Apr 2016 20:52:41 +0000 (UTC) Received: from emvm-gh1-uea09.nsa.gov (smtp.nsa.gov [8.44.101.9]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C33B6202BE for ; Wed, 20 Apr 2016 20:52:39 +0000 (UTC) X-TM-IMSS-Message-ID: Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by nsa.gov ([10.208.42.194]) with ESMTP (TREND IMSS SMTP Service 7.1) id a46501b40006f8d7 ; Wed, 20 Apr 2016 16:50:23 -0400 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3KKo2in012314; Wed, 20 Apr 2016 16:50:10 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u3KKo1Nw073478 for ; Wed, 20 Apr 2016 16:50:01 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3KKo1ws012228 for ; Wed, 20 Apr 2016 16:50:01 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1ArAAAj6hdXj7PAVdFeHYRst2GDMAVSCBeFd4IcAQEBAQEBEwEBAQEHCwsJIYRzARUVGQEBNwGBFAEFATUiiAigMYExPjGKT4UoAQSMRQEBAQEGAhgGCoQNggqLUgtAgkOHeYZTiUiENYlfAokphWMCjXAvgQ6CWQ0RCYFqHDCIRwEBAQ X-IPAS-Result: A1ArAAAj6hdXj7PAVdFeHYRst2GDMAVSCBeFd4IcAQEBAQEBEwEBAQEHCwsJIYRzARUVGQEBNwGBFAEFATUiiAigMYExPjGKT4UoAQSMRQEBAQEGAhgGCoQNggqLUgtAgkOHeYZTiUiENYlfAokphWMCjXAvgQ6CWQ0RCYFqHDCIRwEBAQ X-IronPort-AV: E=Sophos;i="5.24,511,1454994000"; d="scan'208";a="5397219" Received: from emvm-gh1-uea08.nsa.gov ([10.208.42.193]) by goalie.tycho.ncsc.mil with ESMTP; 20 Apr 2016 16:50:01 -0400 X-TM-IMSS-Message-ID: <5885e5a00007ed58@nsa.gov> Received: from mail-pf0-f179.google.com (mail-pf0-f179.google.com [209.85.192.179]) by nsa.gov ([10.208.42.193]) with ESMTP (TREND IMSS SMTP Service 7.1; TLSv1/SSLv3 AES128-SHA (128/128)) id 5885e5a00007ed58 ; Wed, 20 Apr 2016 16:49:25 -0400 Received: by mail-pf0-f179.google.com with SMTP id e128so21748955pfe.3 for ; Wed, 20 Apr 2016 13:49:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=from:to:cc:subject:date:message-id; bh=E6e+nXtQysZUFSD90WzF4whoTgKEPSyopu2O6BFoY5Q=; b=WHXM0OQ5vU2hdSZlhg9R0P4G6untJJC04WSDXQ/gUwrtpfs9y2UmkgPweugK3oH/EL B6sQYQWorEualoAzppwu5CFm4jf5f8iBLke63me3xb3emLD98ikcN5A47oFmDZAVfc39 DRv22XackeX82E5OW6MZZPBVtetbR3G+CGlEZyYmfnXAkF0/jcXO3e8OLPiPxQ/3H5CH tswAah0eQpUIl5eLl08rFmFEZK0r7akC8hN26wGVIwHecnCZ2wOrn29upXyOmxfPn5Cc E+gmb+x1SDp+OWxq9pZig6sah47dyeAiffAk+N9Iex1mkAzp07DYy941DWW8K1lbRhGQ Lk9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=E6e+nXtQysZUFSD90WzF4whoTgKEPSyopu2O6BFoY5Q=; b=TeQTy4leckkUWbvFZ1ONbl34v7SwTcqAQP6KB7vzaPIl40puLZ29iLSrm21A3ZH1xx o7oGSm+GF5Byj87re7RUrRnCPkmt7r1dEQ420zjaz3QIzwoTz41y9ZSuvA4sBkAeKPtF Hsmk+opQ8GBCnu23vCkdLAmZKEJGQbE3FcCTDhTEDKj4CKCWLpGf8pJrkb36MAYXKrC4 RRY7EDPrOEgzWK/nnhdFENV7v0N1o8bWMtSZlrRAmu/BiKwg4cw/eiqL2S/Q2ogHiC+f K+q3Js3K60YeK36t3iKyUAwgdVc+A5WtyxfNd0AHwNukgXibTm7hrCfKLW4pBYZBHKCD S7Ww== X-Gm-Message-State: AOPr4FVkIb7c4L03Oeb4rHD9BssURq1pRFvQto0ges7WA8v9E+OPzkI1Jcl/GZs6lQ+xq5/O X-Received: by 10.98.89.194 with SMTP id k63mr14984557pfj.135.1461185398688; Wed, 20 Apr 2016 13:49:58 -0700 (PDT) Received: from jeffv-linux.mtv.corp.google.com ([172.22.112.85]) by smtp.gmail.com with ESMTPSA id f66sm100367870pff.8.2016.04.20.13.49.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 20 Apr 2016 13:49:57 -0700 (PDT) From: Jeff Vander Stoep To: selinux@tycho.nsa.gov Subject: [PATCH] Fix extended permissions neverallow checking Date: Wed, 20 Apr 2016 13:49:49 -0700 Message-Id: <1461185389-3133-1-git-send-email-jeffv@google.com> X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020 X-TM-AS-MML: disable X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: sds@tycho.nsa.gov MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Commit 99fc177b "Add neverallow support for ioctl extended permissions" first checks to see if the ioctl permission is granted, then checks to see if the same source/target violates a neverallowed ioctl command. Unfortunately this does not address the case where the ioctl permission and extended permissions are granted on different attributes. Example, the following will incorrectly cause a neverallow violation. allow untrusted_app self:tcp_socket ioctl; allowxperm domain domain:tcp_socket unpriv_sock_ioctls; neverallowxperm untrusted_app domain:tcp_socket ~unpriv_sock_ioctls; The fix is to enumerate over the source and target attributes when looking for extended permission violations. Note: The bug this addresses incorrectly asserts that a violation has occurred. Actual neverallow violations are always caught. Signed-off-by: Jeff Vander Stoep Tested-by: William Roberts --- libsepol/src/assertion.c | 93 +++++++++++++++++++++++++++++++----------------- 1 file changed, 60 insertions(+), 33 deletions(-) diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index fbf397f..f4429ad 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c @@ -147,36 +147,49 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle, avtab_key_t tmp_key; avtab_extended_perms_t *xperms; avtab_extended_perms_t error; + ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1]; + ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1]; + ebitmap_node_t *snode, *tnode; + unsigned int i, j; int rc = 1; int ret = 0; memcpy(&tmp_key, k, sizeof(avtab_key_t)); tmp_key.specified = AVTAB_XPERMS_ALLOWED; - for (node = avtab_search_node(avtab, &tmp_key); - node; - node = avtab_search_node_next(node, tmp_key.specified)) { - xperms = node->datum.xperms; - if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION) - && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)) + ebitmap_for_each_bit(sattr, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) continue; + ebitmap_for_each_bit(tattr, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + tmp_key.source_type = i + 1; + tmp_key.target_type = j + 1; + for (node = avtab_search_node(avtab, &tmp_key); + node; + node = avtab_search_node_next(node, tmp_key.specified)) { + xperms = node->datum.xperms; + if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION) + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)) + continue; - rc = check_extended_permissions(avrule->xperms, xperms); - /* failure on the extended permission check_extended_permissionss */ - if (rc) { - extended_permissions_violated(&error, avrule->xperms, xperms); - ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n" - "allowxperm %s %s:%s %s;", - avrule->source_line, avrule->source_filename, avrule->line, - p->p_type_val_to_name[stype], - p->p_type_val_to_name[ttype], - p->p_class_val_to_name[curperm->tclass - 1], - sepol_extended_perms_to_string(&error)); - - rc = 0; - ret++; + rc = check_extended_permissions(avrule->xperms, xperms); + /* failure on the extended permission check_extended_permissionss */ + if (rc) { + extended_permissions_violated(&error, avrule->xperms, xperms); + ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n" + "allowxperm %s %s:%s %s;", + avrule->source_line, avrule->source_filename, avrule->line, + p->p_type_val_to_name[stype], + p->p_type_val_to_name[ttype], + p->p_class_val_to_name[curperm->tclass - 1], + sepol_extended_perms_to_string(&error)); + + rc = 0; + ret++; + } + } } - } /* failure on the regular permissions */ @@ -319,28 +332,42 @@ oom: * granted */ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab, - avtab_key_t *k) + avtab_key_t *k, policydb_t *p) { avtab_ptr_t node; avtab_key_t tmp_key; avtab_extended_perms_t *xperms; av_extended_perms_t *neverallow_xperms = avrule->xperms; + ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1]; + ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1]; + ebitmap_node_t *snode, *tnode; + unsigned int i, j; int rc = 1; memcpy(&tmp_key, k, sizeof(avtab_key_t)); tmp_key.specified = AVTAB_XPERMS_ALLOWED; - for (node = avtab_search_node(avtab, &tmp_key); - node; - node = avtab_search_node_next(node, tmp_key.specified)) { - xperms = node->datum.xperms; - if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION) - && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)) + ebitmap_for_each_bit(sattr, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) continue; - - rc = check_extended_permissions(neverallow_xperms, xperms); - if (rc) - break; + ebitmap_for_each_bit(tattr, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + tmp_key.source_type = i + 1; + tmp_key.target_type = j + 1; + for (node = avtab_search_node(avtab, &tmp_key); + node; + node = avtab_search_node_next(node, tmp_key.specified)) { + xperms = node->datum.xperms; + + if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION) + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)) + continue; + rc = check_extended_permissions(neverallow_xperms, xperms); + if (rc) + break; + } + } } return rc; @@ -386,7 +413,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a goto exit; if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) { - rc = check_assertion_extended_permissions(avrule, avtab, k); + rc = check_assertion_extended_permissions(avrule, avtab, k, p); if (rc == 0) goto exit; }