From patchwork Wed May 18 21:53:13 2016
X-Patchwork-Submitter: Jeffrey Vander Stoep
X-Patchwork-Id: 9122711
From: Jeff Vander Stoep
To: selinux@tycho.nsa.gov
Subject: [PATCH] Fix neverallowxperm checking on attributes
Date: Wed, 18 May 2016 14:53:13 -0700
Message-Id: <1463608393-37966-1-git-send-email-jeffv@google.com>
Cc: sds@tycho.nsa.gov

The following test incorrectly asserts a neverallowxperm failure.

attribute test1_attr1;
attribute test1_attr2;
type test1_type1, test1_attr1, test1_attr2;
allow test1_type1 test1_attr1:socket ioctl;
allowxperm test1_type1 test1_attr2:socket ioctl { 1 };
neverallowxperm test1_attr1 test1_attr1:socket ioctl { 0 }

To handle attributes correctly, the neverallowxperm checking has been
modified. Now when the ioctl permission is granted on an avtab entry
that matches an avrule neverallowxperm entry, the assertion checking
first determines the matching source/target/class sets between the
avtab entry and the neverallowxperm entry. Only the matching sets are
enumerated over to determine if the neverallowed extended permissions
exist and if they are granted. This is similar to how
report_assertion_avtab_matches() reports neverallow failures.

Signed-off-by: Jeff Vander Stoep --- libsepol/src/assertion.c | 117 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 95 insertions(+), 22 deletions(-) diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index f4429ad..a4be880 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c @@ -147,8 +147,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle, avtab_key_t tmp_key; avtab_extended_perms_t *xperms; avtab_extended_perms_t error; - ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1]; - ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1]; + ebitmap_t *sattr = &p->type_attr_map[stype]; + ebitmap_t *tattr = &p->type_attr_map[ttype]; ebitmap_node_t *snode, *tnode; unsigned int i, j; int rc = 1; @@ -174,14 +174,14 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle, continue; rc = check_extended_permissions(avrule->xperms, xperms); - /* failure on the extended permission check_extended_permissionss */ + /* failure on the extended permission check_extended_permissions */ if (rc) { extended_permissions_violated(&error, avrule->xperms, xperms); ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n" "allowxperm %s %s:%s %s;", avrule->source_line, avrule->source_filename, avrule->line, - p->p_type_val_to_name[stype], - p->p_type_val_to_name[ttype], + p->p_type_val_to_name[i], + p->p_type_val_to_name[j], p->p_class_val_to_name[curperm->tclass - 1], sepol_extended_perms_to_string(&error)); 
@@ -317,29 +317,19 @@ oom: } /* - * If the ioctl permission is granted in check_assertion_avtab_match for the - * source/target/class matching the current avrule neverallow, a lookup is - * performed to determine if extended permissions exist for the source/target/class. - * - * Four scenarios of interest: - * 1. PASS - the ioctl permission is not granted for this source/target/class - * This case is handled in check_assertion_avtab_match - * 2. PASS - The ioctl permission is granted AND the extended permission - * is NOT granted - * 3. FAIL - The ioctl permission is granted AND no extended permissions - * exist - * 4. FAIL - The ioctl permission is granted AND the extended permission is - * granted + * Look up the extended permissions in avtab and verify that neverallowed + * permissions are not granted. */ -static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab, +static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t *avtab, + unsigned int stype, unsigned int ttype, avtab_key_t *k, policydb_t *p) { avtab_ptr_t node; avtab_key_t tmp_key; avtab_extended_perms_t *xperms; av_extended_perms_t *neverallow_xperms = avrule->xperms; - ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1]; - ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1]; + ebitmap_t *sattr = &p->type_attr_map[stype]; + ebitmap_t *tattr = &p->type_attr_map[ttype]; ebitmap_node_t *snode, *tnode; unsigned int i, j; int rc = 1; 
@@ -373,6 +363,89 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab return rc; } +/* + * When the ioctl permission is granted on an avtab entry that matches an + * avrule neverallowxperm entry, enumerate over the matching + * source/target/class sets to determine if the extended permissions exist + * and if the neverallowed ioctls are granted. + * + * Four scenarios of interest: + * 1. PASS - the ioctl permission is not granted for this source/target/class + * This case is handled in check_assertion_avtab_match + * 2. PASS - The ioctl permission is granted AND the extended permission + * is NOT granted + * 3. FAIL - The ioctl permission is granted AND no extended permissions + * exist + * 4. FAIL - The ioctl permission is granted AND the extended permission is + * granted + */ +static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab, + avtab_key_t *k, policydb_t *p) +{ + ebitmap_t src_matches, tgt_matches, matches; + unsigned int i, j; + ebitmap_node_t *snode, *tnode; + class_perm_node_t *cp; + int rc; + int ret = 1; + + ebitmap_init(&src_matches); + ebitmap_init(&tgt_matches); + ebitmap_init(&matches); + rc = ebitmap_and(&src_matches, &avrule->stypes.types, + &p->attr_type_map[k->source_type - 1]); + if (rc) + goto oom; + + if (ebitmap_length(&src_matches) == 0) + goto exit; + + if (avrule->flags == RULE_SELF) { + rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], + &p->attr_type_map[k->target_type - 1]); + if (rc) + goto oom; + rc = ebitmap_and(&tgt_matches, &avrule->stypes.types, &matches); + if (rc) + goto oom; + } else { + rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, + &p->attr_type_map[k->target_type -1]); + if (rc) + goto oom; + } + + if (ebitmap_length(&tgt_matches) == 0) + goto exit; + + for (cp = avrule->perms; cp; cp = cp->next) { + if (cp->tclass != k->target_class) + continue; + ebitmap_for_each_bit(&src_matches, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + 
continue; + ebitmap_for_each_bit(&tgt_matches, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + + ret = check_assertion_extended_permissions_avtab( + avrule, avtab, i, j, k, p); + if (ret) + goto exit; + } + } + } + goto exit; + +oom: + ERR(NULL, "Out of memory - unable to check neverallows"); + +exit: + ebitmap_destroy(&src_matches); + ebitmap_destroy(&tgt_matches); + ebitmap_destroy(&matches); + return ret; +} static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *args) { @@ -382,7 +455,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a avrule_t *avrule = a->avrule; avtab_t *avtab = a->avtab; - if (k->specified != AVTAB_ALLOWED && k->specified != AVTAB_XPERMS_ALLOWED) + if (k->specified != AVTAB_ALLOWED) goto exit; if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
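Review bot: The corrected comment in report_assertion_extended_permissions() (hunk at -174,14) still reads as a fragment: "failure on the extended permission check_extended_permissions". Since it sits directly above "if (rc) {", wording such as "check_extended_permissions() found a neverallowed extended permission" would state what a nonzero rc means at this point.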
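Review bot: check_assertion_extended_permissions_avtab() (hunk at -317,29) now indexes p->type_attr_map[stype] and p->type_attr_map[ttype] directly, where the removed lines used k->source_type - 1 and k->target_type - 1, so the new parameters are zero-based indices while k still carries one-based values. The shortened header comment does not mention this; please document the expected base of stype/ttype there, and note what k is still used for now that source and target no longer come from it.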
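Review bot: In the new check_assertion_extended_permissions() (hunk at -373,6), ret is initialised to 1 and is only reassigned inside the innermost loop, yet the loop itself treats a nonzero ret as a violation ("if (ret) goto exit;"). That means both "ebitmap_length(...) == 0" early exits, the case where no cp->tclass equals k->target_class, and the oom: path all return the same value as a real violation. If empty match sets are meant to pass, set ret to 0 before those exits; if they cannot occur because the caller has already matched the rule, a one-line comment saying so would help. The oom path would be easier to handle if it returned a distinct negative value rather than the violation result. Minor style: "k->target_type -1" lacks the space used elsewhere, and a blank line is missing between the closing brace and check_assertion_avtab_match().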
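Review bot: The last hunk (-382,7) drops "k->specified != AVTAB_XPERMS_ALLOWED" from the filter in check_assertion_avtab_match(), so AVTAB_XPERMS_ALLOWED entries now take the "goto exit" path, but the commit message only describes the change to the matching-set enumeration. Please add a sentence to the commit message, or a comment above the test, explaining why extended-permission entries no longer need to be visited here.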