From patchwork Sat Sep 12 13:14:11 2020
X-Patchwork-Submitter: Dominick Grift
X-Patchwork-Id: 11771885
X-Patchwork-Delegate: jwcart2@tycho.nsa.gov
From: Dominick Grift
To: selinux@vger.kernel.org
Cc: Dominick Grift
Subject: [PATCH v4] cil_access_vector_rules: allowx, auditallowx and dontauditx fixes
Date: Sat, 12 Sep 2020 15:14:11 +0200
Message-Id: <20200912131411.1213573-1-dominick.grift@defensec.nl>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200910113244.818506-1-dominick.grift@defensec.nl>
References: <20200910113244.818506-1-dominick.grift@defensec.nl>
X-Mailing-List: selinux@vger.kernel.org

allowx requires an equivalent "allow ioctl" rule to be present
auditallowx requires an equivalent "auditallow" ioctl rule to be present
dontauditx requires at least one equivalent "allowx" rule to be present
(can be a random irrelevant ioctlcmd)

Signed-off-by: Dominick Grift
Acked-by: Nicolas Iooss
---
v4: add a "proper" clarification for dontauditx

This just can't be how it was designed to behave, but it "works". There
seems to be no logic to this at all and allowx, auditallowx and
dontauditx should probably work the same as neverallowx.

Regardless, this behavior should be documented because people will lose
their sanity if they have to figure this out on their own.

 secilc/docs/cil_access_vector_rules.md | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
index 9c03c710..683cc28c 100644
--- a/secilc/docs/cil_access_vector_rules.md
+++ b/secilc/docs/cil_access_vector_rules.md
@@ -238,6 +238,8 @@ allowx Specifies the access allowed between a source and target type using extended permissions. Unlike the [`allow`](cil_access_vector_rules.md#allow) statement, the statements [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans), [`constrain`](cil_constraint_statements.md#constrain), and [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) do not limit accesses granted by [`allowx`](cil_access_vector_rules.md#allowx). +Note that for this to work there must *also* be valid equivalent [`allow`](cil_access_vector_rules.md#allow) rules present. + **Rule definition:** (allowx source_id target_id|self permissionx_id) @@ -274,18 +276,21 @@ Specifies the access allowed between a source and target type using extended per These examples show a selection of possible permutations of [`allowx`](cil_access_vector_rules.md#allowx) rules: + (allow type_1 type_2 (tcp_socket (ioctl))) ;; pre-requisite (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF))) (permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010)))) + (allow type_3 type_4 (udp_socket (ioctl))) ;; pre-requisite (allowx type_3 type_4 ioctl_nodebug) - auditallowx ----------- Audit the access rights defined if there is a valid [`allowx`](cil_access_vector_rules.md#allowx) rule. It does NOT allow access, it only audits the event. +Note that for this to work there must *also* be valid equivalent [`auditallow`](cil_access_vector_rules.md#auditallow) rules present. + **Rule definition:** (auditallowx source_id target_id|self permissionx_id) @@ -324,6 +329,7 @@ This example will log an audit event whenever the corresponding [`allowx`](cil_a (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF))) + (auditallow type_1 type_2 (tcp_socket (ioctl))) ;; pre-requisite (auditallowx type_1 type_2 (ioctl tcp_socket (range 0x2005 0x2010))) 
@@ -332,6 +338,8 @@ dontauditx Do not audit the access rights defined when access denied. This stops excessive log entries for known events. +Note that for this to work there must *also* be atleast one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type. + Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags. **Rule definition:** @@ -370,6 +378,7 @@ Note that these rules can be omitted by the CIL compiler command line parameter This example will not audit the denied access: + (allowx type_1 type_2 (ioctl tcp_socket (0x1))) ;; pre-requisite, just some irrelevant random ioctl (dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF))) @@ -392,7 +401,7 @@ Note that these rules can be over-ridden by the CIL compiler command line parame -

neverallows

+

neverallowx

The neverallowx keyword.
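Review bot: in the @@ -238,6 +238,8 @@ hunk, "valid equivalent allow rules" does not say what equivalent means, and the reader has to infer it from the example hunk further down. State it in the note itself: an allow rule for the same source and target that grants the ioctl permission on the same object class as the allowx, e.g. `(allow type_1 type_2 (tcp_socket (ioctl)))` for an allowx on tcp_socket. "for this to work" also reads loosely on a reference page; "an allowx rule only takes effect when" says the same thing more precisely.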
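Review bot: in the @@ -274,18 +276,21 @@ hunk, the two added `;; pre-requisite` comments carry the whole explanation of the new examples. The first prerequisite names tcp_socket to match the class in its allowx, and the second names udp_socket to match the class in ioctl_nodebug, so make the comment say why: `;; prerequisite: allow ioctl on the same class`. The same hunk also adds the auditallowx note "valid equivalent auditallow rules"; give it the same definition of equivalent as the allowx note so the two sections agree. "pre-requisite" should be spelled "prerequisite" here and in the later hunks.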
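Review bot: in the @@ -324,6 +329,7 @@ hunk, the auditallowx example keeps `(allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))` as context but only gains `(auditallow type_1 type_2 (tcp_socket (ioctl)))`. By the allowx note this same patch adds, that allowx rule is itself ineffective without `(allow type_1 type_2 (tcp_socket (ioctl)))`, and the section text says the audit event fires for the corresponding allowx rule, so the example as written would not audit anything. Add the allow line as a second prerequisite so the example is complete on its own.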
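Review bot: in the @@ -332,6 +338,8 @@ hunk, "atleast" should be "at least", and "associated with the target type" is vaguer than the example that follows it, which uses the same source type, target type and class as the dontauditx rule. If that is the actual condition, say "for the same source and target type pair and object class"; otherwise a reader cannot tell whether an allowx from a different source type, or on a different class, satisfies it.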
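Review bot: in the @@ -370,6 +378,7 @@ hunk, the comment "just some irrelevant random ioctl" understates what `(allowx type_1 type_2 (ioctl tcp_socket (0x1)))` does: it is a real grant of ioctl command 0x1 on tcp_socket from type_1 to type_2, so a policy writer who pastes this prerequisite into their own policy picks up a permission they never intended. Reword the comment to say that the prerequisite allowx grants access and that the command listed should be one the policy means to allow anyway, not an arbitrary value chosen to satisfy the compiler.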