From patchwork Wed May 31 11:49:14 2023
X-Patchwork-Submitter: Juraj Marcin
X-Patchwork-Id: 13262088
X-Patchwork-Delegate: plautrba@redhat.com
From: Juraj Marcin
To: selinux@vger.kernel.org
Cc: Stephen Smalley , Ondrej Mosnacek
Subject: [PATCH 8/8] libsepol/cil: add support for prefix/suffix filename transitions to CIL
Date: Wed, 31 May 2023 13:49:14 +0200
Message-Id: <20230531114914.2237609-9-juraj@jurajmarcin.com>
In-Reply-To: <20230531114914.2237609-1-juraj@jurajmarcin.com>
References: <20230531114914.2237609-1-juraj@jurajmarcin.com>
List-ID: X-Mailing-List: selinux@vger.kernel.org

This patch implements the support for prefix/suffix filename transitions in CIL structures as well as in the CIL policy parser.

Reviewed-by: Ondrej Mosnacek
Signed-off-by: Juraj Marcin
---
 libsepol/cil/src/cil.c             |  8 ++++++++
 libsepol/cil/src/cil_binary.c      |  8 ++++----
 libsepol/cil/src/cil_build_ast.c   | 25 +++++++++++++++++++------
 libsepol/cil/src/cil_copy_ast.c    |  1 +
 libsepol/cil/src/cil_internal.h    |  5 +++++
 libsepol/cil/src/cil_policy.c      | 17 ++++++++++++++++-
 libsepol/cil/src/cil_resolve_ast.c | 10 ++++++++++
 libsepol/cil/src/cil_write_ast.c   |  2 ++
 8 files changed, 65 insertions(+), 11 deletions(-)

diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 38edcf8e..3b086de9 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -95,6 +95,9 @@ char *CIL_KEY_TUNABLEIF; char *CIL_KEY_ALLOW; char *CIL_KEY_DONTAUDIT; char *CIL_KEY_TYPETRANSITION; +char *CIL_KEY_MATCH_EXACT; +char *CIL_KEY_MATCH_PREFIX; +char *CIL_KEY_MATCH_SUFFIX; char *CIL_KEY_TYPECHANGE; char *CIL_KEY_CALL; char *CIL_KEY_TUNABLE; @@ -264,6 +267,9 @@ static void cil_init_keys(void) CIL_KEY_ALLOW = cil_strpool_add("allow"); CIL_KEY_DONTAUDIT = cil_strpool_add("dontaudit"); CIL_KEY_TYPETRANSITION = cil_strpool_add("typetransition"); + CIL_KEY_MATCH_EXACT = cil_strpool_add("match_exact"); + CIL_KEY_MATCH_PREFIX = cil_strpool_add("match_prefix"); + CIL_KEY_MATCH_SUFFIX = cil_strpool_add("match_suffix"); CIL_KEY_TYPECHANGE = cil_strpool_add("typechange"); CIL_KEY_CALL = cil_strpool_add("call"); CIL_KEY_TUNABLE = cil_strpool_add("tunable"); @@ -2387,6 +2393,8 @@ void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans) (*nametypetrans)->obj = NULL; (*nametypetrans)->name_str = NULL; (*nametypetrans)->name = NULL; + (*nametypetrans)->name_match_str = NULL; + (*nametypetrans)->name_match = NAME_TRANS_MATCH_EXACT; (*nametypetrans)->result_str = NULL; (*nametypetrans)->result = NULL; } diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index ffa44be7..ea0cef32 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -1193,7 +1193,7 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb, type_datum_t *sepol_src, type_datum_t *sepol_tgt, struct cil_list *class_list, - char *name, + char *name, uint8_t name_match, type_datum_t *sepol_result) { int rc; @@ -1211,7 +1211,7 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb, avt_key.target_type = sepol_tgt->s.value; avt_key.target_class = sepol_obj->s.value; rc = avtab_insert_filename_trans(&pdb->te_avtab, &avt_key, - sepol_result->s.value, name, NAME_TRANS_MATCH_EXACT, + sepol_result->s.value, name, name_match, &otype); if (rc != SEPOL_OK) { if (rc == SEPOL_EEXIST) { 
@@ -1280,7 +1280,7 @@ static int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *d rc = __cil_typetransition_to_avtab_helper( pdb, sepol_src, sepol_src, class_list, - name, sepol_result + name, typetrans->name_match, sepol_result ); if (rc != SEPOL_OK) goto exit; } @@ -1298,7 +1298,7 @@ static int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *d rc = __cil_typetransition_to_avtab_helper( pdb, sepol_src, sepol_tgt, class_list, - name, sepol_result + name, typetrans->name_match, sepol_result ); if (rc != SEPOL_OK) goto exit; } diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 4177c9f6..47513f92 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -3334,10 +3334,11 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren CIL_SYN_STRING, CIL_SYN_STRING, CIL_SYN_STRING | CIL_SYN_END, - CIL_SYN_END + CIL_SYN_STRING | CIL_SYN_END, + CIL_SYN_END, }; size_t syntax_len = sizeof(syntax)/sizeof(*syntax); - char *s1, *s2, *s3, *s4, *s5; + char *s1, *s2, *s3, *s4, *s5, *s6; if (db == NULL || parse_current == NULL || ast_node == NULL ) { goto exit; 
@@ -3353,16 +3354,27 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren s3 = parse_current->next->next->next->data; s4 = parse_current->next->next->next->next->data; s5 = NULL; + s6 = NULL; if (parse_current->next->next->next->next->next) { if (s4 == CIL_KEY_STAR) { - s4 = parse_current->next->next->next->next->next->data; + if (parse_current->next->next->next->next->next->next) { + s4 = parse_current->next->next->next->next->next->next->data; + } else { + s4 = parse_current->next->next->next->next->next->data; + } } else { - s5 = parse_current->next->next->next->next->next->data; + if (parse_current->next->next->next->next->next->next) { + s5 = parse_current->next->next->next->next->next->data; + s6 = parse_current->next->next->next->next->next->next->data; + } else { + s5 = CIL_KEY_MATCH_EXACT; + s6 = parse_current->next->next->next->next->next->data; + } } } - if (s5) { + if (s6) { struct cil_nametypetransition *nametypetrans = NULL; cil_nametypetransition_init(&nametypetrans); @@ -3370,8 +3382,9 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren nametypetrans->src_str = s1; nametypetrans->tgt_str = s2; nametypetrans->obj_str = s3; - nametypetrans->result_str = s5; + nametypetrans->result_str = s6; nametypetrans->name_str = s4; + nametypetrans->name_match_str = s5; ast_node->data = nametypetrans; ast_node->flavor = CIL_NAMETYPETRANSITION; diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c index 17f05021..a2d2fe40 100644 --- a/libsepol/cil/src/cil_copy_ast.c +++ b/libsepol/cil/src/cil_copy_ast.c @@ -726,6 +726,7 @@ int cil_copy_nametypetransition(__attribute__((unused)) struct cil_db *db, void new->tgt_str = orig->tgt_str; new->obj_str = orig->obj_str; new->name_str = orig->name_str; + new->name_match_str = orig->name_match_str; new->result_str = orig->result_str; 
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index a7604762..f7a8d0f7 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h @@ -112,6 +112,9 @@ extern char *CIL_KEY_TUNABLEIF; extern char *CIL_KEY_ALLOW; extern char *CIL_KEY_DONTAUDIT; extern char *CIL_KEY_TYPETRANSITION; +extern char *CIL_KEY_MATCH_EXACT; +extern char *CIL_KEY_MATCH_PREFIX; +extern char *CIL_KEY_MATCH_SUFFIX; extern char *CIL_KEY_TYPECHANGE; extern char *CIL_KEY_CALL; extern char *CIL_KEY_TUNABLE; @@ -575,6 +578,8 @@ struct cil_nametypetransition { struct cil_class *obj; char *name_str; struct cil_name *name; + char *name_match_str; + uint8_t name_match; char *result_str; void *result; /* type or alias */ diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c index feb97868..c8253818 100644 --- a/libsepol/cil/src/cil_policy.c +++ b/libsepol/cil/src/cil_policy.c @@ -1260,6 +1260,7 @@ static void cil_nametypetransition_to_policy(FILE *out, struct cil_nametypetrans struct cil_name *name; struct cil_list *class_list; struct cil_list_item *i1; + const char *name_match_str = ""; src = trans->src; tgt = trans->tgt; @@ -1268,7 +1269,21 @@ static void cil_nametypetransition_to_policy(FILE *out, struct cil_nametypetrans class_list = cil_expand_class(trans->obj); cil_list_for_each(i1, class_list) { - fprintf(out, "type_transition %s %s : %s %s \"%s\";\n", src->fqn, tgt->fqn, DATUM(i1->data)->fqn, res->fqn, name->datum.fqn); + switch (trans->name_match) { + case NAME_TRANS_MATCH_EXACT: + name_match_str = ""; + break; + case NAME_TRANS_MATCH_PREFIX: + name_match_str = " MATCH_PREFIX"; + break; + case NAME_TRANS_MATCH_SUFFIX: + name_match_str = " MATCH_SUFFIX"; + break; + default: + name_match_str = "???"; + break; + } + fprintf(out, "type_transition %s %s : %s %s \"%s\"%s;\n", src->fqn, tgt->fqn, DATUM(i1->data)->fqn, res->fqn, name->datum.fqn, name_match_str); } cil_list_destroy(&class_list, CIL_FALSE); } 
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index d2bfdc81..fbb0fdcc 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -668,6 +668,16 @@ int cil_resolve_nametypetransition(struct cil_tree_node *current, void *extra_ar nametypetrans->name = (struct cil_name *)name_datum; } + if (nametypetrans->name_match_str == CIL_KEY_MATCH_EXACT) { + nametypetrans->name_match = NAME_TRANS_MATCH_EXACT; + } else if (nametypetrans->name_match_str == CIL_KEY_MATCH_PREFIX) { + nametypetrans->name_match = NAME_TRANS_MATCH_PREFIX; + } else if (nametypetrans->name_match_str == CIL_KEY_MATCH_SUFFIX) { + nametypetrans->name_match = NAME_TRANS_MATCH_SUFFIX; + } else { + cil_tree_log(current, CIL_ERR, "Invalid name match type \"%s\"", nametypetrans->name_match_str); + } + rc = cil_resolve_name(current, nametypetrans->result_str, CIL_SYM_TYPES, extra_args, &result_datum); if (rc != SEPOL_OK) { goto exit; diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c index b75784ef..d96f6c39 100644 --- a/libsepol/cil/src/cil_write_ast.c +++ b/libsepol/cil/src/cil_write_ast.c @@ -1168,6 +1168,8 @@ void cil_write_ast_node(FILE *out, struct cil_tree_node *node) fprintf(out, "%s ", datum_or_str(DATUM(rule->tgt), rule->tgt_str)); fprintf(out, "%s ", datum_or_str(DATUM(rule->obj), rule->obj_str)); fprintf(out, "\"%s\" ", datum_or_str(DATUM(rule->name), rule->name_str)); + if (rule->name_match != NAME_TRANS_MATCH_EXACT) + fprintf(out, "%s ", rule->name_match_str); fprintf(out, "%s", datum_or_str(DATUM(rule->result), rule->result_str)); fprintf(out, ")\n"); break;
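Review bot: in the cil_gen_typetransition hunk (cil_build_ast.c), the `s4 == CIL_KEY_STAR` branch drops the fifth argument without looking at it when a sixth one is present: only `s4 = parse_current->next->next->next->next->next->next->data;` is assigned, so `(typetransition src tgt class * anything result)` is accepted as a plain type transition whatever `anything` is, including a misspelled match keyword. Since a match mode without a filename has no meaning, either reject a fifth token in the `*` form or verify that it is one of CIL_KEY_MATCH_EXACT/PREFIX/SUFFIX and fail with cil_tree_log otherwise. While here, the six-deep `parse_current->next->next->...` chains are hard to audit; walking a `struct cil_tree_node *` cursor through the optional arguments would make the four-, five- and six-argument cases readable.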
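Review bot: the new name_match block in cil_resolve_nametypetransition (cil_resolve_ast.c) logs "Invalid name match type" for an unknown keyword but neither sets rc nor jumps to exit, so resolution continues and the rule silently keeps the NAME_TRANS_MATCH_EXACT default set by cil_nametypetransition_init. A typo such as `match_prefx` would therefore compile into an exact-match rule, the opposite of what the policy author wrote, with only a log line to show for it. The else branch should end with `rc = SEPOL_ERR; goto exit;` after the cil_tree_log call so the build fails like other resolution errors in this function.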
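Review bot: the default arm of the new switch in cil_nametypetransition_to_policy (cil_policy.c) writes `???` straight into the rule, producing `type_transition ... "name"???;` which no policy parser accepts, and unlike the other arms it lacks the leading space. Because name_match is validated during resolve, this arm should be unreachable; an assert or a `cil_log(CIL_ERR, ...)` would be clearer than emitting unparseable output. The switch also runs once per expanded class inside cil_list_for_each although trans->name_match does not change in the loop; computing name_match_str once before the loop is simpler.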
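Review bot: in cil_write_ast_node (cil_write_ast.c), the decision to emit the match keyword keys off `rule->name_match`, which is only filled in by cil_resolve_nametypetransition; before resolution it still holds the NAME_TRANS_MATCH_EXACT default from cil_nametypetransition_init, so writing the AST at the parse/build stage drops an explicit match_prefix/match_suffix and changes the rule's meaning on a round-trip. Comparing the pooled string instead, `if (rule->name_match_str && rule->name_match_str != CIL_KEY_MATCH_EXACT)`, gives the right answer at every stage, the same way datum_or_str handles the other fields.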
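Review bot: the diffstat touches only libsepol/cil/src, yet the new keywords match_exact, match_prefix and match_suffix change the documented `(typetransition ...)` syntax; the CIL reference under secilc/docs and a secilc test policy exercising the six-argument form (including the `*` name case) should be updated in the same series so policy authors can discover the feature and the parser paths above are covered.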