From patchwork Fri Nov 25 15:49:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13056100 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 41308C4167B for ; Fri, 25 Nov 2022 15:50:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229611AbiKYPuE (ORCPT ); Fri, 25 Nov 2022 10:50:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37178 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229632AbiKYPuC (ORCPT ); Fri, 25 Nov 2022 10:50:02 -0500 Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A10752FFD7 for ; Fri, 25 Nov 2022 07:50:00 -0800 (PST) Received: by mail-ej1-x630.google.com with SMTP id ho10so11231415ejc.1 for ; Fri, 25 Nov 2022 07:50:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=bpxfNS5H2f3MDOgS3AH+v2xwVje7iyLDHr1hQ2K1fNE=; b=ZocoP7o/fyLk1N4y84IX92lW8zPeu1ZbKmij6og9vH+fUxhkC/spv0hl1AOtnvkyyT zg+/h5ee8zy/fVL2eh4Oy6IngOnTR+voBni8nsQCHtxSMp0au3fbM9+O8r29NSL3sB0L xhK6MhiZjDqcuzGVb5ap2e+eWNkSsjnNLMoixnK6ofrRJk48XEsS2Iu1QTRL3/geUEBY FqKhG9R9BAyyOdRe8smHpGOR9qZIR2Fh3ecSyVsoPF9YCo9ldjD2Y7r2yZUEk5CPsO7k VAxxu1gSkpE593Te4zy+hRWVGvB9V1U5CUa9UWKa/i5VpxB8K1/oTGpup8lsUbl+yxxO ttfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bpxfNS5H2f3MDOgS3AH+v2xwVje7iyLDHr1hQ2K1fNE=; b=ewWW3N2qvMZ2+1EmInuNE4TjDI3RxFgcGh7nELOUd4uFrvgRWEK5sGQf3UH7VbOG0f CnIiJvb5Bqh3fsj3Hvne3NP/wS1YwJVWd/JT0CyKmK0Ug+1qRuqNgaaoxAY7GMI0E2lW 6ZZCFLWMGyMoeOwu6SlWvPIWTMKx9MvFmehXvuHOFK/izikP6W4QfgK54x/uycbMM+vk 2rk3ykOAgE+Mk8IwETY3vFJbKs9cRkYvUbM33noFJ41bSLZoD5z85HM6wmGX0XGIIpEq bJsPw13gFYopCgFPqLdMw2+ag9FWFNdH/h5cUmpVL6i9CeOKjAm+MNLO5JeWUFl6kqaX fo2g== X-Gm-Message-State: ANoB5plfBEZ+zR04TJ2f6TMDO/eZ+fOcwh//ezpx2xy4ldWZtXaLbykn RsLnCM/Lfgrkcybh+TUN3onlRM7wgmg= X-Google-Smtp-Source: AA0mqf5eKEsWJf0XBQYW/9KCdLfi32DT32vMJ89rU5QunJjMoF8zYWkSE79jmKdwNQAzeC9XnYI34w== X-Received: by 2002:a17:906:2e82:b0:7ae:44b2:cb7f with SMTP id o2-20020a1709062e8200b007ae44b2cb7fmr18387798eji.437.1669391399099; Fri, 25 Nov 2022 07:49:59 -0800 (PST) Received: from debianHome.localdomain (dynamic-077-003-154-194.77.3.pool.telefonica.de. [77.3.154.194]) by smtp.gmail.com with ESMTPSA id b14-20020a17090630ce00b0078df26efb7dsm1677136ejb.107.2022.11.25.07.49.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Nov 2022 07:49:58 -0800 (PST) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH v4 1/6] libsepol: Add not self support for neverallow rules Date: Fri, 25 Nov 2022 16:49:47 +0100 Message-Id: <20221125154952.20910-2-cgzones@googlemail.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221125154952.20910-1-cgzones@googlemail.com> References: <20221125154952.20910-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add not self support for neverallow rules. Example 1 allow TYPE1 TYPE1 : CLASS1 PERM1; # Rule 1 allow TYPE1 TYPE2 : CLASS1 PERM1; # Rule 2 neverallow TYPE1 ~self : CLASS1 PERM1; Rule 1 is not a violation of the neverallow. Rule 2 is. Example 2 allow TYPE1 TYPE1 : CLASS2 PERM2; # Rule 1 allow TYPE1 TYPE2 : CLASS2 PERM2; # Rule 2 allow TYPE1 TYPE3 : CLASS2 PERM2; # Rule 3 neverallow ATTR1 { ATTR2 -self } : CLASS2 PERM2; Assuming TYPE1 has attribute ATTR1 and TYPE1 and TYPE2 have attribute ATTR2, then rule 1 and 3 are not violations of the neverallow while rule 2 is. Rule 3 is not a violation because TYPE3 does not have attribute ATTR2. Adopted improvements from James Carter Signed-off-by: Christian Göttsche Acked-by: James Carter --- libsepol/include/sepol/policydb/policydb.h | 3 +- libsepol/src/assertion.c | 144 +++++++++++++++++---- libsepol/src/policydb_validate.c | 9 ++ 3 files changed, 129 insertions(+), 27 deletions(-) diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index ef1a014a..b014b7a8 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -285,7 +285,8 @@ typedef struct avrule { #define AVRULE_XPERMS (AVRULE_XPERMS_ALLOWED | AVRULE_XPERMS_AUDITALLOW | \ AVRULE_XPERMS_DONTAUDIT | AVRULE_XPERMS_NEVERALLOW) uint32_t specified; -#define RULE_SELF 1 +#define RULE_SELF (1U << 0) +#define RULE_NOTSELF (1U << 1) uint32_t flags; type_set_t stypes; type_set_t ttypes; diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index 161874c3..11185253 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c @@ -223,6 +223,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void ebitmap_node_t *snode, *tnode; unsigned int i, j; const int is_avrule_self = (avrule->flags & RULE_SELF) != 0; + const int is_avrule_notself = (avrule->flags & RULE_NOTSELF) != 0; if ((k->specified & AVTAB_ALLOWED) == 0) return 0; @@ -242,19 +243,31 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void if (ebitmap_is_empty(&src_matches)) goto exit; - rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, &p->attr_type_map[k->target_type -1]); - if (rc < 0) - goto oom; - - if (is_avrule_self) { - rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]); + if (is_avrule_notself) { + if (ebitmap_is_empty(&avrule->ttypes.types)) { + /* avrule tgt is of the form ~self */ + rc = ebitmap_cpy(&tgt_matches, &p->attr_type_map[k->target_type -1]); + } else { + /* avrule tgt is of the form {ATTR -self} */ + rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, &p->attr_type_map[k->target_type - 1]); + } + if (rc) + goto oom; + } else { + rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, &p->attr_type_map[k->target_type -1]); if (rc < 0) goto oom; - if (!ebitmap_is_empty(&self_matches)) { - rc = ebitmap_union(&tgt_matches, &self_matches); + if (is_avrule_self) { + rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]); if (rc < 0) goto oom; + + if (!ebitmap_is_empty(&self_matches)) { + rc = ebitmap_union(&tgt_matches, &self_matches); + if (rc < 0) + goto oom; + } } } @@ -272,6 +285,8 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) { if (is_avrule_self && i != j) continue; + if (is_avrule_notself && i == j) + continue; if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) { a->errors += report_assertion_extended_permissions(handle,p, avrule, i, j, cp, perms, k, avtab); @@ -383,6 +398,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab unsigned int i, j; ebitmap_node_t *snode, *tnode; const int is_avrule_self = (avrule->flags & RULE_SELF) != 0; + const int is_avrule_notself = (avrule->flags & RULE_NOTSELF) != 0; int rc; ebitmap_init(&src_matches); @@ -399,20 +415,31 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab goto exit; } - rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, - &p->attr_type_map[k->target_type -1]); - if (rc < 0) - goto oom; - - if (is_avrule_self) { - rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]); + if (is_avrule_notself) { + if (ebitmap_is_empty(&avrule->ttypes.types)) { + /* avrule tgt is of the form ~self */ + rc = ebitmap_cpy(&tgt_matches, &p->attr_type_map[k->target_type -1]); + } else { + /* avrule tgt is of the form {ATTR -self} */ + rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, &p->attr_type_map[k->target_type - 1]); + } + if (rc < 0) + goto oom; + } else { + rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, &p->attr_type_map[k->target_type -1]); if (rc < 0) goto oom; - if (!ebitmap_is_empty(&self_matches)) { - rc = ebitmap_union(&tgt_matches, &self_matches); + if (is_avrule_self) { + rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]); if (rc < 0) goto oom; + + if (!ebitmap_is_empty(&self_matches)) { + rc = ebitmap_union(&tgt_matches, &self_matches); + if (rc < 0) + goto oom; + } } } @@ -425,6 +452,8 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) { if (is_avrule_self && i != j) continue; + if (is_avrule_notself && i == j) + continue; if (check_assertion_extended_permissions_avtab(avrule, avtab, i, j, k, p)) { rc = 1; goto exit; @@ -442,6 +471,61 @@ exit: return rc; } +static int check_assertion_notself_match(avtab_key_t *k, avrule_t *avrule, policydb_t *p) +{ + ebitmap_t src_matches, tgt_matches; + unsigned int num_src_matches, num_tgt_matches; + int rc; + + ebitmap_init(&src_matches); + ebitmap_init(&tgt_matches); + + rc = ebitmap_and(&src_matches, &avrule->stypes.types, &p->attr_type_map[k->source_type - 1]); + if (rc < 0) + goto oom; + + if (ebitmap_is_empty(&avrule->ttypes.types)) { + /* avrule tgt is of the form ~self */ + rc = ebitmap_cpy(&tgt_matches, &p->attr_type_map[k->target_type - 1]); + } else { + /* avrule tgt is of the form {ATTR -self} */ + rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, &p->attr_type_map[k->target_type - 1]); + } + if (rc < 0) + goto oom; + + num_src_matches = ebitmap_cardinality(&src_matches); + num_tgt_matches = ebitmap_cardinality(&tgt_matches); + if (num_src_matches == 0 || num_tgt_matches == 0) { + rc = 0; + goto nomatch; + } + if (num_src_matches == 1 && num_tgt_matches == 1) { + ebitmap_t matches; + unsigned int num_matches; + rc = ebitmap_and(&matches, &src_matches, &tgt_matches); + if (rc < 0) { + ebitmap_destroy(&matches); + goto oom; + } + num_matches = ebitmap_cardinality(&matches); + ebitmap_destroy(&matches); + if (num_matches == 1) { + /* The only non-match is of the form TYPE TYPE */ + rc = 0; + goto nomatch; + } + } + + rc = 1; + +oom: +nomatch: + ebitmap_destroy(&src_matches); + ebitmap_destroy(&tgt_matches); + return rc; +} + static int check_assertion_self_match(avtab_key_t *k, avrule_t *avrule, policydb_t *p) { ebitmap_t src_matches; @@ -485,16 +569,24 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a if (!ebitmap_match_any(&avrule->stypes.types, &p->attr_type_map[k->source_type - 1])) goto nomatch; - /* neverallow may have tgts even if it uses SELF */ - if (!ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1])) { - if (avrule->flags == RULE_SELF) { - rc = check_assertion_self_match(k, avrule, p); - if (rc < 0) - goto oom; - if (rc == 0) - goto nomatch; - } else { + if (avrule->flags & RULE_NOTSELF) { + rc = check_assertion_notself_match(k, avrule, p); + if (rc < 0) + goto oom; + if (rc == 0) goto nomatch; + } else { + /* neverallow may have tgts even if it uses SELF */ + if (!ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1])) { + if (avrule->flags == RULE_SELF) { + rc = check_assertion_self_match(k, avrule, p); + if (rc < 0) + goto oom; + if (rc == 0) + goto nomatch; + } else { + goto nomatch; + } } } diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 521ea4ff..3d51fb68 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -916,6 +916,15 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int case 0: case RULE_SELF: break; + case RULE_NOTSELF: + switch(avrule->specified) { + case AVRULE_NEVERALLOW: + case AVRULE_XPERMS_NEVERALLOW: + break; + default: + goto bad; + } + break; default: goto bad; } From patchwork Fri Nov 25 15:49:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13056103 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB758C4332F for ; Fri, 25 Nov 2022 15:50:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229623AbiKYPuF (ORCPT ); Fri, 25 Nov 2022 10:50:05 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37328 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229668AbiKYPuD (ORCPT ); Fri, 25 Nov 2022 10:50:03 -0500 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 805F847333 for ; Fri, 25 Nov 2022 07:50:01 -0800 (PST) Received: by mail-ej1-x629.google.com with SMTP id e27so11153391ejc.12 for ; Fri, 25 Nov 2022 07:50:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bsjh+UqfF7FkOUnRv1VDPr5SdC//cnCnu7Oafn+3Cc4=; b=abzVr6HF/agbvAlhSHYtlAdZJxhkSGsy1f3B60wxyIychq+dGOtUYG+JzLWf0KaPjW i/2xbPJNMZd8G2UJTSGdt0Y1RfzC73B/KvdEmXPRNpQGmOVKmhxYjpa4N/2NfCDfL7cs TU3ST09w3wZlJg2vtTbDCKSDADSkuXW1JYtE+F3rZtVBva7V5KcXmWxKBgitxusiBKhY lsuaPiDdW+K16yYFbvboXVGzMI0NXmPHvdS0G0DlXqf3O6SZ6Y9bQOX4tpybL6nVmxQD 5u9lndzQkFu52ZtzL76RxAjv63Sui79VTwqbQtGhfjqJySahCPwa1BLFhI1SAB5bcS1L 9RXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bsjh+UqfF7FkOUnRv1VDPr5SdC//cnCnu7Oafn+3Cc4=; b=GE0pKdzRLheNqr1/zakrNNkTaqmMRhxugv+PkBHFvVuBPr7190OmCmPUtHUBAMtMKE 67PjAGDbsX9WJ1tb6Gj9ndZS9b2pWgjP/isf2oVyIztL0DMPrSy7TR/BIFIg8chIT6TS s9q206wYzcJE1feAfhYSvtFjoIswkr3ADnwT/vYiGUMJ3m5GzxuirAehG2UX20YPjNES Tf9Z4nZ+C/nU2rEmNaMKUs/2NBQDhu9KP3PnsOaUYBL8rdcTWYtG/qUFyRLhZGAXjpAD eHZY9jTWAiI1UkjVZl5Z428RKsINbv3UF/fy8JSs5CkXOtU/uI0zXfyFp1dxY8edUnzC NRGQ== X-Gm-Message-State: ANoB5pnFBpF9uPR4MnqTbaC2MTyPhrEaizCGWJT3/WVZwS0HjvlZceKB 0i2ieTQAo7NaAFWAnxZDRVk65aGGnjM= X-Google-Smtp-Source: AA0mqf4cF5dYJ5Xl17faTBIDbx/D1ZRrHS/caU0pZ7OEu7kxYoUFq+4RdAOwiEuVQd0FuvcMq4TtoQ== X-Received: by 2002:a17:906:2817:b0:7ba:da1f:a727 with SMTP id r23-20020a170906281700b007bada1fa727mr8526863ejc.276.1669391399796; Fri, 25 Nov 2022 07:49:59 -0800 (PST) Received: from debianHome.localdomain (dynamic-077-003-154-194.77.3.pool.telefonica.de. [77.3.154.194]) by smtp.gmail.com with ESMTPSA id b14-20020a17090630ce00b0078df26efb7dsm1677136ejb.107.2022.11.25.07.49.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Nov 2022 07:49:59 -0800 (PST) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Cc: James Carter Subject: [RFC PATCH v4 2/6] libsepol/cil: Add notself and minusself support to CIL Date: Fri, 25 Nov 2022 16:49:48 +0100 Message-Id: <20221125154952.20910-3-cgzones@googlemail.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221125154952.20910-1-cgzones@googlemail.com> References: <20221125154952.20910-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org From: James Carter Like "self", both of these reserved words can be used as a target in an access vector rule. "notself" means all types other than the source type. "minuself" is meant to be used with an attribute and its use results in the rule being expanded with each type of the attribute being used as the source type with each of the other types being used as the target type. Using "minusself" with just a type will result in no rule. Example 1 (allow TYPE1 notself (CLASS (PERM))) This rule is expanded to a number of rules with TYPE1 as the source and every type except for TYPE1 as the target. Example 2 (allow ATTR1 notself (CLASS (PERM))) Like Example 1, this rule will be expanded to each type in ATTR1 being the source with every type except for the type used as the source being the target. Example 3 (allow TYPE1 minusself (CLASS (PERM))) This expands to no rule. Example 4 (allow ATTR1 minusself (CLASS (PERM))) Like Example 2, but the target types will be limited to the types in the attribute ATTR1 instead of all types. So if ATTR1 has the type t1, t2, and t3, then this rule expands to the following rules. (allow t1 t2 (CLASS (PERM))) (allow t1 t3 (CLASS (PERM))) (allow t2 t1 (CLASS (PERM))) (allow t2 t3 (CLASS (PERM))) (allow t3 t1 (CLASS (PERM))) (allow t3 t2 (CLASS (PERM))) Original patch from James Carter Signed-off-by: Christian Göttsche --- libsepol/cil/src/cil.c | 12 ++ libsepol/cil/src/cil_binary.c | 91 ++++++++++++- libsepol/cil/src/cil_build_ast.c | 10 +- libsepol/cil/src/cil_find.c | 206 +++++++++++++++++++++++++---- libsepol/cil/src/cil_internal.h | 4 + libsepol/cil/src/cil_resolve_ast.c | 4 + libsepol/cil/src/cil_verify.c | 3 +- 7 files changed, 300 insertions(+), 30 deletions(-) diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index 38edcf8e..d807a2c4 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -84,6 +84,8 @@ char *CIL_KEY_CONS_INCOMP; char *CIL_KEY_CONDTRUE; char *CIL_KEY_CONDFALSE; char *CIL_KEY_SELF; +char *CIL_KEY_NOTSELF; +char *CIL_KEY_MINUSSELF; char *CIL_KEY_OBJECT_R; char *CIL_KEY_STAR; char *CIL_KEY_TCP; @@ -253,6 +255,8 @@ static void cil_init_keys(void) CIL_KEY_CONDTRUE = cil_strpool_add("true"); CIL_KEY_CONDFALSE = cil_strpool_add("false"); CIL_KEY_SELF = cil_strpool_add("self"); + CIL_KEY_NOTSELF = cil_strpool_add("notself"); + CIL_KEY_MINUSSELF = cil_strpool_add("minusself"); CIL_KEY_OBJECT_R = cil_strpool_add("object_r"); CIL_KEY_STAR = cil_strpool_add("*"); CIL_KEY_UDP = cil_strpool_add("udp"); @@ -430,6 +434,12 @@ void cil_db_init(struct cil_db **db) cil_type_init(&(*db)->selftype); (*db)->selftype->datum.name = CIL_KEY_SELF; (*db)->selftype->datum.fqn = CIL_KEY_SELF; + cil_type_init(&(*db)->notselftype); + (*db)->notselftype->datum.name = CIL_KEY_NOTSELF; + (*db)->notselftype->datum.fqn = CIL_KEY_NOTSELF; + cil_type_init(&(*db)->minusselftype); + (*db)->minusselftype->datum.name = CIL_KEY_MINUSSELF; + (*db)->minusselftype->datum.fqn = CIL_KEY_MINUSSELF; (*db)->num_types_and_attrs = 0; (*db)->num_classes = 0; (*db)->num_types = 0; @@ -483,6 +493,8 @@ void cil_db_destroy(struct cil_db **db) cil_list_destroy(&(*db)->names, CIL_TRUE); cil_destroy_type((*db)->selftype); + cil_destroy_type((*db)->notselftype); + cil_destroy_type((*db)->minusselftype); cil_strpool_destroy(); free((*db)->val_to_type); diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 40615db2..29b00336 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -1519,6 +1519,46 @@ static int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struc } } ebitmap_destroy(&src_bitmap); + } else if (tgt->fqn == CIL_KEY_NOTSELF) { + rc = __cil_expand_type(src, &src_bitmap); + if (rc != SEPOL_OK) { + goto exit; + } + + ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + src = DATUM(db->val_to_type[s]); + for (t = 0; t < (unsigned int)db->num_types; t++) { + if (s != t) { + tgt = DATUM(db->val_to_type[t]); + rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor); + if (rc != SEPOL_OK) { + ebitmap_destroy(&src_bitmap); + goto exit; + } + } + } + } + ebitmap_destroy(&src_bitmap); + } else if (tgt->fqn == CIL_KEY_MINUSSELF) { + rc = __cil_expand_type(src, &src_bitmap); + if (rc != SEPOL_OK) { + goto exit; + } + + ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + src = DATUM(db->val_to_type[s]); + ebitmap_for_each_positive_bit(&src_bitmap, tnode, t) { + if (s != t) { + tgt = DATUM(db->val_to_type[t]); + rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor); + if (rc != SEPOL_OK) { + ebitmap_destroy(&src_bitmap); + goto exit; + } + } + } + } + ebitmap_destroy(&src_bitmap); } else { int expand_src = __cil_should_expand_attribute(db, src); int expand_tgt = __cil_should_expand_attribute(db, tgt); @@ -1875,10 +1915,51 @@ static int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, st src = DATUM(db->val_to_type[s]); rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, src, cil_avrulex->perms.x.permx, args); if (rc != SEPOL_OK) { + ebitmap_destroy(&src_bitmap); goto exit; } } ebitmap_destroy(&src_bitmap); + } else if (tgt->fqn == CIL_KEY_NOTSELF) { + rc = __cil_expand_type(src, &src_bitmap); + if (rc != SEPOL_OK) { + goto exit; + } + + ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + src = DATUM(db->val_to_type[s]); + for (t = 0; t < (unsigned int)db->num_types; t++) { + if (s != t) { + tgt = DATUM(db->val_to_type[t]); + rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args); + if (rc != SEPOL_OK) { + ebitmap_destroy(&src_bitmap); + goto exit; + } + } + } + } + ebitmap_destroy(&src_bitmap); + } else if (tgt->fqn == CIL_KEY_MINUSSELF) { + rc = __cil_expand_type(src, &src_bitmap); + if (rc != SEPOL_OK) { + goto exit; + } + + ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + src = DATUM(db->val_to_type[s]); + ebitmap_for_each_positive_bit(&src_bitmap, tnode, t) { + if (s != t) { + tgt = DATUM(db->val_to_type[t]); + rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args); + if (rc != SEPOL_OK) { + ebitmap_destroy(&src_bitmap); + goto exit; + } + } + } + } + ebitmap_destroy(&src_bitmap); } else { int expand_src = __cil_should_expand_attribute(db, src); int expand_tgt = __cil_should_expand_attribute(db, tgt); @@ -4813,8 +4894,16 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct if (tgt->fqn == CIL_KEY_SELF) { rule->flags = RULE_SELF; + } else if (tgt->fqn == CIL_KEY_NOTSELF) { + rule->flags = RULE_NOTSELF; + } else if (tgt->fqn == CIL_KEY_MINUSSELF) { + rule->flags = RULE_NOTSELF; + rc = __cil_add_sepol_type(pdb, db, cil_rule->src, &rule->ttypes.types); + if (rc != SEPOL_OK) { + goto exit; + } } else { - rc = __cil_add_sepol_type(pdb, db, cil_rule->tgt, &rule->ttypes.types); + rc = __cil_add_sepol_type(pdb, db, tgt, &rule->ttypes.types); if (rc != SEPOL_OK) { goto exit; } diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 4177c9f6..ca9f80c7 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -3126,9 +3126,13 @@ int cil_gen_aliasactual(struct cil_db *db, struct cil_tree_node *parse_current, goto exit; } - if ((flavor == CIL_TYPEALIAS && parse_current->next->data == CIL_KEY_SELF) || parse_current->next->next->data == CIL_KEY_SELF) { - cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF); - rc = SEPOL_ERR; + rc = cil_verify_name(db, parse_current->next->data, flavor); + if (rc != SEPOL_OK) { + goto exit; + } + + rc = cil_verify_name(db, parse_current->next->next->data, flavor); + if (rc != SEPOL_OK) { goto exit; } diff --git a/libsepol/cil/src/cil_find.c b/libsepol/cil/src/cil_find.c index 8b755277..1518d33d 100644 --- a/libsepol/cil/src/cil_find.c +++ b/libsepol/cil/src/cil_find.c @@ -115,12 +115,13 @@ static int cil_type_matches(ebitmap_t *matches, struct cil_symtab_datum *d1, str /* s1 is the src type that is matched with a self * s2, and t2 are the source and type of the other rule + * Assumes there is a match between s1 and s2 */ static int cil_self_match_any(struct cil_symtab_datum *s1, struct cil_symtab_datum *s2, struct cil_symtab_datum *t2) { int rc; - struct cil_tree_node *n1 = NODE(s1); - if (n1->flavor != CIL_TYPEATTRIBUTE) { + + if (FLAVOR(s1) != CIL_TYPEATTRIBUTE) { rc = cil_type_match_any(s1, t2); } else { struct cil_typeattribute *a = (struct cil_typeattribute *)s1; @@ -129,20 +130,149 @@ static int cil_self_match_any(struct cil_symtab_datum *s1, struct cil_symtab_dat rc = cil_type_matches(&map, s2, t2); if (rc < 0) { ebitmap_destroy(&map); - goto exit; + return rc; } - if (map.node == NULL) { - rc = CIL_FALSE; - goto exit; + if (!ebitmap_startnode(&map)) { + ebitmap_destroy(&map); + return CIL_FALSE; } rc = ebitmap_match_any(&map, a->types); ebitmap_destroy(&map); } -exit: return rc; } +/* s1 is the src type that is matched with a notself + * s2 and t2 are the source and type of the other rule + * Assumes there is a match between s1 and s2 + */ +static int cil_notself_match_any(struct cil_symtab_datum *s1, struct cil_symtab_datum *s2, struct cil_symtab_datum *t2) +{ + int rc; + ebitmap_node_t *snode, *tnode; + unsigned int s,t; + + if (FLAVOR(s1) != CIL_TYPEATTRIBUTE) { + struct cil_type *ts1 = (struct cil_type *)s1; + if (FLAVOR(t2) != CIL_TYPEATTRIBUTE) { + struct cil_type *tt2 = (struct cil_type *)t2; + if (ts1->value != tt2->value) { + return CIL_TRUE; + } + } else { + struct cil_typeattribute *at2 = (struct cil_typeattribute *)t2; + ebitmap_for_each_positive_bit(at2->types, tnode, t) { + if (t != (unsigned int)ts1->value) { + return CIL_TRUE; + } + } + } + } else { + ebitmap_t smap; + ebitmap_init(&smap); + rc = cil_type_matches(&smap, s1, s2); + if (rc < 0) { + ebitmap_destroy(&smap); + return rc; + } + if (!ebitmap_startnode(&smap)) { + ebitmap_destroy(&smap); + return CIL_FALSE; + } + if (FLAVOR(t2) != CIL_TYPEATTRIBUTE) { + struct cil_type *tt2 = (struct cil_type *)t2; + ebitmap_for_each_positive_bit(&smap, snode, s) { + if (s != (unsigned int)tt2->value) { + ebitmap_destroy(&smap); + return CIL_TRUE; + } + } + } else { + struct cil_typeattribute *at2 = (struct cil_typeattribute *)t2; + ebitmap_for_each_positive_bit(&smap, snode, s) { + ebitmap_for_each_positive_bit(at2->types, tnode, t) { + if (s != t) { + ebitmap_destroy(&smap); + return CIL_TRUE; + } + } + } + } + ebitmap_destroy(&smap); + } + + return CIL_FALSE; +} + +/* s1 is the src type that is matched with a minusself + * s2, and t2 are the source and type of the other rule + * Assumes there is a match between s1 and s2 + */ +static int cil_minusself_match_any(struct cil_symtab_datum *s1, struct cil_symtab_datum *s2, struct cil_symtab_datum *t2) +{ + int rc; + + if (FLAVOR(s1) != CIL_TYPEATTRIBUTE) { + return CIL_FALSE; + } else { + ebitmap_t smap, tmap; + ebitmap_node_t *snode, *tnode; + unsigned int s,t; + + ebitmap_init(&smap); + rc = cil_type_matches(&smap, s1, s2); + if (rc < 0) { + ebitmap_destroy(&smap); + return rc; + } + + ebitmap_init(&tmap); + rc = cil_type_matches(&tmap, s1, t2); + if (rc < 0) { + ebitmap_destroy(&smap); + ebitmap_destroy(&tmap); + return rc; + } + + if (!ebitmap_startnode(&smap) || !ebitmap_startnode(&tmap)) { + ebitmap_destroy(&smap); + ebitmap_destroy(&tmap); + return CIL_FALSE; + } + + ebitmap_for_each_positive_bit(&smap, snode, s) { + ebitmap_for_each_positive_bit(&tmap, tnode, t) { + if (s != t) { + ebitmap_destroy(&smap); + ebitmap_destroy(&tmap); + return CIL_TRUE; + } + } + } + + ebitmap_destroy(&smap); + ebitmap_destroy(&tmap); + } + + return CIL_FALSE; +} + +/* s2 is the src type that is matched with a minusself + * Assumes there is a match between s1 and s2 + * s1 is not needed, since it is known that there is a match + */ +static int cil_notself_minusself_match_any(struct cil_symtab_datum *s2) +{ + if (FLAVOR(s2) == CIL_TYPEATTRIBUTE) { + struct cil_typeattribute *as2 = (struct cil_typeattribute *)s2; + if (ebitmap_cardinality(as2->types) > 1) { + return CIL_TRUE; + } + } + return CIL_FALSE; +} + static int cil_classperms_match_any(struct cil_classperms *cp1, struct cil_classperms *cp2) { struct cil_class *c1 = cp1->class; @@ -308,30 +438,56 @@ static int cil_find_matching_avrule(struct cil_tree_node *node, struct cil_avrul if (!cil_type_match_any(s1, s2)) goto exit; - if (t1->fqn != CIL_KEY_SELF && t2->fqn != CIL_KEY_SELF) { - if (!cil_type_match_any(t1, t2)) goto exit; - } else { - if (t1->fqn == CIL_KEY_SELF && t2->fqn == CIL_KEY_SELF) { + if (t1->fqn == CIL_KEY_SELF) { + if (t2->fqn == CIL_KEY_SELF) { /* The earlier check whether s1 and s2 matches is all that is needed */ - } else if (t1->fqn == CIL_KEY_SELF) { + rc = CIL_TRUE; + } else if (t2->fqn == CIL_KEY_NOTSELF || t2->fqn == CIL_KEY_MINUSSELF) { + rc = CIL_FALSE; + } else { rc = cil_self_match_any(s1, s2, t2); - if (rc < 0) { - goto exit; - } else if (rc == CIL_FALSE) { - rc = SEPOL_OK; - goto exit; - } - } else if (t2->fqn == CIL_KEY_SELF) { + } + } else if (t1->fqn == CIL_KEY_NOTSELF) { + if (t2->fqn == CIL_KEY_SELF) { + rc = CIL_FALSE; + } else if (t2->fqn == CIL_KEY_NOTSELF) { + /* The earlier check whether s1 and s2 matches is all that is needed */ + rc = CIL_TRUE; + } else if (t2->fqn == CIL_KEY_MINUSSELF) { + rc = cil_notself_minusself_match_any(s2); + } else { + rc = cil_notself_match_any(s1, s2, t2); + } + } else if (t1->fqn == CIL_KEY_MINUSSELF) { + if (t2->fqn == CIL_KEY_SELF) { + rc = CIL_FALSE; + } else if (t2->fqn == CIL_KEY_NOTSELF) { + rc = cil_notself_minusself_match_any(s1); + } else if (t2->fqn == CIL_KEY_MINUSSELF) { + /* The earlier check whether s1 and s2 matches is all that is needed */ + rc = CIL_TRUE; + } else { + rc = cil_minusself_match_any(s1, s2, t2); + } + } else { + if (t2->fqn == CIL_KEY_SELF) { rc = cil_self_match_any(s2, s1, t1); - if (rc < 0) { - goto exit; - } else if (rc == CIL_FALSE) { - rc = SEPOL_OK; - goto exit; - } + } else if (t2->fqn == CIL_KEY_NOTSELF) { + rc = cil_notself_match_any(s2, s1, t1); + } else if (t2->fqn == CIL_KEY_MINUSSELF) { + rc = cil_minusself_match_any(s2, s1, t1); + } else { + rc = cil_type_match_any(t1, t2); } } + if (rc < 0) { + goto exit; + } else if (rc == CIL_FALSE) { + rc = SEPOL_OK; + goto exit; + } + if (!target->is_extended) { if (cil_classperms_list_match_any(avrule->perms.classperms, target->perms.classperms)) { cil_list_append(matching, CIL_NODE, node); diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index a7604762..d293b9ba 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h @@ -101,6 +101,8 @@ extern char *CIL_KEY_CONS_INCOMP; extern char *CIL_KEY_CONDTRUE; extern char *CIL_KEY_CONDFALSE; extern char *CIL_KEY_SELF; +extern char *CIL_KEY_NOTSELF; +extern char *CIL_KEY_MINUSSELF; extern char *CIL_KEY_OBJECT_R; extern char *CIL_KEY_STAR; extern char *CIL_KEY_TCP; @@ -289,6 +291,8 @@ struct cil_db { struct cil_tree *parse; struct cil_tree *ast; struct cil_type *selftype; + struct cil_type *notselftype; + struct cil_type *minusselftype; struct cil_list *sidorder; struct cil_list *classorder; struct cil_list *catorder; diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index f5e22c97..9065fe09 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -333,6 +333,10 @@ int cil_resolve_avrule(struct cil_tree_node *current, void *extra_args) if (rule->tgt_str == CIL_KEY_SELF) { rule->tgt = db->selftype; + } else if (rule->tgt_str == CIL_KEY_NOTSELF) { + rule->tgt = db->notselftype; + } else if (rule->tgt_str == CIL_KEY_MINUSSELF) { + rule->tgt = db->minusselftype; } else { rc = cil_resolve_name(current, rule->tgt_str, CIL_SYM_TYPES, args, &tgt_datum); if (rc != SEPOL_OK) { diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c index 4640dc59..1706fbf2 100644 --- a/libsepol/cil/src/cil_verify.c +++ b/libsepol/cil/src/cil_verify.c @@ -68,7 +68,8 @@ static int __cil_is_reserved_name(const char *name, enum cil_flavor flavor) case CIL_TYPE: case CIL_TYPEATTRIBUTE: case CIL_TYPEALIAS: - if ((name == CIL_KEY_ALL) || (name == CIL_KEY_SELF)) + if ((name == CIL_KEY_ALL) || (name == CIL_KEY_SELF) || (name == CIL_KEY_NOTSELF) + || (name == CIL_KEY_MINUSSELF)) return CIL_TRUE; break; case CIL_CAT: From patchwork Fri Nov 25 15:49:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13056101 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BDBAFC43217 for ; Fri, 25 Nov 2022 15:50:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229642AbiKYPuE (ORCPT ); Fri, 25 Nov 2022 10:50:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37156 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229646AbiKYPuD (ORCPT ); Fri, 25 Nov 2022 10:50:03 -0500 Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E0D0B47336 for ; Fri, 25 Nov 2022 07:50:01 -0800 (PST) Received: by mail-ed1-x531.google.com with SMTP id x102so6976034ede.0 for ; Fri, 25 Nov 2022 07:50:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=uVTuNFpHztIyORdD18oCfjqXBOolqRppRvl8UGbssPU=; b=UFpbcLxDXSEx0Trm/zFAQfj1evf9QCtSpbnSHVTUn4yWhA7WGgFGbHxhX5ojmM9mq2 CFXkTQ35OwbuPFjivKGj5lTBB4aiOdiMh/UnQN3/8EZpg1YIeuFqVsn6JEGt3spwZl6m 29JriqGrtAjnnbrPnUZOk4i5UL5tlk2sMfrt/1BErHDVX7vISYmLLCu14yc6obSsX2AH K6Bs0SyVmUVKcDWMOi6Gf4yQx1t/04Oe3zvtvP+QnL7esTewbyULnRrVU9upPohbumIo Yk7zjB1cwNmRHt4xQxA2nKpSFIznNxUUVMFT/7wOgmwZGsA31Zt16SL1xmsiNSWSpax3 dj/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=uVTuNFpHztIyORdD18oCfjqXBOolqRppRvl8UGbssPU=; b=cy1TIncYLHfCjn0+hp8TzVQfyiDkOb5akp9S8+rFFg0NrBsdWAQ9zpJ4mgVMrF9bdD FZ4HlRUIaHWJfD1wOFhMDpCF/49YJu2Qz/vJHehvG47D1o5/ROhPjsAJETllbf0vJOP1 iy5b9K5zsDVDMHB3E1Gd6ihgnTrYGu+rVzPbF0cJWbPJT0rBMRlrfgfLkCp4yQkDFEpR F8A5fqyz/NCa74tBiQhTNo79I8OvV2nOlhsOMp0KDvGmnnT5Wp8tKwrWecgQVjybq2Es WbA0JGb9kQpqkkLnpULKKqwjBTaJAixXUuBfRCsuc9Gt5lIJju3K86yGKy6sj2JcSlNb A6HQ== X-Gm-Message-State: ANoB5pnzoln6/SCx9WsAeRZ6mLsW6Ipiy8U5EjVLKQryxWYhsnHjgqwZ 0kBKmaxlWWaqP+Rd6iWM8s70AyTF1wo= X-Google-Smtp-Source: AA0mqf4djIo/hoIV6Mo8PP2sip1f9+7SbueeKbnWquZiPFvqohP7j8gJIB+nVs5hvc4Sdn2kkCbxFA== X-Received: by 2002:aa7:dd45:0:b0:45a:3c66:b0e4 with SMTP id o5-20020aa7dd45000000b0045a3c66b0e4mr36524180edw.33.1669391400402; Fri, 25 Nov 2022 07:50:00 -0800 (PST) Received: from debianHome.localdomain (dynamic-077-003-154-194.77.3.pool.telefonica.de. [77.3.154.194]) by smtp.gmail.com with ESMTPSA id b14-20020a17090630ce00b0078df26efb7dsm1677136ejb.107.2022.11.25.07.49.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Nov 2022 07:50:00 -0800 (PST) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH v4 3/6] checkpolicy: add not-self neverallow support Date: Fri, 25 Nov 2022 16:49:49 +0100 Message-Id: <20221125154952.20910-4-cgzones@googlemail.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221125154952.20910-1-cgzones@googlemail.com> References: <20221125154952.20910-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add support for using negated or complemented self in the target type of neverallow rules. Some Refpolicy examples: neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *; neverallow domain { domain -self -dockerc_t }:dir create; # no violations neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create }; libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create }; neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write }; libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename }; libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create }; Using negated self in a complement, `~{ domain -self }`, is not supported. Signed-off-by: Christian Göttsche Acked-by: James Carter --- checkpolicy/policy_define.c | 46 ++++++++++++++++++++++++++++++++----- checkpolicy/test/dismod.c | 6 ++++- 2 files changed, 45 insertions(+), 7 deletions(-) diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 41e44631..74f882bb 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -2075,12 +2075,17 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule) while ((id = queue_remove(id_queue))) { if (strcmp(id, "self") == 0) { free(id); - if (add == 0) { - yyerror("-self is not supported"); + if (add == 0 && which != AVRULE_XPERMS_NEVERALLOW) { + yyerror("-self is only supported in neverallow and neverallowxperm rules"); + ret = -1; + goto out; + } + avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF); + if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) { + yyerror("self and -self are mutual exclusive"); ret = -1; goto out; } - avrule->flags |= RULE_SELF; continue; } if (set_types @@ -2091,6 +2096,18 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule) } } + if ((avrule->ttypes.flags & TYPE_COMP)) { + if (avrule->flags & RULE_NOTSELF) { + yyerror("-self is not supported in complements"); + ret = -1; + goto out; + } + if (avrule->flags & RULE_SELF) { + avrule->flags &= ~RULE_SELF; + avrule->flags |= RULE_NOTSELF; + } + } + ebitmap_init(&tclasses); ret = read_classes(&tclasses); if (ret) @@ -2537,12 +2554,17 @@ static int define_te_avtab_helper(int which, avrule_t ** rule) while ((id = queue_remove(id_queue))) { if (strcmp(id, "self") == 0) { free(id); - if (add == 0) { - yyerror("-self is not supported"); + if (add == 0 && which != AVRULE_NEVERALLOW) { + yyerror("-self is only supported in neverallow and neverallowxperm rules"); + ret = -1; + goto out; + } + avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF); + if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) { + yyerror("self and -self are mutual exclusive"); ret = -1; goto out; } - avrule->flags |= RULE_SELF; continue; } if (set_types @@ -2553,6 +2575,18 @@ static int define_te_avtab_helper(int which, avrule_t ** rule) } } + if ((avrule->ttypes.flags & TYPE_COMP)) { + if (avrule->flags & RULE_NOTSELF) { + yyerror("-self is not supported in complements"); + ret = -1; + goto out; + } + if (avrule->flags & RULE_SELF) { + avrule->flags &= ~RULE_SELF; + avrule->flags |= RULE_NOTSELF; + } + } + ebitmap_init(&tclasses); ret = read_classes(&tclasses); if (ret) diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c index ec2a3e9a..a2d74d42 100644 --- a/checkpolicy/test/dismod.c +++ b/checkpolicy/test/dismod.c @@ -124,7 +124,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic } num_types = 0; - if (flags & RULE_SELF) { + if (flags & (RULE_SELF | RULE_NOTSELF)) { num_types++; } @@ -169,6 +169,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic fprintf(fp, " self"); } + if (flags & RULE_NOTSELF) { + fprintf(fp, " -self"); + } + if (num_types > 1) fprintf(fp, " }"); From patchwork Fri Nov 25 15:49:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13056104 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 88372C46467 for ; Fri, 25 Nov 2022 15:50:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229661AbiKYPuG (ORCPT ); Fri, 25 Nov 2022 10:50:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37400 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229495AbiKYPuF (ORCPT ); Fri, 25 Nov 2022 10:50:05 -0500 Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AB06B23EB5 for ; Fri, 25 Nov 2022 07:50:02 -0800 (PST) Received: by mail-ej1-x62f.google.com with SMTP id n20so11310380ejh.0 for ; Fri, 25 Nov 2022 07:50:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=RnPUJMNIcrWkulTFMMgeaCYIfBt32ujP8syf8kXojc8=; b=Bly1yZH8vabvZ+n/l5jcH3E3vQ0YayQlesfBlh3KUCYT4nDqFnslL28hQ5pLMvH8aA 4cgyskrOriDN8GoO02yio0e64oNIbBKIIDObaMe8QvRig8fibxprp2H08tG9EF3O1rHR UuUbuYrE6gzj9iv6SXtVyt950h1Pr04oaMLG04R8TN5eX6IC93hcy9O/H2gvd+8823sD Xplk13otG8M7jl+y0MYPPYwZuR5+lisMnMUUhH3NopBB9nxDIQ9B0PLdvZKg5gFn+3An KoFVQdONm/P1z2wDWLFIkQz/84rBnFp6/2qZI7Av9e7oJDeo+VxIuJMIjxIsIkfRe1y1 TkqQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RnPUJMNIcrWkulTFMMgeaCYIfBt32ujP8syf8kXojc8=; b=j113Up0xR3mX720sSDxIY3PhiNWXkm9C2xj6HrA68fWGzM2UW8qKXrsjcMyZxQ+hRE ST14DEooRQYfaPEVr13so5G7jqw3mnJPxHHy/VX1UmdLWa1n+5kVVHQOOrKb6nxJMC/4 Wgo+12Zaq6gGx1iLqYWuHIMZ4iLkLIgswht2HG4g6LyXddjmwc45ZnViVFkqGGKqr+/P uUSc9zh5nq0mlFMr0Sio0ebDX4tYehmzI8dTp3c61y00nmV0g+W1Ya/S/zyFA+WbaYYg qKh9+Bq33RdJSkHjRK/aBknNgPbE+vzhDnh36GG9U2l+DViVuMY/Bw6L+Tz95haw+SjM +GAQ== X-Gm-Message-State: ANoB5pk3i68Sd52aRhdt0fTWlTs+fiuAMw1TMfs+QI+dHWoNl16vkmLW IAdf/2E4BiMZYfKN2j2dGxva13xiH9w= X-Google-Smtp-Source: AA0mqf5GinregL6GbLJo4anFFr8Lz83To28URRFYOSQUjaMzE3FR/6PPX75ElQ7WRU844T4Sh2k/VA== X-Received: by 2002:a17:906:c1d0:b0:7b4:64d3:e6f4 with SMTP id bw16-20020a170906c1d000b007b464d3e6f4mr18186218ejb.594.1669391401055; Fri, 25 Nov 2022 07:50:01 -0800 (PST) Received: from debianHome.localdomain (dynamic-077-003-154-194.77.3.pool.telefonica.de. [77.3.154.194]) by smtp.gmail.com with ESMTPSA id b14-20020a17090630ce00b0078df26efb7dsm1677136ejb.107.2022.11.25.07.50.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Nov 2022 07:50:00 -0800 (PST) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH v4 4/6] libsepol/tests: add tests for not self neverallow rules Date: Fri, 25 Nov 2022 16:49:50 +0100 Message-Id: <20221125154952.20910-5-cgzones@googlemail.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221125154952.20910-1-cgzones@googlemail.com> References: <20221125154952.20910-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Christian Göttsche Acked-by: James Carter --- .../test-neverallow/policy_not_self.conf | 370 ++++++++++++++++++ libsepol/tests/test-neverallow.c | 75 ++++ 2 files changed, 445 insertions(+) create mode 100644 libsepol/tests/policies/test-neverallow/policy_not_self.conf diff --git a/libsepol/tests/policies/test-neverallow/policy_not_self.conf b/libsepol/tests/policies/test-neverallow/policy_not_self.conf new file mode 100644 index 00000000..da2cc69b --- /dev/null +++ b/libsepol/tests/policies/test-neverallow/policy_not_self.conf @@ -0,0 +1,370 @@ +class process +class blk_file +class chr_file +class dir +class fifo_file +class file +class lnk_file +class sock_file + +class class5 +class class6 +class class7 +class class17 + +sid kernel +sid security +sid unlabeled +sid file +sid port +sid netif +sid netmsg +sid node +sid devnull + +class process { dyntransition transition } +class file { ioctl read write } + +class class5 { perm } +class class6 { perm } +class class7 { perm } +class class17 { ioctl } + +ifdef(`enable_mls',` +sensitivity s0; +dominance { s0 } +category c0; category c1; category c2; category c3; +category c4; category c5; category c6; category c7; +category c8; category c9; category c10; category c11; +category c12; category c13; category c14; category c15; +category c16; category c17; category c18; category c19; +category c20; category c21; category c22; category c23; + +level s0:c0.c23; + +mlsconstrain file { write } ( h1 dom h2 ); +') + + +######################################## +# +# Test start +# +######################################## + + +## Test 1 (single type) + +type test1_t; +allow test1_t test1_t : file read; +neverallow test1_t ~self : file read; # nofail + + +## Test 2 (single type) + +type test2_t; +allow test2_t self : file read; +neverallow test2_t ~self : file read; # nofail + + +## Test 3 (single type) + +type test3_1_t; +type test3_2_t; +allow test3_1_t test3_2_t : file read; +neverallow test3_1_t ~self : file read; + + +## Test 4 (two types I) + +type test4_1_t; +type test4_2_t; +allow { test4_1_t test4_2_t } { test4_1_t test4_2_t } : file read; +neverallow test4_1_t ~self : file read; + + +## Test 5 (two types II) + +type test5_1_t; +type test5_2_t; +allow { test5_1_t test5_2_t } { test5_1_t test5_2_t } : class5 perm; +neverallow * ~self : class5 perm; + + +## Test 6 (two types III) + +type test6_1_t; +type test6_2_t; +allow { test6_1_t test6_2_t } { test6_1_t test6_2_t } : class6 perm; +neverallow * ~{ self test6_1_t } : class6 perm; + + +## Test 7 (two types IV) + +type test7_1_t; +type test7_2_t; +allow { test7_1_t test7_2_t } { test7_1_t test7_2_t } : class7 perm; +neverallow * ~{ self test7_1_t test7_2_t } : class7 perm; # nofail + + +## Test 8 (attribute violates type I) + +attribute test8_a; +type test8_1_t, test8_a; +type test8_2_t, test8_a; +allow test8_a test8_a : file read; +neverallow test8_1_t ~self : file *; + + +## Test 9 (attribute violates type II) + +attribute test9_a; +type test9_1_t, test9_a; +type test9_2_t, test9_a; +allow test9_1_t test9_a : file read; +neverallow test9_1_t ~self : file *; + + +## Test 10 (attribute violates type III) + +attribute test10_1_a; +attribute test10_2_a; +type test10_1_t, test10_1_a, test10_1_a; +type test10_2_t, test10_1_a, test10_1_a; +allow test10_1_a test10_1_a : file read; +neverallow test10_1_t ~self : file *; + + +## Test 11 (attribute violates attribute I) + +attribute test11_1_a; +attribute test11_2_a; +type test11_1_t, test11_1_a, test11_2_a; +type test11_2_t, test11_1_a, test11_2_a; +allow test11_1_t self : file read; +allow test11_2_t test11_2_t : file read; +neverallow test11_1_a ~self : file *; # nofail + + +## Test 12 (attribute violates attribute II) + +attribute test12_a; +type test12_1_t, test12_a; +type test12_2_t, test12_a; +allow test12_1_t test12_2_t : file read; +neverallow test12_a ~self : file *; + + +## Test 13 (attribute violates attribute III) + +attribute test13_a; +type test13_1_t, test13_a; +type test13_2_t, test13_a; +allow test13_1_t test13_a : file read; +neverallow test13_a ~self : file *; + + +## Test 14 (attribute violates attribute IV) + +attribute test14_a; +type test14_1_t, test14_a; +type test14_2_t, test14_a; +allow test14_a test14_a : file read; +neverallow test14_a ~self : file *; + + +## Test 15 (attribute violates attribute V) + +attribute test13_1_a; +attribute test13_2_a; +type test13_t, test13_1_a, test13_2_a; +allow test13_1_a test13_2_a : file read; +neverallow test13_a ~self : file *; + + +## Test 16 (types violate attribute) + +attribute test16_a; +type test16_1_t, test16_a; +type test16_2_t, test16_a; +allow { test16_1_t test16_2_t } { test16_1_t test16_2_t } : file read; +neverallow test16_a ~self : file ~write; + + +## Test 17 (extended permissions I) + +type test17_1_t; +type test17_2_t; +allow { test17_1_t test17_2_t } { test17_1_t test17_2_t } : class17 ioctl; +neverallowxperm ~test17_2_t ~self : class17 ioctl 0x1111; + + +## Test 18 (extended permissions II) + +type test18_1_t; +type test18_2_t; +allow { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl; +allowxperm { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl 0x1111; +neverallowxperm test18_1_t ~self : file ioctl 0x2222; # nofail + + +## Test 19 (extended permissions III) + +type test19_1_t; +type test19_2_t; +allow { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl; +allowxperm { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl { 0x0100 - 0x0102 }; +neverallowxperm test19_2_t ~self : file ioctl { 0x0101 - 0x0104 }; + + +## Test 20 (extended permissions IV) + +type test20_1_t; +type test20_2_t; +allow { test20_1_t test20_2_t } { test20_1_t test20_2_t } : file ioctl; +allowxperm test20_1_t test20_1_t : file ioctl 0x0101; +allowxperm test20_1_t test20_2_t : file ioctl 0x0102; +allowxperm test20_2_t test20_1_t : file ioctl 0x0103; +allowxperm test20_2_t test20_2_t : file ioctl 0x0104; +neverallowxperm { test20_1_t test20_2_t } ~self : file ioctl { 0x0000 - 0x9000 }; + + +## Test 21 (extended permissions V) + +attribute test21_a; +type test21_1_t, test21_a; +type test21_2_t, test21_a; +allow test21_a test21_a : file ioctl; +allowxperm test21_a test21_a : file ioctl 0x9501; +neverallowxperm test21_1_t ~self : file ioctl 0x9511; # nofail + + +## Test 22 (extended permissions VI) + +type test22_t; +allow test22_t self : file ioctl; +allowxperm test22_t self : file ioctl 0x9501; +allowxperm test22_t self : file ioctl 0x9511; +neverallowxperm test22_t ~self : file ioctl 0x9511; # nofail + + +## Test 23 (extended permissions VII) + +attribute test23_a; +type test23_1_t, test23_a; +type test23_2_t, test23_a; +allow test23_a test23_a : file ioctl; +allowxperm test23_a test23_a : file ioctl 0x9501; +allowxperm test23_1_t test23_2_t : file ioctl 0x9511; +neverallowxperm test23_1_t ~self : file ioctl 0x9511; + + +## Test 24 (extended permissions VII) + +attribute test24_a; +type test24_1_t, test24_a; +type test24_2_t, test24_a; +allow test24_a test24_a : file ioctl; +allowxperm test24_a test24_a : file ioctl 0x9501; +allowxperm test24_1_t test24_a : file ioctl 0x9511; +neverallowxperm test24_1_t ~self : file ioctl 0x9511; + + +## Test 25 (extended permissions IX) + +attribute test25_a; +type test25_1_t, test25_a; +type test25_2_t, test25_a; +allow test25_a test25_a : file ioctl; +allowxperm test25_a test25_a : file ioctl 0x9501; +allowxperm test25_a test25_a : file ioctl 0x9511; +neverallowxperm test25_1_t ~self : file ioctl 0x9511; + + +## Test 26 (extended permissions X) + +attribute test26_1_a; +attribute test26_2_a; +type test26_1_t, test26_1_a, test26_2_a; +type test26_2_t, test26_1_a, test26_2_a; +allow { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl; +allowxperm { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl 0x9501; +allowxperm test26_1_a test26_2_a : file ioctl 0x9511; +neverallowxperm test26_1_t ~self : file ioctl 0x9511; + + +## Test 27 (extended permissions attribute violation I) + +attribute test27_a; +type test27_1_t, test27_a; +type test27_2_t, test27_a; +allow test27_a test27_a : file ioctl; +allowxperm test27_a test27_a : file ioctl 0x9501; +allowxperm test27_1_t self : file ioctl 0x9521; +allowxperm test27_2_t test27_2_t : file ioctl 0x9521; +neverallowxperm test27_a ~self : file ioctl 0x9521; # nofail + + +## Test 28 (extended permissions attribute violation II) + +attribute test28_a; +type test28_1_t, test28_a; +type test28_2_t, test28_a; +allow test28_a test28_a : file ioctl; +allowxperm test28_1_t test28_2_t : file ioctl 0x9521; +neverallowxperm test28_a ~self : file ioctl 0x9521; + + +## Test 29 (extended permissions attribute violation III) + +attribute test29_a; +type test29_1_t, test29_a; +type test29_2_t, test29_a; +allow test29_a test29_a : file ioctl; +allowxperm test29_1_t test29_a : file ioctl 0x9521; +neverallowxperm test29_a ~self : file ioctl 0x9521; + + +## Test 30 (extended permissions attribute violation IV) + +attribute test30_a; +type test30_1_t, test30_a; +type test30_2_t, test30_a; +allow test30_a test30_a : file ioctl; +allowxperm test30_a test30_a : file ioctl 0x9521; +neverallowxperm test30_a ~self : file ioctl 0x9521; + + +## Test 31 (extended permissions attribute violation V) + +attribute test31_1_a; +attribute test31_2_a; +type test31_1_t, test31_1_a, test31_2_a; +type test31_2_t, test31_1_a, test31_2_a; +allow test31_1_a test31_1_a : file ioctl; +allowxperm test31_1_a test31_2_a : file ioctl 0x9521; +neverallowxperm test31_1_a ~self : file ioctl 0x9521; + + +######################################## +# +# Test End +# +######################################## + + +type sys_isid; +role sys_role; +role sys_role types sys_isid; +gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23) +sid kernel gen_context(sys_user:sys_role:sys_isid, s0) +sid security gen_context(sys_user:sys_role:sys_isid, s0) +sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0) +sid file gen_context(sys_user:sys_role:sys_isid, s0) +sid port gen_context(sys_user:sys_role:sys_isid, s0) +sid netif gen_context(sys_user:sys_role:sys_isid, s0) +sid netmsg gen_context(sys_user:sys_role:sys_isid, s0) +sid node gen_context(sys_user:sys_role:sys_isid, s0) +sid devnull gen_context(sys_user:sys_role:sys_isid, s0) +fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0); +fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0); diff --git a/libsepol/tests/test-neverallow.c b/libsepol/tests/test-neverallow.c index d973a0e3..c6518ebb 100644 --- a/libsepol/tests/test-neverallow.c +++ b/libsepol/tests/test-neverallow.c @@ -154,6 +154,76 @@ static void test_neverallow_basic(void) policydb_destroy(&base_expanded); } +static void test_neverallow_not_self(void) +{ + policydb_t basemod, base_expanded; + sepol_handle_t *handle; + static const char *const expected_messages[] = { + "34 neverallow failures occurred", + "neverallow on line 78 of policies/test-neverallow/policy_not_self.conf.std (or line 78 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test3_1_t test3_2_t:file { read };", + "neverallow on line 86 of policies/test-neverallow/policy_not_self.conf.std (or line 86 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test4_1_t test4_2_t:file { read };", + "neverallow on line 94 of policies/test-neverallow/policy_not_self.conf.std (or line 94 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test5_1_t test5_2_t:class5 { perm };", + "neverallow on line 94 of policies/test-neverallow/policy_not_self.conf.std (or line 94 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test5_2_t test5_1_t:class5 { perm };", + "neverallow on line 102 of policies/test-neverallow/policy_not_self.conf.std (or line 102 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test6_1_t test6_2_t:class6 { perm };", + "neverallow on line 119 of policies/test-neverallow/policy_not_self.conf.std (or line 119 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test8_1_t test8_2_t:file { read };", + "neverallow on line 128 of policies/test-neverallow/policy_not_self.conf.std (or line 128 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test9_1_t test9_2_t:file { read };", + "neverallow on line 138 of policies/test-neverallow/policy_not_self.conf.std (or line 138 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test10_1_t test10_2_t:file { read };", + "neverallow on line 158 of policies/test-neverallow/policy_not_self.conf.std (or line 158 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test12_1_t test12_2_t:file { read };", + "neverallow on line 167 of policies/test-neverallow/policy_not_self.conf.std (or line 167 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test13_1_t test13_2_t:file { read };", + "neverallow on line 176 of policies/test-neverallow/policy_not_self.conf.std (or line 176 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test14_1_t test14_2_t:file { read };", + "neverallow on line 176 of policies/test-neverallow/policy_not_self.conf.std (or line 176 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test14_2_t test14_1_t:file { read };", + "neverallow on line 185 of policies/test-neverallow/policy_not_self.conf.std (or line 185 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test13_1_t test13_2_t:file { read };", + "neverallow on line 194 of policies/test-neverallow/policy_not_self.conf.std (or line 194 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test16_1_t test16_2_t:file { read };", + "neverallow on line 194 of policies/test-neverallow/policy_not_self.conf.std (or line 194 of policies/test-neverallow/policy_not_self.conf.std) violated by allow test16_2_t test16_1_t:file { read };", + "neverallowxperm on line 202 of policies/test-neverallow/policy_not_self.conf.std (or line 202 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallow test17_1_t test17_2_t:class17 { ioctl };", + "neverallowxperm on line 220 of policies/test-neverallow/policy_not_self.conf.std (or line 220 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test19_2_t test19_1_t:file ioctl { 0x101-0x102 };", + "neverallowxperm on line 232 of policies/test-neverallow/policy_not_self.conf.std (or line 232 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test20_1_t test20_2_t:file ioctl { 0x102 };", + "neverallowxperm on line 232 of policies/test-neverallow/policy_not_self.conf.std (or line 232 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test20_2_t test20_1_t:file ioctl { 0x103 };", + "neverallowxperm on line 262 of policies/test-neverallow/policy_not_self.conf.std (or line 262 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test23_1_t test23_2_t:file ioctl { 0x9511 };", + "neverallowxperm on line 273 of policies/test-neverallow/policy_not_self.conf.std (or line 273 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test24_1_t test24_a:file ioctl { 0x9511 };", + "neverallowxperm on line 284 of policies/test-neverallow/policy_not_self.conf.std (or line 284 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test25_a test25_a:file ioctl { 0x9511 };", + "neverallowxperm on line 296 of policies/test-neverallow/policy_not_self.conf.std (or line 296 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };", + "neverallowxperm on line 296 of policies/test-neverallow/policy_not_self.conf.std (or line 296 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };", + "neverallowxperm on line 296 of policies/test-neverallow/policy_not_self.conf.std (or line 296 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };", + "neverallowxperm on line 296 of policies/test-neverallow/policy_not_self.conf.std (or line 296 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };", + "neverallowxperm on line 318 of policies/test-neverallow/policy_not_self.conf.std (or line 318 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test28_1_t test28_2_t:file ioctl { 0x9521 };", + "neverallowxperm on line 318 of policies/test-neverallow/policy_not_self.conf.std (or line 318 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallow test28_2_t test28_1_t:file { ioctl };", + "neverallowxperm on line 328 of policies/test-neverallow/policy_not_self.conf.std (or line 328 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test29_1_t test29_a:file ioctl { 0x9521 };", + "neverallowxperm on line 328 of policies/test-neverallow/policy_not_self.conf.std (or line 328 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallow test29_2_t test29_1_t:file { ioctl };", + "neverallowxperm on line 338 of policies/test-neverallow/policy_not_self.conf.std (or line 338 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test30_a test30_a:file ioctl { 0x9521 };", + "neverallowxperm on line 338 of policies/test-neverallow/policy_not_self.conf.std (or line 338 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test30_a test30_a:file ioctl { 0x9521 };", + "neverallowxperm on line 349 of policies/test-neverallow/policy_not_self.conf.std (or line 349 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test31_1_a test31_2_a:file ioctl { 0x9521 };", + "neverallowxperm on line 349 of policies/test-neverallow/policy_not_self.conf.std (or line 349 of policies/test-neverallow/policy_not_self.conf.std) violated by\nallowxperm test31_1_a test31_2_a:file ioctl { 0x9521 };", + }; + + if (policydb_init(&base_expanded)) + CU_FAIL_FATAL("Failed to initialize policy"); + + if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy_not_self.conf")) + CU_FAIL_FATAL("Failed to load policy"); + + if (link_modules(NULL, &basemod, NULL, 0, 0)) + CU_FAIL_FATAL("Failed to link base module"); + + if (expand_module(NULL, &basemod, &base_expanded, 0, 0)) + CU_FAIL_FATAL("Failed to expand policy"); + + if ((handle = sepol_handle_create()) == NULL) + CU_FAIL_FATAL("Failed to initialize handle"); + + sepol_msg_set_callback(handle, msg_handler, NULL); + + if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1) + CU_FAIL("Assertions did not trigger"); + + messages_check(ARRAY_SIZE(expected_messages), expected_messages); + + sepol_handle_destroy(handle); + messages_clean(); + policydb_destroy(&basemod); + policydb_destroy(&base_expanded); +} + int neverallow_add_tests(CU_pSuite suite) { /* @@ -168,5 +238,10 @@ int neverallow_add_tests(CU_pSuite suite) return CU_get_error(); } + if (NULL == CU_add_test(suite, "neverallow_not_self", test_neverallow_not_self)) { + CU_cleanup_registry(); + return CU_get_error(); + } + return 0; } From patchwork Fri Nov 25 15:49:51 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13056105 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A23BC43217 for ; Fri, 25 Nov 2022 15:50:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229580AbiKYPuH (ORCPT ); Fri, 25 Nov 2022 10:50:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37156 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229646AbiKYPuG (ORCPT ); Fri, 25 Nov 2022 10:50:06 -0500 Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5BC8823BE7 for ; Fri, 25 Nov 2022 07:50:03 -0800 (PST) Received: by mail-ed1-x532.google.com with SMTP id m19so5680408edj.8 for ; Fri, 25 Nov 2022 07:50:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=IxD54J+GUsHU04sgsA02on4dYdVMtR+ExK1e4lRBiBI=; b=bXKWcP8ci3sT3sAk0c6u4IOm1WaUPgpEm/Yqf4To7CodScYKwQKZLu3hlUwoj8M6It TtsZ/uqgTMJyWueRltZw0wPRSE/AFIWem0K2y6iHBSRrfItPlVA4OUPsXhHWjJlvMBT6 T/Pk9gnsVBO/5zPNSWXqO9cwYKsgnvJ7EnCCaFm8rpwotDWu3MliIZlWQp4KN7Vb5g03 IdZa+HQ2oC8ej0kH/owYVucf1FliRy9vuJq8iaSbr1YGaLwR5nxldtDXQLJsHQhV0038 eCg3iGtaiadTAHFgSzAKDYGKRzrZmWw2ASAHH/VuAYCdfbMG3+A5Ff2hO/+eq+KI7IJQ T5UQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=IxD54J+GUsHU04sgsA02on4dYdVMtR+ExK1e4lRBiBI=; b=CiTJgUDLvgFyA+pTlbXgMsU50x5i2S1xMBjuZ3mDkNZvl7i0BKX/MtHBYUMZe9DV2e ZbA3im6AO7H0Nj9OhmM+ZM6NBXc6IHFeOpz1Z8XAWYd16zESSOJ3V0B9FEshJe6Gn61D YLrlDCN2Oa3kHIHiEQT8aqTD4qQ2zH8yQwf0xZ/hiVTzzWyYvz1mEImraj46cMAqrB3i EQygLiZD8O5R2WHtGCJNxOEouvfLgQCnnUvUg8lq7/Qdtav2uMuOcdUqxVRlK00bTsUY PbP+Ye6wiJau8ERJgBJtLXDt69Z8FruUbI0ntf+e1hZqpjDS089PJ62cKQrpZrNNem5T CmBQ== X-Gm-Message-State: ANoB5pkCTUjDyMiRbK46qQ5iMPBsdcTNWJDfM1lRvyscLQVOVp5c9rt1 PTu1CXXMEf24031iR4Wjkhb1pJleDvs= X-Google-Smtp-Source: AA0mqf7cTMRgtVCn7+ZAPc7B60oIm7/0xVGTj0/2JEvcpX5F/TJ7svWFxpxE7XIghUyRjNic/krF4g== X-Received: by 2002:a05:6402:143:b0:463:f8aa:d2bf with SMTP id s3-20020a056402014300b00463f8aad2bfmr36164849edu.358.1669391401729; Fri, 25 Nov 2022 07:50:01 -0800 (PST) Received: from debianHome.localdomain (dynamic-077-003-154-194.77.3.pool.telefonica.de. [77.3.154.194]) by smtp.gmail.com with ESMTPSA id b14-20020a17090630ce00b0078df26efb7dsm1677136ejb.107.2022.11.25.07.50.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Nov 2022 07:50:01 -0800 (PST) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH v4 5/6] libsepol/tests: add tests for minus self neverallow rules Date: Fri, 25 Nov 2022 16:49:51 +0100 Message-Id: <20221125154952.20910-6-cgzones@googlemail.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221125154952.20910-1-cgzones@googlemail.com> References: <20221125154952.20910-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Signed-off-by: Christian Göttsche Acked-by: James Carter --- .../test-neverallow/policy_minus_self.conf | 369 ++++++++++++++++++ libsepol/tests/test-neverallow.c | 74 ++++ 2 files changed, 443 insertions(+) create mode 100644 libsepol/tests/policies/test-neverallow/policy_minus_self.conf diff --git a/libsepol/tests/policies/test-neverallow/policy_minus_self.conf b/libsepol/tests/policies/test-neverallow/policy_minus_self.conf new file mode 100644 index 00000000..58a71059 --- /dev/null +++ b/libsepol/tests/policies/test-neverallow/policy_minus_self.conf @@ -0,0 +1,369 @@ +class process +class blk_file +class chr_file +class dir +class fifo_file +class file +class lnk_file +class sock_file + +class class5 +class class6 +class class7 +class class17 + +sid kernel +sid security +sid unlabeled +sid file +sid port +sid netif +sid netmsg +sid node +sid devnull + +class process { dyntransition transition } +class file { ioctl read write } + +class class5 { perm } +class class6 { perm } +class class7 { perm } +class class17 { ioctl } + +ifdef(`enable_mls',` +sensitivity s0; +dominance { s0 } +category c0; category c1; category c2; category c3; +category c4; category c5; category c6; category c7; +category c8; category c9; category c10; category c11; +category c12; category c13; category c14; category c15; +category c16; category c17; category c18; category c19; +category c20; category c21; category c22; category c23; + +level s0:c0.c23; + +mlsconstrain file { write } ( h1 dom h2 ); +') + + +######################################## +# +# Test start +# +######################################## + + +## Test 1 (single type) + +type test1_t; +allow test1_t test1_t : file read; +neverallow test1_t { test1_t -self } : file read; # nofail + + +## Test 2 (single type) + +type test2_t; +allow test2_t self : file read; +neverallow test2_t { test1_t -self } : file read; # nofail + +## Test 3 (single type) + +type test3_1_t; +type test3_2_t; +allow test3_1_t test3_2_t : file read; +neverallow test3_1_t { test3_2_t -self } : file read; + + +## Test 4 (two types I) + +type test4_1_t; +type test4_2_t; +allow { test4_1_t test4_2_t } { test4_1_t test4_2_t } : file read; +neverallow test4_1_t { test4_1_t test4_2_t -self } : file read; + + +## Test 5 (two types II) + +type test5_1_t; +type test5_2_t; +allow { test5_1_t test5_2_t } { test5_1_t test5_2_t } : class5 perm; +neverallow * { test5_1_t test5_2_t -self } : class5 perm; + + +## Test 6 (two types III) + +type test6_1_t; +type test6_2_t; +allow { test6_1_t test6_2_t } { test6_1_t test6_2_t } : class6 perm; +neverallow * { test6_2_t -self } : class6 perm; + + +## Test 7 (two types IV) + +type test7_1_t; +type test7_2_t; +allow { test7_1_t test7_2_t } test7_2_t : class7 perm; +neverallow * { test7_1_t -self } : class7 perm; # nofail + + +## Test 8 (attribute violates type I) + +attribute test8_a; +type test8_1_t, test8_a; +type test8_2_t, test8_a; +allow test8_a test8_a : file read; +neverallow test8_1_t { test8_a -self } : file *; + + +## Test 9 (attribute violates type II) + +attribute test9_a; +type test9_1_t, test9_a; +type test9_2_t, test9_a; +allow test9_1_t test9_a : file read; +neverallow test9_1_t { test9_a -self } : file *; + + +## Test 10 (attribute violates type III) + +attribute test10_1_a; +attribute test10_2_a; +type test10_1_t, test10_1_a, test10_1_a; +type test10_2_t, test10_1_a, test10_1_a; +allow test10_1_a test10_1_a : file read; +neverallow test10_1_t { test10_2_a -self } : file *; + + +## Test 11 (attribute violates attribute I) + +attribute test11_1_a; +attribute test11_2_a; +type test11_1_t, test11_1_a, test11_2_a; +type test11_2_t, test11_1_a, test11_2_a; +allow test11_1_t self : file read; +allow test11_2_t test11_2_t : file read; +neverallow test11_1_a { test11_2_a -self } : file *; # nofail + + +## Test 12 (attribute violates attribute II) + +attribute test12_a; +type test12_1_t, test12_a; +type test12_2_t, test12_a; +allow test12_1_t test12_2_t : file read; +neverallow test12_a { test12_a -self } : file *; + + +## Test 13 (attribute violates attribute III) + +attribute test13_a; +type test13_1_t, test13_a; +type test13_2_t, test13_a; +allow test13_1_t test13_a : file read; +neverallow test13_a { test13_a -self } : file *; + + +## Test 14 (attribute violates attribute IV) + +attribute test14_a; +type test14_1_t, test14_a; +type test14_2_t, test14_a; +allow test14_a test14_a : file read; +neverallow test14_a { test14_a -self } : file *; + + +# ## Test 15 (attribute violates attribute V) + +attribute test13_1_a; +attribute test13_2_a; +type test13_t, test13_1_a, test13_2_a; +allow test13_1_a test13_2_a : file read; +neverallow test13_a { test13_2_a -self } : file *; + + +## Test 16 (types violate attribute) + +attribute test16_a; +type test16_1_t, test16_a; +type test16_2_t, test16_a; +allow { test16_1_t test16_2_t } { test16_1_t test16_2_t } : file read; +neverallow test16_a { test16_a -self } : file ~write; + + +## Test 17 (extended permissions I) + +type test17_1_t; +type test17_2_t; +allow { test17_1_t test17_2_t } { test17_1_t test17_2_t } : class17 ioctl; +neverallowxperm ~test17_2_t { test17_1_t test17_2_t -self } : class17 ioctl 0x1111; + + +## Test 18 (extended permissions II) + +type test18_1_t; +type test18_2_t; +allow { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl; +allowxperm { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl 0x1111; +neverallowxperm { test18_1_t test18_2_t } { test18_1_t test18_2_t -self } : file ioctl 0x2222; # nofail + + +## Test 19 (extended permissions III) + +type test19_1_t; +type test19_2_t; +allow { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl; +allowxperm { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl { 0x0100 - 0x0102 }; +neverallowxperm test19_2_t { test19_1_t test19_2_t -self } : file ioctl { 0x0101 - 0x0104 }; + + +## Test 20 (extended permissions IV) + +type test20_1_t; +type test20_2_t; +allow { test20_1_t test20_2_t } { test20_1_t test20_2_t } : file ioctl; +allowxperm test20_1_t test20_1_t : file ioctl 0x0101; +allowxperm test20_1_t test20_2_t : file ioctl 0x0102; +allowxperm test20_2_t test20_1_t : file ioctl 0x0103; +allowxperm test20_2_t test20_2_t : file ioctl 0x0104; +neverallowxperm { test20_1_t test20_2_t } { test20_1_t test20_2_t -self } : file ioctl { 0x0000 - 0x9000 }; + + +## Test 21 (extended permissions V) + +attribute test21_a; +type test21_1_t, test21_a; +type test21_2_t, test21_a; +allow test21_a test21_a : file ioctl; +allowxperm test21_a test21_a : file ioctl 0x9501; +neverallowxperm test21_1_t { test21_a -self } : file ioctl 0x9511; # nofail + + +## Test 22 (extended permissions VI) + +type test22_t; +allow test22_t self : file ioctl; +allowxperm test22_t self : file ioctl 0x9501; +allowxperm test22_t self : file ioctl 0x9511; +neverallowxperm test22_t { test22_t -self } : file ioctl 0x9511; # nofail + + +## Test 23 (extended permissions VII) + +attribute test23_a; +type test23_1_t, test23_a; +type test23_2_t, test23_a; +allow test23_a test23_a : file ioctl; +allowxperm test23_a test23_a : file ioctl 0x9501; +allowxperm test23_1_t test23_2_t : file ioctl 0x9511; +neverallowxperm test23_1_t { test23_a -self } : file ioctl 0x9511; + + +## Test 24 (extended permissions VII) + +attribute test24_a; +type test24_1_t, test24_a; +type test24_2_t, test24_a; +allow test24_a test24_a : file ioctl; +allowxperm test24_a test24_a : file ioctl 0x9501; +allowxperm test24_1_t test24_a : file ioctl 0x9511; +neverallowxperm test24_1_t { test24_a -self } : file ioctl 0x9511; + + +## Test 25 (extended permissions IX) + +attribute test25_a; +type test25_1_t, test25_a; +type test25_2_t, test25_a; +allow test25_a test25_a : file ioctl; +allowxperm test25_a test25_a : file ioctl 0x9501; +allowxperm test25_a test25_a : file ioctl 0x9511; +neverallowxperm test25_1_t { test25_a -self } : file ioctl 0x9511; + + +## Test 26 (extended permissions X) + +attribute test26_1_a; +attribute test26_2_a; +type test26_1_t, test26_1_a, test26_2_a; +type test26_2_t, test26_1_a, test26_2_a; +allow { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl; +allowxperm { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl 0x9501; +allowxperm test26_1_a test26_2_a : file ioctl 0x9511; +neverallowxperm test26_1_t { test26_2_a -self } : file ioctl 0x9511; + + +# ## Test 27 (extended permissions attribute violation I) + +attribute test27_a; +type test27_1_t, test27_a; +type test27_2_t, test27_a; +allow test27_a test27_a : file ioctl; +allowxperm test27_a test27_a : file ioctl 0x9501; +allowxperm test27_1_t self : file ioctl 0x9521; +allowxperm test27_2_t test27_2_t : file ioctl 0x9521; +neverallowxperm test27_a { test27_a -self } : file ioctl 0x9521; # nofail + + +# ## Test 28 (extended permissions attribute violation II) + +attribute test28_a; +type test28_1_t, test28_a; +type test28_2_t, test28_a; +allow test28_a test28_a : file ioctl; +allowxperm test28_1_t test28_2_t : file ioctl 0x9521; +neverallowxperm test28_a { test28_a -self } : file ioctl 0x9521; + + +## Test 29 (extended permissions attribute violation III) + +attribute test29_a; +type test29_1_t, test29_a; +type test29_2_t, test29_a; +allow test29_a test29_a : file ioctl; +allowxperm test29_1_t test29_a : file ioctl 0x9521; +neverallowxperm test29_a { test29_a -self } : file ioctl 0x9521; + + +## Test 30 (extended permissions attribute violation IV) + +attribute test30_a; +type test30_1_t, test30_a; +type test30_2_t, test30_a; +allow test30_a test30_a : file ioctl; +allowxperm test30_a test30_a : file ioctl 0x9521; +neverallowxperm test30_a { test30_a -self } : file ioctl 0x9521; + + +## Test 31 (extended permissions attribute violation V) + +attribute test31_1_a; +attribute test31_2_a; +type test31_1_t, test31_1_a, test31_2_a; +type test31_2_t, test31_1_a, test31_2_a; +allow test31_1_a test31_1_a : file ioctl; +allowxperm test31_1_a test31_2_a : file ioctl 0x9521; +neverallowxperm test31_1_a { test31_2_a -self } : file ioctl 0x9521; + + +######################################## +# +# Test End +# +######################################## + + +type sys_isid; +role sys_role; +role sys_role types sys_isid; +gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23) +sid kernel gen_context(sys_user:sys_role:sys_isid, s0) +sid security gen_context(sys_user:sys_role:sys_isid, s0) +sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0) +sid file gen_context(sys_user:sys_role:sys_isid, s0) +sid port gen_context(sys_user:sys_role:sys_isid, s0) +sid netif gen_context(sys_user:sys_role:sys_isid, s0) +sid netmsg gen_context(sys_user:sys_role:sys_isid, s0) +sid node gen_context(sys_user:sys_role:sys_isid, s0) +sid devnull gen_context(sys_user:sys_role:sys_isid, s0) +fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0); +fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0); diff --git a/libsepol/tests/test-neverallow.c b/libsepol/tests/test-neverallow.c index c6518ebb..c0a2bfa8 100644 --- a/libsepol/tests/test-neverallow.c +++ b/libsepol/tests/test-neverallow.c @@ -154,6 +154,75 @@ static void test_neverallow_basic(void) policydb_destroy(&base_expanded); } +static void test_neverallow_minus_self(void) +{ + policydb_t basemod, base_expanded; + sepol_handle_t *handle; + static const char *const expected_messages[] = { + "33 neverallow failures occurred", + "neverallow on line 77 of policies/test-neverallow/policy_minus_self.conf.std (or line 77 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test3_1_t test3_2_t:file { read };", + "neverallow on line 85 of policies/test-neverallow/policy_minus_self.conf.std (or line 85 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test4_1_t test4_2_t:file { read };", + "neverallow on line 93 of policies/test-neverallow/policy_minus_self.conf.std (or line 93 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test5_1_t test5_2_t:class5 { perm };", + "neverallow on line 93 of policies/test-neverallow/policy_minus_self.conf.std (or line 93 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test5_2_t test5_1_t:class5 { perm };", + "neverallow on line 101 of policies/test-neverallow/policy_minus_self.conf.std (or line 101 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test6_1_t test6_2_t:class6 { perm };", + "neverallow on line 118 of policies/test-neverallow/policy_minus_self.conf.std (or line 118 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test8_1_t test8_2_t:file { read };", + "neverallow on line 127 of policies/test-neverallow/policy_minus_self.conf.std (or line 127 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test9_1_t test9_2_t:file { read };", + "neverallow on line 137 of policies/test-neverallow/policy_minus_self.conf.std (or line 137 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test10_1_t test10_2_t:file { read };", + "neverallow on line 157 of policies/test-neverallow/policy_minus_self.conf.std (or line 157 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test12_1_t test12_2_t:file { read };", + "neverallow on line 166 of policies/test-neverallow/policy_minus_self.conf.std (or line 166 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test13_1_t test13_2_t:file { read };", + "neverallow on line 175 of policies/test-neverallow/policy_minus_self.conf.std (or line 175 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test14_1_t test14_2_t:file { read };", + "neverallow on line 175 of policies/test-neverallow/policy_minus_self.conf.std (or line 175 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test14_2_t test14_1_t:file { read };", + "neverallow on line 193 of policies/test-neverallow/policy_minus_self.conf.std (or line 193 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test16_1_t test16_2_t:file { read };", + "neverallow on line 193 of policies/test-neverallow/policy_minus_self.conf.std (or line 193 of policies/test-neverallow/policy_minus_self.conf.std) violated by allow test16_2_t test16_1_t:file { read };", + "neverallowxperm on line 201 of policies/test-neverallow/policy_minus_self.conf.std (or line 201 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallow test17_1_t test17_2_t:class17 { ioctl };", + "neverallowxperm on line 219 of policies/test-neverallow/policy_minus_self.conf.std (or line 219 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test19_2_t test19_1_t:file ioctl { 0x101-0x102 };", + "neverallowxperm on line 231 of policies/test-neverallow/policy_minus_self.conf.std (or line 231 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test20_1_t test20_2_t:file ioctl { 0x102 };", + "neverallowxperm on line 231 of policies/test-neverallow/policy_minus_self.conf.std (or line 231 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test20_2_t test20_1_t:file ioctl { 0x103 };", + "neverallowxperm on line 261 of policies/test-neverallow/policy_minus_self.conf.std (or line 261 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test23_1_t test23_2_t:file ioctl { 0x9511 };", + "neverallowxperm on line 272 of policies/test-neverallow/policy_minus_self.conf.std (or line 272 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test24_1_t test24_a:file ioctl { 0x9511 };", + "neverallowxperm on line 283 of policies/test-neverallow/policy_minus_self.conf.std (or line 283 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test25_a test25_a:file ioctl { 0x9511 };", + "neverallowxperm on line 295 of policies/test-neverallow/policy_minus_self.conf.std (or line 295 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };", + "neverallowxperm on line 295 of policies/test-neverallow/policy_minus_self.conf.std (or line 295 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };", + "neverallowxperm on line 295 of policies/test-neverallow/policy_minus_self.conf.std (or line 295 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };", + "neverallowxperm on line 295 of policies/test-neverallow/policy_minus_self.conf.std (or line 295 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test26_1_a test26_2_a:file ioctl { 0x9511 };", + "neverallowxperm on line 317 of policies/test-neverallow/policy_minus_self.conf.std (or line 317 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test28_1_t test28_2_t:file ioctl { 0x9521 };", + "neverallowxperm on line 317 of policies/test-neverallow/policy_minus_self.conf.std (or line 317 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallow test28_2_t test28_1_t:file { ioctl };", + "neverallowxperm on line 327 of policies/test-neverallow/policy_minus_self.conf.std (or line 327 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test29_1_t test29_a:file ioctl { 0x9521 };", + "neverallowxperm on line 327 of policies/test-neverallow/policy_minus_self.conf.std (or line 327 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallow test29_2_t test29_1_t:file { ioctl };", + "neverallowxperm on line 337 of policies/test-neverallow/policy_minus_self.conf.std (or line 337 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test30_a test30_a:file ioctl { 0x9521 };", + "neverallowxperm on line 337 of policies/test-neverallow/policy_minus_self.conf.std (or line 337 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test30_a test30_a:file ioctl { 0x9521 };", + "neverallowxperm on line 348 of policies/test-neverallow/policy_minus_self.conf.std (or line 348 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test31_1_a test31_2_a:file ioctl { 0x9521 };", + "neverallowxperm on line 348 of policies/test-neverallow/policy_minus_self.conf.std (or line 348 of policies/test-neverallow/policy_minus_self.conf.std) violated by\nallowxperm test31_1_a test31_2_a:file ioctl { 0x9521 };", + }; + + if (policydb_init(&base_expanded)) + CU_FAIL_FATAL("Failed to initialize policy"); + + if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy_minus_self.conf")) + CU_FAIL_FATAL("Failed to load policy"); + + if (link_modules(NULL, &basemod, NULL, 0, 0)) + CU_FAIL_FATAL("Failed to link base module"); + + if (expand_module(NULL, &basemod, &base_expanded, 0, 0)) + CU_FAIL_FATAL("Failed to expand policy"); + + if ((handle = sepol_handle_create()) == NULL) + CU_FAIL_FATAL("Failed to initialize handle"); + + sepol_msg_set_callback(handle, msg_handler, NULL); + + if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1) + CU_FAIL("Assertions did not trigger"); + + messages_check(ARRAY_SIZE(expected_messages), expected_messages); + + sepol_handle_destroy(handle); + messages_clean(); + policydb_destroy(&basemod); + policydb_destroy(&base_expanded); +} + static void test_neverallow_not_self(void) { policydb_t basemod, base_expanded; @@ -243,5 +312,10 @@ int neverallow_add_tests(CU_pSuite suite) return CU_get_error(); } + if (NULL == CU_add_test(suite, "neverallow_minus_self", test_neverallow_minus_self)) { + CU_cleanup_registry(); + return CU_get_error(); + } + return 0; } From patchwork Fri Nov 25 15:49:52 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13056102 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AE344C4167B for ; Fri, 25 Nov 2022 15:50:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229495AbiKYPuG (ORCPT ); Fri, 25 Nov 2022 10:50:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37312 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229673AbiKYPuF (ORCPT ); Fri, 25 Nov 2022 10:50:05 -0500 Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D6A1547336 for ; Fri, 25 Nov 2022 07:50:03 -0800 (PST) Received: by mail-ed1-x536.google.com with SMTP id e13so6908701edj.7 for ; Fri, 25 Nov 2022 07:50:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Q4vy3eFLQqP4wvv1ZE71PHa7+htMdMw/1aLRojabWOE=; b=l8msLN/++udlBmuxkrcDP63FS+dSb9B8t1A2YJYwvqIUOD79C1boy/YLbyLYMJS2Uo i/TTH4Tv7MCTq/OjMDqymGEtVOY92DhR/88/ir+kPBouOM0odzmj0qpu6hKcNNTkOEWK E4Mwif0mX31zs8f4LNy2J054SV/t1Yg1X0GsRoN1FH5HoIJo/gJyEfZ9DN5CGSxxPErY A1F0Tl1PxUaXn6nSwgd6nAorVp5o2oxCZIQW7wu5dUem2SGvDrTxY9QL5Y2tjuwfwNns g79m8j3peTvU5Fw57kIfiU+L8VgAhHgu/iBPGkcqJk/r+lM3Q5XM9kb//aon/CNp+KXI 9UXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Q4vy3eFLQqP4wvv1ZE71PHa7+htMdMw/1aLRojabWOE=; b=7OyN0jyaECn+sYcB5N+BfHRc128kazllytuOJFqDAQ2QAP4GAH4f0EF/y69eMut0QR d6+bonZ/HUF8oOfjNXMyq4ofz4QSXAKIRS6zAJgTMkDfOG4F7GsWi4mJZbyE8eKNxX10 jzm+oEhcipVv4nVa0NdbG7G0fHmvoVpWTSck6KqGpdVpKxsHLf9icN0Bx0FmfpqPRqw+ HGXo1JGSSp7/V538tKviI3hoJh6PsO5QY90N7Os+48n8SG2tyrG2p6lcDgUKUeDJdXCw 44PsNmV9HHw7WqXyWhb83md/LFsQDX6UvZFDZbVYnJFHLfCyfUoPjUuY0KGq/F3kd06O G1sA== X-Gm-Message-State: ANoB5plsa9OOO0kEc/lxKtLqvVXzxHyKl3fU76ddwLt4oQXth0mp5+5d TyUZUVb5Q5XGB8eofCxpmJDO3OCCROk= X-Google-Smtp-Source: AA0mqf7WTS51myGF7RSB9gFd6mDlGcTYIy7YQ2d1ziqNZTDSeo2Sr6mgp1uV2Ihu029nJ2BTvXEEjA== X-Received: by 2002:aa7:d816:0:b0:458:4868:814 with SMTP id v22-20020aa7d816000000b0045848680814mr36027727edq.190.1669391402309; Fri, 25 Nov 2022 07:50:02 -0800 (PST) Received: from debianHome.localdomain (dynamic-077-003-154-194.77.3.pool.telefonica.de. [77.3.154.194]) by smtp.gmail.com with ESMTPSA id b14-20020a17090630ce00b0078df26efb7dsm1677136ejb.107.2022.11.25.07.50.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Nov 2022 07:50:01 -0800 (PST) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH v4 6/6] libsepol: update CIL generation for trivial not-self rules Date: Fri, 25 Nov 2022 16:49:52 +0100 Message-Id: <20221125154952.20910-7-cgzones@googlemail.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221125154952.20910-1-cgzones@googlemail.com> References: <20221125154952.20910-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Convert trivial not-self neverallow rules to CIL, e.g. neverallow TYPE1 ~self:CLASS1 PERM1; into (neverallow TYPE1 notself (CLASS1 (PERM1))) More complex targets are not yet supported in CIL and will fail to convert, e.g.: neverallow TYPE1 ~{ self ATTR1 } : CLASS1 PERM1; neverallow TYPE2 { ATTR2 -self } : CLASS2 PERM2; Signed-off-by: Christian Göttsche Acked-by: James Carter --- libsepol/src/module_to_cil.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index b900290a..2d5d1d6d 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -1201,10 +1201,23 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a goto exit; } - ts = &avrule->ttypes; - rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); - if (rc != 0) { - goto exit; + if (avrule->flags & RULE_NOTSELF) { + if (!ebitmap_is_empty(&avrule->ttypes.types) || !ebitmap_is_empty(&avrule->ttypes.negset)) { + if (avrule->source_filename) { + log_err("%s:%lu: Non-trivial neverallow rules with targets containing not or minus self not yet supported", + avrule->source_filename, avrule->source_line); + } else { + log_err("Non-trivial neverallow rules with targets containing not or minus self not yet supported"); + } + rc = -1; + goto exit; + } + } else { + ts = &avrule->ttypes; + rc = process_typeset(pdb, ts, attr_list, &tnames, &num_tnames); + if (rc != 0) { + goto exit; + } } for (s = 0; s < num_snames; s++) { @@ -1228,6 +1241,15 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a if (rc != 0) { goto exit; } + } else if (avrule->flags & RULE_NOTSELF) { + if (avrule->specified & AVRULE_XPERMS) { + rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms, avrule->xperms); + } else { + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "notself", avrule->perms); + } + if (rc != 0) { + goto exit; + } } }