Hi All,
I am trying to document the semantics of bounded types, and I am puzzled
by two things:
1/ The rationale for type boundaries on *target* types
I understand type boundaries on source types: the idea is that, if typeA
is bounded by typeB, then typeA can not exert more permissions than
typeB. This would be declared with the following statement in the source
policy:
TYPEBOUND typeB typeA
What is a good use case for type boundaries on target types ?
2/ The logic of type_attribute_bounds_av in ss/services.c (kernel side)
This method is invoked to filter/limit an access vector according to the
type boundaries. Its logic goes as follows:
if(source type has a bound){ // SOURCE
../..
if(the bound is not violated)
return
../..
}
if(target type has a bound){ // TARGET
../..
if(the bound is not violated)
return
../..
}
if(target and source types have a bound){ // BOTH
../..
if(these bounds are not violated)
return
../..
}
if(there was a violation){
send audit message to user space
}
The early return statements seem to violate the intent of the code. For
instance, suppose that the source type is bounded and no access bits
violates these bounds, then the code will never evaluate whether bounds
on the target type are violated.
It seems to me that the logic should be:
// BOTH
else // SOURCE
else // TARGET
Instead of:
// SOURCE
// TARGET
// BOTH
I am looking forward to your replies.
Best,
Jacques
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
