Use the libsepol bounds checking to check for and report user and
role bounds violations.
For type bounds checking, use libsepol bounds checking to determine
if there is a violation for a given type. For each violation display
an error message that includes the CIL AST from the root node to the
node of the rule causing the violation.
Example error report:
Child type b_t3_c exceeds bounds of parent b_t3
(allow b_t3_c b_tc (file (write)))
<root>
booleanif at line 148633 of cil.conf.bounds
true at line 148634 of cil.conf.bounds
allow at line 148636 of cil.conf.bounds
(allow b_t3_c b_tc (file (read write)))
Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
---
libsepol/cil/src/cil_binary.c | 135 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 135 insertions(+)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 066184a..6d095db 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -3903,6 +3903,130 @@ exit:
return rc;
}
+static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
+{
+ struct cil_classperms *cp;
+ struct cil_list *cp_list;
+ class_datum_t *sepol_class = pdb->class_val_to_struct[class - 1];
+ unsigned i;
+
+ cil_classperms_init(&cp);
+
+ cp->class = class_value_to_cil[class];
+ if (!cp->class) goto exit;
+
+ cil_list_init(&cp->perms, CIL_PERM);
+ for (i = 0; i < sepol_class->permissions.nprim; i++) {
+ struct cil_perm *perm;
+ if ((data & (1 << i)) == 0) continue;
+ perm = perm_value_to_cil[class][i+1];
+ if (!perm) goto exit;
+ cil_list_append(cp->perms, CIL_PERM, perm);
+ }
+
+ cil_list_init(&cp_list, CIL_CLASSPERMS);
+ cil_list_append(cp_list, CIL_CLASSPERMS, cp);
+
+ return cp_list;
+
+exit:
+ cil_log(CIL_ERR,"Failed to create CIL class-permissions from sepol values\n");
+ return NULL;
+}
+
+static int cil_avrule_from_sepol(policydb_t *pdb, avtab_ptr_t sepol_rule, struct cil_avrule *cil_rule, void *type_value_to_cil[], struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
+{
+ int rc = SEPOL_ERR;
+ avtab_key_t *k = &sepol_rule->key;
+ avtab_datum_t *d = &sepol_rule->datum;
+ cil_rule->src = type_value_to_cil[k->source_type];
+ if (!cil_rule->src) goto exit;
+
+ cil_rule->tgt = type_value_to_cil[k->target_type];
+ if (!cil_rule->tgt) goto exit;
+
+ cil_rule->classperms = cil_classperms_from_sepol(pdb, k->target_class, d->data, class_value_to_cil, perm_value_to_cil);
+ if (!cil_rule->classperms) goto exit;
+
+ return SEPOL_OK;
+
+exit:
+ cil_log(CIL_ERR,"Failed to create CIL AV rule from sepol values\n");
+ return rc;
+}
+
+static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void *type_value_to_cil, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
+{
+ int rc = SEPOL_OK;
+ int i;
+
+ for (i = 0; i < db->num_types; i++) {
+ type_datum_t *child;
+ type_datum_t *parent;
+ avtab_ptr_t bad = NULL;
+ int numbad = 0;
+ struct cil_type *t = db->val_to_type[i];
+
+ if (!t->bounds) continue;
+
+ rc = __cil_get_sepol_type_datum(pdb, DATUM(t), &child);
+ if (rc != SEPOL_OK) goto exit;
+
+ rc = __cil_get_sepol_type_datum(pdb, DATUM(t->bounds), &parent);
+ if (rc != SEPOL_OK) goto exit;
+
+ rc = bounds_check_type(NULL, pdb, child->s.value, parent->s.value, &bad, &numbad);
+ if (rc != SEPOL_OK) goto exit;
+
+ if (bad) {
+ avtab_ptr_t cur;
+ struct cil_avrule target;
+
+ target.rule_kind = CIL_AVRULE_ALLOWED;
+ target.src_str = NULL;
+ target.tgt_str = NULL;
+
+ cil_log(CIL_ERR, "Child type %s exceeds bounds of parent %s\n",
+ t->datum.fqn, t->bounds->datum.fqn);
+ for (cur = bad; cur; cur = cur->next) {
+ struct cil_list_item *i2;
+ struct cil_list *matching;
+ struct cil_tree_node *n;
+
+ rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed to convert sepol avrule to CIL\n");
+ goto exit;
+ }
+ __cil_print_rule(" ", "allow", &target);
+ cil_list_init(&matching, CIL_NODE);
+ rc = cil_find_matching_avrule_in_ast(db->ast->root, CIL_AVRULE, &target, matching, CIL_FALSE);
+ if (rc) {
+ cil_log(CIL_ERR, "Error occurred while checking type bounds\n");
+ cil_list_destroy(&matching, CIL_FALSE);
+ cil_list_destroy(&target.classperms, CIL_TRUE);
+ bounds_destroy_bad(bad);
+ goto exit;
+ }
+
+ cil_list_for_each(i2, matching) {
+ __cil_print_parents(" ", (struct cil_tree_node *)i2->data);
+ }
+ i2 = matching->tail;
+ n = i2->data;
+ __cil_print_rule(" ", "allow", n->data);
+ cil_log(CIL_ERR,"\n");
+ cil_list_destroy(&matching, CIL_FALSE);
+ cil_list_destroy(&target.classperms, CIL_TRUE);
+ }
+ bounds_destroy_bad(bad);
+ }
+ }
+
+exit:
+ return rc;
+}
+
// assumes policydb is already allocated and initialized properly with things
// like policy type set to kernel and version set appropriately
int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *policydb)
@@ -4022,6 +4146,17 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
cil_log(CIL_INFO, "Checking Neverallows\n");
rc = cil_check_neverallows(db, pdb, neverallows);
if (rc != SEPOL_OK) goto exit;
+
+ cil_log(CIL_INFO, "Checking User Bounds\n");
+ bounds_check_users(NULL, pdb);
+
+ cil_log(CIL_INFO, "Checking Role Bounds\n");
+ bounds_check_roles(NULL, pdb);
+
+ cil_log(CIL_INFO, "Checking Type Bounds\n");
+ rc = cil_check_type_bounds(db, pdb, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
+ if (rc != SEPOL_OK) goto exit;
+
}
rc = SEPOL_OK;
--
1.9.3
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
