Commit 99fc177b "Add neverallow support for ioctl extended permissions"
first checks to see if the ioctl permission is granted, then checks to
see if the same source/target violates a neverallowed ioctl command.
Unfortunately this does not address the case where the ioctl permission
and extended permissions are granted on different attributes. Example,
the following will incorrectly cause a neverallow violation.
allow untrusted_app self:tcp_socket ioctl;
allowxperm domain domain:tcp_socket unpriv_sock_ioctls;
neverallowxperm untrusted_app domain:tcp_socket ~unpriv_sock_ioctls;
The fix is to enumerate over the source and target attributes when
looking for extended permission violations.
Note: The bug this addresses incorrectly asserts that a violation has
occurred. Actual neverallow violations are always caught.
Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
---
libsepol/src/assertion.c | 93 +++++++++++++++++++++++++++++++-----------------
1 file changed, 60 insertions(+), 33 deletions(-)
diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index fbf397f..f4429ad 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -147,36 +147,49 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
avtab_key_t tmp_key;
avtab_extended_perms_t *xperms;
avtab_extended_perms_t error;
+ ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
+ ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
+ ebitmap_node_t *snode, *tnode;
+ unsigned int i, j;
int rc = 1;
int ret = 0;
memcpy(&tmp_key, k, sizeof(avtab_key_t));
tmp_key.specified = AVTAB_XPERMS_ALLOWED;
- for (node = avtab_search_node(avtab, &tmp_key);
- node;
- node = avtab_search_node_next(node, tmp_key.specified)) {
- xperms = node->datum.xperms;
- if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
- && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ tmp_key.source_type = i + 1;
+ tmp_key.target_type = j + 1;
+ for (node = avtab_search_node(avtab, &tmp_key);
+ node;
+ node = avtab_search_node_next(node, tmp_key.specified)) {
+ xperms = node->datum.xperms;
+ if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
+ && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+ continue;
- rc = check_extended_permissions(avrule->xperms, xperms);
- /* failure on the extended permission check_extended_permissionss */
- if (rc) {
- extended_permissions_violated(&error, avrule->xperms, xperms);
- ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
- "allowxperm %s %s:%s %s;",
- avrule->source_line, avrule->source_filename, avrule->line,
- p->p_type_val_to_name[stype],
- p->p_type_val_to_name[ttype],
- p->p_class_val_to_name[curperm->tclass - 1],
- sepol_extended_perms_to_string(&error));
-
- rc = 0;
- ret++;
+ rc = check_extended_permissions(avrule->xperms, xperms);
+ /* failure on the extended permission check_extended_permissionss */
+ if (rc) {
+ extended_permissions_violated(&error, avrule->xperms, xperms);
+ ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
+ "allowxperm %s %s:%s %s;",
+ avrule->source_line, avrule->source_filename, avrule->line,
+ p->p_type_val_to_name[stype],
+ p->p_type_val_to_name[ttype],
+ p->p_class_val_to_name[curperm->tclass - 1],
+ sepol_extended_perms_to_string(&error));
+
+ rc = 0;
+ ret++;
+ }
+ }
}
-
}
/* failure on the regular permissions */
@@ -319,28 +332,42 @@ oom:
* granted
*/
static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
- avtab_key_t *k)
+ avtab_key_t *k, policydb_t *p)
{
avtab_ptr_t node;
avtab_key_t tmp_key;
avtab_extended_perms_t *xperms;
av_extended_perms_t *neverallow_xperms = avrule->xperms;
+ ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
+ ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
+ ebitmap_node_t *snode, *tnode;
+ unsigned int i, j;
int rc = 1;
memcpy(&tmp_key, k, sizeof(avtab_key_t));
tmp_key.specified = AVTAB_XPERMS_ALLOWED;
- for (node = avtab_search_node(avtab, &tmp_key);
- node;
- node = avtab_search_node_next(node, tmp_key.specified)) {
- xperms = node->datum.xperms;
- if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
- && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
continue;
-
- rc = check_extended_permissions(neverallow_xperms, xperms);
- if (rc)
- break;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ tmp_key.source_type = i + 1;
+ tmp_key.target_type = j + 1;
+ for (node = avtab_search_node(avtab, &tmp_key);
+ node;
+ node = avtab_search_node_next(node, tmp_key.specified)) {
+ xperms = node->datum.xperms;
+
+ if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
+ && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
+ continue;
+ rc = check_extended_permissions(neverallow_xperms, xperms);
+ if (rc)
+ break;
+ }
+ }
}
return rc;
@@ -386,7 +413,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
goto exit;
if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
- rc = check_assertion_extended_permissions(avrule, avtab, k);
+ rc = check_assertion_extended_permissions(avrule, avtab, k, p);
if (rc == 0)
goto exit;
}
--
2.8.0.rc3.226.g39d4020
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
