On 04/29/2016 03:53 PM, James Carter wrote:
> The current bounds checking of both source and target types
> requires allowing any domain that has access to the child domain
> to also have the same permissions to the parent, which is undesirable.
> Drop the target bounds expansion and checking.
>
> Making this change fully functional requires a corresponding kernel
> change; this change only allows one to build policies that would
> otherwise violate the bounds checking on target type. The kernel
> change is required to allow the permissions at runtime.
>
> Based on patch by Stephen Smalley.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
> libsepol/src/hierarchy.c | 37 -------------------------------------
> 1 file changed, 37 deletions(-)
>
> diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c
> index 6f73195..b24b39e 100644
> --- a/libsepol/src/hierarchy.c
> +++ b/libsepol/src/hierarchy.c
> @@ -121,18 +121,6 @@ static int bounds_expand_rule(sepol_handle_t *handle, policydb_t *p,
> }
> }
>
> - if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], parent - 1)) {
> - avtab_key.target_type = parent;
> - ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
> - if (!ebitmap_node_get_bit(tnode, i))
> - continue;
> - avtab_key.source_type = i + 1;
> - rc = bounds_insert_rule(handle, avtab, global, other,
> - &avtab_key, &datum);
> - if (rc) goto exit;
> - }
> - }
> -
> exit:
> return rc;
> }
> @@ -329,31 +317,6 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p,
> if (rc) goto exit;
> }
> }
> - if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], child - 1)) {
> - avtab_key.target_type = parent;
> - ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
> - if (!ebitmap_node_get_bit(tnode, i))
> - continue;
> - avtab_key.source_type = i + 1;
> - if (avtab_key.source_type == child) {
> - /* Checked above */
> - continue;
> - }
> - d = bounds_not_covered(global_avtab, cur_avtab,
> - &avtab_key, data);
> - if (!d) continue;
> - td = p->type_val_to_struct[i];
> - if (td && td->bounds) {
> - avtab_key.source_type = td->bounds;
> - d = bounds_not_covered(global_avtab, cur_avtab,
> - &avtab_key, data);
> - if (!d) continue;
> - }
> - (*numbad)++;
> - rc = bounds_add_bad(handle, i+1, child, class, d, bad);
> - if (rc) goto exit;
> - }
> - }
>
> exit:
> return rc;
> _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.