Re: [PATCH] Fix neverallowxperm checking on attributes


 



On 05/18/2016 05:53 PM, Jeff Vander Stoep wrote:
> The following test policy is incorrectly reported as a neverallowxperm failure.
> 
> 	attribute test1_attr1;
> 	attribute test1_attr2;
> 	type test1_type1, test1_attr1, test1_attr2;
> 
> 	allow test1_type1 test1_attr1:socket ioctl;
> 	allowxperm test1_type1 test1_attr2:socket ioctl { 1 };
> 	neverallowxperm test1_attr1 test1_attr1:socket ioctl { 0 }
> 
> To handle attributes correctly, the neverallowxperm checking has been
> modified. Now when the ioctl permission is granted on an avtab entry
> that matches an avrule neverallowxperm entry, the assertion checking
> first determines the matching source/target/class sets between the
> avtab entry and the neverallowxperm entry. Only the matching sets are
> enumerated over to determine if the neverallowed extended permissions
> exist and if they are granted. This is similar to how
> report_assertion_avtab_matches() reports neverallow failures.
> 
> Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>

Thanks, applied.

> ---
>  libsepol/src/assertion.c | 117 ++++++++++++++++++++++++++++++++++++++---------
>  1 file changed, 95 insertions(+), 22 deletions(-)
> 
> diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> index f4429ad..a4be880 100644
> --- a/libsepol/src/assertion.c
> +++ b/libsepol/src/assertion.c
> @@ -147,8 +147,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
>  	avtab_key_t tmp_key;
>  	avtab_extended_perms_t *xperms;
>  	avtab_extended_perms_t error;
> -	ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
> -	ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
> +	ebitmap_t *sattr = &p->type_attr_map[stype];
> +	ebitmap_t *tattr = &p->type_attr_map[ttype];
>  	ebitmap_node_t *snode, *tnode;
>  	unsigned int i, j;
>  	int rc = 1;
> @@ -174,14 +174,14 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
>  					continue;
>  
>  				rc = check_extended_permissions(avrule->xperms, xperms);
> -				/* failure on the extended permission check_extended_permissionss */
> +				/* failure on the extended permission check_extended_permissions */
>  				if (rc) {
>  					extended_permissions_violated(&error, avrule->xperms, xperms);
>  					ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
>  							"allowxperm %s %s:%s %s;",
>  							avrule->source_line, avrule->source_filename, avrule->line,
> -							p->p_type_val_to_name[stype],
> -							p->p_type_val_to_name[ttype],
> +							p->p_type_val_to_name[i],
> +							p->p_type_val_to_name[j],
>  							p->p_class_val_to_name[curperm->tclass - 1],
>  							sepol_extended_perms_to_string(&error));
>  
> @@ -317,29 +317,19 @@ oom:
>  }
>  
>  /*
> - * If the ioctl permission is granted in check_assertion_avtab_match for the
> - * source/target/class matching the current avrule neverallow, a lookup is
> - * performed to determine if extended permissions exist for the source/target/class.
> - *
> - * Four scenarios of interest:
> - * 1. PASS - the ioctl permission is not granted for this source/target/class
> - *    This case is handled in check_assertion_avtab_match
> - * 2. PASS - The ioctl permission is granted AND the extended permission
> - *    is NOT granted
> - * 3. FAIL - The ioctl permission is granted AND no extended permissions
> - *    exist
> - * 4. FAIL - The ioctl permission is granted AND the extended permission is
> - *    granted
> + * Look up the extended permissions in avtab and verify that neverallowed
> + * permissions are not granted.
>   */
> -static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
> +static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t *avtab,
> +						unsigned int stype, unsigned int ttype,
>  						avtab_key_t *k, policydb_t *p)
>  {
>  	avtab_ptr_t node;
>  	avtab_key_t tmp_key;
>  	avtab_extended_perms_t *xperms;
>  	av_extended_perms_t *neverallow_xperms = avrule->xperms;
> -	ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
> -	ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
> +	ebitmap_t *sattr = &p->type_attr_map[stype];
> +	ebitmap_t *tattr = &p->type_attr_map[ttype];
>  	ebitmap_node_t *snode, *tnode;
>  	unsigned int i, j;
>  	int rc = 1;
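Review bot: The rewritten header comment for `check_assertion_extended_permissions_avtab` does not say what the new `stype` and `ttype` parameters are, and they are easy to get wrong: they index `type_attr_map` directly, so they must be zero-based type indices (type value minus 1), whereas `source_type`/`target_type` in the `avtab_key_t` that is still passed in are one-based — the removed `k->source_type - 1` made that adjustment explicit and the new code moves it to the caller. Suggest extending the comment with `stype/ttype are zero-based type indices (type value - 1) into type_attr_map; k is presumably used only for its class/specified fields — confirm against the body`, since the function body continues outside this hunk. It would also help to state the return convention here, because `rc` starts at 1 and the rest of the function is not in view.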
> @@ -373,6 +363,89 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
>  	return rc;
>  }
>  
> +/*
> + * When the ioctl permission is granted on an avtab entry that matches an
> + * avrule neverallowxperm entry, enumerate over the matching
> + * source/target/class sets to determine if the extended permissions exist
> + * and if the neverallowed ioctls are granted.
> + *
> + * Four scenarios of interest:
> + * 1. PASS - the ioctl permission is not granted for this source/target/class
> + *    This case is handled in check_assertion_avtab_match
> + * 2. PASS - The ioctl permission is granted AND the extended permission
> + *    is NOT granted
> + * 3. FAIL - The ioctl permission is granted AND no extended permissions
> + *    exist
> + * 4. FAIL - The ioctl permission is granted AND the extended permission is
> + *    granted
> + */
> +static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
> +						avtab_key_t *k, policydb_t *p)
> +{
> +	ebitmap_t src_matches, tgt_matches, matches;
> +	unsigned int i, j;
> +	ebitmap_node_t *snode, *tnode;
> +	class_perm_node_t *cp;
> +	int rc;
> +	int ret = 1;
> +
> +	ebitmap_init(&src_matches);
> +	ebitmap_init(&tgt_matches);
> +	ebitmap_init(&matches);
> +	rc = ebitmap_and(&src_matches, &avrule->stypes.types,
> +			 &p->attr_type_map[k->source_type - 1]);
> +	if (rc)
> +		goto oom;
> +
> +	if (ebitmap_length(&src_matches) == 0)
> +		goto exit;
> +
> +	if (avrule->flags == RULE_SELF) {
> +		rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1],
> +				&p->attr_type_map[k->target_type - 1]);
> +		if (rc)
> +			goto oom;
> +		rc = ebitmap_and(&tgt_matches, &avrule->stypes.types, &matches);
> +		if (rc)
> +			goto oom;
> +	} else {
> +		rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types,
> +				&p->attr_type_map[k->target_type -1]);
> +		if (rc)
> +			goto oom;
> +	}
> +
> +	if (ebitmap_length(&tgt_matches) == 0)
> +		goto exit;
> +
> +	for (cp = avrule->perms; cp; cp = cp->next) {
> +		if (cp->tclass != k->target_class)
> +			continue;
> +		ebitmap_for_each_bit(&src_matches, snode, i) {
> +			if (!ebitmap_node_get_bit(snode, i))
> +				continue;
> +			ebitmap_for_each_bit(&tgt_matches, tnode, j) {
> +				if (!ebitmap_node_get_bit(tnode, j))
> +					continue;
> +
> +				ret = check_assertion_extended_permissions_avtab(
> +						avrule, avtab, i, j, k, p);
> +				if (ret)
> +					goto exit;
> +			}
> +		}
> +	}
> +	goto exit;
> +
> +oom:
> +	ERR(NULL, "Out of memory - unable to check neverallows");
> +
> +exit:
> +	ebitmap_destroy(&src_matches);
> +	ebitmap_destroy(&tgt_matches);
> +	ebitmap_destroy(&matches);
> +	return ret;
> +}
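Review bot: The `oom` label falls through to `exit` with `ret` still at its initial value of 1, so an allocation failure in any of the `ebitmap_and` calls is returned to the caller exactly like a genuine neverallowxperm violation and will presumably be counted as one, with only the ERR message telling them apart; if the caller distinguishes errors from violations (its return handling is outside this hunk), set `ret = rc;` under `oom:` or use a distinct negative value. The early `goto exit` on an empty `src_matches` or `tgt_matches` likewise returns 1, which reads as "violated" for a key the rule does not match at all; it is probably unreachable given the caller's own match checks, but an explicit `ret = 0;` before those jumps would make the intent clear. Separately, the `RULE_SELF` branch ignores `avrule->ttypes` entirely, so if a neverallowxperm can name both `self` and explicit target types, the explicit targets are never checked here and a violation against them would be missed.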
>  
>  static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *args)
>  {
> @@ -382,7 +455,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
>  	avrule_t *avrule = a->avrule;
>  	avtab_t *avtab = a->avtab;
>  
> -	if (k->specified != AVTAB_ALLOWED && k->specified != AVTAB_XPERMS_ALLOWED)
> +	if (k->specified != AVTAB_ALLOWED)
>  		goto exit;
>  
>  	if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
> 



