Re: [Non-DoD Source] Re: any reason why a class mapping is not able to solve permissionx?

On 1/17/20 1:24 PM, Dominick Grift wrote:
On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
For example this:

(permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
(classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
(classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)

(allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))

Says:

<snip>
Building AST from Parse Tree
Destroying Parse Tree
Resolving AST
Failed to resolve classmapping statement at policy/base/class_maps.cil:994
Problem at policy/base/class_maps.cil:994
Pass 14 of resolution failed
Failed to resolve ast
Failed to compile cildb: -2
make: *** [Makefile:30: policy.32] Error 254

Am I doing something wrong or is this unsupported?


Class maps only support normal permissions, they do not support extended permissions.

Are we supposed to be able to use allowx rules in macros?


allowx rules are allowed in macros. I will see if I can reproduce the error below and figure out what's going wrong.

Jim

This works when the tunable is set false:

(tunable no_mac_addr true)

(block bla1
         (blockinherit system_agent_template)

         (macro stuff ((type ARG1))
                 (tunableif no_mac_addr
                   (true
                       (allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
                       (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
                   (false
                       (allow ARG1 self create_tcp_stream_socket_perms)))))

(block blah2
         (blockinherit system_agent_template)

         (call bla1.stuff (subj)))

But when the tunable is set true:
<snip>
Building AST from Parse Tree
Destroying Parse Tree
Resolving AST
make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)



--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
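Since class maps cannot carry extended permissions, the practical way to express "every socket class may ioctl except SIOCGIFHWADDR" is to declare one permissionx per concrete socket class and let a macro emit the per-class allow and allowx rules. The CIL below is an added example written for this archive page, not code from either poster; the class names tcp_socket, udp_socket and alg_socket, the macro name and the type subj are assumptions, and the tunableif branching from the thread is deliberately left out because the thread reports a compiler crash for that combination.

```cil
; Added example (not from the thread): per-class extended permissions
; instead of a classmapping, which only supports normal permissions.
; 0x8927 is SIOCGIFHWADDR, the ioctl that returns the interface MAC
; address; excluding it limits what a confined domain can learn.
; The socket classes used here are assumed to be declared elsewhere.

(permissionx tcp_socket_ioctl_except_SIOCGIFHWADDR
    (ioctl tcp_socket (and (all) (not (0x8927)))))
(permissionx udp_socket_ioctl_except_SIOCGIFHWADDR
    (ioctl udp_socket (and (all) (not (0x8927)))))
(permissionx alg_socket_ioctl_except_SIOCGIFHWADDR
    (ioctl alg_socket (and (all) (not (0x8927)))))

; One allow and one allowx per class: the base ioctl permission is still
; required, and the allowx rule then filters the request codes. A new
; socket class means adding a permissionx and two rules here.
(macro allow_socket_ioctl_except_SIOCGIFHWADDR ((type ARG1) (type ARG2))
    (allow ARG1 ARG2 (tcp_socket (ioctl)))
    (allow ARG1 ARG2 (udp_socket (ioctl)))
    (allow ARG1 ARG2 (alg_socket (ioctl)))
    (allowx ARG1 ARG2 tcp_socket_ioctl_except_SIOCGIFHWADDR)
    (allowx ARG1 ARG2 udp_socket_ioctl_except_SIOCGIFHWADDR)
    (allowx ARG1 ARG2 alg_socket_ioctl_except_SIOCGIFHWADDR))

; Assumed caller type; mirrors the (call bla1.stuff (subj)) pattern above.
(type subj)
(call allow_socket_ioctl_except_SIOCGIFHWADDR (subj subj))
```

After compiling, `sesearch -A -s subj -c tcp_socket -p ioctl` together with `sesearch --allowx -s subj -c tcp_socket` can be used to confirm that the base ioctl permission and the xperm set without 0x8927 both ended up in the resulting policy.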


