On Thu, Jan 23, 2020 at 03:41:30PM -0500, jwcart2 wrote:
> On 1/21/20 11:26 AM, jwcart2 wrote:
> > On 1/17/20 1:24 PM, Dominick Grift wrote:
> > > On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
> > > > For example this:
> > > >
> > > > (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl
> > > >     alg_socket (and (all) (not (0x8927)))))
> > > > (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
> > > > (classmapping all_sockets ioctl_except_SIOCGIFHWADDR
> > > >     alg_socket_ioctl_except_SIOCGIFHWADDR)
> > > >
> > > > (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
> > > >
> > > > Says:
> > > >
> > > > <snip>
> > > > Building AST from Parse Tree
> > > > Destroying Parse Tree
> > > > Resolving AST
> > > > Failed to resolve classmapping statement at policy/base/class_maps.cil:994
> > > > Problem at policy/base/class_maps.cil:994
> > > > Pass 14 of resolution failed
> > > > Failed to resolve ast
> > > > Failed to compile cildb: -2
> > > > make: *** [Makefile:30: policy.32] Error 254
> > > >
> > > > Am I doing something wrong or is this unsupported?
> > >
> > > Are we supposed to be able to use allowx rules in macros?
> > >
> >
> > Yes, allowx rules can be used in macros.
> >
> > > This works when the tunable is set false:
> > >
> > > (tunable no_mac_addr true)
> > >
> > > (block bla1
> > >     (blockinherit system_agent_template)
> > >
> > >     (macro stuff ((type ARG1))
> > >         (tunableif no_mac_addr
> > >             (true
> > >                 (allow ARG1 self
> > >                     create_except_ioctl_tcp_stream_socket_perms)
> > >                 (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
> > >             (false
> > >                 (allow ARG1 self create_tcp_stream_socket_perms)))))
> > >
> > > (block blah2
> > >     (blockinherit system_agent_template)
> > >
> > >     (call bla1.stuff (subj)))
> > >
> > > But when the tunable is set true:
> > > <snip>
> > > Building AST from Parse Tree
> > > Destroying Parse Tree
> > > Resolving AST
> > > make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
> > >
> >
> > Still trying to figure out the exact issue, but it is the use of the
> > named permissionx that is causing the seg fault.
> >
>
> There was an error in the code to copy a permissionx. I sent a patch to the
> list to fix this issue.
> Jim

Thanks!

>
> > Jim
> >
>
> --
> James Carter <jwcart2@xxxxxxxxxxxxx>
> National Security Agency

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
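The snippets in the thread reference definitions that are not shown (the named permission sets, the `tcp_socket_ioctl_except_SIOCGIFHWADDR` permissionx and the `system_agent_template` block), so they cannot be fed to secilc on their own. The following is an added, self-contained reproducer written for this page; it is not code from the thread or from the SELinux project. It keeps Dominick's construct (a named `permissionx` used by `allowx` inside a `tunableif` inside a macro) and supplies only the minimal surrounding policy that secilc needs to produce a binary: one object class, one initial SID, one sensitivity/category and one user/role/type for the SID context. Those supporting names (`tcp_socket` permissions, `sys_u`, `sys_r`, `kernel_t`, `systemlow`, the two classpermission sets) are assumptions made for the example, and the xperm expression `(and (all) (not (0x8927)))` is the one from the first message. It assumes a libsepol that includes the permissionx copy fix Jim mentions; before that fix, the thread reports that compiling with the tunable set to true segfaults while false compiles.

```cil
; Constructed minimal CIL policy (added example, not from the mailing list thread).
; Assumes libsepol/secilc with the permissionx copy fix applied.

(handleunknown allow)
(mls true)

; A single object class is enough to exercise ioctl extended permissions.
(class tcp_socket (create read write ioctl))
(classorder (tcp_socket))

; Minimal MLS scaffolding so that a context can be built.
(sensitivity s0)
(sensitivityorder (s0))
(category c0)
(categoryorder (c0))
(level systemlow (s0))
(levelrange low_low (systemlow systemlow))

; One user, one role, the type used for the initial SID and the subject type.
(user sys_u)
(userlevel sys_u systemlow)
(userrange sys_u low_low)
(role sys_r)
(userrole sys_u sys_r)
(type kernel_t)
(roletype sys_r kernel_t)
(type subj)
(roletype sys_r subj)

; One initial SID with a valid context.
(sid kernel)
(sidorder (kernel))
(context kernel_ctx (sys_u sys_r kernel_t low_low))
(sidcontext kernel kernel_ctx)

; Named permission sets referenced by the macro (assumed contents).
(classpermission create_tcp_stream_socket_perms)
(classpermissionset create_tcp_stream_socket_perms
    (tcp_socket (create read write ioctl)))
(classpermission create_except_ioctl_tcp_stream_socket_perms)
(classpermissionset create_except_ioctl_tcp_stream_socket_perms
    (tcp_socket (create read write)))

; Named extended permission: every ioctl request except SIOCGIFHWADDR (0x8927),
; using the expression form from the thread.
(permissionx tcp_socket_ioctl_except_SIOCGIFHWADDR
    (ioctl tcp_socket (and (all) (not (0x8927)))))

; Flip this between true and false to exercise both branches.
(tunable no_mac_addr true)

(block bla1
    (macro stuff ((type ARG1))
        (tunableif no_mac_addr
            (true
                ; Plain permissions without ioctl, plus the filtered ioctl set.
                (allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
                (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
            (false
                ; Unrestricted ioctl when the tunable is off.
                (allow ARG1 self create_tcp_stream_socket_perms)))))

(call bla1.stuff (subj))
```

Compile it with `secilc` (for example `secilc -o policy.32 policy.cil`) once with the tunable set to `true` and once with `false`; on a fixed libsepol both builds succeed, and the `true` build is the one that carries the `allowx` rule with the named `permissionx` that triggered the crash described above. Inspecting the resulting binary with `sesearch -A -x -s subj -t subj -c tcp_socket` (from setools) shows the ioctl range with 0x8927 excluded.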