On Tue, Mar 9, 2021 at 10:37 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > Types associated to role attributes in optional blocks are not > associated with the roles that have that attribute. The problem > is that role_fix_callback is called before the avrule_decls are > walked. > > Example/ > class CLASS1 > sid kernel > class CLASS1 { PERM1 } > type TYPE1; > type TYPE1A; > allow TYPE1 self : CLASS1 PERM1; > attribute_role ROLE_ATTR1A; > role ROLE1; > role ROLE1A; > roleattribute ROLE1A ROLE_ATTR1A; > role ROLE1 types TYPE1; > optional { > require { > class CLASS1 PERM1; > } > role ROLE_ATTR1A types TYPE1A; > } > user USER1 roles ROLE1; > sid kernel USER1:ROLE1:TYPE1 > > In this example ROLE1A will not have TYPE1A associated to it. > > Call role_fix_callback() after the avrule_decls are walked. > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> Thanks! Nicolas > --- > libsepol/src/expand.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > index eac7e450..1ee3e48f 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -3017,10 +3017,6 @@ int expand_module(sepol_handle_t * handle, > if (hashtab_map(state.base->p_roles.table, > role_bounds_copy_callback, &state)) > goto cleanup; > - /* escalate the type_set_t in a role attribute to all regular roles > - * that belongs to it. */ > - if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) > - goto cleanup; > > /* copy MLS's sensitivity level and categories - this needs to be done > * before expanding users (they need to be indexed too) */ 
> @@ -3086,6 +3082,11 @@ int expand_module(sepol_handle_t * handle, > goto cleanup; > } > > + /* escalate the type_set_t in a role attribute to all regular roles > + * that belongs to it. */ > + if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) > + goto cleanup; > + > if (copy_and_expand_avrule_block(&state) < 0) { > ERR(handle, "Error during expand"); > goto cleanup; > -- > 2.26.2 >
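Review bot: in the first hunk (the removal after the role_bounds_copy_callback mapping) the code that used to run between the old call site and the new one, namely the MLS sensitivity/category copy and the user expansion the surviving comment refers to, must not read the role type sets that role_fix_callback fills in, otherwise moving the call later reorders a dependency rather than just fixing one. The commit message explains the avrule_decls ordering problem but says nothing about that intervening code; one sentence confirming those steps only consume role names, bounds and dominance (not role->types) would make the move easy to verify for the next reader.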
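Review bot: in the second hunk the comment is moved verbatim, including the grammar slip "all regular roles that belongs to it" (should be "that belong to it"), and it still does not state the ordering constraint the commit message describes; since the call is now placed immediately before copy_and_expand_avrule_block and the avrule_decls walk it must follow lies in the elided region between the two hunks, please extend the comment to say something like "must run after all avrule_decls (including optional blocks) have been walked, so role-attribute type sets from optional blocks are included" so that nobody hoists the call back up later.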