Re: [PATCH] libsepol: Properly handle types associated to role attributes

On Sun, Mar 14, 2021 at 8:44 PM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
>
> On Tue, Mar 9, 2021 at 10:37 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > Types associated to role attributes in optional blocks are not
> > associated with the roles that have that attribute. The problem
> > is that role_fix_callback is called before the avrule_decls are
> > walked.
> >
> > Example:
> >   class CLASS1
> >   sid kernel
> >   class CLASS1 { PERM1 }
> >   type TYPE1;
> >   type TYPE1A;
> >   allow TYPE1 self : CLASS1 PERM1;
> >   attribute_role ROLE_ATTR1A;
> >   role ROLE1;
> >   role ROLE1A;
> >   roleattribute ROLE1A ROLE_ATTR1A;
> >   role ROLE1 types TYPE1;
> >   optional {
> >     require {
> >       class CLASS1 PERM1;
> >     }
> >     role ROLE_ATTR1A types TYPE1A;
> >   }
> >   user USER1 roles ROLE1;
> >   sid kernel USER1:ROLE1:TYPE1
> >
> > In this example ROLE1A will not have TYPE1A associated to it.
> >
> > Call role_fix_callback() after the avrule_decls are walked.
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
>
> Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

Merged.

Thanks!
Nicolas

> > ---
> >  libsepol/src/expand.c | 9 +++++----
> >  1 file changed, 5 insertions(+), 4 deletions(-)
> >
> > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> > index eac7e450..1ee3e48f 100644
> > --- a/libsepol/src/expand.c
> > +++ b/libsepol/src/expand.c
> > @@ -3017,10 +3017,6 @@ int expand_module(sepol_handle_t * handle,
> >         if (hashtab_map(state.base->p_roles.table,
> >                         role_bounds_copy_callback, &state))
> >                 goto cleanup;
> > -       /* escalate the type_set_t in a role attribute to all regular roles
> > -        * that belongs to it. */
> > -       if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
> > -               goto cleanup;
> >
> >         /* copy MLS's sensitivity level and categories - this needs to be done
> >          * before expanding users (they need to be indexed too) */
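Review bot: removing the escalation at this point moves it past the MLS copy and the user expansion that the trailing comment says come next; the commit message should state that nothing in that stretch reads a regular role's type set, because if any of it did, the reorder would silently change what those steps see rather than only fixing the optional-block case.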
> > @@ -3086,6 +3082,11 @@ int expand_module(sepol_handle_t * handle,
> >                 goto cleanup;
> >         }
> >
> > +       /* escalate the type_set_t in a role attribute to all regular roles
> > +        * that belongs to it. */
> > +       if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
> > +               goto cleanup;
> > +
> >         if (copy_and_expand_avrule_block(&state) < 0) {
> >                 ERR(handle, "Error during expand");
> >                 goto cleanup;
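Review bot: the relocated comment still reads "all regular roles that belongs to it"; since the block is being moved anyway, correct it to "that belong to it" and extend it to say why this spot is load-bearing, for example "must run after the avrule_decls are walked so that role types declared in optional blocks are picked up", because as written nothing at the new call site tells a later reader that the placement matters.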
> > --
> > 2.26.2
> >
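The ordering problem the commit message describes can be seen in a small model of the expansion step. The following is an added example, not libsepol code: it mimics the relationship between the role-attribute escalation (role_fix_callback) and the walk over avrule_decls using the policy from the commit message, and it assumes that the global block's role declarations are copied before the decl walk in both orderings. The Block/Policy data layout and the function names are assumptions made for the illustration, and the policies are constructed inline.

```python
"""Toy model of the ordering fixed by this patch. Constructed example, not
libsepol code: it mimics expand_module()'s role-attribute escalation
(role_fix_callback) relative to the walk over avrule_decls, using the policy
from the commit message. Names and the data layout are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Block:
    """One avrule_decl: the global block or one optional block."""
    name: str
    enabled: bool = True
    # (role_or_role_attribute, type) pairs from `role X types Y;` statements
    role_types: list = field(default_factory=list)


@dataclass
class Policy:
    roles: set                      # regular roles
    role_attrs: dict                # role attribute -> roles carrying it
    global_block: Block
    optionals: list = field(default_factory=list)


def apply_block(role_types, block):
    """Record `role X types Y` from one block, whether X is a role or a
    role attribute (the attribute's type set is what gets escalated)."""
    for target, typ in block.role_types:
        role_types.setdefault(target, set()).add(typ)


def escalate_role_attrs(role_types, policy):
    """Model of role_fix_callback: copy each role attribute's types onto
    every regular role that belongs to it."""
    for attr, members in policy.role_attrs.items():
        for role in members:
            role_types.setdefault(role, set()).update(role_types.get(attr, ()))


def expand(policy, fix_before_walk):
    """Return {role: types} as the expanded policy would hold them.
    fix_before_walk=True is the ordering before the patch, False after."""
    role_types = {}
    # Assumption: the global block's role declarations are copied before
    # the decl walk in both orderings (the bug only shows in optionals).
    apply_block(role_types, policy.global_block)
    if fix_before_walk:
        escalate_role_attrs(role_types, policy)
    for opt in policy.optionals:
        if opt.enabled:           # a failed `require` disables the block
            apply_block(role_types, opt)
    if not fix_before_walk:
        escalate_role_attrs(role_types, policy)
    return {r: role_types.get(r, set()) for r in policy.roles}


# Constructed policy mirroring the commit message: ROLE1A carries
# ROLE_ATTR1A, and the attribute is given TYPE1A inside an optional block.
COMMIT_EXAMPLE = Policy(
    roles={"ROLE1", "ROLE1A"},
    role_attrs={"ROLE_ATTR1A": {"ROLE1A"}},
    global_block=Block("global", role_types=[("ROLE1", "TYPE1")]),
    optionals=[Block("optional", role_types=[("ROLE_ATTR1A", "TYPE1A")])],
)

# Same statement in the global block: both orderings agree, which is why
# the bug only surfaced for optional blocks.
GLOBAL_VARIANT = Policy(
    roles={"ROLE1", "ROLE1A"},
    role_attrs={"ROLE_ATTR1A": {"ROLE1A"}},
    global_block=Block("global", role_types=[("ROLE1", "TYPE1"),
                                             ("ROLE_ATTR1A", "TYPE1A")]),
)


if __name__ == "__main__":
    for label, order in (("before patch", True), ("after patch", False)):
        print(label, expand(COMMIT_EXAMPLE, fix_before_walk=order))
```

With the pre-patch ordering ROLE1A ends up with no types because ROLE_ATTR1A is still empty when the escalation runs; with the post-patch ordering ROLE1A receives TYPE1A. The global-block variant gives the same answer either way, matching the commit message's statement that only optional blocks were affected.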
