Re: [PATCH] libsepol/cil: Allow permission expressions when using map classes

Oops, sorry for the duplicate.
Jim

On Mon, Mar 22, 2021 at 12:47 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> The following policy will cause a segfault:
>   (class CLASS (PERM))
>   (class C (P1 P2 P3))
>   (classorder (CLASS C))
>   (sid SID)
>   (sidorder (SID))
>   (user USER)
>   (role ROLE)
>   (type TYPE)
>   (category CAT)
>   (categoryorder (CAT))
>   (sensitivity SENS)
>   (sensitivityorder (SENS))
>   (sensitivitycategory SENS (CAT))
>   (allow TYPE self (CLASS (PERM)))
>   (roletype ROLE TYPE)
>   (userrole USER ROLE)
>   (userlevel USER (SENS))
>   (userrange USER ((SENS)(SENS (CAT))))
>   (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
>
>   (classmap CM (PM1 PM2 PM3))
>   (classmapping CM PM1 (C (P1)))
>   (classmapping CM PM2 (C (P2)))
>   (classmapping CM PM3 (C (P3)))
>   (allow TYPE self (CM (and (all) (not PM2))))
>
> The problem is that, while permission expressions are allowed for
> normal classes, map classes are expected to only have permission
> lists and no check is done to verify that only a permission list
> is being used.
>
> When the above policy is parsed, the "and" and "all" are seen as
> expression operators, but when the map permissions are converted to
> normal class and permissions, the permission expression is assumed
> to be a list of datums and since the operators are not datums a
> segfault is the result.
>
> There is no reason to limit map classes to only using a list of
> permissions and, in fact, it would be better to be able to use them
> in the same way normal classes are used.
>
> Allow permission expressions to be used for map classes by first
> evaluating the permission expression and then converting the
> resulting list to normal classes and permissions.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> ---
>  libsepol/cil/src/cil_post.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
> index d2ecbd43..6990fc07 100644
> --- a/libsepol/cil/src/cil_post.c
> +++ b/libsepol/cil/src/cil_post.c
> @@ -2130,6 +2130,10 @@ static int __evaluate_classperms_list(struct cil_list *classperms, struct cil_db
>                                 }
>                         } else { /* MAP */
>                                 struct cil_list_item *i = NULL;
> +                               rc = __evaluate_classperms(cp, db);
> +                               if (rc != SEPOL_OK) {
> +                                       goto exit;
> +                               }
>                                 cil_list_for_each(i, cp->perms) {
>                                         struct cil_perm *cmp = i->data;
>                                         rc = __evaluate_classperms_list(cmp->classperms, db);
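Review bot: The new `__evaluate_classperms(cp, db)` call in the MAP branch replaces `cp->perms` with the evaluated list before the `cil_list_for_each(i, cp->perms)` walk, which is what prevents an operator item from being treated as a `struct cil_perm`; please confirm that a second pass over the same `cp` (the same classperms reached through more than one rule) is harmless, since the second evaluation would then run on a plain list rather than an expression. The error path matches the existing style (`rc != SEPOL_OK`, `goto exit`). It would also be worth adding the map-class expression from the description, `(allow TYPE self (CM (and (all) (not PM2))))`, as a regression policy in the CIL test suite so the segfault cannot reappear.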
> --
> 2.26.2
>
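The two steps the patch description relies on, evaluating a permission expression first and only then converting map perms to normal class perms, as an added, simplified model in C. This is example code written for this page, not libsepol's own code: the node and bitmask representation, the function names, and the "unchecked" walk that reports an operator item as -1 (where the real pre-patch code dereferenced it as a datum and segfaulted) are all assumptions. The policy it models is the one from the patch description: `(classmap CM (PM1 PM2 PM3))`, `(classmapping CM PMi (C (Pi)))` and `(allow TYPE self (CM (and (all) (not PM2))))`.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical, simplified model of how a map-class permission expression
 * is turned into normal class permissions. Example code, not libsepol's own;
 * the node/mask representation is an assumption.
 *
 * Modelled policy (from the patch description):
 *   (class C (P1 P2 P3))
 *   (classmap CM (PM1 PM2 PM3))
 *   (classmapping CM PMi (C (Pi)))
 *   (allow TYPE self (CM (and (all) (not PM2))))
 */

enum node_kind { N_PERM, N_ALL, N_NOT, N_AND, N_OR };

struct node {
    enum node_kind kind;
    int perm;                  /* map-perm index, N_PERM only */
    const struct node *l, *r;  /* operands: NOT uses l; AND/OR use l and r */
};

#define NMAPPERMS 3
#define ALL_MAP ((1u << NMAPPERMS) - 1)   /* PM1|PM2|PM3 */

/* classmapping CM PMi (C (Pi)): map-perm bit i -> class C perm bit i */
static const uint32_t classmapping[NMAPPERMS] = { 1u << 0, 1u << 1, 1u << 2 };

/* Step 1 (what the patch adds for map classes): evaluate the expression
 * to the set of map perms it denotes. */
static uint32_t eval_perm_expr(const struct node *n)
{
    switch (n->kind) {
    case N_PERM: return 1u << n->perm;
    case N_ALL:  return ALL_MAP;
    case N_NOT:  return ALL_MAP & ~eval_perm_expr(n->l);
    case N_AND:  return eval_perm_expr(n->l) & eval_perm_expr(n->r);
    case N_OR:   return eval_perm_expr(n->l) | eval_perm_expr(n->r);
    }
    return 0;
}

/* Step 2: convert the resulting map perms into perms of class C. */
static uint32_t expand_map_perms(uint32_t map_mask)
{
    uint32_t out = 0;
    for (int i = 0; i < NMAPPERMS; i++)
        if (map_mask & (1u << i))
            out |= classmapping[i];
    return out;
}

/* Fixed path: evaluate first, then convert. Returns a class-C perm mask. */
static uint32_t fixed_class_perms(const struct node *expr)
{
    return expand_map_perms(eval_perm_expr(expr));
}

/* Pre-patch path, modelled: walk the items as if every one were a perm
 * datum. An operator item is not a datum; the real code dereferenced it
 * as one and segfaulted. Here that case is detected and reported as -1,
 * otherwise the class-C perm mask is returned. */
static int unchecked_class_perms(const struct node *const *items, int n)
{
    uint32_t out = 0;
    for (int i = 0; i < n; i++) {
        if (items[i]->kind != N_PERM)
            return -1;
        out |= classmapping[items[i]->perm];
    }
    return (int)out;
}

/* (and (all) (not PM2)) as an expression tree ... */
static const struct node n_pm1 = { N_PERM, 0, NULL, NULL };
static const struct node n_pm2 = { N_PERM, 1, NULL, NULL };
static const struct node n_pm3 = { N_PERM, 2, NULL, NULL };
static const struct node n_all = { N_ALL, 0, NULL, NULL };
static const struct node n_not = { N_NOT, 0, &n_pm2, NULL };
static const struct node n_and = { N_AND, 0, &n_all, &n_not };

/* ... and as the flat item list the pre-patch walk would have seen */
static const struct node *const expr_items[] = { &n_and, &n_all, &n_not, &n_pm2 };
/* A plain permission list, (CM (PM1 PM3)), which the old walk handled fine */
static const struct node *const list_items[] = { &n_pm1, &n_pm3 };

int main(void)
{
    printf("(CM (PM1 PM3))              unchecked -> 0x%x\n",
           unchecked_class_perms(list_items, 2));
    printf("(CM (and (all) (not PM2)))  unchecked -> %d (operator item hit)\n",
           unchecked_class_perms(expr_items, 4));
    printf("(CM (and (all) (not PM2)))  fixed     -> 0x%x (P1|P3)\n",
           fixed_class_perms(&n_and));
    return 0;
}
```

The plain list works on both paths; the expression only works once it has been evaluated first, which is exactly the ordering the patch introduces in the MAP branch.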
