On Sat, Dec 4, 2021 at 5:35 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Populate the avtab member before passing as argument to the report
> function. Without the avtab avtab_search_node() is unable to find
> allowxperm rules and this results in false-positive reports, e.g. on:
>
> allow TATTR1 TATTR1 : CLASS1 ioctl;
> allowxperm TATTR1 TATTR1 : CLASS1 ioctl 0x9501;
> neverallowxperm TYPE1 ~self : CLASS1 0x9501;
>
> Reported-by: James Carter <jwcart2@xxxxxxxxx>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
No longer getting the false positives, but now I am seeing false negatives. allow TATTR1 TATTR1 : CLASS4 ioctl; allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9401; neverallowxperm TATTR1 self : CLASS4 ioctl 0x9421; These rules are being caught as they should: allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9421; allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9421; These rules are not being caught. allowxperm TYPE1 self : CLASS4 ioctl 0x9421; allowxperm TYPE1 TYPE1 : CLASS4 ioctl 0x9421; allowxperm TYPE1 TATTR1 : CLASS4 ioctl 0x9421; allowxperm TATTR1 self : CLASS4 ioctl 0x9421; I've attached the policy.conf that I am testing with. Thanks, Jim
> ---
> libsepol/src/assertion.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> index 4600be41..a0eebb93 100644
> --- a/libsepol/src/assertion.c
> +++ b/libsepol/src/assertion.c
> @@ -304,10 +304,12 @@ static int report_assertion_failures(sepol_handle_t *handle, policydb_t *p, avru
> args.avrule = avrule;
> args.errors = 0;
>
> + args.avtab = &p->te_avtab;
> rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args);
> if (rc)
> goto oom;
>
> + args.avtab = &p->te_cond_avtab;
> rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args);
> if (rc)
> goto oom;
> --
> 2.34.1
>
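Review bot: Setting `args.avtab = &p->te_avtab;` (and the cond table) removes the false positives, but the reply in this thread shows the report is still incomplete: with `neverallowxperm TATTR1 self : CLASS4 ioctl 0x9421`, the rules keyed `TATTR1 TATTR1` and `TATTR1 TATTR2` are caught while `TYPE1 self`, `TYPE1 TYPE1`, `TYPE1 TATTR1` and `TATTR1 self` are not, which suggests the lookup in report_assertion_avtab_matches() is done with the key of the visited `allow TATTR1 TATTR1` entry rather than for each source/target pair the neverallowxperm covers; that function is outside the hunk, so this is inferred and worth checking before the patch is merged. The two added lines themselves are correct but silent about why they are needed; a comment such as `/* report_assertion_avtab_matches() looks up allowxperm entries in args.avtab */` above the first one would prevent a future caller from forgetting it. As the same four-line sequence is repeated for te_avtab and te_cond_avtab, iterating over the two tables in a small loop would make the avtab/map pairing impossible to get out of sync. report_assertion_failures() starts before and continues after this hunk.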
#
# Test policy (policy.conf) for the libsepol neverallow / neverallowxperm
# checks with "self", "~self" and "-self" targets.
#
# Convention used throughout: every allow/allowxperm rule that is expected
# to trip an assertion is commented out and annotated "violation"; the
# rules left active are annotated "not a violation" and must compile
# cleanly. Uncomment a "violation" rule to exercise the checker.
#

#
# Object classes
#
class CLASS1
class CLASS2
class CLASS3
class CLASS4
class CLASS5
class CLASS6

#
# Initial SID declaration (context assigned at the end of the file)
#
sid kernel

#
# Access vectors
#
class CLASS1 { PERM1A PERM1B PERM1C PERM1D }
class CLASS2 { PERM2A PERM2B PERM2C PERM2D }
class CLASS3 { PERM3A PERM3B PERM3C PERM3D }
class CLASS4 { ioctl }
class CLASS5 { ioctl }
class CLASS6 { ioctl }

#
# MLS: a single sensitivity and category, plus one constraint and one
# validatetrans on CLASS1 so the MLS code paths are present in the policy.
#
sensitivity SENS1;
dominance { SENS1 }
category CAT1;
level SENS1:CAT1;

mlsconstrain CLASS1 { PERM1A } (h1 dom h2 and l1 domby h1);
mlsvalidatetrans CLASS1 (l1 == l2 or l1 incomp l2);

#
# Attributes and types
#
# TYPE1 and TYPE2 carry both attributes; TYPE3 carries only TATTR1.
# Hence TATTR1 = { TYPE1 TYPE2 TYPE3 } and TATTR2 = { TYPE1 TYPE2 }, which
# is what makes the "TYPE1 TYPE3" rules below safe against a TATTR2 target.
#
attribute TATTR1;
attribute TATTR2;

type TYPE1;
type TYPE2;
type TYPE3;

typeattribute TYPE1 TATTR1, TATTR2;
typeattribute TYPE2 TATTR1, TATTR2;
typeattribute TYPE3 TATTR1;

#
# CLASS1: neverallow with a "self" target
#

# PERM1A: neverallow on a single type
#allow TYPE1 self : CLASS1 PERM1A;		# violation
#allow TYPE1 TYPE1 : CLASS1 PERM1A;		# violation
#allow TYPE1 TATTR1 : CLASS1 PERM1A;		# violation
#allow TATTR1 TATTR1 : CLASS1 PERM1A;		# violation
#allow TATTR1 TATTR2 : CLASS1 PERM1A;		# violation
neverallow TYPE1 self : CLASS1 PERM1A;

# PERM1B: neverallow on an attribute
#allow TYPE1 self : CLASS1 PERM1B;		# violation
#allow TYPE1 TYPE1 : CLASS1 PERM1B;		# violation
#allow TYPE1 TATTR1 : CLASS1 PERM1B;		# violation
#allow TATTR1 TATTR1 : CLASS1 PERM1B;		# violation
#allow TATTR1 TATTR2 : CLASS1 PERM1B;		# violation
allow TYPE1 TYPE2 : CLASS1 PERM1B;		# not a violation (distinct types)
neverallow TATTR1 self : CLASS1 PERM1B;

# PERM1C: allow rule in a module, neverallow in base
#allow TYPE1 self : CLASS1 PERM1C;		# violation
neverallow TYPE1 self : CLASS1 PERM1C;

# PERM1D: neverallow in a module, allow rule in base
#allow TYPE1 self : CLASS1 PERM1D;		# violation
neverallow TYPE1 self : CLASS1 PERM1D;

#
# CLASS2: neverallow with a "~self" target
#

# PERM2A: neverallow on a single type
allow TYPE1 self : CLASS2 PERM2A;		# not a violation
allow TYPE1 TYPE1 : CLASS2 PERM2A;		# not a violation
#allow TYPE1 TYPE2 : CLASS2 PERM2A;		# violation
#allow TYPE1 TATTR1 : CLASS2 PERM2A;		# violation
#allow TATTR1 TATTR1 : CLASS2 PERM2A;		# violation
#allow TATTR1 TATTR2 : CLASS2 PERM2A;		# violation
neverallow TYPE1 ~self : CLASS2 PERM2A;

# PERM2B: neverallow on an attribute
allow TYPE1 self : CLASS2 PERM2B;		# not a violation
allow TYPE2 TYPE2 : CLASS2 PERM2B;		# not a violation
#allow TYPE1 TYPE2 : CLASS2 PERM2B;		# violation
#allow TYPE1 TATTR1 : CLASS2 PERM2B;		# violation
#allow TATTR1 TATTR1 : CLASS2 PERM2B;		# violation
#allow TATTR1 TATTR2 : CLASS2 PERM2B;		# violation
neverallow TATTR1 ~self : CLASS2 PERM2B;

# PERM2C: allow rules in a module, neverallow in base
allow TYPE1 self : CLASS2 PERM2C;		# not a violation
#allow TYPE1 TYPE2 : CLASS2 PERM2C;		# violation
neverallow TYPE1 ~self : CLASS2 PERM2C;

# PERM2D: neverallow in a module, allow rule in base
allow TYPE1 self : CLASS2 PERM2D;		# not a violation
#allow TYPE1 TYPE2 : CLASS2 PERM2D;		# violation
neverallow TYPE1 ~self : CLASS2 PERM2D;

#
# CLASS3: neverallow with a "{ ATTR -self }" target
#

# PERM3A: target set is the source attribute minus self
allow TYPE1 self : CLASS3 PERM3A;		# not a violation
allow TYPE2 TYPE2 : CLASS3 PERM3A;		# not a violation
#allow TYPE1 TYPE2 : CLASS3 PERM3A;		# violation
#allow TYPE1 TATTR1 : CLASS3 PERM3A;		# violation
#allow TATTR1 TATTR1 : CLASS3 PERM3A;		# violation
#allow TATTR1 TATTR2 : CLASS3 PERM3A;		# violation
neverallow TATTR1 { TATTR1 -self } : CLASS3 PERM3A;

# PERM3B: target set is a different attribute minus self
allow TYPE1 self : CLASS3 PERM3B;		# not a violation
allow TYPE2 TYPE2 : CLASS3 PERM3B;		# not a violation
allow TYPE1 TYPE3 : CLASS3 PERM3B;		# not a violation (TYPE3 is not in TATTR2)
#allow TYPE1 TYPE2 : CLASS3 PERM3B;		# violation
#allow TYPE1 TATTR1 : CLASS3 PERM3B;		# violation
#allow TATTR1 TATTR1 : CLASS3 PERM3B;		# violation
#allow TATTR1 TATTR2 : CLASS3 PERM3B;		# violation
neverallow TATTR1 { TATTR2 -self } : CLASS3 PERM3B;

# PERM3C: allow rules in a module, neverallow in base
allow TYPE1 self : CLASS3 PERM3C;		# not a violation
neverallow TATTR1 { TATTR1 -self } : CLASS3 PERM3C;

# PERM3D: neverallow in a module, allow rule in base
allow TYPE1 self : CLASS3 PERM3D;		# not a violation
#allow TYPE1 TYPE2 : CLASS3 PERM3D;		# violation
neverallow TATTR1 { TATTR1 -self } : CLASS3 PERM3D;

#
# CLASS4: neverallowxperm with a "self" target
#
# The base allow/allowxperm pair is what makes the extended-permission
# rules below reachable; 0x9401 is outside every neverallowxperm range.
#
allow TATTR1 TATTR1 : CLASS4 ioctl;
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9401;

# 0x9411: neverallowxperm on a single type
#allowxperm TYPE1 self : CLASS4 ioctl 0x9411;		# violation
#allowxperm TYPE1 TYPE1 : CLASS4 ioctl 0x9411;		# violation
#allowxperm TYPE1 TATTR1 : CLASS4 ioctl 0x9411;		# violation
#allowxperm TATTR1 self : CLASS4 ioctl 0x9411;		# violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9411;	# violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9411;	# violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9411;

# 0x9421: neverallowxperm on an attribute
#allowxperm TYPE1 self : CLASS4 ioctl 0x9421;		# violation
#allowxperm TYPE1 TYPE1 : CLASS4 ioctl 0x9421;		# violation
#allowxperm TYPE1 TATTR1 : CLASS4 ioctl 0x9421;		# violation
#allowxperm TATTR1 self : CLASS4 ioctl 0x9421;		# violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9421;	# violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9421;	# violation
allowxperm TYPE1 TYPE2 : CLASS4 ioctl 0x9421;		# not a violation (distinct types)
neverallowxperm TATTR1 self : CLASS4 ioctl 0x9421;

# 0x9431: allow rules in a module, neverallowxperm in base
#allowxperm TYPE1 self : CLASS4 ioctl 0x9431;		# violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9431;

# 0x9441: neverallowxperm in a module, allow rule in base
#allowxperm TYPE1 self : CLASS4 ioctl 0x9441;		# violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9441;

#
# CLASS5: neverallowxperm with a "~self" target
#
allow TATTR1 TATTR1 : CLASS5 ioctl;
allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9501;

# 0x9511: neverallowxperm on a single type
allowxperm TYPE1 self : CLASS5 ioctl 0x9511;		# not a violation
allowxperm TYPE1 TYPE1 : CLASS5 ioctl 0x9511;		# not a violation
#allowxperm TYPE1 TYPE2 : CLASS5 ioctl 0x9511;		# violation
#allowxperm TYPE1 TATTR1 : CLASS5 ioctl 0x9511;		# violation
#allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9511;	# violation
#allowxperm TATTR1 TATTR2 : CLASS5 ioctl 0x9511;	# violation
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9511;

# 0x9521: neverallowxperm on an attribute
allowxperm TYPE1 self : CLASS5 ioctl 0x9521;		# not a violation
allowxperm TYPE2 TYPE2 : CLASS5 ioctl 0x9521;		# not a violation
#allowxperm TYPE1 TYPE2 : CLASS5 ioctl 0x9521;		# violation
#allowxperm TYPE1 TATTR1 : CLASS5 ioctl 0x9521;		# violation
#allowxperm TATTR1 TATTR1 : CLASS5 ioctl 0x9521;	# violation
#allowxperm TATTR1 TATTR2 : CLASS5 ioctl 0x9521;	# violation
neverallowxperm TATTR1 ~self : CLASS5 ioctl 0x9521;

# 0x9531: allow rules in a module, neverallowxperm in base
allowxperm TYPE1 self : CLASS5 ioctl 0x9531;		# not a violation
#allowxperm TYPE1 TYPE2 : CLASS5 ioctl 0x9531;		# violation
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9531;

# 0x9541: neverallowxperm in a module, allow rule in base
allowxperm TYPE1 self : CLASS5 ioctl 0x9541;		# not a violation
#allowxperm TYPE1 TYPE2 : CLASS5 ioctl 0x9541;		# violation
neverallowxperm TYPE1 ~self : CLASS5 ioctl 0x9541;

#
# CLASS6: neverallowxperm with a "{ ATTR -self }" target
#
allow TATTR1 TATTR1 : CLASS6 ioctl;
allowxperm TATTR1 TATTR1 : CLASS6 ioctl 0x9601;

# 0x9611: target set is the source attribute minus self
allowxperm TYPE1 self : CLASS6 ioctl 0x9611;		# not a violation
allowxperm TYPE2 TYPE2 : CLASS6 ioctl 0x9611;		# not a violation
#allowxperm TYPE1 TYPE2 : CLASS6 ioctl 0x9611;		# violation
#allowxperm TYPE1 TATTR1 : CLASS6 ioctl 0x9611;		# violation
#allowxperm TATTR1 TATTR1 : CLASS6 ioctl 0x9611;	# violation
#allowxperm TATTR1 TATTR2 : CLASS6 ioctl 0x9611;	# violation
neverallowxperm TATTR1 { TATTR1 -self } : CLASS6 ioctl 0x9611;

# 0x9621: target set is a different attribute minus self
allowxperm TYPE1 self : CLASS6 ioctl 0x9621;		# not a violation
allowxperm TYPE2 TYPE2 : CLASS6 ioctl 0x9621;		# not a violation
allowxperm TYPE1 TYPE3 : CLASS6 ioctl 0x9621;		# not a violation (TYPE3 is not in TATTR2)
#allowxperm TYPE1 TYPE2 : CLASS6 ioctl 0x9621;		# violation
#allowxperm TYPE1 TATTR1 : CLASS6 ioctl 0x9621;		# violation
#allowxperm TATTR1 TATTR1 : CLASS6 ioctl 0x9621;	# violation
#allowxperm TATTR1 TATTR2 : CLASS6 ioctl 0x9621;	# violation
neverallowxperm TATTR1 { TATTR2 -self } : CLASS6 ioctl 0x9621;

# NOTE(review): the two module/base cases below use "TYPE1 ~self", unlike
# the CLASS3 -self counterparts (PERM3C/PERM3D), which use
# "TATTR1 { TATTR1 -self }" -- confirm this is intended, otherwise the
# -self form is not exercised across the module/base boundary for xperms.

# 0x9631: allow rules in a module, neverallowxperm in base
allowxperm TYPE1 self : CLASS6 ioctl 0x9631;		# not a violation
#allowxperm TYPE1 TYPE2 : CLASS6 ioctl 0x9631;		# violation
neverallowxperm TYPE1 ~self : CLASS6 ioctl 0x9631;

# 0x9641: neverallowxperm in a module, allow rule in base
allowxperm TYPE1 self : CLASS6 ioctl 0x9641;		# not a violation
#allowxperm TYPE1 TYPE2 : CLASS6 ioctl 0x9641;		# violation
neverallowxperm TYPE1 ~self : CLASS6 ioctl 0x9641;

#
# Roles, users and the initial SID context
#
role ROLE1;
role ROLE1 types TYPE1;

user USER1 roles ROLE1 level SENS1 range SENS1 - SENS1:CAT1;

sid kernel USER1:ROLE1:TYPE1:SENS1 - SENS1