[PATCH 14/16] libsepol: The src and tgt must be the same if neverallow uses self


 



When checking for violations of neverallow rules, if the neverallow
uses self, then the src and tgt must be the same when checking
extended permissions and when reporting violations.

Example:
  allow attr attr : CLASS PERM;
  neverallow attr self : CLASS PERM;

If the types t1 and t2 have attribute attr, then the violations
that would be reported would be:
  allow t1 t1 : CLASS PERM;
  allow t1 t2 : CLASS PERM;
  allow t2 t1 : CLASS PERM;
  allow t2 t2 : CLASS PERM;
instead of:
  allow t1 t1 : CLASS PERM;
  allow t2 t2 : CLASS PERM;

Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
 libsepol/src/assertion.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index b8fe8b21..ae3c18be 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -213,6 +213,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
 	ebitmap_t src_matches, tgt_matches, self_matches;
 	ebitmap_node_t *snode, *tnode;
 	unsigned int i, j;
+	const int is_avrule_self = (avrule->flags & RULE_SELF) != 0;
 
 	if ((k->specified & AVTAB_ALLOWED) == 0)
 		return 0;
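Review bot: The new `is_avrule_self` test `(avrule->flags & RULE_SELF) != 0` is not equivalent to the `avrule->flags == RULE_SELF` it replaces in the next hunk (and in the two hunks of check_assertion_extended_permissions below): it also fires when RULE_SELF is combined with other flag bits, which the old equality test rejected. That is presumably the intended, more robust form, but the commit description only talks about the src/tgt pairing, so it deserves one sentence there or a comment on this line, e.g. `/* bit test, not equality: RULE_SELF may be combined with other flags */`. If flags can only ever hold RULE_SELF at this point, the change is purely cosmetic and the note can say so instead.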
@@ -236,7 +237,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
 	if (rc < 0)
 		goto oom;
 
-	if (avrule->flags == RULE_SELF) {
+	if (is_avrule_self) {
 		rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]);
 		if (rc < 0)
 			goto oom;
@@ -260,6 +261,8 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
 
 		ebitmap_for_each_positive_bit(&src_matches, snode, i) {
 			ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) {
+				if (is_avrule_self && i != j)
+					continue;
 				if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
 					a->errors += report_assertion_extended_permissions(handle,p, avrule,
 											i, j, cp, perms, k, avtab);
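Review bot: The `if (is_avrule_self && i != j) continue;` skip is applied to every pair drawn from `tgt_matches`, but `tgt_matches` appears to be built (above this hunk, out of view) from the rule's explicit target types as well as from `self_matches`; if the policy language lets a rule name `self` alongside other targets (`neverallow t1 { self t2 } : ...`), the explicit t1→t2 pair would now be dropped from the violation report, which I cannot confirm from the visible lines but would want checked. If that case is reachable, the skip should only apply to pairs that come from the self expansion, e.g. by keeping the explicit-target bitmap separate and testing `!ebitmap_get_bit(&explicit_tgt_matches, j)` before continuing. Either way a short why-comment on the skip would help the next reader: `/* self: only src == tgt pairs can violate the rule */`. The same logic is duplicated in the final hunk of check_assertion_extended_permissions, so the same caveat applies there; report_assertion_avtab_matches continues past this hunk.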
@@ -368,6 +371,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
 	ebitmap_t src_matches, tgt_matches, self_matches;
 	unsigned int i, j;
 	ebitmap_node_t *snode, *tnode;
+	const int is_avrule_self = (avrule->flags & RULE_SELF) != 0;
 	int rc;
 
 	ebitmap_init(&src_matches);
@@ -389,7 +393,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
 	if (rc < 0)
 		goto oom;
 
-	if (avrule->flags == RULE_SELF) {
+	if (is_avrule_self) {
 		rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]);
 		if (rc < 0)
 			goto oom;
@@ -408,6 +412,8 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
 
 	ebitmap_for_each_positive_bit(&src_matches, snode, i) {
 		ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) {
+			if (is_avrule_self && i != j)
+				continue;
 			if (check_assertion_extended_permissions_avtab(avrule, avtab, i, j, k, p)) {
 				rc = 1;
 				goto exit;
-- 
2.31.1




