If you want to test any of this, attached is a policy to do that.

Jim

On Fri, Dec 17, 2021 at 1:19 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> The first 13 patches refactor and clean up the neverallow and
> neverallowxperm checking code to make it easier to understand.
>
> The last 3 patches fix errors in the assertion checking code.
>
> This series is to prepare for adding not-self support to assertion
> checking.
>
> James Carter (16):
>   libsepol: Return an error if check_assertion() returns an error.
>   libsepol: Change label in check_assertion_avtab_match()
>   libsepol: Remove uneeded error messages in assertion checking
>   libsepol: Check for error from check_assertion_extended_permissions()
>   libsepol: Use consistent return checking style
>   libsepol: Move check of target types to before check for self
>   libsepol: Create function check_assertion_self_match() and use it
>   libsepol: Use (rc < 0) instead of (rc) when calling ebitmap functions
>   libsepol: Remove unnessesary check for matching class
>   libsepol: Move assigning outer loop index out of inner loop
>   libsepol: Make use of previously created ebitmap when checking self
>   libsepol: Refactor match_any_class_permissions() to be clearer
>   libsepol: Make return value clearer when reporting neverallowx errors
>   libsepol: The src and tgt must be the same if neverallow uses self
>   libsepol: Set args avtab pointer when reporting assertion violations
>   libsepol: Fix two problems with neverallowxperm reporting
>
>  libsepol/src/assertion.c | 193 +++++++++++++++++++++------------------
>  1 file changed, 102 insertions(+), 91 deletions(-)
>
> --
> 2.31.1
>
class CLASS1
class CLASS2
class CLASS3
class CLASS4
class CLASS5
class CLASS6

sid kernel

class CLASS1 { PERM1A PERM1B PERM1C PERM1D }
class CLASS2 { PERM2A PERM2B PERM2C PERM2D }
class CLASS3 { PERM3A PERM3B PERM3C PERM3D }
class CLASS4 { ioctl }
class CLASS5 { ioctl }
class CLASS6 { ioctl }

sensitivity SENS1;
dominance { SENS1 }
category CAT1;
level SENS1:CAT1;
mlsconstrain CLASS1 { PERM1A } (h1 dom h2 and l1 domby h1);
mlsvalidatetrans CLASS1 (l1 == l2 or l1 incomp l2);

attribute TATTR1;
attribute TATTR2;

type TYPE1;
type TYPE2;
type TYPE3;

typeattribute TYPE1 TATTR1, TATTR2;
typeattribute TYPE2 TATTR1, TATTR2;
typeattribute TYPE3 TATTR1;

# Test self neverallow
#allow TYPE1 self : CLASS1 PERM1A; # neverallow violation
#allow TYPE1 TYPE1 : CLASS1 PERM1A; # neverallow violation
#allow TYPE1 TATTR1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 self : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 TYPE1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 TATTR1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 TATTR2 : CLASS1 PERM1A; # neverallow violation
allow TYPE1 TYPE2 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE1 TYPE3 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE2 TYPE1 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE2 TYPE3 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE3 TYPE1 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE3 TYPE2 : CLASS1 PERM1A; # NOT a neverallow violation
neverallow TYPE1 self : CLASS1 PERM1A;

#allow TYPE1 self : CLASS1 PERM1B; # neverallow violation
#allow TYPE2 self : CLASS1 PERM1B; # neverallow violation
#allow TYPE3 self : CLASS1 PERM1B; # neverallow violation
#allow TYPE1 TYPE1 : CLASS1 PERM1B; # neverallow violation
#allow TYPE2 TYPE2 : CLASS1 PERM1B; # neverallow violation
#allow TYPE3 TYPE3 : CLASS1 PERM1B; # neverallow violation
#allow TYPE1 TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TYPE2 TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TYPE3 TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 self : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TYPE1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TYPE2 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TYPE3 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TATTR2 : CLASS1 PERM1B; # neverallow violation
allow TYPE1 TYPE2 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE1 TYPE3 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE2 TYPE1 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE2 TYPE3 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE3 TYPE1 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE3 TYPE2 : CLASS1 PERM1B; # NOT a neverallow violation
neverallow TATTR1 self : CLASS1 PERM1B;

# Test self neverallowxperm
allow TATTR1 TATTR1 : CLASS4 ioctl;
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9401;
#allowxperm TYPE1 self : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TYPE1 TYPE1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TYPE1 TATTR1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 self : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 TYPE1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9411; # neverallowxperm violation
allowxperm TYPE1 TYPE2 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE1 TYPE3 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE2 TYPE1 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE2 TYPE3 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE3 TYPE1 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE3 TYPE2 : CLASS4 ioctl 0x9411; # Not a violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9411;

#allowxperm TYPE1 self : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE1 TYPE1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE2 TYPE2 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE3 TYPE3 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE1 TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE2 TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE3 TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 self : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TYPE1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TYPE2 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TYPE3 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9421; # neverallowxperm violation
allowxperm TYPE1 TYPE2 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE1 TYPE3 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE2 TYPE1 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE2 TYPE3 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE3 TYPE1 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE3 TYPE2 : CLASS4 ioctl 0x9421; # NOT a violation
neverallowxperm TATTR1 self : CLASS4 ioctl 0x9421;

role ROLE1;
role ROLE1 types TYPE1;
user USER1 roles ROLE1 level SENS1 range SENS1 - SENS1:CAT1;
sid kernel USER1:ROLE1:TYPE1:SENS1 - SENS1
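The comments in the attached policy encode the rule the assertion checker has to enforce: a neverallow whose target is `self` is violated only by an allow that, after expanding attributes to their member types, grants some type access to that same type, and an allow between two different members of the same attribute is not a violation. The Python below is an added model of that rule, not libsepol's code and not part of the attached policy; it hard-codes the type/attribute membership from the `typeattribute` statements above, treats both `neverallow` and `neverallowxperm` the same way (with ioctl numbers standing in for permission names, a simplification of libsepol's xperm bitmaps), and returns the concrete (source, target) pairs a violation should be reported on.

```python
"""Model of `neverallow ... self` checking (added example, not libsepol's code).

A rule's source and target are expanded to concrete types; `self` pairs each
source type only with itself.  A neverallow is violated when an allow grants a
(source, target, class, permission) tuple the neverallow forbids.  Extended
permission rules are modeled with ioctl numbers as the permission set, which is
a simplification of how libsepol stores xperms.
"""
from dataclasses import dataclass
from itertools import product

# Type and attribute membership constructed to match the attached test policy:
#   typeattribute TYPE1 TATTR1, TATTR2;
#   typeattribute TYPE2 TATTR1, TATTR2;
#   typeattribute TYPE3 TATTR1;
TYPES = {"TYPE1", "TYPE2", "TYPE3"}
ATTRIBUTES = {
    "TATTR1": {"TYPE1", "TYPE2", "TYPE3"},
    "TATTR2": {"TYPE1", "TYPE2"},
}


def expand(name: str) -> set:
    """Concrete types named by a type or attribute identifier."""
    if name in ATTRIBUTES:
        return set(ATTRIBUTES[name])
    if name in TYPES:
        return {name}
    raise ValueError(f"unknown type or attribute: {name}")


@dataclass(frozen=True)
class Rule:
    src: str
    tgt: str            # a type, an attribute, or the keyword "self"
    cls: str
    perms: frozenset    # permission names, or ioctl numbers for xperm rules

    def pairs(self) -> set:
        """(source, target) type pairs this rule covers.

        `self` means each source type paired with itself.  An attribute as
        source with `self` does NOT mean any two members of the attribute,
        which is why `allow TYPE1 TYPE2` never violates
        `neverallow TATTR1 self`.
        """
        if self.tgt == "self":
            return {(t, t) for t in expand(self.src)}
        return set(product(expand(self.src), expand(self.tgt)))


def violates(neverallow: Rule, allow: Rule) -> bool:
    """True if `allow` grants something `neverallow` forbids."""
    if neverallow.cls != allow.cls:
        return False
    if not (neverallow.perms & allow.perms):
        return False
    return bool(neverallow.pairs() & allow.pairs())


def offending_pairs(neverallow: Rule, allow: Rule) -> set:
    """The concrete (source, target) pairs a violation should be reported on."""
    if not violates(neverallow, allow):
        return set()
    return neverallow.pairs() & allow.pairs()


if __name__ == "__main__":
    na = Rule("TYPE1", "self", "CLASS1", frozenset({"PERM1A"}))
    for src, tgt in [("TYPE1", "TATTR1"), ("TATTR1", "TATTR2"), ("TYPE1", "TYPE2")]:
        allow = Rule(src, tgt, "CLASS1", frozenset({"PERM1A"}))
        verdict = "violation" if violates(na, allow) else "ok"
        print(f"allow {src} {tgt} : CLASS1 PERM1A -> {verdict} "
              f"{sorted(offending_pairs(na, allow))}")
```

Each commented-out `# neverallow violation` line in the attached policy is a case where `violates()` returns True for the corresponding neverallow, and each `NOT a violation` line is a case where it returns False; `offending_pairs()` is what a useful error message would print, since reporting `TATTR1 TATTR2` alone hides which member type actually tripped the assertion.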