Re: [PATCH 00/16] Refactor and fix assertion checking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If you want to test any of this, attached is a policy to do that.
Jim

On Fri, Dec 17, 2021 at 1:19 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> The first 13 patches refactor and cleanup the neverallow and
> neverallowxperm checking code to make it easier to understand.
>
> The last 3 patches fixes errors in the assertion checking code.
>
> This series is to prepare for adding not-self support to assertion
> checking.
>
> James Carter (16):
>   libsepol: Return an error if check_assertion() returns an error.
>   libsepol: Change label in check_assertion_avtab_match()
>   libsepol: Remove uneeded error messages in assertion checking
>   libsepol: Check for error from check_assertion_extended_permissions()
>   libsepol: Use consistent return checking style
>   libsepol: Move check of target types to before check for self
>   libsepol: Create function check_assertion_self_match() and use it
>   libsepol: Use (rc < 0) instead of (rc) when calling ebitmap functions
>   libsepol: Remove unnessesary check for matching class
>   libsepol: Move assigning outer loop index out of inner loop
>   libsepol: Make use of previously created ebitmap when checking self
>   libsepol: Refactor match_any_class_permissions() to be clearer
>   libsepol: Make return value clearer when reporting neverallowx errors
>   libsepol: The src and tgt must be the same if neverallow uses self
>   libsepol: Set args avtab pointer when reporting assertion violations
>   libsepol: Fix two problems with neverallowxperm reporting
>
>  libsepol/src/assertion.c | 193 +++++++++++++++++++++------------------
>  1 file changed, 102 insertions(+), 91 deletions(-)
>
> --
> 2.31.1
>
class CLASS1
class CLASS2
class CLASS3
class CLASS4
class CLASS5
class CLASS6
sid kernel
class CLASS1 { PERM1A PERM1B PERM1C PERM1D }
class CLASS2 { PERM2A PERM2B PERM2C PERM2D }
class CLASS3 { PERM3A PERM3B PERM3C PERM3D }
class CLASS4 { ioctl }
class CLASS5 { ioctl }
class CLASS6 { ioctl }
sensitivity SENS1;
dominance { SENS1 }
category CAT1;
level SENS1:CAT1;
mlsconstrain CLASS1 { PERM1A } (h1 dom h2 and l1 domby h1);
mlsvalidatetrans CLASS1 (l1 == l2 or l1 incomp l2);
attribute TATTR1;
attribute TATTR2;
type TYPE1;
type TYPE2;
type TYPE3;
typeattribute TYPE1 TATTR1, TATTR2;
typeattribute TYPE2 TATTR1, TATTR2;
typeattribute TYPE3 TATTR1;


# Test self neverallow

#allow TYPE1    self : CLASS1 PERM1A; # neverallow violation
#allow TYPE1   TYPE1 : CLASS1 PERM1A; # neverallow violation
#allow TYPE1  TATTR1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1   self : CLASS1 PERM1A; # neverallow violation
#allow TATTR1  TYPE1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 TATTR1 : CLASS1 PERM1A; # neverallow violation
#allow TATTR1 TATTR2 : CLASS1 PERM1A; # neverallow violation
allow TYPE1 TYPE2 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE1 TYPE3 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE2 TYPE1 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE2 TYPE3 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE3 TYPE1 : CLASS1 PERM1A; # NOT a neverallow violation
allow TYPE3 TYPE2 : CLASS1 PERM1A; # NOT a neverallow violation
neverallow TYPE1 self : CLASS1 PERM1A;

#allow TYPE1    self : CLASS1 PERM1B; # neverallow violation
#allow TYPE2    self : CLASS1 PERM1B; # neverallow violation
#allow TYPE3    self : CLASS1 PERM1B; # neverallow violation
#allow TYPE1   TYPE1 : CLASS1 PERM1B; # neverallow violation
#allow TYPE2   TYPE2 : CLASS1 PERM1B; # neverallow violation
#allow TYPE3   TYPE3 : CLASS1 PERM1B; # neverallow violation
#allow TYPE1  TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TYPE2  TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TYPE3  TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1   self : CLASS1 PERM1B; # neverallow violation
#allow TATTR1  TYPE1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1  TYPE2 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1  TYPE3 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TATTR1 : CLASS1 PERM1B; # neverallow violation
#allow TATTR1 TATTR2 : CLASS1 PERM1B; # neverallow violation
allow TYPE1 TYPE2 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE1 TYPE3 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE2 TYPE1 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE2 TYPE3 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE3 TYPE1 : CLASS1 PERM1B; # NOT a neverallow violation
allow TYPE3 TYPE2 : CLASS1 PERM1B; # NOT a neverallow violation
neverallow TATTR1 self : CLASS1 PERM1B;


# Test self neverallowxperm

allow TATTR1 TATTR1 : CLASS4 ioctl;
allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9401;

#allowxperm TYPE1    self : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TYPE1   TYPE1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1   self : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1  TYPE1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9411; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9411; # neverallowxperm violation
allowxperm TYPE1   TYPE2 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE1   TYPE3 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE2   TYPE1 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE2   TYPE3 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE3   TYPE1 : CLASS4 ioctl 0x9411; # Not a violation
allowxperm TYPE3   TYPE2 : CLASS4 ioctl 0x9411; # Not a violation
neverallowxperm TYPE1 self : CLASS4 ioctl 0x9411;


#allowxperm TYPE1    self : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE1   TYPE1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE2   TYPE2 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE3   TYPE3 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE1  TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE2  TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TYPE3  TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1   self : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1  TYPE1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1  TYPE2 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1  TYPE3 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TATTR1 : CLASS4 ioctl 0x9421; # neverallowxperm violation
#allowxperm TATTR1 TATTR2 : CLASS4 ioctl 0x9421; # neverallowxperm violation
allowxperm TYPE1 TYPE2 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE1 TYPE3 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE2 TYPE1 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE2 TYPE3 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE3 TYPE1 : CLASS4 ioctl 0x9421; # NOT a violation
allowxperm TYPE3 TYPE2 : CLASS4 ioctl 0x9421; # NOT a violation
neverallowxperm TATTR1 self : CLASS4 ioctl 0x9421;



role ROLE1;
role ROLE1 types TYPE1;
user USER1 roles ROLE1 level SENS1 range SENS1 - SENS1:CAT1;
sid kernel USER1:ROLE1:TYPE1:SENS1 - SENS1

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux