On Fri, Feb 4, 2022 at 3:04 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Allow all and complement permission sets in constraints, e.g.:
>
> constrain service ~ { status } (...);
> constrain service * (...);
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> checkpolicy/policy_define.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index b2ae3263..ded19570 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -3590,6 +3590,16 @@ int define_constraint(constraint_expr_t * expr)
> cladatum = policydbp->class_val_to_struct[i];
> node = cladatum->constraints;
>
> + if (strcmp(id, "*") == 0) {
> + node->permissions = ~UINT32_C(0);
> + continue;
> + }
> +

If the class has fewer than 32 permissions, then bits will be set for non-existent permissions.

> + if (strcmp(id, "~") == 0) {
> + node->permissions = ~node->permissions;
> + continue;
> + }
> +

If "~" is used on a list of all of the class's permissions, then there will be no permissions. If the policy is then turned back into a policy.conf, there will be no permissions and the constraint will have an invalid permission. (Obviously, a problem with the kernel_to_conf routines that needs to be fixed). The right thing is to drop the constraint in this case since it isn't valid for any permissions. (I see now that the CIL compiler doesn't handle this correctly either.)

I am fine with the overall idea here.

Thanks,
Jim

> perdatum =
> (perm_datum_t *) hashtab_search(cladatum->
> permissions.
> --
> 2.34.1
>
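Review bot: in the `*` branch, `node->permissions = ~UINT32_C(0)` sets all 32 bits, so a class with fewer than 32 permissions gets bits for permissions it does not define; mask the result to the number of permissions the class actually defines (its own plus any common ones), and be careful not to shift by 32 for a class that has exactly 32. The `~` branch has the same phantom-bit problem, since `~node->permissions` also flips every undefined bit, and it additionally never checks the result: listing all of a class's permissions before `~` leaves `node->permissions == 0`, a constraint that can never apply, which should be rejected with an error or dropped rather than stored. Both branches also rely on the shorthand id being processed after the permission names it applies to, because `~` complements whatever has been accumulated so far and `continue` only skips the current id, so any id that follows still modifies the set; a short comment stating that expected ordering (or a check enforcing it) would make the intent clear.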
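As an added illustration of the two edge cases raised in the reply (phantom bits when a class has fewer than 32 permissions, and an empty set when `~` is applied to every permission), here is a stand-alone resolver written for this thread; it is not checkpolicy's code. It assumes a small constructed permission table for a hypothetical `service` class, that permission bit numbers are 1-based as in a policydb, and that a `~` or `*` id is queued after the names it applies to, which is the ordering the patch's in-place complement implies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample permission table for a hypothetical class; not from
 * any real policy.  bit is 1-based, like a policydb permission value. */
struct perm_entry { const char *name; unsigned bit; };

static const struct perm_entry service_perms[] = {
    { "start", 1 }, { "stop", 2 }, { "status", 3 }, { "reload", 4 },
};
#define SERVICE_NPERMS (sizeof service_perms / sizeof service_perms[0])

/* Mask covering exactly the nperms defined permissions of a class.
 * Handles nperms == 32 without shifting a 32-bit value by 32. */
uint32_t class_perm_mask(unsigned nperms)
{
    if (nperms == 0)
        return 0;
    if (nperms >= 32)
        return UINT32_MAX;
    return (UINT32_C(1) << nperms) - 1;
}

static int perm_bit(const char *name, const struct perm_entry *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0)
            return (int)t[i].bit;
    return -1;
}

/* Resolve a constraint permission list such as { "status", "~" } or { "*" }
 * into a bit set over the class's defined permissions only.
 * Returns 0 and stores the set in *out on success; -1 if an id is unknown
 * or if the resulting set is empty (e.g. "~" after every permission of the
 * class), the case the reply says should not produce a constraint. */
int resolve_constraint_perms(const char *const *ids, size_t nids,
                             const struct perm_entry *table, size_t nperms,
                             uint32_t *out)
{
    uint32_t mask = class_perm_mask((unsigned)nperms);
    uint32_t set = 0;

    for (size_t i = 0; i < nids; i++) {
        if (strcmp(ids[i], "*") == 0) {
            set = mask;             /* every defined permission, no phantom bits */
            continue;
        }
        if (strcmp(ids[i], "~") == 0) {
            set = ~set & mask;      /* complement, restricted to defined bits */
            continue;
        }
        int bit = perm_bit(ids[i], table, nperms);
        if (bit < 0)
            return -1;              /* unknown permission name */
        set |= UINT32_C(1) << (bit - 1);
    }

    if (set == 0)
        return -1;                  /* constraint could never apply: drop it */
    *out = set;
    return 0;
}

int main(void)
{
    const char *const not_status[] = { "status", "~" };
    const char *const everything[] = { "*" };
    const char *const none_left[] = { "start", "stop", "status", "reload", "~" };
    uint32_t set;

    if (resolve_constraint_perms(not_status, 2, service_perms, SERVICE_NPERMS, &set) == 0)
        printf("~ { status } -> 0x%x\n", set);
    if (resolve_constraint_perms(everything, 1, service_perms, SERVICE_NPERMS, &set) == 0)
        printf("* -> 0x%x\n", set);
    if (resolve_constraint_perms(none_left, 5, service_perms, SERVICE_NPERMS, &set) != 0)
        printf("~ over all permissions: empty set, constraint dropped\n");
    return 0;
}
```

The mask computed once per class is what keeps both shorthands honest: `*` never produces bits beyond the class's permission count, and `~` over the full list collapses to zero, which the caller sees as an error instead of an always-false constraint.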