On Tue, 11 Jan 2022 at 23:08, James Carter <jwcart2@xxxxxxxxx> wrote:
>
> These patches depend on the 16 patch set that refactors and fixes assertion checking.
>
> The first patch is based on patches by Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> sent to the list on November 23rd. His patch adding support to checkpolicy is meant
> to be used with these patches.
>
> The second patch adds support for not-self rules to CIL. Currently, it works for all
> access vector rules, but I am not sure if that is needed or wise.

Probably not caused by this patch set, but I noticed one inconvenience: duplicate
reporting with the following example:

attribute test_a;
type test1_t, test_a;
type test2_t, test_a;

allow test_a test_a:xdp_socket ioctl;
allowxperm test_a test_a:xdp_socket ioctl 0x0002;

neverallowxperm test1_t { test_a }:xdp_socket ioctl 0x0002;

The output looks like:

libsepol.report_assertion_extended_permissions: neverallowxperm on line 534 of policy/modules/kernel/kernel.te (or line 49039 of policy.conf) violated by allowxperm test_a test_a:xdp_socket ioctl { 0x2 };
libsepol.report_assertion_extended_permissions: neverallowxperm on line 534 of policy/modules/kernel/kernel.te (or line 49039 of policy.conf) violated by allowxperm test_a test_a:xdp_socket ioctl { 0x2 };

due to the two access permissions, one for test1_t on test1_t and one for test1_t on test2_t.

Rebasing onto master should update validation due to ff25475c ("libsepol: validate several flags"):

--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -851,6 +851,7 @@ static int validate_avrules(sepol_handle_t *handle, avrule_t *avrule, int condit switch(avrule->flags) { case 0: case RULE_SELF: + case RULE_NOTSELF: break; default: goto bad;

Otherwise together with ("checkpolicy: add not-self neverallow support") [1]

Tested-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

[1]: https://patchwork.kernel.org/project/selinux/patch/20211204103516.17375-3-cgzones@xxxxxxxxxxxxxx/

>
> James Carter (2):
>   libsepol: Add not self support for neverallow rules
>   libsepol/cil: Add notself and minusself support to CIL
>
>  libsepol/cil/src/cil.c                     |  12 ++
>  libsepol/cil/src/cil_binary.c              |  91 ++++++++-
>  libsepol/cil/src/cil_build_ast.c           |  10 +-
>  libsepol/cil/src/cil_find.c                | 206 ++++++++++++++++++---
>  libsepol/cil/src/cil_internal.h            |   4 +
>  libsepol/cil/src/cil_resolve_ast.c         |   4 +
>  libsepol/cil/src/cil_verify.c              |   3 +-
>  libsepol/include/sepol/policydb/policydb.h |   3 +-
>  libsepol/src/assertion.c                   | 144 +++++++++++---
>  9 files changed, 467 insertions(+), 64 deletions(-)
>
> --
> 2.31.1
>
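Review bot: the `case RULE_NOTSELF:` addition to the switch in validate_avrules belongs inside the "libsepol: Add not self support for neverallow rules" patch rather than in a rebase note, otherwise a policy carrying the new flag is rejected by `default: goto bad;` the moment the series is rebased onto ff25475c. Because the switch compares the exact value of avrule->flags, a rule with both RULE_SELF and RULE_NOTSELF set still falls through to `goto bad`; that is the right outcome if the two flags are mutually exclusive, and a one-line comment on the switch stating that would make the intent clear to the next person extending the flag set.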
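The duplicate report in the mail above, modelled as an added example (Python written for this page, not libsepol's own assertion.c): expanding the attributes in the neverallowxperm and allowxperm rules yields one matching (source type, target type) pair per member type, and reporting once per pair instead of once per offending rule prints the same allowxperm line twice. The attribute map and rule tuples are constructed to mirror the example policy in the mail.

```python
# Constructed model of the duplicate-report behaviour described in the mail.
# Illustration only, not libsepol code: attribute names, rule tuples and the
# report format are taken from the example policy and output quoted above.

# Attribute -> member types (constructed to match the example policy).
ATTRIBUTES = {"test_a": {"test1_t", "test2_t"}}

# (source, target, class, permission, extended-permission set)
ALLOWXPERM = [("test_a", "test_a", "xdp_socket", "ioctl", {0x0002})]
NEVERALLOWXPERM = [("test1_t", "test_a", "xdp_socket", "ioctl", {0x0002})]


def expand(name):
    """Expand an attribute to its member types; a plain type is itself."""
    return set(ATTRIBUTES.get(name, {name}))


def violating_pairs(allow, never):
    """Concrete (source type, target type) pairs where an allowxperm rule
    grants an extended permission that a neverallowxperm rule forbids."""
    asrc, atgt, acls, aperm, ax = allow
    nsrc, ntgt, ncls, nperm, nx = never
    if (acls, aperm) != (ncls, nperm) or not (ax & nx):
        return []
    return sorted((s, t) for s in expand(asrc) & expand(nsrc)
                         for t in expand(atgt) & expand(ntgt))


def report(allow, never, per_pair=True):
    """Render the 'violated by ...' messages for one allow/neverallow pair.
    per_pair=True reports once per concrete type pair, which is what produces
    the duplicate lines in the mail; per_pair=False names the offending rule
    once no matter how many pairs it expands to."""
    pairs = violating_pairs(allow, never)
    if not pairs:
        return []
    asrc, atgt, acls, aperm, ax = allow
    xperms = " ".join(hex(x) for x in sorted(ax & never[4]))
    msg = "violated by allowxperm %s %s:%s %s { %s };" % (asrc, atgt, acls, aperm, xperms)
    return [msg] * (len(pairs) if per_pair else 1)


def check(allow_rules, never_rules, per_pair=True):
    """Run every neverallowxperm rule against every allowxperm rule."""
    out = []
    for never in never_rules:
        for allow in allow_rules:
            out.extend(report(allow, never, per_pair))
    return out


if __name__ == "__main__":
    for line in check(ALLOWXPERM, NEVERALLOWXPERM):
        print(line)
```

Running it prints the "violated by allowxperm test_a test_a:xdp_socket ioctl { 0x2 };" line twice, once for the (test1_t, test1_t) pair and once for (test1_t, test2_t); `per_pair=False` shows the single report a rule-keyed check would give.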