Re: [RFC PATCH 3/4] libsepol: add compile-time constraint for mutual exclusive attributes

On Thu, Jun 16, 2022 at 3:14 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Add a new compile-time constraint, similar to neverallow, which allows
> specifying two or more type attributes as mutually exclusive.  This
> means no type can be associated with more than one of them.
>
> The constraints are stored as a linked list in the policy for modular
> policies, by a new modular policy version, and are discarded in kernel
> policies, not needing any kernel support.
>
> Some Reference Policy examples:
>
>     unpriv_userdomain, admindomain:
>
>         <no violations>
>
>     client_packet_type, server_packet_type:
>
>         <no violations>
>
>     auth_file_type, non_auth_file_type:
>
>         <no violations>
>
>     pseudofs, xattrfs, noxattrfs:
>
>          <no violations>
>
>     reserved_port_type, unreserved_port_type:
>
>          <no violations>
>
>     security_file_type, non_security_file_type:
>
>         libsepol.check_segregate_attributes: segregate_attributes violated by type dnssec_t associated with attributes security_file_type and non_security_file_type
>
>     ibendport_type, packet_type, sysctl_type, device_node, ibpkey_type,
>     sysfs_types, domain, boolean_type, netif_type, file_type, node_type,
>     proc_type, port_type:
>
>         libsepol.check_segregate_attributes: segregate_attributes violated by type virt_content_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type sysctl_fs_t associated with attributes sysctl_type and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type initrc_devpts_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type qemu_image_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type user_devpts_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type dockerc_t associated with attributes domain and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type cpu_online_t associated with attributes sysfs_types and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type cardmgr_dev_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type sysctl_t associated with attributes sysctl_type and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type bootloader_tmp_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type xen_image_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type svirt_prot_exec_image_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type xen_devpts_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type proc_t associated with attributes file_type and proc_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type sysfs_t associated with attributes sysfs_types and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type proc_xen_t associated with attributes file_type and proc_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type svirt_image_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type virt_image_t associated with attributes device_node and file_type
>         libsepol.check_segregate_attributes: segregate_attributes violated by type container_file_t associated with attributes device_node and file_type
>
>     libsepol.check_assertions: 20 segregate attribute failures occurred
>
> Closes: https://github.com/SELinuxProject/selinux/issues/42
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>


Hello,

Thanks for your patches. This feature seems interesting to help
ensure a sane policy is used at compile-time. The examples you gave
based on refpolicy clearly show a nice use-case of this feature.

The code looks good and quite simple. It nevertheless lacks some tests
to ensure this feature is implemented in a way which is the intended
one. I know that libsepol/tests/ is probably not the most
developer-friendly test framework, but it can help catch issues caused
by future code refactoring. In order to apply these patches, I would
expect at least a test with a policy which uses some attributes in a
correct way and a test with a policy which triggers a violation.

Moreover, your changes are only about the .te policy compiler and
(unless I missed something) ignore the CIL support. It makes sense for
a feature which mainly targets the Reference Policy, but the issue it
solves can probably also be found in policies written in CIL or in
languages which compile to CIL. Would it make sense to link
segregate_attributes with the CIL compiler too? (I do not have a clear
opinion on this question)

Cheers,
Nicolas
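A model of the check the patch description explains, added here as an example (it is not libsepol's code and not part of the patch or this thread). The type-to-attribute map and the constraint lists are constructed; reporting only the first two offending attributes in constraint order is an assumption taken from the quoted output.

```python
# Added example (not libsepol code): a model of the segregate_attributes
# check, run over a constructed type -> attribute map.
from typing import Dict, List, Set, Tuple

# Constructed sample policy: each type with the attributes it carries.
# dnssec_t mirrors the refpolicy violation quoted in the patch description.
SAMPLE_TYPES: Dict[str, Set[str]] = {
    "bin_t": {"file_type", "non_security_file_type"},
    "shadow_t": {"file_type", "security_file_type"},
    "dnssec_t": {"file_type", "security_file_type", "non_security_file_type"},
    "proc_t": {"file_type", "proc_type"},
    "init_t": {"domain"},
}

# Constructed constraints: each is an ordered list of attributes that no
# single type may hold more than one of.
SAMPLE_CONSTRAINTS: List[List[str]] = [
    ["security_file_type", "non_security_file_type"],
    ["domain", "file_type", "proc_type"],
]


def check_segregate_attributes(types: Dict[str, Set[str]],
                               constraints: List[List[str]]
                               ) -> List[Tuple[str, str, str]]:
    """Return (type, attr_a, attr_b) for every type holding more than one
    attribute of a constraint.  Assumption modelled on the quoted output:
    only the first two offending attributes (in constraint order) are named."""
    violations = []
    for constraint in constraints:
        for name, attrs in types.items():
            hits = [a for a in constraint if a in attrs]
            if len(hits) > 1:
                violations.append((name, hits[0], hits[1]))
    return violations


def format_report(violations: List[Tuple[str, str, str]]) -> List[str]:
    """Render messages in the shape quoted in the patch description."""
    lines = [f"libsepol.check_segregate_attributes: segregate_attributes "
             f"violated by type {t} associated with attributes {a} and {b}"
             for t, a, b in violations]
    lines.append(f"libsepol.check_assertions: {len(violations)} "
                 "segregate attribute failures occurred")
    return lines


if __name__ == "__main__":
    for line in format_report(
            check_segregate_attributes(SAMPLE_TYPES, SAMPLE_CONSTRAINTS)):
        print(line)
```

The two cases the review asks for (a policy that uses the attributes correctly and one that triggers a violation) correspond to an empty result and a non-empty one from `check_segregate_attributes`.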
