Add support for using negated or complemented self in the target type of
neverallow rules.

Some Refpolicy examples:

    neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *;

    neverallow domain { domain -self -dockerc_t }:dir create; # no violations

    neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

    neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write };
    libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

Using negated self in a complement, `~{ domain -self }`, is not supported.

Initial CIL support in the form of

    (allow TYPE1 notself (CLASS (PERM)))
    (allow TYPE1 minusself (CLASS (PERM)))

is included from a patchset by James Carter.

More complex targets are not yet supported in CIL and generating a CIL
policy file from modular policies including such rules will fail with an
appropriate message.

RFC v3:
  https://lore.kernel.org/selinux/20211204103516.17375-2-cgzones@xxxxxxxxxxxxxx/

Improved rebase and initial CIL work by James Carter:
  https://lore.kernel.org/selinux/20220111220823.596065-1-jwcart2@xxxxxxxxx/

Christian Göttsche (5):
  libsepol: Add not self support for neverallow rules
  checkpolicy: add not-self neverallow support
  libsepol/tests: add tests for not self neverallow rules
  libsepol/tests: add tests for minus self neverallow rules
  libsepol: update CIL generation for trivial not-self rules

James Carter (1):
  libsepol/cil: Add notself and minusself support to CIL

 checkpolicy/policy_define.c                    |  46 ++-
 checkpolicy/test/dismod.c                      |   6 +-
 libsepol/cil/src/cil.c                         |  12 +
 libsepol/cil/src/cil_binary.c                  |  91 ++++-
 libsepol/cil/src/cil_build_ast.c               |  10 +-
 libsepol/cil/src/cil_find.c                    | 206 ++++++++--
 libsepol/cil/src/cil_internal.h                |   4 +
 libsepol/cil/src/cil_resolve_ast.c             |   4 +
 libsepol/cil/src/cil_verify.c                  |   3 +-
 libsepol/include/sepol/policydb/policydb.h     |   3 +-
 libsepol/src/assertion.c                       | 144 +++++--
 libsepol/src/module_to_cil.c                   |  30 +-
 libsepol/src/policydb_validate.c               |   9 +
 .../test-neverallow/policy_minus_self.conf     | 369 +++++++++++++++++
 .../test-neverallow/policy_not_self.conf       | 370 ++++++++++++++++++
 libsepol/tests/test-neverallow.c               | 149 +++++++
 16 files changed, 1388 insertions(+), 68 deletions(-)
 create mode 100644 libsepol/tests/policies/test-neverallow/policy_minus_self.conf
 create mode 100644 libsepol/tests/policies/test-neverallow/policy_not_self.conf

-- 
2.38.1
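As an added illustration of the semantics this series introduces (this is not code from libsepol, checkpolicy or the patch series itself), the following Python model resolves a neverallow target set relative to each concrete source type: `{ ... -self }` drops the source type from the listed set, and `~self` stands for every type except the source type. The permission complement `~{ ... }` is modelled against a constructed, reduced "file" class, the sample types are all assumed to carry the `domain` attribute, and the `~self` case uses the file class instead of the capability classes shown in the cover letter. The unsupported `~{ domain -self }` form is deliberately not modelled.

```python
"""Toy model of neverallow evaluation with `-self` / `~self` targets.

Added illustration only; it mirrors the behaviour described in the cover
letter, not the libsepol/checkpolicy implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: a reduced "file" class and a small type set.
FILE_PERMS = frozenset({"append", "create", "read", "write", "setattr", "unlink"})
ALL_TYPES = frozenset({"sysadm_t", "httpd_bugzilla_script_t", "spc_t",
                       "container_t", "dockerc_t"})
DOMAIN = ALL_TYPES  # assumption: every sample type carries the `domain` attribute


@dataclass(frozen=True)
class Allow:
    source: str
    target: str
    cls: str
    perms: frozenset


@dataclass(frozen=True)
class Neverallow:
    sources: frozenset
    targets: Optional[frozenset]  # None stands for '*' (every type)
    cls: str
    perms: frozenset
    minus_self: bool = False      # `{ ... -self }`: drop the source type from the set
    not_self: bool = False        # `~self`: every type except the source type


def target_types(rule: Neverallow, source: str) -> frozenset:
    """Resolve the target set of `rule` relative to one concrete source type."""
    if rule.not_self:
        return ALL_TYPES - {source}
    targets = ALL_TYPES if rule.targets is None else rule.targets
    if rule.minus_self:
        targets = targets - {source}
    return targets


def violations(allows: List[Allow], rule: Neverallow) -> List[Tuple[Allow, frozenset]]:
    """Return (allow rule, offending permissions) pairs that violate `rule`."""
    found = []
    for a in allows:
        if a.cls != rule.cls or a.source not in rule.sources:
            continue
        if a.target not in target_types(rule, a.source):
            continue
        clash = a.perms & rule.perms
        if clash:
            found.append((a, clash))
    return found


# Constructed allow rules loosely modelled on the cover letter's failure report.
ALLOWS = [
    Allow("sysadm_t", "httpd_bugzilla_script_t", "file",
          frozenset({"create", "setattr", "unlink"})),
    Allow("spc_t", "spc_t", "file", frozenset({"create"})),
    Allow("container_t", "container_t", "file", frozenset({"create"})),
    Allow("container_t", "dockerc_t", "file", frozenset({"create"})),
    Allow("spc_t", "spc_t", "file", frozenset({"read", "write"})),
]

# neverallow domain { domain -dockerc_t }:file ~{ append read write };
WITHOUT_SELF = Neverallow(DOMAIN, DOMAIN - {"dockerc_t"}, "file",
                          FILE_PERMS - {"append", "read", "write"})
# neverallow domain { domain -self -dockerc_t }:file ~{ append read write };
WITH_MINUS_SELF = Neverallow(DOMAIN, DOMAIN - {"dockerc_t"}, "file",
                             FILE_PERMS - {"append", "read", "write"}, minus_self=True)
# neverallow * ~self:file *;  (file class used here instead of capability classes)
NOT_SELF = Neverallow(ALL_TYPES, None, "file", FILE_PERMS, not_self=True)


def summarize(rule: Neverallow) -> List[Tuple[str, str]]:
    """Sorted (source, target) pairs of the allow rules that violate `rule`."""
    return sorted({(a.source, a.target) for a, _ in violations(ALLOWS, rule)})


if __name__ == "__main__":
    for name, rule in [("without -self", WITHOUT_SELF),
                       ("with -self", WITH_MINUS_SELF),
                       ("~self", NOT_SELF)]:
        print(name, summarize(rule))
```

Running it shows the same effect as the report in the cover letter: without `-self` the self-referencing rules (`spc_t spc_t`, `container_t container_t`) are flagged alongside `sysadm_t httpd_bugzilla_script_t`; adding `-self` leaves only the cross-type violation; and `~self` flags every allow whose target differs from its source, including the one on `dockerc_t` that the explicit `-dockerc_t` exclusion had removed.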