On Fri, Feb 3, 2023 at 5:54 PM Daniel Burgener
<dburgener@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 12/15/2022 4:34 PM, James Carter wrote:
> > A deny rule is like a neverallow rule, except that permissions are
> > removed rather than an error reported.
> >
> > (allow S1 T1 P1)
> > (deny S2 T2 P2)
> >
> > In general what is needed is:
> > 1) Allow permissions that do not match the deny rule
> > P3 = P1 and not P2
> > (allow S1 T1 P3)
> > 2) Allow source types that do not match the deny rule
> > S3 = S1 and not S2
> > (allow S3 T1 P1)
> > 3) Allow target types that do not match the deny rule
> > T3 = T1 and not T2
> > (allow S1 T3 P1)
> >
> > If a self rule is involved then
> > If S1 is an attribute then
> > If T1 is self and T2 is not self then
> > S3 = S1 and not (S2 and T2)
> > else if T1 is not self and T2 is self then
> > S3 = S1 and not (T1 and S2)
> > else if T1 is self and T2 is self then
> > S3 = S1 and not S2
> > (allow S3 T1 P1)
> > If T1 is an attribute then
> > If T2 is self then
> > T3 = T1 and not (S1 and S2)
> > (allow S1 T3 P1)
> > If S1 is attribute and S2 is attribute and T2 is self then
> > # In addition to any rules involving S3 and T3 above
> > SX = S1 and S2 and T1
> > For S in SX do
> > T = SX and not S
> > (allow S T P1)
> >
> > In all cases, do not create a rule that has an empty set
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> > ---
> > libsepol/cil/src/cil_deny.c | 957 ++++++++++++++++++++++++++++++++++++
> > libsepol/cil/src/cil_deny.h | 34 ++
> > libsepol/cil/src/cil_post.c | 7 +
> > 3 files changed, 998 insertions(+)
> > create mode 100644 libsepol/cil/src/cil_deny.c
> > create mode 100644 libsepol/cil/src/cil_deny.h
> >
> > diff --git a/libsepol/cil/src/cil_deny.c b/libsepol/cil/src/cil_deny.c
> > new file mode 100644
> > index 00000000..43043c37
> > --- /dev/null
> > +++ b/libsepol/cil/src/cil_deny.c
> > @@ -0,0 +1,957 @@
> > +/*
> > + * This file is public domain software, i.e. not copyrighted.
> > + *
> > + * Warranty Exclusion
> > + * ------------------
> > + * You agree that this software is a non-commercially developed program
> > + * that may contain "bugs" (as that term is used in the industry) and
> > + * that it may not function as intended. The software is licensed
> > + * "as is". NSA makes no, and hereby expressly disclaims all, warranties,
> > + * express, implied, statutory, or otherwise with respect to the software,
> > + * including noninfringement and the implied warranties of merchantability
> > + * and fitness for a particular purpose.
> > + *
> > + * Limitation of Liability
> > + *-----------------------
> > + * In no event will NSA be liable for any damages, including loss of data,
> > + * lost profits, cost of cover, or other special, incidental, consequential,
> > + * direct or indirect damages arising from the software or the use thereof,
> > + * however caused and on any theory of liability. This limitation will apply
> > + * even if NSA has been advised of the possibility of such damage. You
> > + * acknowledge that this is a reasonable allocation of risk.
> > + *
> > + * Original author: James Carter
> > + */
> > +
> > +#include <sepol/policydb/ebitmap.h>
> > +
> > +#include "cil_internal.h"
> > +#include "cil_find.h"
> > +#include "cil_flavor.h"
> > +#include "cil_list.h"
> > +#include "cil_strpool.h"
> > +#include "cil_log.h"
> > +#include "cil_symtab.h"
> > +#include "cil_build_ast.h"
> > +#include "cil_copy_ast.h"
> > +#include "cil_deny.h"
> > +
> > +#define CIL_DENY_ATTR_PREFIX "deny_rule_attr"
> > +
> > +/*
> > + * A deny rule will remove the specified permissions from the CIL AST.
> > + *
> > + * (allow S1 T1 P1)
> > + * (deny S2 T2 P2)
> > + *
> > + * In general what is needed is:
> > + * 1) Allow permissions that do not match the deny rule
> > + * P3 = P1 and not P2
> > + * (allow S1 T1 P3)
> > + * 2) Allow source types that do not match the deny rule
> > + * S3 = S1 and not S2
> > + * (allow S3 T1 P1)
> > + * 3) Allow target types that do not match the deny rule
> > + * T3 = T1 and not T2
> > + * (allow S1 T3 P1)
> > + *
> > + * If a self rule is involved then
> > + * If S1 is an attribute then
> > + * If T1 is self and T2 is not self then
> > + * S3 = S1 and not (S2 and T2)
> > + * else if T1 is not self and T2 is self then
> > + * S3 = S1 and not (T1 and S2)
> > + * else if T1 is self and T2 is self then
> > + * S3 = S1 and not S2
> > + * (allow S3 T1 P1)
> > + * If T1 is an attribute then
> > + * If T2 is self then
> > + * T3 = T1 and not (S1 and S2)
> > + * (allow S1 T3 P1)
> > + * If S1 is attribute and S2 is attribute and T2 is self then
>
> nit: The rest of the lines refer to "an" attribute, and this one drops
> the article.
>
> BTW, thanks for this description of the cases. It's very helpful
> working through the logic.
>
The logic will be changing. I've been looking into eliminating all the overlap.
> > + * # In addition to any rules involving S3 and T3 above
> > + * SX = S1 and S2 and T1
> > + * For S in SX do
> > + * T = SX and not S
> > + * (allow S T P1)
> > + *
> > + * Do not create a rule that has an empty set
> > + */
> > +
> > +static int cil_perm_match(const struct cil_perm *p1, const struct cil_list *pl2)
> > +{
> > + struct cil_list_item *curr;
> > +
> > + cil_list_for_each(curr, pl2) {
> > + struct cil_perm *p = curr->data;
> > + if (p == p1) {
> > + return CIL_TRUE;
> > + }
>
> Why are we comparing the pointers rather than the value fields?
>
There is only one struct cil_perm for each permission, so there will
never be a case where the pointers are not equal, but it is the same
permission.
Every declared object in CIL has a struct cil_symtab_datum datum as
its first field. The symbol table points to the datum (which is at the
same address as the enclosing struct).
If you are searching for a declared object, then you only need to
check the pointers.
> > + }
> > + return CIL_FALSE;
> > +}
> > +
> > +static int cil_class_perm_match(const struct cil_class *c1, const struct cil_perm *p1, const struct cil_list *cpl2)
> > +{
> > + struct cil_list_item *curr;
> > +
> > + cil_list_for_each(curr, cpl2) {
> > + if (curr->flavor == CIL_CLASSPERMS) {
> > + struct cil_classperms *cp = curr->data;
> > + if (FLAVOR(cp->class) == CIL_CLASS) {
> > + if (cp->class == c1) {
> > + if (cil_perm_match(p1, cp->perms)) {
> > + return CIL_TRUE;
> > + }
> > + }
> > + } else { /* MAP */
> > + struct cil_list_item *p;
> > + cil_list_for_each(p, cp->perms) {
> > + struct cil_perm *cmp = p->data;
> > + if (cil_class_perm_match(c1, p1, cmp->classperms)) {
> > + return CIL_TRUE;
> > + }
> > + }
> > + }
> > + } else { /* SET */
> > + struct cil_classperms_set *cp_set = curr->data;
> > + struct cil_classpermission *cp = cp_set->set;
> > + if (cil_class_perm_match(c1, p1, cp->classperms)) {
> > + return CIL_TRUE;
> > + }
> > + }
> > + }
> > + return CIL_FALSE;
> > +}
> > +
> > +static int cil_classperms_match(const struct cil_classperms *cp1, const struct cil_list *cpl2)
> > +{
> > + struct cil_list_item *curr;
> > +
> > + cil_list_for_each(curr, cp1->perms) {
> > + struct cil_perm *perm = curr->data;
> > + if (cil_class_perm_match(cp1->class, perm, cpl2)) {
> > + return CIL_TRUE;
> > + }
> > + }
> > + return CIL_FALSE;
> > +}
> > +
> > +int cil_classperms_list_match(const struct cil_list *cpl1, const struct cil_list *cpl2)
> > +{
> > + struct cil_list_item *curr;
> > +
> > + if (!cpl1 || !cpl2) {
> > + return (!cpl1 && !cpl2) ? CIL_TRUE : CIL_FALSE;
> > + }
> > +
> > + cil_list_for_each(curr, cpl1) {
> > + if (curr->flavor == CIL_CLASSPERMS) {
> > + struct cil_classperms *cp = curr->data;
> > + if (FLAVOR(cp->class) == CIL_CLASS) {
> > + if (cil_classperms_match(cp, cpl2)) {
> > + return CIL_TRUE;
> > + }
> > + } else { /* MAP */
> > + struct cil_list_item *p;
> > + cil_list_for_each(p, cp->perms) {
> > + struct cil_perm *cmp = p->data;
> > + if (cil_classperms_list_match(cmp->classperms, cpl2)) {
> > + return CIL_TRUE;
> > + }
> > + }
> > + }
> > + } else { /* SET */
> > + struct cil_classperms_set *cp_set = curr->data;
> > + struct cil_classpermission *cp = cp_set->set;
> > + if (cil_classperms_list_match(cp->classperms, cpl2)) {
> > + return CIL_TRUE;
> > + }
> > + }
> > + }
> > + return CIL_FALSE;
> > +}
> > +
> > +static void cil_classperms_copy(struct cil_classperms **new, const struct cil_classperms *old)
> > +{
> > + cil_classperms_init(new);
> > + (*new)->class_str = old->class_str;
> > + (*new)->class = old->class;
> > + cil_copy_list(old->perm_strs, &(*new)->perm_strs);
> > + cil_copy_list(old->perms, &(*new)->perms);
> > +}
> > +
> > +static void cil_classperms_set_copy(struct cil_classperms_set **new, const struct cil_classperms_set *old)
> > +{
> > + cil_classperms_set_init(new);
> > + (*new)->set_str = old->set_str;
> > + (*new)->set = old->set;
> > +}
> > +
> > +void cil_classperms_list_copy(struct cil_list **new, const struct cil_list *old)
> > +{
> > + struct cil_list_item *curr;
> > +
> > + if (!new) {
> > + return;
> > + }
> > +
> > + if (!old) {
> > + *new = NULL;
> > + return;
> > + }
> > +
> > + cil_list_init(new, CIL_LIST);
> > +
> > + cil_list_for_each(curr, old) {
> > + if (curr->flavor == CIL_CLASSPERMS) {
> > + struct cil_classperms *new_cp;
> > + cil_classperms_copy(&new_cp, curr->data);
> > + cil_list_append(*new, CIL_CLASSPERMS, new_cp);
> > + } else { /* SET */
> > + struct cil_classperms_set *new_cps;
> > + cil_classperms_set_copy(&new_cps, curr->data);
> > + cil_list_append(*new, CIL_CLASSPERMS_SET, new_cps);
> > + }
> > + }
> > +
> > + if (cil_list_is_empty(*new)) {
> > + cil_list_destroy(new, CIL_FALSE);
> > + }
> > +}
> > +
> > +/* Append cp1 and not cpl2 to result */
> > +static void cil_classperms_andnot(struct cil_list **result, const struct cil_classperms *cp1, const struct cil_list *cpl2)
> > +{
> > + struct cil_classperms *new_cp = NULL;
> > + struct cil_list_item *curr;
> > +
> > + if (!cil_classperms_match(cp1, cpl2)) {
> > + cil_classperms_copy(&new_cp, cp1);
> > + cil_list_append(*result, CIL_CLASSPERMS, new_cp);
> > + return;
> > + }
> > +
> > + cil_list_for_each(curr, cp1->perms) {
> > + struct cil_perm *perm = curr->data;
> > + if (!cil_class_perm_match(cp1->class, perm, cpl2)) {
> > + if (new_cp == NULL) {
> > + cil_classperms_init(&new_cp);
> > + new_cp->class_str = cp1->class_str;
> > + new_cp->class = cp1->class;
> > + cil_list_init(&new_cp->perm_strs, CIL_PERM);
> > + cil_list_init(&new_cp->perms, CIL_PERM);
> > + cil_list_append(*result, CIL_CLASSPERMS, new_cp) > + }
> > + cil_list_append(new_cp->perm_strs, CIL_STRING, perm->datum.fqn);
> > + cil_list_append(new_cp->perms, CIL_DATUM, perm);
>
> Why can't you just use cil_classperms_copy() here?
>
Because I am not copying every permission. I don't want to initialize
the new classperms struct if there are no matches, so I wait until the
first match to initialize it. Immediately appending the new struct
might be confusing. As soon as there is a match I know that the new
classperms struct is going to be appended to the results, but
permissions will continue to be added to it even after it has been
appended.
> > + }
> > + }
> > +}
> > +
> > +/* Append cp1 and not cpl2 to result */
> > +static void cil_classperms_map_andnot(struct cil_list **result, const struct cil_classperms *cp1, const struct cil_list *cpl2)
> > +{
> > + struct cil_classperms *new_cp = NULL;
> > + struct cil_list_item *p;
> > +
> > + cil_list_for_each(p, cp1->perms) {
> > + struct cil_perm *map_perm = p->data;
> > + if (!cil_classperms_list_match(map_perm->classperms, cpl2)) {
> > + if (new_cp == NULL) {
> > + cil_classperms_init(&new_cp);
> > + new_cp->class_str = cp1->class_str;
> > + new_cp->class = cp1->class;
> > + cil_list_init(&new_cp->perm_strs, CIL_PERM);
> > + cil_list_init(&new_cp->perms, CIL_PERM);
> > + cil_list_append(*result, CIL_CLASSPERMS, new_cp);
> > + }
> > + cil_list_append(new_cp->perm_strs, CIL_STRING, map_perm->datum.fqn);
> > + cil_list_append(new_cp->perms, CIL_DATUM, map_perm);
>
> Same question about cil_classperms_copy().
>
Same thing here.
> > + } else {
> > + struct cil_list *new_cpl = NULL;
> > + cil_classperms_list_andnot(&new_cpl, map_perm->classperms, cpl2);
> > + if (new_cpl) {
> > + struct cil_list_item *i;
> > + cil_list_for_each(i, new_cpl) {
> > + cil_list_append(*result, i->flavor, i->data);
> > + }
> > + cil_list_destroy(&new_cpl, CIL_FALSE);
> > + }
> > + }
> > + }
> > +}
> > +
> > +/* Append cps1 and not cpl2 to result */
> > +static void cil_classperms_set_andnot(struct cil_list **result, const struct cil_classperms_set *cps1, const struct cil_list *cpl2)
> > +{
> > + struct cil_classpermission *cp = cps1->set;
> > +
> > + if (!cil_classperms_list_match(cp->classperms, cpl2)) {
> > + struct cil_classperms_set *new_cps;
> > + cil_classperms_set_copy(&new_cps, cps1);
> > + cil_list_append(*result, CIL_CLASSPERMS_SET, new_cps);
> > + } else {
> > + struct cil_list *new_cpl;
> > + cil_classperms_list_andnot(&new_cpl, cp->classperms, cpl2);
> > + if (new_cpl) {
> > + struct cil_list_item *i;
> > + cil_list_for_each(i, new_cpl) {
> > + cil_list_append(*result, i->flavor, i->data);
> > + }
> > + cil_list_destroy(&new_cpl, CIL_FALSE);
> > + }
> > + }
> > +}
> > +
> > +/* result = cpl1 and not cpl2 */
> > +void cil_classperms_list_andnot(struct cil_list **result, const struct cil_list *cpl1, const struct cil_list *cpl2)
> > +{
> > + struct cil_list_item *curr;
> > +
> > + if (!result) {
> > + return;
> > + }
> > +
> > + if (!cpl1) {
> > + *result = NULL;
> > + return;
> > + }
> > +
> > + cil_list_init(result, CIL_LIST);
> > +
> > + if (!cpl2 || !cil_classperms_list_match(cpl1, cpl2)) {
> > + cil_classperms_list_copy(result, cpl1);
> > + return;
> > + }
> > +
> > + cil_list_for_each(curr, cpl1) {
> > + if (curr->flavor == CIL_CLASSPERMS) {
> > + struct cil_classperms *cp = curr->data;
> > + if (FLAVOR(cp->class) == CIL_CLASS) {
> > + cil_classperms_andnot(result, cp, cpl2);
> > + } else { /* MAP */
> > + cil_classperms_map_andnot(result, cp, cpl2);
> > + }
> > + } else { /* SET */
> > + struct cil_classperms_set *cps = curr->data;
> > + cil_classperms_set_andnot(result, cps, cpl2);
> > + }
> > + }
> > +
> > + if (cil_list_is_empty(*result)) {
> > + cil_list_destroy(result, CIL_FALSE);
> > + }
> > +}
> > +
> > +/* result = d1 and d2 */
> > +static int cil_datums_and(ebitmap_t *result, const struct cil_symtab_datum *d1, const struct cil_symtab_datum *d2)
> > +{
> > + int rc = SEPOL_OK;
> > + enum cil_flavor f1 = FLAVOR(d1);
> > + enum cil_flavor f2 = FLAVOR(d2);
> > +
> > + if (f1 != CIL_TYPEATTRIBUTE && f2 != CIL_TYPEATTRIBUTE) {
> > + struct cil_type *t1 = (struct cil_type *)d1;
> > + struct cil_type *t2 = (struct cil_type *)d2;
> > + ebitmap_init(result);
> > + if (t1->value == t2->value) {
> > + rc = ebitmap_set_bit(result, t1->value, 1);
> > + if (rc != SEPOL_OK) {
> > + ebitmap_destroy(result);
> > + goto exit;
> > + }
> > + }
> > + } else if (f1 == CIL_TYPEATTRIBUTE && f2 != CIL_TYPEATTRIBUTE) {
> > + struct cil_typeattribute *a1 = (struct cil_typeattribute *)d1;
> > + struct cil_type *t2 = (struct cil_type *)d2;
> > + ebitmap_init(result);
> > + if (ebitmap_get_bit(a1->types, t2->value)) {
> > + rc = ebitmap_set_bit(result, t2->value, 1);
> > + if (rc != SEPOL_OK) {
> > + ebitmap_destroy(result);
> > + goto exit;
> > + }
> > + }
> > + } else if (f1 != CIL_TYPEATTRIBUTE && f2 == CIL_TYPEATTRIBUTE) {
> > + struct cil_type *t1 = (struct cil_type *)d1;
> > + struct cil_typeattribute *a2 = (struct cil_typeattribute *)d2;
> > + ebitmap_init(result);
> > + if (ebitmap_get_bit(a2->types, t1->value)) {
> > + rc = ebitmap_set_bit(result, t1->value, 1);
> > + if (rc != SEPOL_OK) {
> > + ebitmap_destroy(result);
> > + goto exit;
> > + }
> > + }
> > + } else {
> > + /* Both are attributes */
> > + struct cil_typeattribute *a1 = (struct cil_typeattribute *)d1;
> > + struct cil_typeattribute *a2 = (struct cil_typeattribute *)d2;
> > + rc = ebitmap_and(result, a1->types, a2->types);
> > + if (rc != SEPOL_OK) {
> > + ebitmap_destroy(result);
> > + goto exit;
> > + }
> > + }
> > +exit:
> > + return rc;
> > +}
> > +
> > +/* result = d1 and not d2 */
> > +static int cil_datums_andnot(ebitmap_t *result, const struct cil_symtab_datum *d1, const struct cil_symtab_datum *d2)
> > +{
> > + int rc = SEPOL_OK;
> > + enum cil_flavor f1 = FLAVOR(d1);
> > + enum cil_flavor f2 = FLAVOR(d2);
> > +
> > + if (f1 != CIL_TYPEATTRIBUTE && f2 != CIL_TYPEATTRIBUTE) {
> > + struct cil_type *t1 = (struct cil_type *)d1;
> > + struct cil_type *t2 = (struct cil_type *)d2;
> > + ebitmap_init(result);
> > + if (t1->value != t2->value) {
> > + rc = ebitmap_set_bit(result, t1->value, 1);
> > + if (rc != SEPOL_OK) {
> > + ebitmap_destroy(result);
> > + goto exit;
> > + }
> > + }
> > + } else if (f1 == CIL_TYPEATTRIBUTE && f2 != CIL_TYPEATTRIBUTE) {
> > + struct cil_typeattribute *a1 = (struct cil_typeattribute *)d1;
> > + struct cil_type *t2 = (struct cil_type *)d2;
> > + rc = ebitmap_cpy(result, a1->types);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + rc = ebitmap_set_bit(result, t2->value, 0);
> > + if (rc != SEPOL_OK) {
> > + ebitmap_destroy(result);
> > + goto exit;
> > + }
> > + } else if (f1 != CIL_TYPEATTRIBUTE && f2 == CIL_TYPEATTRIBUTE) {
> > + struct cil_type *t1 = (struct cil_type *)d1;
> > + struct cil_typeattribute *a2 = (struct cil_typeattribute *)d2;
> > + ebitmap_init(result);
> > + if (!ebitmap_get_bit(a2->types, t1->value)) {
> > + rc = ebitmap_set_bit(result, t1->value, 1);
> > + if (rc != SEPOL_OK) {
> > + ebitmap_destroy(result);
> > + goto exit;
> > + }
> > + }
> > + } else {
> > + /* Both are attributes */
> > + struct cil_typeattribute *a1 = (struct cil_typeattribute *)d1;
> > + struct cil_typeattribute *a2 = (struct cil_typeattribute *)d2;
> > + rc = ebitmap_andnot(result, a1->types, a2->types, a1->types->highbit);
> > + if (rc != SEPOL_OK) {
> > + ebitmap_destroy(result);
> > + goto exit;
> > + }
> > + }
> > +exit:
> > + return rc;
> > +}
> > +
> > +static size_t num_digits(unsigned n)
> > +{
> > + size_t num = 1;
> > + while (n >= 10) {
> > + n /= 10;
> > + num++;
> > + }
> > + return num;
> > +}
> > +
> > +static char *cil_create_new_attribute_name(unsigned num)
> > +{
> > + char *s1 = NULL;
> > + char *s2 = NULL;
> > + size_t len_num = num_digits(num);
> > + size_t len = strlen(CIL_DENY_ATTR_PREFIX) + 1 + len_num + 1;
> > + int rc;
> > +
> > + if (len >= CIL_MAX_NAME_LENGTH) {
> > + cil_log(CIL_ERR, "Name length greater than max name length of %d",
> > + CIL_MAX_NAME_LENGTH);
> > + goto exit;
> > + }
> > +
> > + s1 = cil_malloc(len);
> > + rc = snprintf(s1, len, "%s_%u", CIL_DENY_ATTR_PREFIX, num);
> > + if (rc < 0 || (size_t)rc >= len) {
> > + cil_log(CIL_ERR, "Error creating new attribute name");
> > + free(s1);
> > + goto exit;
> > + }
> > +
> > + s2 = cil_strpool_add(s1);
> > + free(s1);
> > +
> > +exit:
> > + return s2;
> > +}
> > +
> > +static struct cil_list *cil_create_and_expr_list(enum cil_flavor flavor, void *v1, void *v2)
> > +{
> > + struct cil_list *expr;
> > +
> > + cil_list_init(&expr, CIL_TYPE);
> > + cil_list_append(expr, CIL_OP, (void *)CIL_AND);
> > + cil_list_append(expr, flavor, v1);
> > + cil_list_append(expr, flavor, v2);
> > +
> > + return expr;
> > +}
> > +
> > +static struct cil_list *cil_create_andnot_expr_list(enum cil_flavor flavor, void *v1, void *v2)
> > +{
> > + struct cil_list *expr, *sub_expr;
> > +
> > + cil_list_init(&expr, CIL_TYPE);
> > + cil_list_append(expr, CIL_OP, (void *)CIL_AND);
> > + cil_list_append(expr, flavor, v1);
> > + cil_list_init(&sub_expr, CIL_TYPE);
> > + cil_list_append(sub_expr, CIL_OP, (void *)CIL_NOT);
> > + cil_list_append(sub_expr, flavor, v2);
> > + cil_list_append(expr, CIL_LIST, sub_expr);
> > +
> > + return expr;
> > +}
> > +
> > +static struct cil_tree_node *cil_create_and_insert_node(struct cil_tree_node *prev, enum cil_flavor flavor, void *data)
> > +{
> > + struct cil_tree_node *new;
> > +
> > + cil_tree_node_init(&new);
> > + new->parent = prev->parent;
> > + new->line = prev->line;
> > + new->hll_offset = prev->hll_offset;
> > + new->flavor = flavor;
> > + new->data = data;
> > + new->next = prev->next;
> > + prev->next = new;
> > +
> > + return new;
> > +}
> > +
> > +static int cil_create_and_insert_attribute_and_set(struct cil_db *db, struct cil_tree_node *prev, struct cil_list *str_expr, struct cil_list *datum_expr, ebitmap_t *types, struct cil_symtab_datum **d)
> > +{
> > + struct cil_tree_node *attr_node = NULL;
> > + char *name;
> > + struct cil_typeattribute *attr = NULL;
> > + struct cil_tree_node *attrset_node = NULL;
> > + struct cil_typeattributeset *attrset = NULL;
> > + symtab_t *symtab = NULL;
> > + int rc = SEPOL_ERR;
> > +
> > + name = cil_create_new_attribute_name(db->num_types_and_attrs);
> > + if (!name) {
> > + goto exit;
> > + }
> > +
> > + cil_typeattributeset_init(&attrset);
> > + attrset->attr_str = name;
> > + attrset->str_expr = str_expr;
> > + attrset->datum_expr = datum_expr;
> > +
> > + cil_typeattribute_init(&attr);
> > + cil_list_init(&attr->expr_list, CIL_TYPE);
> > + cil_list_append(attr->expr_list, CIL_LIST, datum_expr);
> > + attr->types = types;
> > + attr->used = CIL_ATTR_AVRULE;
> > + attr->keep = (ebitmap_cardinality(types) < db->attrs_expand_size) ? CIL_FALSE : CIL_TRUE;
> > +
> > + attr_node = cil_create_and_insert_node(prev, CIL_TYPEATTRIBUTE, attr);
> > + attrset_node = cil_create_and_insert_node(attr_node, CIL_TYPEATTRIBUTESET, attrset);
> > +
> > + rc = cil_get_symtab(prev->parent, &symtab, CIL_SYM_TYPES);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > +
> > + rc = cil_symtab_insert(symtab, name, &attr->datum, attr_node);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > +
> > + db->num_types_and_attrs++;
> > +
> > + *d = &attr->datum;
> > +
> > + return SEPOL_OK;
> > +
> > +exit:
> > + if (attrset_node) {
> > + prev->next = attrset_node->next;
> > + cil_destroy_typeattribute(attr_node->data);
> > + free(attr_node);
> > + cil_destroy_typeattributeset(attrset_node->data);
> > + free(attrset_node);
> > + }
> > + return rc;
> > +}
> > +
> > +static int cil_create_attribute_d1_and_not_d2(struct cil_db *db, struct cil_tree_node *prev, struct cil_symtab_datum *d1, struct cil_symtab_datum *d2, struct cil_symtab_datum **d3)
> > +{
> > + struct cil_list *str_expr;
> > + struct cil_list *datum_expr;
> > + ebitmap_t *types;
> > + int rc;
> > +
> > + *d3 = NULL;
> > +
> > + if (d1 == d2) {
> > + return SEPOL_OK;
> > + }
> > +
> > + str_expr = cil_create_andnot_expr_list(CIL_STRING, d1->fqn, d2->fqn);
> > + datum_expr = cil_create_andnot_expr_list(CIL_DATUM, d1, d2);
> > +
> > + types = cil_malloc(sizeof(*types));
> > + rc = cil_datums_andnot(types, d1, d2);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + if (ebitmap_is_empty(types)) {
> > + rc = SEPOL_OK;
> > + goto exit;
> > + }
> > +
> > + if (ebitmap_cardinality(types) == 1) {
> > + unsigned i = ebitmap_highest_set_bit(types);
> > + *d3 = DATUM(db->val_to_type[i]);
> > + ebitmap_destroy(types);
> > + rc = SEPOL_OK;
> > + goto exit;
> > + }
> > +
> > + return cil_create_and_insert_attribute_and_set(db, prev, str_expr, datum_expr, types, d3);
> > +
> > +exit:
> > + cil_list_destroy(&str_expr, CIL_FALSE);
> > + cil_list_destroy(&datum_expr, CIL_FALSE);
> > + free(types);
> > + return rc;
> > +}
> > +
> > +static int cil_create_attribute_d1_and_d2(struct cil_db *db, struct cil_tree_node *prev, struct cil_symtab_datum *d1, struct cil_symtab_datum *d2, struct cil_symtab_datum **d3)
> > +{
> > + struct cil_list *str_expr;
> > + struct cil_list *datum_expr;
> > + ebitmap_t *types;
> > + int rc;
> > +
> > + if (d1 == d2) {
> > + *d3 = d1;
> > + return SEPOL_OK;
> > + }
> > +
> > + *d3 = NULL;
> > +
> > + str_expr = cil_create_and_expr_list(CIL_STRING, d1->fqn, d2->fqn);
> > + datum_expr = cil_create_and_expr_list(CIL_DATUM, d1, d2);
> > +
> > + types = cil_malloc(sizeof(*types));
> > + rc = cil_datums_and(types, d1, d2);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + if (ebitmap_is_empty(types)) {
> > + rc = SEPOL_OK;
> > + goto exit;
> > + }
> > +
> > + if (ebitmap_cardinality(types) == 1) {
> > + unsigned i = ebitmap_highest_set_bit(types);
> > + *d3 = DATUM(db->val_to_type[i]);
> > + ebitmap_destroy(types);
> > + rc = SEPOL_OK;
> > + goto exit;
> > + }
> > +
> > + rc = cil_create_and_insert_attribute_and_set(db, prev, str_expr, datum_expr, types, d3);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
>
> This and the and_not variant above differ in this error handling. The
> and_not one trusts cil_create_and_insert_attribute_and_set() to do the
> cleanup, and this one does its own cleanup.
>
> I think they're both potentially wrong, as
> cil_create_and_insert_attribute_and_set() calls
> cil_destroy_typeattributeset() which does the same cleanup only if it
> makes it halfway through the function. So if
> cil_create_new_attribute_name() fails, then this case works correctly
> and the and_not case doesn't free str_expr and datum_expr. On the other
> hand, if something later in cil_create_and_insert_attribute_and_set()
> fails, then the and_not case is correct, and this one will double free
> str_expr and datum_expr.
>
Yes. I really don't want to call cil_destroy_typeattributeset(), I
want the calling functions to deal with str_expr and datum_expr, since
they passed them in.
> > +
> > + return SEPOL_OK;
> > +
> > +exit:
> > + cil_list_destroy(&str_expr, CIL_FALSE);
> > + cil_list_destroy(&datum_expr, CIL_FALSE);
> > + free(types);
> > + return rc;
> > +}
> > +
> > +static struct cil_avrule *cil_create_avrule(struct cil_symtab_datum *src, struct cil_symtab_datum *tgt, struct cil_list *classperms)
> > +{
> > + struct cil_avrule *new;
> > +
> > + cil_avrule_init(&new);
> > + new->is_extended = CIL_FALSE;
> > + new->rule_kind = CIL_AVRULE_ALLOWED;
> > + new->src_str = src->name;
> > + new->src = src;
> > + new->tgt_str = tgt->name;
> > + new->tgt = tgt;
> > + new->perms.classperms = classperms;
> > +
> > + return new;
> > +}
> > +
> > +static struct cil_tree_node *cil_create_and_add_avrule(struct cil_tree_node *curr, struct cil_symtab_datum *src, struct cil_symtab_datum *tgt, struct cil_list *classperms)
> > +{
> > + struct cil_avrule *new_avrule;
> > +
> > + new_avrule = cil_create_avrule(src, tgt, classperms);
> > + return cil_create_and_insert_node(curr, CIL_AVRULE, new_avrule);
> > +}
> > +
> > +static int cil_remove_permissions_from_rule(struct cil_db *db, struct cil_tree_node *allow_node, const struct cil_tree_node *deny_node)
> > +{
> > + struct cil_avrule *allow_rule = allow_node->data;
> > + struct cil_deny_rule *deny_rule = deny_node->data;
> > + struct cil_symtab_datum *s1 = allow_rule->src;
> > + struct cil_symtab_datum *t1 = allow_rule->tgt;
> > + struct cil_list *p1 = allow_rule->perms.classperms;
> > + struct cil_symtab_datum *s2 = deny_rule->src;
> > + struct cil_symtab_datum *t2 = deny_rule->tgt;
> > + struct cil_list *p2 = deny_rule->classperms;
> > + struct cil_list *p3 = NULL;
> > + struct cil_tree_node *curr = allow_node;
> > + int rc;
> > +
> > + cil_classperms_list_andnot(&p3, p1, p2);
> > +
> > + if (!cil_list_is_empty(p3)) {;
> > + curr = cil_create_and_add_avrule(curr, s1, t1, p3);
> > + } else {
> > + cil_destroy_classperms_list(&p3);
> > + p3 = NULL;
> > + }
> > +
> > + if (FLAVOR(s1) == CIL_TYPEATTRIBUTE) {
> > + struct cil_symtab_datum *s3 = NULL;
> > + struct cil_symtab_datum *d = NULL > + struct cil_list *cp = NULL;
> > + if (t1->fqn == CIL_KEY_SELF && t2->fqn != CIL_KEY_SELF) {
> > + /* S3 = S1 and not (S2 and T2) */
> > + rc = cil_create_attribute_d1_and_d2(db, NODE(s2), s2, t2, &d);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + if (d) {
> > + rc = cil_create_attribute_d1_and_not_d2(db, NODE(s1), s1, d, &s3);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + }
> > + } else if (t1->fqn != CIL_KEY_SELF && t2->fqn == CIL_KEY_SELF) {
> > + /* S3 = S1 and not (T1 and S2) */
> > + rc = cil_create_attribute_d1_and_d2(db, NODE(t1), t1, s2, &d);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + if (d) {
> > + rc = cil_create_attribute_d1_and_not_d2(db, NODE(s1), s1, d, &s3);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + }
> > + } else {
> > + /* S3 = S1 and not S2 */
> > + rc = cil_create_attribute_d1_and_not_d2(db, NODE(s1), s1, s2, &s3);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + }
> > + if (s3) {
> > + cil_classperms_list_copy(&cp, p1);
> > + curr = cil_create_and_add_avrule(curr, s3, t1, cp);
> > + }
> > + }
> > +
> > + if (t1->fqn != CIL_KEY_SELF && FLAVOR(t1) == CIL_TYPEATTRIBUTE) {
> > + struct cil_symtab_datum *t3 = NULL;
> > + struct cil_symtab_datum *d = NULL;
> > + struct cil_list *cp = NULL;
> > + if (t2->fqn == CIL_KEY_SELF) {
> > + /* T3 = T1 and not (S1 AND S2) */
> > + rc = cil_create_attribute_d1_and_d2(db, NODE(s1), s1, s2, &d);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + if (d) {
> > + rc = cil_create_attribute_d1_and_not_d2(db, NODE(t1), t1, d, &t3);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + }
> > + } else {
> > + /* S3 = T1 and not T2 */
> > + rc = cil_create_attribute_d1_and_not_d2(db, NODE(t1), t1, t2, &t3);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + }
> > + if (t3) {
> > + cil_classperms_list_copy(&cp, p1);
> > + curr = cil_create_and_add_avrule(curr, s1, t3, cp);
> > + }
> > +
> > + if (FLAVOR(s1) == CIL_TYPEATTRIBUTE && FLAVOR(s2) == CIL_TYPEATTRIBUTE &&
> > + t2->fqn == CIL_KEY_SELF) {
> > + /* Really special case */
> > + /* FLAVOR(t1) == CIL_TYPEATTRIBUTE */
> > + /* SX = S1 and S2 and T1 */
> > + struct cil_symtab_datum *sx = NULL;
> > + struct cil_typeattribute *sx_attr = NULL;
> > +
> > + d = NULL;
> > + cp = NULL;
> > +
> > + rc = cil_create_attribute_d1_and_d2(db, NODE(s2), s2, t1, &d);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + if (d) {
> > + rc = cil_create_attribute_d1_and_d2(db, NODE(s1), s1, d, &sx);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + sx_attr = (struct cil_typeattribute *)sx;
> > + }
> > + if (sx && ebitmap_cardinality(sx_attr->types) > 1) {
> > + struct cil_symtab_datum *s = NULL;
> > + struct cil_symtab_datum *t = NULL;
> > + ebitmap_node_t *n;
> > + unsigned i;
> > + ebitmap_for_each_positive_bit(sx_attr->types, n, i) {
> > + s = DATUM(db->val_to_type[i]);
> > + rc = cil_create_attribute_d1_and_not_d2(db, NODE(sx), sx, s, &t);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + if (t) {
> > + cil_classperms_list_copy(&cp, p1);
> > + curr = cil_create_and_add_avrule(curr, s, t, cp);
> > + }
> > + }
> > + }
> > + }
> > + }
> > +
> > +exit:
> > + return rc;
> > +}
>
> As I mentioned briefly back in December, it might be in the attributes
> case to only grant p2 rather than p3. I *think* that's safe, since the
> initial allow rule grants everything p3, so the only things needed to be
> added back in the attributes are the denied permissions (p2).
>
Not p2, but p1 and p2
So the new logic that I am looking at is (for the general case):
P3 = P1 and not P2
(allow S1 T1 P3)
P4 = P1 and P2
S3 = S1 and not S2
(allow S3 T1 P4) ; T1 is attribute, type, self, notself, or other
S4 = S1 and S2
T3 = T1 and not T2 ; Only if T1 is attribute, otherwise there are
different rules
(allow S4 T3 P4)
I am also looking at how adding "notself" and "other" (previously
called "minusself") will effect things. Using "other" actually makes
some cases easier.
Thanks for the thorough review,
Jim
> > +
> > +static int cil_find_matching_allow_rules(struct cil_list *matching, struct cil_tree_node *start, struct cil_tree_node *deny_node)
> > +{
> > + struct cil_deny_rule *deny_rule = deny_node->data;
> > + struct cil_avrule target;
> > +
> > + target.rule_kind = CIL_AVRULE_ALLOWED;
> > + target.is_extended = CIL_FALSE;
> > + target.src = deny_rule->src;
> > + target.tgt = deny_rule->tgt;
> > + target.perms.classperms = deny_rule->classperms;
> > +
> > + return cil_find_matching_avrule_in_ast(start, CIL_AVRULE, &target, matching, CIL_FALSE);
> > +}
> > +
> > +static int cil_process_deny_rule(struct cil_db *db, struct cil_tree_node *start, struct cil_tree_node *deny_node)
> > +{
> > + struct cil_list *matching;
> > + struct cil_list_item *item;
> > + int rc;
> > +
> > + cil_list_init(&matching, CIL_NODE);
> > +
> > + rc = cil_find_matching_allow_rules(matching, start, deny_node);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > +
> > + cil_list_for_each(item, matching) {
> > + struct cil_tree_node *allow_node = item->data;
> > + rc = cil_remove_permissions_from_rule(db, allow_node, deny_node);
> > + cil_tree_remove_node(allow_node);
> > + cil_tree_node_destroy(&allow_node);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > +
> > + }
> > +
> > +exit:
> > + cil_list_destroy(&matching, CIL_FALSE);
> > + return rc;
> > +}
> > +
> > +static int cil_process_deny_rules(struct cil_db *db, struct cil_tree_node *start, struct cil_list *deny_rules)
> > +{
> > + struct cil_list_item *item;
> > + int rc;
> > +
> > + cil_list_for_each(item, deny_rules) {
> > + struct cil_tree_node *deny_node = item->data;
> > + rc = cil_process_deny_rule(db, start, deny_node);
> > + if (rc != SEPOL_OK) {
> > + goto exit;
> > + }
> > + cil_tree_remove_node(deny_node);
> > + cil_tree_node_destroy(&deny_node);
> > + }
> > +
> > +exit:
> > + return rc;
> > +}
> > +
> > +static int __cil_find_deny_rules(struct cil_tree_node *node, uint32_t *finished, void *extra_args)
> > +{
> > + struct cil_list *deny_rules = extra_args;
> > +
> > + if (node->flavor == CIL_BLOCK) {
> > + struct cil_block *block = node->data;
> > + if (block->is_abstract == CIL_TRUE) {
> > + *finished = CIL_TREE_SKIP_HEAD;
> > + }
> > + } else if (node->flavor == CIL_MACRO) {
> > + *finished = CIL_TREE_SKIP_HEAD;
> > + } else if (node->flavor == CIL_DENY_RULE) {
> > + cil_list_append(deny_rules, CIL_DENY_RULE, node);
> > + }
> > + return SEPOL_OK;
> > +}
> > +
> > +int cil_process_deny_rules_in_ast(struct cil_db *db)
> > +{
> > + struct cil_tree_node *start;
> > + struct cil_list *deny_rules;
> > + int rc = SEPOL_ERR;
> > +
> > + cil_list_init(&deny_rules, CIL_DENY_RULE);
> > +
> > + if (!db) {
> > + cil_log(CIL_ERR, "No CIL db provided to process deny rules\n");
> > + goto exit;
> > + }
> > +
> > + start = db->ast->root;
> > + rc = cil_tree_walk(start, __cil_find_deny_rules, NULL, NULL, deny_rules);
> > + if (rc != SEPOL_OK) {
> > + cil_log(CIL_ERR, "An error occurred while getting deny rules\n");
> > + goto exit;
> > + }
> > +
> > + rc = cil_process_deny_rules(db, start, deny_rules);
> > + if (rc != SEPOL_OK) {
> > + cil_log(CIL_ERR, "An error occurred while processing deny rules\n");
> > + goto exit;
> > + }
> > +
> > +exit:
> > + cil_list_destroy(&deny_rules, CIL_FALSE);
> > + return rc;
> > +}
> > diff --git a/libsepol/cil/src/cil_deny.h b/libsepol/cil/src/cil_deny.h
> > new file mode 100644
> > index 00000000..4a9e92d1
> > --- /dev/null
> > +++ b/libsepol/cil/src/cil_deny.h
> > @@ -0,0 +1,34 @@
> > +/*
> > + * This file is public domain software, i.e. not copyrighted.
> > + *
> > + * Warranty Exclusion
> > + * ------------------
> > + * You agree that this software is a non-commercially developed program
> > + * that may contain "bugs" (as that term is used in the industry) and
> > + * that it may not function as intended. The software is licensed
> > + * "as is". NSA makes no, and hereby expressly disclaims all, warranties,
> > + * express, implied, statutory, or otherwise with respect to the software,
> > + * including noninfringement and the implied warranties of merchantability
> > + * and fitness for a particular purpose.
> > + *
> > + * Limitation of Liability
> > + *-----------------------
> > + * In no event will NSA be liable for any damages, including loss of data,
> > + * lost profits, cost of cover, or other special, incidental, consequential,
> > + * direct or indirect damages arising from the software or the use thereof,
> > + * however caused and on any theory of liability. This limitation will apply
> > + * even if NSA has been advised of the possibility of such damage. You
> > + * acknowledge that this is a reasonable allocation of risk.
> > + *
> > + * Original author: James Carter
> > + */
> > +
> > +#ifndef CIL_DENY_H_
> > +#define CIL_DENY_H_
> > +
> > +int cil_classperms_list_match(const struct cil_list *cpl1, const struct cil_list *cpl2);
> > +void cil_classperms_list_copy(struct cil_list **new, const struct cil_list *old);
> > +void cil_classperms_list_andnot(struct cil_list **result, const struct cil_list *cpl1, const struct cil_list *cpl2);
> > +int cil_process_deny_rules_in_ast(struct cil_db *db);
> > +
> > +#endif /* CIL_DENY_H_ */
> > diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
> > index 11e572e2..fb7eec2d 100644
> > --- a/libsepol/cil/src/cil_post.c
> > +++ b/libsepol/cil/src/cil_post.c
> > @@ -47,6 +47,7 @@
> > #include "cil_policy.h"
> > #include "cil_verify.h"
> > #include "cil_symtab.h"
> > +#include "cil_deny.h"
> >
> > #define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in libsepol/src/module_to_cil.c */
> > #define TYPEATTR_INFIX "_typeattr_" /* Also in libsepol/src/module_to_cil.c */
> > @@ -2551,6 +2552,12 @@ int cil_post_process(struct cil_db *db)
> > goto exit;
> > }
> >
> > + rc = cil_process_deny_rules_in_ast(db);
> > + if (rc != SEPOL_OK) {
> > + cil_log(CIL_ERR, "Failed to process deny rules\n");
> > + goto exit;
> > + }
> > +
> > rc = cil_post_verify(db);
> > if (rc != SEPOL_OK) {
> > cil_log(CIL_ERR, "Failed to verify cil database\n");
>
