On Mon, Oct 21, 2024 at 7:12 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> commit ba7945a250c added support for nlmsg extended permissions in the
> policy. The assertion validation was not updated which lead to false
> positives when evaluated. The optimization update was also missing. Add
> support for the new extended permission for optimization and assertions.
>
> Fixes: ba7945a250c0794837f94ee1fb124426166bbc6e
> Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> libsepol/src/assertion.c | 16 ++++++++++++++--
> libsepol/src/optimize.c | 5 +++++
> 2 files changed, 19 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> index 3076babe..5e129883 100644
> --- a/libsepol/src/assertion.c
> +++ b/libsepol/src/assertion.c
> @@ -110,6 +110,10 @@ static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_ext
> } else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
> && (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
> rc = extended_permissions_and(neverallow->perms, allow->perms);
> + } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
> + && (allow->specified == AVTAB_XPERMS_NLMSG)) {
> + if (neverallow->driver == allow->driver)
> + rc = extended_permissions_and(neverallow->perms, allow->perms);
> }
>
> return rc;
> @@ -142,6 +146,12 @@ static void extended_permissions_violated(avtab_extended_perms_t *result,
> result->specified = AVTAB_XPERMS_IOCTLDRIVER;
> for (i = 0; i < EXTENDED_PERMS_LEN; i++)
> result->perms[i] = neverallow->perms[i] & allow->perms[i];
> + } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
> + && (allow->specified == AVTAB_XPERMS_NLMSG)) {
> + result->specified = AVTAB_XPERMS_NLMSG;
> + result->driver = allow->driver;
> + for (i = 0; i < EXTENDED_PERMS_LEN; i++)
> + result->perms[i] = neverallow->perms[i] & allow->perms[i];
> }
> }
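Review bot: The new NLMSG branch in check_extended_permissions nests the driver comparison inside a kind match whose only effect is the single assignment to rc, and the chain has no further else, so the inner `if` can become part of the branch condition: `} else if ((neverallow->specified == AVRULE_XPERMS_NLMSG) && (allow->specified == AVTAB_XPERMS_NLMSG) && (neverallow->driver == allow->driver)) {` followed directly by `rc = extended_permissions_and(neverallow->perms, allow->perms);`. When the drivers differ rc keeps whatever value it held before the chain, exactly as it does now. The optimize.c hunk in process_avtab_datum has the same shape — `if (x1->driver != x2->driver) return 0;` ahead of `return process_xperms(x1->perms, x2->perms);`, with a `return 0;` already following the chain — and can be folded the same way. The start of check_extended_permissions, including where rc is initialised, lies above the hunk.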
>
> @@ -176,7 +186,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
> node = avtab_search_node_next(node, tmp_key.specified)) {
> xperms = node->datum.xperms;
> if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
> - && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
> + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
> + && (xperms->specified != AVTAB_XPERMS_NLMSG))
> continue;
> found_xperm = 1;
> rc = check_extended_permissions(avrule->xperms, xperms);
> @@ -376,7 +387,8 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t
> xperms = node->datum.xperms;
>
> if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
> - && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
> + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
> + && (xperms->specified != AVTAB_XPERMS_NLMSG))
> continue;
> rc = check_extended_permissions(neverallow_xperms, xperms);
> if (rc)
> diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
> index a38025ec..8a0b70fe 100644
> --- a/libsepol/src/optimize.c
> +++ b/libsepol/src/optimize.c
> @@ -189,6 +189,11 @@ static int process_avtab_datum(uint16_t specified,
>
> if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
> return process_xperms(x1->perms, x2->perms);
> + } else if (x1->specified == AVTAB_XPERMS_NLMSG
> + && x2->specified == AVTAB_XPERMS_NLMSG) {
> + if (x1->driver != x2->driver)
> + return 0;
> + return process_xperms(x1->perms, x2->perms);
> }
> return 0;
> }
> --
> 2.47.0.105.g07ac214952-goog
>
>
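Review bot: The NLMSG branch added to extended_permissions_violated assigns `result->driver = allow->driver` without comparing it against neverallow->driver, so the driver it reports is only right if the caller has already established the match — presumably through check_extended_permissions, which the hunk does not show. A one-line comment on the branch, such as `/* caller has already matched neverallow->driver against allow->driver */`, would record that dependency, provided that is indeed the call order. The intersection loop in the branch is also a verbatim copy of the one in the IOCTLDRIVER branch just above it; since both branches end with the same loop, it could be written once after the chain. extended_permissions_violated begins above the hunk.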
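Review bot: The kind filter in report_assertion_extended_permissions, and the identical one in check_assertion_extended_permissions_avtab (the @@ -376 hunk), is an open-coded list of recognised xperms kinds that now lives in two places; the regression this patch fixes came from that list not being extended when AVTAB_XPERMS_NLMSG was introduced, and because found_xperm is set only after the filter, a kind missing from the list is treated as if no xperms rule existed. A small static predicate shared by both sites would keep them in step and give the next kind a single place to be added. Both enclosing functions start before their hunks.
```c
/* Extended-permission kinds the assertion checks know how to compare. */
static int xperms_kind_checked(uint16_t specified)
{
	return specified == AVTAB_XPERMS_IOCTLFUNCTION
	    || specified == AVTAB_XPERMS_IOCTLDRIVER
	    || specified == AVTAB_XPERMS_NLMSG;
}

/* … unchanged: loop header in report_assertion_extended_permissions … */
		xperms = node->datum.xperms;
		if (!xperms_kind_checked(xperms->specified))
			continue;
		found_xperm = 1;
/* … same replacement at the filter in check_assertion_extended_permissions_avtab … */
```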