On Wed, Oct 23, 2024 at 2:13 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Mon, Oct 21, 2024 at 7:12 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
> >
> > commit ba7945a250c added support for nlmsg extended permissions in the
> > policy. The assertion validation was not updated which lead to false
> > positives when evaluated. The optimization update was also missing. Add
> > support for the new extended permission for optimization and assertions.
> >
> > Fixes: ba7945a250c0794837f94ee1fb124426166bbc6e
> > Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
> Merged. Thanks, Jim
> > ---
> > libsepol/src/assertion.c | 16 ++++++++++++++--
> > libsepol/src/optimize.c | 5 +++++
> > 2 files changed, 19 insertions(+), 2 deletions(-)
> >
> > diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> > index 3076babe..5e129883 100644
> > --- a/libsepol/src/assertion.c
> > +++ b/libsepol/src/assertion.c
> > @@ -110,6 +110,10 @@ static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_ext
> > } else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
> > && (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
> > rc = extended_permissions_and(neverallow->perms, allow->perms);
> > + } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
> > + && (allow->specified == AVTAB_XPERMS_NLMSG)) {
> > + if (neverallow->driver == allow->driver)
> > + rc = extended_permissions_and(neverallow->perms, allow->perms);
> > }
> >
> > return rc;
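Review bot: The new nlmsg branch leaves `rc` untouched when the driver bytes differ, so "no violation" on a driver mismatch depends on `rc` being initialised to 0 above the hunk; that initialisation is not visible here and is worth confirming, because an uninitialised `rc` would turn a harmless mismatch into a spurious or missed assertion failure. The guard also does not say why unequal drivers can never overlap; presumably the nlmsg type is split into a driver byte plus a per-driver bitmap, in which case a comment such as `/* nlmsg perms are per-driver bitmaps: different drivers cannot overlap */` above the new `if` would make the branch self-explanatory. If the policy language can express an nlmsg range that spans more than one driver byte, none of the branches shown pair such a rule with a per-driver allow and it would fall through with `rc` unchanged, so that encoding should be checked against what checkpolicy and CIL emit. check_extended_permissions starts and ends outside the hunk.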
> > @@ -142,6 +146,12 @@ static void extended_permissions_violated(avtab_extended_perms_t *result,
> > result->specified = AVTAB_XPERMS_IOCTLDRIVER;
> > for (i = 0; i < EXTENDED_PERMS_LEN; i++)
> > result->perms[i] = neverallow->perms[i] & allow->perms[i];
> > + } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
> > + && (allow->specified == AVTAB_XPERMS_NLMSG)) {
> > + result->specified = AVTAB_XPERMS_NLMSG;
> > + result->driver = allow->driver;
> > + for (i = 0; i < EXTENDED_PERMS_LEN; i++)
> > + result->perms[i] = neverallow->perms[i] & allow->perms[i];
> > }
> > }
> >
> > @@ -176,7 +186,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
> > node = avtab_search_node_next(node, tmp_key.specified)) {
> > xperms = node->datum.xperms;
> > if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
> > - && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
> > + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
> > + && (xperms->specified != AVTAB_XPERMS_NLMSG))
> > continue;
> > found_xperm = 1;
> > rc = check_extended_permissions(avrule->xperms, xperms);
> > @@ -376,7 +387,8 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t
> > xperms = node->datum.xperms;
> >
> > if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
> > - && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
> > + && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
> > + && (xperms->specified != AVTAB_XPERMS_NLMSG))
> > continue;
> > rc = check_extended_permissions(neverallow_xperms, xperms);
> > if (rc)
> > diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
> > index a38025ec..8a0b70fe 100644
> > --- a/libsepol/src/optimize.c
> > +++ b/libsepol/src/optimize.c
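Review bot: The nlmsg branch in extended_permissions_violated copies `allow->driver` into the result and ANDs the two bitmaps without checking that `neverallow->driver` is the same, so a correct violation report relies on the caller only reaching this function after check_extended_permissions has (presumably) found an overlap for that driver; nothing in the function itself enforces it. Making the assumption explicit, e.g. `/* caller has established neverallow->driver == allow->driver */` above `result->driver = allow->driver;`, or guarding the copy with that comparison, would stop a future caller from reporting a driver the neverallow rule never named. extended_permissions_violated starts outside the hunk.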
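Review bot: The filter in report_assertion_extended_permissions that `continue`s past any avtab entry whose `specified` is not one of the three listed kinds fails open: an extended-permission kind added later is silently excluded from neverallow checking until someone remembers to extend the list, which is exactly how the nlmsg gap this commit closes came about. The identical three-way test is repeated in check_assertion_extended_permissions_avtab in the next hunk, so it belongs in one helper that both call sites use, with a comment tying it to check_extended_permissions; if those three really are the only AVTAB_XPERMS_* values (inferred from the hunk, please confirm), the helper's callers could also report an unknown kind through `handle` rather than skipping it. The enclosing loop starts and ends outside the hunk.
```c
/* Extended-permission kinds the assertion checker knows how to compare.
 * Keep in sync with check_extended_permissions(); an unknown kind must
 * not be silently skipped. */
static int xperms_kind_checked(uint8_t specified)
{
	return specified == AVTAB_XPERMS_IOCTLFUNCTION
		|| specified == AVTAB_XPERMS_IOCTLDRIVER
		|| specified == AVTAB_XPERMS_NLMSG;
}

/* … unchanged: loop over matching avtab nodes … */
		xperms = node->datum.xperms;
		if (!xperms_kind_checked(xperms->specified))
			continue;
```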
> > @@ -189,6 +189,11 @@ static int process_avtab_datum(uint16_t specified,
> >
> > if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
> > return process_xperms(x1->perms, x2->perms);
> > + } else if (x1->specified == AVTAB_XPERMS_NLMSG
> > + && x2->specified == AVTAB_XPERMS_NLMSG) {
> > + if (x1->driver != x2->driver)
> > + return 0;
> > + return process_xperms(x1->perms, x2->perms);
> > }
> > return 0;
> > }
> > --
> > 2.47.0.105.g07ac214952-goog
> >
> >
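Review bot: The new nlmsg branch in process_avtab_datum is written as a negative early return followed by the call, while the ioctl branch just above it uses the positive form `if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER) return process_xperms(...)`; `if (x1->driver == x2->driver) return process_xperms(x1->perms, x2->perms);` would read like its neighbours and drop two lines. More importantly, nothing says why driver equality is required: if process_xperms treats x1's bits as covered by x2 (inferred from the surrounding branches), then a false match here silently removes a rule from the optimised policy, so a one-line comment such as `/* nlmsg bitmaps are only comparable within the same driver byte */` is worth adding before the comparison. process_avtab_datum starts outside the hunk.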