checkpolicy: treat -self as an error

checkpolicy wrongly handles "-self". At the least, it should handle it as
an error. At best, it should support it correctly (which would involve
libsepol support as well). At present, it looks like it will end up
negating (-) the next type/attribute in the list after self, or if
there are no entries after self, ignoring it entirely.

This originally was raised by the Android team, which wanted to support
something like the following:
neverallow domain { domain -self }:dir search;
to prohibit cross domain access to some resource but allow access within
the same domain.

This change just makes it a fatal error during compilation.
Implementing real support for -self is left as future work.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley 2016-11-18 11:09:38 -05:00
parent a609434b95
commit 49bfee8562


@ -1978,6 +1978,11 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
if (add == 0) {
yyerror("-self is not supported");
ret = -1;
goto out;
}
avrule->flags |= RULE_SELF;
continue;
}
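Review bot: the new `if (add == 0)` check in define_te_avtab_xperms_helper depends on `add` still carrying the state left by the preceding "-" token, which is set by the type-set parsing helper outside this hunk; a one-line comment such as `/* add == 0 means the previous token was '-', i.e. "-self" */` above the check would make that coupling explicit for the next reader. The `free(id)` before the check is fine since `id` is not used afterwards, and the error message is clear. Since the commit message gives a concrete rule that must now fail (`neverallow domain { domain -self }:dir search;`), consider adding a small test policy that exercises it so the fatal-error behaviour is covered rather than only described.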
@ -2437,6 +2442,11 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
if (add == 0) {
yyerror("-self is not supported");
ret = -1;
goto out;
}
avrule->flags |= RULE_SELF;
continue;
}
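Review bot: this hunk in define_te_avtab_helper is a verbatim copy of the self-handling block added to define_te_avtab_xperms_helper above (same `free(id)`, same `add == 0` check, same `yyerror`, same `RULE_SELF` flag). Factoring the "self" handling into a shared static helper, for example one that takes `avrule`, `add` and `id` and returns the error status, would keep the two call sites from drifting apart when real `-self` support is implemented later, as the commit message anticipates.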