tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

libsepol/cil: add support for self keyword in type transitions

Browse source 
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the CIL level. It also adds basic coverage for the such 'self' rules
to the secilc test policy.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Ondrej Mosnacek 2022-05-13 11:56:27 +02:00 committed by James Carter
parent 0c407c3f1d
commit 539b066036
3 changed files with 153 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

194
libsepol/cil/src/cil_binary.c
View file

@ -1063,24 +1063,53 @@ exit:
return rc;
}
static int __cil_type_rule_to_avtab_helper(policydb_t *pdb,
type_datum_t *sepol_src,
type_datum_t *sepol_tgt,
struct cil_list *class_list,
type_datum_t *sepol_result,
struct cil_type_rule *cil_rule,
cond_node_t *cond_node,
enum cil_flavor cond_flavor)
{
int rc;
class_datum_t *sepol_obj = NULL;
struct cil_list_item *c;
cil_list_for_each(c, class_list) {
rc = __cil_get_sepol_class_datum(pdb, DATUM(c->data), &sepol_obj);
if (rc != SEPOL_OK) return rc;
rc = __cil_insert_type_rule(
pdb, cil_rule->rule_kind, sepol_src->s.value,
sepol_tgt->s.value, sepol_obj->s.value,
sepol_result->s.value, cil_rule, cond_node, cond_flavor
);
if (rc != SEPOL_OK) return rc;
}
return SEPOL_OK;
}
static int __cil_type_rule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_type_rule *cil_rule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
{
int rc = SEPOL_ERR;
uint16_t kind = cil_rule->rule_kind;
struct cil_symtab_datum *src = NULL;
struct cil_symtab_datum *tgt = NULL;
type_datum_t *sepol_src = NULL;
type_datum_t *sepol_tgt = NULL;
class_datum_t *sepol_obj = NULL;
struct cil_list *class_list = NULL;
type_datum_t *sepol_result = NULL;
ebitmap_t src_bitmap, tgt_bitmap;
ebitmap_node_t *node1, *node2;
unsigned int i, j;
struct cil_list_item *c;
rc = __cil_expand_type(cil_rule->src, &src_bitmap);
if (rc != SEPOL_OK) goto exit;
ebitmap_init(&src_bitmap);
ebitmap_init(&tgt_bitmap);
rc = __cil_expand_type(cil_rule->tgt, &tgt_bitmap);
src = cil_rule->src;
tgt = cil_rule->tgt;
rc = __cil_expand_type(src, &src_bitmap);
if (rc != SEPOL_OK) goto exit;
class_list = cil_expand_class(cil_rule->obj);
@ -1088,6 +1117,21 @@ static int __cil_type_rule_to_avtab(policydb_t *pdb, const struct cil_db *db, st
rc = __cil_get_sepol_type_datum(pdb, DATUM(cil_rule->result), &sepol_result);
if (rc != SEPOL_OK) goto exit;
if (tgt->fqn == CIL_KEY_SELF) {
ebitmap_for_each_positive_bit(&src_bitmap, node1, i) {
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
rc = __cil_type_rule_to_avtab_helper(
pdb, sepol_src, sepol_src, class_list,
sepol_result, cil_rule, cond_node, cond_flavor
);
if (rc != SEPOL_OK) goto exit;
}
} else {
rc = __cil_expand_type(tgt, &tgt_bitmap);
if (rc != SEPOL_OK) goto exit;
ebitmap_for_each_positive_bit(&src_bitmap, node1, i) {
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
@ -1096,11 +1140,11 @@ static int __cil_type_rule_to_avtab(policydb_t *pdb, const struct cil_db *db, st
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt);
if (rc != SEPOL_OK) goto exit;
cil_list_for_each(c, class_list) {
rc = __cil_get_sepol_class_datum(pdb, DATUM(c->data), &sepol_obj);
if (rc != SEPOL_OK) goto exit;
rc = __cil_insert_type_rule(pdb, kind, sepol_src->s.value, sepol_tgt->s.value, sepol_obj->s.value, sepol_result->s.value, cil_rule, cond_node, cond_flavor);
rc = __cil_type_rule_to_avtab_helper(
pdb, sepol_src, sepol_tgt, class_list,
sepol_result, cil_rule, cond_node,
cond_flavor
);
if (rc != SEPOL_OK) goto exit;
}
}
@ -1120,57 +1164,21 @@ int cil_type_rule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
return __cil_type_rule_to_avtab(pdb, db, cil_rule, NULL, CIL_FALSE);
}
static int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_nametypetransition *typetrans, cond_node_t *cond_node, enum cil_flavor cond_flavor)
static int __cil_typetransition_to_avtab_helper(policydb_t *pdb,
type_datum_t *sepol_src,
type_datum_t *sepol_tgt,
struct cil_list *class_list,
char *name,
type_datum_t *sepol_result)
{
int rc = SEPOL_ERR;
type_datum_t *sepol_src = NULL;
type_datum_t *sepol_tgt = NULL;
int rc;
class_datum_t *sepol_obj = NULL;
struct cil_list *class_list = NULL;
type_datum_t *sepol_result = NULL;
ebitmap_t src_bitmap, tgt_bitmap;
ebitmap_node_t *node1, *node2;
unsigned int i, j;
uint32_t otype;
struct cil_list_item *c;
char *name = DATUM(typetrans->name)->name;
if (name == CIL_KEY_STAR) {
struct cil_type_rule trans;
trans.rule_kind = CIL_TYPE_TRANSITION;
trans.src = typetrans->src;
trans.tgt = typetrans->tgt;
trans.obj = typetrans->obj;
trans.result = typetrans->result;
trans.src_str = typetrans->src_str;
trans.tgt_str = typetrans->tgt_str;
trans.obj_str = typetrans->obj_str;
trans.result_str = typetrans->result_str;
return __cil_type_rule_to_avtab(pdb, db, &trans, cond_node, cond_flavor);
}
rc = __cil_expand_type(typetrans->src, &src_bitmap);
if (rc != SEPOL_OK) goto exit;
rc = __cil_expand_type(typetrans->tgt, &tgt_bitmap);
if (rc != SEPOL_OK) goto exit;
class_list = cil_expand_class(typetrans->obj);
rc = __cil_get_sepol_type_datum(pdb, DATUM(typetrans->result), &sepol_result);
if (rc != SEPOL_OK) goto exit;
ebitmap_for_each_positive_bit(&src_bitmap, node1, i) {
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) {
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt);
if (rc != SEPOL_OK) goto exit;
cil_list_for_each(c, class_list) {
rc = __cil_get_sepol_class_datum(pdb, DATUM(c->data), &sepol_obj);
if (rc != SEPOL_OK) goto exit;
if (rc != SEPOL_OK) return rc;
rc = policydb_filetrans_insert(
pdb, sepol_src->s.value, sepol_tgt->s.value,
@ -1188,10 +1196,84 @@ static int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *d
cil_log(CIL_ERR, "Out of memory\n");
}
if (rc != SEPOL_OK) {
goto exit;
return rc;
}
}
}
return SEPOL_OK;
}
static int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_nametypetransition *typetrans, cond_node_t *cond_node, enum cil_flavor cond_flavor)
{
int rc = SEPOL_ERR;
struct cil_symtab_datum *src = NULL;
struct cil_symtab_datum *tgt = NULL;
type_datum_t *sepol_src = NULL;
type_datum_t *sepol_tgt = NULL;
struct cil_list *class_list = NULL;
type_datum_t *sepol_result = NULL;
ebitmap_t src_bitmap, tgt_bitmap;
ebitmap_node_t *node1, *node2;
unsigned int i, j;
char *name = DATUM(typetrans->name)->name;
if (name == CIL_KEY_STAR) {
struct cil_type_rule trans;
trans.rule_kind = CIL_TYPE_TRANSITION;
trans.src = typetrans->src;
trans.tgt = typetrans->tgt;
trans.obj = typetrans->obj;
trans.result = typetrans->result;
trans.src_str = typetrans->src_str;
trans.tgt_str = typetrans->tgt_str;
trans.obj_str = typetrans->obj_str;
trans.result_str = typetrans->result_str;
return __cil_type_rule_to_avtab(pdb, db, &trans, cond_node, cond_flavor);
}
ebitmap_init(&src_bitmap);
ebitmap_init(&tgt_bitmap);
src = typetrans->src;
tgt = typetrans->tgt;
rc = __cil_expand_type(src, &src_bitmap);
if (rc != SEPOL_OK) goto exit;
class_list = cil_expand_class(typetrans->obj);
rc = __cil_get_sepol_type_datum(pdb, DATUM(typetrans->result), &sepol_result);
if (rc != SEPOL_OK) goto exit;
if (tgt->fqn == CIL_KEY_SELF) {
ebitmap_for_each_positive_bit(&src_bitmap, node1, i) {
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
rc = __cil_typetransition_to_avtab_helper(
pdb, sepol_src, sepol_src, class_list,
name, sepol_result
);
if (rc != SEPOL_OK) goto exit;
}
} else {
rc = __cil_expand_type(tgt, &tgt_bitmap);
if (rc != SEPOL_OK) goto exit;
ebitmap_for_each_positive_bit(&src_bitmap, node1, i) {
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) {
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt);
if (rc != SEPOL_OK) goto exit;
rc = __cil_typetransition_to_avtab_helper(
pdb, sepol_src, sepol_tgt, class_list,
name, sepol_result
);
if (rc != SEPOL_OK) goto exit;
}
}
}

9
libsepol/cil/src/cil_resolve_ast.c
View file

@ -373,6 +373,7 @@ exit:
int cil_resolve_type_rule(struct cil_tree_node *current, void *extra_args)
{
struct cil_args_resolve *args = extra_args;
struct cil_type_rule *rule = current->data;
struct cil_symtab_datum *src_datum = NULL;
struct cil_symtab_datum *tgt_datum = NULL;
@ -387,11 +388,15 @@ int cil_resolve_type_rule(struct cil_tree_node *current, void *extra_args)
}
rule->src = src_datum;
if (rule->tgt_str == CIL_KEY_SELF) {
rule->tgt = args->db->selftype;
} else {
rc = cil_resolve_name(current, rule->tgt_str, CIL_SYM_TYPES, extra_args, &tgt_datum);
if (rc != SEPOL_OK) {
goto exit;
}
rule->tgt = tgt_datum;
}
rc = cil_resolve_name(current, rule->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
if (rc != SEPOL_OK) {
@ -638,11 +643,15 @@ int cil_resolve_nametypetransition(struct cil_tree_node *current, void *extra_ar
}
nametypetrans->src = src_datum;
if (nametypetrans->tgt_str == CIL_KEY_SELF) {
nametypetrans->tgt = args->db->selftype;
} else {
rc = cil_resolve_name(current, nametypetrans->tgt_str, CIL_SYM_TYPES, extra_args, &tgt_datum);
if (rc != SEPOL_OK) {
goto exit;
}
nametypetrans->tgt = tgt_datum;
}
rc = cil_resolve_name(current, nametypetrans->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
if (rc != SEPOL_OK) {

7
secilc/test/policy.cil
View file

@ -129,7 +129,14 @@
(typealiasactual sbin_t bin_t)
(typepermissive device_t)
(typemember device_t bin_t file exec_t)
(typemember exec_type self file exec_t)
(typetransition device_t console_t files console_device_t)
(typetransition device_t exec_type files console_device_t)
(typetransition exec_type self files console_device_t)
(typetransition exec_type self files "filename" console_device_t)
(typechange console_device_t device_t file user_tty_device_t)
(typechange exec_type device_t file user_tty_device_t)
(typechange exec_type self file console_device_t)
(roleattribute exec_role)
(roleattribute foo_role)