TERulesDifference: Fix bug with unioning permissions.
Unit tests did not correctly test this scenario.
This commit is contained in:
parent
d0288fa861
commit
5200f0c666
@ -1,4 +1,5 @@
|
||||
# Copyright 2015-2016, Tresys Technology, LLC
|
||||
# Copyright 2016, Chris PeBenito <pebenito@ieee.org>
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
@ -34,6 +35,35 @@ modified_avrule_record = namedtuple("modified_avrule", ["rule",
|
||||
modified_terule_record = namedtuple("modified_terule", ["rule", "added_default", "removed_default"])
|
||||
|
||||
|
||||
def _avrule_expand_generator(rule_list, Wrapper, perms_container):
|
||||
"""
|
||||
Generator that yields wrapped, expanded, av(x) rules with
|
||||
unioned permission sets.
|
||||
"""
|
||||
items = dict()
|
||||
|
||||
# create a hash table (dict) with the rule hash
|
||||
# as the keys. Rules where permission sets should
|
||||
# be unioned together have the same hash.
|
||||
for unexpanded_rule in rule_list:
|
||||
for expanded_rule in unexpanded_rule.expand():
|
||||
rule = Wrapper(expanded_rule)
|
||||
|
||||
try:
|
||||
items[rule].append(rule)
|
||||
except KeyError:
|
||||
items[rule] = [rule]
|
||||
|
||||
# Go over rule lists and union permissions
|
||||
for wrapped_unioned_rule, origins in items.items():
|
||||
perms = perms_container()
|
||||
for r in origins:
|
||||
perms |= r.origin.perms
|
||||
|
||||
wrapped_unioned_rule.origin.perms = perms
|
||||
yield wrapped_unioned_rule
|
||||
|
||||
|
||||
def av_diff_template(ruletype):
|
||||
|
||||
"""
|
||||
@ -55,8 +85,8 @@ def av_diff_template(ruletype):
|
||||
self._create_te_rule_lists()
|
||||
|
||||
added, removed, matched = self._set_diff(
|
||||
self._expand_generator(self._left_te_rules[ruletype], AVRuleWrapper),
|
||||
self._expand_generator(self._right_te_rules[ruletype], AVRuleWrapper))
|
||||
_avrule_expand_generator(self._left_te_rules[ruletype], AVRuleWrapper, set),
|
||||
_avrule_expand_generator(self._right_te_rules[ruletype], AVRuleWrapper, set))
|
||||
|
||||
modified = []
|
||||
for left_rule, right_rule in matched:
|
||||
@ -102,8 +132,10 @@ def avx_diff_template(ruletype):
|
||||
self._create_te_rule_lists()
|
||||
|
||||
added, removed, matched = self._set_diff(
|
||||
self._expand_generator(self._left_te_rules[ruletype], AVRuleXpermWrapper),
|
||||
self._expand_generator(self._right_te_rules[ruletype], AVRuleXpermWrapper))
|
||||
_avrule_expand_generator(self._left_te_rules[ruletype],
|
||||
AVRuleXpermWrapper, IoctlSet),
|
||||
_avrule_expand_generator(self._right_te_rules[ruletype],
|
||||
AVRuleXpermWrapper, IoctlSet))
|
||||
|
||||
modified = []
|
||||
for left_rule, right_rule in matched:
|
||||
|
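Review bot: `_avrule_expand_generator` (added in the `@ -34,6 +35,35` hunk) relies on `Wrapper.__hash__`/`__eq__` ignoring the permission set and on `perms_container` supporting `|=`, yet its docstring states neither; a caller passing a wrapper whose hash includes perms would silently get no unioning at all. Suggest extending the docstring with the three parameters: `rule_list` (iterable of unexpanded av(x) rules), `Wrapper` (wrapper class whose hash/equality identify the rules to merge and must exclude perms) and `perms_container` (set-like type supporting `|=`; `set` and `IoctlSet` at the two call sites). The `try: items[rule].append(rule)` / `except KeyError: items[rule] = [rule]` pair is the hand-rolled form of `items.setdefault(rule, []).append(rule)`. Note also that `wrapped_unioned_rule.origin.perms = perms` reassigns the perms attribute on the expanded rule object itself; since the `expanded_te_rule_factory` hunk in this commit returns an already-expanded rule unchanged, feeding pre-expanded rules through this generator would presumably alter caller-visible objects, which is worth a comment if intentional.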
@ -50,12 +50,17 @@ def expanded_te_rule_factory(original, source, target):
|
||||
target The target type of the expanded rule.
|
||||
"""
|
||||
|
||||
# for AV and AVXperm rules, copy the perms into the
|
||||
# expanded rule, so PolicyDifference can build single expanded
|
||||
# rules with unioned permission sets
|
||||
if isinstance(original, (ExpandedAVRule, ExpandedAVRuleXperm, ExpandedTERule)):
|
||||
return original
|
||||
elif isinstance(original, AVRuleXperm):
|
||||
rule = ExpandedAVRuleXperm(original.policy, original.qpol_symbol)
|
||||
rule.perms = original.perms
|
||||
elif isinstance(original, AVRule):
|
||||
rule = ExpandedAVRule(original.policy, original.qpol_symbol)
|
||||
rule.perms = original.perms
|
||||
elif isinstance(original, TERule):
|
||||
rule = ExpandedTERule(original.policy, original.qpol_symbol)
|
||||
else:
|
||||
@ -353,14 +358,14 @@ class ExpandedAVRule(AVRule):
|
||||
|
||||
"""An expanded access vector type enforcement rule."""
|
||||
|
||||
__slots__ = ("source", "target", "origin")
|
||||
__slots__ = ("source", "target", "perms", "origin")
|
||||
|
||||
|
||||
class ExpandedAVRuleXperm(AVRuleXperm):
|
||||
|
||||
"""An expanded extended permission access vector type enforcement rule."""
|
||||
|
||||
__slots__ = ("source", "target", "origin")
|
||||
__slots__ = ("source", "target", "perms", "origin")
|
||||
|
||||
|
||||
class ExpandedTERule(TERule):
|
||||
|
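Review bot: In the `expanded_te_rule_factory` hunk, `rule.perms = original.perms` stores a reference to whatever `original.perms` returns, so the expanded rule and the original may share one container object; the diff code in this commit reassigns `origin.perms` rather than mutating it in place, so nothing breaks today, but the sharing is undocumented and the comment above the branch says the perms are "copied". Suggest making the comment accurate: `# store a reference to the original's perms on the expanded rule (not a copy); PolicyDifference replaces it with a unioned set rather than mutating it in place`. The `__slots__` change adding `"perms"` to `ExpandedAVRule` and `ExpandedAVRuleXperm` in the `@ -353,14 +358,14` hunk is what makes that assignment possible, presumably by shadowing the parent class's read-only `perms`; a one-line comment there, e.g. `# "perms" slot overrides the parent's perms so the expanded rule can carry its own (unioned) set`, would save the next reader the same lookup. The body of `expanded_te_rule_factory` continues past the hunk.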
@ -259,12 +259,12 @@ type match_rule_by_attr_A_t, match_rule_by_attr;
|
||||
type match_rule_by_attr_B_t, match_rule_by_attr;
|
||||
allow match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute unioned_perm_via_attr;
|
||||
type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
|
||||
type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
|
||||
allow unioned_perm_via_attr self:infoflow2 super_w;
|
||||
allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
attribute union_perm_a;
|
||||
attribute union_perm_b;
|
||||
attribute union_perm_c;
|
||||
type union_perm_source, union_perm_a, union_perm_c;
|
||||
type union_perm_target, union_perm_b;
|
||||
allow union_perm_source union_perm_target:infoflow { hi_w med_w low_w };
|
||||
|
||||
# Auditallow rule differences
|
||||
type aa_matched_source;
|
||||
@ -313,12 +313,12 @@ type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
|
||||
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
|
||||
auditallow aa_match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute aa_unioned_perm_via_attr;
|
||||
type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
|
||||
type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
|
||||
auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
|
||||
auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
attribute aa_union_perm_a;
|
||||
attribute aa_union_perm_b;
|
||||
attribute aa_union_perm_c;
|
||||
type aa_union_perm_source, aa_union_perm_a, aa_union_perm_c;
|
||||
type aa_union_perm_target, aa_union_perm_b;
|
||||
auditallow aa_union_perm_source aa_union_perm_target:infoflow { hi_w med_w low_w };
|
||||
|
||||
# Dontaudit rule differences
|
||||
type da_matched_source;
|
||||
@ -367,12 +367,12 @@ type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
|
||||
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
|
||||
dontaudit da_match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute da_unioned_perm_via_attr;
|
||||
type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
|
||||
type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
|
||||
dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
|
||||
dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
attribute da_union_perm_a;
|
||||
attribute da_union_perm_b;
|
||||
attribute da_union_perm_c;
|
||||
type da_union_perm_source, da_union_perm_a, da_union_perm_c;
|
||||
type da_union_perm_target, da_union_perm_b;
|
||||
dontaudit da_union_perm_source da_union_perm_target:infoflow { hi_w med_w low_w };
|
||||
|
||||
# Neverallow rule differences
|
||||
type na_matched_source;
|
||||
@ -402,12 +402,12 @@ type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
|
||||
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
|
||||
neverallow na_match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute na_unioned_perm_via_attr;
|
||||
type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
|
||||
type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
|
||||
neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
|
||||
neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
attribute na_union_perm_a;
|
||||
attribute na_union_perm_b;
|
||||
attribute na_union_perm_c;
|
||||
type na_union_perm_source, na_union_perm_a, na_union_perm_c;
|
||||
type na_union_perm_target, na_union_perm_b;
|
||||
neverallow na_union_perm_source na_union_perm_target:infoflow { hi_w med_w low_w };
|
||||
|
||||
# type_transition rule differences
|
||||
type tt_matched_source;
|
||||
@ -663,12 +663,12 @@ type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
|
||||
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
|
||||
allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
|
||||
allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
attribute ax_union_perm_a;
|
||||
attribute ax_union_perm_b;
|
||||
attribute ax_union_perm_c;
|
||||
type ax_union_perm_source, ax_union_perm_a, ax_union_perm_c;
|
||||
type ax_union_perm_target, ax_union_perm_b;
|
||||
allowxperm ax_union_perm_source ax_union_perm_target:infoflow ioctl { 0x1-0x3 };
|
||||
|
||||
# Auditallowxperm rule differences
|
||||
type aax_matched_source;
|
||||
@ -698,12 +698,12 @@ type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
|
||||
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
|
||||
auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
|
||||
auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
attribute aax_union_perm_a;
|
||||
attribute aax_union_perm_b;
|
||||
attribute aax_union_perm_c;
|
||||
type aax_union_perm_source, aax_union_perm_a, aax_union_perm_c;
|
||||
type aax_union_perm_target, aax_union_perm_b;
|
||||
auditallowxperm aax_union_perm_source aax_union_perm_target:infoflow ioctl { 0x1-0x3 };
|
||||
|
||||
# Neverallowxperm rule differences
|
||||
type nax_matched_source;
|
||||
@ -733,12 +733,12 @@ type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
|
||||
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
|
||||
neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
|
||||
neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
attribute nax_union_perm_a;
|
||||
attribute nax_union_perm_b;
|
||||
attribute nax_union_perm_c;
|
||||
type nax_union_perm_source, nax_union_perm_a, nax_union_perm_c;
|
||||
type nax_union_perm_target, nax_union_perm_b;
|
||||
neverallowxperm nax_union_perm_source nax_union_perm_target:infoflow ioctl { 0x1-0x3 };
|
||||
|
||||
# Dontauditxperm rule differences
|
||||
type dax_matched_source;
|
||||
@ -768,12 +768,12 @@ type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
|
||||
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
|
||||
dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
|
||||
dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
attribute dax_union_perm_a;
|
||||
attribute dax_union_perm_b;
|
||||
attribute dax_union_perm_c;
|
||||
type dax_union_perm_source, dax_union_perm_a, dax_union_perm_c;
|
||||
type dax_union_perm_target, dax_union_perm_b;
|
||||
dontauditxperm dax_union_perm_source dax_union_perm_target:infoflow ioctl { 0x1-0x3 };
|
||||
|
||||
################################################################################
|
||||
# matching typebounds
|
||||
|
@ -194,12 +194,12 @@ type match_rule_by_attr_A_t, match_rule_by_attr;
|
||||
type match_rule_by_attr_B_t, match_rule_by_attr;
|
||||
allow match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute unioned_perm_via_attr;
|
||||
type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
|
||||
type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
|
||||
allow unioned_perm_via_attr self:infoflow2 super_w;
|
||||
allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
attribute union_perm_a;
|
||||
attribute union_perm_b;
|
||||
attribute union_perm_c;
|
||||
type union_perm_source, union_perm_a, union_perm_c;
|
||||
type union_perm_target, union_perm_b;
|
||||
allow union_perm_source union_perm_target:infoflow { hi_w med_w low_w };
|
||||
|
||||
# Auditallow rule differences
|
||||
type aa_matched_source;
|
||||
@ -248,12 +248,12 @@ type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
|
||||
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
|
||||
auditallow aa_match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute aa_unioned_perm_via_attr;
|
||||
type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
|
||||
type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
|
||||
auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
|
||||
auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
attribute aa_union_perm_a;
|
||||
attribute aa_union_perm_b;
|
||||
attribute aa_union_perm_c;
|
||||
type aa_union_perm_source, aa_union_perm_a, aa_union_perm_c;
|
||||
type aa_union_perm_target, aa_union_perm_b;
|
||||
auditallow aa_union_perm_source aa_union_perm_target:infoflow { hi_w med_w low_w };
|
||||
|
||||
# Dontaudit rule differences
|
||||
type da_matched_source;
|
||||
@ -302,12 +302,12 @@ type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
|
||||
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
|
||||
dontaudit da_match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute da_unioned_perm_via_attr;
|
||||
type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
|
||||
type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
|
||||
dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
|
||||
dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
attribute da_union_perm_a;
|
||||
attribute da_union_perm_b;
|
||||
attribute da_union_perm_c;
|
||||
type da_union_perm_source, da_union_perm_a, da_union_perm_c;
|
||||
type da_union_perm_target, da_union_perm_b;
|
||||
dontaudit da_union_perm_source da_union_perm_target:infoflow { hi_w med_w low_w };
|
||||
|
||||
# Neverallow rule differences
|
||||
type na_matched_source;
|
||||
@ -337,12 +337,12 @@ type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
|
||||
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
|
||||
neverallow na_match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute na_unioned_perm_via_attr;
|
||||
type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
|
||||
type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
|
||||
neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
|
||||
neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
attribute na_union_perm_a;
|
||||
attribute na_union_perm_b;
|
||||
attribute na_union_perm_c;
|
||||
type na_union_perm_source, na_union_perm_a, na_union_perm_c;
|
||||
type na_union_perm_target, na_union_perm_b;
|
||||
neverallow na_union_perm_source na_union_perm_target:infoflow { hi_w med_w low_w };
|
||||
|
||||
# type_transition rule differences
|
||||
type tt_matched_source;
|
||||
@ -585,12 +585,12 @@ type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
|
||||
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
|
||||
allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
|
||||
allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
attribute ax_union_perm_a;
|
||||
attribute ax_union_perm_b;
|
||||
attribute ax_union_perm_c;
|
||||
type ax_union_perm_source, ax_union_perm_a, ax_union_perm_c;
|
||||
type ax_union_perm_target, ax_union_perm_b;
|
||||
allowxperm ax_union_perm_source ax_union_perm_target:infoflow ioctl { 0x1-0x3 };
|
||||
|
||||
# Auditallowxperm rule differences
|
||||
type aax_matched_source;
|
||||
@ -620,12 +620,12 @@ type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
|
||||
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
|
||||
auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
|
||||
auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
attribute aax_union_perm_a;
|
||||
attribute aax_union_perm_b;
|
||||
attribute aax_union_perm_c;
|
||||
type aax_union_perm_source, aax_union_perm_a, aax_union_perm_c;
|
||||
type aax_union_perm_target, aax_union_perm_b;
|
||||
auditallowxperm aax_union_perm_source aax_union_perm_target:infoflow ioctl { 0x1-0x3 };
|
||||
|
||||
# Neverallowxperm rule differences
|
||||
type nax_matched_source;
|
||||
@ -655,12 +655,12 @@ type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
|
||||
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
|
||||
neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
|
||||
neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
attribute nax_union_perm_a;
|
||||
attribute nax_union_perm_b;
|
||||
attribute nax_union_perm_c;
|
||||
type nax_union_perm_source, nax_union_perm_a, nax_union_perm_c;
|
||||
type nax_union_perm_target, nax_union_perm_b;
|
||||
neverallowxperm nax_union_perm_source nax_union_perm_target:infoflow ioctl { 0x1-0x3 };
|
||||
|
||||
# Dontauditxperm rule differences
|
||||
type dax_matched_source;
|
||||
@ -690,12 +690,12 @@ type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
|
||||
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
|
||||
dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
|
||||
dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
|
||||
dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
|
||||
dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
|
||||
attribute dax_union_perm_a;
|
||||
attribute dax_union_perm_b;
|
||||
attribute dax_union_perm_c;
|
||||
type dax_union_perm_source, dax_union_perm_a, dax_union_perm_c;
|
||||
type dax_union_perm_target, dax_union_perm_b;
|
||||
dontauditxperm dax_union_perm_source dax_union_perm_target:infoflow ioctl { 0x1-0x3 };
|
||||
|
||||
################################################################################
|
||||
# matching typebounds
|
||||
|
@ -260,11 +260,14 @@ type match_rule_by_attr_B_t, match_rule_by_attr;
|
||||
allow match_rule_by_attr_A_t self:infoflow2 super_w;
|
||||
allow match_rule_by_attr_B_t self:infoflow2 super_w;
|
||||
|
||||
attribute unioned_perm_via_attr;
|
||||
type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
|
||||
type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
|
||||
allow unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
|
||||
allow unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
|
||||
attribute union_perm_a;
|
||||
attribute union_perm_b;
|
||||
attribute union_perm_c;
|
||||
type union_perm_source, union_perm_a, union_perm_c;
|
||||
type union_perm_target, union_perm_b;
|
||||
allow union_perm_a union_perm_b:infoflow hi_w;
|
||||
allow union_perm_c union_perm_target:infoflow med_w;
|
||||
allow union_perm_source union_perm_target:infoflow low_w;
|
||||
|
||||
# Auditallow rule differences
|
||||
type aa_matched_source;
|
||||
@ -314,11 +317,14 @@ type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
|
||||
auditallow aa_match_rule_by_attr_A_t self:infoflow2 super_w;
|
||||
auditallow aa_match_rule_by_attr_B_t self:infoflow2 super_w;
|
||||
|
||||
attribute aa_unioned_perm_via_attr;
|
||||
type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
|
||||
type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
|
||||
auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
|
||||
auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
|
||||
attribute aa_union_perm_a;
|
||||
attribute aa_union_perm_b;
|
||||
attribute aa_union_perm_c;
|
||||
type aa_union_perm_source, aa_union_perm_a, aa_union_perm_c;
|
||||
type aa_union_perm_target, aa_union_perm_b;
|
||||
auditallow aa_union_perm_a aa_union_perm_b:infoflow hi_w;
|
||||
auditallow aa_union_perm_c aa_union_perm_target:infoflow med_w;
|
||||
auditallow aa_union_perm_source aa_union_perm_target:infoflow low_w;
|
||||
|
||||
# Dontaudit rule differences
|
||||
type da_matched_source;
|
||||
@ -368,11 +374,14 @@ type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
|
||||
dontaudit da_match_rule_by_attr_A_t self:infoflow2 super_w;
|
||||
dontaudit da_match_rule_by_attr_B_t self:infoflow2 super_w;
|
||||
|
||||
attribute da_unioned_perm_via_attr;
|
||||
type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
|
||||
type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
|
||||
dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
|
||||
dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
|
||||
attribute da_union_perm_a;
|
||||
attribute da_union_perm_b;
|
||||
attribute da_union_perm_c;
|
||||
type da_union_perm_source, da_union_perm_a, da_union_perm_c;
|
||||
type da_union_perm_target, da_union_perm_b;
|
||||
dontaudit da_union_perm_a da_union_perm_b:infoflow hi_w;
|
||||
dontaudit da_union_perm_c da_union_perm_target:infoflow med_w;
|
||||
dontaudit da_union_perm_source da_union_perm_target:infoflow low_w;
|
||||
|
||||
# Neverallow rule differences
|
||||
type na_matched_source;
|
||||
@ -403,11 +412,14 @@ type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
|
||||
neverallow na_match_rule_by_attr_A_t self:infoflow2 super_w;
|
||||
neverallow na_match_rule_by_attr_B_t self:infoflow2 super_w;
|
||||
|
||||
attribute na_unioned_perm_via_attr;
|
||||
type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
|
||||
type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
|
||||
neverallow na_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
|
||||
neverallow na_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
|
||||
attribute na_union_perm_a;
|
||||
attribute na_union_perm_b;
|
||||
attribute na_union_perm_c;
|
||||
type na_union_perm_source, na_union_perm_a, na_union_perm_c;
|
||||
type na_union_perm_target, na_union_perm_b;
|
||||
neverallow na_union_perm_a na_union_perm_b:infoflow hi_w;
|
||||
neverallow na_union_perm_c na_union_perm_target:infoflow med_w;
|
||||
neverallow na_union_perm_source na_union_perm_target:infoflow low_w;
|
||||
|
||||
# type_transition rule differences
|
||||
type tt_matched_source;
|
||||
@ -664,11 +676,14 @@ type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
|
||||
allowxperm ax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
||||
allowxperm ax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
|
||||
type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
|
||||
allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
|
||||
allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
|
||||
attribute ax_union_perm_a;
|
||||
attribute ax_union_perm_b;
|
||||
attribute ax_union_perm_c;
|
||||
type ax_union_perm_source, ax_union_perm_a, ax_union_perm_c;
|
||||
type ax_union_perm_target, ax_union_perm_b;
|
||||
allowxperm ax_union_perm_a ax_union_perm_b:infoflow ioctl 0x1;
|
||||
allowxperm ax_union_perm_c ax_union_perm_target:infoflow ioctl 0x2;
|
||||
allowxperm ax_union_perm_source ax_union_perm_target:infoflow ioctl 0x3;
|
||||
|
||||
# Auditallowxperm rule differences
|
||||
type aax_matched_source;
|
||||
@ -699,11 +714,14 @@ type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
|
||||
auditallowxperm aax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
||||
auditallowxperm aax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
|
||||
type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
|
||||
auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
|
||||
auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
|
||||
attribute aax_union_perm_a;
|
||||
attribute aax_union_perm_b;
|
||||
attribute aax_union_perm_c;
|
||||
type aax_union_perm_source, aax_union_perm_a, aax_union_perm_c;
|
||||
type aax_union_perm_target, aax_union_perm_b;
|
||||
auditallowxperm aax_union_perm_a aax_union_perm_b:infoflow ioctl 0x1;
|
||||
auditallowxperm aax_union_perm_c aax_union_perm_target:infoflow ioctl 0x2;
|
||||
auditallowxperm aax_union_perm_source aax_union_perm_target:infoflow ioctl 0x3;
|
||||
|
||||
# Neverallowxperm rule differences
|
||||
type nax_matched_source;
|
||||
@ -734,11 +752,14 @@ type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
|
||||
neverallowxperm nax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
||||
neverallowxperm nax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
|
||||
type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
|
||||
neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
|
||||
neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
|
||||
attribute nax_union_perm_a;
|
||||
attribute nax_union_perm_b;
|
||||
attribute nax_union_perm_c;
|
||||
type nax_union_perm_source, nax_union_perm_a, nax_union_perm_c;
|
||||
type nax_union_perm_target, nax_union_perm_b;
|
||||
neverallowxperm nax_union_perm_a nax_union_perm_b:infoflow ioctl 0x1;
|
||||
neverallowxperm nax_union_perm_c nax_union_perm_target:infoflow ioctl 0x2;
|
||||
neverallowxperm nax_union_perm_source nax_union_perm_target:infoflow ioctl 0x3;
|
||||
|
||||
# Dontauditxperm rule differences
|
||||
type dax_matched_source;
|
||||
@ -769,11 +790,14 @@ type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
|
||||
dontauditxperm dax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
||||
dontauditxperm dax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
||||
|
||||
attribute dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
|
||||
type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
|
||||
dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
|
||||
dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
|
||||
attribute dax_union_perm_a;
|
||||
attribute dax_union_perm_b;
|
||||
attribute dax_union_perm_c;
|
||||
type dax_union_perm_source, dax_union_perm_a, dax_union_perm_c;
|
||||
type dax_union_perm_target, dax_union_perm_b;
|
||||
dontauditxperm dax_union_perm_a dax_union_perm_b:infoflow ioctl 0x1;
|
||||
dontauditxperm dax_union_perm_c dax_union_perm_target:infoflow ioctl 0x2;
|
||||
dontauditxperm dax_union_perm_source dax_union_perm_target:infoflow ioctl 0x3;
|
||||
|
||||
################################################################################
|
||||
# matching typebounds
|
||||
|