AVRuleXperm: Fix permission set creation for AVTAB_XPERMS_IOCTLDRIVER.

Closes #74 Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2025-03-25 04:26:28 +00:00 · 2022-08-30 13:58:54 -04:00 · 2022-08-30 13:58:54 -04:00 · f78476ab65
commit f78476ab65
parent 1612addc60
3 changed files with 189 additions and 4 deletions
--- a/setools/policyrep/terule.pxi
+++ b/setools/policyrep/terule.pxi
@ -274,22 +274,22 @@ cdef class AVRuleXperm(BaseTERule):
            set perms = set()
            size_t curr = 0
            size_t len = sizeof(xperms.perms) * sepol.EXTENDED_PERMS_LEN
+            size_t base_value = 0

        #
        # Build permission set
        #
-        while curr < len:
+        for curr in range(len):
            if sepol.xperm_test(curr, xperms.perms):
                if xperms.specified & sepol.AVTAB_XPERMS_IOCTLFUNCTION:
                    perms.add(xperms.driver << 8 | curr)
                elif xperms.specified & sepol.AVTAB_XPERMS_IOCTLDRIVER:
-                    perms.add(curr << 8)
+                    base_value = curr << 8
+                    perms.update(range(base_value, base_value + 0x100))
                else:
                    raise LowLevelPolicyError("Unknown extended permission: {}".format(
                                              xperms.specified))

-            curr += 1
-
        #
        # Determine xperm type
        #
--- a/tests/policyrep/terule.py
+++ b/tests/policyrep/terule.py
@ -11,6 +11,8 @@ from setools import SELinuxPolicy
 from setools.exception import InvalidTERuleType, RuleNotConditional, RuleUseError, \
    TERuleNoFilename

+from .util import compile_policy
+

@unittest.skip("Needs to be reworked for cython")
@patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y)
@ -249,6 +251,30 @@ class AVRuleXpermTest(unittest.TestCase):
        self.assertEqual(rule.statement(), "allowxperm a b:c d { 0x0003-0x0005 0x0007-0x0009 };")


+class AVRuleXpermTestIssue74(unittest.TestCase):
+
+    """
+    Regression test for xperm ranges starting with 0x00 not being loaded.
+    https://github.com/SELinuxProject/setools/issues/74
+    """
+
+    @classmethod
+    def setUpClass(cls):
+        cls.p = compile_policy("tests/policyrep/terule_issue74.conf")
+
+    def test_issue74_regression(self):
+        """Regression test for GitHub issue 74."""
+        rules = sorted(self.p.terules())
+        print(rules)
+        self.assertEqual(2, len(rules))
+
+        # expect 2 rules:
+        # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x8910 };
+        # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x0-0xff };
+        self.assertSetEqual(set(range(0x100)), rules[0].perms)
+        self.assertSetEqual(set([0x8910]), rules[1].perms)
+
+
@unittest.skip("Needs to be reworked for cython")
@patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y)
@patch('setools.policyrep.typeattr.type_factory', lambda x, y: y)
--- a/tests/policyrep/terule_issue74.conf
+++ b/tests/policyrep/terule_issue74.conf
@ -0,0 +1,159 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+class infoflow8
+class infoflow9
+class infoflow10
+class unix_dgram_socket
+
+sid kernel
+sid security
+
+common infoflow
+{
+	low_w
+	med_w
+	hi_w
+	low_r
+	med_r
+	hi_r
+}
+
+common com_a
+{
+    hi_w
+    hi_r
+    super_r
+    super_w
+}
+
+common com_b
+{
+    send
+    recv
+}
+
+common com_c
+{
+    getattr
+    setattr
+    read
+    write
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+	super_w
+	super_r
+}
+
+class infoflow3
+{
+	null
+}
+
+class infoflow4
+inherits infoflow
+{
+	super_w
+	super_r
+	super_none
+	super_both
+	super_unmapped
+}
+
+class infoflow5
+inherits com_a
+
+class infoflow6
+inherits com_b
+
+class infoflow7
+inherits infoflow
+{
+    unmapped
+}
+
+class infoflow8
+{
+	super_w
+	super_r
+}
+
+class infoflow9
+inherits com_c
+
+class infoflow10
+{
+    read
+    write
+}
+
+class unix_dgram_socket
+{
+    ioctl
+}
+
+sensitivity low_s;
+sensitivity medium_s alias med;
+sensitivity high_s;
+
+dominance { low_s med high_s }
+
+category here;
+category there;
+category elsewhere alias lost;
+
+#level decl
+level low_s:here.there;
+level med:here, elsewhere;
+level high_s:here.lost;
+
+#some constraints
+mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
+
+attribute mls_exempt;
+
+type system;
+role system;
+role system types system;
+
+type init_type_t;
+allowxperm init_type_t self:unix_dgram_socket ioctl 0x8910;
+allowxperm init_type_t self:unix_dgram_socket ioctl { 0x0000 - 0x00ff };
+
+#users
+user system roles system level med range low_s - high_s:here.lost;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#isids
+sid kernel system:system:system:medium_s:here
+sid security system:system:system:high_s:lost
+
+#fs_use
+fs_use_trans devpts system:object_r:system:low_s;
+fs_use_xattr ext3 system:object_r:system:low_s;
+fs_use_task pipefs system:object_r:system:low_s;
+
+#genfscon
+genfscon proc / system:object_r:system:med
+genfscon proc /sys system:object_r:system:low_s
+genfscon selinuxfs / system:object_r:system:high_s:here.there
+
+portcon tcp 80 system:object_r:system:low_s
+
+netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
+
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
+