RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-04-01 22:58:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

AVRuleXperm: Fix permission set creation for AVTAB_XPERMS_IOCTLDRIVER.

Browse Source 
Closes #74

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
This commit is contained in:
Chris PeBenito 2022-08-30 13:58:54 -04:00
parent 1612addc60
commit f78476ab65
3 changed files with 189 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
setools/policyrep/terule.pxi
View File

@ -274,22 +274,22 @@ cdef class AVRuleXperm(BaseTERule):
set perms = set() set perms = set()
size_t curr = 0 size_t curr = 0
size_t len = sizeof(xperms.perms) * sepol.EXTENDED_PERMS_LEN size_t len = sizeof(xperms.perms) * sepol.EXTENDED_PERMS_LEN
size_t base_value = 0
# #
# Build permission set # Build permission set
# #
while curr < len: for curr in range(len):
if sepol.xperm_test(curr, xperms.perms): if sepol.xperm_test(curr, xperms.perms):
if xperms.specified & sepol.AVTAB_XPERMS_IOCTLFUNCTION: if xperms.specified & sepol.AVTAB_XPERMS_IOCTLFUNCTION:
perms.add(xperms.driver << 8 | curr) perms.add(xperms.driver << 8 | curr)
elif xperms.specified & sepol.AVTAB_XPERMS_IOCTLDRIVER: elif xperms.specified & sepol.AVTAB_XPERMS_IOCTLDRIVER:
perms.add(curr << 8) base_value = curr << 8
perms.update(range(base_value, base_value + 0x100))
else: else:
raise LowLevelPolicyError("Unknown extended permission: {}".format( raise LowLevelPolicyError("Unknown extended permission: {}".format(
xperms.specified)) xperms.specified))
curr += 1
# #
# Determine xperm type # Determine xperm type
# #

26
tests/policyrep/terule.py
View File

@ -11,6 +11,8 @@ from setools import SELinuxPolicy
from setools.exception import InvalidTERuleType, RuleNotConditional, RuleUseError, \ from setools.exception import InvalidTERuleType, RuleNotConditional, RuleUseError, \
TERuleNoFilename TERuleNoFilename
from .util import compile_policy
@unittest.skip("Needs to be reworked for cython") @unittest.skip("Needs to be reworked for cython")
@patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y) @patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y)
@ -249,6 +251,30 @@ class AVRuleXpermTest(unittest.TestCase):
self.assertEqual(rule.statement(), "allowxperm a b:c d { 0x0003-0x0005 0x0007-0x0009 };") self.assertEqual(rule.statement(), "allowxperm a b:c d { 0x0003-0x0005 0x0007-0x0009 };")
class AVRuleXpermTestIssue74(unittest.TestCase):
"""
Regression test for xperm ranges starting with 0x00 not being loaded.
https://github.com/SELinuxProject/setools/issues/74
"""
@classmethod
def setUpClass(cls):
cls.p = compile_policy("tests/policyrep/terule_issue74.conf")
def test_issue74_regression(self):
"""Regression test for GitHub issue 74."""
rules = sorted(self.p.terules())
print(rules)
self.assertEqual(2, len(rules))
# expect 2 rules:
# allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x8910 };
# allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x0-0xff };
self.assertSetEqual(set(range(0x100)), rules[0].perms)
self.assertSetEqual(set([0x8910]), rules[1].perms)
@unittest.skip("Needs to be reworked for cython") @unittest.skip("Needs to be reworked for cython")
@patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y) @patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y)
@patch('setools.policyrep.typeattr.type_factory', lambda x, y: y) @patch('setools.policyrep.typeattr.type_factory', lambda x, y: y)

159
tests/policyrep/terule_issue74.conf Normal file
View File

@ -0,0 +1,159 @@
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class infoflow8
class infoflow9
class infoflow10
class unix_dgram_socket
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
common com_a
{
hi_w
hi_r
super_r
super_w
}
common com_b
{
send
recv
}
common com_c
{
getattr
setattr
read
write
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
class infoflow5
inherits com_a
class infoflow6
inherits com_b
class infoflow7
inherits infoflow
{
unmapped
}
class infoflow8
{
super_w
super_r
}
class infoflow9
inherits com_c
class infoflow10
{
read
write
}
class unix_dgram_socket
{
ioctl
}
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;
dominance { low_s med high_s }
category here;
category there;
category elsewhere alias lost;
#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
type init_type_t;
allowxperm init_type_t self:unix_dgram_socket ioctl 0x8910;
allowxperm init_type_t self:unix_dgram_socket ioctl { 0x0000 - 0x00ff };
#users
user system roles system level med range low_s - high_s:here.lost;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost
#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;
#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there
portcon tcp 80 system:object_r:system:low_s
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here