checkpolicy: add not-self neverallow support

Add support for using negated or complemented self in the target type of
neverallow rules.

Some Refpolicy examples:

    neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *;
    neverallow domain { domain -self -dockerc_t }:dir create;
    # no violations

    neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write };

    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

    neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write };

    libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

Using negated self in a complement, `~{ domain -self }`, is not
supported.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Christian Göttsche 2022-11-25 16:49:49 +01:00 committed by James Carter
parent ec78788c29
commit 6f7b0ee6c4
2 changed files with 45 additions and 7 deletions


@ -2075,12 +2075,17 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
if (add == 0) {
yyerror("-self is not supported");
if (add == 0 && which != AVRULE_XPERMS_NEVERALLOW) {
yyerror("-self is only supported in neverallow and neverallowxperm rules");
ret = -1;
goto out;
}
avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF);
if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) {
yyerror("self and -self are mutual exclusive");
ret = -1;
goto out;
}
avrule->flags |= RULE_SELF;
continue;
}
if (set_types
@ -2091,6 +2096,18 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
}
}
if ((avrule->ttypes.flags & TYPE_COMP)) {
if (avrule->flags & RULE_NOTSELF) {
yyerror("-self is not supported in complements");
ret = -1;
goto out;
}
if (avrule->flags & RULE_SELF) {
avrule->flags &= ~RULE_SELF;
avrule->flags |= RULE_NOTSELF;
}
}
ebitmap_init(&tclasses);
ret = read_classes(&tclasses);
if (ret)
@ -2537,12 +2554,17 @@ static int define_te_avtab_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
if (add == 0) {
yyerror("-self is not supported");
if (add == 0 && which != AVRULE_NEVERALLOW) {
yyerror("-self is only supported in neverallow and neverallowxperm rules");
ret = -1;
goto out;
}
avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF);
if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) {
yyerror("self and -self are mutual exclusive");
ret = -1;
goto out;
}
avrule->flags |= RULE_SELF;
continue;
}
if (set_types
@ -2553,6 +2575,18 @@ static int define_te_avtab_helper(int which, avrule_t ** rule)
}
}
if ((avrule->ttypes.flags & TYPE_COMP)) {
if (avrule->flags & RULE_NOTSELF) {
yyerror("-self is not supported in complements");
ret = -1;
goto out;
}
if (avrule->flags & RULE_SELF) {
avrule->flags &= ~RULE_SELF;
avrule->flags |= RULE_NOTSELF;
}
}
ebitmap_init(&tclasses);
ret = read_classes(&tclasses);
if (ret)
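Review bot: The `which` gate added in the first hunk (`add == 0 && which != AVRULE_XPERMS_NEVERALLOW`) only covers an explicit `-self` token; the complement branch in the second hunk, `if (avrule->flags & RULE_SELF) { avrule->flags &= ~RULE_SELF; avrule->flags |= RULE_NOTSELF; }`, runs for every rule kind, so `allow domain ~self:file read;` now leaves RULE_NOTSELF on a non-neverallow rule even though the new error text states `-self` is only supported in neverallow and neverallowxperm rules. Unless the expansion code accepts RULE_NOTSELF on allow rules (not visible here), the `~self` conversion should be gated the same way, as sketched below; define_te_avtab_helper in the third and fourth hunks has the identical structure (with AVRULE_NEVERALLOW) and needs the same change. Separately, the message `"self and -self are mutual exclusive"` in both helpers should read `"self and -self are mutually exclusive"`. Both define_te_avtab_xperms_helper and define_te_avtab_helper start and end outside the hunks.
```c
	if ((avrule->ttypes.flags & TYPE_COMP)) {
		/* … unchanged: rejection of -self inside a complement … */
		if (avrule->flags & RULE_SELF) {
			/* ~self is rewritten to -self, so it is bound by the same neverallow-only rule */
			if (which != AVRULE_XPERMS_NEVERALLOW) {
				yyerror("~self is only supported in neverallow and neverallowxperm rules");
				ret = -1;
				goto out;
			}
			avrule->flags &= ~RULE_SELF;
			avrule->flags |= RULE_NOTSELF;
		}
	}
```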


@ -124,7 +124,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
}
num_types = 0;
if (flags & RULE_SELF) {
if (flags & (RULE_SELF | RULE_NOTSELF)) {
num_types++;
}
@ -169,6 +169,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
fprintf(fp, " self");
}
if (flags & RULE_NOTSELF) {
fprintf(fp, " -self");
}
if (num_types > 1)
fprintf(fp, " }");