libsepol: Support nlmsg xperms in assertions

commit ba7945a250 added support for nlmsg extended permissions in the
policy. The assertion validation was not updated, which led to false
positives when evaluated. The optimization update was also missing. Add
support for the new extended permission for optimization and assertions.

Fixes: ba7945a250
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
Thiébaud Weksteen 2024-10-22 10:12:01 +11:00 committed by James Carter
parent cd8302f0a6
commit b33da68f7a
2 changed files with 19 additions and 2 deletions


@ -110,6 +110,10 @@ static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_ext
} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
rc = extended_permissions_and(neverallow->perms, allow->perms);
} else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
&& (allow->specified == AVTAB_XPERMS_NLMSG)) {
if (neverallow->driver == allow->driver)
rc = extended_permissions_and(neverallow->perms, allow->perms);
}
return rc;
@ -142,6 +146,12 @@ static void extended_permissions_violated(avtab_extended_perms_t *result,
result->specified = AVTAB_XPERMS_IOCTLDRIVER;
for (i = 0; i < EXTENDED_PERMS_LEN; i++)
result->perms[i] = neverallow->perms[i] & allow->perms[i];
} else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
&& (allow->specified == AVTAB_XPERMS_NLMSG)) {
result->specified = AVTAB_XPERMS_NLMSG;
result->driver = allow->driver;
for (i = 0; i < EXTENDED_PERMS_LEN; i++)
result->perms[i] = neverallow->perms[i] & allow->perms[i];
}
}
@ -176,7 +186,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
node = avtab_search_node_next(node, tmp_key.specified)) {
xperms = node->datum.xperms;
if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
&& (xperms->specified != AVTAB_XPERMS_NLMSG))
continue;
found_xperm = 1;
rc = check_extended_permissions(avrule->xperms, xperms);
@ -376,7 +387,8 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t
xperms = node->datum.xperms;
if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
&& (xperms->specified != AVTAB_XPERMS_NLMSG))
continue;
rc = check_extended_permissions(neverallow_xperms, xperms);
if (rc)
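Review bot: The list of xperms kinds the assertion code understands is open-coded twice in this file, in the `xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION && ... != AVTAB_XPERMS_NLMSG` filters of report_assertion_extended_permissions and check_assertion_extended_permissions_avtab, and the per-kind dispatch is repeated again in check_extended_permissions and extended_permissions_violated; the false positives this commit fixes came from exactly one of those copies falling behind when AVTAB_XPERMS_NLMSG was introduced. A small predicate shared by both loops would leave a single place to update the next time a kind is added, and lets the dispatch ladders assert on the default case instead of silently leaving `rc` at its initial value. All four enclosing functions start before their hunks and, for the last two, continue past them. Proposed helper and the replacement for the two filters:
```c
/* True when an avtab xperms datum is of a kind the assertion checks know how to compare. */
static int xperms_kind_supported(const avtab_extended_perms_t *xperms)
{
	return xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION
	    || xperms->specified == AVTAB_XPERMS_IOCTLDRIVER
	    || xperms->specified == AVTAB_XPERMS_NLMSG;
}

/* … unchanged: report_assertion_extended_permissions up to the node loop … */
		xperms = node->datum.xperms;
		if (!xperms_kind_supported(xperms))
			continue;
/* … unchanged: rest of the loop; the same replacement applies in check_assertion_extended_permissions_avtab … */
```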


@ -189,6 +189,11 @@ static int process_avtab_datum(uint16_t specified,
if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
return process_xperms(x1->perms, x2->perms);
} else if (x1->specified == AVTAB_XPERMS_NLMSG
&& x2->specified == AVTAB_XPERMS_NLMSG) {
if (x1->driver != x2->driver)
return 0;
return process_xperms(x1->perms, x2->perms);
}
return 0;
}
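Review bot: The early return at `if (x1->driver != x2->driver) return 0;` in the new AVTAB_XPERMS_NLMSG branch has no comment saying why two nlmsg xperms sets with different drivers are treated as disjoint, while the IOCTLDRIVER branch just above ANDs its bitmaps with no such check; a reader has to already know that `perms` is a bitmap over the low byte of the message type and `driver` selects the high byte. Suggest `/* nlmsg perms are a bitmap over one driver (upper byte of the type); sets for different drivers cannot overlap */` above the comparison, assuming the encoding mirrors the ioctl-function case, which is inferred rather than visible in this hunk. process_avtab_datum begins before the hunk.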