RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-02-27 06:50:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

libsepol: The src and tgt must be the same if neverallow uses self

Browse Source 
When checking for violations of neverallow rules, if the neverallow
uses self, then the src and tgt must be the same when checking
extended permissions and when reporting violations.

Example:
  allow attr attr : CLASS PERM;
  neverallow attr self : CLASS PERM;

If the types t1 and t2 have attribute attr, then the violations
that would be reported would be:
  allow t1 t1 : CLASS PERM;
  allow t1 t2 : CLASS PERM;
  allow t2 t1 : CLASS PERM;
  allow t2 t2 : CLASS PERM;
instead of:
  allow t1 t1 : CLASS PERM;
  allow t2 t2 : CLASS PERM;

Signed-off-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
James Carter 2022-01-11 12:42:09 -05:00
parent 461067242a
commit fb3a383f42
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libsepol/src/assertion.c
View File

@ -213,6 +213,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
ebitmap_t src_matches, tgt_matches, self_matches;
ebitmap_node_t *snode, *tnode;
unsigned int i, j;
const int is_avrule_self = (avrule->flags & RULE_SELF) != 0;
if ((k->specified & AVTAB_ALLOWED) == 0)
return 0;
@ -236,7 +237,7 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
if (rc < 0)
goto oom;
if (avrule->flags == RULE_SELF) {
if (is_avrule_self) {
rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]);
if (rc < 0)
goto oom;
@ -260,6 +261,8 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void
ebitmap_for_each_positive_bit(&src_matches, snode, i) {
ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) {
if (is_avrule_self && i != j)
continue;
if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
a->errors += report_assertion_extended_permissions(handle,p, avrule,
i, j, cp, perms, k, avtab);
@ -368,6 +371,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
ebitmap_t src_matches, tgt_matches, self_matches;
unsigned int i, j;
ebitmap_node_t *snode, *tnode;
const int is_avrule_self = (avrule->flags & RULE_SELF) != 0;
int rc;
ebitmap_init(&src_matches);
@ -389,7 +393,7 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
if (rc < 0)
goto oom;
if (avrule->flags == RULE_SELF) {
if (is_avrule_self) {
rc = ebitmap_and(&self_matches, &src_matches, &p->attr_type_map[k->target_type - 1]);
if (rc < 0)
goto oom;
@ -408,6 +412,8 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
ebitmap_for_each_positive_bit(&src_matches, snode, i) {
ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) {
if (is_avrule_self && i != j)
continue;
if (check_assertion_extended_permissions_avtab(avrule, avtab, i, j, k, p)) {
rc = 1;
goto exit;