Use their enum values as indices to clarify their relationships.
Specify array size to verify it at compile time.
Remove unnecessary trailing entry, since all access is controlled by a
check against POLICYDB_CAP_MAX.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use a single pointer variable for the realloc(3) result to not
immediately override the source pointer.
Also don't unnecessarily copy the first character.
Reported by Clang Analyzer:
services.c:810:14: warning: Assigned value is garbage or undefined [core.uninitialized.Assign]
810 | **r_buf = **new_buf;
| ^ ~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In case the member sid_key failed to allocate, free the parent struct.
Reported by Clang Analyzer:
module_to_cil.c:2607:9: warning: Potential leak of memory pointed to by 'item' [unix.Malloc]
2607 | return rc;
| ^~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Set the number of target names to 0 instead of leaving it uninitialized.
The number is always 0 since CIL does not support non-trivial not-self
neverallow rules yet.
Reported by Clang Analyzer:
module_to_cil.c:1211:18: warning: The right operand of '<' is a garbage value [core.UndefinedBinaryOperatorResult]
1211 | for (t = 0; t < num_tnames; t++) {
| ^ ~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Check the identifier for initial SIDs is less than the maximum known ID.
The kernel will ignore all unknown IDs, see
security/selinux/ss/policydb.c:policydb_load_isids().
Without checking huge IDs result in OOM events, while writing policies,
e.g. in write_sids_to_conf() or write_sids_to_cil(), due to allocation
of large (continuous) string lists.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Several values while parsing kernel policies, like symtab sizes or
string lengths, are checked for saturation. They may not be set to the
maximum value, to avoid overflows or occupying a reserved value, and
many of those sizes must not be 0. This is currently handled via the
two macros is_saturated() and zero_or_saturated().
Both macros are tweaked for the fuzzer, because the fuzzer can create
input with huge sizes. While there is no subsequent data to provide
the announced sizes, which will be caught later, memory of the requested
size is allocated, which would lead to OOM reports. Thus the sizes for
the fuzzer are limited to 2^16. This has the drawback of the fuzzer
not checking the complete input space.
Check the sizes in question for actual enough bytes available in the
input. This is (only) possible for mapped memory, which the fuzzer
uses.
Application like setools do currently not benefit from this change,
since they load the policy via a stream. There are currently multiple
interfaces to load a policy, so reworking them to use mapped memory by
default might be subject for future work.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Change the type for the number of primary names in a symtab to uint32_t,
which conforms to the bytes read and the type used in the symtab.
The type is important for the saturation check via is_saturated(), since
it checks against -1 casted to the specific type.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use the internal helper str_read() in more places while reading strings
from a binary policy. This improves readability and helps adjusting
future sanity checks on inputs in fewer places.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Kernel policies with unsupported policy capabilities enabled can
currently be parsed, since they result just in a bit set inside an
ebitmap. Writing such a loaded policy into the traditional language or
CIL will fail however, since the unsupported policy capabilities can not
be converted into a name.
Reject kernel policies with invalid policy capabilities.
Reported-by: oss-fuzz (issue 60573)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Ensure the ibendport port is not 0 (similar to the kernel).
More general depth test for boolean expressions.
Ensure the boolean id is not set for logic operators.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Ensure constraint expressions are complete and do not exceed the
supported depth limit.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The default type of a type transition must be a regular type, not an
attribute.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Ensure counts are not set to the maximum value of their type.
Also limit their size during fuzzing to prevent OOM reports.
Reported-by: oss-fuzz (issue 60572), caused at the time by the filetrans
prefix proposal
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Neverallow avtab entries are not supported (normal and extended). Reject
them to avoid lookup confusions via avtab_search(), e.g. when searching
for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of
only AVTAB_NEVERALLOW has no transition value.
Simplify the check for the number of specifiers by using the compiler
popcount builtin (already used in libsepol).
Reported-by: oss-fuzz (issue 60568), caused at the time by the filetrans
prefix proposal
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
cil_write_post_ast() should be in libsepol version 3.6, since version
3.5 has already been released.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The function cil_write_post_ast() will write the CIL AST after
post processing is done. Most post processing does not change the
CIL AST, this is where deny rules are processed (because to process
them, type attributes have to have been evaluated.)
When processed, deny rules may add new rules and attributes and the
deny rule itself will be removed from the AST, so using this new
function will show the results of the deny rule processing.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
A deny rule is like a neverallow rule, except that permissions are
removed rather than an error reported.
(allow S1 T1 P1)
(deny S2 T2 P2)
First, write the allow rule with all of the permissions not in the deny rule
P3 = P1 and not P2
(allow S1 T1 P3)
Obviously, the rule is only written if P3 is not an empty list. This goes
for the rest of the rules as well--they are only written if the source and
target exist.
The remaining rules will only involve the common permissions
P4 = P1 and P2
Next, write the allow rule for any types in S1 that are not in S2
S3 = S1 and not S2
(allow S3 T1 P4)
Finally, write the allow rules needed to cover the types in T1 that are
not in T2. Since, T1 and T2 might be "self", "notself", or "other", this
requires more complicated handling. Any rule with "self" will not match
a rule with either "notself" or "other".
if (T1 is self and T2 is self) or (T1 is notself and T2 is notself) then
Nothing more needs to be done.
The rest of the rules will depend on the intersection of S1 and S2
which cannot be the empty set since the allow and deny rules match.
S4 = S1 and S2
if T1 is notself or T1 is other or T2 is notself or T2 is other then
if T1 is notself then
if T2 is other then
T = ALL and not S2
(allow S4 T P4)
else [T2 is not self, notself, or other]
S5 = S4 and not T2
S6 = S4 and T2
TA = ALL and not T2
TB = TA and not S4
(allow S6 TA P4)
(allow S5 TB P4)
if cardinality(S5) > 1 then
(allow S5 other P4)
else if T1 is other then
(allow S3 S4 P4)
if T2 is notself then
[Nothing else is needed]
else if T2 is other then
(allow S4 S3 P4)
else [T2 is not self, notself, or other]
S5 = S4 and not T2
S6 = S4 and T2
TC = S1 and not T2
TD = S3 and not T2
(allow S6 TC P4)
(allow S5 TD P4)
if cardinality(S5) > 1 then
(allow S5 other P4)
else [T1 is not self, notself, or other]
S8 = S4 and T1
(allow S8 self P4)
if T2 is notself then
[Nothing else is needed]
else [T2 is other]
T = T1 and not S2
(allow S4 T P4)
else [Neither T1 nor T2 are notself or other]
if T1 is self and T2 is not self then
S5 = S4 and not T2
(allow S5 self P4)
else if T1 is not self and T2 is self then
S7 = S4 and not T1
S8 = S4 and T1
T8 = T1 and not S4
(allow S7 T1 P4)
(allow S8 T8 P4)
if cardinality(S8) > 1 then
(allow S8 other P4)
else [Neither T1 nor T2 is self]
T3 = T1 and not T2
(allow S4 T3 P4)
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Add the function cil_tree_node_remove() which takes a node pointer
as an input, finds the parent, walks the list of nodes to the node
prior to the given node, updates that node's next pointer to remove
the given node from the tree, and then destroys the node.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Add a macro, called cil_list_is_empty, that returns true if the
list pointer or list head is NULL.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Adds the ability to parse a deny rule, add it to the AST, and
write it out when writing the AST, but the deny rule is otherwise
ignored and does nothing.
When it is fully supported, the deny rule will work like a neverallow
except that it will remove permissions rather than give an error.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Since log_err() has been removed, use ERR() instead of log_err() in
module_to_cil.c.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Convert trivial not-self neverallow rules to CIL, e.g.
neverallow TYPE1 ~self:CLASS1 PERM1;
into
(neverallow TYPE1 notself (CLASS1 (PERM1)))
More complex targets are not yet supported in CIL and will fail to
convert, e.g.:
neverallow TYPE1 ~{ self ATTR1 } : CLASS1 PERM1;
neverallow TYPE2 { ATTR2 -self } : CLASS2 PERM2;
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Like "self", both of these reserved words can be used as a target
in an access vector rule. "notself" means all types other than
the source type. "other" is meant to be used with an attribute and
its use results in the rule being expanded with each type of the
attribute being used as the source type with each of the other types
being used as the target type. Using "other" with just a type will
result in no rule.
Example 1
(allow TYPE1 notself (CLASS (PERM)))
This rule is expanded to a number of rules with TYPE1 as the source
and every type except for TYPE1 as the target.
Example 2
(allow ATTR1 notself (CLASS (PERM)))
Like Example 1, this rule will be expanded to each type in ATTR1
being the source with every type except for the type used as the
source being the target.
Example 3
(allow TYPE1 other (CLASS (PERM)))
This expands to no rule.
Example 4
(allow ATTR1 other (CLASS (PERM)))
Like Example 2, but the target types will be limited to the types
in the attribute ATTR1 instead of all types. So if ATTR1 has the
type t1, t2, and t3, then this rule expands to the following rules.
(allow t1 t2 (CLASS (PERM)))
(allow t1 t3 (CLASS (PERM)))
(allow t2 t1 (CLASS (PERM)))
(allow t2 t3 (CLASS (PERM)))
(allow t3 t1 (CLASS (PERM)))
(allow t3 t2 (CLASS (PERM)))
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
While it does no harm to call ebitmap_init() twice for an ebitmap,
since it is just memsetting the ebitmap to 0, it is poor practice.
In the function cil_type_matches() in cil_find.c, either ebitmap_and()
or ebitmap_set_bit() will be called. The function ebitmap_and() will
call ebitmap_init() on the destination ebitmap, but ebitmap_set_bit()
does not.
Instead of calling ebitmap_init() before the call to cil_type_matches(),
let cil_type_matches() make the call if it is going to call
ebitmap_set_bit(). It can also call ebitmap_destroy() on an error.
Since we are removing the call to ebitmap_init() in cil_self_match_any(),
cleanup some other things in the function (like using the FLAVOR()
macro and using ebitmap_is_empty()).
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
When compiling with the "-Wnull-dereference" flag, the compiler is
not smart enough to realize that anytime the ebitmap_t node field is
NULL, the highbit field will equal 0. This causes false positive
warnings to be generated.
Change the ebitmap_is_empty() and ebitmap_length() macros to check
for the node being NULL instead of just relying on the value of
highbit to eliminate these false warnings.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Since they are being removed, there will be nothing to install.
Suggested-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The Russian translations have not been maintained and are out of
date, so remove them.
Suggested-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Otherwise Linus might think we don't understand pointers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Avoid overflowing number of elements in hashtab_insert().
Use identical type for hashed values to avoid implicit conversions.
Declare tag parameter of hashtab_hash_eval() const since it is only
printed.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Avoid issues on architectures where unsigned int and uint32_t are not of
the same size.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Before the CIL post processing phase (where expressions are evaluated,
various ebitmaps are set, etc) there is a pre-verification where
checks are made to find self references or loops in bounds, attribute
sets, and class permissions. The class permission checking is faulty
in two ways.
First, it does not check for the use of "all" in a permission expression
for a class that has no permissions. An error will still be generated
later and secilc will exit cleanly, but without an error message that
explains the problem.
Second, it does not properly handle lists in permission expressions.
For example, "(C ((P)))" is a legitimate class permission. The
permissions expression contains one item that is a list containing
one permission. This permission expression will be properly evaluated.
Unfortunately, the class permission verification assumes that each
item in the permission expression is either an operator or a
permission datum and a segmenation fault will occur.
Refactor the class permission checking to give a proper error when
"all" is used in a permission expression for a class that has no
permissions and so that it can handle lists in permission
expressions. Also, check for the actual flavor of each item in
the permission expression and return an error if an unexpected
flavor is found.
The failure to properly handle lists in permission expressions was
found by oss-fuzz (#58085).
Tested-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Validate policy after optimizing.
Run policy assertion check, ignoring any assertions.
Abort on failures writing the parsed policy, as writing should not fail on
validated policies.
Set close-on-exec flag in case of any sibling thread.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
put_entry() is used during writing binary policies. Avoid short writes
due to an overflow.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit 55b75a2c ("libsepol: stop translating deprecated intial SIDs to
strings") dropped several names of obsolete initial sids ans replaced
them with NULL. This leads to their printable string being dynamically
allocated but not free'd.
Instead of keeping track of which name was allocated dynamically and
which not, allocate all on the heap, which simplifies the later cleanup.
While on it also free the name in case of a strs_add_at_index() failure.
Reported-by: oss-fuzz (issue 60271)
Fixes: 55b75a2c ("libsepol: stop translating deprecated intial SIDs to strings")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This patch implements the support for prefix/suffix filename transitions
in the CIL structures as well as in the CIL policy parser.
Syntax of the new prefix/suffix filename transition rule:
(typetransition source_type_id target_type_id class_id object_name match_type default_type_id)
where match_type is either the keyword "prefix" or "suffix".
Examples:
(typetransition ta tb CLASS01 "file01" prefix td)
(typetransition td te CLASS01 "file02" suffix tf)
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
This patch extends the structures for module and base policy (avrule_t)
to support prefix/suffix transitions. In addition to this, it implements
the necessary changes to functions for reading and writing the binary
policy, as well as parsing the policy conf.
Syntax of the new prefix/suffix filename transition rule:
type_transition source_type target_type : class default_type object_name match_type;
where match_type is either keyword "prefix" or "suffix"
Examples:
type_transition ta tb:CLASS01 tc "file01" prefix;
type_transition td te:CLASS01 tf "file02" suffix;
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently, filename type transitions support only exact name matching.
However, in practice, the names contain variable parts. This leads to
many duplicated rules in the policy that differ only in the part of the
name, or it is even impossible to cover all possible combinations.
This patch extends the filename type transitions structures to include
new types of filename transitions - prefix and suffix filename
transitions. It also implements the reading and writing of those rules
in the kernel binary policy format together with increasing its version.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
