Commit Graph

26 Commits

Author SHA1 Message Date
Jeff Vander Stoep
99fc177b5a Add neverallow support for ioctl extended permissions
Neverallow rules for ioctl extended permissions will pass in two
cases:
1. If extended permissions exist for the source-target-class set
   the test will pass if the neverallow values are excluded.
2. If extended permissions do not exist for the source-target-class
   set the test will pass if the ioctl permission is not granted.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by:  Nick Kralevich <nnk@google.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
2015-09-22 10:52:47 -04:00
Jeff Vander Stoep
915fa8f08f checkpolicy: switch operations to extended perms
The ioctl operations code is being renamed to the more generic
"extended permissions." This commit brings the policy compiler
up to date with the kernel patch.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-15 09:21:20 -04:00
Jeff Vander Stoep
80bc7ee8fa Add support for ioctl command whitelisting
Adds support for new policy statements whitelisting individual ioctl
commands. Ioctls provide many of the operations necessary for driver control.
The typical driver supports a device specific set of operations accessible
by the ioctl system call and specified by the command argument. SELinux
provides per operation access control to many system operations e.g. chown,
kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per
file descriptor basis using the ioctl permission, meaning that the set of
operations provided by the driver are granted on an all-or-nothing basis.
In some cases this may be acceptable, but often the same driver provides a
large and diverse set of operations such as benign and necessary functionality
as well as dangerous capabilities or access to system information that should
be restricted.

Example policy:
allow <source> <target>:<class> { 0x8900-0x8905 0x8910 }
auditallow <source> <target>:<class> 0x8901

The ioctl permission is still required in order to make an ioctl call. If no
individual ioctl commands are specified, only the ioctl permission is
checked by the kernel - i.e. status quo. This allows ioctl whitelisting to
done in a targeted manner, protecting desired drivers without requiring every
ioctl command to be known and specified before use and otherwise allowing
existing policy to be used as-is.

This only implements ioctl whitelisting support for monolithic kernel policies
built via checkpolicy. Support for modules and CIL remains to be done.

Bug: 19419509
Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
2015-04-23 08:30:33 -04:00
Daniel De Graaf
f029067709 libsepol, checkpolicy: add device tree ocontext nodes to Xen policy
In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:44 -04:00
Daniel De Graaf
82030de5dc libsepol, checkpolicy: widen Xen IOMEM ocontext entries
This expands IOMEMCON device context entries to 64 bits.  This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space.  The policy version number change
is shared with the next patch.

While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:18 -04:00
Daniel De Graaf
aab2d9f904 checkpolicy: Expand allowed character set in paths
In order to support paths containing spaces or other characters, allow a
quoted string with these characters to be parsed as a path in addition
to the existing unquoted string.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:14 -04:00
Scapelli
387dc6342e Add missing semicolon to parser rule "cond_else"
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:54 -04:00
Nicolas Iooss
c4a4a1a7ed Fix gcc -Wstrict-prototypes warnings
In C, defining a function with () means "any number of parameters", not
"no parameter".  Use (void) instead where applicable and add unused
parameters when needed.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:38 -04:00
Nicolas Iooss
832e7017f8 checkpolicy: constify the message written by yyerror and yywarn
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:06 -04:00
Eric Paris
693f5241fd checkpolicy: libsepol: implement default type policy syntax
We currently have a mechanism in which the default user, role, and range
can be picked up from the source or the target object.  This implements
the same thing for types.  The kernel will override this with type
transition rules and similar.  This is just the default if nothing
specific is given.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2013-02-05 20:14:46 -05:00
Eric Paris
09c783c9a3 libsepol: checkpolicy: implement new default labeling behaviors
We would like to be able to say that the user, role, or range of a newly
created object should be based on the user, role, or range of either the
source or the target of the creation operation.  aka, for a new file
this could be the user of the creating process or the user or the parent
directory.  This patch implements the new language and the policydb
support to give this information to the kernel.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-27 16:49:31 -04:00
Eric Paris
fdeeccaa0e Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
This reverts commit d72a9ec825.  It should
never have been added.  It breaks the correct wrapping of filenames in "
2011-11-02 13:04:39 -04:00
Harry Ciao
80f26c5ee8 checkpolicy: Separate tunable from boolean during compile.
Both boolean and tunable keywords are processed by define_bool_tunable(),
argument 0 and 1 would be passed for boolean and tunable respectively.
For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags.

Note, when creating an if-else conditional we can not know if the
tunable identifier is indeed a tunable(for example, a boolean may be
misused in tunable_policy() or vice versa), thus the TUNABLE flag
for cond_node_t would be calculated and used in expansion when all
booleans/tunables copied during link.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:01 -04:00
Dan Walsh
5619635063 checkpolicy: add missing ; to attribute_role_def
The commit to add role attributes forgot a ; in policy_parse.y for
attribute_role_def. Add the missing ;

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 13:21:44 -04:00
Dan Walsh
d72a9ec825 checkpolicy: Redo filename/filesystem syntax to support filename trans rules
In order to support filenames, which might start with "." or filesystems
that start with a number we need to rework the matching rules a little
bit.  Since the new filename rule is so permissive it must be moved to
the bottom of the matching list to not cover other definitions.

Signed-of-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 13:21:28 -04:00
Harry Ciao
16675b7f96 Add role attribute support when compiling modules.
1. Add a uint32_t "flavor" field and an ebitmap "roles" to the
role_datum_t structure;

2. Add a new "attribute_role" statement and its handler to declare
a role attribute;

3. Modify declare_role() to setup role_datum_t.flavor according
to the isattr argument;

4. Add a new "roleattribute" rule and its handler, which will record
the regular role's (policy value - 1) into the role attribute's
role_datum_t.roles ebitmap;

5. Modify the syntax for the role-types rule only to define the
role-type associations;

6. Add a new role-attr rule to support the declaration of a single
role, and optionally the role attribute that the role belongs to;

7. Check if the new_role used in role-transition rule is a regular role;

8. Support to require a role attribute;

9. Modify symtab_insert() to allow multiple declarations only for
the regular role, while a role attribute can't be declared more than once
and can't share a same name with another regular role.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-07-25 10:09:27 -04:00
James Carter
17ac87ce83 checkpolicy: Allow filesystem names to start with a digit
The patch below allows filesystem names in fs_use_* and genfscon
statements to start with a digit, but still requires at least one
character to be a letter.  A new token type for filesystem names is
created since these names having nothing to do with SELinux.

This patch is needed because some filesystem names (such as 9p) start
with a digit.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-05-17 10:16:56 -04:00
Steve Lawrence
b42e15ffd5 checkpolicy: wrap file names in filename trans with quotes
This wraps the filename token in quotes to make parsing easier and more
clear. The quotes are stripped off before being passed to checkpolicy.
The quote wrapping is only used by filename transitions.  This changes
the filename transition syntax to the following:

    type_transition source target : object default_type "filename";

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-05-17 10:16:02 -04:00
Steve Lawrence
cb271f7d4c Revert "checkpolicy: use a better identifier for filenames"
This reverts commit d4c2303866.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-05-16 08:38:37 -04:00
Daniel J Walsh
c61b6934dd checkpolicy: allow version of single digit
currently policy will not build if I define a module as 1

policy_module(dan,1) Fails

policy_module(dan,1.0) works

The attached patch makes the first one work.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-29 16:21:25 -04:00
Daniel J Walsh
d4c2303866 checkpolicy: use a better identifier for filenames
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-29 16:21:24 -04:00
Eric Paris
516cb2a264 checkpolicy: add support for using last path component in type transition rules
This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects.  A example
rule looks like so:

type_transition unconfined_t etc_t:file system_conf_t eric;

This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.

The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-29 15:20:21 -04:00
Harry Ciao
e95f358e3b Userspace: role_transition parser to handle class field
Handle the class field in the role_transition rule. If no class is
specified, then it would be set to the "process" class by default.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-07 12:12:58 -04:00
Paul Nuzzi
79d10a8f98 checkpolicy: Add support for multiple target OSes
Updated patch of checkpolicy based on input.

On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote:
> Add support for multiple target OSes by adding the -t target option to
> checkpolicy.  Implemented the new Xen ocontext identifiers pirqcon,
> pcidevicecon, iomemcon and ioportcon.
>
> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
>
> ---

 checkpolicy/checkpolicy.c   |   20 ++-
 checkpolicy/policy_define.c |  272
++++++++++++++++++++++++++++++++++++++++++++
 checkpolicy/policy_define.h |    4
 checkpolicy/policy_parse.y  |   29 ++++
 checkpolicy/policy_scan.l   |   10 +
 5 files changed, 330 insertions(+), 5 deletions(-)

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-10-14 15:46:09 -04:00
Joshua Brindle
45728407d6 Author: KaiGai Kohei
Email: kaigai@ak.jp.nec.com
Subject: Thread/Child-Domain Assignment (rev.2)
Date: Tue, 05 Aug 2008 14:55:52 +0900

[2/3] thread-context-checkpolicy.2.patch
  It enables to support TYPEBOUNDS statement and to expand
  existing hierarchies implicitly.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
--
 module_compiler.c |   86 +++++++++++++++++++++++++++++++++++++++++++++++++
 policy_define.c   |   93 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 policy_define.h   |    1
 policy_parse.y    |    5 ++
 policy_scan.l     |    2 +
 5 files changed, 186 insertions(+), 1 deletion(-)

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-08 06:56:51 -04:00
Joshua Brindle
13cd4c8960 initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00