Commit Graph

28 Commits

Author SHA1 Message Date
Steve Lawrence
551d834c39 libsepol/cil: improve recursion detection
Add support for detecting recursive blockinherits, and print a trace of
the detected loop. Output will look something like this upon detection:

  Recursive blockinherit found:
    test.cil:42: block a
    test.cil:43: blockinherit b
    test.cil:36: block b
    test.cil:37: blockinherit c
    test.cil:39: block c
    test.cil:40: blockinherit a

Additionally, improve support for detecting recursive macros/calls. Due
to the way calls are copied, the existing code only detected recursion
with call depth of three or more. Smaller depths, like

  (macro m ()
    (call m))

were not detected and caused a segfault. The callstack that was used for
this was not sufficient, so that is removed and replaced with a method
similar to the block recursion detection. A similar trace is also
displayed for recursive macros/calls.

Also, cleanup sidorder, classorder, catorder, sensorder, and in lists at
the end of resolve, fixing a potential memory leak if errors occur
during resolve.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-09-15 12:40:09 -04:00
Yuli Khodorkovskiy
2ee9377b6b libsepol/cil: Fix uninitialized false positive in cil_binary
On older versions of gcc, an error is incorrectly given about
uninitialized variables. This will initialize the culprits.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-09-11 11:02:53 -04:00
Yuli Khodorkovskiy
de4c95f9c8 libsepol/cil: Provide error if classperms are empty
Fixes https://github.com/SELinuxProject/cil/issues/7.

This fixes a bug where cil_verify_classperms was executed on NULL
classperms lists. A check is now performed when verifying
classpermissions and classmap to ensure the classperms lists are not
empty.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-09-11 11:02:37 -04:00
Yuli Khodorkovskiy
77779d2ca5 libsepol/cil: Add userattribute{set} functionality
This adds a userattribute statement that may be used in userroles and
constraints. The syntax is the same as typeattributset.

Also, disallow roleattributes where roles are accepted in contexts.

Specify a userattribute

    (userattribute foo)

Add users to the set foo

    (userattributeset foo (u1 u2))

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-09-11 09:07:46 -04:00
Steve Lawrence
b6e519e542 libsepol/cil: fix blockinherit copying segfault and add macro restrictions
When we copy a blockinherit statement, we perform actions that assume
the blockinherit statement was already resolved. However, this isn't the
case if the statement was copied from a tunableif or an in-statement,
since those are resolve before blockinherits and blocks.  So when
copying a blockinherit that hasn't been resolved, ignore the code that
associates blocks with the blockinherit; that will all be handled when
the copied blockinherit is actually resolved later.

Additionally, restrict block, blockabstract, and blockinherit statements
from appearing in macros. These statements are all resolved before
macros due to ordering issues, so they must not appear inside macros.
Note that in addition to doing the checks in build_ast, they are also
done in resolve_ast. This is because an in-statement could copy a block
statement into a macro, which we would not know about until after the
in-statement was resolved.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-09-10 10:05:16 -04:00
Steve Lawrence
1fe89056ea libsepol/cil: fix NULL pointer dereference when copying classpermission/set
When copying classpermission or classpermissionset statements, we did
not properly initialize the new structs. This would cause a segfault
when one used either of these statements inside a tunableif block, e.g.

  (tunableif foo
    (true
      (classpermissionset cps (cls (perm1 perm2))))
    (false
      (classpermissionset cps (cls (perm1)))))

Reported-by: Dominick Grift <dac.override@gmail.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-09-09 15:31:14 -04:00
Steve Lawrence
ef93dfe039 libsepol/cil: add ioctl whitelist support
Add three new extended avrule statements with the following syntax:

  (allowx source_type target_type permissionx)
  (auditallowx source_type target_type permissionx)
  (dontauditx source_type target_type permissionx)

source_type - type, typeattribute, or typealias
target_type - type, typeattribute, typealias, or "self" keyword
permissionx - named or anonymous permissionx statement, which has the syntax:

  (permissionx name (kind object expression))

name - unique identifier of the permissionx statement
kind - must be "ioctl"; could be extended in the future
object - class or classmap
expression - standard CIL expression containing hexadecimal values,
  prefixed with '0x', and the expression keywords 'or', 'xor', 'and',
  'not', 'range', or 'all'. Values must be between 0x0000 and 0xFFFF.
  Values may also be provided in decimal, or in octal if starting with '0'.

For example:

 (allowx src_t tgt_t (ioctl cls (0x1111 0x1222 0x1333)))
 (allowx src_t tgt_t (ioctl cls (range 0x1400 0x14FF)))
 (allowx src_t tgt_t (ioctl cls (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F)))))

 (permissionx ioctl_nodebug (ioctl cls (not (range 0x2010 0x2013))))
 (allowx src_t tgt_t ioctl_nodebug)

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
2015-09-02 16:03:07 -04:00
Steve Lawrence
5eae956abf libsepol/cil: Improve resolution error messages
In some cases, if a statement failed to resolve inside an optional, we
would still log a failed to resolve error message, even though the
optional was disabled and everything successfully compiled. This was
confusing. Additionally, if a resolution failure occurred outside of an
optional, the error message did not include the actual name that could
not be resolved--it only logged the statement type (e.g. allow,
booleanif, etc.) and file/line number.

This patch removes resolution error messages which should not always be
printed, as well as improves the resolution failure message to also
print the last name that was attempted to be resolved. Also makes some
less important error messages INFO rather than WARN, which tended to
just clutter things and hide actual error messages.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-07-22 11:02:16 -04:00
James Carter
3e4a902010 libsepol/cil: Add CIL bounds checking and reporting.
Use the libsepol bounds checking to check for and report user and
role bounds violations.

For type bounds checking, use libsepol bounds checking to determine
if there is a violation for a given type. For each violation display
an error message that includes the CIL AST from the root node to the
node of the rule causing the violation.

Example error report:
Child type b_t3_c exceeds bounds of parent b_t3
  (allow b_t3_c b_tc (file (write)))
    <root>
    booleanif at line 148633 of cil.conf.bounds
    true at line 148634 of cil.conf.bounds
    allow at line 148636 of cil.conf.bounds
      (allow b_t3_c b_tc (file (read write)))

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:16 -04:00
James Carter
bea07710d0 libsepol/cil: Track number of classes and number of types and attributes.
These values are stored in the CIL db so they can be used to
determine how much memory is needed for mapping libsepol values
to CIL data.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:16 -04:00
James Carter
beb01ceb49 libsepol/cil: Refactored CIL neverallow checking and reporting.
Use the libsepol neverallow checking to determine if a given neverallow
rule is violated. If a violation is found, use the function
cil_find_matching_avrule_in_ast() to find the AST node of the particular
rule that violates the neverallow. This allows CIL to provide a more
informative error message that includes the file and line number of the
node and all of its parents.

Example error report:
Neverallow check failed at line 31285 of cil.conf.neverallow
  (neverallow typeset4 self (memprotect (mmap_zero)))
    <root>
    booleanif at line 152094 of cil.conf.neverallow
    true at line 152095 of cil.conf.neverallow
    allow at line 152096 of cil.conf.neverallow
      (allow ada_t self (memprotect (mmap_zero)))

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:16 -04:00
James Carter
f9bdf580b8 libsepol/cil: Add function to search the CIL AST for an AV rule.
The search will be considered a success if any rule is found that
at least partially matches all parts (src type, tgt type, and class-
perms) of the target rule.

For example, for a target of (allow domain file_type (file (read write)
the rule (allow init_t init_exec_t (file (read exec)) will match.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:07 -04:00
Yuli Khodorkovskiy
1e2b2e57e5 libsepol/cil: Do not allow categories/sensitivities inside blocks
Fixes https://github.com/SELinuxProject/cil/issues/2.

Sensitivities and categories generated from blocks use dots to indicate
namespacing. This could result in categories that contain ambiguous
ranges with categories declared in blocks.

Example:

    (category c0)
    (category c2)
    (block c0
        (category (c2))
        (filecon ... (s0 (c2)))
    )

The above policy results in the filecontext: ... s0:c0.c2. The categories c0.c2
could be interpreted as a range between c0 and c2 or it could be the namespaced
category c0.c2. Therefore, categories are no longer allowed inside blocks to
eliminate this ambiguity.

This patch also disallows sensitivites in blocks for consistency with category
behavior.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-05-27 14:00:01 -04:00
Yuli Khodorkovskiy
c3345c58a4 libsepol/cil: Verify users prior to evaluating users
If a userlevel or userrange statement is missing from a policy,
evaluate_level_expression() and evaluate_levelrange_expression, respectively
will have a NULL pointer dereference caused by a missing level in a user.

Add cil_pre_verify() which verifies users have a valid level. Also, move loop
checking in classpermissions into cil_pre_verify().

This fixes https://github.com/SELinuxProject/cil/issues/1.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-05-05 16:00:03 -04:00
Yuli Khodorkovskiy
16796d8dc1 libsepol: Don't use symbol versioning for static object files
Libraries such as libqpol that link with libsepol statically do not understand
the symbolic versioning in libsepol. This patch disables the symbolic versioning
in libsepol if building the static library or building for Android.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2015-04-15 15:20:20 -04:00
Stephen Smalley
cacf51cef0 libsepol, secilc: Fix build for Android
The Android build does not like the symbol versioning introduced
by commit 8147bc7; the build fails with:
host SharedLib: libsepol (out/host/linux-x86/obj/lib/libsepol.so)
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version LIBSEPOL_1.1
clang: error: linker command failed with exit code 1 (use -v to see invocation)

Omit the versioned symbols and simply use the current interfaces
when building on Android.

Commit 36f62b7 also broke the Android build by moving secilc out of
libsepol, because the libsepol headers were not installed by the Android.mk
file.

Export the required libsepol headers for use by secilc and adjust secilc
to pick them up from the right location on Android.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-02 12:01:10 -04:00
Yuli Khodorkovskiy
36f62b78f1 libsepol: Move secilc out of libsepol
Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.

- Move secilc source, test policies, docs, and secilc manpage to secilc
  directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
  in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
  Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-03-31 12:31:38 -04:00
Richard Haines
d03e9373e8 libsepol: Fix building Xen policy with devicetreecon
Problems fixed:
1) Fix core dump when building CIL policy (corrupted double-linked list)
   by Steve Lawrence <slawrence@tresys.com>
2) Binary policy failed to read with devicetreecon statement.
3) Free path name - With a Xen policy running secilc/valgrind
   there are no memory errors.

Also added devicetreecon statement to CIL policy.cil and updated the CIL
Reference Guide.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-03-23 12:47:58 -04:00
Daniel De Graaf
f029067709 libsepol, checkpolicy: add device tree ocontext nodes to Xen policy
In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:44 -04:00
Daniel De Graaf
82030de5dc libsepol, checkpolicy: widen Xen IOMEM ocontext entries
This expands IOMEMCON device context entries to 64 bits.  This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space.  The policy version number change
is shared with the next patch.

While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:18 -04:00
Steve Lawrence
8147bc7622 libsepol: clean up the CIL API
- No longer require the caller to create a sepol_policydb. CIL is now
  responsible for that
- Since the user is no longer responsible for creating the policydb, two
  functions are added to let CIL know how it should configure the
  policydb, to set the policy version and the target platform
- Some functions, like cil_compile, do not need a policydb. Additionally
  some functions, like cil_filecons_to_string use the policydb, but could
  be rewritten to not require it. In these cases, remove the policydb
  from the API, and rewrite functions so they don't depend on it. The
  only function that uses a policydb is cil_build_policydb
- Add functions and symbolic versioning to maintain binary backwards
  compatability. API backwards compatability is not maintained

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-02-27 08:58:52 -05:00
Richard Haines
c2c2bd34c9 libsepol: Update CIL documentation
Reformat secilc(8) man page for readability and correct url

Remove unused/obsolete info and correct portcon statement in the
Reference Guide.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-02-26 08:30:51 -05:00
Steve Lawrence
28ae74e112 Merge commit '76ba6eaa7333483a8cc0c73a7880f7acf99c2656' 2015-02-18 09:25:20 -05:00
Stephen Smalley
00beeba1fc Maybe fix MacOS X build.
s6_addr32 is not portable; use s6_addr instead.

Change-Id: I21c237588d3e7200cefa3af96065f657dae4b1e7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-03 13:34:26 -05:00
Steve Lawrence
72dc45bf54 Merge commit '80afe7b2ce0b06f93b6b3a07e58cab1aee8afc91' 2014-12-03 10:05:59 -05:00
Steve Lawrence
450a3ea216 Merge commit '847aa150e30e6147c28ed9807fae4dc232b5a8fe' 2014-10-06 14:55:04 -04:00
Steve Lawrence
bbbd58e125 Merge commit 'a3abb2c05301b24ad2f8307d07734d89ddf808d8' into merge 2014-10-02 10:07:00 -04:00
Steve Lawrence
bb0f8beff8 Merge commit 'b19eafb97feb6389d78e1693f276fc5b10e25bd6' as 'libsepol/cil' 2014-08-26 08:02:58 -04:00