Commit Graph

75 Commits

Author SHA1 Message Date
Joshua Brindle
9ba35fe8c2 Add default_range glblub support
Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. This can be used by MLS userspace
object managers to find the range of clearances that two contexts
have in common. An example usage is computing a transition between
the network context and the context of a user logging into an MLS
application.

For example, one can add a default with
this cil:

(defaultrange db_table glblub)

or in te (base module only):

default_range db_table glblub;

and then test using the compute_create utility:

$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20

Some example range transitions are:

User Permitted Range | Network Device Label | Computed Label
---------------------|----------------------|----------------
s0-s1:c0.c12         | s0                   | s0
s0-s1:c0.c12         | s0-s1:c0.c1023       | s0-s1:c0.c12
s0-s4:c0.c512        | s1-s1:c0.c1023       | s1-s1:c0.c512
s0-s15:c0,c2         | s4-s6:c0.c128        | s4-s6:c0,c2
s0-s4                | s2-s6                | s2-s4
s0-s4                | s5-s8                | INVALID
s5-s8                | s0-s4                | INVALID

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-09-10 12:30:29 -04:00
Richard Haines
c3f9492d7f
selinux: Remove legacy local boolean and user code
Remove legacy local boolean and user code, and to preserve API/ABI
compatibility the following functions int values should be set to '0'
as they are no longer used:
  selinux_mkload_policy(int preservebools)
  security_set_boolean_list(.... int permanent)
and the following are now no-op and return '-1':
  security_load_booleans()
  sepol_genusers()
  sepol_set_delusers()
  sepol_genbools()
  sepol_genbools_array()
and these still return their paths for compatibility, however they are
marked as deprecated:
  selinux_booleans_path()
  selinux_users_path()

These have been removed as they are local functions only:
  sepol_genusers_policydb()
  sepol_genbools_policydb()

Also "SETLOCALDEFS" removed from SELinux config file and code.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2019-07-29 23:46:24 +02:00
Ondrej Mosnacek
b8213acff8 libsepol: add a function to optimize kernel policy
Add sepol_policydb_optimize(), which checks a kernel policy for
redundant rules (i.e. those that are covered by an existing more general
rule) and removes them.

Results on Fedora 29 policy:

WITHOUT OPTIMIZATION:
    # time semodule -B
    real    0m21,280s
    user    0m18,636s
    sys     0m2,525s

    $ wc -c /sys/fs/selinux/policy
    8692158 /sys/fs/selinux/policy

    $ seinfo (edited)
      Allow:            113159
      Dontaudit:         10297
      Total:            123156

WITH OPTIMIZATION ENABLED:
    # time semodule -B
    real    0m22,825s
    user    0m20,178s
    sys     0m2,520s

    $ wc -c /sys/fs/selinux/policy
    8096158 /sys/fs/selinux/policy

    $ seinfo (edited)
      Allow:             66334
      Dontaudit:          7480
      Total:             73814

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-06-25 10:11:00 -04:00
Ondrej Mosnacek
3e506bda3b libsepol: add ebitmap_for_each_set_bit macro
Most of the users of ebitmap_for_each_bit() macro only care for the set
bits, so introduce a new ebitmap_for_each_positive_bit() macro that
skips the unset bits. Replace uses of ebitmap_for_each_bit() with the
new macro where appropriate.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-20 14:00:32 -04:00
James Carter
b816808e7f libsepol: Create policydb_sort_ocontexts()
Create the function called policydb_sort_ocontexts() that calls
the internal function sort_ocontexts() to sort the ocontexts of
a policydb.

The function sort_ocontexts() is already used by
sepol_kernel_policydb_to_conf() and sepol_kernel_policydb_to_cil()
when converting a binary policy to cil or policy.conf format.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-10-12 13:38:00 -04:00
Nick Kralevich via Selinux
0a71c5f3eb whitespace and spelling cleanup
Signed-off-by: Nick Kralevich <nnk@google.com>
2018-09-25 08:05:41 -07:00
Stephen Smalley
38e49c7187 libsepol: remove unused function and type
Fix the following build warning:
policydb.c: In function ‘get_symtab_destroy_func’:
policydb.c:1581:9: error: cast between incompatible function types from ‘int (*)(char *, void *, void *)’ to ‘void (*)(char *, void *, void *)’ [-Werror=cast-function-type]
  return (hashtab_destroy_func_t) destroy_f[sym_num];
         ^

It turns out that this function and type are long unused in libsepol
and are not exported APIs for the shared library, so just remove them.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-08 08:11:58 -04:00
Richard Haines via Selinux
cf0ab12414 selinux: Add support for the SCTP portcon keyword
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-19 12:34:29 -04:00
Marcus Folkesson
f8532f1773 libsepol: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- The pkg-config files generates odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:36 +01:00
Stephen Smalley
53bb2a11c2 checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
Update my email address since epoch.ncsc.mil no longer exists.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-17 14:17:12 -04:00
Stephen Smalley
ae1cd12076 libsepol: Define nnp_nosuid_transition policy capability
Define the nnp_nosuid_transition policy capability used to enable
SELinux domain transitions under NNP or nosuid if the
nnp_transition permission or nosuid_transition permission is
allowed between the old and new contexts. When this capability is not
enabled, such transitions remain limited to bounded transitions as they
were prior to the introduction of this capability.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:42:36 -04:00
Patrick Steinhardt
34dc7bcc31 libsepol: replace non-standard use of __BEGIN_DECLS
While most header files already use the common pattern of `extern "C"`
declarations to enable compiling in a C++ project, some header files in
libsepol instead use the macros `__BEGIN_DECLS` and `__END_DECLS`. These
macros are defined in the "sys/cdefs.h" header file, which provides
some non-standard extensions for glibc.

Convert usage of these declarations with the standard `extern "C"`
pattern. This improves compatibility with other libc implementations,
e.g. musl libc.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-06-20 11:03:12 -04:00
Daniel Jurgens
9a3d2c7a9b semanage: Update semanage to allow runtime labeling of ibendports
Update libsepol and libsemanage to work with ibendport records. Add local
storage for new and modified ibendport records in ibendports.local.
Update semanage to parse the ibendport command options to add, modify,
and delete them.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
6a7a5aafe5 semanage: Update semanage to allow runtime labeling of Infiniband Pkeys
Update libsepol and libsemanage to work with pkey records. Add local
storage for new and modified pkey records in pkeys.local. Update semanage
to parse the pkey command options to add, modify, and delete pkeys.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
118c0cd103 libsepol: Add ibendport ocontext handling
Add support for reading, writing, and copying IB end port ocontext data.
Also add support for querying a IB end port sid to checkpolicy.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
5bc05dd2a5 checkpolicy: Add support for ibendportcon labels
Add checkpolicy support for scanning and parsing ibendportcon labels.
Also create a new ocontext for IB end ports.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
9fbb311276 libsepol: Add ibpkey ocontext handling
Add support for reading, writing, and copying Infiniband Pkey ocontext
data. Also add support for querying a Pkey sid to checkpolicy.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:54 -04:00
Daniel Jurgens
5b203145fd checkpolicy: Add support for ibpkeycon labels
Add checkpolicy support for scanning and parsing ibpkeycon labels. Also
create a new ocontext for Infiniband Pkeys and define a new policydb
version for infiniband support.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:54 -04:00
Stephen Smalley
58962eb3d8 libsepol,checkpolicy: add binary module support for xperms
Presently we support xperms rules in source policy and in CIL modules.
The binary policy module format however was never extended for xperms.
This limitation inhibits use of xperms in refpolicy-based policy modules
(including the selinux-testsuite policy).  Update libsepol to support
linking, reading, and writing a new binary policy module version that
supports xperms rules.  Update dismod to display xperms rules in binary
policy modules.

Also, to support use of a non-base binary policy module with a newer
version on a system using a base policy module with an older version,
automatically upgrade the version during module linking.  This facilitates
usage of newer features in non-base modules without requiring rebuilding
the base module.

Tests:
1. Add an allowxperms rule to the selinux-testsuite policy and
confirm that it is properly written to the binary policy module
(displayed by dismod), converted to CIL (the latter was already supported),
and included in the kernel policy (via dispol and kernel test).

2. Use semodule_link and semodule_expand to manually link and expand
all of the .pp files via libsepol, and confirm that the allowxperms rule
is correctly propagated to the kernel policy.  This test is required to
exercise the legacy link/expand code path for binary modules that predated
CIL.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 09:35:52 -04:00
Jeff Vander Stoep
1089665e31 Add attribute expansion options
This commit adds attribute expansion statements to the policy
language allowing compiler defaults to be overridden.

Always expands an attribute example:
expandattribute { foo } true;
CIL example:
(expandtypeattribute (foo) true)

Never expand an attribute example:
expandattribute { bar } false;
CIL example:
(expandtypeattribute (bar) false)

Adding the annotations directly to policy was chosen over other
methods as it is consistent with how targeted runtime optimizations
are specified in other languages. For example, in C the "inline"
command.

Motivation

expandattribute true:
Android has been moving away from a monolithic policy binary to
a two part split policy representing the Android platform and the
underlying vendor-provided hardware interface. The goal is a stable
API allowing these two parts to be updated independently of each
other. Attributes provide an important mechanism for compatibility.
For example, when the vendor provides a HAL for the platform,
permissions needed by clients of the HAL can be granted to an
attribute. Clients need only be assigned the attribute and do not
need to be aware of the underlying types and permissions being
granted.

Inheriting permissions via attribute creates a convenient mechanism
for independence between vendor and platform policy, but results
in the creation of many attributes, and the potential for performance
issues when processes are clients of many HALs. [1] Annotating these
attributes for expansion at compile time allows us to retain the
compatibility benefits of using attributes without the performance
costs. [2]

expandattribute false:
Commit 0be23c3f15 added the capability to aggresively remove unused
attributes. This is generally useful as too many attributes assigned
to a type results in lengthy policy look up times when there is a
cache miss. However, removing attributes can also result in loss of
information used in external tests. On Android, we're considering
stripping neverallow rules from on-device policy. This is consistent
with the kernel policy binary which also did not contain neverallows.
Removing neverallow rules results in a 5-10% decrease in on-device
policy build and load and a policy size decrease of ~250k. Neverallow
rules are still asserted at build time and during device
certification (CTS). If neverallow rules are absent when secilc is
run, some attributes are being stripped from policy and neverallow
tests in CTS may be violated. [3] This change retains the aggressive
attribute stripping behavior but adds an override mechanism to
preserve attributes marked as necessary.

[1] https://github.com/SELinuxProject/cil/issues/9
[2] Annotating all HAL client attributes for expansion resulted in
    system_server's dropping from 19 attributes to 8. Because these
    attributes were not widely applied to other types, the final
    policy size change was negligible.
[3] data_file_type and service_manager_type are stripped from AOSP
    policy when using secilc's -G option. This impacts 11 neverallow
    tests in CTS.

Test: Build and boot Marlin with all hal_*_client attributes marked
    for expansion. Verify (using seinfo and sesearch) that permissions
    are correctly expanded from attributes to types.
Test: Mark types being stripped by secilc with "preserve" and verify
    that they are retained in policy and applied to the same types.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2017-05-09 12:09:46 -04:00
James Carter
0a08fd1e69 libsepol: Add ability to convert binary policy to policy.conf file
It would sometimes be helpful for debugging or verification purposes
to be able to convert a binary policy to a human-readable form.

Create new function, sepol_kernel_policydb_to_conf(), that takes a
policydb created from a binary policy and writes a policy.conf file
to the provided FILE pointer.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-04-05 12:23:25 -04:00
James Carter
70a480bfcd libsepol: Add ability to convert binary policy to CIL
It would sometimes be helpful for debugging or verification purposes
to be able to convert a binary policy to a human-readable form.

Create new function, sepol_kernel_policydb_to_cil(), that takes a
policydb created from a binary policy and writes CIL policy to the
provided FILE pointer.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-04-05 12:23:05 -04:00
Nicolas Iooss
b6579d262e libsepol: constify sepol_genbools()'s boolpath parameter
This allows removing an unnecessary cast to (char *) in libselinux.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-29 10:26:44 -04:00
Stephen Smalley
43b24f0132 libsepol: Define cgroup_seclabel policy capability
Define the new cgroup_seclabel policy capability used to
enable userspace setting of security labels on cgroup files
via setfscreatecon() aka /proc/self/attr/fscreate and/or
setfilecon() aka setxattr().

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-03-02 12:39:13 -05:00
Nicolas Iooss
fd9e5ef7b7 libsepol: use constant keys in hashtab functions
Even though "hashtab_key_t" is an alias for "char *", "const
hashtab_key_t" is not an alias for "(const char) *" but means "(char *)
const".

Introduce const_hashtab_key_t to map "(const char) *" and use it in
hashtab_search() and hashtab key comparison functions.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 08:46:19 -05:00
Nicolas Iooss
d4923b49b4 libsepol: make capability index an unsigned int
When sepol_polcap_getname() is called with a negative capnum, it
dereferences polcap_names[capnum] which produces a segmentation fault
most of the time.

For information, here is a gdb session when hll/pp loads a policy module
which has been mutated by American Fuzzy Lop:

    Program received signal SIGSEGV, Segmentation fault.
    sepol_polcap_getname (capnum=capnum@entry=-4259840) at polcaps.c:34
    34      return polcap_names[capnum];
    => 0x00007ffff7a8da07 <sepol_polcap_getname+135>:   48 8b 04 f8 mov
    (%rax,%rdi,8),%rax

    (gdb) bt
    #0  sepol_polcap_getname (capnum=capnum@entry=-4259840) at
    polcaps.c:34
    #1  0x00007ffff7a7c440 in polcaps_to_cil (pdb=0x6042e0) at
    module_to_cil.c:2492
    #2  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79c75e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4039
    #3  0x00007ffff7a7e695 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79c75e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4087
    #4  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 16:00:14 -05:00
Stephen Smalley
d479baa82d libsepol: Define extended_socket_class policy capability
Define the extended_socket_class policy capability used to enable
the use of separate socket security classes for all network address
families rather than the generic socket class. This also enables
separate security classes for ICMP and SCTP sockets, which were previously
mapped to the rawip_socket class.

The legacy redhat1 policy capability that was only ever used in testing
within Fedora for ptrace_child is reclaimed for this purpose; as far as
I can tell, this policy capability is not enabled in any supported distro
policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 09:17:17 -05:00
Stephen Smalley
7e09f584e1 libsepol,libselinux,audit2allow: teach audit2why about type bounds failures
Teach audit2why to recognize type bounds failures.  This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.

This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel.  However, it
is unclear if this is needed.  It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).

Before:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

After:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
        Was caused by:
                Typebounds violation.

                Add an allow rule for the parent type.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 15:53:59 -05:00
Stephen Smalley
cf8625be58 libsepol: do not #include <sys/cdefs.h>
ratbert90 submitted this patch via
https://github.com/SELinuxProject/selinux/issues/19.
Apparently musl does not provide sys/cdefs.h, see
http://wiki.musl-libc.org/wiki/FAQ#Q:_I.27m_trying_to_compile_something_against_musl_and_I_get_error_messages_about_sys.2Fcdefs.h.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 11:03:17 -05:00
Stephen Smalley
8fdb225521 libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs
range transition and name-based type transition rules were originally
simple unordered lists.  They were converted to hashtabs in the kernel
by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range
transition list to a hashtab") and by commit
2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based
create rules in a hashtable"), but left unchanged in libsepol and
checkpolicy. Convert libsepol and checkpolicy to use the same hashtabs
as the kernel for the range transitions and name-based type transitions.

With this change and the preceding one, it is possible to directly compare
a policy file generated by libsepol/checkpolicy and the kernel-generated
/sys/fs/selinux/policy pseudo file after normalizing them both through
checkpolicy.  To do so, you can run the following sequence of commands:

checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1
checkpolicy -M -b /sys/fs/selinux/policy -o policy.2
cmp policy.1 policy.2

Normalizing the two files via checkpolicy is still necessary to ensure
consistent ordering of the avtab entries.  There may still be potential
for other areas of difference, e.g. xperms entries may lack a well-defined
order.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-28 13:10:59 -05:00
William Roberts
af9f477fb9 policydb.h: use AVTAB macros to avoid duplications
Rather than having multiple copies of the AVTAB and AVRULE
defines, consolidate them.

This makes it clear that AVRULE to AVTAB conversion no longer
need to occur.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-11-17 16:41:45 -05:00
Gary Tierney
48965c602c libsepol/cil: create user and role caches when building binary policy
Pre-expands the role and user caches used in context validation when
conerting a cildb to a binary policydb.  This is currently only done
when loading a binary policy and prevents context validation from
working correctly with a newly built policy (i.e., when semanage builds
a new policy and then runs genhomedircon).

Also adds declarations for the hashtable mapping functions used:
policydb_role_cache and policydb_user_cache().

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-10-03 14:59:23 -04:00
Richard Haines
3895fbbe0c selinux: Add support for portcon dccp protocol
This adds CIL and checkpolicy support for the (portcon dccp ...)
statement. The kernel already handles name_bind and name_connect
permissions for the dccp_socket class.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-04-06 10:14:27 -04:00
Jeff Vander Stoep
99fc177b5a Add neverallow support for ioctl extended permissions
Neverallow rules for ioctl extended permissions will pass in two
cases:
1. If extended permissions exist for the source-target-class set
   the test will pass if the neverallow values are excluded.
2. If extended permissions do not exist for the source-target-class
   set the test will pass if the ioctl permission is not granted.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by:  Nick Kralevich <nnk@google.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
2015-09-22 10:52:47 -04:00
Yuli Khodorkovskiy
6ea58f548b libsepol: Replace sscanf in module_to_cil
Some platforms do not have %ms support in sscanf. This adds a tokenize()
function to be used instead of sscanf. tokenize() has the ability to split on any
delimiter. All whitespace delimiters will be squashed.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-08-04 11:10:05 -04:00
James Carter
798faf1227 libsepol: Refactored bounds (hierarchy) checking code
The largest change to the user and role bounds checking was to put
them in their own functions, so they could be called independently.

The type bounds checking was changed to check one type bounds at
a time. An expanded avtab is still created, but now only the rules
of the parent type are expanded. If violations are discovered,
a list of avtab_ptr_t's provides details. This list is used to
display error messages for backwards compatibility and will be
used by CIL to provide a more detailed error message.

Memory usage is reduced from 9,355M to 126M and time is reduced
from 9 sec to 2 sec.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 09:44:55 -04:00
James Carter
9e6840e6a2 libsepol: Refactored neverallow checking.
Instead of creating an expanded avtab, generating all of the avtab
keys corresponding to a neverallow rule and searching for a match,
walk the nodes in the avtab and use the attr_type_map and ebitmap
functions to find matching rules.

Memory usage is reduced from 370M to 125M and time is reduced from
14 sec to 2 sec. (Bounds checking commented out in both cases.)

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 09:44:55 -04:00
James Carter
49f7ebb04c libsepol: Add new ebitmap function named ebitmap_match_any()
This function returns true if there is a common bit that is set
in both bitmaps.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 09:44:55 -04:00
Jeff Vander Stoep
915fa8f08f checkpolicy: switch operations to extended perms
The ioctl operations code is being renamed to the more generic
"extended permissions." This commit brings the policy compiler
up to date with the kernel patch.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-15 09:21:20 -04:00
Jeff Vander Stoep
80bc7ee8fa Add support for ioctl command whitelisting
Adds support for new policy statements whitelisting individual ioctl
commands. Ioctls provide many of the operations necessary for driver control.
The typical driver supports a device specific set of operations accessible
by the ioctl system call and specified by the command argument. SELinux
provides per operation access control to many system operations e.g. chown,
kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per
file descriptor basis using the ioctl permission, meaning that the set of
operations provided by the driver are granted on an all-or-nothing basis.
In some cases this may be acceptable, but often the same driver provides a
large and diverse set of operations such as benign and necessary functionality
as well as dangerous capabilities or access to system information that should
be restricted.

Example policy:
allow <source> <target>:<class> { 0x8900-0x8905 0x8910 }
auditallow <source> <target>:<class> 0x8901

The ioctl permission is still required in order to make an ioctl call. If no
individual ioctl commands are specified, only the ioctl permission is
checked by the kernel - i.e. status quo. This allows ioctl whitelisting to
done in a targeted manner, protecting desired drivers without requiring every
ioctl command to be known and specified before use and otherwise allowing
existing policy to be used as-is.

This only implements ioctl whitelisting support for monolithic kernel policies
built via checkpolicy. Support for modules and CIL remains to be done.

Bug: 19419509
Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
2015-04-23 08:30:33 -04:00
James Carter
4514332550 libsepol: add function to generate CIL from a module policydb
Add a new function, sepol_module_policydb_to_cil, that generates
CIL from a module (not kernel) policydb. Refactor
sepol_module_package_to_cil() to use the new function.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-04-01 13:09:21 -04:00
James Carter
758a7fe501 libsepol, policycoreutils: Move functions to convert a module package to CIL
Move code to convert a policy module to CIL from the policy package to
CIL conversion tool, pp, in policycoreutils to libsepol. The only changes
to the code are the additions of the prefix "sepol_" to the functions
sepol_module_package_to_cil() and sepol_ppfile_to_module_package(). This
code is being changed from GPL to LGPL with permission from Tresys.

Convert pp to use the renamed functions in libsepol.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-04-01 13:09:17 -04:00
Daniel De Graaf
f029067709 libsepol, checkpolicy: add device tree ocontext nodes to Xen policy
In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:44 -04:00
Daniel De Graaf
82030de5dc libsepol, checkpolicy: widen Xen IOMEM ocontext entries
This expands IOMEMCON device context entries to 64 bits.  This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space.  The policy version number change
is shared with the next patch.

While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:18 -04:00
dcashman
ed7a6ba24a Allow libsepol C++ static library on device.
Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-01-20 10:31:15 -05:00
John Brooks
acb2a9bede Tweak avtab hash table parameters for better performance
Using the Fedora 20 targeted policy, running check_assertions requires
an avtab with around 22 million elements. With the default limit of 4096
buckets, performance is abysmal: it takes more than an hour to populate
the hash. Profiling shows most of that time under avtab_search_node.

This patch increases the hash from 13 to 20 bits and to a maximum of
1048576 buckets. The time for check_assertions on that policy is reduced
to about 3 minutes, which is enough to re-enable those checks as part of
the build process.

A full size table will allocate 4-8 MB of memory, up from 16-32 KB. In a
cursory review, these tables are usually short-lived and only 1-3 are
allocated together. Compared to the cost of entries in this table (up to
1 GB using the same policy), this isn't a significant increase.

Signed-off-by: John Brooks <john.brooks@jolla.com>
2015-01-15 10:44:01 -05:00
Nicolas Iooss
14c0564641 libsepol: fix most gcc -Wwrite-strings warnings
gcc puts literal strings lie in read-only memory.  On x86_64, trying to
write to them triggers a segmentation fault.

To detect such issues at build time, variables holding a pointer to such
strings should be "const char*".  "gcc -Wwrite-strings" warns when using
non-const pointers to literal strings.

Remove gcc warnings by adding const to local variables and argumens of
internal functions.

This does *not* fix this warning:

  policydb_public.c:208:10: warning: passing argument 2 of 'hashtab_search' discards 'const' qualifier from pointer target type
    return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) ==
            ^
  In file included from ../include/sepol/policydb/symtab.h:16:0,
                   from ../include/sepol/policydb/policydb.h:60,
                   from policydb_public.c:4:
  ../include/sepol/policydb/hashtab.h:98:24: note: expected 'hashtab_key_t' but argument is of type 'const char *'
  extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
                         ^

Moreover the "const" word in hashtab_search prototype does not make the
second parameter "const char*" but "char* const".

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:15 -04:00
Steve Lawrence
416f150f1a libsepol: build cil into libsepol
Set DISABLE_CIL=y to build libsepol without CIL support, e.g

    make DISABLE_CIL=y

To enable CIL support in libsepol, set DISABLE_CIL=n. This is the default
if not specified.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 08:03:31 -04:00
Steve Lawrence
44a65ed816 libsepol: add function to libsepol for setting target_platform
With pp modules, the target platform information comes form the base
module. However, CIL modules have no concept of target platform.  So it
must come from somewhere else. This adds an API function that allows
setting the target platform.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 08:02:16 -04:00
Stephen Smalley
ef24ade029 Report source file and line information for neverallow failures.
Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-24 14:58:58 -04:00