Use the libsepol bounds checking to check for and report user and
role bounds violations.
For type bounds checking, use libsepol bounds checking to determine
if there is a violation for a given type. For each violation display
an error message that includes the CIL AST from the root node to the
node of the rule causing the violation.
Example error report:
Child type b_t3_c exceeds bounds of parent b_t3
(allow b_t3_c b_tc (file (write)))
<root>
booleanif at line 148633 of cil.conf.bounds
true at line 148634 of cil.conf.bounds
allow at line 148636 of cil.conf.bounds
(allow b_t3_c b_tc (file (read write)))
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
These values are stored in the CIL db so they can be used to
determine how much memory is needed for mapping libsepol values
to CIL data.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Use the libsepol neverallow checking to determine if a given neverallow
rule is violated. If a violation is found, use the function
cil_find_matching_avrule_in_ast() to find the AST node of the particular
rule that violates the neverallow. This allows CIL to provide a more
informative error message that includes the file and line number of the
node and all of its parents.
Example error report:
Neverallow check failed at line 31285 of cil.conf.neverallow
(neverallow typeset4 self (memprotect (mmap_zero)))
<root>
booleanif at line 152094 of cil.conf.neverallow
true at line 152095 of cil.conf.neverallow
allow at line 152096 of cil.conf.neverallow
(allow ada_t self (memprotect (mmap_zero)))
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The search will be considered a success if any rule is found that
at least partially matches all parts (src type, tgt type, and class-
perms) of the target rule.
For example, for a target of (allow domain file_type (file (read write)
the rule (allow init_t init_exec_t (file (read exec)) will match.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The largest change to the user and role bounds checking was to put
them in their own functions, so they could be called independently.
The type bounds checking was changed to check one type bounds at
a time. An expanded avtab is still created, but now only the rules
of the parent type are expanded. If violations are discovered,
a list of avtab_ptr_t's provides details. This list is used to
display error messages for backwards compatibility and will be
used by CIL to provide a more detailed error message.
Memory usage is reduced from 9,355M to 126M and time is reduced
from 9 sec to 2 sec.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Instead of creating an expanded avtab, generating all of the avtab
keys corresponding to a neverallow rule and searching for a match,
walk the nodes in the avtab and use the attr_type_map and ebitmap
functions to find matching rules.
Memory usage is reduced from 370M to 125M and time is reduced from
14 sec to 2 sec. (Bounds checking commented out in both cases.)
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Types are treated as attributes that contain only themselves. This
is how types are already treated in the type_attr_map.
Treating types this way makes finding rules that apply to a given
type much easier. This simplifies the implementation of neverallow
checking in assertion.c and bounds checking in hierarchy.c.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
If you add some local file contexts via semanage fcontext -a and
later delete them all via semanage fcontext -D, you get an empty
file_contexts.local file. Then when you try to load it, getline()
returns 0 and we fall through to the out path without having set rc.
In label_file.c, rc will always be non-zero at this point because
we will have failed the load_mmap() call. In sefcontext_compile,
rc may contain random garbage at this point. Explicitly set rc
before the loop.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Update file contexts generation and loading to use common code.
Remove "status = 0; after "status = sort_specs(data);" otherwise
the function will never indicate a failure.
The file labeling code also has minor formatting, white space
removal etc. changes.
label_file.c - Move process_line function to label_file.h
sefcontext_compile.c - Update to use common process_line code. Now frees
all malloc'ed memory, checked by valgrind. Also added optional -o output
file parameter - updated man page to reflect this change.
V2 - Revert to using compat_validate instead of selabel_validate.
V3 - Revert to using callback for validation now the problem has been
fixed by commit e889148494
("libselinux: build sefcontext_compile with static libselinux")
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
sefcontext_compile depends on libselinux internals, so it might
as well use static libselinux. Hide read_spec_entries as this is not
intended as a public interface for shared library users.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fix memory issues flagged by valgrind.
These changes bring the property service in line with Android [1]
V2 reverts to original upstream %u when logging errors. Android needs
these corrections also.
[1] https://android-review.googlesource.com/#/c/153580/
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
The ioctl operations code is being renamed to the more generic
"extended permissions." This commit brings the policy compiler
up to date with the kernel patch.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Fixes compiler warnings all similar to the following:
host C: checkpolicy <= external/selinux/checkpolicy/policy_define.c
external/selinux/checkpolicy/policy_define.c:1572:2: warning: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Wsign-compare]
ebitmap_for_each_bit(&tclasses, node, i) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
external/selinux/checkpolicy/../libsepol/include/sepol/policydb/ebitmap.h:76:39: note: expanded from macro 'ebitmap_for_each_bit'
for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \
^ ~~~~~~~~~~~~~~~~~
Signed-off-by: Nick Kralevich <nnk@google.com>
When calling "sepolgen generate" to automatically generate a SELinux
policy template, the command fails when it cannot invoke RPM related
commands on Linux distributions that do not support RPM by default:
Failed to retrieve rpm info for selinux-policy
Traceback (most recent call last):
File "/usr/lib/python-exec/python2.7/sepolicy", line 643, in <module>
args.func(args)
File "/usr/lib/python-exec/python2.7/sepolicy", line 517, in generate
print mypolicy.generate(args.path)
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1370, in generate
out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1219, in write_spec
fd.write(self.generate_spec())
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1181, in generate_spec
selinux_policyver = get_rpm_nvr_list("selinux-policy")[1]
TypeError: 'NoneType' object has no attribute '__getitem__'
As the RPM related steps are only needed on RPM-enabled distributions,
we should ignore these steps on other Linux distribution platforms.
In this patch, we use the Python platform module to get the Linux
distribution, and only start the RPM-related activities on Linux
distributions that use RPM as their native package manager.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
--089e013a1a2abb8ecf0518469d04
Content-Type: text/plain; charset=UTF-8
assert() only prevents -Wreturn-type from firing if asserts are
enabled. Use abort() so we don't do unexpected things even if we use
-UNDEBUG.
<div dir="ltr"><div>assert() only prevents -Wreturn-type from firing if asserts are</div><div>enabled. Use abort() so we don't do unexpected things even if we use</div><div>-UNDEBUG.</div></div>
From b53ad041da Mon Sep 17 00:00:00 2001
From: Dan Albert <danalbert@google.com>
Date: Wed, 10 Jun 2015 17:01:23 -0700
Subject: [PATCH] Fix -Wreturn-type issues.
To: selinux@tycho.nsa.gov
Cc: nnk@google.com,
sds@tycho.nsa.gov
assert() only prevents -Wreturn-type from firing if asserts are
enabled. Use abort() so we don't do unexpected things even if we use
-UNDEBUG.
When Eamon created label_file.c, he drew code from the setfiles program,
which I originally wrote. At the time, setfiles had a comment
about being derived in part from the setfiles.pl script written by SCC, so
Eamon put a comment in label_file.c that tried to preserve that lineage.
However, there was no real code lineage there. The setfiles program
was inspired by the setfiles.pl perl script, but the implementation was
a complete rewrite. And while label_file.c drew some data structures and
code from the setfiles C program, it had nothing to do with the setfiles.pl
script at all. Just drop the comment; it serves no purpose.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Currently sscanf is used with %ms parameters that are not supported
on all platforms. The new read_spec_entries function may be used
to replace these where required. This patch updates
sefcontext_compile, label_file and label_android_property services
to use the new function.
The file and property services have been tested on Android emulator
and the file service on Fedora 21.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
to the base module
In fedora and refpolicy, the auditadm_r and secadm_r roles can be in
either the base module or a non-base module, or they could be in both.
This means that it is possible for duplicate role declarations to exist.
CIL does not allow duplicate declarations of anything, but there is no
way for the pp compiler to know if the roles are declared in which
module, or if they are in both when compiling a single module. This
means we cannot use the same hack that we use for user_r, staff_r, etc.,
to generate CIL role declarations (i.e. only create role declarations
for these when defined in base).
So only for these two roles, always declare them as part of base,
regardless of where or if they are defined. This means that turning off
the auditadm module will never remove the auditamd_r role (likewise for
secadm), whereas right now, in some cases it would. This also means that
role allow rules will still exist for these roles even with the modules
removed. However, this is okay because the roles would not have any
types associated with them so no access would be allowed.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reported-by: Miroslav Grepl <mgrepl@redhat.com>
in-scope types
When a roleattribute is in a declared scope, CIL roletype statements are
generated for all types associated with it. This incorrectly includes
types that are associated with the roleattribute in optional blocks,
which can result in CIL resolution failures if the optional block is
turned off due to a missing type. So, change the roletype CIL statement
generation with roleattributes to mimic the behavior of roles, ensuring
declared roleattributes are only associated with in-scope types.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reported-by: Miroslav Grepl <mgrepl@redhat.com>
Fixes https://github.com/SELinuxProject/cil/issues/2.
Sensitivities and categories generated from blocks use dots to indicate
namespacing. This could result in categories that contain ambiguous
ranges with categories declared in blocks.
Example:
(category c0)
(category c2)
(block c0
(category (c2))
(filecon ... (s0 (c2)))
)
The above policy results in the filecontext: ... s0:c0.c2. The categories c0.c2
could be interpreted as a range between c0 and c2 or it could be the namespaced
category c0.c2. Therefore, categories are no longer allowed inside blocks to
eliminate this ambiguity.
This patch also disallows sensitivites in blocks for consistency with category
behavior.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Currently sefcontext_compile defines the mode field as mode_t whose
size will vary depending on the architecture (e.g. 32 bit / 64 bit).
This patch sets the size when writing/reading binary files to
uint32_t. The file version is set to SELINUX_COMPILED_FCONTEXT_MODE
V2 fixes those listed in http://marc.info/?l=selinux&m=143273965514292&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
The reading of bin files has been changed to follow that of loading
policy to catch over-runs. Entries that should be NUL terminated are
also checked. If any error, then process the text file. This should
fix all problems highlighted in [1] with V2 fixing those in [2].
V3 corrects int32_t/uint32_t for *_len entries and V4 fixes [3]
and adds pcre_fullinfo checks to validate regex and study data
sizes. pcre_fullinfo also validates its magic number.
Tested with bin files built using sefcontext_compile PCRE_VERS 1 and 2.
The following is a rough guide to the difference in processing a bin
file against a text file:
6K entries - x5
4K entries - x4
1K entries - x3
500 entries - x2
[1] http://marc.info/?l=selinux&m=143101983922281&w=2
[2] http://marc.info/?l=selinux&m=143161763905159&w=2
[3] http://marc.info/?l=selinux&m=143204170705586&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
openssh in Fedora uses "sshd_net_t" type for privilege separated
processes in the preauthentication phase. Similarly, openssh portable uses
"sftp_t" for internal-sftp processes. Both type are hardcoded what is not ideal.
Therefore selinux_openssh_contexts_path() was created to get a path where sshd
can get a correct types prepared by a distribution or an administrator.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
As mcstransd is not installed/running by default, we should not impose
the overhead of trying to connect to it on each operation that takes or
returns a security context string. Test for the existence of the socket
file on first use, and if the socket file does not exist, then skip the
processing on all subsequent calls.
Previously we had a similar attempt at optimization by checking
whether MLS was enabled, but since the kernel MLS support is enabled
even for -mcs and mcstransd is no longer installed/running by default,
this is not a useful optimization. Just replace it with the new test.
Compare strace ls -Z /usr/bin |& grep .setrans-unix before and after
this patch to get a sense of the impact.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Ensure that the array of strings is NULL terminated to stop core
dumps. Also cleaned up code.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
libselinux provides a proper getpeercon() implementation that uses
getsockopt with SO_PEERSEC to reliably obtain the peer's security
context from the kernel. mcstransd for reasons unknown rolled its
own get_peer_con() function that uses getsockopt SO_PEERCRED
to obtain the peer PID and then calls getpidcon_raw(). That's
less efficient and less secure (subject to races; peer context
may have changed since connect). Don't do that.
The peer context doesn't appear to be used for anything currently,
although there is a comment suggesting adding a permission check to
see if the requester dominates the label to be translated to control
what labels can be translated by what peers. Could likely dispense
with it altogether.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
To avoid regressions such as the one reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1219045
add a test for /etc/selinux/config to is_selinux_enabled().
This ensures that systems that do not install selinux-policy
will continue to return 0 from is_selinux_enabled().
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
