In type_set_expand:
When nprim, the table index counter, is greater than the value of initizalized
entries in the type_val_to_struct[] array, detect this as invalid
and return an error.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
ebitmap_set_bit() can possible allocate nodes, however, the bail early
style of type_set_expand() could leave internal ebitmaps allocated
but not free'd.
Modify type_set_expand() so that it free's all allocated ebitmaps
before returning the error code to the calling routine.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
AFL Found this bug:
==6523== Invalid read of size 8
==6523== at 0x4166B4: type_set_expand (expand.c:2508)
==6523== by 0x43A0B8: policydb_role_cache (policydb.c:790)
==6523== by 0x41CD70: hashtab_map (hashtab.c:235)
==6523== by 0x43AC9E: policydb_index_others (policydb.c:1103)
==6523== by 0x441B14: policydb_read (policydb.c:3888)
==6523== by 0x442A1F: sepol_policydb_read (policydb_public.c:174)
==6523== by 0x407ED4: init (check_seapp.c:885)
==6523== by 0x408D97: main (check_seapp.c:1231)
This occurs when the type_val_to_struct[] mapping array
doesn't contain the type indicated in the ebitmap.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Correct errors like these reported by gcc:
module_to_cil.c: In function ‘block_to_cil’:
module_to_cil.c:229:20: error: ‘attr_list’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
struct list_node *curr = (*attr_list)->head;
Usages of attr_list_destroy() were called when list_init()
fails.
stack_init() and stack_destroy() also suffered from the
aforementioned issue.
To correct the issue, initialize stack and list variables to
NULL.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
If a policy module package has been created with a policy that contains
a permission and then is used on a system without that permission CIL
will fail with an error when it cannot resolve the permission.
This will prevent the installation on policy and the user will not
know that the policy has not been installed.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Commit 77779d2ca, which added support for userattributes in CIL,
accidentally removed code that ignored object_r when adding userrole
mappings to the policydb. This meant that running commands like
`semanage user -l` would incorrectly show object_r. This patch adds that
code back in. Note that CIL requires that these mappings exist to
properly validate file contexts, so pp2cil's behavior of creating these
mappings is not modified.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add missing <stdarg.h> include
This is needed to fix the build on uClibc, due to the usage of
va_list.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Bail before running off the end of the class index
Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
This patch is part of the Debian effort to make the build reproducible
Thank to Reiner Herrmann <reiner@reiner-h.de> for the patches
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
The following test incorrectly asserts a neverallowxperm failure.
attribute test1_attr1;
attribute test1_attr2;
type test1_type1, test1_attr1, test1_attr2;
allow test1_type1 test1_attr1:socket ioctl;
allowxperm test1_type1 test1_attr2:socket ioctl { 1 };
neverallowxperm test1_attr1 test1_attr1:socket ioctl { 0 }
To handle attributes correctly, the neverallowxperm checking has been
modified. Now when the ioctl permission is granted on an avtab entry
that matches an avrule neverallowxperm entry, the assertion checking
first determines the matching source/target/class sets between the
avtab entry and the neverallowxperm entry. Only the matching sets are
enumerated over to determine if the neverallowed extended permissions
exist and if they are granted. This is similar to how
report_assertion_avtab_matches() reports neverallow failures.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
When converting pp files to CIL or generating CIL using checkpolicy
or checkmodule use CIL's HLL line mark annotations to record the
original file and line numbers for neverallow rules so that CIL can
produce more informative error messages. (Unfortunately, the original
line number information is not saved in pp files, so there is no benefit
for policy modules.)
This is only done for neverallow rules currently.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Remove path field from cil_tree_node struct and all references
to it in CIL. This will reduce memory usage by 5%.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Replace all calls to cil_log() that print path information with a
call to cil_tree_log() which will also print information about any
high-level sources.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Provide more detailed log messages containing all relevant CIL and
high-level language source file information through cil_tree_log().
cil_tree_log() uses two new functions: cil_tree_get_next_path() and
cil_tree_get_cil_path().
cil_tree_get_next_path() traverses up the parse tree or AST until
it finds the next CIL or high-level language source information nodes.
It will return the path and whether or not the path is for a CIL file.
cil_tree_get_cil_path() uses cil_tree_get_next_path() to return
the CIL path.
Example cil_tree_log() message:
Problem at policy.cil:21 from foo.hll:11 from bar.hll:2
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Use some of the functionality recently added to support high-level
language line marking to track the CIL filename.
The goal is to eventually remove the path field from the tree node
struct and offset the addtion of the hll_line field.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Adds support for tracking original file and line numbers for
better error reporting when a high-level language is translated
into CIL.
This adds a field called "hll_line" to struct cil_tree_node which
increases memory usage by 5%.
Syntax:
;;* lm(s|x) LINENO FILENAME
(CIL STATEMENTS)
;;* lme
lms is used when each of the following CIL statements corresponds
to a line in the original file.
lmx is used when the following CIL statements are all expanded
from a single high-level language line.
lme ends a line mark block.
Example:
;;* lms 1 foo.hll
(CIL-1)
(CIL-2)
;;* lme
;;* lmx 10 bar.hll
(CIL-3)
(CIL-4)
;;* lms 100 baz.hll
(CIL-5)
(CIL-6)
;;* lme
(CIL-7)
;;* lme
CIL-1 is from line 1 of foo.hll
CIL-2 is from line 2 of foo.hll
CIL-3 is from line 10 of bar.hll
CIL-4 is from line 10 of bar.hll
CIL-5 is from line 100 of baz.hll
CIL-6 is from line 101 of baz.hll
CIL-7 is from line 10 of bar.hll
Based on work originally done by Yuli Khodorkovskiy of Tresys.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Change logic of bounds checking to match kernel's bound checking.
The following explanation is taken from Stephen Smalley's kernel
patch.
Under the new logic, if the source type and target types are both
bounded, then the parent of the source type must be allowed the same
permissions to the parent of the target type. If only the source
type is bounded, then the parent of the source type must be allowed
the same permissions to the target type.
Examples of the new logic and comparisons with the old logic:
1. If we have:
typebounds A B;
then:
allow B self:process <permissions>;
will satisfy the bounds constraint iff:
allow A self:process <permissions>;
is also allowed in policy.
Under the old logic, the allow rule on B satisfies the
bounds constraint if any of the following three are allowed:
allow A B:process <permissions>; or
allow B A:process <permissions>; or
allow A self:process <permissions>;
However, either of the first two ultimately require the third to satisfy
the bounds constraint under the old logic, and therefore this degenerates
to the same result (but is more efficient - we only need to perform
one compute_av call).
2. If we have:
typebounds A B;
typebounds A_exec B_exec;
then:
allow B B_exec:file <permissions>;
will satisfy the bounds constraint iff:
allow A A_exec:file <permissions>;
is also allowed in policy.
This is essentially the same as #1; it is merely included as
an example of dealing with object types related to a bounded domain
in a manner that satisfies the bounds relationship. Note that
this approach is preferable to leaving B_exec unbounded and having:
allow A B_exec:file <permissions>;
in policy because that would allow B's entrypoints to be used to
enter A. Similarly for _tmp or other related types.
3. If we have:
typebounds A B;
and an unbounded type T, then:
allow B T:file <permissions>;
will satisfy the bounds constraint iff:
allow A T:file <permissions>;
is allowed in policy.
The old logic would have been identical for this example.
4. If we have:
typebounds A B;
and an unbounded domain D, then:
allow D B:unix_stream_socket <permissions>;
is not subject to any bounds constraints under the new logic
because D is not bounded. This is desirable so that we can
allow a domain to e.g. connectto a child domain without having
to allow it to do the same to its parent.
The old logic would have required:
allow D A:unix_stream_socket <permissions>;
to also be allowed in policy.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
As per discussion in https://android-review.googlesource.com/#/c/221980,
we should be using #ifdef __APPLE__ rather than our own custom-defined
DARWIN for building on MacOS X.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The current bounds checking of both source and target types
requires allowing any domain that has access to the child domain
to also have the same permissions to the parent, which is undesirable.
Drop the target bounds expansion and checking.
Making this change fully functional requires a corresponding kernel
change; this change only allows one to build policies that would
otherwise violate the bounds checking on target type. The kernel
change is required to allow the permissions at runtime.
Based on patch by Stephen Smalley.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The attribute to type map is used to get all of the types that are
asociated with an attribute. To make neverallow and bounds checking
easier it was convienent to map a type to itself. However, CIL was
wrongly mapping an attribute to itself in addition to the types
associated with it. This caused type bounds checking to fail if the
parent was granted a permission through one attribute while the child
was granted the permission through another attribute.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Commit 3895fbbe0c ("selinux: Add support
for portcon dccp protocol") added support for the (portcon dccp ..)
statement. This fix will allow policy to be built on platforms
(see [1]) that do not have DCCP support by defining the IANA
assigned IP Protocol Number 33 to IPPROTO_DCCP.
[1] https://android-review.googlesource.com/#/c/219568/
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Commit 99fc177b "Add neverallow support for ioctl extended permissions"
first checks to see if the ioctl permission is granted, then checks to
see if the same source/target violates a neverallowed ioctl command.
Unfortunately this does not address the case where the ioctl permission
and extended permissions are granted on different attributes. Example,
the following will incorrectly cause a neverallow violation.
allow untrusted_app self:tcp_socket ioctl;
allowxperm domain domain:tcp_socket unpriv_sock_ioctls;
neverallowxperm untrusted_app domain:tcp_socket ~unpriv_sock_ioctls;
The fix is to enumerate over the source and target attributes when
looking for extended permission violations.
Note: The bug this addresses incorrectly asserts that a violation has
occurred. Actual neverallow violations are always caught.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Tested-by: William Roberts <william.c.roberts@intel.com>
For both neverallow and bounds checking keep neverallow and bounds
failures separate from program faults.
Have secilc exit with an error (and fail to build a binary policy)
when bounds checks fail.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
There are three improvements.
When calling cil_find_matching_avrule_in_ast(), one parameter specifies
whether to return a match of the exact same (not a duplicate) rule.
Since the target passed in is created and not actually in the tree
by making this parameter true an extra comparison can be avoided.
Currently, when printing a bounds violation trace, every match except
for the last one has only the parents of the rule printed. Only the
last rule has both its parents and the actual rule printed. Now the
parents and rule are printed for each match. This has the additional
benefit that if a match is not found (there should always be a match)
a seg fault will not occur.
To reduce the amount of error reporting, only print a trace of a
matching rule if it is different from the previous one.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
An attribute that has no types associated with it should still match
with itself, but ebitmap_match_any() will return false if there are
no bits set in either bitmap. The solution is to check to see if the
two datums passed into cil_type_match_any() are the same. This has
the additional advantage of providing a quick match anytime the
attributes are the same.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
