Commit Graph

923 Commits

Author SHA1 Message Date
Juraj Marcin eca72d8e47 libsepol: fix missing double quotes in typetransition CIL rule
CIL Reference Guide defines typetransition rule with double quotes
around object name, but those are not present in the format string.

This patch fixes this issue, so the CIL output produced by
sepol_kernel_policydb_to_cil() is in the correct format.

Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
2022-09-01 09:26:56 -04:00
Christian Göttsche 1e3c557425 libsepol: refactor ebitmap conversion in link.c
Refactor the ebitmap conversions in link.c into its own function.

Do not log an OOM message twice on type_set_or_convert() failure.

Drop the now unused state parameter from type_set_or_convert() and
type_set_convert().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:48 -04:00
Christian Göttsche d2d24b9331 libsepol: more strict validation
Validate that

  - each constraint has at least one expression
  - classes reference a valid common class identifier
  - the role flavor is either ROLE or ATTRIB
  - types reference a valid primary identifier
  - types refer to a raw type, not an attribute, as bounds
  - extended permissions in avtabs have a valid specifier
  - type av rules refer to a raw type (e.g. type_transition)
  - conditionals have at least one expression
  - the state and flags of conditionals are valid
  - filename transitions have at least one datum
  - low ports are not bigger than high ones in port ocontexts
  - genfs declarations refer to a valid class identifier
  - genfs declarations contains a filesystem name
  - filename transitions refer to a raw type
  - permissive types are raw ones
  - the range transition hashmap is valid
  - the type-attribute-maps are valid

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:44 -04:00
Christian Göttsche 858f660831 libsepol: rename parameter name
Do not use `bool` as a parameter name, for future C version support.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:40 -04:00
Christian Göttsche 9e6f8ed70e libsepol: operate on const pointers during validation
The actual policy should not be modified during validation, thus use
const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:37 -04:00
Christian Göttsche d192e4d937 libsepol: support const avtab_t pointer in avtab_map()
The access vector table itself is not modified in avtab_map() thus
support passing a const pointer.

Logically the content might be changed by the passed callback, but C
does not support transitive const-ness well, and C also does not support
function overloading, e.g. like for strchr(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:34 -04:00
Christian Göttsche 938530171b libsepol: rename validate_policydb to policydb_validate
Most global functions operating on a policy database use policydb as
prefix.

Since this function is not exported there should not be any external
use.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:31 -04:00
Christian Göttsche fc7bb9f05a libsepol: skip superfluous memset calls in ebitmap operations
The three members of struct ebitmap_node are all unconditionally
initialized.  Hinder compilers to optimize malloc() and memset() into
calloc(), which might be slightly slower.  Especially affects
ebitmap_or().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:28 -04:00
Christian Göttsche f174045525 libsepol: optimize ebitmap_xor
Iterate on nodes instead of single bits to save node resolution for each
single bit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:25 -04:00
Christian Göttsche efcd008148 libsepol: optimize ebitmap_and
Iterate on nodes instead of single bits to save node resolution for each
single bit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:22 -04:00
Christian Göttsche 12a8a00bf2 libsepol: optimize ebitmap_not
Iterate on nodes instead of single bits to save node resolution for each
single bit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:19 -04:00
Christian Göttsche bc8f7b502b libsepol/cil: use ebitmap_init_range
Especially in the case of __cil_permissionx_expr_range_to_bitmap_helper()
it substitutes hundreds of thousand of calls to ebitmap_set_bit() during
semodule(8) on a policy widely using extended permissions.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:15 -04:00
Christian Göttsche 6f9e682c15 libsepol: add ebitmap_init_range
Add an initializer for ebitmaps that sets all bits in a given range to
save node traversals for each bit to set, compared to calling
ebitmap_init() followed by iterating ebitmap_set_bit().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:13 -04:00
Christian Göttsche 490cd409e3 libsepol/tests: add ebitmap tests
Preparation for several ebitmap related optimizations.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:10 -04:00
Christian Göttsche 65b3f695be libsepol: enclose macro parameters and replacement lists in parentheses
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:06 -04:00
Christian Göttsche 85e73a22ff libsepol: include necessary headers in headers
Include policydb header file required for typedef policydb_t.

This is for example helpful when working with an IDE, which needs to
resolve those symbols.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:03 -04:00
Christian Göttsche 12beafe7ce libsepol: break circular include
Since `struct type_set` is forward declared including
policydb/policydb.h is not necessary and creates a circular include.

Also drop the unnecessary forward declaration of `struct policydb`.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:00 -04:00
Christian Göttsche 2651989d3b libsepol: do not modify policy during write
Do not modify the in memory default_range value of a class datum while
writing a policy.

While on it fix indentation.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:27 -04:00
Christian Göttsche 36bf1be1ca libsepol/utils: improve wording
A request is denied with SEPOL_COMPUTEAV_RBAC if the source role is not
allowed to transition to the target role, granted via a

    allow source_role target_role;

statement.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:24 -04:00
Nicolas Iooss d2fecbb97b libsepol: initialize s in constraint_expr_eval_reason
clang's static analyzer reports that s[0] can be uninitialized when used
in:

    sprintf(tmp_buf, "%s %s\n",
                    xcontext ? "Validatetrans" : "Constraint",
                    s[0] ? "GRANTED" : "DENIED");

Silence this false-positive issue by making s always initialized.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:18 -04:00
Christian Göttsche f505a73b06 libsepol: avoid potential NULL dereference on optional parameter
The parameter `reason` of `context_struct_compute_av()` is optional and
can be passed in as NULL, like from `type_attribute_bounds_av()`.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:15 -04:00
Christian Göttsche 88a703399f libsepol: fix validation of user declarations in modules
Users are allowed to be declared in modules. Modules do not get expanded
leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel`
empty.
Do no validate the expanded range and level for modular polices.

Reported-by: bauen1 <j2468h@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:59:07 -04:00
Petr Lautrbach 3f23f07f01 libsepol: Drop unused assignment
Fixes:
cil/src/cil_build_ast.c:4622:4: warning[deadcode.DeadStores]: Value stored to 'rc' is never read

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:59:01 -04:00
Petr Lautrbach 0a8c177dac
Update VERSIONs to 3.4 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-18 16:51:03 +02:00
Ondrej Mosnacek 9e096e6ef0 libsepol,checkpolicy: add support for self keyword in type transitions
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the TE language level and adds the support to the module policydb
format. Note that changing the kernel policydb format is not necessary
at all, as type transitions are always expanded in the kernel policydb.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:37:17 -04:00
Ondrej Mosnacek 539b066036 libsepol/cil: add support for self keyword in type transitions
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the CIL level. It also adds basic coverage for the such 'self' rules
to the secilc test policy.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:37:05 -04:00
Petr Lautrbach 9df28c241a
Update VERSIONs to 3.4-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-04 19:20:37 +02:00
Petr Lautrbach 2a167d1156
Update VERSIONs to 3.4-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-04-20 21:48:57 +02:00
Christian Göttsche 8c1159363a libsepol/cil: comment out unused function __cil_verify_rule
The function __cil_verify_rule() is currently not used as all call sites
are commented out.  Keep the function for future references.

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-20 14:03:44 -04:00
Christian Göttsche 80137479d1 libsepol/tests: adjust IPv6 netmasks
checkpolicy(8) since 01b88ac3 ("checkpolicy: warn on bogus IP address or
netmask in nodecon statement") warns about host bits set in IPv6
addresses.
Adjust IPv6 netmasks in the libsepol tests so that the used address ::1
does not set any host bits and running the tests does not print several
of the following warnings:

    net_contexts:15:WARNING 'host bits in ipv6 address set' at token '' on line 594:

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-20 14:03:44 -04:00
James Carter c74df1cdff libsepol/tests: Declare file local functions as static
This is needed to use "-Wmissing-prototypes".

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-04-20 14:03:39 -04:00
James Carter 4a77a5bafc libsepol/tests: Include paired headers for prototypes
This is needed to use "-Wmissing-prototypes".

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-04-20 14:03:34 -04:00
James Carter 02f330c93a libsepol/tests Include policydb.h header for policydb_t declaration
Since test-linker-cond-map.h and test-linker-types.h references
policydb_t, include the policydb header file.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-04-20 14:03:28 -04:00
Christian Göttsche 9d57ab6c32 libsepol: drop unnecessary const discarding casts
`hashtab_search()` takes a const_hashtab_key_t, alias `const char*` as
second key parameter type.  Do not unnecessarily cast variables of type
`const char*` to hashtab_key_t, alias `char*`.

    policydb.c: In function ‘policydb_string_to_security_class’:
    policydb.c:4164:39: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
     4164 |                                       (hashtab_key_t) class_name);
          |                                       ^
    policydb.c: In function ‘policydb_string_to_av_perm’:
    policydb.c:4184:25: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
     4184 |                         (hashtab_key_t)perm_name);
          |                         ^
    policydb.c:4193:25: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
     4193 |                         (hashtab_key_t)perm_name);
          |                         ^

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:43 -04:00
Christian Göttsche 68a29c3aee libsepol: check correct pointer for oom
Check the actual pointer which memory was assigned to, not its parent
array pointer.

    services.c:810:14: warning: Assigned value is garbage or undefined [core.uninitialized.Assign]
                                            **r_buf = **new_buf;
                                                    ^ ~~~~~~~~~

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:41 -04:00
Christian Göttsche 6bc2980545 libsepol/cil: declare file local function pointer static
../cil/src/cil_log.c:45:8: warning: no previous extern declaration for non-static variable 'cil_log_handler' [-Wmissing-variable-declarations]
    void (*cil_log_handler)(int lvl, const char *msg) = &cil_default_log_handler;
           ^

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:38 -04:00
James Carter 20187dbfe9 libsepol: Replace calls to mallocarray() with calls to calloc()
Since calloc() will return an error if nmemb * size would overflow,
just use it instead of mallocarray(). This also allows code that
initializes the array to zero to be removed.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-04-12 13:09:22 -04:00
Christian Göttsche fed78faaa3 libsepol: add policy utilities
These are similar to the libselinux utilities but operate on a binary
policy instead of the running kernel.  This allows to run them on
SELinux disabled or even non Linux systems, e.g. for development or
continuous integration.

sepol_check_access:
  (similar to selinux_check_access)
  Check access:

    $ sepol_check_access policy.bin staff_u:staff_r:gpg_t:s0 sysadm_u:sysadm_r:gpg_t:s0 process fork
    requested permission fork denied by constraint; reason:
    constrain process { fork setexec setfscreate setcurrent execmem execstack execheap setkeycreate setsockcreate } ((r1 == r2 -Fail-) ); Constraint DENIED
    constrain process { signull getsched getsession getpgid getcap getattr getrlimit } ((r1 == r2 -Fail-)  or (r1 != { staff_r user_r logadm_r apache2adm_r } -Fail-)  and (t1 == rbacproc_read -Fail-)  or (t1 == rbacproc_full -Fail-)  or (t1 == systemd_user_instance_domain -Fail-)  and (u2 == system_u -Fail-)  and (r2 == system_r -Fail-)  and (t2 == systemd_t -Fail-) ); Constraint DENIED
    constrain process { sigchld sigkill sigstop signal ptrace setsched setpgid setcap share setrlimit } ((r1 == r2 -Fail-)  or (r1 != { staff_r user_r logadm_r apache2adm_r } -Fail-)  and (t1 == rbacproc_full -Fail-)  or (t1 == systemd_user_instance_domain -Fail-)  and (u2 == system_u -Fail-)  and (r2 == system_r -Fail-)  and (t2 == systemd_t -Fail-) ); Constraint DENIED

sepol_compute_av:
  (similar to compute_av)
  Compute access vectors:

    $ sepol_compute_av policy.bin staff_u:staff_r:gpg_t:s0 staff_u:staff_r:gpg_t:s0 process
    allowed:     fork sigchld signull signal getsched setsched setpgid getcap setcap setrlimit
    decided:     fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit
    auditallow:
    auditdeny:   fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit

sepol_compute_member:
  (similar to compute_member)
  Compute a SID to use when selecting a member of a polyinstantiated object:

    $ sepol_compute_member policy.bin staff_u:staff_r:staff_t:s0 system_u:object_r:tmp_t:s0 dir
    system_u:object_r:user_tmp_t:s0

sepol_compute_relabel:
  (similar to compute_relabel)
  Compute a SID to use for relabeling an object:

    $ sepol_compute_relabel policy.bin staff_u:staff_r:staff_t:s0 system_u:object_r:tty_device_t:s0 chr_file
    staff_u:object_r:user_tty_device_t:s0

sepol_validate_transition:
  (similar to validatetrans)
  Compute a validatetrans decision:

  $ sepol_validate_transition policy.bin system_u:object_r:user_tmp_t:s0 system_u:object_r:shadow_t:s0 file staff_u:staff_r:staff_t:s0
  allowed

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:19 -04:00
Christian Göttsche fbba23933c libsepol: export functions for policy analysis
Export functions needed for converting security identifiers from and to
strings and functions computing security server decisions.  These can
be used to debug or run tests on binary policies without running on a
SELinux enabled kernel.

TODO:
These functions have currently a non consistent return behavior: some
are returning -1 on failure and set errno most but not all of the time,
some return a negative errno like value.
Maybe this should be addressed before exporting them?

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:16 -04:00
Christian Göttsche 3ae07ec36f libsepol: introduce sepol_const_security_context_t typedef
The typedef `sepol_security_context_t` is used for contexts.  For the
read-only input parameter in `sepol_context_to_sid()`
`const sepol_security_context_t` is used as type, which does not expand
to the expected `const char*` but `char *const`.

Introduce a corresponding typedef for `const char*`.

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:13 -04:00
Christian Göttsche f0e085f684 libsepol: add sepol_av_perm_to_string
Add a wrapper around the utility function sepol_av_to_string() on the
service internal policy.  This allows callers to convert a permission
bit set into a string representation without access to the internal
policy structure.

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:11 -04:00
Petr Lautrbach 73562de8fc
Update VERSIONs to 3.4-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-04-06 19:53:39 +02:00
Christian Göttsche f5a764d94d libsepol/cil: post process pirqcon rules
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:47:16 +02:00
Christian Göttsche cf7f7aaff4 libsepol/cil: drop unused function cil_tree_error
It seems to be unused since its initial addition in 76ba6eaa
("Squashed 'libsepol/cil/' changes from 08520e9..28ad56e").

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:47:16 +02:00
Christian Göttsche 6bfd1be2c4 libsepol/cil: declare file local functions static
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:47:15 +02:00
Christian Göttsche c640af424d libsepol: mark immutable common helper parameter const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-06 10:46:11 +02:00
Christian Göttsche 6359946633 libsepol: mark immutable mls and context parameter const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:46:10 +02:00
Christian Göttsche 0233e4f6d5 libsepol: add missing oom checks
Check return values of memory allocation functions and propagate their
failure.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:45:21 +02:00
Christian Göttsche 5d3c4430ee libsepol/cil: silence GCC 12 array-bounds false positive
GCC 12 produces an array-bounds warning:

    In file included from ../include/sepol/policydb/context.h:23,
                     from ../include/sepol/policydb/policydb.h:62,
                     from ../cil/src/cil_binary.c:41:
    In function ‘mls_level_init’,
        inlined from ‘mls_level_destroy’ at ../include/sepol/policydb/mls_types.h:99:2,
        inlined from ‘mls_level_destroy’ at ../include/sepol/policydb/mls_types.h:92:20,
        inlined from ‘mls_range_destroy’ at ../include/sepol/policydb/mls_types.h:149:2,
        inlined from ‘cil_rangetransition_to_policydb’ at ../cil/src/cil_binary.c:3231:6:
    ../include/sepol/policydb/mls_types.h:89:9: error: ‘memset’ offset [0, 23] is out of the bounds [0, 0] [-Werror=array-bounds]
       89 |         memset(level, 0, sizeof(mls_level_t));
          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ../include/sepol/policydb/mls_types.h:89:9: error: ‘memset’ offset [0, 23] is out of the bounds [0, 0] [-Werror=array-bounds]
    cc1: all warnings being treated as errors

This is a false positive, by inspecting the code and compiling with -O3
and -flto.

Closes: https://github.com/SELinuxProject/selinux/issues/339

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:44:52 +02:00
James Carter c3f0124b18 libsepol: Validate conditional expressions
When validating a policydb, validate the conditional expressions
including the values of the booleans within them.

Found by oss-fuzz (#45523)

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-03-30 13:43:31 -04:00