As per discussion in https://android-review.googlesource.com/#/c/221980,
we should be using #ifdef __APPLE__ rather than our own custom-defined
DARWIN for building on MacOS X.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Originally the fallback regex for the username was either ".*" or
"[^/]*". The second is more correct but still can match nothing.
changing the * to + means that it must match at least one character.
Signed-off-by: Jason Zaman <jason@perfinion.com>
The fallback user is used in all the write functions, making all the
functions take the struct directly allows us to have everything
consistent between normal and fallback users.
Signed-off-by: Jason Zaman <jason@perfinion.com>
All the write_*_contexts() methods use exactly the same code.
This splits it off into a common helper function.
Signed-off-by: Jason Zaman <jason@perfinion.com>
The current bounds checking of both source and target types
requires allowing any domain that has access to the child domain
to also have the same permissions to the parent, which is undesirable.
Drop the target bounds expansion and checking.
Making this change fully functional requires a corresponding kernel
change; this change only allows one to build policies that would
otherwise violate the bounds checking on target type. The kernel
change is required to allow the permissions at runtime.
Based on patch by Stephen Smalley.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The attribute to type map is used to get all of the types that are
asociated with an attribute. To make neverallow and bounds checking
easier it was convienent to map a type to itself. However, CIL was
wrongly mapping an attribute to itself in addition to the types
associated with it. This caused type bounds checking to fail if the
parent was granted a permission through one attribute while the child
was granted the permission through another attribute.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Commit 3895fbbe0c ("selinux: Add support
for portcon dccp protocol") added support for the (portcon dccp ..)
statement. This fix will allow policy to be built on platforms
(see [1]) that do not have DCCP support by defining the IANA
assigned IP Protocol Number 33 to IPPROTO_DCCP.
[1] https://android-review.googlesource.com/#/c/219568/
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Commit 99fc177b "Add neverallow support for ioctl extended permissions"
first checks to see if the ioctl permission is granted, then checks to
see if the same source/target violates a neverallowed ioctl command.
Unfortunately this does not address the case where the ioctl permission
and extended permissions are granted on different attributes. Example,
the following will incorrectly cause a neverallow violation.
allow untrusted_app self:tcp_socket ioctl;
allowxperm domain domain:tcp_socket unpriv_sock_ioctls;
neverallowxperm untrusted_app domain:tcp_socket ~unpriv_sock_ioctls;
The fix is to enumerate over the source and target attributes when
looking for extended permission violations.
Note: The bug this addresses incorrectly asserts that a violation has
occurred. Actual neverallow violations are always caught.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Tested-by: William Roberts <william.c.roberts@intel.com>
For both neverallow and bounds checking keep neverallow and bounds
failures separate from program faults.
Have secilc exit with an error (and fail to build a binary policy)
when bounds checks fail.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
There are three improvements.
When calling cil_find_matching_avrule_in_ast(), one parameter specifies
whether to return a match of the exact same (not a duplicate) rule.
Since the target passed in is created and not actually in the tree
by making this parameter true an extra comparison can be avoided.
Currently, when printing a bounds violation trace, every match except
for the last one has only the parents of the rule printed. Only the
last rule has both its parents and the actual rule printed. Now the
parents and rule are printed for each match. This has the additional
benefit that if a match is not found (there should always be a match)
a seg fault will not occur.
To reduce the amount of error reporting, only print a trace of a
matching rule if it is different from the previous one.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
An attribute that has no types associated with it should still match
with itself, but ebitmap_match_any() will return false if there are
no bits set in either bitmap. The solution is to check to see if the
two datums passed into cil_type_match_any() are the same. This has
the additional advantage of providing a quick match anytime the
attributes are the same.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The man page contains 'prce' instead of 'pcre'
Reported-by: Milos Malik <mmalik@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Since CIL treats files as modules and does not have a separate
module statement it can cause confusion when a Refpolicy module
has a name that is different than its base filename because older
SELinux userspaces will refer to the module by its module name while
a CIL-based userspace will refer to it by its filename.
Because of this, have checkmodule fail when compiling a module and
the output base filename is different than the module name.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Since CIL treats files as modules and does not have a separate
module statement it can cause confusion when a Refpolicy module
has a name that is not the same as its base filename because older
SELinux userspaces will refer to the module by its module name while
a CIL-based userspace will refer to it by its filename.
Because of this, provide a warning message when converting a policy
package to CIL and the output filename is different than the module
name.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Other build scripts define -D_GNU_SOURCE. The Android build
system should too.
Fixes the following warning:
external/selinux/libsepol/cil/src/cil_mem.c:109:7: warning: implicit
declaration of function 'vasprintf' is invalid in C99
[-Wimplicit-function-declaration]
This adds CIL and checkpolicy support for the (portcon dccp ...)
statement. The kernel already handles name_bind and name_connect
permissions for the dccp_socket class.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1319338
$ sepolgen-ifgen
/usr/share/selinux/devel/include/contrib/docker.if: Syntax error on line 503 docker_t [type=IDENTIFIER]
/usr/share/selinux/devel/include/roles/unconfineduser.if: Syntax error on line 706 unconfined_t [type=IDENTIFIER]
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
During resolution of classcommon statements (cil_resolve_classcommon),
we add the number of class common permissions to the values of the class
permissions. This way, the internal CIL values of the common permission
go from 0 to N, and the values of class permissions start at N+1 (where
N is the number of common permissions). When we reset a class due to
reresolve (cil_reset_class), we must then reverse this process by
subtracting the number of common permissions from the class permission
values.
However, there is a bug when resetting classes in which we subtract the
number of common permissions from the common permissions value rather
than the class permissions value. This means that class permissions
could be too high (since they are not reduced on reset) and common
permissions underflowed (since they are reduced, but should not be).
In most cases, this didn't actually matter since these permission values
aren't used when creating the binary. Additionally, we always access the
permissions via a hash table lookup or map, and then use whatever value
they have to set bits in bitmaps. As long as the bits in the bitmap
match the values, things work as expected. However, the one case where
these values do matter is if you use 'all' in a class permission set. In
this case, we enable bits 0 through number of permissions in a bitmap.
But because our permission values are all mixed up, these enabled bits
do not correspond to the permission values. This results in making it
look like no permissions were set in a class permission set, and the
rule is essentially ignored.
This patch fixes the bug so that the values of class permissions are
properly reset, allowing one to use 'all' in class permission sets in a
policy that reresolves.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Commit 9df4988846 ("libselinux: Mount procfs before checking
/proc/filesystems") changed selinuxfs_exists() to always try
mounting /proc before reading /proc/filesystems. However, this is
unnecessary if /proc is already mounted and can produce avc denials
if the process is not allowed to perform the mount. Check first
to see if /proc is already present and only try the mount if it is not.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
getpidcon documentation does not specify that a pid of 0 refers to the
current process, and getcon exists specifically to provide this
functionality, and getpidcon(getpid()) would provide it as well.
Disallow pid values <= 0 that may lead to unintended behavior in
userspace object managers.
Signed-off-by: Daniel Cashman <dcashman@android.com>
