checkpolicy: add not-self neverallow support
Add support for using negated or complemented self in the target type of
neverallow rules.

Some Refpolicy examples:

    neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *;
    neverallow domain { domain -self -dockerc_t }:dir create;
    # no violations

    neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write };

    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

    neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write };

    libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

Using negated self in a complement, `~{ domain -self }`, is not
supported.

Signed-off-by: Christian Göttsche <[email protected]>
cgzones authored and jwcart2 committed Mar 30, 2023
1 parent ec78788 commit 6f7b0ee
Showing 2 changed files with 45 additions and 7 deletions.
46 changes: 40 additions & 6 deletions checkpolicy/policy_define.c
Expand Up @@ -2075,12 +2075,17 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
if (add == 0) {
yyerror("-self is not supported");
if (add == 0 && which != AVRULE_XPERMS_NEVERALLOW) {
yyerror("-self is only supported in neverallow and neverallowxperm rules");
ret = -1;
goto out;
}
avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF);
if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) {
yyerror("self and -self are mutual exclusive");
ret = -1;
goto out;
}
avrule->flags |= RULE_SELF;
continue;
}
if (set_types
Expand All @@ -2091,6 +2096,18 @@ static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
}
}

if ((avrule->ttypes.flags & TYPE_COMP)) {
if (avrule->flags & RULE_NOTSELF) {
yyerror("-self is not supported in complements");
ret = -1;
goto out;
}
if (avrule->flags & RULE_SELF) {
avrule->flags &= ~RULE_SELF;
avrule->flags |= RULE_NOTSELF;
}
}

ebitmap_init(&tclasses);
ret = read_classes(&tclasses);
if (ret)
Expand Down Expand Up @@ -2537,12 +2554,17 @@ static int define_te_avtab_helper(int which, avrule_t ** rule)
while ((id = queue_remove(id_queue))) {
if (strcmp(id, "self") == 0) {
free(id);
if (add == 0) {
yyerror("-self is not supported");
if (add == 0 && which != AVRULE_NEVERALLOW) {
yyerror("-self is only supported in neverallow and neverallowxperm rules");
ret = -1;
goto out;
}
avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF);
if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) {
yyerror("self and -self are mutual exclusive");
ret = -1;
goto out;
}
avrule->flags |= RULE_SELF;
continue;
}
if (set_types
Expand All @@ -2553,6 +2575,18 @@ static int define_te_avtab_helper(int which, avrule_t ** rule)
}
}

if ((avrule->ttypes.flags & TYPE_COMP)) {
if (avrule->flags & RULE_NOTSELF) {
yyerror("-self is not supported in complements");
ret = -1;
goto out;
}
if (avrule->flags & RULE_SELF) {
avrule->flags &= ~RULE_SELF;
avrule->flags |= RULE_NOTSELF;
}
}

ebitmap_init(&tclasses);
ret = read_classes(&tclasses);
if (ret)
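Review bot: The self/-self bookkeeping added here is duplicated verbatim between define_te_avtab_xperms_helper and define_te_avtab_helper (this section's four hunks), differing only in the AVRULE_XPERMS_NEVERALLOW versus AVRULE_NEVERALLOW constant, so the two copies can drift; a small static helper that both loops call would keep the check and its messages in one place. The TYPE_COMP block that turns a set containing self into a not-self rule, `avrule->flags &= ~RULE_SELF; avrule->flags |= RULE_NOTSELF;`, has no comment on why the flag is inverted; presumably a complemented target set that names self excludes the subject itself, so add `/* ~{ ... self } excludes the subject; carry it as RULE_NOTSELF on the complemented set */` once that reading is confirmed. The message `"self and -self are mutual exclusive"` should read `"self and -self are mutually exclusive"`. Both enclosing functions start and end outside the hunks.
```c
/* Record self / -self on a TE rule; is_neverallow says whether -self is
 * permitted for this rule kind. Returns -1 after reporting an error. */
static int define_te_self(avrule_t *avrule, int add, int is_neverallow)
{
	if (add == 0 && !is_neverallow) {
		yyerror("-self is only supported in neverallow and neverallowxperm rules");
		return -1;
	}
	avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF);
	if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) {
		yyerror("self and -self are mutually exclusive");
		return -1;
	}
	return 0;
}

/* … unchanged: define_te_avtab_xperms_helper up to the target-type loop … */
		if (strcmp(id, "self") == 0) {
			free(id);
			if (define_te_self(avrule, add, which == AVRULE_XPERMS_NEVERALLOW) < 0) {
				ret = -1;
				goto out;
			}
			continue;
		}
/* … unchanged: remaining set_types handling and TYPE_COMP block … */
```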
6 changes: 5 additions & 1 deletion checkpolicy/test/dismod.c
Expand Up @@ -124,7 +124,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
}

num_types = 0;
if (flags & RULE_SELF) {
if (flags & (RULE_SELF | RULE_NOTSELF)) {
num_types++;
}

Expand Down Expand Up @@ -169,6 +169,10 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
fprintf(fp, " self");
}

if (flags & RULE_NOTSELF) {
fprintf(fp, " -self");
}

if (num_types > 1)
fprintf(fp, " }");

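Review bot: The counter in the first hunk treats self and -self as a single entry, `if (flags & (RULE_SELF | RULE_NOTSELF)) num_types++;`, while the second hunk prints both names when both bits are set, so a rule carrying both flags would emit two entries without the surrounding braces. checkpolicy's parser now rejects that combination, so this only matters for a module produced by another tool, if at all, but the assumption is worth recording on the increment: `/* self and -self are mutually exclusive, so at most one of them is printed */`. display_type_set starts before the first hunk and ends after the last one.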
