libsepol/cil: Add notself and minusself support to CIL
Like "self", both of these reserved words can be used as a target
in an access vector rule. "notself" means all types other than
the source type. "minusself" is meant to be used with an attribute
and its use results in the rule being expanded with each type of
the attribute being used as the source type with each of the other
types being used as the target type. Using "minusself" with just
a type will result in no rule.

Example 1
  (allow TYPE1 notself (CLASS (PERM)))

This rule is expanded to a number of rules with TYPE1 as the source
and every type except for TYPE1 as the target.

Example 2
  (allow ATTR1 notself (CLASS (PERM)))

Like Example 1, this rule will be expanded to each type in ATTR1
being the source with every type except for the type used as the
source being the target.

Example 3
  (allow TYPE1 minusself (CLASS (PERM)))

This expands to no rule.

Example 4
  (allow ATTR1 minusself (CLASS (PERM)))

Like Example 2, but the target types will be limited to the types
in the attribute ATTR1 instead of all types. So if ATTR1 has the
type t1, t2, and t3, then this rule expands to the following rules.
  (allow t1 t2 (CLASS (PERM)))
  (allow t1 t3 (CLASS (PERM)))
  (allow t2 t1 (CLASS (PERM)))
  (allow t2 t3 (CLASS (PERM)))
  (allow t3 t1 (CLASS (PERM)))
  (allow t3 t2 (CLASS (PERM)))

Signed-off-by: James Carter <jwcart2@gmail.com>
jwcart2 authored and cgzones committed Jul 6, 2023
1 parent cb6c46b commit c8b81d7
Showing 7 changed files with 300 additions and 30 deletions.
12 changes: 12 additions & 0 deletions libsepol/cil/src/cil.c
Expand Up @@ -84,6 +84,8 @@ char *CIL_KEY_CONS_INCOMP;
char *CIL_KEY_CONDTRUE;
char *CIL_KEY_CONDFALSE;
char *CIL_KEY_SELF;
char *CIL_KEY_NOTSELF;
char *CIL_KEY_MINUSSELF;
char *CIL_KEY_OBJECT_R;
char *CIL_KEY_STAR;
char *CIL_KEY_TCP;
Expand Down Expand Up @@ -253,6 +255,8 @@ static void cil_init_keys(void)
CIL_KEY_CONDTRUE = cil_strpool_add("true");
CIL_KEY_CONDFALSE = cil_strpool_add("false");
CIL_KEY_SELF = cil_strpool_add("self");
CIL_KEY_NOTSELF = cil_strpool_add("notself");
CIL_KEY_MINUSSELF = cil_strpool_add("minusself");
CIL_KEY_OBJECT_R = cil_strpool_add("object_r");
CIL_KEY_STAR = cil_strpool_add("*");
CIL_KEY_UDP = cil_strpool_add("udp");
Expand Down Expand Up @@ -430,6 +434,12 @@ void cil_db_init(struct cil_db **db)
cil_type_init(&(*db)->selftype);
(*db)->selftype->datum.name = CIL_KEY_SELF;
(*db)->selftype->datum.fqn = CIL_KEY_SELF;
cil_type_init(&(*db)->notselftype);
(*db)->notselftype->datum.name = CIL_KEY_NOTSELF;
(*db)->notselftype->datum.fqn = CIL_KEY_NOTSELF;
cil_type_init(&(*db)->minusselftype);
(*db)->minusselftype->datum.name = CIL_KEY_MINUSSELF;
(*db)->minusselftype->datum.fqn = CIL_KEY_MINUSSELF;
(*db)->num_types_and_attrs = 0;
(*db)->num_classes = 0;
(*db)->num_types = 0;
Expand Down Expand Up @@ -483,6 +493,8 @@ void cil_db_destroy(struct cil_db **db)
cil_list_destroy(&(*db)->names, CIL_TRUE);

cil_destroy_type((*db)->selftype);
cil_destroy_type((*db)->notselftype);
cil_destroy_type((*db)->minusselftype);

cil_strpool_destroy();
free((*db)->val_to_type);
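Review bot: The new `notselftype` and `minusselftype` sentinels in `cil_db_init` receive only `datum.name` and `datum.fqn`, and nothing in the hunk records that they are recognised elsewhere by pointer-comparing `datum.fqn` against the interned key (as `cil_binary.c` does with `tgt->fqn == CIL_KEY_NOTSELF`), which depends on `cil_strpool_add` handing back one pointer per distinct string. A comment above the three `cil_type_init` calls, `/* sentinel datums for the reserved targets self/notself/minusself; consumers identify them by comparing datum.fqn against the interned CIL_KEY_* pointer */`, would make that contract visible next to the definitions. The `struct cil_db` change that declares the two fields is in a file not loaded on this page, and `cil_db_init` and `cil_db_destroy` both continue outside their hunks.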
91 changes: 90 additions & 1 deletion libsepol/cil/src/cil_binary.c
Expand Up @@ -1519,6 +1519,46 @@ static int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struc
}
}
ebitmap_destroy(&src_bitmap);
} else if (tgt->fqn == CIL_KEY_NOTSELF) {
rc = __cil_expand_type(src, &src_bitmap);
if (rc != SEPOL_OK) {
goto exit;
}

ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
src = DATUM(db->val_to_type[s]);
for (t = 0; t < (unsigned int)db->num_types; t++) {
if (s != t) {
tgt = DATUM(db->val_to_type[t]);
rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
if (rc != SEPOL_OK) {
ebitmap_destroy(&src_bitmap);
goto exit;
}
}
}
}
ebitmap_destroy(&src_bitmap);
} else if (tgt->fqn == CIL_KEY_MINUSSELF) {
rc = __cil_expand_type(src, &src_bitmap);
if (rc != SEPOL_OK) {
goto exit;
}

ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
src = DATUM(db->val_to_type[s]);
ebitmap_for_each_positive_bit(&src_bitmap, tnode, t) {
if (s != t) {
tgt = DATUM(db->val_to_type[t]);
rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
if (rc != SEPOL_OK) {
ebitmap_destroy(&src_bitmap);
goto exit;
}
}
}
}
ebitmap_destroy(&src_bitmap);
} else {
int expand_src = __cil_should_expand_attribute(db, src);
int expand_tgt = __cil_should_expand_attribute(db, tgt);
Expand Down Expand Up @@ -1875,10 +1915,51 @@ static int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, st
src = DATUM(db->val_to_type[s]);
rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, src, cil_avrulex->perms.x.permx, args);
if (rc != SEPOL_OK) {
ebitmap_destroy(&src_bitmap);
goto exit;
}
}
ebitmap_destroy(&src_bitmap);
} else if (tgt->fqn == CIL_KEY_NOTSELF) {
rc = __cil_expand_type(src, &src_bitmap);
if (rc != SEPOL_OK) {
goto exit;
}

ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
src = DATUM(db->val_to_type[s]);
for (t = 0; t < (unsigned int)db->num_types; t++) {
if (s != t) {
tgt = DATUM(db->val_to_type[t]);
rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
if (rc != SEPOL_OK) {
ebitmap_destroy(&src_bitmap);
goto exit;
}
}
}
}
ebitmap_destroy(&src_bitmap);
} else if (tgt->fqn == CIL_KEY_MINUSSELF) {
rc = __cil_expand_type(src, &src_bitmap);
if (rc != SEPOL_OK) {
goto exit;
}

ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
src = DATUM(db->val_to_type[s]);
ebitmap_for_each_positive_bit(&src_bitmap, tnode, t) {
if (s != t) {
tgt = DATUM(db->val_to_type[t]);
rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
if (rc != SEPOL_OK) {
ebitmap_destroy(&src_bitmap);
goto exit;
}
}
}
}
ebitmap_destroy(&src_bitmap);
} else {
int expand_src = __cil_should_expand_attribute(db, src);
int expand_tgt = __cil_should_expand_attribute(db, tgt);
Expand Down Expand Up @@ -4813,8 +4894,16 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct

if (tgt->fqn == CIL_KEY_SELF) {
rule->flags = RULE_SELF;
} else if (tgt->fqn == CIL_KEY_NOTSELF) {
rule->flags = RULE_NOTSELF;
} else if (tgt->fqn == CIL_KEY_MINUSSELF) {
rule->flags = RULE_NOTSELF;
rc = __cil_add_sepol_type(pdb, db, cil_rule->src, &rule->ttypes.types);
if (rc != SEPOL_OK) {
goto exit;
}
} else {
rc = __cil_add_sepol_type(pdb, db, cil_rule->tgt, &rule->ttypes.types);
rc = __cil_add_sepol_type(pdb, db, tgt, &rule->ttypes.types);
if (rc != SEPOL_OK) {
goto exit;
}
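Review bot: The notself branch added to `__cil_avrule_to_avtab` (and repeated with only the helper call changed in `cil_avrulex_to_hashtable`) expands an attribute source into |src| × (num_types − 1) explicit entries, and nothing says why the attribute cannot stay unexpanded the way the `else` branch's `__cil_should_expand_attribute` path permits; a comment above the two new branches such as `/* notself/minusself cannot be encoded in an avtab entry: emit an explicit (src, tgt) pair for every tgt != src */` would document that, and it is worth adding that minusself on a plain type produces no entry because a single-bit `src_bitmap` never satisfies `s != t`. On the `__cil_expand_type` failure path both new branches `goto exit` without `ebitmap_destroy(&src_bitmap)`; this mirrors the existing self branch, so it only needs confirming if `__cil_expand_type` can leave `src_bitmap` initialised on failure. In `cil_check_neverallow`, the minusself branch passes `cil_rule->src` while the else branch in the same hunk was changed from `cil_rule->tgt` to the local `tgt`; if a resolved `src` local exists (the function's start is outside the hunk), passing it would keep the two branches consistent. All three functions start and end outside their hunks.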
10 changes: 7 additions & 3 deletions libsepol/cil/src/cil_build_ast.c
Expand Up @@ -3126,9 +3126,13 @@ int cil_gen_aliasactual(struct cil_db *db, struct cil_tree_node *parse_current,
goto exit;
}

if ((flavor == CIL_TYPEALIAS && parse_current->next->data == CIL_KEY_SELF) || parse_current->next->next->data == CIL_KEY_SELF) {
cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF);
rc = SEPOL_ERR;
rc = cil_verify_name(db, parse_current->next->data, flavor);
if (rc != SEPOL_OK) {
goto exit;
}

rc = cil_verify_name(db, parse_current->next->next->data, flavor);
if (rc != SEPOL_OK) {
goto exit;
}

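Review bot: The second `cil_verify_name` call validates the actual's name (`parse_current->next->next->data`) under the alias `flavor`, whereas the removed check applied the `self` test to the alias name only when `flavor == CIL_TYPEALIAS` but to the actual for every flavor this function serves; whether the new code still rejects `self` (and now notself/minusself) as the actual of a non-type alias depends on how `cil_verify_name` keys its reserved-name check on `flavor`, and that function is in a file not loaded on this page. If it keys on the type flavors only, this is a silent behaviour change for the other alias flavors and the call should pass the actual's flavor, or a test should pin the old rejection. A one-line comment above the two calls, `/* neither the alias nor the actual may be a reserved name (self, notself, minusself) */`, would document the intent. `cil_gen_aliasactual` starts and ends outside the hunk.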

0 comments on commit c8b81d7
