Re: [PATCH 08/10 v3] libsepol/cil: Add CIL bounds checking and reporting.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Lawrence <slawrence@tresys.com>
To: James Carter <jwcart2@tycho.nsa.gov>, <selinux@tycho.nsa.gov>
Subject: Re: [PATCH 08/10 v3] libsepol/cil: Add CIL bounds checking and reporting.
Date: Mon, 22 Jun 2015 08:14:45 -0400	[thread overview]
Message-ID: <5587FC35.4040300@tresys.com> (raw)
In-Reply-To: <1434737956-17932-9-git-send-email-jwcart2@tycho.nsa.gov>

On 06/19/2015 02:19 PM, James Carter wrote:
> Use the libsepol bounds checking to check for and report user and
> role bounds violations.
> 
> For type bounds checking, use libsepol bounds checking to determine
> if there is a violation for a given type. For each violation display
> an error message that includes the CIL AST from the root node to the
> node of the rule causing the violation.
> 
> Example error report:
> Child type b_t3_c exceeds bounds of parent b_t3
>   (allow b_t3_c b_tc (file (write)))
>     <root>
>     booleanif at line 148633 of cil.conf.bounds
>     true at line 148634 of cil.conf.bounds
>     allow at line 148636 of cil.conf.bounds
>       (allow b_t3_c b_tc (file (read write)))
> 
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>

Acked-by: Steve Lawrence <slawrence@tresys.com>

> ---
>  libsepol/cil/src/cil_binary.c | 135 ++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 135 insertions(+)
> 
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index 066184a..6d095db 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -3903,6 +3903,130 @@ exit:
>  	return rc;
>  }
>  
> +static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
> +{
> +	struct cil_classperms *cp;
> +	struct cil_list *cp_list;
> +	class_datum_t *sepol_class = pdb->class_val_to_struct[class - 1];
> +	unsigned i;
> +
> +	cil_classperms_init(&cp);
> +
> +	cp->class = class_value_to_cil[class];
> +	if (!cp->class) goto exit;
> +
> +	cil_list_init(&cp->perms, CIL_PERM);
> +	for (i = 0; i < sepol_class->permissions.nprim; i++) {
> +		struct cil_perm *perm;
> +		if ((data & (1 << i)) == 0) continue;
> +		perm = perm_value_to_cil[class][i+1];
> +		if (!perm) goto exit;
> +		cil_list_append(cp->perms, CIL_PERM, perm);
> +	}
> +
> +	cil_list_init(&cp_list, CIL_CLASSPERMS);
> +	cil_list_append(cp_list, CIL_CLASSPERMS, cp);
> +
> +	return cp_list;
> +
> +exit:
> +	cil_log(CIL_ERR,"Failed to create CIL class-permissions from sepol values\n");
> +	return NULL;
> +}
> +
> +static int cil_avrule_from_sepol(policydb_t *pdb, avtab_ptr_t sepol_rule, struct cil_avrule *cil_rule, void *type_value_to_cil[], struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
> +{
> +	int rc = SEPOL_ERR;
> +	avtab_key_t *k = &sepol_rule->key;
> +	avtab_datum_t *d = &sepol_rule->datum;
> +	cil_rule->src = type_value_to_cil[k->source_type];
> +	if (!cil_rule->src) goto exit;
> +
> +	cil_rule->tgt = type_value_to_cil[k->target_type];
> +	if (!cil_rule->tgt) goto exit;
> +
> +	cil_rule->classperms = cil_classperms_from_sepol(pdb, k->target_class, d->data, class_value_to_cil, perm_value_to_cil);
> +	if (!cil_rule->classperms) goto exit;
> +
> +	return SEPOL_OK;
> +
> +exit:
> +	cil_log(CIL_ERR,"Failed to create CIL AV rule from sepol values\n");
> +	return rc;
> +}
> +
> +static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void *type_value_to_cil, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
> +{
> +	int rc = SEPOL_OK;
> +	int i;
> +
> +	for (i = 0; i < db->num_types; i++) {
> +		type_datum_t *child;
> +		type_datum_t *parent;
> +		avtab_ptr_t bad = NULL;
> +		int numbad = 0;
> +		struct cil_type *t = db->val_to_type[i];
> +
> +		if (!t->bounds) continue;
> +
> +		rc = __cil_get_sepol_type_datum(pdb, DATUM(t), &child);
> +		if (rc != SEPOL_OK) goto exit;
> +
> +		rc = __cil_get_sepol_type_datum(pdb, DATUM(t->bounds), &parent);
> +		if (rc != SEPOL_OK) goto exit;
> +
> +		rc = bounds_check_type(NULL, pdb, child->s.value, parent->s.value, &bad, &numbad);
> +		if (rc != SEPOL_OK) goto exit;
> +
> +		if (bad) {
> +			avtab_ptr_t cur;
> +			struct cil_avrule target;
> +
> +			target.rule_kind = CIL_AVRULE_ALLOWED;
> +			target.src_str = NULL;
> +			target.tgt_str = NULL;
> +
> +			cil_log(CIL_ERR, "Child type %s exceeds bounds of parent %s\n",
> +				t->datum.fqn, t->bounds->datum.fqn);
> +			for (cur = bad; cur; cur = cur->next) {
> +				struct cil_list_item *i2;
> +				struct cil_list *matching;
> +				struct cil_tree_node *n;
> +
> +				rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
> +				if (rc != SEPOL_OK) {
> +					cil_log(CIL_ERR, "Failed to convert sepol avrule to CIL\n");
> +					goto exit;
> +				}
> +				__cil_print_rule("  ", "allow", &target);
> +				cil_list_init(&matching, CIL_NODE);
> +				rc = cil_find_matching_avrule_in_ast(db->ast->root, CIL_AVRULE, &target, matching, CIL_FALSE);
> +				if (rc) {
> +					cil_log(CIL_ERR, "Error occurred while checking type bounds\n");
> +					cil_list_destroy(&matching, CIL_FALSE);
> +					cil_list_destroy(&target.classperms, CIL_TRUE);
> +					bounds_destroy_bad(bad);
> +					goto exit;
> +				}
> +
> +				cil_list_for_each(i2, matching) {
> +					__cil_print_parents("    ", (struct cil_tree_node *)i2->data);
> +				}
> +				i2 = matching->tail;
> +				n = i2->data;
> +				__cil_print_rule("      ", "allow", n->data);
> +				cil_log(CIL_ERR,"\n");
> +				cil_list_destroy(&matching, CIL_FALSE);
> +				cil_list_destroy(&target.classperms, CIL_TRUE);
> +			}
> +			bounds_destroy_bad(bad);
> +		}
> +	}
> +
> +exit:
> +	return rc;
> +}
> +
>  // assumes policydb is already allocated and initialized properly with things
>  // like policy type set to kernel and version set appropriately
>  int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *policydb)
> @@ -4022,6 +4146,17 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
>  		cil_log(CIL_INFO, "Checking Neverallows\n");
>  		rc = cil_check_neverallows(db, pdb, neverallows);
>  		if (rc != SEPOL_OK) goto exit;
> +
> +		cil_log(CIL_INFO, "Checking User Bounds\n");
> +		bounds_check_users(NULL, pdb);
> +
> +		cil_log(CIL_INFO, "Checking Role Bounds\n");
> +		bounds_check_roles(NULL, pdb);
> +
> +		cil_log(CIL_INFO, "Checking Type Bounds\n");
> +		rc = cil_check_type_bounds(db, pdb, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
> +		if (rc != SEPOL_OK) goto exit;
> +
>  	}
>  
>  	rc = SEPOL_OK;
>

next prev parent reply	other threads:[~2015-06-22 12:14 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-06-19 18:19 [PATCH 00/10 v3] Improve libsepol and CIL neverallow and bounds checking James Carter
2015-06-19 18:19 ` [PATCH 01/10 v3] libsepol: Add new ebitmap function named ebitmap_match_any() James Carter
2015-06-19 19:05   ` Stephen Smalley
2015-06-19 18:19 ` [PATCH 02/10 v3] libsepol: Treat types like an attribute in the attr_type_map James Carter
2015-06-19 19:06   ` Stephen Smalley
2015-06-19 18:19 ` [PATCH 03/10 v3] libsepol: Refactored neverallow checking James Carter
2015-06-19 19:15   ` Stephen Smalley
2015-06-19 18:19 ` [PATCH 04/10 v3] libsepol: Refactored bounds (hierarchy) checking code James Carter
2015-06-19 19:34   ` Stephen Smalley
2015-06-19 18:19 ` [PATCH 05/10 v3] libsepol/cil: Add function to search the CIL AST for an AV rule James Carter
2015-06-22 12:14   ` Steve Lawrence
2015-06-19 18:19 ` [PATCH 06/10 v3] libsepol/cil: Refactored CIL neverallow checking and reporting James Carter
2015-06-22 12:14   ` Steve Lawrence
2015-06-19 18:19 ` [PATCH 07/10 v3] libsepol/cil: Track number of classes and number of types and attributes James Carter
2015-06-22 12:14   ` Steve Lawrence
2015-06-19 18:19 ` [PATCH 08/10 v3] libsepol/cil: Add CIL bounds checking and reporting James Carter
2015-06-22 12:14   ` Steve Lawrence [this message]
2015-06-19 18:19 ` [PATCH 09/10 v3] secilc: Add a CIL policy file to test neverallow checking James Carter
2015-06-22 12:14   ` Steve Lawrence
2015-06-19 18:19 ` [PATCH 10/10 v3] secilc: Add a CIL policy file to test bounds checking James Carter
2015-06-22 12:15   ` Steve Lawrence
2015-06-22 14:11 ` [PATCH 00/10 v3] Improve libsepol and CIL neverallow and " James Carter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5587FC35.4040300@tresys.com \
    --to=slawrence@tresys.com \
    --cc=jwcart2@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.