[PATCH] libsepol: Only apply bounds checking to source types in rules

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] libsepol: Only apply bounds checking to source types in rules
@ 2016-04-29 19:53 James Carter
  2016-04-29 20:06 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: James Carter @ 2016-04-29 19:53 UTC (permalink / raw)
  To: selinux

The current bounds checking of both source and target types
requires allowing any domain that has access to the child domain
to also have the same permissions to the parent, which is undesirable.
Drop the target bounds expansion and checking.

Making this change fully functional requires a corresponding kernel
change; this change only allows one to build policies that would
otherwise violate the bounds checking on target type.  The kernel
change is required to allow the permissions at runtime.

Based on patch by Stephen Smalley.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/src/hierarchy.c | 37 -------------------------------------
 1 file changed, 37 deletions(-)

diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c
index 6f73195..b24b39e 100644
--- a/libsepol/src/hierarchy.c
+++ b/libsepol/src/hierarchy.c
@@ -121,18 +121,6 @@ static int bounds_expand_rule(sepol_handle_t *handle, policydb_t *p,
 		}
 	}
 
-	if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], parent - 1)) {
-		avtab_key.target_type = parent;
-		ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
-			if (!ebitmap_node_get_bit(tnode, i))
-				continue;
-			avtab_key.source_type = i + 1;
-			rc = bounds_insert_rule(handle, avtab, global, other,
-						&avtab_key, &datum);
-			if (rc) goto exit;
-		}
-	}
-
 exit:
 	return rc;
 }
@@ -329,31 +317,6 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p,
 			if (rc) goto exit;
 		}
 	}
-	if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], child - 1)) {
-		avtab_key.target_type = parent;
-		ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
-			if (!ebitmap_node_get_bit(tnode, i))
-				continue;
-			avtab_key.source_type = i + 1;
-			if (avtab_key.source_type == child) {
-				/* Checked above */
-				continue;
-			}
-			d = bounds_not_covered(global_avtab, cur_avtab,
-					       &avtab_key, data);
-			if (!d) continue;
-			td = p->type_val_to_struct[i];
-			if (td && td->bounds) {
-				avtab_key.source_type = td->bounds;
-				d = bounds_not_covered(global_avtab, cur_avtab,
-						       &avtab_key, data);
-				if (!d) continue;
-			}
-			(*numbad)++;
-			rc = bounds_add_bad(handle, i+1, child, class, d, bad);
-			if (rc) goto exit;
-		}
-	}
 
 exit:
 	return rc;
-- 
2.5.5

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] libsepol: Only apply bounds checking to source types in rules
  2016-04-29 19:53 [PATCH] libsepol: Only apply bounds checking to source types in rules James Carter
@ 2016-04-29 20:06 ` Stephen Smalley
  2016-04-29 20:08   ` James Carter
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2016-04-29 20:06 UTC (permalink / raw)
  To: James Carter, selinux

On 04/29/2016 03:53 PM, James Carter wrote:
> The current bounds checking of both source and target types
> requires allowing any domain that has access to the child domain
> to also have the same permissions to the parent, which is undesirable.
> Drop the target bounds expansion and checking.
> 
> Making this change fully functional requires a corresponding kernel
> change; this change only allows one to build policies that would
> otherwise violate the bounds checking on target type.  The kernel
> change is required to allow the permissions at runtime.
> 
> Based on patch by Stephen Smalley.
> 
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

> ---
>  libsepol/src/hierarchy.c | 37 -------------------------------------
>  1 file changed, 37 deletions(-)
> 
> diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c
> index 6f73195..b24b39e 100644
> --- a/libsepol/src/hierarchy.c
> +++ b/libsepol/src/hierarchy.c
> @@ -121,18 +121,6 @@ static int bounds_expand_rule(sepol_handle_t *handle, policydb_t *p,
>  		}
>  	}
>  
> -	if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], parent - 1)) {
> -		avtab_key.target_type = parent;
> -		ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
> -			if (!ebitmap_node_get_bit(tnode, i))
> -				continue;
> -			avtab_key.source_type = i + 1;
> -			rc = bounds_insert_rule(handle, avtab, global, other,
> -						&avtab_key, &datum);
> -			if (rc) goto exit;
> -		}
> -	}
> -
>  exit:
>  	return rc;
>  }
> @@ -329,31 +317,6 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p,
>  			if (rc) goto exit;
>  		}
>  	}
> -	if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], child - 1)) {
> -		avtab_key.target_type = parent;
> -		ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
> -			if (!ebitmap_node_get_bit(tnode, i))
> -				continue;
> -			avtab_key.source_type = i + 1;
> -			if (avtab_key.source_type == child) {
> -				/* Checked above */
> -				continue;
> -			}
> -			d = bounds_not_covered(global_avtab, cur_avtab,
> -					       &avtab_key, data);
> -			if (!d) continue;
> -			td = p->type_val_to_struct[i];
> -			if (td && td->bounds) {
> -				avtab_key.source_type = td->bounds;
> -				d = bounds_not_covered(global_avtab, cur_avtab,
> -						       &avtab_key, data);
> -				if (!d) continue;
> -			}
> -			(*numbad)++;
> -			rc = bounds_add_bad(handle, i+1, child, class, d, bad);
> -			if (rc) goto exit;
> -		}
> -	}
>  
>  exit:
>  	return rc;
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] libsepol: Only apply bounds checking to source types in rules
  2016-04-29 20:06 ` Stephen Smalley
@ 2016-04-29 20:08   ` James Carter
  0 siblings, 0 replies; 3+ messages in thread
From: James Carter @ 2016-04-29 20:08 UTC (permalink / raw)
  To: Stephen Smalley, selinux

On 04/29/2016 04:06 PM, Stephen Smalley wrote:
> On 04/29/2016 03:53 PM, James Carter wrote:
>> The current bounds checking of both source and target types
>> requires allowing any domain that has access to the child domain
>> to also have the same permissions to the parent, which is undesirable.
>> Drop the target bounds expansion and checking.
>>
>> Making this change fully functional requires a corresponding kernel
>> change; this change only allows one to build policies that would
>> otherwise violate the bounds checking on target type.  The kernel
>> change is required to allow the permissions at runtime.
>>
>> Based on patch by Stephen Smalley.
>>
>> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
>
> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
>

Applied.

Jim

>> ---
>>   libsepol/src/hierarchy.c | 37 -------------------------------------
>>   1 file changed, 37 deletions(-)
>>
>> diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c
>> index 6f73195..b24b39e 100644
>> --- a/libsepol/src/hierarchy.c
>> +++ b/libsepol/src/hierarchy.c
>> @@ -121,18 +121,6 @@ static int bounds_expand_rule(sepol_handle_t *handle, policydb_t *p,
>>   		}
>>   	}
>>
>> -	if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], parent - 1)) {
>> -		avtab_key.target_type = parent;
>> -		ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
>> -			if (!ebitmap_node_get_bit(tnode, i))
>> -				continue;
>> -			avtab_key.source_type = i + 1;
>> -			rc = bounds_insert_rule(handle, avtab, global, other,
>> -						&avtab_key, &datum);
>> -			if (rc) goto exit;
>> -		}
>> -	}
>> -
>>   exit:
>>   	return rc;
>>   }
>> @@ -329,31 +317,6 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p,
>>   			if (rc) goto exit;
>>   		}
>>   	}
>> -	if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], child - 1)) {
>> -		avtab_key.target_type = parent;
>> -		ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
>> -			if (!ebitmap_node_get_bit(tnode, i))
>> -				continue;
>> -			avtab_key.source_type = i + 1;
>> -			if (avtab_key.source_type == child) {
>> -				/* Checked above */
>> -				continue;
>> -			}
>> -			d = bounds_not_covered(global_avtab, cur_avtab,
>> -					       &avtab_key, data);
>> -			if (!d) continue;
>> -			td = p->type_val_to_struct[i];
>> -			if (td && td->bounds) {
>> -				avtab_key.source_type = td->bounds;
>> -				d = bounds_not_covered(global_avtab, cur_avtab,
>> -						       &avtab_key, data);
>> -				if (!d) continue;
>> -			}
>> -			(*numbad)++;
>> -			rc = bounds_add_bad(handle, i+1, child, class, d, bad);
>> -			if (rc) goto exit;
>> -		}
>> -	}
>>
>>   exit:
>>   	return rc;
>>
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2016-04-29 20:08 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-29 19:53 [PATCH] libsepol: Only apply bounds checking to source types in rules James Carter
2016-04-29 20:06 ` Stephen Smalley
2016-04-29 20:08   ` James Carter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.