author | Jeff Vander Stoep <jeffv@google.com> | 2016-05-20 01:37:12 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-05-20 01:37:12 +0000 |
commit | 89ade431ecff217e0ce7752fda81b5e4e404a293 (patch) | |
tree | b3909033c9a89a8e88c1a0017c8982a63ff2897c | |
parent | 1e4bfef86c44ce3c94cdfb389dec24230e4de292 (diff) | |
parent | d922fef84424ad3bba2e2f3fbd592cc51319b4ba (diff) | |
Fix neverallowxperm checking on attributes
am: d922fef844
* commit 'd922fef84424ad3bba2e2f3fbd592cc51319b4ba':
Fix neverallowxperm checking on attributes
Change-Id: I5e387ef684e5393dc440880b368d033e0da96010
-rw-r--r-- | libsepol/src/assertion.c | 117 |
1 files changed, 95 insertions, 22 deletions
diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index f4429ad1..a4be880f 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -147,8 +147,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
 avtab_key_t tmp_key;
 avtab_extended_perms_t *xperms;
 avtab_extended_perms_t error;
- ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
- ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
+ ebitmap_t *sattr = &p->type_attr_map[stype];
+ ebitmap_t *tattr = &p->type_attr_map[ttype];
 ebitmap_node_t *snode, *tnode;
 unsigned int i, j;
 int rc = 1;
@@ -174,14 +174,14 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
 continue;
 rc = check_extended_permissions(avrule->xperms, xperms);
- /* failure on the extended permission check_extended_permissionss */
+ /* failure on the extended permission check_extended_permissions */
 if (rc) {
 extended_permissions_violated(&error, avrule->xperms, xperms);
 ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
 "allowxperm %s %s:%s %s;",
 avrule->source_line, avrule->source_filename, avrule->line,
- p->p_type_val_to_name[stype],
- p->p_type_val_to_name[ttype],
+ p->p_type_val_to_name[i],
+ p->p_type_val_to_name[j],
 p->p_class_val_to_name[curperm->tclass - 1],
 sepol_extended_perms_to_string(&error));
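Review bot: `stype` and `ttype` replace `k->source_type - 1` and `k->target_type - 1` as the `type_attr_map` index, so they are zero-based type values while the `avtab_key_t` fields they replace are one-based, and nothing in the hunk records that; the second hunk of this file then passes the loop indices `i`/`j` straight into `p_type_val_to_name` right next to the one-based `curperm->tclass - 1`, which is exactly where the next off-by-one will be introduced. A one-line comment where the two parameters are declared would pin this down, e.g. `/* stype/ttype are zero-based type values (avtab_key_t source/target_type minus one) */`. The same comment belongs on the `unsigned int stype, unsigned int ttype` parameters added to check_assertion_extended_permissions_avtab in the hunk at @@ -317, which makes the same index substitution. The signature of report_assertion_extended_permissions that declares these parameters lies outside this hunk.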
@@ -317,29 +317,19 @@ oom:
 }
 /*
- * If the ioctl permission is granted in check_assertion_avtab_match for the
- * source/target/class matching the current avrule neverallow, a lookup is
- * performed to determine if extended permissions exist for the source/target/class.
- *
- * Four scenarios of interest:
- * 1. PASS - the ioctl permission is not granted for this source/target/class
- * This case is handled in check_assertion_avtab_match
- * 2. PASS - The ioctl permission is granted AND the extended permission
- * is NOT granted
- * 3. FAIL - The ioctl permission is granted AND no extended permissions
- * exist
- * 4. FAIL - The ioctl permission is granted AND the extended permission is
- * granted
+ * Look up the extended permissions in avtab and verify that neverallowed
+ * permissions are not granted.
 */
-static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
+static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t *avtab,
+ unsigned int stype, unsigned int ttype,
 avtab_key_t *k, policydb_t *p)
 {
 avtab_ptr_t node;
 avtab_key_t tmp_key;
 avtab_extended_perms_t *xperms;
 av_extended_perms_t *neverallow_xperms = avrule->xperms;
- ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
- ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
+ ebitmap_t *sattr = &p->type_attr_map[stype];
+ ebitmap_t *tattr = &p->type_attr_map[ttype];
 ebitmap_node_t *snode, *tnode;
 unsigned int i, j;
 int rc = 1;
@@ -373,6 +363,89 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
 return rc;
 }
+/*
+ * When the ioctl permission is granted on an avtab entry that matches an
+ * avrule neverallowxperm entry, enumerate over the matching
+ * source/target/class sets to determine if the extended permissions exist
+ * and if the neverallowed ioctls are granted.
+ *
+ * Four scenarios of interest:
+ * 1. PASS - the ioctl permission is not granted for this source/target/class
+ * This case is handled in check_assertion_avtab_match
+ * 2. PASS - The ioctl permission is granted AND the extended permission
+ * is NOT granted
+ * 3. FAIL - The ioctl permission is granted AND no extended permissions
+ * exist
+ * 4. FAIL - The ioctl permission is granted AND the extended permission is
+ * granted
+ */
+static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
+ avtab_key_t *k, policydb_t *p)
+{
+ ebitmap_t src_matches, tgt_matches, matches;
+ unsigned int i, j;
+ ebitmap_node_t *snode, *tnode;
+ class_perm_node_t *cp;
+ int rc;
+ int ret = 1;
+
+ ebitmap_init(&src_matches);
+ ebitmap_init(&tgt_matches);
+ ebitmap_init(&matches);
+ rc = ebitmap_and(&src_matches, &avrule->stypes.types,
+ &p->attr_type_map[k->source_type - 1]);
+ if (rc)
+ goto oom;
+
+ if (ebitmap_length(&src_matches) == 0)
+ goto exit;
+
+ if (avrule->flags == RULE_SELF) {
+ rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1],
+ &p->attr_type_map[k->target_type - 1]);
+ if (rc)
+ goto oom;
+ rc = ebitmap_and(&tgt_matches, &avrule->stypes.types, &matches);
+ if (rc)
+ goto oom;
+ } else {
+ rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types,
+ &p->attr_type_map[k->target_type -1]);
+ if (rc)
+ goto oom;
+ }
+
+ if (ebitmap_length(&tgt_matches) == 0)
+ goto exit;
+
+ for (cp = avrule->perms; cp; cp = cp->next) {
+ if (cp->tclass != k->target_class)
+ continue;
+ ebitmap_for_each_bit(&src_matches, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(&tgt_matches, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+
+ ret = check_assertion_extended_permissions_avtab(
+ avrule, avtab, i, j, k, p);
+ if (ret)
+ goto exit;
+ }
+ }
+ }
+ goto exit;
+
+oom:
+ ERR(NULL, "Out of memory - unable to check neverallows");
+
+exit:
+ ebitmap_destroy(&src_matches);
+ ebitmap_destroy(&tgt_matches);
+ ebitmap_destroy(&matches);
+ return ret;
+}
 static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *args)
 {
@@ -382,7 +455,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
 avrule_t *avrule = a->avrule;
 avtab_t *avtab = a->avtab;
- if (k->specified != AVTAB_ALLOWED && k->specified != AVTAB_XPERMS_ALLOWED)
+ if (k->specified != AVTAB_ALLOWED)
 goto exit;
 if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
 |
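Review bot: `ret` is initialised to 1 and the early `goto exit` taken when `src_matches` or `tgt_matches` is empty returns it unchanged, so an avtab key whose types do not overlap the neverallowxperm rule is reported exactly like a violation (the loop's own `if (ret) goto exit;` treats non-zero as a hit), and the `oom:` label logs but also falls through with `ret` still 1, so an allocation failure is indistinguishable from a violation to the caller. If check_assertion_avtab_match only calls this after its own type match the empty-overlap case is latent, but it is cheap to make explicit: put `ret = 0;` before each of the two empty-match `goto exit;` lines, and either give the oom path its own value (e.g. `ret = -1;` after the `ERR(NULL, ...)` call, with the caller adjusted to treat a negative result as an error rather than a hit) or add a comment stating that failing closed on OOM is intended. Separately, `k->target_type -1` in the else branch should read `k->target_type - 1` to match the three other index expressions in the function.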
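Review bot: Dropping `AVTAB_XPERMS_ALLOWED` from the accepted `k->specified` values deserves a comment at the condition, because a reader sees neverallowxperm checking now skip every allowxperm entry outright and has to locate check_assertion_extended_permissions to learn that, as its header comment describes, the extended permissions are instead looked up from the matching entry that grants ioctl. Something like `/* xperms entries are reached through the AVTAB_ALLOWED entry granting ioctl; see check_assertion_extended_permissions */` above the `if` would do. The body of check_assertion_avtab_match continues outside this hunk.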