From dadf1e9ad66318fdd814cf06af2b83741467a3d8 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 30 Mar 2021 13:39:17 -0400
Subject: [PATCH] libsepol/cil: Sync checks for invalid rules in booleanifs
When building the AST, typemember rules in a booleanif block will
be incorrectly reported as invalid. They are allowed in the kernel
policy and should be allowed in CIL.
When resolving the AST, if a neverallow rule is copied into a
booleanif block, it will not be considered an invalid rule, even
though this is not allowed in the kernel policy.
Update the booleanif checks to allow typemember rules and to not
allow neverallow rules in booleanifs. Also use the same form of
conditional for the checks when building and resolving the AST.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_build_ast.c | 3 ++-
libsepol/cil/src/cil_resolve_ast.c | 23 +++++++++++++++--------
2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index ceb55324..3a91be03 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -6136,7 +6136,8 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
parse_current->data != CIL_KEY_DONTAUDIT &&
parse_current->data != CIL_KEY_AUDITALLOW &&
parse_current->data != CIL_KEY_TYPETRANSITION &&
- parse_current->data != CIL_KEY_TYPECHANGE) {
+ parse_current->data != CIL_KEY_TYPECHANGE &&
+ parse_current->data != CIL_KEY_TYPEMEMBER) {
rc = SEPOL_ERR;
cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data);
if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
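Review bot: The key list extended here (now ending in `CIL_KEY_TYPEMEMBER`) is the string-keyword twin of the flavor list this same commit rewrites in `__cil_resolve_ast_node_helper()`, and nothing ties the two sites together, so the next rule added to one is likely to be forgotten in the other. A one-line cross-reference above the condition would help: `/* Keep in sync with the booleanif check in __cil_resolve_ast_node_helper() */`. The head of the condition, including whether `CIL_KEY_NEVERALLOW` is rejected at build time as the commit message implies, is above the hunk, and `__cil_build_ast_node_helper()` starts and ends outside it.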
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index c520c44a..06b6ab48 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -3689,7 +3689,7 @@ exit:
int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args)
{
- int rc = SEPOL_ERR;
+ int rc = SEPOL_OK;
struct cil_args_resolve *args = extra_args;
enum cil_pass pass = args->pass;
struct cil_tree_node *block = args->block;
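Review bot: Flipping the initializer to `int rc = SEPOL_OK;` changes the function's failure default, so any `goto exit` between this declaration and the booleanif check that relied on `rc` still holding `SEPOL_ERR` would now return success silently. The ~40 lines between this hunk and the next are not in the patch, so that needs to be verified against the full function body rather than assumed. The only reason for the change appears to be the later `if (rc == SEPOL_ERR)` test in the booleanif hunk, which would be better served by a dedicated local flag so the initializer can stay as it was. `__cil_resolve_ast_node_helper()` continues past the end of this hunk.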
@@ -3732,18 +3732,25 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
}
if (boolif != NULL) {
- if (!(node->flavor == CIL_TUNABLEIF ||
- node->flavor == CIL_CALL ||
- node->flavor == CIL_CONDBLOCK ||
- node->flavor == CIL_AVRULE ||
- node->flavor == CIL_TYPE_RULE ||
- node->flavor == CIL_NAMETYPETRANSITION)) {
+ if (node->flavor != CIL_TUNABLEIF &&
+ node->flavor != CIL_CALL &&
+ node->flavor != CIL_CONDBLOCK &&
+ node->flavor != CIL_AVRULE &&
+ node->flavor != CIL_TYPE_RULE &&
+ node->flavor != CIL_NAMETYPETRANSITION) {
+ rc = SEPOL_ERR;
+ } else if (node->flavor == CIL_AVRULE) {
+ struct cil_avrule *rule = node->data;
+ if (rule->rule_kind == CIL_AVRULE_NEVERALLOW) {
+ rc = SEPOL_ERR;
+ }
+ }
+ if (rc == SEPOL_ERR) {
if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs (tunableif treated as a booleanif)", cil_node_to_string(node));
} else {
cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs", cil_node_to_string(node));
}
- rc = SEPOL_ERR;
goto exit;
}
}
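Review bot: The new check uses `rc` as an "invalid statement" scratch flag (`rc = SEPOL_ERR;` in both branches, then `if (rc == SEPOL_ERR)`) and at the same time as the function's return value, which only works because the earlier hunk changed the initializer to `SEPOL_OK` and nothing between the two hunks assigns `rc`. That coupling is invisible from this hunk and is fragile against future edits to the ~40 lines above it. A dedicated local keeps the check self-contained and lets the `rc = SEPOL_ERR;` line removed from the error path come back where it belongs, next to `goto exit`. The rest of `__cil_resolve_ast_node_helper()` lies outside the hunk.
```c
	if (boolif != NULL) {
		int invalid = 0;
		if (node->flavor != CIL_TUNABLEIF &&
		    /* … unchanged: CIL_CALL, CIL_CONDBLOCK, CIL_AVRULE, CIL_TYPE_RULE comparisons … */
		    node->flavor != CIL_NAMETYPETRANSITION) {
			invalid = 1;
		} else if (node->flavor == CIL_AVRULE) {
			struct cil_avrule *rule = node->data;
			invalid = (rule->rule_kind == CIL_AVRULE_NEVERALLOW);
		}
		if (invalid) {
			/* … unchanged: preserved_tunable / cil_tree_log branches … */
			rc = SEPOL_ERR;
			goto exit;
		}
	}
```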
--
2.30.2