semodule utils #392

Closed
wants to merge 44 commits into from

Commits (44):
d95bc8b libselinux: migrating hashtab from policycoreutils (Mar 8, 2023)
4a42050 libselinux: adapting hashtab to libselinux (Mar 8, 2023)
2c7b71d libselinux: performance optimization for duplicate detection (Mar 8, 2023)
2d5f97b checkpolicy: drop unused token CLONE (cgzones, May 12, 2023)
c646f39 checkpolicy: reject condition with bool and tunable in expression (cgzones, May 12, 2023)
00728e1 checkpolicy: only set declared permission bits for wildcards (cgzones, May 12, 2023)
f5d664e libsepol: dump non-mls validatetrans rules as such (cgzones, May 12, 2023)
45a4fc7 libsepol: validate some object contexts (cgzones, May 12, 2023)
4cf3760 libsepol: validate old style range trans classes (cgzones, May 12, 2023)
ac015a3 libsepol: validate: check low category is not bigger than high (cgzones, May 12, 2023)
4ba8f7c libsepol: validate: reject XEN policy with xperm rules (cgzones, May 12, 2023)
cae65d9 libsepol: expand: skip invalid cat (cgzones, May 12, 2023)
808a43a libsepol: drop message for uncommon error cases (cgzones, Jun 2, 2023)
b041ecc libsepol: drop duplicate newline in sepol_log_err() calls (cgzones, Jun 2, 2023)
5c35a7b libsepol: replace sepol_log_err() by ERR() (cgzones, Jun 2, 2023)
30fe0f1 libsepol: replace log_err() by ERR() (cgzones, Jun 2, 2023)
5045368 dismod: add --help option (masatake, May 31, 2023)
5b1a2f1 dismod: delete an unnecessary empty line (masatake, May 31, 2023)
d1a9cdd dismod: handle EOF in user interaction (masatake, May 31, 2023)
df0b192 dismod: add --actions option for non-interactive use (masatake, May 31, 2023)
e867c95 policycoreutils: Add examples to man pages (vmojzis, Jun 1, 2023)
0b1cb09 python/sepolicy: Improve man pages (vmojzis, Jun 1, 2023)
535dc24 sandbox: Add examples to man pages (vmojzis, Jun 1, 2023)
966de0c checkpolicy: Add examples to man pages (vmojzis, Jun 1, 2023)
d596efb libselinux: Add examples to man pages (vmojzis, Jun 1, 2023)
6360af7 sepolicy: clarify manual page of sepolicy interface (topimiettinen, Jun 4, 2023)
f78eea5 dispol: add --help option (masatake, Jun 8, 2023)
eeb0a75 dispol: delete an unnecessary empty line (masatake, Jun 8, 2023)
f8a076f dispol: handle EOF in user interaction (masatake, Jun 8, 2023)
666a7df dispol: add --actions option for non-interactive use (masatake, Jun 8, 2023)
391cf12 python/sepolicy: Fix template for confined user policy modules (vmojzis, Jun 1, 2023)
48306c4 python/sepolicy: Add/remove user even when SELinux is disabled (vmojzis, May 29, 2023)
55b75a2 libsepol: stop translating deprecated initial SIDs to strings (WOnder93, Jun 12, 2023)
02e471f libsepol: add support for the new "init" initial SID (WOnder93, Jun 12, 2023)
b87724c checkpolicy: add option to skip checking neverallow rules (cgzones, May 12, 2023)
4c06922 checkpolicy/dismod: misc improvements (cgzones, May 12, 2023)
6e077ba dismod: print the policy version only in interactive mode (masatake, Jun 14, 2023)
b3788b9 dismod, dispol: reduce the messages in batch mode (masatake, Jun 14, 2023)
d8edd36 libselinux: add check for calloc in check_booleans (Jun 18, 2023)
1a29c28 python/sepolicy: Fix get_os_version except clause (jefferyto, Jun 19, 2023)
1a78f40 semodule_expand: update (cgzones, May 12, 2023)
f258445 semodule_link: update (cgzones, May 12, 2023)
84f786b semodule_package: update (cgzones, May 12, 2023)
7d5efdc semodule_unpackage: update (cgzones, May 12, 2023)
checkpolicy: only set declared permission bits for wildcards
When setting permission bits from a wildcard or complement only set the
bits for permissions actually declared for the associated class.  This
helps optimize the policy later, since only rules with a completely
empty permission bitset are dropped.  Example policy:

    class CLASS1
    sid kernel
    class CLASS1 { PERM1 }
    type TYPE1;
    bool BOOL1 true;
    allow TYPE1 self : CLASS1 { PERM1 };
    role ROLE1;
    role ROLE1 types { TYPE1 };
    if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
    user USER1 roles ROLE1;
    sid kernel USER1:ROLE1:TYPE1

Also emit a warning if a rule will have an empty permission bitset due
to an exhausting complement.

Signed-off-by: Christian Göttsche <[email protected]>
Acked-by: James Carter <[email protected]>
cgzones authored and jwcart2 committed Jun 5, 2023
commit 00728e12d4a7c67a2cf578e0c2905287c579e75b
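The bit arithmetic the commit describes, as an added C model written for this review; it is not checkpolicy's own code. It reproduces the PERMISSION_MASK expression, applies `*`, `~` and named permissions across a constructed list with one node per target class, and unlinks a node whose set became empty while tracking the predecessor so that a non-head node can be removed safely. The struct, the function names, the `pN` shorthand for the N-th declared permission and the two constructed classes (CLASS1 with 3 declared permissions, CLASS2 with all 32) are assumptions of the illustration; real checkpolicy looks permission names up in the class symbol table.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not checkpolicy code: a reduced model of the
 * per-class permission list that define_te_avtab_helper fills in, with the
 * PERMISSION_MASK arithmetic from this commit. Names are assumptions. */

#define PERM_SYMTAB_SIZE 32          /* one access vector is a uint32_t */

struct perm_node {
    const char *tclass;              /* class name, only used in messages */
    uint32_t nprim;                  /* permissions declared for the class */
    uint32_t data;                   /* permission bitset being built */
    struct perm_node *next;
};

/* Mask with exactly the nprim low bits set (assumes nprim <= 32). The
 * equality test avoids the undefined shift by 32 when a class declares
 * every possible permission. */
static uint32_t perm_mask(uint32_t nprim)
{
    return nprim == PERM_SYMTAB_SIZE ? ~UINT32_C(0)
                                     : (UINT32_C(1) << nprim) - 1;
}

static struct perm_node *make_node(const char *name, uint32_t nprim,
                                   struct perm_node *next)
{
    struct perm_node *n = calloc(1, sizeof *n);
    if (!n)
        abort();
    n->tclass = name;
    n->nprim = nprim;
    n->next = next;
    return n;
}

static void free_list(struct perm_node *n)
{
    while (n) {
        struct perm_node *next = n->next;
        free(n);
        n = next;
    }
}

/* Apply one permission-list token ("*", "~" or "pN") to every class node.
 * A node whose set is empty after a wildcard is unlinked and freed; prev
 * is tracked so that removing a non-head node leaves no dangling pointer.
 * Returns the number of nodes dropped. */
static unsigned apply_token(struct perm_node **head, const char *tok)
{
    struct perm_node *prev = NULL, *cur = *head;
    unsigned dropped = 0;

    while (cur) {
        struct perm_node *next = cur->next;
        int wildcard = 1;

        if (strcmp(tok, "*") == 0) {
            cur->data = perm_mask(cur->nprim);       /* all declared bits */
        } else if (strcmp(tok, "~") == 0) {
            cur->data = ~cur->data & perm_mask(cur->nprim);
        } else {
            unsigned long v = strtoul(tok + 1, NULL, 10);
            wildcard = 0;
            if (tok[0] == 'p' && v >= 1 && v <= cur->nprim)
                cur->data |= UINT32_C(1) << (v - 1);
            else
                fprintf(stderr, "permission %s is not defined for class %s\n",
                        tok, cur->tclass);
        }

        if (wildcard && cur->data == 0) {
            fprintf(stderr, "warning: omitting class %s, no permission set\n",
                    cur->tclass);
            if (prev)
                prev->next = next;
            else
                *head = next;
            free(cur);
            dropped++;
            cur = next;              /* prev is unchanged */
            continue;
        }
        prev = cur;
        cur = next;
    }
    return dropped;
}

/* Constructed sample: CLASS1 declares nprim1 permissions, CLASS2 nprim2.
 * Applies the tokens in order (the complement comes last, as in ~{ ... }),
 * stores the surviving bitsets in out[0]/out[1] (0 for a dropped class)
 * and returns how many class nodes were dropped. */
static unsigned run_tokens(uint32_t nprim1, uint32_t nprim2,
                           const char *const *toks, size_t ntoks, uint32_t out[2])
{
    struct perm_node *head =
        make_node("CLASS1", nprim1, make_node("CLASS2", nprim2, NULL));
    unsigned dropped = 0;

    out[0] = out[1] = 0;
    for (size_t i = 0; i < ntoks; i++)
        dropped += apply_token(&head, toks[i]);
    for (struct perm_node *n = head; n; n = n->next)
        out[strcmp(n->tclass, "CLASS1") == 0 ? 0 : 1] = n->data;
    free_list(head);
    return dropped;
}

int main(void)
{
    const char *const toks[] = { "p1", "~" };      /* like: allow T self:C ~{ p1 }; */
    uint32_t out[2];
    unsigned dropped = run_tokens(3, PERM_SYMTAB_SIZE, toks, 2, out);

    printf("dropped=%u CLASS1=%#x CLASS2=%#x\n", dropped, out[0], out[1]);
    return 0;
}
```

The third scenario in the test below is the one the commit's own unlink does not cover: the node that empties out is the second in the list, so the predecessor's `next` has to be rewritten rather than the list head.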
19 changes: 14 additions & 5 deletions checkpolicy/policy_define.c
@@ -2511,6 +2511,8 @@ int define_te_avtab_extended_perms(int which)
return rc;
}

#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1))

static int define_te_avtab_helper(int which, avrule_t ** rule)
{
char *id;
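Review bot: the moved PERMISSION_MASK define now has two users, so the assumption it encodes deserves a comment above it: nprim must never exceed PERM_SYMTAB_SIZE, because `(UINT32_C(1) << (nprim))` is undefined for a shift of 32 or more and the ternary only guards the exact equality, not anything larger.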
@@ -2616,16 +2618,25 @@ static int define_te_avtab_helper(int which, avrule_t ** rule)
cladatum = policydbp->class_val_to_struct[i];

if (strcmp(id, "*") == 0) {
/* set all permissions in the class */
cur_perms->data = ~0U;
/* set all declared permissions in the class */
cur_perms->data = PERMISSION_MASK(cladatum->permissions.nprim);
goto next;
}

if (strcmp(id, "~") == 0) {
/* complement the set */
if (which == AVRULE_DONTAUDIT)
yywarn("dontaudit rule with a ~?");
cur_perms->data = ~cur_perms->data;
cur_perms->data = ~cur_perms->data & PERMISSION_MASK(cladatum->permissions.nprim);
if (cur_perms->data == 0) {
class_perm_node_t *tmp = cur_perms;
yywarn("omitting avrule with no permission set");
if (perms == cur_perms)
perms = cur_perms->next;
cur_perms = cur_perms->next;
free(tmp);
continue;
}
goto next;
}

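Review bot: the unlink in the `~` branch leaves a dangling pointer when the emptied node is not the list head. Only `if (perms == cur_perms) perms = cur_perms->next;` relinks anything, so when cur_perms sits further down the list its predecessor still points at the memory released by `free(tmp)`, and the rule's perms list is later walked through it. Either carry a prev pointer through the class loop and set `prev->next = cur_perms->next` before freeing, or leave the node in place with data == 0 and let the later empty-bitset optimization described in the commit message drop the rule. Smaller point in the same hunk: the `*` branch can produce an empty bitset too (PERMISSION_MASK(0) for a class with no declared permissions) but gets neither the warning nor the removal; the two wildcard branches should be treated alike.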
@@ -3549,8 +3560,6 @@ static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
return NULL;
}

#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1))

int define_constraint(constraint_expr_t * expr)
{
struct constraint_node *node;