topjohnwu/selinux
1
0
Fork 0
mirror of https://github.com/topjohnwu/selinux.git synced 2024-12-04 01:20:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

libsepol: Only apply bounds checking to source types in rules

Browse Source 
The current bounds checking of both source and target types
requires allowing any domain that has access to the child domain
to also have the same permissions to the parent, which is undesirable.
Drop the target bounds expansion and checking.

Making this change fully functional requires a corresponding kernel
change; this change only allows one to build policies that would
otherwise violate the bounds checking on target type.  The kernel
change is required to allow the permissions at runtime.

Based on patch by Stephen Smalley.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This commit is contained in:
James Carter 2016-04-29 15:41:57 -04:00
parent 65fb72cee8
commit 3cf8669135
1 changed files with 0 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
libsepol/src/hierarchy.c
View File

@ -121,18 +121,6 @@ static int bounds_expand_rule(sepol_handle_t *handle, policydb_t *p,
}
}
if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], parent - 1)) {
avtab_key.target_type = parent;
ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
if (!ebitmap_node_get_bit(tnode, i))
continue;
avtab_key.source_type = i + 1;
rc = bounds_insert_rule(handle, avtab, global, other,
&avtab_key, &datum);
if (rc) goto exit;
}
}
exit:
return rc;
}
@ -329,31 +317,6 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p,
if (rc) goto exit;
}
}
if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], child - 1)) {
avtab_key.target_type = parent;
ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
if (!ebitmap_node_get_bit(tnode, i))
continue;
avtab_key.source_type = i + 1;
if (avtab_key.source_type == child) {
/* Checked above */
continue;
}
d = bounds_not_covered(global_avtab, cur_avtab,
&avtab_key, data);
if (!d) continue;
td = p->type_val_to_struct[i];
if (td && td->bounds) {
avtab_key.source_type = td->bounds;
d = bounds_not_covered(global_avtab, cur_avtab,
&avtab_key, data);
if (!d) continue;
}
(*numbad)++;
rc = bounds_add_bad(handle, i+1, child, class, d, bad);
if (rc) goto exit;
}
}
exit:
return rc;