Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for extended permission rules in conditional policies #432

Closed
wants to merge 6 commits into from

Conversation

cgzones
Copy link
Contributor

@cgzones cgzones commented Apr 5, 2024

No description provided.

@cgzones cgzones force-pushed the cond_xperm branch 7 times, most recently from 1bf68e8 to da8aa1e Compare October 25, 2024 15:49
Use const parameters where applicable to signal immutability.

Rename the passed iterator avrule from avrule to narule, to make clear
its the neverallow rule to assert against, not the allow rule to check.

Drop needless branch in check_assertions(), since in the case avrules is
NULL the for loop won't execute and errors will stay at 0, so 0 will be
returned regardless. Also there is no call to free() as mentioned in the
outdated comment.

Signed-off-by: Christian Göttsche <[email protected]>
---
v3:
  - use C99 bool where applicable
  - minor additions
v2:
  add patch
Add support for extended permission rules in conditional policies by
adding a new policy version and adjusting writing and validating
policies accordingly.

Signed-off-by: Christian Göttsche <[email protected]>
---
v5:
  - reintroduce correct avrule checking for conditional policies
    regressed in v4 via deduplication
v4:
  - fix assertion logic on CIL generated policy
  - enhance xperm validation
  - rebase onto main
v3:
  - several assertion logic fixes
v2:
  - rebase onto libsepol: Support nlmsg xperms in assertions
  - fix assertion checking with xperm av rules in conditional policies
    (spotted by Jim, thanks!)
Add support for extended permission rules in conditional policies.

Signed-off-by: Christian Göttsche <[email protected]>
---
v2:
  - resbase onto "libsepol: Support nlmsg xperms in assertions" and adjust
    resulting (correct) optimization difference
  - print extended permission range in hexadecimal
Add support for extended permission rules in conditional policies.

Signed-off-by: Christian Göttsche <[email protected]>
Indent the printed allow rule that triggered an assertion by two spaces
to improve readability.

Signed-off-by: Christian Göttsche <[email protected]>
---
v3:
  add patch
Add some tests to verify assertion checking works for extended
permissions in conditional policies.

Signed-off-by: Christian Göttsche <[email protected]>
---
v3:
  add patch
@cgzones cgzones closed this Nov 19, 2024
@cgzones cgzones deleted the cond_xperm branch November 19, 2024 11:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant