forked from SELinuxProject/selinux
checkpolicy,libsepol: add prefix/suffix matching to filename type transitions #1
Open: JurajMarcin wants to merge 8 commits into main from selinux-2935-filename-transitions
Conversation
JurajMarcin force-pushed the selinux-2935-filename-transitions branch 2 times, most recently from f0e8994 to 2165676 on October 12, 2022 13:50
WOnder93 suggested changes, Oct 18, 2022
JurajMarcin force-pushed the selinux-2935-filename-transitions branch 4 times, most recently from 7b5d5cc to 21a4058 on October 26, 2022 13:10
WOnder93 suggested changes, Oct 27, 2022
Just two minor suggestions regarding the newly added comment, but otherwise LGTM (including the commit messages + cover text). 👍
JurajMarcin force-pushed the selinux-2935-filename-transitions branch from 21a4058 to 0c45d54 on October 27, 2022 18:09
JurajMarcin force-pushed the selinux-2935-filename-transitions branch 4 times, most recently from 49639ca to c141f72 on November 23, 2022 13:26
WOnder93 suggested changes, Nov 23, 2022
JurajMarcin force-pushed the selinux-2935-filename-transitions branch 2 times, most recently from fcedfd7 to 1fccdae on November 23, 2022 17:22
JurajMarcin commented, Nov 30, 2022
JurajMarcin force-pushed the selinux-2935-filename-transitions branch from 1fccdae to 5880890 on December 14, 2022 13:03
JurajMarcin pushed a commit that referenced this pull request, Feb 23, 2023:

Add return check for regex_data_create() to avoid NULL reference of regex_data

(gdb) bt
#0 0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6
#1 0x00007fbde5e3a489 in regex_data_create () at regex.c:260
#2 0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76
#3 0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407
#4 lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>) at label_file.c:949
#5 0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092
#6 0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167

Signed-off-by: Jie Lu <[email protected]>
Acked-by: James Carter <[email protected]>
JurajMarcin force-pushed the selinux-2935-filename-transitions branch 2 times, most recently from 1fe50d4 to a662e7a on March 30, 2023 13:16
JurajMarcin pushed a commit that referenced this pull request, May 11, 2023:

The output parameter `role_arr` of semanage_user_get_roles() is an array of non-owned role names. Since the array is never used again, as its contents have been copied into the return value `roles`, free it.

Example leak report from useradd(8):

Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x5597624284a8 in __interceptor_calloc (./shadow/src/useradd+0xee4a8)
#1 0x7f53aefcbbf9 in sepol_user_get_roles src/user_record.c:270:21
JurajMarcin force-pushed the selinux-2935-filename-transitions branch from a662e7a to 45c36a6 on May 15, 2023 15:13
To move filename transitions to be part of avtab, we need to create space for it in the avtab_datum structure which holds the rule for a certain combination of stype, ttype and tclass. As only type transitions have a special variant that uses a filename, it would be suboptimal to add a (mostly empty) pointer to some structure to all avtab rules. Therefore, this patch adds a new structure to the avtab_datum and moves the otype of the transition to this structure. In the next patch, this structure will also hold filename transitions for the combination of stype, ttype and tclass.

Reviewed-by: Ondrej Mosnacek <[email protected]>
Signed-off-by: Juraj Marcin <[email protected]>

Currently, filename transitions are stored separately from other type enforcement rules. This leads to possibly sub-optimal performance and makes further improvements cumbersome. This patch adds a symbol table with filename transitions to the transition structure added to avtab in the previous patch. It also implements functions required for reading and writing filename transitions (either binary or source formats) and updates the code for expanding attributes. Last but not least, it updates the conflict check in the conditional avtab to account for empty transitions in the non-conditional avtab. These changes are expected to cause higher memory usage, as now there needs to be a filename transition structure for every stype. This patch effectively undoes most of the commit 42ae834 ("libsepol,checkpolicy: optimize storage of filename transitions"), but this will be mitigated by providing support for matching prefix/suffix of the filename for filename transitions in future patches, which will reduce the need to have so many of them.

Reviewed-by: Ondrej Mosnacek <[email protected]>
Signed-off-by: Juraj Marcin <[email protected]>

Similarly to the previous patch, filename transition rules are stored and parsed separately from other type enforcement rules. Moving them to avrule makes it consistent with the filename transitions in avtab and makes future improvements easier to implement. This patch adds an optional object name attribute to the avrule structure and uses this new attribute to move filename transition rules to avrule. It also updates functions for parsing type enforcement rules to accept rules with a filename as their last argument (filename transition rules); separate functions for parsing filename transitions are therefore no longer needed.

Reviewed-by: Ondrej Mosnacek <[email protected]>
Signed-off-by: Juraj Marcin <[email protected]>

Implement a new binary policy format that closely matches the new internal representation introduced in the previous patch. This patch bumps the maximum kernel policy version and implements reading/writing functions such that kernel binary policy structure matches internal representation. These changes can cause the binary policy to grow in size due to effectively undoing the benefits of the commit 8206b8c ("libsepol: implement POLICYDB_VERSION_COMP_FTRANS"), but this will be mitigated by adding the prefix/suffix support as described in the previous patch.

Reviewed-by: Ondrej Mosnacek <[email protected]>
Signed-off-by: Juraj Marcin <[email protected]>

Implement a new module policy format that closely matches the new internal representation of avrule introduced in the previous patch. This patch bumps the maximum module policy version and implements reading/writing functions such that the module binary policy structure matches its internal representation, namely the object name attribute used for the filename transition rules. These changes have no significant effect on the size of the module policy file (tested with Fedora policy).

Reviewed-by: Ondrej Mosnacek <[email protected]>
Signed-off-by: Juraj Marcin <[email protected]>
JurajMarcin force-pushed the selinux-2935-filename-transitions branch from 2fdad7c to 9d4425a on May 31, 2023 11:09
JurajMarcin changed the title from "Move filename transitions to be part of avtab" to "checkpolicy, libsepol: add prefix/suffix matching to filename type transitions", May 31, 2023
Currently, filename type transitions support only exact name matching. However, in practice, the names contain variable parts. This leads to many duplicated rules in the policy that differ only in the part of the name, or it is even impossible to cover all possible combinations. This patch extends the filename type transitions structures to include new types of filename transitions - prefix and suffix filename transitions. It also implements the reading and writing of those rules in the kernel binary policy format together with increasing its version.

Reviewed-by: Ondrej Mosnacek <[email protected]>
Signed-off-by: Juraj Marcin <[email protected]>

This patch extends the structures for module and base policy (avrule_t) to support prefix/suffix transitions. In addition to this, it implements the necessary changes to functions for reading and writing the binary policy as well as parsing the policy conf.

Reviewed-by: Ondrej Mosnacek <[email protected]>
Signed-off-by: Juraj Marcin <[email protected]>

This patch implements the support for prefix/suffix filename transitions in CIL structures as well as in the CIL policy parser.

Reviewed-by: Ondrej Mosnacek <[email protected]>
Signed-off-by: Juraj Marcin <[email protected]>
JurajMarcin force-pushed the selinux-2935-filename-transitions branch from 9d4425a to 4fbe3fa on June 1, 2023 14:36
JurajMarcin changed the title from "checkpolicy, libsepol: add prefix/suffix matching to filename type transitions" to "checkpolicy,libsepol: add prefix/suffix matching to filename type transitions", Jun 20, 2023
JurajMarcin pushed a commit that referenced this pull request, Apr 5, 2024:

In case the init function for a selabel backend fails, free the possible already allocated data:

Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x5e7e2bf001e3 in malloc (/tmp/destdir/usr/sbin/selabel_digest+0xc71e3)
#1 0x7233764baa65 in selabel_media_init /home/christian/Coding/workspaces/selinux/libselinux/src/label_media.c:226:30
#2 0x7233764ac1fe in selabel_open /home/christian/Coding/workspaces/selinux/libselinux/src/label.c:227:6
#3 0x5e7e2bf3ebfc in main /home/christian/Coding/workspaces/selinux/libselinux/utils/selabel_digest.c:125:8
#4 0x7233761856c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).

Signed-off-by: Christian Göttsche <[email protected]>
Acked-by: James Carter <[email protected]>
Currently, filename transitions are stored separately from other type
enforcement rules and only support exact name matching. However, in
practice, the names contain variable parts. This leads to many
duplicated rules in the policy that differ only in the part of the name,
or it is even impossible to cover all possible combinations.
This series implements equivalent changes made by this kernel patch
series 1.
First, this series of patches moves the filename transitions to be part
of the avtab and avrule structures. This not only makes the
implementation of prefix/suffix matching and future enhancements easier,
but also reduces the technical debt regarding the filename transitions.
Next, the last three patches implement the support for prefix/suffix
name matching itself by extending the structures added in previous
patches in this series and adding the support to CIL in the last of the
triple.
Even though moving everything to avtab increases the memory usage and
the size of the binary policy itself and thus the loading time, the
ability to match the prefix or suffix of the name will reduce the
overall number of rules in the policy which should mitigate this issue.
Changelog:
v2:
"match_exact" keyword (suggested by Jim, discussed with Ondrej)
work
policy
filename transition entry
kernel version of the code 3
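The matching semantics that the prefix/suffix commits and the cover text above describe, as an added illustration that is not part of this pull request or of libsepol/checkpolicy: a small Python model of an avtab keyed by (stype, ttype, tclass) whose per-key transition entry carries the plain type_transition otype plus a list of exact, prefix and suffix filename transitions, with a conflict check on insertion and a lookup that computes the type of a newly created object. The type and file names are constructed, and the precedence applied when several rules match (exact first, then the longest prefix, then the longest suffix) is an assumption of this model, not something the series states here.

```python
# Constructed model of filename type transitions with exact/prefix/suffix
# matching. Not libsepol code; the precedence between overlapping rules
# (exact > longest prefix > longest suffix) is an assumption of this model.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EXACT, PREFIX, SUFFIX = "exact", "prefix", "suffix"


@dataclass
class FilenameTrans:
    kind: str    # EXACT, PREFIX or SUFFIX
    name: str    # full name, name prefix or name suffix to match
    otype: str   # type assigned to the newly created object


@dataclass
class TransDatum:
    # Stands in for the transition structure the series adds to avtab_datum:
    # the plain type_transition otype plus the filename transitions that
    # belong to one (stype, ttype, tclass) combination.
    otype: Optional[str] = None
    filename_trans: List[FilenameTrans] = field(default_factory=list)


AvtabKey = Tuple[str, str, str]  # (stype, ttype, tclass)


class Avtab:
    """Minimal stand-in for the avtab, keyed by (stype, ttype, tclass)."""

    def __init__(self) -> None:
        self.rules: Dict[AvtabKey, TransDatum] = {}

    def add_type_transition(self, stype: str, ttype: str, tclass: str, otype: str) -> None:
        self.rules.setdefault((stype, ttype, tclass), TransDatum()).otype = otype

    def add_filename_transition(self, stype: str, ttype: str, tclass: str,
                                kind: str, name: str, otype: str) -> None:
        if kind not in (EXACT, PREFIX, SUFFIX):
            raise ValueError(f"unknown match kind {kind!r}")
        datum = self.rules.setdefault((stype, ttype, tclass), TransDatum())
        # Conflict check: the same key, kind and name must not map to two
        # different result types, otherwise the policy would be ambiguous.
        for ft in datum.filename_trans:
            if ft.kind == kind and ft.name == name and ft.otype != otype:
                raise ValueError(
                    f"conflicting filename transition for {(stype, ttype, tclass)} "
                    f"{kind} {name!r}: {ft.otype} vs {otype}")
        datum.filename_trans.append(FilenameTrans(kind, name, otype))

    def compute_create_type(self, stype: str, ttype: str, tclass: str, filename: str) -> str:
        datum = self.rules.get((stype, ttype, tclass))
        if datum is None:
            return ttype  # no rule at all: the new object inherits the parent's type
        best: Optional[Tuple[int, int, str]] = None  # (rank, matched length, otype)
        for ft in datum.filename_trans:
            if ft.kind == EXACT and filename == ft.name:
                rank = 2
            elif ft.kind == PREFIX and filename.startswith(ft.name):
                rank = 1
            elif ft.kind == SUFFIX and filename.endswith(ft.name):
                rank = 0
            else:
                continue
            candidate = (rank, len(ft.name), ft.otype)
            if best is None or candidate[:2] > best[:2]:
                best = candidate
        if best is not None:
            return best[2]
        # No filename rule matched: fall back to the plain type_transition.
        return datum.otype if datum.otype is not None else ttype


def build_sample_avtab() -> Avtab:
    """Constructed sample policy: one prefix rule and one suffix rule stand in
    for what would otherwise be one exact rule per generated file name."""
    tab = Avtab()
    tab.add_type_transition("app_t", "tmp_t", "file", "app_tmp_t")
    tab.add_filename_transition("app_t", "tmp_t", "file", EXACT, "config.lock", "app_lock_t")
    tab.add_filename_transition("app_t", "tmp_t", "file", PREFIX, "cache-", "app_cache_t")
    tab.add_filename_transition("app_t", "tmp_t", "file", PREFIX, "cache-secure-", "app_secure_cache_t")
    tab.add_filename_transition("app_t", "tmp_t", "file", SUFFIX, ".log", "app_log_t")
    return tab


if __name__ == "__main__":
    tab = build_sample_avtab()
    for name in ("config.lock", "cache-1234", "cache-secure-1.log", "run.log", "other"):
        print(f"{name} -> {tab.compute_create_type('app_t', 'tmp_t', 'file', name)}")
```

The lookup illustrates the rule-count argument from the cover text: the two prefix rules and one suffix rule cover every "cache-*" and "*.log" name that the constructed app_t domain might create under tmp_t, where exact matching would need a separate rule per name. The insertion-time conflict check is the kind of consistency check the series describes for the avtab; the precedence between a prefix and a suffix rule that both match is this model's choice and must be verified against the actual kernel implementation before relying on it.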