From dcd07fdcbf3ba9fc47aef924b9b9f81bdefcb18b Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Mon, 8 Mar 2021 15:49:23 -0500
Subject: [PATCH] libsepol/checkpolicy: Set user roles using role value instead
of dominance
Roles in an optional block have two datums, one in the global block
and one in the avrule_decl where it is declared. The datum in the
global block does not have its dominance set. This is a problem because
the function set_user_role() sets the user's roles based on the global
datum's dominance ebitmap. If a user is declared with an associated role
that was declared in an optional block, then it will not have any roles
set for it because the dominance ebitmap is empty.
Example/
# handle_unknown deny
class CLASS1
sid kernel
class CLASS1 { PERM1 }
type TYPE1;
allow TYPE1 self:CLASS1 PERM1;
role ROLE1;
role ROLE1 types { TYPE1 };
optional {
require {
class CLASS1 { PERM1 };
}
role ROLE1A;
user USER1A roles ROLE1A;
}
user USER1 roles ROLE1;
sid kernel USER1:ROLE1:TYPE1
In this example, USER1A would not have ROLE1A associated with it.
Instead of using dominance, which has been deprecated anyway, just
set the bit corresponding to the role's value in the user's roles
ebitmap in set_user_role().
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
[N.I: added spaces around "-" operator]
---
checkpolicy/policy_define.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
|
|
83845a |
index c9286f7733c5..16234f31bbc3 100644
|
|
|
83845a |
--- a/checkpolicy/policy_define.c
|
|
|
83845a |
+++ b/checkpolicy/policy_define.c
|
|
|
83845a |
@@ -4088,8 +4088,6 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
|
|
|
83845a |
static int set_user_roles(role_set_t * set, char *id)
|
|
|
83845a |
{
|
|
|
83845a |
role_datum_t *r;
|
|
|
83845a |
- unsigned int i;
|
|
|
83845a |
- ebitmap_node_t *node;
|
|
|
83845a |
|
|
|
83845a |
if (strcmp(id, "*") == 0) {
|
|
|
83845a |
free(id);
|
|
|
83845a |
@@ -4115,12 +4113,9 @@ static int set_user_roles(role_set_t * set, char *id)
|
|
|
83845a |
return -1;
|
|
|
83845a |
}
|
|
|
83845a |
|
|
|
83845a |
- /* set the role and every role it dominates */
|
|
|
83845a |
- ebitmap_for_each_positive_bit(&r->dominates, node, i) {
|
|
|
83845a |
- if (ebitmap_set_bit(&set->roles, i, TRUE))
|
|
|
83845a |
- goto oom;
|
|
|
83845a |
- }
|
|
|
83845a |
free(id);
|
|
|
83845a |
+ if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE))
|
|
|
83845a |
+ goto oom;
|
|
|
83845a |
return 0;
|
|
|
83845a |
oom:
|
|
|
83845a |
yyerror("out of memory");
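Review bot: The new call `ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE)` depends on the looked-up role already having a 1-based value assigned, yet the comment that explained the removed loop was dropped and nothing now states that invariant; a line such as `/* role values are 1-based; the bit index is value - 1 */` above the call would make it explicit. If `r->s.value` can still be 0 for a datum that has not been assigned a value (this hunk alone does not show where the value is set), the unsigned subtraction wraps to a huge bit index and ebitmap_set_bit would try to grow the map up to it, so a guard like `if (r->s.value == 0) { free(id); return -1; }` placed before `free(id)` would turn that into a reported error instead of an allocation failure. The first hunk only drops the locals this loop used and needs no further change. The body of set_user_roles continues past the end of this hunk, after the oom label.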
--
2.32.0