assertion.c revision 255e72915d4cbddceb435e13d81601755714e9f3 
1/* Authors: Joshua Brindle <jbrindle@tresys.com>
2 *
3 * Assertion checker for avtab entries, taken from
4 * checkpolicy.c by Stephen Smalley <sds@tycho.nsa.gov>
5 *
6 * Copyright (C) 2005 Tresys Technology, LLC
7 *
8 *  This library is free software; you can redistribute it and/or
9 *  modify it under the terms of the GNU Lesser General Public
10 *  License as published by the Free Software Foundation; either
11 *  version 2.1 of the License, or (at your option) any later version.
12 *
13 *  This library is distributed in the hope that it will be useful,
14 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
15 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16 *  Lesser General Public License for more details.
17 *
18 *  You should have received a copy of the GNU Lesser General Public
19 *  License along with this library; if not, write to the Free Software
20 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
21 */
22
23#include <sepol/policydb/avtab.h>
24#include <sepol/policydb/policydb.h>
25#include <sepol/policydb/expand.h>
26#include <sepol/policydb/util.h>
27
28#include "debug.h"
29
30static int check_assertion_helper(sepol_handle_t * handle,
31				  policydb_t * p,
32				  avtab_t * te_avtab, avtab_t * te_cond_avtab,
33				  unsigned int stype, unsigned int ttype,
34				  class_perm_node_t * perm, unsigned long line)
35{
36	avtab_key_t avkey;
37	avtab_ptr_t node;
38	class_perm_node_t *curperm;
39
40	for (curperm = perm; curperm != NULL; curperm = curperm->next) {
41		avkey.source_type = stype + 1;
42		avkey.target_type = ttype + 1;
43		avkey.target_class = curperm->class;
44		avkey.specified = AVTAB_ALLOWED;
45		for (node = avtab_search_node(te_avtab, &avkey);
46		     node != NULL;
47		     node = avtab_search_node_next(node, avkey.specified)) {
48			if (node->datum.data & curperm->data)
49				goto err;
50		}
51		for (node = avtab_search_node(te_cond_avtab, &avkey);
52		     node != NULL;
53		     node = avtab_search_node_next(node, avkey.specified)) {
54			if (node->datum.data & curperm->data)
55				goto err;
56		}
57	}
58
59	return 0;
60
61      err:
62	if (line) {
63		ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
64		    line, p->p_type_val_to_name[stype],
65		    p->p_type_val_to_name[ttype],
66		    p->p_class_val_to_name[curperm->class - 1],
67		    sepol_av_to_string(p, curperm->class,
68				       node->datum.data & curperm->data));
69	} else {
70		ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
71		    p->p_type_val_to_name[stype],
72		    p->p_type_val_to_name[ttype],
73		    p->p_class_val_to_name[curperm->class - 1],
74		    sepol_av_to_string(p, curperm->class,
75				       node->datum.data & curperm->data));
76	}
77	return -1;
78}
79
80int check_assertions(sepol_handle_t * handle, policydb_t * p,
81		     avrule_t * avrules)
82{
83	avrule_t *a;
84	avtab_t te_avtab, te_cond_avtab;
85	ebitmap_node_t *snode, *tnode;
86	unsigned int i, j;
87	int rc;
88
89	if (!avrules) {
90		/* Since assertions are stored in avrules, if it is NULL
91		   there won't be any to check. This also prevents an invalid
92		   free if the avtabs are never initialized */
93		return 0;
94	}
95
96	if (avrules) {
97		if (avtab_init(&te_avtab))
98			goto oom;
99		if (avtab_init(&te_cond_avtab)) {
100			avtab_destroy(&te_avtab);
101			goto oom;
102		}
103		if (expand_avtab(p, &p->te_avtab, &te_avtab) ||
104		    expand_avtab(p, &p->te_cond_avtab, &te_cond_avtab)) {
105			avtab_destroy(&te_avtab);
106			avtab_destroy(&te_cond_avtab);
107			goto oom;
108		}
109	}
110
111	for (a = avrules; a != NULL; a = a->next) {
112		ebitmap_t *stypes = &a->stypes.types;
113		ebitmap_t *ttypes = &a->ttypes.types;
114
115		if (!(a->specified & AVRULE_NEVERALLOW))
116			continue;
117
118		ebitmap_for_each_bit(stypes, snode, i) {
119			if (!ebitmap_node_get_bit(snode, i))
120				continue;
121			if (a->flags & RULE_SELF) {
122				if (check_assertion_helper
123				    (handle, p, &te_avtab, &te_cond_avtab, i, i,
124				     a->perms, a->line)) {
125					rc = -1;
126					goto out;
127				}
128			}
129			ebitmap_for_each_bit(ttypes, tnode, j) {
130				if (!ebitmap_node_get_bit(tnode, j))
131					continue;
132				if (check_assertion_helper
133				    (handle, p, &te_avtab, &te_cond_avtab, i, j,
134				     a->perms, a->line)) {
135					rc = -1;
136					goto out;
137				}
138			}
139		}
140	}
141
142	rc = 0;
143out:
144	avtab_destroy(&te_avtab);
145	avtab_destroy(&te_cond_avtab);
146	return rc;
147
148      oom:
149	ERR(handle, "Out of memory - unable to check neverallows");
150	return -1;
151}
152