f5602f5ff980435ee2aefed35ba643310ceeac25
01-Dec-2015
Steve Lawrence <slawrence@tresys.com>
libsepol/cil: Add support for neverallowx

Add a new statement, neverallowx, which has the same syntax as allowx:

(neverallowx foo bar (ioctl file (range 0x2000 0x20FF)))
(allowx foo bar (ioctl file (0x20A0))) ; this fails

Much of the changes just move functions around or split functions up to ease the sharing of avrule and avrulex comparisons with neverallows. This refactoring also modifies the avrule struct to include a union of either class permission information for standard avrules or extended permission information for extended avrules, also done to support sharing code.

This also changes assertion.c and avtab.c to allow check_assertion_avtab_match to work with extended avrules.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/cil/src/cil_build_ast.c

71dd7b71338e832da8e446d565e6cd871b8a08f6
10-Nov-2015
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
secilc: Add support for unordered classes

Resolves https://github.com/SELinuxProject/cil/issues/3

An 'unordered' keyword provides the ability to append classes to the current list of ordered classes. This allows users to not need knowledge of existing classes when creating a class and fixes dependencies on classes when removing a module. This enables userspace object managers with custom objects to be modularized.

If a class is declared in both an unordered and ordered statement, then the ordered statement will supersede the unordered declaration.

Example usage:

; Appends new_class to the existing list of classes
(class new_class ())
(classorder (unordered new_class))

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c

77779d2ca5a0c6efd113ff34cee432d5bb951f09
10-Sep-2015
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
libsepol/cil: Add userattribute{set} functionality

This adds a userattribute statement that may be used in userroles and constraints. The syntax is the same as typeattributeset. Also, disallow roleattributes where roles are accepted in contexts.

Specify a userattribute
(userattribute foo)

Add users to the set foo
(userattributeset foo (u1 u2))

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c

b6e519e54261d14d553a28bcd1fed88f96752c26
10-Sep-2015
Steve Lawrence <slawrence@tresys.com>
libsepol/cil: fix blockinherit copying segfault and add macro restrictions

When we copy a blockinherit statement, we perform actions that assume the blockinherit statement was already resolved. However, this isn't the case if the statement was copied from a tunableif or an in-statement, since those are resolved before blockinherits and blocks. So when copying a blockinherit that hasn't been resolved, ignore the code that associates blocks with the blockinherit; that will all be handled when the copied blockinherit is actually resolved later.

Additionally, restrict block, blockabstract, and blockinherit statements from appearing in macros. These statements are all resolved before macros due to ordering issues, so they must not appear inside macros. Note that in addition to doing the checks in build_ast, they are also done in resolve_ast. This is because an in-statement could copy a block statement into a macro, which we would not know about until after the in-statement was resolved.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c

ef93dfe0393c4a60483c3f7729dd98a2f886606a
28-Aug-2015
Steve Lawrence <slawrence@tresys.com>
libsepol/cil: add ioctl whitelist support

Add three new extended avrule statements with the following syntax:

(allowx source_type target_type permissionx)
(auditallowx source_type target_type permissionx)
(dontauditx source_type target_type permissionx)

source_type - type, typeattribute, or typealias
target_type - type, typeattribute, typealias, or "self" keyword
permissionx - named or anonymous permissionx statement, which has the syntax:

(permissionx name (kind object expression))

name - unique identifier of the permissionx statement
kind - must be "ioctl"; could be extended in the future
object - class or classmap
expression - standard CIL expression containing hexadecimal values, prefixed with '0x', and the expression keywords 'or', 'xor', 'and', 'not', 'range', or 'all'. Values must be between 0x0000 and 0xFFFF. Values may also be provided in decimal, or in octal if starting with '0'.

For example:

(allowx src_t tgt_t (ioctl cls (0x1111 0x1222 0x1333)))
(allowx src_t tgt_t (ioctl cls (range 0x1400 0x14FF)))
(allowx src_t tgt_t (ioctl cls (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F)))))
(permissionx ioctl_nodebug (ioctl cls (not (range 0x2010 0x2013))))
(allowx src_t tgt_t ioctl_nodebug)

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c
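The expression syntax of this commit and the neverallowx check from the 01-Dec-2015 commit above, worked as an added example that is not libsepol/cil code: a small S-expression reader evaluates an anonymous permissionx ioctl expression to the set of command numbers it covers, and neverallowx_violations reports which values an allowx grants inside a neverallowx for the same source, target and class. The function names, the simplified reader, and the handling of only anonymous (inline) permissionx forms are my own assumptions.

```python
import re
from functools import reduce
# Added example, not libsepol/cil code: evaluates the permissionx ioctl expression
# syntax from the commit message and checks an allowx against a neverallowx.
ALL = frozenset(range(0x10000))  # ioctl values run 0x0000..0xFFFF per the syntax
SETOPS = {"or": frozenset.__or__, "and": frozenset.__and__, "xor": frozenset.__xor__}

def tokenize(text):  # split a CIL S-expression into '(' / ')' and atoms
    return re.findall(r"\(|\)|[^\s()]+", text)

def parse(tokens):  # recursive-descent reader: returns nested lists of atoms
    tok = tokens.pop(0)
    if tok != "(":
        return tok
    node = []
    while tokens[0] != ")":
        node.append(parse(tokens))
    tokens.pop(0)  # drop the closing ')'
    return node

def parse_value(atom):  # '0x' hex, leading '0' octal, otherwise decimal
    if atom.lower().startswith("0x"):
        value = int(atom, 16)
    elif len(atom) > 1 and atom.startswith("0"):
        value = int(atom, 8)
    else:
        value = int(atom, 10)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"ioctl value out of range: {atom}")
    return value

def evaluate(expr):  # reduce an expression to a frozenset of ioctl values
    if isinstance(expr, str):  # bare atom: the 'all' keyword or one number
        return ALL if expr == "all" else frozenset({parse_value(expr)})
    head = expr[0]
    if head == "range":  # inclusive range of values
        return frozenset(range(parse_value(expr[1]), parse_value(expr[2]) + 1))
    if head == "not":  # complement within the valid ioctl space
        return ALL - evaluate(expr[1])
    if head in SETOPS:
        return reduce(SETOPS[head], (evaluate(e) for e in expr[1:]))
    return reduce(frozenset.__or__, (evaluate(e) for e in expr))  # plain value list

def neverallowx_violations(allowx, neverallowx):
    """Values the allowx grants that the neverallowx forbids; empty means it holds."""
    a, n = parse(tokenize(allowx)), parse(tokenize(neverallowx))
    if a[1:3] != n[1:3] or a[3][0] != "ioctl" or a[3][1] != n[3][1]:
        return frozenset()  # different subjects or class: nothing to compare
    return evaluate(a[3][2]) & evaluate(n[3][2])
```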

d03e9373e82d143c396401adf4912ed0ea490ecf
23-Mar-2015
Richard Haines <richard_c_haines@btinternet.com>
libsepol: Fix building Xen policy with devicetreecon

Problems fixed:
1) Fix core dump when building CIL policy (corrupted double-linked list) by Steve Lawrence <slawrence@tresys.com>
2) Binary policy failed to read with devicetreecon statement.
3) Free path name - With a Xen policy running secilc/valgrind there are no memory errors.

Also added devicetreecon statement to CIL policy.cil and updated the CIL Reference Guide.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/external/selinux/libsepol/cil/src/cil_build_ast.c

f0290677091e7eee4a3724a2a86ede9e11f93802
17-Mar-2015
Daniel De Graaf <dgdegra@tycho.nsa.gov>
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy

In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c

82030de5dc8d08a9417842156293c65fef9dc70c
17-Mar-2015
Daniel De Graaf <dgdegra@tycho.nsa.gov>
libsepol, checkpolicy: widen Xen IOMEM ocontext entries

This expands IOMEMCON device context entries to 64 bits. This change is required to support static I/O memory range labeling for systems with over 16TB of physical address space. The policy version number change is shared with the next patch.

While this makes no changes to SELinux policy, a new SELinux policy compatibility entry was added in order to avoid breaking compilation of an SELinux policy without explicitly specifying the policy version.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/libsepol/cil/src/cil_build_ast.c

28ae74e112a031e1aeb22a2083568a881491b6db
18-Feb-2015
Steve Lawrence <slawrence@tresys.com>
Merge commit '76ba6eaa7333483a8cc0c73a7880f7acf99c2656'

72dc45bf5488a957d9db32531749a55fea414619
03-Dec-2014
Steve Lawrence <slawrence@tresys.com>
Merge commit '80afe7b2ce0b06f93b6b3a07e58cab1aee8afc91'

450a3ea21694aafebb46254716c1a7aa0243c09f
06-Oct-2014
Steve Lawrence <slawrence@tresys.com>
Merge commit '847aa150e30e6147c28ed9807fae4dc232b5a8fe'

bbbd58e1252a06550810ae6f7b40b867841da918
02-Oct-2014
Steve Lawrence <slawrence@tresys.com>
Merge commit 'a3abb2c05301b24ad2f8307d07734d89ddf808d8' into merge

bb0f8beff890195cfd459c67230c6130c86b3214
26-Aug-2014
Steve Lawrence <slawrence@tresys.com>
Merge commit 'b19eafb97feb6389d78e1693f276fc5b10e25bd6' as 'libsepol/cil'