Merge pull request #138 from tweksteen/add_netlink_xperm

Add support for nlmsg extended permission

.github/workflows/tests.yml

@@ -4,7 +4,7 @@ on: [push, pull_request]
 
 env:
   # This should be the minimum version required to run setools:
-  SELINUX_USERSPACE_VERSION: 3.2
+  SELINUX_USERSPACE_VERSION: main
 
   # GitHub doesn't support building env
   # vars from others in this block.

setools/__init__.py

@@ -26,7 +26,7 @@
     IoctlSet, Iomemcon, IomemconRange, Ioportcon, IoportconRange, Level, LevelDecl, MLSRule, \
     Netifcon, Nodecon, ObjClass, Pcidevicecon, Pirqcon, PolicyCapability, Portcon, PortconRange, \
     Range, Role, RoleAllow, RoleTransition, Sensitivity, TERule, TruthTableRow, Type, \
-    TypeAttribute, User, Validatetrans
+    TypeAttribute, User, Validatetrans, XpermSet
 
 # Exceptions
 from . import exception

setools/diff/terules.py

@@ -41,9 +41,9 @@ class ModifiedAVRuleXperm(DifferenceResult):
     """Difference details for a modified access vector rule."""
 
     rule: policyrep.AVRuleXperm
-    added_perms: policyrep.IoctlSet
-    removed_perms: policyrep.IoctlSet
-    matched_perms: policyrep.IoctlSet
+    added_perms: policyrep.XpermSet
+    removed_perms: policyrep.XpermSet
+    matched_perms: policyrep.XpermSet
 
 
 @dataclass(frozen=True, order=True)
@@ -365,9 +365,9 @@ def diff(self) -> None:
             if added_perms or removed_perms:
                 modified.append(
                     ModifiedAVRuleXperm(left_rule.origin,
-                                        policyrep.IoctlSet(added_perms),
-                                        policyrep.IoctlSet(removed_perms),
-                                        policyrep.IoctlSet(p[0] for p in matched_perms)))
+                                        policyrep.XpermSet(added_perms),
+                                        policyrep.XpermSet(removed_perms),
+                                        policyrep.XpermSet(p[0] for p in matched_perms)))
 
         setattr(self, f"added_{ruletype}s", set(a.origin for a in added))
         setattr(self, f"removed_{ruletype}s", set(r.origin for r in removed))

setools/policyrep.pyi

@@ -43,7 +43,7 @@ class PolicyRule(PolicyObject):
     target: "PolicySymbol" = ...
     tclass: "ObjClass" = ...
     xperm_type: str = ...
-    perms: frozenset[str] | "IoctlSet" = ...
+    perms: frozenset[str] | "XpermSet" = ...
     default: PolicyObject = ...
     filename: str = ...
     def enabled(self, **kwargs) -> bool: ...
@@ -101,7 +101,7 @@ class AVRule(BaseTERule):
 
 class AVRuleXperm(BaseTERule):
     default: NoReturn = ...
-    perms: "IoctlSet" = ...
+    perms: "XpermSet" = ...
     xperm_type: str = ...
     def expand(self, *args, **kwargs) -> Iterable["AVRuleXperm"]: ...
 
@@ -247,9 +247,11 @@ class IbpkeyconRange:
 class InitialSID(Ocontext):
     name: str = ...
 
-class IoctlSet(frozenset[int]):
+class XpermSet(frozenset[int]):
     def ranges(self) -> int: ...
 
+class IoctlSet(XpermSet): ...
+
 class Iomemcon(Ocontext):
     addr: "IomemconRange" = ...
 

setools/policyrep/sepol.pxd

@@ -157,6 +157,7 @@ cdef extern from "<sepol/policydb/avtab.h>":
     #
     cdef int AVTAB_XPERMS_IOCTLFUNCTION
     cdef int AVTAB_XPERMS_IOCTLDRIVER
+    cdef int AVTAB_XPERMS_NLMSG
 
     cdef struct avtab_extended_perms:
         uint8_t specified
@@ -437,6 +438,7 @@ cdef extern from "<sepol/policydb/policydb.h>":
     #
     cdef int AVRULE_XPERMS_IOCTLFUNCTION
     cdef int AVRULE_XPERMS_IOCTLDRIVER
+    cdef int AVRULE_XPERMS_NLMSG
     cdef int EXTENDED_PERMS_LEN
 
     cdef struct av_extended_perms:

setools/policyrep/terule.pxi

@@ -213,11 +213,11 @@ cdef class AVRule(BaseTERule):
         return self.rule_string
 
 
-cdef class IoctlSet(frozenset):
+cdef class XpermSet(frozenset):
 
     """
     A set with overridden string functions which compresses
-    the output into ioctl ranges instead of individual elements.
+    the output into ioctl/nlmsg ranges instead of individual elements.
     """
 
     def __format__(self, spec):
@@ -249,7 +249,7 @@ cdef class IoctlSet(frozenset):
         elif spec == ",":
             return ", ".join(shortlist)
         else:
-            return super(IoctlSet, self).__format__(spec)
+            return super().__format__(spec)
 
     def __str__(self):
         return f"{self}"
@@ -267,12 +267,20 @@ cdef class IoctlSet(frozenset):
             sorted(self), key=lambda k, c=itertools.count(): k - next(c)))
 
 
+cdef class IoctlSet(XpermSet):
+
+    def __init__(self, *args, **kwargs):
+        log = logging.getLogger(__name__)
+        log.warning("IoctlSet is deprecated, use XpermSet instead.")
+        super().__init__(*args, **kwargs)
+
+
 cdef class AVRuleXperm(BaseTERule):
 
     """An extended permission access vector type enforcement rule."""
 
     cdef:
-        readonly IoctlSet perms
+        readonly XpermSet perms
         readonly str xperm_type
 
     @staticmethod
@@ -292,9 +300,10 @@ cdef class AVRuleXperm(BaseTERule):
         #
         for curr in range(len):
             if sepol.xperm_test(curr, xperms.perms):
-                if xperms.specified & sepol.AVTAB_XPERMS_IOCTLFUNCTION:
+                if (xperms.specified == sepol.AVTAB_XPERMS_IOCTLFUNCTION \
+                    or xperms.specified == sepol.AVTAB_XPERMS_NLMSG):
                     perms.add(xperms.driver << 8 | curr)
-                elif xperms.specified & sepol.AVTAB_XPERMS_IOCTLDRIVER:
+                elif xperms.specified == sepol.AVTAB_XPERMS_IOCTLDRIVER:
                     base_value = curr << 8
                     perms.update(range(base_value, base_value + 0x100))
                 else:
@@ -309,6 +318,8 @@ cdef class AVRuleXperm(BaseTERule):
         if datum.xperms.specified == sepol.AVTAB_XPERMS_IOCTLFUNCTION \
             or datum.xperms.specified == sepol.AVTAB_XPERMS_IOCTLDRIVER:
             xperm_type = intern("ioctl")
+        elif datum.xperms.specified == sepol.AVTAB_XPERMS_NLMSG:
+            xperm_type = intern("nlmsg")
         else:
             raise LowLevelPolicyError(f"Unknown extended permission: {datum.xperms.specified}")
 
@@ -322,7 +333,7 @@ cdef class AVRuleXperm(BaseTERule):
         r.source = type_or_attr_factory(policy, policy.type_value_to_datum(key.source_type - 1))
         r.target = type_or_attr_factory(policy, policy.type_value_to_datum(key.target_type - 1))
         r.tclass = ObjClass.factory(policy, policy.class_value_to_datum(key.target_class - 1))
-        r.perms = IoctlSet(perms)
+        r.perms = XpermSet(perms)
         r.extended = True
         r.xperm_type = xperm_type
         r._conditional = conditional

setools/terulequery.py

@@ -80,11 +80,11 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
     boolean = CriteriaSetDescriptor[policyrep.Boolean]("boolean_regex", "lookup_boolean")
     boolean_regex: bool = False
     boolean_equal: bool = False
-    _xperms: policyrep.IoctlSet | None = None
+    _xperms: policyrep.XpermSet | None = None
     xperms_equal: bool = False
 
     @property
-    def xperms(self) -> policyrep.IoctlSet | None:
+    def xperms(self) -> policyrep.XpermSet | None:
         return self._xperms
 
     @xperms.setter
@@ -104,7 +104,7 @@ def xperms(self, value: Iterable[tuple[int, int]] | None) -> None:
 
                 pending_xperms.update(i for i in range(low, high + 1))
 
-            self._xperms = policyrep.IoctlSet(pending_xperms)
+            self._xperms = policyrep.XpermSet(pending_xperms)
         else:
             self._xperms = None
 

tests/library/policyrep/rules.conf

@@ -17,7 +17,8 @@ common infoflow
 	low_r
 	med_r
 	hi_r
-    ioctl
+	ioctl
+	nlmsg
 }
 
 class infoflow
@@ -120,7 +121,7 @@ if (a_bool) {
 type_transition type31b system:infoflow4 type30 "the_filename";
 
 allowxperm type30 type31a:infoflow ioctl 0x00ff;
-auditallowxperm type31a type31b:infoflow ioctl { 0x001-0x0003 };
+auditallowxperm type31a type31b:infoflow nlmsg { 0x001-0x0003 };
 
 allow system self:infoflow hi_w;
 range_transition type30 system:infoflow7 s0:c1 - s2:c0.c4;