From 4c240ba6430d2e46f0c2134bcd0b76de3df85e9a Mon Sep 17 00:00:00 2001
From: Matt Sheets
Date: Mon, 24 Apr 2023 10:45:06 -0700
Subject: [PATCH 1/6] Fix issue with annotations and nested extensions
Previously any annotations on a nested extension would be ignored. The code will now properly propagate the annotations to the types created by the extensions.
---
 src/compile.rs | 70 ++++++++++++++++++++++++++++++++++++---------
 src/internal_rep.rs | 16 +++++++++++
 src/lib.rs | 26 +++++++++++------
 3 files changed, 89 insertions(+), 23 deletions(-)
diff --git a/src/compile.rs b/src/compile.rs
index 1a7671a3..e8af59b6 100644
--- a/src/compile.rs
+++ b/src/compile.rs
@@ -10,7 +10,7 @@ use std::ops::Range;
 use crate::alias_map::Declared;
 use crate::ast::{
 Argument, CascadeString, Declaration, Expression, FuncCall, LetBinding, Machine, Module,
- PolicyFile, Statement,
+ PolicyFile, Statement, TypeDecl,
 };
 use crate::constants;
 use crate::context::{BindableObject, BlockType, Context as BlockContext};
@@ -24,7 +24,8 @@ use crate::functions::{
 };
 use crate::internal_rep::{
 generate_sid_rules, get_type_annotations, validate_derive_args, Annotated, AnnotationInfo,
- Associated, ClassList, Context, Sid, TypeInfo, TypeInstance, TypeMap, TypeVar,
+ Associated, ClassList, Context, InsertExtendTiming, Sid, TypeInfo, TypeInstance, TypeMap,
+ TypeVar,
 };
 use crate::machine::{MachineMap, ModuleMap, ValidatedMachine, ValidatedModule};
 use crate::warning::{Warnings, WithWarnings};
@@ -116,6 +117,31 @@ fn generate_cil_headers(
 ret
 }
+// Helper function for getting annotations from a typeDecl and adding them to a map
+// of annotations
+// Returns a bool as an error flag
+fn map_annotation_info(
+ file: &SimpleFile,
+ key: CascadeString,
+ type_decl: &TypeDecl,
+ warnings: &mut Warnings,
+ errors: &mut CascadeErrors,
+ annotation_map: &mut BTreeMap>,
+) -> bool {
+ let mut annotation_infos = match get_type_annotations(file, &type_decl.annotations) {
+ Ok(ai) => ai.inner(warnings),
+ Err(e) => {
+ errors.append(e.into());
+ return false;
+ }
+ };
+ if !annotation_infos.is_empty() {
+ let annotations = annotation_map.entry(key).or_insert_with(BTreeSet::new);
+ annotations.append(&mut annotation_infos);
+ }
+ true
+}
+
 // Extend the type map by inserting new types found in a given policy file
 // Returns a map of annotations on extend {} blocks, so that the real types can be augmented with
 // them after all types have been inserted
@@ -154,7 +180,21 @@ pub fn extend_type_map(
 });
 let annotations = ret.entry(t.name.clone()).or_insert_with(BTreeSet::new);
 annotations.insert(ann_to_insert);
- };
+ } else {
+ // Insert its annotations
+ if !map_annotation_info(
+ &p.file,
+ CascadeString::from(
+ t.name.to_string() + "." + associated_type.name.as_ref(),
+ ),
+ associated_type,
+ &mut warnings,
+ &mut errors,
+ &mut ret,
+ ) {
+ continue;
+ }
+ }
 }
 }
@@ -168,16 +208,15 @@ pub fn extend_type_map(
 }
 } else {
 // Insert its annotations
- let mut annotation_infos = match get_type_annotations(&p.file, &t.annotations) {
- Ok(ai) => ai.inner(&mut warnings),
- Err(e) => {
- errors.append(e.into());
- continue;
- }
- };
- if !annotation_infos.is_empty() {
- let annotations = ret.entry(t.name.clone()).or_insert_with(BTreeSet::new);
- annotations.append(&mut annotation_infos);
+ if !map_annotation_info(
+ &p.file,
+ t.name.clone(),
+ t,
+ &mut warnings,
+ &mut errors,
+ &mut ret,
+ ) {
+ continue;
+ }
 }
 }
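Review bot: `map_annotation_info` signals failure through a bare `bool`, and the header comment `Returns a bool as an error flag` reads backwards because `true` is the success value; both call sites only `continue` on `false`, so the contract is easy to misread. Since the error is already pushed into `errors` before the early return, state that explicitly in a `///` doc comment instead of the `//` block, e.g. `/// Parses the annotations on type_decl and merges them into annotation_map under key.` followed by `/// Returns false if get_type_annotations failed; the error has already been appended to errors.`. If the project prefers a typed signal, `Result<(), ()>` with `.is_err()` at the call sites carries the same information without the inverted flag.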
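Review bot: The map key for a nested extend is assembled by hand, `t.name.to_string() + "." + associated_type.name.as_ref()`, and `insert_extend_annotations` later resolves it with `type_map.get_mut(...)`, which by its own comment skips misses silently; so if nested types are registered under any other spelling (the expected CIL in this series prints them as `abc-xyz`), an `@alias` or `@derive` on the nested extend is dropped without a diagnostic. If the crate already has one function that builds the nested type name when the type is inserted, call it here; otherwise add `// Must match the key under which extend_type_map registers the nested type` so the coupling is visible. The nested_alias test added later in this series exercises only the matching case. `extend_type_map` begins and ends outside this hunk.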
@@ -205,6 +244,7 @@ pub fn verify_extends(p: &PolicyFile, type_map: &TypeMap) -> Result<(), CascadeE
 pub fn insert_extend_annotations(
 type_map: &mut TypeMap,
 extend_annotations: BTreeMap>,
+ timing: InsertExtendTiming,
 ) {
 for (annotated_type, annotations) in extend_annotations {
 // If get_mut() returns None, that means we added an annotation on an extend for a type
@@ -212,7 +252,9 @@ pub fn insert_extend_annotations(
 // whether we added an annotation, so we can just skip silently for now
 if let Some(t) = type_map.get_mut(annotated_type.as_ref()) {
 for a in annotations {
- t.annotations.insert(a);
+ if a.insert_timing() == timing {
+ t.annotations.insert(a);
+ }
 }
 }
 }
diff --git a/src/internal_rep.rs b/src/internal_rep.rs
index b7306525..17eda3ad 100644
--- a/src/internal_rep.rs
+++ b/src/internal_rep.rs
@@ -36,6 +36,12 @@ pub struct Associated {
 pub resources: BTreeSet,
 }
+#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
+pub enum InsertExtendTiming {
+ Early,
+ Late,
+}
+
 #[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
 pub enum AnnotationInfo {
 MakeList,
@@ -119,6 +125,16 @@ impl AnnotationInfo {
 }
 }
 }
+
+ pub fn insert_timing(&self) -> InsertExtendTiming {
+ match self {
+ AnnotationInfo::Associate(_) => InsertExtendTiming::Early,
+ AnnotationInfo::Derive(_) => InsertExtendTiming::Late,
+ AnnotationInfo::NoDerive => InsertExtendTiming::Late,
+ AnnotationInfo::MakeList => InsertExtendTiming::Late,
+ AnnotationInfo::Alias(_) => InsertExtendTiming::Late,
+ }
+ }
 }
 pub trait Annotated {
diff --git a/src/lib.rs b/src/lib.rs
index f8c802ec..79251096 100644
--- a/src/lib.rs
+++ b/src/lib.rs
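Review bot: The `None` arm of `type_map.get_mut(annotated_type.as_ref())` still discards every annotation whose target type is not found, and the new `timing` filter makes that harder to notice because each pass is now expected to skip part of the map by design. For a policy compiler this is a correctness hole rather than a convenience: an `@alias`, `@derive` or `@associate` the author wrote on an `extend {}` block vanishes from the emitted CIL with no diagnostic, and the nested-extend key is built by string concatenation in `extend_type_map`, so a spelling mismatch would be invisible. Suggest threading `warnings: &mut Warnings` through (both callers in lib.rs have one in scope) and emitting a warning in the miss case, replacing `so we can just skip silently for now`. The function's closing braces lie outside the second hunk.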
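Review bot: `InsertExtendTiming` and `insert_timing()` carry no doc comment, so the meaning of `Early` and `Late` can only be recovered from the two call sites in lib.rs. Suggest on the enum `/// Pass of compile_machine_policies_internal in which an annotation taken from an extend {} block is applied to its type: Early = right after the first type-collection loop, Late = after the second one.`, and on the method one line saying why `Associate` is the only early variant (presumably because association creates types the later pass must see — confirm and state it). Since the enum is two unit variants compared with `==`, adding `Copy` to the derive list would let `timing` be passed by value without moves being a concern.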
@@ -26,6 +26,7 @@ use crate::ast::{Argument, CascadeString, Declaration, Expression, Policy, Polic
 use crate::context::{BlockType, Context};
 use crate::error::{CascadeErrors, InternalError, InvalidMachineError, ParseErrorMsg};
 use crate::functions::{FunctionClass, FunctionMap};
+use crate::internal_rep::InsertExtendTiming;
 use crate::machine::{MachineMap, ModuleMap, ValidatedMachine, ValidatedModule};
 use crate::util::append_set_map;
 pub use crate::warning::Warnings;
@@ -120,9 +121,9 @@ fn compile_machine_policies_internal(
 let mut type_map = compile::get_built_in_types_map()?;
 let mut module_map = ModuleMap::new();
 let mut machine_map = MachineMap::new();
+ let mut extend_annotations = BTreeMap::new();
 {
- let mut extend_annotations = BTreeMap::new();
 // Collect all type declarations
 for p in &policies {
 match compile::extend_type_map(p, &mut type_map) {
@@ -134,7 +135,11 @@ fn compile_machine_policies_internal(
 }
 }
- compile::insert_extend_annotations(&mut type_map, extend_annotations);
+ compile::insert_extend_annotations(
+ &mut type_map,
+ extend_annotations.clone(),
+ InsertExtendTiming::Early,
+ );
 // Stops if something went wrong for this major step.
 errors = errors.into_result_self()?;
@@ -191,6 +196,11 @@ fn compile_machine_policies_internal(
 }
 Err(e) => errors.append(e),
 }
+ compile::insert_extend_annotations(
+ &mut type_map,
+ extend_annotations,
+ InsertExtendTiming::Late,
+ );
 }
 // Stops if something went wrong for this major step.
 errors = errors.into_result_self()?;
@@ -1181,14 +1191,12 @@ mod tests { #[test] fn virtual_function_associate_error() { - // TODO: This is broken because we miss annotations on nested extensions. Reenable once - // that is fixed // TODO: This should be a compile error. See comment in validate_functions() - //error_policy_test!( - // "virtual_function_association.cas", - // 1, - // ErrorItem::Internal(_) - //); + error_policy_test!( + "virtual_function_association.cas", + 1, + ErrorItem::Internal(_) + ); //error_policy_test!("virtual_function_association.cas", 1, ErrorItem::Compile(_)); } From 06e7c4ffe122316c0a5c72555e3b26234a6ab438 Mon Sep 17 00:00:00 2001 From: Matt Sheets Date: Tue, 25 Apr 2023 01:26:44 -0700 Subject: [PATCH 2/6] Review comments Adding new test case for aliases on nested extend --- data/expected_cil/nested_alias.cil | 174 +++++++++++++++++++++++++++++ data/policies/nested_alias.cas | 22 ++++ src/lib.rs | 15 +++ 3 files changed, 211 insertions(+) create mode 100644 data/expected_cil/nested_alias.cil create mode 100644 data/policies/nested_alias.cas diff --git a/data/expected_cil/nested_alias.cil b/data/expected_cil/nested_alias.cil new file mode 100644 index 00000000..972515bf --- /dev/null +++ b/data/expected_cil/nested_alias.cil 
@@ -0,0 +1,174 @@ +(class alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class anon_inode (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class association (sendto recvfrom setcontext polmatch)) +(class atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class binder (impersonate call set_context_mgr transfer)) +(class blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class bpf (map_create map_read map_write prog_load prog_run)) +(class caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map 
bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class cap2_userns (mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore)) +(class cap_userns (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)) +(class capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)) +(class capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore)) +(class chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class dbus (acquire_svc send_msg)) +(class dccp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)) +(class decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir)) +(class fd (use)) +(class fifo_file (ioctl read write create getattr setattr lock 
relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)) +(class filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch)) +(class icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)) +(class ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class infiniband_endpoint (manage_subnet)) +(class infiniband_pkey (access)) +(class ipc (create destroy getattr setattr read write associate unix_read unix_write)) +(class ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class kernel_service (use_as_override create_files_as)) +(class 
key (view read write search link setattr create)) +(class key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class lockdown (integrity confidentiality)) +(class memprotect (mmap_zero)) +(class msg (send receive)) +(class msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)) +(class netif (ingress egress)) +(class netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)) +(class netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen 
accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)) +(class netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)) +(class 
netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)) +(class netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class node (recvfrom sendto)) +(class node_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)) +(class packet (send recv relabelto forward_in forward_out)) +(class packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class peer (recv)) +(class perf_event (open cpu kernel tracepoint read write)) +(class phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)) +(class process2 (nnp_transition nosuid_transition)) +(class qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class 
rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)) +(class rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect association)) +(class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans)) +(class sem (create destroy getattr setattr read write associate unix_read unix_write)) +(class service (start stop status reload enable disable)) +(class shm (create destroy getattr setattr read write associate unix_read unix_write lock)) +(class smc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class system (ipc_info syslog_read syslog_mod syslog_console 
module_request module_load halt reboot status start stop enable disable reload)) +(class tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)) +(class tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)) +(class udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)) +(class unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)) +(class vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class x_application_data (paste paste_after_confirm copy)) +(class x_client (destroy getattr setattr manage)) +(class x_colormap (create destroy read write getattr add_color remove_color install uninstall use)) +(class x_cursor (create destroy read write getattr setattr use)) +(class x_drawable (create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override 
show hide send receive)) +(class x_event (send receive)) +(class x_extension (query use)) +(class x_font (create destroy getattr add_glyph remove_glyph use)) +(class x_gc (create destroy getattr setattr use)) +(class x_keyboard (getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy)) +(class x_pointer (getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy)) +(class x_property (create destroy read write append getattr setattr)) +(class x_resource (read write)) +(class x_screen (getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show)) +(class x_selection (read write getattr setattr)) +(class x_server (getattr setattr record debug grab manage)) +(class x_synthetic_event (send receive)) +(class xdp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(classorder (alg_socket anon_inode appletalk_socket association atmpvc_socket atmsvc_socket ax25_socket binder blk_file bluetooth_socket bpf caif_socket can_socket cap2_userns cap_userns capability capability2 chr_file dbus dccp_socket decnet_socket dir fd fifo_file file filesystem icmp_socket ieee802154_socket infiniband_endpoint infiniband_pkey ipc ipx_socket irda_socket isdn_socket iucv_socket kcm_socket kernel_service key key_socket llc_socket lnk_file lockdown memprotect msg msgq netif netlink_audit_socket netlink_connector_socket netlink_crypto_socket netlink_dnrt_socket netlink_fib_lookup_socket netlink_generic_socket netlink_iscsi_socket netlink_kobject_uevent_socket netlink_netfilter_socket netlink_nflog_socket netlink_rdma_socket netlink_route_socket netlink_scsitransport_socket netlink_selinux_socket netlink_socket netlink_tcpdiag_socket netlink_xfrm_socket netrom_socket 
nfc_socket node node_socket packet packet_socket peer perf_event phonet_socket pppox_socket process process2 qipcrtr_socket rawip_socket rds_socket rose_socket rxrpc_socket sctp_socket security sem service shm smc_socket sock_file socket system tcp_socket tipc_socket tun_socket udp_socket unix_dgram_socket unix_stream_socket vsock_socket x25_socket x_application_data x_client x_colormap x_cursor x_drawable x_event x_extension x_font x_gc x_keyboard x_pointer x_property x_resource x_screen x_selection x_server x_synthetic_event xdp_socket)) +(sensitivity s0) +(sensitivityorder (s0)) +(user system_u) +(role system_r) +(role object_r) +(userrole system_u system_r) +(userrole system_u object_r) +(userlevel system_u (s0)) +(userrange system_u ((s0) (s0))) +(handleunknown allow) +(typeattribute domain) +(typeattribute resource) +(type abc) +(roletype system_r abc) +(typeattributeset domain (abc)) +(typeattribute foo) +(typeattributeset domain (foo)) +(type kernel_sid) +(roletype system_r kernel_sid) +(typeattributeset domain (kernel_sid)) +(type security_sid) +(roletype object_r security_sid) +(typeattributeset resource (security_sid)) +(typeattribute tmp) +(typeattributeset resource (tmp)) +(type unlabeled_sid) +(roletype object_r unlabeled_sid) +(typeattributeset resource (unlabeled_sid)) +(typeattribute xyz) +(typeattributeset resource (xyz)) +(type abc-xyz) +(roletype object_r abc-xyz) +(typeattributeset xyz (abc-xyz)) +(typeattributeset resource (abc-xyz)) +(typealias bob) +(typealiasactual bob abc-xyz) +(type bar) +(roletype system_r bar) +(typeattributeset foo (bar)) +(typeattributeset domain (bar)) +(typeattribute foo-tmp) +(typeattributeset tmp (foo-tmp)) +(typeattributeset resource (foo-tmp)) +(type bar-tmp) +(roletype object_r bar-tmp) +(typeattributeset foo-tmp (bar-tmp)) +(typeattributeset resource (bar-tmp)) +(typealias zap) +(typealiasactual zap bar-tmp) +(macro bar-tmp-read ((type this) (type source))) +(allow bar resource (file (read))) +(sid kernel) 
+(sidcontext kernel (system_u system_r kernel_sid ((s0) (s0)))) +(sid security) +(sidcontext security (system_u object_r security_sid ((s0) (s0)))) +(sid unlabeled) +(sidcontext unlabeled (system_u object_r unlabeled_sid ((s0) (s0)))) +(sidorder (kernel security unlabeled)) \ No newline at end of file diff --git a/data/policies/nested_alias.cas b/data/policies/nested_alias.cas new file mode 100644 index 00000000..7c80310a --- /dev/null +++ b/data/policies/nested_alias.cas @@ -0,0 +1,22 @@ +virtual resource tmp { + // All children must implement read + virtual fn read(domain source) {} +} + +@associate([tmp]) +virtual domain foo {} + +domain bar inherits foo { + // Policies must contain at least one AV rule + allow(this, resource, file, [read]); + + @alias(zap) + extend tmp {} +} + +domain abc { + resource xyz {} + + @alias(bob) + extend xyz {} +} \ No newline at end of file diff --git a/src/lib.rs b/src/lib.rs index 79251096..ece1cbf5 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1599,4 +1599,19 @@ mod tests { fn derive_no_derive_test() { error_policy_test!("derive_noderive.cas", 1, ErrorItem::Compile(_)); } + + #[test] + fn valid_nested_alias() { + valid_policy_test( + "nested_alias.cas", + &[ + "(typealias zap)", + "(typealiasactual zap bar-tmp)", + "(typealias bob)", + "(typealiasactual bob abc-xyz)", + ], + &[], + 0, + ); + } } From 441a2bba09898d1b1f48a7ee41fe8d9f0c6b2b87 Mon Sep 17 00:00:00 2001 From: Matt Sheets Date: Tue, 25 Apr 2023 06:52:28 -0700 Subject: [PATCH 3/6] Review Comments We now pass extend_annotations by reference and just clone the values we are transfering. --- src/compile.rs | 6 ++++-- src/lib.rs | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/compile.rs b/src/compile.rs index e8af59b6..22f01047 100644 --- a/src/compile.rs +++ b/src/compile.rs 
@@ -243,7 +243,7 @@ pub fn verify_extends(p: &PolicyFile, type_map: &TypeMap) -> Result<(), CascadeE
 pub fn insert_extend_annotations(
 type_map: &mut TypeMap,
- extend_annotations: BTreeMap>,
+ extend_annotations: &BTreeMap>,
 timing: InsertExtendTiming,
 ) {
 for (annotated_type, annotations) in extend_annotations {
@@ -253,7 +253,9 @@ pub fn insert_extend_annotations(
 if let Some(t) = type_map.get_mut(annotated_type.as_ref()) {
 for a in annotations {
 if a.insert_timing() == timing {
- t.annotations.insert(a);
+ // Ideally we would use drain_filter but that is currently unstable.
+ // TODO once drain_filter is stable convert to using that.
+ t.annotations.insert(a.clone());
 }
 }
 }
diff --git a/src/lib.rs b/src/lib.rs
index ece1cbf5..9ccf03cd 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -137,7 +137,7 @@ fn compile_machine_policies_internal(
 compile::insert_extend_annotations(
 &mut type_map,
- extend_annotations.clone(),
+ &extend_annotations,
 InsertExtendTiming::Early,
 );
@@ -198,7 +198,7 @@ fn compile_machine_policies_internal(
 }
 compile::insert_extend_annotations(
 &mut type_map,
- extend_annotations,
+ &extend_annotations,
 InsertExtendTiming::Late,
 );
 }
From f9b03c23f587219a6c6588c883668200c5f283c9 Mon Sep 17 00:00:00 2001
From: Matt Sheets
Date: Tue, 2 May 2023 01:19:06 -0700
Subject: [PATCH 4/6] Adding late annotation comment
---
 src/lib.rs | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/lib.rs b/src/lib.rs
index 9ccf03cd..68709903 100644
--- a/src/lib.rs
+++ b/src/lib.rs
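Review bot: The new comment `Ideally we would use drain_filter but that is currently unstable` does not fit the signature this same commit introduces: `extend_annotations` is now `&BTreeMap<...>`, so nothing could be drained from it even once that API stabilises, and the `a.clone()` is the price of borrowing rather than a stand-in for an unstable method. Since the Late call in lib.rs is the last use of the map, one option is to borrow for the Early pass and move for the Late pass (e.g. accept `impl IntoIterator`), so the second pass inserts without cloning; otherwise reword to `// Cloned because the map is borrowed: the other timing pass filters the same entries.` and drop the TODO. The function's closing braces are outside the second hunk.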
@@ -188,6 +188,10 @@ fn compile_machine_policies_internal(
 );
 match compile::extend_type_map(&pf, &mut type_map) {
 Ok(ww) => {
+ // Currently we are going to drop "Late" annotations (see insert_timing()) if we do not
+ // call append_set_map here like we do above. As of writing this comment we do not
+ // encounter any Late annotations, so functionality is not effected, but performance is.
+ // We take around 100ms hit on our benchmarking which we do not want to take at this time.
 ww.inner(&mut warnings);
 policies.push(pf);
 }
From f7c138afffac8d9ec414388edc4f59cbc2aa3c46 Mon Sep 17 00:00:00 2001
From: Matt Sheets
Date: Tue, 2 May 2023 01:32:37 -0700
Subject: [PATCH 5/6] fixing test rebase issue
---
 data/expected_cil/nested_alias.cil | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/data/expected_cil/nested_alias.cil b/data/expected_cil/nested_alias.cil
index 972515bf..e8de2552 100644
--- a/data/expected_cil/nested_alias.cil
+++ b/data/expected_cil/nested_alias.cil
@@ -65,6 +65,7 @@
 (class nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
 (class node (recvfrom sendto))
 (class node_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind))
+(class nscd (getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv))
 (class packet (send recv relabelto forward_in forward_out))
 (class packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
 (class peer (recv))
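Review bot: The comment documents a silent drop without making it checkable: `ww.inner(&mut warnings)` returns the map of extend annotations collected from `pf` and the value is discarded, so the claim `we do not encounter any Late annotations` is an invariant nobody enforces, and a future `@alias` or `@derive` on an extend in one of these policies would disappear from the compiled policy with no diagnostic. Binding the result and asserting in debug builds, `let dropped = ww.inner(&mut warnings); debug_assert!(dropped.is_empty(), "Late extend annotations are not propagated here");`, keeps the documented assumption true under test without the `append_set_map` cost the comment wants to avoid in release builds. Also `effected` in the third added line should be `affected`. The enclosing loop and compile_machine_policies_internal continue outside the hunk.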
@@ -113,7 +114,7 @@
 (class x_server (getattr setattr record debug grab manage))
 (class x_synthetic_event (send receive))
 (class xdp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
-(classorder (alg_socket anon_inode appletalk_socket association atmpvc_socket atmsvc_socket ax25_socket binder blk_file bluetooth_socket bpf caif_socket can_socket cap2_userns cap_userns capability capability2 chr_file dbus dccp_socket decnet_socket dir fd fifo_file file filesystem icmp_socket ieee802154_socket infiniband_endpoint infiniband_pkey ipc ipx_socket irda_socket isdn_socket iucv_socket kcm_socket kernel_service key key_socket llc_socket lnk_file lockdown memprotect msg msgq netif netlink_audit_socket netlink_connector_socket netlink_crypto_socket netlink_dnrt_socket netlink_fib_lookup_socket netlink_generic_socket netlink_iscsi_socket netlink_kobject_uevent_socket netlink_netfilter_socket netlink_nflog_socket netlink_rdma_socket netlink_route_socket netlink_scsitransport_socket netlink_selinux_socket netlink_socket netlink_tcpdiag_socket netlink_xfrm_socket netrom_socket nfc_socket node node_socket packet packet_socket peer perf_event phonet_socket pppox_socket process process2 qipcrtr_socket rawip_socket rds_socket rose_socket rxrpc_socket sctp_socket security sem service shm smc_socket sock_file socket system tcp_socket tipc_socket tun_socket udp_socket unix_dgram_socket unix_stream_socket vsock_socket x25_socket x_application_data x_client x_colormap x_cursor x_drawable x_event x_extension x_font x_gc x_keyboard x_pointer x_property x_resource x_screen x_selection x_server x_synthetic_event xdp_socket))
+(classorder (alg_socket anon_inode appletalk_socket association atmpvc_socket atmsvc_socket ax25_socket binder blk_file bluetooth_socket bpf caif_socket can_socket cap2_userns cap_userns capability capability2 chr_file dbus dccp_socket decnet_socket dir fd fifo_file file filesystem icmp_socket ieee802154_socket infiniband_endpoint infiniband_pkey ipc ipx_socket irda_socket isdn_socket iucv_socket kcm_socket kernel_service key key_socket llc_socket lnk_file lockdown memprotect msg msgq netif netlink_audit_socket netlink_connector_socket netlink_crypto_socket netlink_dnrt_socket netlink_fib_lookup_socket netlink_generic_socket netlink_iscsi_socket netlink_kobject_uevent_socket netlink_netfilter_socket netlink_nflog_socket netlink_rdma_socket netlink_route_socket netlink_scsitransport_socket netlink_selinux_socket netlink_socket netlink_tcpdiag_socket netlink_xfrm_socket netrom_socket nfc_socket node node_socket nscd packet packet_socket peer perf_event phonet_socket pppox_socket process process2 qipcrtr_socket rawip_socket rds_socket rose_socket rxrpc_socket sctp_socket security sem service shm smc_socket sock_file socket system tcp_socket tipc_socket tun_socket udp_socket unix_dgram_socket unix_stream_socket vsock_socket x25_socket x_application_data x_client x_colormap x_cursor x_drawable x_event x_extension x_font x_gc x_keyboard x_pointer x_property x_resource x_screen x_selection x_server x_synthetic_event xdp_socket))
 (sensitivity s0)
 (sensitivityorder (s0))
 (user system_u)
From 66bf953e9b33d89d2ce7ca7b8acafc52dbc5a542 Mon Sep 17 00:00:00 2001
From: Matt Sheets
Date: Tue, 2 May 2023 03:52:20 -0700
Subject: [PATCH 6/6] adding additional allows to nested_alias.cas
---
 data/expected_cil/nested_alias.cil | 4 +++-
 data/policies/nested_alias.cas | 11 ++++++-----
 src/lib.rs | 3 +++
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/data/expected_cil/nested_alias.cil b/data/expected_cil/nested_alias.cil
index e8de2552..3220dad3 100644
--- a/data/expected_cil/nested_alias.cil
+++ b/data/expected_cil/nested_alias.cil
@@ -165,7 +165,9 @@
 (typealias zap)
 (typealiasactual zap bar-tmp)
 (macro bar-tmp-read ((type this) (type source)))
-(allow bar resource (file (read)))
+(allow abc bob (file (read)))
+(allow abc zap (file (read)))
+(allow bar bob (file (read)))
 (sid kernel)
 (sidcontext kernel (system_u system_r kernel_sid ((s0) (s0))))
 (sid security)
diff --git a/data/policies/nested_alias.cas b/data/policies/nested_alias.cas
index 7c80310a..49baf2fc 100644
--- a/data/policies/nested_alias.cas
+++ b/data/policies/nested_alias.cas
@@ -1,20 +1,21 @@
 virtual resource tmp {
- // All children must implement read
- virtual fn read(domain source) {}
+ // All children must implement read
+ virtual fn read(domain source) {}
 }
 @associate([tmp])
 virtual domain foo {}
 domain bar inherits foo {
- // Policies must contain at least one AV rule
- allow(this, resource, file, [read]);
+ allow(this, bob, file, [read]);
 @alias(zap)
- extend tmp {}
+ extend tmp {}
 }
 domain abc {
+ allow(this, bob, file, [read]);
+ allow(this, zap, file, [read]);
 resource xyz {}
 @alias(bob)
diff --git a/src/lib.rs b/src/lib.rs
index 68709903..77a1881e 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1613,6 +1613,9 @@ mod tests {
 "(typealiasactual zap bar-tmp)",
 "(typealias bob)",
 "(typealiasactual bob abc-xyz)",
+ "(allow abc bob (file (read)))",
+ "(allow bar bob (file (read)))",
+ "(allow abc zap (file (read)))",
 ],
 &[],
 0,