From a3d2424c61baa55c8a08cdfc1ab0b17ab19c0ac6 Mon Sep 17 00:00:00 2001
From: Matt Sheets
Date: Fri, 6 Jan 2023 11:50:53 -0700
Subject: [PATCH] Add resource transition functionality (#85)

The resource_transition function keyword is now available for use.
---
 data/error_policies/resource_trans.cas | 16 +++
 data/expected_cil/resource_trans.cil | 136 +++++++++++++++++++++
 data/policies/resource_trans.cas | 8 ++
 src/ast.rs | 4 +
 src/constants.rs | 1 +
 src/internal_rep.rs | 158 +++++++++++++++++++++++++
 src/lib.rs | 17 +++
 7 files changed, 340 insertions(+)
 create mode 100644 data/error_policies/resource_trans.cas
 create mode 100644 data/expected_cil/resource_trans.cil
 create mode 100644 data/policies/resource_trans.cas

diff --git a/data/error_policies/resource_trans.cas b/data/error_policies/resource_trans.cas
new file mode 100644
index 00000000..394fe015
--- /dev/null
+++ b/data/error_policies/resource_trans.cas
@@ -0,0 +1,16 @@
+resource foo {
+    resource_transition(this, domain, bar, [quack]);
+
+    resource_transition(aaa, zap, bar, [file]);
+    resource_transition(foo, bbb, bar, [file]);
+    resource_transition(foo, zap, ccc, [file]);
+
+    // Policies must include at least one av rule
+    allow(domain, foo, file, [read]);
+}
+
+resource bar {}
+
+domain zap {
+    resource_transition(foo, this, bar, [file dir]);
+}
diff --git a/data/expected_cil/resource_trans.cil b/data/expected_cil/resource_trans.cil
new file mode 100644
index 00000000..9aef1c57
--- /dev/null
+++ b/data/expected_cil/resource_trans.cil
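Review bot: This fixture is asserted by `invalid_resourcetrans` to produce exactly five compile errors, but nothing in the file says which calls are the five, so anyone adding or removing a bad call later changes the count the test expects without realizing it. I would mark each intended failure where it sits: `// error: quack is not a file type` on the first call, `// error: aaa / bbb / ccc are not declared` above the block of three, and `// error: not allowed inside a domain block` on the call in `domain zap`. The undeclared-name cases are my inference from the declarations visible here (only `foo`, `bar` and `zap` exist); confirm against the diagnostic the argument validator actually emits before wording the comments.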
@@ -0,0 +1,136 @@ +(class alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class anon_inode (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class association (sendto recvfrom setcontext polmatch)) +(class atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class binder (impersonate call set_context_mgr transfer)) +(class blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class bpf (map_create map_read map_write prog_load prog_run)) +(class caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map 
bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class cap2_userns (mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore)) +(class cap_userns (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)) +(class capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)) +(class capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore)) +(class chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class dbus (acquire_svc send_msg)) +(class dccp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)) +(class decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir)) +(class fd (use)) +(class fifo_file (ioctl read write create getattr setattr lock 
relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)) +(class filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch)) +(class icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)) +(class ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class infiniband_endpoint (manage_subnet)) +(class infiniband_pkey (access)) +(class ipc (create destroy getattr setattr read write associate unix_read unix_write)) +(class ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class kernel_service (use_as_override create_files_as)) +(class 
key (view read write search link setattr create)) +(class key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class lockdown (integrity confidentiality)) +(class memprotect (mmap_zero)) +(class msg (send receive)) +(class msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)) +(class netif (ingress egress)) +(class netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)) +(class netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen 
accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)) +(class netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)) +(class 
netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)) +(class netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class node (recvfrom sendto)) +(class node_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)) +(class packet (send recv relabelto forward_in forward_out)) +(class packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class peer (recv)) +(class perf_event (open cpu kernel tracepoint read write)) +(class phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)) +(class process2 (nnp_transition nosuid_transition)) +(class qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class 
rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)) +(class rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect association)) +(class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans)) +(class sem (create destroy getattr setattr read write associate unix_read unix_write)) +(class service (start stop status reload enable disable)) +(class shm (create destroy getattr setattr read write associate unix_read unix_write lock)) +(class smc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class system (ipc_info syslog_read syslog_mod syslog_console 
module_request module_load halt reboot status start stop enable disable reload)) +(class tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)) +(class tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)) +(class udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)) +(class unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)) +(class vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(class xdp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)) +(classorder (alg_socket anon_inode appletalk_socket association atmpvc_socket atmsvc_socket ax25_socket binder blk_file bluetooth_socket bpf caif_socket can_socket cap2_userns cap_userns capability capability2 chr_file dbus dccp_socket decnet_socket dir fd 
fifo_file file filesystem icmp_socket ieee802154_socket infiniband_endpoint infiniband_pkey ipc ipx_socket irda_socket isdn_socket iucv_socket kcm_socket kernel_service key key_socket llc_socket lnk_file lockdown memprotect msg msgq netif netlink_audit_socket netlink_connector_socket netlink_crypto_socket netlink_dnrt_socket netlink_fib_lookup_socket netlink_generic_socket netlink_iscsi_socket netlink_kobject_uevent_socket netlink_netfilter_socket netlink_nflog_socket netlink_rdma_socket netlink_route_socket netlink_scsitransport_socket netlink_selinux_socket netlink_socket netlink_tcpdiag_socket netlink_xfrm_socket netrom_socket nfc_socket node node_socket packet packet_socket peer perf_event phonet_socket pppox_socket process process2 qipcrtr_socket rawip_socket rds_socket rose_socket rxrpc_socket sctp_socket security sem service shm smc_socket sock_file socket system tcp_socket tipc_socket tun_socket udp_socket unix_dgram_socket unix_stream_socket vsock_socket x25_socket xdp_socket)) +(sensitivity s0) +(sensitivityorder (s0)) +(user system_u) +(role system_r) +(role object_r) +(userrole system_u system_r) +(userrole system_u object_r) +(userlevel system_u (s0)) +(userrange system_u ((s0) (s0))) +(handleunknown allow) +(typeattribute domain) +(typeattribute resource) +(type bar) +(roletype object_r bar) +(typeattributeset resource (bar)) +(type foo) +(roletype object_r foo) +(typeattributeset resource (foo)) +(type kernel_sid) +(roletype system_r kernel_sid) +(typeattributeset domain (kernel_sid)) +(type security_sid) +(roletype object_r security_sid) +(typeattributeset resource (security_sid)) +(type unlabeled_sid) +(roletype object_r unlabeled_sid) +(typeattributeset resource (unlabeled_sid)) +(allow domain foo (file (read))) +(typetransition domain bar file foo) +(typetransition domain bar dir foo) +(sid kernel) +(sidcontext kernel (system_u system_r kernel_sid ((s0) (s0)))) +(sid security) +(sidcontext security (system_u object_r security_sid ((s0) (s0)))) 
+(sid unlabeled)
+(sidcontext unlabeled (system_u object_r unlabeled_sid ((s0) (s0))))
+(sidorder (kernel security unlabeled))
\ No newline at end of file
diff --git a/data/policies/resource_trans.cas b/data/policies/resource_trans.cas
new file mode 100644
index 00000000..fa1a57e8
--- /dev/null
+++ b/data/policies/resource_trans.cas
@@ -0,0 +1,8 @@
+resource foo {
+    resource_transition(this, domain, bar, [file dir]);
+
+    // Policies must include at least one av rule
+    allow(domain, foo, file, [read]);
+}
+
+resource bar {}
diff --git a/src/ast.rs b/src/ast.rs
index 742e2629..eadc3eb4 100644
--- a/src/ast.rs
+++ b/src/ast.rs
@@ -385,6 +385,7 @@ impl Statement {
 pub enum BuiltIns {
     AvRule,
     FileContext,
+    ResourceTransition,
     DomainTransition,
 }
 
@@ -425,6 +426,9 @@ impl FuncCall {
         if self.name == constants::FILE_CONTEXT_FUNCTION_NAME {
             return Some(BuiltIns::FileContext);
         }
+        if self.name == constants::RESOURCE_TRANS_FUNCTION_NAME {
+            return Some(BuiltIns::ResourceTransition);
+        }
         if self.name == constants::DOMTRANS_FUNCTION_NAME {
             return Some(BuiltIns::DomainTransition);
         }
diff --git a/src/constants.rs b/src/constants.rs
index f5634eb1..6887b4ff 100644
--- a/src/constants.rs
+++ b/src/constants.rs
@@ -5,6 +5,7 @@ pub const DONTAUDIT_FUNCTION_NAME: &str = "dontaudit";
 pub const AUDITALLOW_FUNCTION_NAME: &str = "auditallow";
 pub const NEVERALLOW_FUNCTION_NAME: &str = "neverallow";
 pub const FILE_CONTEXT_FUNCTION_NAME: &str = "file_context";
+pub const RESOURCE_TRANS_FUNCTION_NAME: &str = "resource_transition";
 pub const DOMTRANS_FUNCTION_NAME: &str = "domain_transition";
 pub const SYSTEM_TYPE: &str = "machine_type";
 pub const MONOLITHIC: &str = "monolithic";
diff --git a/src/internal_rep.rs b/src/internal_rep.rs
index 1d74ca58..83ae7188 100644
--- a/src/internal_rep.rs
+++ b/src/internal_rep.rs
@@ -1642,6 +1642,139 @@ fn call_to_domain_transition<'a>(
     })
 }
 
+#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
+pub struct ResourcetransRule<'a> {
+    pub default: Cow<'a, CascadeString>,
+    pub domain: Cow<'a, CascadeString>,
+    pub parent: Cow<'a, CascadeString>,
+    pub file_type: FileType,
+}
+
+impl ResourcetransRule<'_> {
+    fn get_renamed_statement(&self, renames: &BTreeMap) -> Self {
+        ResourcetransRule {
+            default: rename_cow(&self.default, renames),
+            domain: rename_cow(&self.domain, renames),
+            parent: rename_cow(&self.parent, renames),
+            file_type: self.file_type,
+        }
+    }
+}
+
+impl From<&ResourcetransRule<'_>> for sexp::Sexp {
+    fn from(r: &ResourcetransRule) -> Self {
+        list(&[
+            atom_s("typetransition"),
+            atom_s(&r.domain.get_cil_name()),
+            atom_s(&r.parent.get_cil_name()),
+            Sexp::Atom(Atom::S(r.file_type.to_string())),
+            atom_s(&r.default.get_cil_name()),
+        ])
+    }
+}
+
+fn call_to_resource_transition<'a>(
+    c: &'a FuncCall,
+    types: &'a TypeMap,
+    class_perms: &ClassList,
+    context: &BlockContext<'a>,
+    file: &'a SimpleFile,
+) -> Result>, CascadeErrors> {
+    let target_args = vec![
+        FunctionArgument::new(
+            &DeclaredArgument {
+                param_type: CascadeString::from(constants::RESOURCE),
+                is_list_param: false,
+                name: CascadeString::from("default"),
+                default: None,
+            },
+            types,
+            None,
+        )?,
+        FunctionArgument::new(
+            &DeclaredArgument {
+                param_type: CascadeString::from(constants::DOMAIN),
+                is_list_param: false,
+                name: CascadeString::from("domain"),
+                default: None,
+            },
+            types,
+            None,
+        )?,
+        FunctionArgument::new(
+            &DeclaredArgument {
+                param_type: CascadeString::from(constants::RESOURCE),
+                is_list_param: false,
+                name: CascadeString::from("parent"),
+                default: None,
+            },
+            types,
+            None,
+        )?,
+        FunctionArgument::new(
+            &DeclaredArgument {
+                param_type: CascadeString::from("obj_class"), //TODO: not really
+                is_list_param: true,
+                name: CascadeString::from("file_type"),
+                default: Some(Argument::List(vec![])),
+            },
+            types,
+            None,
+        )?,
+    ];
+
+    let validated_args =
+        validate_arguments(c, &target_args, types, class_perms, context, Some(file))?;
+    let mut args_iter = validated_args.into_iter();
+    let mut ret = Vec::new();
+
+    let default = args_iter
+        .next()
+        .ok_or_else(|| ErrorItem::Internal(InternalError::new()))?
+        .get_name_or_string(context)?;
+    let domain = args_iter
+        .next()
+        .ok_or_else(|| ErrorItem::Internal(InternalError::new()))?
+        .get_name_or_string(context)?;
+    let parent = args_iter
+        .next()
+        .ok_or_else(|| ErrorItem::Internal(InternalError::new()))?
+        .get_name_or_string(context)?;
+    let file_types = args_iter
+        .next()
+        .ok_or_else(|| ErrorItem::Internal(InternalError::new()))?
+        .get_list(context)?;
+
+    if args_iter.next().is_some() {
+        return Err(ErrorItem::Internal(InternalError::new()).into());
+    }
+
+    for file_type in file_types {
+        let file_type = match file_type.to_string().parse::() {
+            Ok(f) => f,
+            Err(_) => {
+                return Err(CascadeErrors::from(
+                    ErrorItem::make_compile_or_internal_error(
+                        "Not a valid file type",
+                        Some(file),
+                        file_type.get_range(),
+                        "",
+                    ),
+                ))
+            }
+        };
+
+        ret.push(ResourcetransRule {
+            default: Cow::Owned(default.clone()),
+            domain: Cow::Owned(domain.clone()),
+            parent: Cow::Owned(parent.clone()),
+            file_type,
+        });
+    }
+
+    Ok(ret)
+}
+
 fn check_associated_call(
     annotation: &Annotation,
     funcdecl: &FuncDecl,
@@ -2091,6 +2224,7 @@ impl TryFrom<&FunctionInfo<'_>> for sexp::Sexp {
             ValidatedStatement::Call(c) => macro_cil.push(Sexp::from(&**c)),
             ValidatedStatement::AvRule(a) => macro_cil.push(Sexp::from(a)),
             ValidatedStatement::FcRule(f) => macro_cil.push(Sexp::from(f)),
+            ValidatedStatement::ResourcetransRule(r) => macro_cil.push(Sexp::from(r)),
             ValidatedStatement::DomtransRule(d) => macro_cil.push(Sexp::from(d)),
         }
     }
@@ -2176,6 +2310,7 @@ pub enum ValidatedStatement<'a> {
     Call(Box),
     AvRule(AvRule<'a>),
     FcRule(FileContextRule<'a>),
+    ResourcetransRule(ResourcetransRule<'a>),
     DomtransRule(DomtransRule<'a>),
 }
 
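Review bot: The `file_type` parameter of `call_to_resource_transition` is declared with `default: Some(Argument::List(vec![]))`, so a call that omits the list (or passes an empty one) passes validation, the `for file_type in file_types` loop never executes, and the function returns `Ok(ret)` with no rules at all — the policy compiles without any `typetransition` and the author gets no diagnostic. For a labeling primitive that is a silent no-op: the files the author meant to label as `default` will inherit the parent's label instead, which is exactly the kind of misplacement a label transition exists to prevent. I would either drop the default so the list is mandatory, or reject an empty list right after `get_list` as below. The `//TODO: not really` on `param_type: CascadeString::from("obj_class")` also deserves a real comment, since as far as this hunk shows the `parse::<FileType>()` in the loop is the only check applied to the list entries.

```rust
    let file_types = args_iter
        .next()
        .ok_or_else(|| ErrorItem::Internal(InternalError::new()))?
        .get_list(context)?;

    // An empty list would emit no typetransition at all; refuse it rather
    // than silently compiling a policy with no transition.
    if file_types.is_empty() {
        return Err(CascadeErrors::from(
            ErrorItem::make_compile_or_internal_error(
                "resource_transition() requires at least one file type",
                Some(file),
                c.name.get_range(),
                "Supply a list such as [file dir]",
            ),
        ));
    }

    // … unchanged: extra-argument check and per-file-type loop …
```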
@@ -2219,6 +2354,25 @@ impl<'a> ValidatedStatement<'a> {
                     ))
                 }
             }
+            Some(BuiltIns::ResourceTransition) => {
+                if in_resource {
+                    Ok(
+                        call_to_resource_transition(c, types, class_perms, &*context, file)?
+                            .into_iter()
+                            .map(ValidatedStatement::ResourcetransRule)
+                            .collect(),
+                    )
+                } else {
+                    Err(CascadeErrors::from(
+                        ErrorItem::make_compile_or_internal_error(
+                            "resource_transition() calls are not allowed in domains",
+                            Some(file),
+                            c.name.get_range(),
+                            "Not allowed here",
+                        ),
+                    ))
+                }
+            }
             Some(BuiltIns::DomainTransition) => {
                 if !in_resource {
                     Ok(
@@ -2290,6 +2444,9 @@ impl<'a> ValidatedStatement<'a> {
             ValidatedStatement::DomtransRule(d) => {
                 ValidatedStatement::DomtransRule(d.get_renamed_statement(renames))
             }
+            ValidatedStatement::ResourcetransRule(r) => {
+                ValidatedStatement::ResourcetransRule(r.get_renamed_statement(renames))
+            }
         }
     }
 }
@@ -2300,6 +2457,7 @@ impl From<&ValidatedStatement<'_>> for sexp::Sexp {
             ValidatedStatement::Call(c) => Sexp::from(&**c),
             ValidatedStatement::AvRule(a) => Sexp::from(a),
             ValidatedStatement::FcRule(f) => Sexp::from(f),
+            ValidatedStatement::ResourcetransRule(r) => Sexp::from(r),
             ValidatedStatement::DomtransRule(d) => Sexp::from(d),
         }
     }
diff --git a/src/lib.rs b/src/lib.rs
index 77fb76a8..88953622 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1206,4 +1206,21 @@ mod tests {
     fn valid_self() {
         valid_policy_test("self.cas", &["allow qux self (file (read))"], &[]);
     }
+
+    #[test]
+    fn invalid_resourcetrans() {
+        error_policy_test!("resource_trans.cas", 5, ErrorItem::Compile(_));
+    }
+
+    #[test]
+    fn valid_resourcetrans() {
+        valid_policy_test(
+            "resource_trans.cas",
+            &[
+                "(typetransition domain bar file foo)",
+                "(typetransition domain bar dir foo)",
+            ],
+            &[],
+        );
+    }
 }
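Review bot: The new `Some(BuiltIns::ResourceTransition)` arm only gates on `in_resource`; nothing visible checks that the `default` argument names the enclosing resource, so `resource foo` can declare `resource_transition(bar, domain, baz, [file])` and hand out `bar`'s label for files it does not own — the error fixture exercises undeclared names and the domain-block case, but not this one. If resource blocks are meant to own the labels they introduce (the valid fixture only ever uses `this`), I would compare `default` with the block's own type and reject a mismatch; if cross-resource transitions are intended, a comment on the arm saying so would keep the next reader from tightening it. Separately, the else-branch message `"resource_transition() calls are not allowed in domains"` fires whenever `in_resource` is false; if that flag is also false in contexts other than domain blocks (I cannot tell from the hunk), `"resource_transition() calls are only allowed in resource blocks"` states the real condition. The enclosing `match` and function start and end outside the hunk.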