gradm differentiate set operation bug?
Posted: Tue Jul 15, 2014 4:58 am
I've been refactoring my policy to `define` sets for common rules using set operations where I want small changes to a bigger defined set.
Earlier I noticed that the '-' operation seems to actually modify its left operand for future use, whereas the '|' operator does not:
```
# Role: users
define showall {
    /home/wry/grsec
    /home/wry/grsec/a rw
    /home/wry/grsec/b rw
    /home/wry/grsec/c rw
    /home/wry/grsec/d
}
define b_w {
    /home/wry/grsec/b w
}
define d_rw {
    /home/wry/grsec/d rw
}
### Enabling this dummy rule causes $showall to permanently lose its rule for
### file 'b', it will be like having a 'hide' rule on it.
#subject /usr/bin/dummy {
# ($showall - $b_w) | $d_rw
#}
subject /usr/bin/ls {
    $showall
}
subject /usr/bin/tee {
    $showall
}
subject /usr/bin/cat {
    $showall
}
```
Here are the 2 results, first with the dummy rule commented out, then with it activated.
```
$ cd /home/wry
$ ls grsec
a b c d
$ cat grsec/d
cat: grsec/d: Permission denied
$ echo aa | tee grsec/d
tee: grsec/d: Permission denied
aa
$ echo aa | tee grsec/b
aa
$ cat grsec/b
aa
$ NOW reloading RBAC with the dummy subject included^C
$ ls grsec
a c d
$ cat grsec/d
cat: grsec/d: Permission denied
$ echo aa | tee grsec/d
tee: grsec/d: Permission denied
aa
$ echo aa | tee grsec/b
tee: grsec/b: No such file or directory
aa
$ cat grsec/b
cat: grsec/b: No such file or directory
$
```
Setup:
```
Linux wrytop 3.15.5.201407131211-1-grsec #1 SMP PREEMPT Sun Jul 13 14:22:15 EDT 2014 x86_64 GNU/Linux
gradm: 3.0.201405281853
```
I believe the culprit is this line in gradm_sym.c:
```
gradm_sym.c:162 add_file_var_object(&retvar, tmpvar1->file_obj.filename, tmpvar1->file_obj.mode &= ~tmpvar2->file_obj.mode);
```
Note the use of `&=` there, whereas the "union_objects" and "intersect_objects" functions use '|' and '&' without the assignment.
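
The side effect described in the post, as an added example that is not part of the original post and is not gradm's code: a simplified model of a set-difference routine evaluated once with `&=` and once with `&`. The structures, the `MODE_R`/`MODE_W` bit values and the function names are assumptions made for illustration; gradm's real mode flags and data structures differ.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration, not gradm's real structures or mode bits. */
#define MODE_R 0x1u
#define MODE_W 0x2u
struct obj { const char *filename; unsigned mode; };
struct var { struct obj objs[8]; int n; };

static struct obj *find_obj(struct var *v, const char *name)
{
    for (int i = 0; i < v->n; i++)
        if (strcmp(v->objs[i].filename, name) == 0)
            return &v->objs[i];
    return NULL;
}

/* Computes left - right; in_place=1 mirrors the `&=` form quoted in the post. */
static struct var differentiate(struct var *left, struct var *right, int in_place)
{
    struct var ret = { .n = 0 };
    for (int i = 0; i < left->n; i++) {
        struct obj *l = &left->objs[i];
        struct obj *r = find_obj(right, l->filename);
        unsigned mask = r ? ~r->mode : ~0u;
        unsigned mode = in_place ? (l->mode &= mask)  /* writes back into left */
                                 : (l->mode & mask);  /* left stays intact */
        ret.objs[ret.n++] = (struct obj){ l->filename, mode };
    }
    return ret;
}

/* Mode that $showall still holds for file b after evaluating $showall - $b_w. */
unsigned showall_b_after(int in_place)
{
    struct var showall = { { { "/home/wry/grsec/b", MODE_R | MODE_W } }, 1 };
    struct var b_w     = { { { "/home/wry/grsec/b", MODE_W } }, 1 };
    (void)differentiate(&showall, &b_w, in_place);
    return find_obj(&showall, "/home/wry/grsec/b")->mode;
}

int main(void)
{
    printf("&= form: %#x, & form: %#x\n", showall_b_after(1), showall_b_after(0));
    return 0;
}
```

With the `&=` form the defined set itself is altered, so every later subject that expands it receives the reduced mode; with `&` only the returned set carries the difference.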