libsepol,checkpolicy: introduce neveraudit types

Introduce neveraudit types i.e. types that should never trigger
audit messages. This allows the AVC to skip all audit-related
processing for such types. Note that neveraudit differs from
dontaudit not only wrt being applied for all checks with a given
source type but also in that it disables all auditing, not just
permission denials.

When a type is both a permissive type and a neveraudit type,
the security server can short-circuit the security_compute_av()
logic, allowing all permissions and not auditing any permissions.

Signed-off-by: Stephen Smalley <[email protected]>

Author: stephensmalley

checkpolicy/policy_define.c

@@ -257,6 +257,49 @@ int define_permissive(void)
 	return rc;
 }
 
+int define_neveraudit(void)
+{
+	char *type = NULL;
+	struct type_datum *t;
+	int rc = 0;
+
+	type = queue_remove(id_queue);
+
+	if (!type) {
+		yyerror2("forgot to include type in neveraudit definition?");
+		rc = -1;
+		goto out;
+	}
+
+	if (pass == 1)
+		goto out;
+
+	if (!is_id_in_scope(SYM_TYPES, type)) {
+		yyerror2("type %s is not within scope", type);
+		rc = -1;
+		goto out;
+	}
+
+	t = hashtab_search(policydbp->p_types.table, type);
+	if (!t) {
+		yyerror2("type is not defined: %s", type);
+		rc = -1;
+		goto out;
+	}
+
+	if (t->flavor == TYPE_ATTRIB) {
+		yyerror2("attributes may not be neveraudit: %s", type);
+		rc = -1;
+		goto out;
+	}
+
+	t->flags |= TYPE_FLAGS_NEVERAUDIT;
+
+out:
+	free(type);
+	return rc;
+}
+
 int define_polcap(void)
 {
 	char *id = 0;

checkpolicy/policy_define.h

@@ -45,6 +45,7 @@ int define_ipv6_cidr_node_context(void);
 int define_level(void);
 int define_netif_context(void);
 int define_permissive(void);
+int define_neveraudit(void);
 int define_polcap(void);
 int define_ibpkey_context(unsigned int low, unsigned int high);
 int define_ibendport_context(unsigned int port);

checkpolicy/policy_parse.y

@@ -152,6 +152,7 @@ typedef int (* require_func_t)(int pass);
 %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
 %token POLICYCAP
 %token PERMISSIVE
+%token NEVERAUDIT
 %token FILESYSTEM
 %token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
 %token LOW_HIGH LOW HIGH GLBLUB
@@ -330,6 +331,7 @@ te_decl			: attribute_def
                         | range_trans_def
                         | te_avtab_def
 			| permissive_def
+			| neveraudit_def
 			;
 attribute_def           : ATTRIBUTE identifier ';'
                         { if (define_attrib()) YYABORT;}
@@ -934,6 +936,8 @@ policycap_def		: POLICYCAP identifier ';'
 			;
 permissive_def		: PERMISSIVE identifier ';'
 			{if (define_permissive()) YYABORT;}
+neveraudit_def		: NEVERAUDIT identifier ';'
+			{if (define_neveraudit()) YYABORT;}
 
 /*********** module grammar below ***********/
 

checkpolicy/policy_scan.l

@@ -271,6 +271,8 @@ policycap |
 POLICYCAP			{ return(POLICYCAP); }
 permissive |
 PERMISSIVE			{ return(PERMISSIVE); }
+neveraudit |
+NEVERAUDIT			{ return(NEVERAUDIT); }
 default_user |
 DEFAULT_USER			{ return(DEFAULT_USER); }
 default_role |

checkpolicy/tests/policy_allonce.conf

@@ -45,6 +45,7 @@ auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
 dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
 neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
 permissive TYPE1;
+neveraudit TYPE1;
 attribute_role ROLE_ATTR1;
 role ROLE1;
 role ROLE3;

checkpolicy/tests/policy_allonce.expected.conf

@@ -31,6 +31,7 @@ typealias TYPE4 alias TYPEALIAS4;
 typebounds TYPE4 TYPE3;
 typeattribute TYPE4 ATTR2;
 permissive TYPE1;
+neveraudit TYPE1;
 allow TYPE1 self:CLASS1 { PERM1 };
 allow TYPE1 self:CLASS2 { CPERM1 };
 auditallow TYPE1 TYPE3:CLASS1 { PERM1 };

checkpolicy/tests/policy_allonce.expected_opt.conf

@@ -31,6 +31,7 @@ typealias TYPE4 alias TYPEALIAS4;
 typebounds TYPE4 TYPE3;
 typeattribute TYPE4 ATTR2;
 permissive TYPE1;
+neveraudit TYPE1;
 allow TYPE1 self:CLASS1 { PERM1 };
 allow TYPE1 self:CLASS2 { CPERM1 };
 auditallow TYPE1 TYPE3:CLASS1 { PERM1 };

checkpolicy/tests/policy_allonce_mls.conf

@@ -53,6 +53,7 @@ auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
 dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
 neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
 permissive TYPE1;
+neveraudit TYPE1;
 attribute_role ROLE_ATTR1;
 role ROLE1;
 role ROLE3;

checkpolicy/tests/policy_allonce_mls.expected.conf

@@ -39,6 +39,7 @@ typealias TYPE4 alias TYPEALIAS4;
 typebounds TYPE4 TYPE3;
 typeattribute TYPE4 ATTR2;
 permissive TYPE1;
+neveraudit TYPE1;
 allow TYPE1 self:CLASS1 { PERM1 };
 allow TYPE1 self:CLASS2 { CPERM1 };
 auditallow TYPE1 TYPE3:CLASS1 { PERM1 };

checkpolicy/tests/policy_allonce_mls.expected_opt.conf

@@ -39,6 +39,7 @@ typealias TYPE4 alias TYPEALIAS4;
 typebounds TYPE4 TYPE3;
 typeattribute TYPE4 ATTR2;
 permissive TYPE1;
+neveraudit TYPE1;
 allow TYPE1 self:CLASS1 { PERM1 };
 allow TYPE1 self:CLASS2 { CPERM1 };
 auditallow TYPE1 TYPE3:CLASS1 { PERM1 };