selinux/libsepol/src/assertion.c - nest-cam/4320010/selinux - Git at Google

 /* Authors: Joshua Brindle <jbrindle@tresys.com>
  *
  * Assertion checker for avtab entries, taken from
  * checkpolicy.c by Stephen Smalley <sds@tycho.nsa.gov>
  *
  * Copyright (C) 2005 Tresys Technology, LLC
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
  *  License as published by the Free Software Foundation; either
  *  version 2.1 of the License, or (at your option) any later version.
  *
  *  This library is distributed in the hope that it will be useful,
  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  *  Lesser General Public License for more details.
  *
  *  You should have received a copy of the GNU Lesser General Public
  *  License along with this library; if not, write to the Free Software
  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  */

 #include <sepol/policydb/avtab.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/util.h>

 #include "private.h"
 #include "debug.h"

 struct avtab_match_args {
 	sepol_handle_t *handle;
 	policydb_t *p;
 	avrule_t *avrule;
 	avtab_t *avtab;
 	unsigned long errors;
 };

 static void report_failure(sepol_handle_t *handle, policydb_t *p, const avrule_t *avrule,
 			   unsigned int stype, unsigned int ttype,
 			   const class_perm_node_t *curperm, uint32_t perms)
 {
 	if (avrule->source_filename) {
 		ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
 		    avrule->source_line, avrule->source_filename, avrule->line,
 		    p->p_type_val_to_name[stype],
 		    p->p_type_val_to_name[ttype],
 		    p->p_class_val_to_name[curperm->tclass - 1],
 		    sepol_av_to_string(p, curperm->tclass, perms));
 	} else if (avrule->line) {
 		ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
 		    avrule->line, p->p_type_val_to_name[stype],
 		    p->p_type_val_to_name[ttype],
 		    p->p_class_val_to_name[curperm->tclass - 1],
 		    sepol_av_to_string(p, curperm->tclass, perms));
 	} else {
 		ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
 		    p->p_type_val_to_name[stype],
 		    p->p_type_val_to_name[ttype],
 		    p->p_class_val_to_name[curperm->tclass - 1],
 		    sepol_av_to_string(p, curperm->tclass, perms));
 	}
 }

 static int match_any_class_permissions(class_perm_node_t *cp, uint32_t class, uint32_t data)
 {
 	for (; cp; cp = cp->next) {
 		if ((cp->tclass == class) && (cp->data & data)) {
 			break;
 		}
 	}
 	if (!cp)
 		return 0;

 	return 1;
 }

 static int extended_permissions_and(uint32_t *perms1, uint32_t *perms2) {
 	size_t i;
 	for (i = 0; i < EXTENDED_PERMS_LEN; i++) {
 		if (perms1[i] & perms2[i])
 			return 1;
 	}

 	return 0;
 }

 static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_extended_perms_t *allow)
 {
 	int rc = 0;
 	if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
 			&& (allow->specified == AVTAB_XPERMS_IOCTLFUNCTION)) {
 		if (neverallow->driver == allow->driver)
 			rc = extended_permissions_and(neverallow->perms, allow->perms);
 	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
 			&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
 		rc = xperm_test(neverallow->driver, allow->perms);
 	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
 			&& (allow->specified == AVTAB_XPERMS_IOCTLFUNCTION)) {
 		rc = xperm_test(allow->driver, neverallow->perms);
 	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
 			&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
 		rc = extended_permissions_and(neverallow->perms, allow->perms);
 	}

 	return rc;
 }

 /* Compute which allowed extended permissions violate the neverallow rule */
 static void extended_permissions_violated(avtab_extended_perms_t *result,
 					av_extended_perms_t *neverallow,
 					avtab_extended_perms_t *allow)
 {
 	size_t i;
 	if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
 			&& (allow->specified == AVTAB_XPERMS_IOCTLFUNCTION)) {
 		result->specified = AVTAB_XPERMS_IOCTLFUNCTION;
 		result->driver = allow->driver;
 		for (i = 0; i < EXTENDED_PERMS_LEN; i++)
 			result->perms[i] = neverallow->perms[i] & allow->perms[i];
 	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
 			&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
 		result->specified = AVTAB_XPERMS_IOCTLFUNCTION;
 		result->driver = neverallow->driver;
 		memcpy(result->perms, neverallow->perms, sizeof(result->perms));
 	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
 			&& (allow->specified == AVTAB_XPERMS_IOCTLFUNCTION)) {
 		result->specified = AVTAB_XPERMS_IOCTLFUNCTION;
 		result->driver = allow->driver;
 		memcpy(result->perms, allow->perms, sizeof(result->perms));
 	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
 			&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
 		result->specified = AVTAB_XPERMS_IOCTLDRIVER;
 		for (i = 0; i < EXTENDED_PERMS_LEN; i++)
 			result->perms[i] = neverallow->perms[i] & allow->perms[i];
 	}
 }

 /* Same scenarios of interest as check_assertion_extended_permissions */
 static int report_assertion_extended_permissions(sepol_handle_t *handle,
 				policydb_t *p, const avrule_t *avrule,
 				unsigned int stype, unsigned int ttype,
 				const class_perm_node_t *curperm, uint32_t perms,
 				avtab_key_t *k, avtab_t *avtab)
 {
 	avtab_ptr_t node;
 	avtab_key_t tmp_key;
 	avtab_extended_perms_t *xperms;
 	avtab_extended_perms_t error;
 	ebitmap_t *sattr = &p->type_attr_map[stype];
 	ebitmap_t *tattr = &p->type_attr_map[ttype];
 	ebitmap_node_t *snode, *tnode;
 	unsigned int i, j;
 	int rc = 1;
 	int ret = 0;

 	memcpy(&tmp_key, k, sizeof(avtab_key_t));
 	tmp_key.specified = AVTAB_XPERMS_ALLOWED;

 	ebitmap_for_each_bit(sattr, snode, i) {
 		if (!ebitmap_node_get_bit(snode, i))
 			continue;
 		ebitmap_for_each_bit(tattr, tnode, j) {
 			if (!ebitmap_node_get_bit(tnode, j))
 				continue;
 			tmp_key.source_type = i + 1;
 			tmp_key.target_type = j + 1;
 			for (node = avtab_search_node(avtab, &tmp_key);
 			     node;
 			     node = avtab_search_node_next(node, tmp_key.specified)) {
 				xperms = node->datum.xperms;
 				if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
 						&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
 					continue;

 				rc = check_extended_permissions(avrule->xperms, xperms);
 				/* failure on the extended permission check_extended_permissions */
 				if (rc) {
 					extended_permissions_violated(&error, avrule->xperms, xperms);
 					ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
 							"allowxperm %s %s:%s %s;",
 							avrule->source_line, avrule->source_filename, avrule->line,
 							p->p_type_val_to_name[i],
 							p->p_type_val_to_name[j],
 							p->p_class_val_to_name[curperm->tclass - 1],
 							sepol_extended_perms_to_string(&error));

 					rc = 0;
 					ret++;
 				}
 			}
 		}
 	}

 	/* failure on the regular permissions */
 	if (rc) {
 		ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
 				"allow %s %s:%s {%s };",
 				avrule->source_line, avrule->source_filename, avrule->line,
 				p->p_type_val_to_name[stype],
 				p->p_type_val_to_name[ttype],
 				p->p_class_val_to_name[curperm->tclass - 1],
 				sepol_av_to_string(p, curperm->tclass, perms));
 		ret++;

 	}

 	return ret;
 }

 static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void *args)
 {
 	int rc = 0;
 	struct avtab_match_args *a = (struct avtab_match_args *)args;
 	sepol_handle_t *handle = a->handle;
 	policydb_t *p = a->p;
 	avtab_t *avtab = a->avtab;
 	avrule_t *avrule = a->avrule;
 	class_perm_node_t *cp;
 	uint32_t perms;
 	ebitmap_t src_matches, tgt_matches, matches;
 	ebitmap_node_t *snode, *tnode;
 	unsigned int i, j;

 	if (k->specified != AVTAB_ALLOWED)
 		return 0;

 	if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
 		return 0;

 	ebitmap_init(&src_matches);
 	ebitmap_init(&tgt_matches);
 	ebitmap_init(&matches);

 	rc = ebitmap_and(&src_matches, &avrule->stypes.types,
 			 &p->attr_type_map[k->source_type - 1]);
 	if (rc)
 		goto oom;

 	if (ebitmap_length(&src_matches) == 0)
 		goto exit;

 	if (avrule->flags == RULE_SELF) {
 		rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]);
 		if (rc)
 			goto oom;
 		rc = ebitmap_and(&tgt_matches, &avrule->stypes.types, &matches);
 		if (rc)
 			goto oom;
 	} else {
 		rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, &p->attr_type_map[k->target_type -1]);
 		if (rc)
 			goto oom;
 	}

 	if (ebitmap_length(&tgt_matches) == 0)
 		goto exit;

 	for (cp = avrule->perms; cp; cp = cp->next) {

 		perms = cp->data & d->data;
 		if ((cp->tclass != k->target_class) || !perms) {
 			continue;
 		}

 		ebitmap_for_each_bit(&src_matches, snode, i) {
 			if (!ebitmap_node_get_bit(snode, i))
 				continue;
 			ebitmap_for_each_bit(&tgt_matches, tnode, j) {
 				if (!ebitmap_node_get_bit(tnode, j))
 					continue;

 				if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
 					a->errors += report_assertion_extended_permissions(handle,p, avrule,
 											i, j, cp, perms, k, avtab);
 				} else {
 					a->errors++;
 					report_failure(handle, p, avrule, i, j, cp, perms);
 				}
 			}
 		}
 	}
 	goto exit;

 oom:
 	ERR(NULL, "Out of memory - unable to check neverallows");

 exit:
 	ebitmap_destroy(&src_matches);
 	ebitmap_destroy(&tgt_matches);
 	ebitmap_destroy(&matches);
 	return rc;
 }

 int report_assertion_failures(sepol_handle_t *handle, policydb_t *p, avrule_t *avrule)
 {
 	int rc;
 	struct avtab_match_args args;

 	args.handle = handle;
 	args.p = p;
 	args.avrule = avrule;
 	args.errors = 0;

 	rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args);
 	if (rc)
 		goto oom;

 	rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args);
 	if (rc)
 		goto oom;

 	return args.errors;

 oom:
 	return rc;
 }

 /*
  * Look up the extended permissions in avtab and verify that neverallowed
  * permissions are not granted.
  */
 static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t *avtab,
 						unsigned int stype, unsigned int ttype,
 						avtab_key_t *k, policydb_t *p)
 {
 	avtab_ptr_t node;
 	avtab_key_t tmp_key;
 	avtab_extended_perms_t *xperms;
 	av_extended_perms_t *neverallow_xperms = avrule->xperms;
 	ebitmap_t *sattr = &p->type_attr_map[stype];
 	ebitmap_t *tattr = &p->type_attr_map[ttype];
 	ebitmap_node_t *snode, *tnode;
 	unsigned int i, j;
 	int rc = 1;

 	memcpy(&tmp_key, k, sizeof(avtab_key_t));
 	tmp_key.specified = AVTAB_XPERMS_ALLOWED;

 	ebitmap_for_each_bit(sattr, snode, i) {
 		if (!ebitmap_node_get_bit(snode, i))
 			continue;
 		ebitmap_for_each_bit(tattr, tnode, j) {
 			if (!ebitmap_node_get_bit(tnode, j))
 				continue;
 			tmp_key.source_type = i + 1;
 			tmp_key.target_type = j + 1;
 			for (node = avtab_search_node(avtab, &tmp_key);
 			     node;
 			     node = avtab_search_node_next(node, tmp_key.specified)) {
 				xperms = node->datum.xperms;

 				if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
 						&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
 					continue;
 				rc = check_extended_permissions(neverallow_xperms, xperms);
 				if (rc)
 					break;
 			}
 		}
 	}

 	return rc;
 }

 /*
  * When the ioctl permission is granted on an avtab entry that matches an
  * avrule neverallowxperm entry, enumerate over the matching
  * source/target/class sets to determine if the extended permissions exist
  * and if the neverallowed ioctls are granted.
  *
  * Four scenarios of interest:
  * 1. PASS - the ioctl permission is not granted for this source/target/class
  *    This case is handled in check_assertion_avtab_match
  * 2. PASS - The ioctl permission is granted AND the extended permission
  *    is NOT granted
  * 3. FAIL - The ioctl permission is granted AND no extended permissions
  *    exist
  * 4. FAIL - The ioctl permission is granted AND the extended permission is
  *    granted
  */
 static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
 						avtab_key_t *k, policydb_t *p)
 {
 	ebitmap_t src_matches, tgt_matches, matches;
 	unsigned int i, j;
 	ebitmap_node_t *snode, *tnode;
 	class_perm_node_t *cp;
 	int rc;
 	int ret = 1;

 	ebitmap_init(&src_matches);
 	ebitmap_init(&tgt_matches);
 	ebitmap_init(&matches);
 	rc = ebitmap_and(&src_matches, &avrule->stypes.types,
 			 &p->attr_type_map[k->source_type - 1]);
 	if (rc)
 		goto oom;

 	if (ebitmap_length(&src_matches) == 0)
 		goto exit;

 	if (avrule->flags == RULE_SELF) {
 		rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1],
 				&p->attr_type_map[k->target_type - 1]);
 		if (rc)
 			goto oom;
 		rc = ebitmap_and(&tgt_matches, &avrule->stypes.types, &matches);
 		if (rc)
 			goto oom;
 	} else {
 		rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types,
 				&p->attr_type_map[k->target_type -1]);
 		if (rc)
 			goto oom;
 	}

 	if (ebitmap_length(&tgt_matches) == 0)
 		goto exit;

 	for (cp = avrule->perms; cp; cp = cp->next) {
 		if (cp->tclass != k->target_class)
 			continue;
 		ebitmap_for_each_bit(&src_matches, snode, i) {
 			if (!ebitmap_node_get_bit(snode, i))
 				continue;
 			ebitmap_for_each_bit(&tgt_matches, tnode, j) {
 				if (!ebitmap_node_get_bit(tnode, j))
 					continue;

 				ret = check_assertion_extended_permissions_avtab(
 						avrule, avtab, i, j, k, p);
 				if (ret)
 					goto exit;
 			}
 		}
 	}
 	goto exit;

 oom:
 	ERR(NULL, "Out of memory - unable to check neverallows");

 exit:
 	ebitmap_destroy(&src_matches);
 	ebitmap_destroy(&tgt_matches);
 	ebitmap_destroy(&matches);
 	return ret;
 }

 static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *args)
 {
 	int rc;
 	struct avtab_match_args *a = (struct avtab_match_args *)args;
 	policydb_t *p = a->p;
 	avrule_t *avrule = a->avrule;
 	avtab_t *avtab = a->avtab;

 	if (k->specified != AVTAB_ALLOWED)
 		goto exit;

 	if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
 		goto exit;

 	rc = ebitmap_match_any(&avrule->stypes.types, &p->attr_type_map[k->source_type - 1]);
 	if (rc == 0)
 		goto exit;

 	if (avrule->flags == RULE_SELF) {
 		/* If the neverallow uses SELF, then it is not enough that the
 		 * neverallow's source matches the src and tgt of the rule being checked.
 		 * It must match the same thing in the src and tgt, so AND the source
 		 * and target together and check for a match on the result.
 		 */
 		ebitmap_t match;
 		rc = ebitmap_and(&match, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1] );
 		if (rc) {
 			ebitmap_destroy(&match);
 			goto oom;
 		}
 		rc = ebitmap_match_any(&avrule->stypes.types, &match);
 		ebitmap_destroy(&match);
 	} else {
 		rc = ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1]);
 	}
 	if (rc == 0)
 		goto exit;

 	if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
 		rc = check_assertion_extended_permissions(avrule, avtab, k, p);
 		if (rc == 0)
 			goto exit;
 	}
 	return 1;

 exit:
 	return 0;

 oom:
 	ERR(NULL, "Out of memory - unable to check neverallows");
 	return rc;
 }

 int check_assertion(policydb_t *p, avrule_t *avrule)
 {
 	int rc;
 	struct avtab_match_args args;

 	args.handle = NULL;
 	args.p = p;
 	args.avrule = avrule;
 	args.errors = 0;
 	args.avtab = &p->te_avtab;

 	rc = avtab_map(&p->te_avtab, check_assertion_avtab_match, &args);

 	if (rc == 0) {
 		args.avtab = &p->te_cond_avtab;
 		rc = avtab_map(&p->te_cond_avtab, check_assertion_avtab_match, &args);
 	}

 	return rc;
 }

 int check_assertions(sepol_handle_t * handle, policydb_t * p,
 		     avrule_t * avrules)
 {
 	int rc;
 	avrule_t *a;
 	unsigned long errors = 0;

 	if (!avrules) {
 		/* Since assertions are stored in avrules, if it is NULL
 		   there won't be any to check. This also prevents an invalid
 		   free if the avtabs are never initialized */
 		return 0;
 	}

 	for (a = avrules; a != NULL; a = a->next) {
 		if (!(a->specified & (AVRULE_NEVERALLOW | AVRULE_XPERMS_NEVERALLOW)))
 			continue;
 		rc = check_assertion(p, a);
 		if (rc) {
 			rc = report_assertion_failures(handle, p, a);
 			if (rc < 0) {
 				ERR(handle, "Error occurred while checking neverallows");
 				return -1;
 			}
 			errors += rc;
 		}
 	}

 	if (errors)
 		ERR(handle, "%lu neverallow failures occurred", errors);

 	return errors ? -1 : 0;
 }
	/* Authors: Joshua Brindle <jbrindle@tresys.com>
	*
	* Assertion checker for avtab entries, taken from
	* checkpolicy.c by Stephen Smalley <sds@tycho.nsa.gov>
	*
	* Copyright (C) 2005 Tresys Technology, LLC
	*
	* This library is free software; you can redistribute it and/or
	* modify it under the terms of the GNU Lesser General Public
	* License as published by the Free Software Foundation; either
	* version 2.1 of the License, or (at your option) any later version.
	*
	* This library is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	* Lesser General Public License for more details.
	*
	* You should have received a copy of the GNU Lesser General Public
	* License along with this library; if not, write to the Free Software
	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	*/

	#include <sepol/policydb/avtab.h>
	#include <sepol/policydb/policydb.h>
	#include <sepol/policydb/expand.h>
	#include <sepol/policydb/util.h>

	#include "private.h"
	#include "debug.h"

	struct avtab_match_args {
	sepol_handle_t *handle;
	policydb_t *p;
	avrule_t *avrule;
	avtab_t *avtab;
	unsigned long errors;
	};

	static void report_failure(sepol_handle_t handle, policydb_t p, const avrule_t *avrule,
	unsigned int stype, unsigned int ttype,
	const class_perm_node_t *curperm, uint32_t perms)
	{
	if (avrule->source_filename) {
	ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
	avrule->source_line, avrule->source_filename, avrule->line,
	p->p_type_val_to_name[stype],
	p->p_type_val_to_name[ttype],
	p->p_class_val_to_name[curperm->tclass - 1],
	sepol_av_to_string(p, curperm->tclass, perms));
	} else if (avrule->line) {
	ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
	avrule->line, p->p_type_val_to_name[stype],
	p->p_type_val_to_name[ttype],
	p->p_class_val_to_name[curperm->tclass - 1],
	sepol_av_to_string(p, curperm->tclass, perms));
	} else {
	ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
	p->p_type_val_to_name[stype],
	p->p_type_val_to_name[ttype],
	p->p_class_val_to_name[curperm->tclass - 1],
	sepol_av_to_string(p, curperm->tclass, perms));
	}
	}

	static int match_any_class_permissions(class_perm_node_t *cp, uint32_t class, uint32_t data)
	{
	for (; cp; cp = cp->next) {
	if ((cp->tclass == class) && (cp->data & data)) {
	break;
	}
	}
	if (!cp)
	return 0;

	return 1;
	}

	static int extended_permissions_and(uint32_t perms1, uint32_t perms2) {
	size_t i;
	for (i = 0; i < EXTENDED_PERMS_LEN; i++) {
	if (perms1[i] & perms2[i])
	return 1;
	}

	return 0;
	}

	static int check_extended_permissions(av_extended_perms_t neverallow, avtab_extended_perms_t allow)
	{
	int rc = 0;
	if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
	&& (allow->specified == AVTAB_XPERMS_IOCTLFUNCTION)) {
	if (neverallow->driver == allow->driver)
	rc = extended_permissions_and(neverallow->perms, allow->perms);
	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
	&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
	rc = xperm_test(neverallow->driver, allow->perms);
	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
	&& (allow->specified == AVTAB_XPERMS_IOCTLFUNCTION)) {
	rc = xperm_test(allow->driver, neverallow->perms);
	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
	&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
	rc = extended_permissions_and(neverallow->perms, allow->perms);
	}

	return rc;
	}

	/* Compute which allowed extended permissions violate the neverallow rule */
	static void extended_permissions_violated(avtab_extended_perms_t *result,
	av_extended_perms_t *neverallow,
	avtab_extended_perms_t *allow)
	{
	size_t i;
	if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
	&& (allow->specified == AVTAB_XPERMS_IOCTLFUNCTION)) {
	result->specified = AVTAB_XPERMS_IOCTLFUNCTION;
	result->driver = allow->driver;
	for (i = 0; i < EXTENDED_PERMS_LEN; i++)
	result->perms[i] = neverallow->perms[i] & allow->perms[i];
	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
	&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
	result->specified = AVTAB_XPERMS_IOCTLFUNCTION;
	result->driver = neverallow->driver;
	memcpy(result->perms, neverallow->perms, sizeof(result->perms));
	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
	&& (allow->specified == AVTAB_XPERMS_IOCTLFUNCTION)) {
	result->specified = AVTAB_XPERMS_IOCTLFUNCTION;
	result->driver = allow->driver;
	memcpy(result->perms, allow->perms, sizeof(result->perms));
	} else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
	&& (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
	result->specified = AVTAB_XPERMS_IOCTLDRIVER;
	for (i = 0; i < EXTENDED_PERMS_LEN; i++)
	result->perms[i] = neverallow->perms[i] & allow->perms[i];
	}
	}

	/* Same scenarios of interest as check_assertion_extended_permissions */
	static int report_assertion_extended_permissions(sepol_handle_t *handle,
	policydb_t p, const avrule_t avrule,
	unsigned int stype, unsigned int ttype,
	const class_perm_node_t *curperm, uint32_t perms,
	avtab_key_t k, avtab_t avtab)
	{
	avtab_ptr_t node;
	avtab_key_t tmp_key;
	avtab_extended_perms_t *xperms;
	avtab_extended_perms_t error;
	ebitmap_t *sattr = &p->type_attr_map[stype];
	ebitmap_t *tattr = &p->type_attr_map[ttype];
	ebitmap_node_t snode, tnode;
	unsigned int i, j;
	int rc = 1;
	int ret = 0;

	memcpy(&tmp_key, k, sizeof(avtab_key_t));
	tmp_key.specified = AVTAB_XPERMS_ALLOWED;

	ebitmap_for_each_bit(sattr, snode, i) {
	if (!ebitmap_node_get_bit(snode, i))
	continue;
	ebitmap_for_each_bit(tattr, tnode, j) {
	if (!ebitmap_node_get_bit(tnode, j))
	continue;
	tmp_key.source_type = i + 1;
	tmp_key.target_type = j + 1;
	for (node = avtab_search_node(avtab, &tmp_key);
	node;
	node = avtab_search_node_next(node, tmp_key.specified)) {
	xperms = node->datum.xperms;
	if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
	&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
	continue;

	rc = check_extended_permissions(avrule->xperms, xperms);
	/* failure on the extended permission check_extended_permissions */
	if (rc) {
	extended_permissions_violated(&error, avrule->xperms, xperms);
	ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
	"allowxperm %s %s:%s %s;",
	avrule->source_line, avrule->source_filename, avrule->line,
	p->p_type_val_to_name[i],
	p->p_type_val_to_name[j],
	p->p_class_val_to_name[curperm->tclass - 1],
	sepol_extended_perms_to_string(&error));

	rc = 0;
	ret++;
	}
	}
	}
	}

	/* failure on the regular permissions */
	if (rc) {
	ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
	"allow %s %s:%s {%s };",
	avrule->source_line, avrule->source_filename, avrule->line,
	p->p_type_val_to_name[stype],
	p->p_type_val_to_name[ttype],
	p->p_class_val_to_name[curperm->tclass - 1],
	sepol_av_to_string(p, curperm->tclass, perms));
	ret++;

	}

	return ret;
	}

	static int report_assertion_avtab_matches(avtab_key_t k, avtab_datum_t d, void *args)
	{
	int rc = 0;
	struct avtab_match_args a = (struct avtab_match_args )args;
	sepol_handle_t *handle = a->handle;
	policydb_t *p = a->p;
	avtab_t *avtab = a->avtab;
	avrule_t *avrule = a->avrule;
	class_perm_node_t *cp;
	uint32_t perms;
	ebitmap_t src_matches, tgt_matches, matches;
	ebitmap_node_t snode, tnode;
	unsigned int i, j;

	if (k->specified != AVTAB_ALLOWED)
	return 0;

	if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
	return 0;

	ebitmap_init(&src_matches);
	ebitmap_init(&tgt_matches);
	ebitmap_init(&matches);

	rc = ebitmap_and(&src_matches, &avrule->stypes.types,
	&p->attr_type_map[k->source_type - 1]);
	if (rc)
	goto oom;

	if (ebitmap_length(&src_matches) == 0)
	goto exit;

	if (avrule->flags == RULE_SELF) {
	rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1]);
	if (rc)
	goto oom;
	rc = ebitmap_and(&tgt_matches, &avrule->stypes.types, &matches);
	if (rc)
	goto oom;
	} else {
	rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types, &p->attr_type_map[k->target_type -1]);
	if (rc)
	goto oom;
	}

	if (ebitmap_length(&tgt_matches) == 0)
	goto exit;

	for (cp = avrule->perms; cp; cp = cp->next) {

	perms = cp->data & d->data;
	if ((cp->tclass != k->target_class) \|\| !perms) {
	continue;
	}

	ebitmap_for_each_bit(&src_matches, snode, i) {
	if (!ebitmap_node_get_bit(snode, i))
	continue;
	ebitmap_for_each_bit(&tgt_matches, tnode, j) {
	if (!ebitmap_node_get_bit(tnode, j))
	continue;

	if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
	a->errors += report_assertion_extended_permissions(handle,p, avrule,
	i, j, cp, perms, k, avtab);
	} else {
	a->errors++;
	report_failure(handle, p, avrule, i, j, cp, perms);
	}
	}
	}
	}
	goto exit;

	oom:
	ERR(NULL, "Out of memory - unable to check neverallows");

	exit:
	ebitmap_destroy(&src_matches);
	ebitmap_destroy(&tgt_matches);
	ebitmap_destroy(&matches);
	return rc;
	}

	int report_assertion_failures(sepol_handle_t handle, policydb_t p, avrule_t *avrule)
	{
	int rc;
	struct avtab_match_args args;

	args.handle = handle;
	args.p = p;
	args.avrule = avrule;
	args.errors = 0;

	rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args);
	if (rc)
	goto oom;

	rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args);
	if (rc)
	goto oom;

	return args.errors;

	oom:
	return rc;
	}

	/*
	* Look up the extended permissions in avtab and verify that neverallowed
	* permissions are not granted.
	*/
	static int check_assertion_extended_permissions_avtab(avrule_t avrule, avtab_t avtab,
	unsigned int stype, unsigned int ttype,
	avtab_key_t k, policydb_t p)
	{
	avtab_ptr_t node;
	avtab_key_t tmp_key;
	avtab_extended_perms_t *xperms;
	av_extended_perms_t *neverallow_xperms = avrule->xperms;
	ebitmap_t *sattr = &p->type_attr_map[stype];
	ebitmap_t *tattr = &p->type_attr_map[ttype];
	ebitmap_node_t snode, tnode;
	unsigned int i, j;
	int rc = 1;

	memcpy(&tmp_key, k, sizeof(avtab_key_t));
	tmp_key.specified = AVTAB_XPERMS_ALLOWED;

	ebitmap_for_each_bit(sattr, snode, i) {
	if (!ebitmap_node_get_bit(snode, i))
	continue;
	ebitmap_for_each_bit(tattr, tnode, j) {
	if (!ebitmap_node_get_bit(tnode, j))
	continue;
	tmp_key.source_type = i + 1;
	tmp_key.target_type = j + 1;
	for (node = avtab_search_node(avtab, &tmp_key);
	node;
	node = avtab_search_node_next(node, tmp_key.specified)) {
	xperms = node->datum.xperms;

	if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
	&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
	continue;
	rc = check_extended_permissions(neverallow_xperms, xperms);
	if (rc)
	break;
	}
	}
	}

	return rc;
	}

	/*
	* When the ioctl permission is granted on an avtab entry that matches an
	* avrule neverallowxperm entry, enumerate over the matching
	* source/target/class sets to determine if the extended permissions exist
	* and if the neverallowed ioctls are granted.
	*
	* Four scenarios of interest:
	* 1. PASS - the ioctl permission is not granted for this source/target/class
	* This case is handled in check_assertion_avtab_match
	* 2. PASS - The ioctl permission is granted AND the extended permission
	* is NOT granted
	* 3. FAIL - The ioctl permission is granted AND no extended permissions
	* exist
	* 4. FAIL - The ioctl permission is granted AND the extended permission is
	* granted
	*/
	static int check_assertion_extended_permissions(avrule_t avrule, avtab_t avtab,
	avtab_key_t k, policydb_t p)
	{
	ebitmap_t src_matches, tgt_matches, matches;
	unsigned int i, j;
	ebitmap_node_t snode, tnode;
	class_perm_node_t *cp;
	int rc;
	int ret = 1;

	ebitmap_init(&src_matches);
	ebitmap_init(&tgt_matches);
	ebitmap_init(&matches);
	rc = ebitmap_and(&src_matches, &avrule->stypes.types,
	&p->attr_type_map[k->source_type - 1]);
	if (rc)
	goto oom;

	if (ebitmap_length(&src_matches) == 0)
	goto exit;

	if (avrule->flags == RULE_SELF) {
	rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1],
	&p->attr_type_map[k->target_type - 1]);
	if (rc)
	goto oom;
	rc = ebitmap_and(&tgt_matches, &avrule->stypes.types, &matches);
	if (rc)
	goto oom;
	} else {
	rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types,
	&p->attr_type_map[k->target_type -1]);
	if (rc)
	goto oom;
	}

	if (ebitmap_length(&tgt_matches) == 0)
	goto exit;

	for (cp = avrule->perms; cp; cp = cp->next) {
	if (cp->tclass != k->target_class)
	continue;
	ebitmap_for_each_bit(&src_matches, snode, i) {
	if (!ebitmap_node_get_bit(snode, i))
	continue;
	ebitmap_for_each_bit(&tgt_matches, tnode, j) {
	if (!ebitmap_node_get_bit(tnode, j))
	continue;

	ret = check_assertion_extended_permissions_avtab(
	avrule, avtab, i, j, k, p);
	if (ret)
	goto exit;
	}
	}
	}
	goto exit;

	oom:
	ERR(NULL, "Out of memory - unable to check neverallows");

	exit:
	ebitmap_destroy(&src_matches);
	ebitmap_destroy(&tgt_matches);
	ebitmap_destroy(&matches);
	return ret;
	}

	static int check_assertion_avtab_match(avtab_key_t k, avtab_datum_t d, void *args)
	{
	int rc;
	struct avtab_match_args a = (struct avtab_match_args )args;
	policydb_t *p = a->p;
	avrule_t *avrule = a->avrule;
	avtab_t *avtab = a->avtab;

	if (k->specified != AVTAB_ALLOWED)
	goto exit;

	if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
	goto exit;

	rc = ebitmap_match_any(&avrule->stypes.types, &p->attr_type_map[k->source_type - 1]);
	if (rc == 0)
	goto exit;

	if (avrule->flags == RULE_SELF) {
	/* If the neverallow uses SELF, then it is not enough that the
	* neverallow's source matches the src and tgt of the rule being checked.
	* It must match the same thing in the src and tgt, so AND the source
	* and target together and check for a match on the result.
	*/
	ebitmap_t match;
	rc = ebitmap_and(&match, &p->attr_type_map[k->source_type - 1], &p->attr_type_map[k->target_type - 1] );
	if (rc) {
	ebitmap_destroy(&match);
	goto oom;
	}
	rc = ebitmap_match_any(&avrule->stypes.types, &match);
	ebitmap_destroy(&match);
	} else {
	rc = ebitmap_match_any(&avrule->ttypes.types, &p->attr_type_map[k->target_type -1]);
	}
	if (rc == 0)
	goto exit;

	if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
	rc = check_assertion_extended_permissions(avrule, avtab, k, p);
	if (rc == 0)
	goto exit;
	}
	return 1;

	exit:
	return 0;

	oom:
	ERR(NULL, "Out of memory - unable to check neverallows");
	return rc;
	}

	int check_assertion(policydb_t p, avrule_t avrule)
	{
	int rc;
	struct avtab_match_args args;

	args.handle = NULL;
	args.p = p;
	args.avrule = avrule;
	args.errors = 0;
	args.avtab = &p->te_avtab;

	rc = avtab_map(&p->te_avtab, check_assertion_avtab_match, &args);

	if (rc == 0) {
	args.avtab = &p->te_cond_avtab;
	rc = avtab_map(&p->te_cond_avtab, check_assertion_avtab_match, &args);
	}

	return rc;
	}

	int check_assertions(sepol_handle_t * handle, policydb_t * p,
	avrule_t * avrules)
	{
	int rc;
	avrule_t *a;
	unsigned long errors = 0;

	if (!avrules) {
	/* Since assertions are stored in avrules, if it is NULL
	there won't be any to check. This also prevents an invalid
	free if the avtabs are never initialized */
	return 0;
	}

	for (a = avrules; a != NULL; a = a->next) {
	if (!(a->specified & (AVRULE_NEVERALLOW \| AVRULE_XPERMS_NEVERALLOW)))
	continue;
	rc = check_assertion(p, a);
	if (rc) {
	rc = report_assertion_failures(handle, p, a);
	if (rc < 0) {
	ERR(handle, "Error occurred while checking neverallows");
	return -1;
	}
	errors += rc;
	}
	}

	if (errors)
	ERR(handle, "%lu neverallow failures occurred", errors);

	return errors ? -1 : 0;
	}