dburgener · dburgener · Oct 28, 2022 · Oct 27, 2022 · Oct 28, 2022 · Oct 28, 2022
diff --git a/data/error_policies/duplicate_inherit.cas b/data/error_policies/duplicate_inherit.cas
@@ -0,0 +1,11 @@
+virtual resource foo {}
+
+virtual resource bar {}
+
+resource baz inherits foo, foo, bar {}
+
+resource zap inherits foo, bar, foo {}
+
+domain requires_allow {
+ allow(this, baz, file, read);
+}
diff --git a/data/expected_cil/duplicate_inherit.cil b/data/expected_cil/duplicate_inherit.cil
@@ -0,0 +1,142 @@
+(class alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class anon_inode (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
+(class appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class association (sendto recvfrom setcontext polmatch))
+(class atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class binder (impersonate call set_context_mgr transfer))
+(class blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
+(class bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class bpf (map_create map_read map_write prog_load prog_run))
+(class caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class cap2_userns (mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore))
+(class cap_userns (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap))
+(class capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap))
+(class capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore))
+(class chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
+(class dccp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect))
+(class decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir))
+(class fd (use))
+(class fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
+(class file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint))
+(class filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch))
+(class icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind))
+(class ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class infiniband_endpoint (manage_subnet))
+(class infiniband_pkey (access))
+(class ipc (create destroy getattr setattr read write associate unix_read unix_write))
+(class ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class kernel_service (use_as_override create_files_as))
+(class key (view read write search link setattr create))
+(class key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
+(class lockdown (integrity confidentiality))
+(class memprotect (mmap_zero))
+(class msg (send receive))
+(class msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue))
+(class netif (ingress egress))
+(class netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit))
+(class netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write))
+(class netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write))
+(class netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write))
+(class netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class node (recvfrom sendto))
+(class node_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind))
+(class packet (send recv relabelto forward_in forward_out))
+(class packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class peer (recv))
+(class perf_event (open cpu kernel tracepoint read write))
+(class phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit))
+(class process2 (nnp_transition nosuid_transition))
+(class qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind))
+(class rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect association))
+(class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans))
+(class sem (create destroy getattr setattr read write associate unix_read unix_write))
+(class shm (create destroy getattr setattr read write associate unix_read unix_write lock))
+(class smc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
+(class socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class system (ipc_info syslog_read syslog_mod syslog_console module_request module_load))
+(class tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect))
+(class tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue))
+(class udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind))
+(class unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto))
+(class vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(class xdp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind))
+(classorder (alg_socket anon_inode appletalk_socket association atmpvc_socket atmsvc_socket ax25_socket binder blk_file bluetooth_socket bpf caif_socket can_socket cap2_userns cap_userns capability capability2 chr_file dccp_socket decnet_socket dir fd fifo_file file filesystem icmp_socket ieee802154_socket infiniband_endpoint infiniband_pkey ipc ipx_socket irda_socket isdn_socket iucv_socket kcm_socket kernel_service key key_socket llc_socket lnk_file lockdown memprotect msg msgq netif netlink_audit_socket netlink_connector_socket netlink_crypto_socket netlink_dnrt_socket netlink_fib_lookup_socket netlink_generic_socket netlink_iscsi_socket netlink_kobject_uevent_socket netlink_netfilter_socket netlink_nflog_socket netlink_rdma_socket netlink_route_socket netlink_scsitransport_socket netlink_selinux_socket netlink_socket netlink_tcpdiag_socket netlink_xfrm_socket netrom_socket nfc_socket node node_socket packet packet_socket peer perf_event phonet_socket pppox_socket process process2 qipcrtr_socket rawip_socket rds_socket rose_socket rxrpc_socket sctp_socket security sem shm smc_socket sock_file socket system tcp_socket tipc_socket tun_socket udp_socket unix_dgram_socket unix_stream_socket vsock_socket x25_socket xdp_socket))
+(sensitivity s0)
+(sensitivityorder (s0))
+(user system_u)
+(role system_r)
+(role object_r)
+(userrole system_u system_r)
+(userrole system_u object_r)
+(userlevel system_u (s0))
+(userrange system_u ((s0) (s0)))
+(handleunknown allow)
+(typeattribute domain)
+(typeattribute resource)
+(typeattribute foo)
+(typeattributeset resource (foo))
+(type kernel_sid)
+(roletype system_r kernel_sid)
+(typeattributeset domain (kernel_sid))
+(type requires_allow)
+(roletype system_r requires_allow)
+(typeattributeset domain (requires_allow))
+(type security_sid)
+(roletype object_r security_sid)
+(typeattributeset resource (security_sid))
+(type unlabeled_sid)
+(roletype object_r unlabeled_sid)
+(typeattributeset resource (unlabeled_sid))
+(typeattribute bar)
+(typeattributeset foo (bar))
+(typeattributeset resource (bar))
+(typeattribute baz)
+(typeattributeset foo (baz))
+(typeattributeset resource (baz))
+(type qux)
+(roletype object_r qux)
+(typeattributeset bar (qux))
+(typeattributeset baz (qux))
+(typeattributeset resource (qux))
+(allow requires_allow qux (file (read)))
+(sid kernel)
+(sidcontext kernel (system_u system_r kernel_sid ((s0) (s0))))
+(sid security)
+(sidcontext security (system_u object_r security_sid ((s0) (s0))))
+(sid unlabeled)
+(sidcontext unlabeled (system_u object_r unlabeled_sid ((s0) (s0))))
+(sidorder (kernel security unlabeled))
diff --git a/data/policies/duplicate_inherit.cas b/data/policies/duplicate_inherit.cas
@@ -0,0 +1,11 @@
+virtual resource foo {}
+
+virtual resource bar inherits foo {}
+
+virtual resource baz inherits foo {}
+
+resource qux inherits bar, baz {}
+
+domain requires_allow {
+ allow(this, qux, file, read);
+}
diff --git a/src/internal_rep.rs b/src/internal_rep.rs
@@ -248,6 +248,21 @@ impl Declared for TypeInfo {
 
 impl TypeInfo {
  pub fn new(td: TypeDecl, file: &SimpleFile<String, String>) -> Result<TypeInfo, CascadeErrors> {
+ let mut temp_vec = td.inherits.clone();
+ temp_vec.sort();
+ let mut iter = temp_vec.iter().peekable();
+ while let Some(cur_val) = iter.next() {
+ if let Some(next_val) = iter.peek() {
+ if cur_val == *next_val {
+ return Err(CascadeErrors::from(ErrorItem::Compile(CompileError::new(
+ "Duplicate Inherit",
+ file,
+ (*next_val).get_range(),
+ "This type to inherit is identical to another type in the same inheritance list. Perhaps you meant to inherit some other type?",
+ ))));
+ }
+ }
+ }
  Ok(TypeInfo {
  name: td.name.clone(),
  inherits: td.inherits.clone(),

diff --git a/src/lib.rs b/src/lib.rs
@@ -1090,4 +1090,23 @@ mod tests {
  &["this.associated", "foo.associated", "this-associated"],
  );
  }
+
+ #[test]
+ fn invalid_duplicate_inherit() {
+ error_policy_test!("duplicate_inherit.cas", 2, ErrorItem::Compile(_));
+ }
+
+ #[test]
+ fn valid_duplicate_inherit() {
+ valid_policy_test(
+ "duplicate_inherit.cas",
+ &[
+ "typeattributeset bar (qux)",
+ "typeattributeset baz (qux)",
+ "typeattributeset foo (bar)",
+ "typeattributeset foo (baz)",
+ ],
+ &[],
+ );
+ }
 }