SELinuxProject/selint

Permission order for C-005

Closed this issue · 4 comments

I am writing Java code to parse the rules; I decided to sort permissions for solution C005 at the stage of writing the result.
I need to know the order for the permissions.
The list is like this:
{ accept acquire_svc add add_entry_dir_perms add_name admin append append_file_perms associate audit_control audit_read audit_write bell bind block_suspend bpf chfn chown chsh connect connectto create create_file_perms create_netlink_socket_perms create_socket_perms create_stream_socket_perms crontab dac_override dac_read_search delete delete_chr_file_perms destroy disable drop dyntransition egress enable exec_file_perms execmem execstack execute execute_no_trans expand export force_cursor fowner freeze fsetid getattr getattr_file_perms getcap getfocus getgrp gethost getopt getpgid get_property getpwd getrlimit getsched getserv getsession getstat get_value grab import ingress insert ioctl ipc_lock ipc_owner kill lease linux_immutable list_dir_perms listen list_property lock mac_admin mac_override manage manage_blk_file_perms manage_chr_file_perms manage_dir_perms manage_fifo_file_perms manage_file_perms manage_lnk_file_perms manage_sock_file_perms map mknod mmap_exec_file_perms mmap_manage_file_perms mounton net_admin net_bind_service net_broadcast net_raw next_value nlmsg_read nlmsg_relay nlmsg_tty_audit nlmsg_write nnp_transition noatsecure nosuid_transition open passwd perfmon polmatch ptrace query read read_file_perms read_lnk_file_perms receive recv recvfrom relabel_blk_file_perms relabel_chr_file_perms relabel_dir_perms relabel_fifo_file_perms relabel_file_perms relabelfrom relabel_lnk_file_perms relabel_sock_file_perms relabelto reload remove remove_name rename rlimitinh rmdir r_netlink_socket_perms rootok rw_chr_file_perms rw_dir_perms rw_file_perms rw_netlink_socket_perms rw_shm_perms rw_socket_perms rw_stream_socket_perms rw_term_perms search search_dir_perms select send send_msg sendto setattr setattr_chr_file_perms setattr_dir_perms setattr_file_perms setcap setcontext setexec setfcap setfocus setfscreate setgid setkeycreate setopt setpcap setpgid set_property setrlimit setsched setsockcreate setuid set_value share shmemgrp shmemhost shmempwd shmemserv 
shutdown siginh sigkill signal signal_perms signull sigstop start status stop sys_admin sys_boot sys_chroot syslog sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config transition unlink update use view wake_alarm watch watch_mount watch_reads watch_sb watch_with_perm write write_file_perms }

The C-005 check is alphabetical.

xserver.te:
alphabetical:
allow xserver_unconfined_type xdrawable_type:x_drawable { add_child blend create destroy getattr get_property hide list_child list_property manage override read receive remove_child send setattr set_property show write };

xserver.te:        1004: (C): Permissions in av rule not ordered (getattr before get_property) (C-005)

The check is the strcmp() function, which casts to an unsigned int and compares (https://man7.org/linux/man-pages/man3/strcmp.3.html). Since these are ASCII characters, that's a comparison against ASCII order, and '_' comes before 'a' in ASCII.
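To make that strcmp() ordering concrete, here is a small added C check (not SELint's own code; SELint's real parser handles whole policy files, this handles one single-line av rule) that reports the first adjacent pair of permissions out of byte-wise order, reproducing the message above for the xserver.te rule:

```c
#include <stdio.h>
#include <string.h>

/* Scan the { ... } permission block of an av rule and report the first
 * adjacent pair that is not in strcmp() (byte-wise ASCII) order, which is
 * the ordering SELint's C-005 expects.  Returns 1 and copies the offending
 * names into prev/curr (buffers of n bytes) when the rule is misordered,
 * 0 when every pair is in order, and -1 when the rule has no brace block. */
int first_misordered_pair(const char *rule, char *prev, char *curr, size_t n)
{
    const char *open = strchr(rule, '{');
    const char *close = open ? strchr(open, '}') : NULL;
    if (!open || !close)
        return -1;

    /* Copy the inside of the braces so strtok() can split it in place. */
    char buf[1024];
    size_t len = (size_t)(close - open - 1);
    if (len >= sizeof buf)
        return -1;
    memcpy(buf, open + 1, len);
    buf[len] = '\0';

    const char *last = NULL;
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        /* strcmp() compares unsigned bytes: '_' (0x5F) < 'a' (0x61), so
         * "get_property" must precede "getattr". */
        if (last && strcmp(last, tok) > 0) {
            snprintf(prev, n, "%s", last);
            snprintf(curr, n, "%s", tok);
            return 1;
        }
        last = tok;
    }
    return 0;
}

int main(void)
{
    /* The xserver.te rule from the thread, in the order SELint flagged. */
    const char *rule =
        "allow xserver_unconfined_type xdrawable_type:x_drawable "
        "{ add_child blend create destroy getattr get_property hide list_child "
        "list_property manage override read receive remove_child send setattr "
        "set_property show write };";
    char prev[64], curr[64];
    if (first_misordered_pair(rule, prev, curr, sizeof prev) == 1)
        printf("Permissions in av rule not ordered (%s before %s) (C-005)\n", prev, curr);
    return 0;
}
```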

If anyone comes up with the same question, here is the sorting as a List<String>:

		import java.util.ArrayList;
		import java.util.Arrays;
		import java.util.Collections;

		public class PermissionOrder {
			public static void main(String[] args) {
				final var string = "add_child blend create destroy getattr get_property hide list_child list_property manage override read receive remove_child send setattr set_property show write";
				final var dataList = new ArrayList<>(Arrays.asList(string.split(" ")));

				// String.compareTo() compares UTF-16 code units one by one and then
				// lengths, which for ASCII permission names is exactly the strcmp()
				// order SELint uses: '_' (0x5F) sorts before 'a' (0x61), so
				// get_property precedes getattr.
				Collections.sort(dataList, String::compareTo);
				System.err.println(dataList);
			}
		}

output:

[add_child, blend, create, destroy, get_property, getattr, hide, list_child, list_property, manage, override, read, receive, remove_child, send, set_property, setattr, show, write]