* [PATCH V3 Notebook] How to add a new policy capability
@ 2022-04-05 8:19 Richard Haines
From: Richard Haines @ 2022-04-05 8:19 UTC (permalink / raw)
To: selinux; +Cc: paul, dburgener, Richard Haines
Describes the steps required to add a new policy capability to:
kernel, libsepol, and policy.
Also add the ioctl_skip_cloexec capability description.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
V2 Changes:
Clarify naming conventions.
Change enums from POLICYDB_CAPABILITY to POLICYDB_CAP
Add ioctl_skip_cloexec
V3 Changes:
Fix typos and 'Policy Updates' text.
src/lsm_selinux.md | 4 +
src/policy_config_statements.md | 139 ++++++++++++++++++++++++++++++++
2 files changed, 143 insertions(+)
diff --git a/src/lsm_selinux.md b/src/lsm_selinux.md
index cb8189b..7284912 100644
--- a/src/lsm_selinux.md
+++ b/src/lsm_selinux.md
@@ -714,6 +714,10 @@ or *libsepol* library.
- Enables fine-grained labeling of symlinks in pseudo filesystems based
on *genfscon* rules.
+*policy_capabilities/ioctl_skip_cloexec*
+
+- If true always allow FIOCLEX and FIONCLEXE ioctl permissions (from kernel 5.18).
+
*policy_capabilities/network_peer_controls*
- If true the following *network_peer_controls* are enabled:
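Review bot: typo in the new ioctl_skip_cloexec bullet: the second ioctl is named FIONCLEX, not "FIONCLEXE", so the line should read `- If true, always allow FIOCLEX and FIONCLEX ioctl permissions (from kernel 5.18).` (the comma after "If true" matches the phrasing the reader expects from the other entries in this list).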
diff --git a/src/policy_config_statements.md b/src/policy_config_statements.md
index d4eee48..9699766 100644
--- a/src/policy_config_statements.md
+++ b/src/policy_config_statements.md
@@ -1,5 +1,12 @@
# Policy Configuration Statements
+- [*policycap*](#policycap)
+ - [Adding A New Policy Capability](#adding-a-new-policy-capability)
+ - [Kernel Updates](#kernel-updates)
+ - [*libsepol* Library Updates](#libsepol-library-updates)
+ - [Reference Policy Updates](#reference-policy-updates)
+ - [CIL Policy Updates](#cil-policy-updates)
+
## *policycap*
Policy version 22 introduced the *policycap* statement to allow new
@@ -47,6 +54,138 @@ Conditional Policy Statements
policycap network_peer_controls;
```
+## Adding A New Policy Capability
+
+The kernel, userspace libsepol library and policy must be updated to enable
+the new capability as described below. For readability, the new capability
+should follow a consistent naming convention, where:
+
+- policy capability identifier is a lower-case string.
+- enum definition is ```POLICYDB_CAP_``` with the identifier appended in
+ upper-case.
+- kernel function call is ```selinux_policycap_``` with the identifier
+ appended in lower-case.
+
+### Kernel Updates
+
+In kernel source update the following three files with the new capability:
+
+***security/selinux/include/policycap_names.h***
+
+Add new entry at end of this list:
+
+```
+/* Policy capability names */
+const char *selinux_policycap_names[__POLICYDB_CAP_MAX] = {
+ ...
+ "genfs_seclabel_symlinks",
+ "ioctl_skip_cloexec",
+ "new_name"
+};
+```
+
+***security/selinux/include/policycap.h***
+
+Add new entry at end of this list:
+
+```
+/* Policy capabilities */
+enum {
+ ...
+ POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
+ POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
+ POLICYDB_CAP_NEW_NAME,
+ __POLICYDB_CAP_MAX
+};
+```
+
+***security/selinux/include/security.h***
+
+Add a new call to retrieve the loaded policy capability state:
+
+```
+static inline bool selinux_policycap_new_name(void)
+{
+ struct selinux_state *state = &selinux_state;
+
+ return READ_ONCE(state->policycap[POLICYDB_CAP_NEW_NAME]);
+}
+```
+
+Finally in the updated code that utilises the new policy capability do
+something like:
+
+```
+if (selinux_policycap_new_name())
+ do this;
+else
+ do that;
+```
+
+### *libsepol* Library Updates
+
+In selinux userspace source update the following two files with the new
+capability:
+
+***selinux/libsepol/src/polcaps.c***
+
+Add new entry at end of this list:
+
+```
+static const char * const polcap_names[] = {
+ ...
+ "genfs_seclabel_symlinks", /* POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS */
+ "ioctl_skip_cloexec", /* POLICYDB_CAP_IOCTL_SKIP_CLOEXEC */
+ "new_name", /* POLICYDB_CAP_NEW_NAME */
+ NULL
+};
+```
+
+***selinux/libsepol/include/sepol/policydb/polcaps.h***
+
+Add new entry at end of this list:
+
+```
+/* Policy capabilities */
+enum {
+ ...
+ POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
+ POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
+ POLICYDB_CAP_NEW_NAME,
+ __POLICYDB_CAP_MAX
+};
+```
+
+### Reference Policy Updates
+
+To enable the new capability in Reference Policy, add a new entry to this file:
+
+***policy/policy_capabilities***
+
+New *policycap* statement added to end of file:
+
+```
+# A description of the capability
+policycap new_name;
+```
+
+To disable the capability, comment out the entry:
+
+```
+# A description of the capability
+#policycap new_name;
+```
+
+### CIL Policy Updates
+
+To enable the capability in policy, add the following entry to a CIL
+source file:
+
+```
+; A description of the capability
+(policycap new_name)
+```
+
<!-- %CUTHERE% -->
---
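Review bot: the "Adding A New Policy Capability" section should say why every list must be appended to at the end and never reordered: a capability's numeric value is its enum position, the names arrays (selinux_policycap_names[] in the kernel and polcap_names[] in libsepol) are indexed by that value, and the policy binary records capabilities by number, so the kernel and libsepol enums must end up with identical ordering or a loaded policy will enable the wrong capability. A sentence to that effect after the naming-convention bullets (for example: "Entries must be appended in the same position in all four lists; never insert or reorder, since the index is the value stored in the policy") would make the repeated "Add new entry at end of this list" instructions self-explanatory. Minor style point: the naming bullets wrap inline identifiers in triple backticks (```POLICYDB_CAP_```, ```selinux_policycap_```); single backticks are the usual inline form and render the same without suggesting a fenced block.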
--
2.35.1
* Re: [PATCH V3 Notebook] How to add a new policy capability
From: Paul Moore @ 2022-04-07 0:54 UTC (permalink / raw)
To: Richard Haines; +Cc: selinux, dburgener
On Tue, Apr 5, 2022 at 4:19 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> Describes the steps required to add a new policy capability to:
> kernel, libsepol, and policy.
>
> Also add the ioctl_skip_cloexec capability description.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> V2 Changes:
> Clarify naming conventions.
> Change enums from POLICYDB_CAPABILITY to POLICYDB_CAP
> Add ioctl_skip_cloexec
> V3 Changes:
> Fix typos and 'Policy Updates' text.
>
> src/lsm_selinux.md | 4 +
> src/policy_config_statements.md | 139 ++++++++++++++++++++++++++++++++
> 2 files changed, 143 insertions(+)
Merged, thanks everyone!
--
paul-moore.com