From: Juraj Marcin <juraj@jurajmarcin.com>
To: selinux@vger.kernel.org
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH 0/8] checkpolicy, libsepol: add prefix/suffix matching to filename type transitions
Date: Wed, 31 May 2023 13:49:06 +0200
Message-ID: <20230531114914.2237609-1-juraj@jurajmarcin.com>

Currently, filename transitions are stored separately from other type
enforcement rules and only support exact name matching. However, in
practice, the names contain variable parts. This leads to many
duplicated rules in the policy that differ only in the part of the name,
or it is even impossible to cover all possible combinations.

This series implements equivalent changes made by this kernel patch
series [1].

First, this series of patches moves the filename transitions to be part
of the avtab and avrule structures. This not only makes the
implementation of prefix/suffix matching and future enhancements easier,
but also reduces the technical debt regarding the filename transitions.
Next, the last three patches implement the support for prefix/suffix
name matching itself by extending the structures added in previous
patches in this series and adding the support to CIL in the last of the
triple.

Even though moving everything to avtab increases the memory usage and
the size of the binary policy itself, and thus the loading time, the
ability to match the prefix or suffix of the name will reduce the
overall number of rules in the policy, which should mitigate this issue.
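To make the effect described above concrete, here is a small model of filename transition matching with exact, prefix and suffix rules. It is an added example written for this page, not code from the patch series or from libsepol: the structure, enum names, the sample types and filenames, and the precedence (an exact rule wins over a prefix/suffix rule) are all assumptions made for illustration. The point it shows is that one prefix or suffix rule covers a whole family of names that would otherwise each need their own exact rule.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* How the name part of a transition rule is compared against the new
 * object's name. Names and semantics are assumptions for this example,
 * not libsepol's real definitions. */
enum name_match { NAME_EXACT, NAME_PREFIX, NAME_SUFFIX };

struct filename_trans {
    const char *stype;     /* source (creating process) type */
    const char *ttype;     /* target (parent directory) type */
    const char *tclass;    /* object class being created */
    enum name_match kind;  /* how 'name' is matched */
    const char *name;      /* literal, prefix or suffix to match */
    const char *otype;     /* resulting object type */
};

/* Compare a rule's name pattern against an object name. */
static int name_matches(enum name_match kind, const char *pat, const char *name)
{
    size_t plen = strlen(pat), nlen = strlen(name);

    switch (kind) {
    case NAME_EXACT:
        return strcmp(pat, name) == 0;
    case NAME_PREFIX:
        return nlen >= plen && strncmp(pat, name, plen) == 0;
    case NAME_SUFFIX:
        return nlen >= plen && strcmp(pat, name + (nlen - plen)) == 0;
    }
    return 0;
}

/* Find the resulting type for a newly created object. An exact-name rule
 * takes precedence over prefix/suffix rules (assumed for this example);
 * among prefix/suffix rules the first match wins. NULL means no rule. */
static const char *lookup_filename_trans(const struct filename_trans *rules,
                                         size_t n, const char *stype,
                                         const char *ttype, const char *tclass,
                                         const char *name)
{
    const char *fallback = NULL;

    for (size_t i = 0; i < n; i++) {
        const struct filename_trans *r = &rules[i];

        if (strcmp(r->stype, stype) != 0 || strcmp(r->ttype, ttype) != 0 ||
            strcmp(r->tclass, tclass) != 0)
            continue;
        if (!name_matches(r->kind, r->name, name))
            continue;
        if (r->kind == NAME_EXACT)
            return r->otype;
        if (fallback == NULL)
            fallback = r->otype;
    }
    return fallback;
}

/* Constructed sample rules; the types and names are illustrative only and
 * do not come from any real policy. The prefix rule replaces what would
 * otherwise be one exact rule per "sshd-<something>" file. */
static const struct filename_trans sample_rules[] = {
    { "sshd_t", "var_log_t", "file", NAME_EXACT,  "auth.log", "auth_log_t" },
    { "sshd_t", "var_log_t", "file", NAME_PREFIX, "sshd-",    "sshd_log_t" },
    { "sshd_t", "var_log_t", "file", NAME_SUFFIX, ".journal", "journal_t"  },
};
static const size_t sample_rule_count =
    sizeof(sample_rules) / sizeof(sample_rules[0]);

/* Resolve a name created by sshd_t in a var_log_t directory. */
const char *sample_lookup(const char *name)
{
    return lookup_filename_trans(sample_rules, sample_rule_count,
                                 "sshd_t", "var_log_t", "file", name);
}

int main(void)
{
    const char *names[] = { "auth.log", "sshd-2023-05-31.log",
                            "system.journal", "unrelated.txt" };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *otype = sample_lookup(names[i]);
        printf("%-22s -> %s\n", names[i], otype ? otype : "(no transition)");
    }
    return 0;
}
```

The lookup still keys on source type, target type and class exactly as an exact-name rule would; only the name comparison gains the prefix/suffix variants, which is why a single additional field per rule is enough to express the new behaviour.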

[1]: https://lore.kernel.org/selinux/20230531112927.1957093-1-juraj@jurajmarcin.com/

Juraj Marcin (8):
  checkpolicy, libsepol: move transition to separate structure in avtab
  checkpolicy, libsepol: move filename transitions to avtab
  checkpolicy, libsepol: move filename transition rules to avrule
  libsepol: implement new kernel binary format for avtab
  libsepol: implement new module binary format of avrule
  checkpolicy, libsepol: add prefix/suffix support to kernel policy
  checkpolicy, libsepol: add prefix/suffix support to module policy
  libsepol/cil: add support for prefix/suffix filename transtions to CIL

 checkpolicy/checkmodule.c                  |   9 +
 checkpolicy/module_compiler.c              |  12 -
 checkpolicy/module_compiler.h              |   1 -
 checkpolicy/policy_define.c                | 211 +-----
 checkpolicy/policy_define.h                |   3 +-
 checkpolicy/policy_parse.y                 |  15 +-
 checkpolicy/policy_scan.l                  |   6 +
 checkpolicy/test/dismod.c                  |  39 +-
 checkpolicy/test/dispol.c                  | 106 +--
 libsepol/cil/src/cil.c                     |   8 +
 libsepol/cil/src/cil_binary.c              |  63 +-
 libsepol/cil/src/cil_build_ast.c           |  25 +-
 libsepol/cil/src/cil_copy_ast.c            |   1 +
 libsepol/cil/src/cil_internal.h            |   5 +
 libsepol/cil/src/cil_policy.c              |  17 +-
 libsepol/cil/src/cil_resolve_ast.c         |  10 +
 libsepol/cil/src/cil_write_ast.c           |   2 +
 libsepol/include/sepol/policydb/avtab.h    |  19 +-
 libsepol/include/sepol/policydb/hashtab.h  |  14 +
 libsepol/include/sepol/policydb/policydb.h |  50 +-
 libsepol/src/avrule_block.c                |   1 -
 libsepol/src/avtab.c                       | 336 +++++++++-
 libsepol/src/conditional.c                 |   6 +-
 libsepol/src/expand.c                      | 149 ++---
 libsepol/src/kernel_to_cil.c               | 182 ++----
 libsepol/src/kernel_to_common.h            |  10 +
 libsepol/src/kernel_to_conf.c              | 178 ++----
 libsepol/src/link.c                        |  57 +-
 libsepol/src/module_to_cil.c               |  86 +--
 libsepol/src/optimize.c                    |   8 +
 libsepol/src/policydb.c                    | 479 +++-----------
 libsepol/src/policydb_validate.c           | 100 +--
 libsepol/src/services.c                    |   5 +-
 libsepol/src/write.c                       | 712 ++++++++++++++++-----
 34 files changed, 1534 insertions(+), 1391 deletions(-)

-- 
2.40.0


Thread overview: 15+ messages
2023-05-31 11:49 Juraj Marcin [this message]
2023-05-31 11:49 ` [PATCH 1/8] checkpolicy, libsepol: move transition to separate structure in avtab Juraj Marcin
2023-05-31 11:49 ` [PATCH 2/8] checkpolicy, libsepol: move filename transitions to avtab Juraj Marcin
2023-05-31 11:49 ` [PATCH 3/8] checkpolicy, libsepol: move filename transition rules to avrule Juraj Marcin
2023-05-31 11:49 ` [PATCH 4/8] libsepol: implement new kernel binary format for avtab Juraj Marcin
2023-05-31 11:49 ` [PATCH 5/8] libsepol: implement new module binary format of avrule Juraj Marcin
2023-05-31 11:49 ` [PATCH 6/8] checkpolicy, libsepol: add prefix/suffix support to kernel policy Juraj Marcin
2023-05-31 11:49 ` [PATCH 7/8] checkpolicy, libsepol: add prefix/suffix support to module policy Juraj Marcin
2023-06-01 20:59   ` James Carter
2023-06-07  8:31     ` Ondrej Mosnacek
2023-06-07 13:32       ` James Carter
2023-05-31 11:49 ` [PATCH 8/8] libsepol/cil: add support for prefix/suffix filename transtions to CIL Juraj Marcin
2023-06-01 21:00   ` James Carter
2023-06-01 21:03 ` [PATCH 0/8] checkpolicy, libsepol: add prefix/suffix matching to filename type transitions James Carter
2023-06-01 23:59   ` Juraj Marcin