* Re: PATCH: peersid capability support
@ 2007-12-03 19:41 Todd C. Miller
  2007-12-04 19:26 ` Paul Moore
  2007-12-05 18:58 ` Stephen Smalley
  0 siblings, 2 replies; 34+ messages in thread
From: Todd C. Miller @ 2007-12-03 19:41 UTC (permalink / raw)
  To: selinux; +Cc: jbrindle, paul.moore, sds, tmiller

> Stephen Smalley wrote:
> Looks like the libsepol patch puts the policycaps ebitmap at a different
> location in the policy image than the kernel patch expects.

I had initially changed the ebitmap reading/writing location from
where Josh had it to work around an issue with semodule.  This version
preserves the location in the final policy binary without confusing
sepol_module_package_info().

 - todd

--

Index: trunk/libsepol/include/sepol/policydb/polcaps.h
===================================================================
--- /dev/null
+++ trunk/libsepol/include/sepol/policydb/polcaps.h
@@ -0,0 +1,14 @@
+#ifndef _SEPOL_POLICYDB_POLCAPS_H_
+#define _SEPOL_POLICYDB_POLCAPS_H_
+
+/* Policy capabilities */
+enum {
+	POLICYDB_CAPABILITY_NETPEER,
+	__POLICYDB_CAPABILITY_MAX
+};
+#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+
+/* Convert a capability name to number. */
+extern int sepol_polcap_getnum(const char *name);
+
+#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
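Review bot: The enum in polcaps.h carries no warning that its values are bit positions persisted in the binary policy — policydb_write() emits p->policycaps as an ebitmap and the kernel patch reads those bits back — so they are a file-format contract with the kernel's capability enum (the thread says the strings were taken from the kernel patch; the numbering presumably has to match as well), not merely an index into polcap_names[]. A comment above the enum such as `/* Bit positions in policydb->policycaps. Written to the binary policy and interpreted by the kernel, so the order must match the kernel's enum: append only, never reorder or remove. */` would stop a later insertion in the middle from silently re-mapping every capability. `__POLICYDB_CAPABILITY_MAX` also uses a double-underscore identifier that C reserves for the implementation; it mirrors the kernel's spelling, but a name such as `POLICYDB_CAPABILITY_NUM` would stay out of the reserved namespace.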
Index: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk.orig/libsepol/include/sepol/policydb/policydb.h
+++ trunk/libsepol/include/sepol/policydb/policydb.h
@@ -468,6 +468,8 @@ typedef struct policydb {
 
 	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
 
+	ebitmap_t policycaps;
+
 	unsigned policyvers;
 
 	unsigned handle_unknown;
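Review bot: The new `policycaps` member is added right below `attr_type_map`, whose comment records that it is not saved in the binary policy, yet the new field says nothing about its own serialization even though policydb_write() only emits it from POLICYDB_VERSION_POLCAP / MOD_POLICYDB_VERSION_POLCAP on. That is worth recording at the declaration, e.g. `ebitmap_t policycaps;	/* enabled policy capabilities (see polcaps.h); saved in the binary policy from the POLCAP versions on */`. The struct policydb definition begins before this hunk.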
@@ -584,10 +586,11 @@ extern int policydb_write(struct policyd
 #define POLICYDB_VERSION_MLS		19
 #define POLICYDB_VERSION_AVTAB		20
 #define POLICYDB_VERSION_RANGETRANS	21
+#define POLICYDB_VERSION_POLCAP		22
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_POLCAP
 
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE	   4
@@ -595,9 +598,10 @@ extern int policydb_write(struct policyd
 #define MOD_POLICYDB_VERSION_MLS	   5
 #define MOD_POLICYDB_VERSION_RANGETRANS	   6
 #define MOD_POLICYDB_VERSION_MLS_USERS	   6
+#define MOD_POLICYDB_VERSION_POLCAP	   7
 
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_POLCAP
 
 #define POLICYDB_CONFIG_MLS    1
 
Index: trunk/libsepol/src/polcaps.c
===================================================================
--- /dev/null
+++ trunk/libsepol/src/polcaps.c
@@ -0,0 +1,24 @@
+/*
+ * Policy capability support functions
+ */
+
+#include <string.h>
+#include <sepol/policydb/polcaps.h>
+
+static const char *polcap_names[] = {
+	"network_peer_controls",	/* POLICYDB_CAPABILITY_NETPEER */
+	NULL
+};
+
+int sepol_polcap_getnum(const char *name)
+{
+	int capnum;
+
+	for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) {
+		if (polcap_names[capnum] == NULL)
+			continue;
+		if (strcasecmp(polcap_names[capnum], name) == 0)
+			return capnum;
+	}
+	return -1;
+}
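Review bot: sepol_polcap_getnum() calls strcasecmp() but includes only <string.h>; POSIX declares strcasecmp() in <strings.h>, so add `#include <strings.h>` rather than relying on glibc exposing it through <string.h>, or stricter libcs will hit an implicit declaration. The lookup loop runs up to POLICYDB_CAPABILITY_MAX and `continue`s over NULL entries, so the trailing NULL sentinel in polcap_names[] terminates nothing, and if the enum ever grows faster than the table the index walks off the array; bounding the loop by `sizeof(polcap_names) / sizeof(polcap_names[0])` and breaking on NULL would make the table self-describing. Case-insensitive matching looks deliberate — `NETWORK_PEER_CONTROLS` is accepted — but it deserves a one-line comment saying so, otherwise the next reader will assume strcmp() was intended.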
Index: trunk/libsepol/src/policydb.c
===================================================================
--- trunk.orig/libsepol/src/policydb.c
+++ trunk/libsepol/src/policydb.c
@@ -99,6 +99,12 @@ static struct policydb_compat_info polic
 	 .ocon_num = OCON_NODE6 + 1,
 	 },
 	{
+	 .type = POLICY_KERN,
+	 .version = POLICYDB_VERSION_POLCAP,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 },
+	{
 	 .type = POLICY_BASE,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -117,6 +123,12 @@ static struct policydb_compat_info polic
 	 .ocon_num = OCON_NODE6 + 1,
 	 },
 	{
+	 .type = POLICY_BASE,
+	 .version = MOD_POLICYDB_VERSION_POLCAP,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 },
+	{
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -132,6 +144,12 @@ static struct policydb_compat_info polic
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_MLS_USERS,
 	 .sym_num = SYM_NUM,
+	 .ocon_num = 0
+	 },
+	{
+	 .type = POLICY_MOD,
+	 .version = MOD_POLICYDB_VERSION_POLCAP,
+	 .sym_num = SYM_NUM,
 	 .ocon_num = 0},
 };
 
@@ -447,6 +465,8 @@ int policydb_init(policydb_t * p)
 
 	memset(p, 0, sizeof(policydb_t));
 
+	ebitmap_init(&p->policycaps);
+
 	for (i = 0; i < SYM_NUM; i++) {
 		p->sym_val_to_name[i] = NULL;
 		rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
@@ -971,6 +991,8 @@ void policydb_destroy(policydb_t * p)
 	if (!p)
 		return;
 
+	ebitmap_destroy(&p->policycaps);
+
 	symtabs_destroy(p->symtab);
 
 	for (i = 0; i < SYM_NUM; i++) {
@@ -3123,6 +3145,16 @@ int policydb_read(policydb_t * p, struct
 		p->version[len] = '\0';
 	}
 
+	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_KERN) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_BASE) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_MOD)) {
+		if (ebitmap_read(&p->policycaps, fp))
+			goto bad;
+	}
+
 	for (i = 0; i < info->sym_num; i++) {
 		rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
 		if (rc < 0)
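Review bot: Nothing after `ebitmap_read(&p->policycaps, fp)` bounds the bits that came off disk, so a module or kernel policy produced by a newer toolchain — or a corrupted file — can carry capability numbers above POLICYDB_CAPABILITY_MAX, and link_modules() will union them into the base and policydb_write() will emit them to the kernel as if this libsepol understood them. Rejecting them at parse time is cheap: after the read, `if (ebitmap_length(&p->policycaps) > POLICYDB_CAPABILITY_MAX + 1) goto bad;` (assuming the ebitmap API exposes the high bit the way libsepol's ebitmap_length() does; otherwise walk the map), ideally with an ERR naming the offending bit. The three-clause version test also repeats itself — POLICY_BASE and POLICY_MOD compare against the same constant — and duplicates the predicate in policydb_write(), the kind of reader/writer drift that otherwise only shows up at load time, as the kernel's `ebitmap: map size 4 does not match my size 64` error earlier in the thread did. policydb_read() starts before and continues after this hunk.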
Index: trunk/libsepol/src/expand.c
===================================================================
--- trunk.orig/libsepol/src/expand.c
+++ trunk/libsepol/src/expand.c
@@ -2252,6 +2252,12 @@ int expand_module(sepol_handle_t * handl
 	out->mls = base->mls;
 	out->handle_unknown = base->handle_unknown;
 
+	/* Copy policy capabilities */
+	if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
+		ERR(handle, "Out of memory!");
+		goto cleanup;
+	}
+
 	if ((state.typemap =
 	     (uint32_t *) calloc(state.base->p_types.nprim,
 				 sizeof(uint32_t))) == NULL) {
@@ -2418,6 +2424,7 @@ int expand_module(sepol_handle_t * handl
 	retval = 0;
 
       cleanup:
+	ebitmap_destroy(&out->policycaps);
 	free(state.typemap);
 	free(state.boolmap);
 	return retval;
Index: trunk/libsepol/src/write.c
===================================================================
--- trunk.orig/libsepol/src/write.c
+++ trunk/libsepol/src/write.c
@@ -1595,6 +1595,17 @@ int policydb_write(policydb_t * p, struc
 		if (items != len)
 			return POLICYDB_ERROR;
 	}
+
+	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_KERN) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_BASE) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_MOD)) {
+		if (ebitmap_write(&p->policycaps, fp) == -1)
+			return POLICYDB_ERROR;
+	}
+
 	num_syms = info->sym_num;
 	for (i = 0; i < num_syms; i++) {
 		buf[0] = cpu_to_le32(p->symtab[i].nprim);
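Review bot: When the in-memory policy has capability bits set but `p->policyvers` is below the POLCAP version for its type (for instance a policy written out at an older target version), this block silently omits the ebitmap, so the policy loads with the capability off and no diagnostic — the author asked for a capability and quietly did not get it. A guard ahead of the version test along the lines of `if (ebitmap_length(&p->policycaps) && <version too old>) { ERR(fp->handle, "policy capabilities require policy version %d", POLICYDB_VERSION_POLCAP); return POLICYDB_ERROR; }` would surface that, assuming policydb_write() has a handle to report through and an ebitmap accessor of that shape. The version predicate is a verbatim copy of the one in policydb_read(), and POLICY_BASE and POLICY_MOD test the same constant, so a shared `static int policydb_has_polcaps(const policydb_t *p)` would collapse both to one expression and keep reader and writer from drifting apart. policydb_write()'s body continues on both sides of the hunk.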
Index: trunk/libsepol/src/link.c
===================================================================
--- trunk.orig/libsepol/src/link.c
+++ trunk/libsepol/src/link.c
@@ -2177,8 +2177,14 @@ int link_modules(sepol_handle_t * handle
 		goto cleanup;
 	}
 
-	/* copy all types, declared and required */
+	/* copy all types, declared, required and polcaps */
 	for (i = 0; i < len; i++) {
+		ret = ebitmap_union(&state.base->policycaps,
+				    &modules[i]->policy->policycaps);
+		if (ret) {
+			retval = ret;
+			goto cleanup;
+		}
 		state.cur = modules[i];
 		state.cur_mod_name = modules[i]->policy->name;
 		ret =
Index: trunk/checkpolicy/policy_scan.l
===================================================================
--- trunk.orig/checkpolicy/policy_scan.l
+++ trunk/checkpolicy/policy_scan.l
@@ -201,6 +201,8 @@ h1 |
 H1				{ return(H1); }
 h2 |
 H2				{ return(H2); }
+policycap |
+POLICYCAP			{ return(POLICYCAP);}
 "/"({alnum}|[_.-/])*	        { return(PATH); }
 {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
 {digit}+                        { return(NUMBER); }
Index: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk.orig/checkpolicy/policy_parse.y
+++ trunk/checkpolicy/policy_parse.y
@@ -47,6 +47,7 @@
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/polcaps.h>
 #include "queue.h"
 #include "checkpolicy.h"
 #include "module_compiler.h"
@@ -198,6 +199,7 @@ typedef int (* require_func_t)();
 %token IPV4_ADDR
 %token IPV6_ADDR
 %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
+%token POLICYCAP
 
 %left OR
 %left XOR
@@ -323,6 +325,7 @@ te_decl			: attribute_def
                         | transition_def
                         | range_trans_def
                         | te_avtab_def
+			| policycap_def
 			;
 attribute_def           : ATTRIBUTE identifier ';'
                         { if (define_attrib()) return -1;}
@@ -765,6 +768,9 @@ number			: NUMBER 
 ipv6_addr		: IPV6_ADDR
 			{ if (insert_id(yytext,0)) return -1; }
 			;
+policycap_def		: POLICYCAP identifier ';'
+			{if (define_polcap()) return -1;}
+			;
 
 /*********** module grammar below ***********/
 
@@ -962,6 +968,44 @@ static int define_class(void)
 	return -1;
 }
 
+static int define_polcap(void)
+{
+	char *id = 0;
+	int capnum;
+
+	if (pass == 2) {
+		id = queue_remove(id_queue);
+		free(id);
+		return 0;
+	}
+
+	id = (char *)queue_remove(id_queue);
+	if (!id) {
+		yyerror("no capability name for policycap definition?");
+		goto bad;
+	}
+
+	/* Check for valid cap name -> number mapping */
+	capnum = sepol_polcap_getnum(id);
+	if (capnum < 0) {
+		yyerror2("invalid policy capability name %s", id);
+		goto bad;
+	}
+
+	/* Store it */
+	if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
+		yyerror("out of memory");
+		goto bad;
+	}
+
+	free(id);
+	return 0;
+
+      bad:
+	free(id);
+	return -1;
+}
+
 static int define_initial_sid(void)
 {
 	char *id = 0;
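Review bot: define_polcap() sets the capability bit in pass 1 wherever the statement appears, and policycap_def hangs off te_decl rather than a top-level-only production, so if te_decl is reachable from inside `optional { }` blocks in this grammar (the patch does not show that part), a capability declared in an optional block that is later disabled at link time would still be enabled — and the unioning in link_modules() would then spread it to the whole base. Since a capability presumably changes kernel behaviour for the entire loaded policy rather than for one module, either restrict policycap_def to the top level or document the unconditional semantics with a comment such as `/* Capabilities are recorded unconditionally in pass 1; an enclosing optional or conditional block does not gate them. */`. define_initial_sid() at the end of the hunk continues outside it.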


* Re: PATCH: peersid capability support
  2007-12-03 19:41 PATCH: peersid capability support Todd C. Miller
@ 2007-12-04 19:26 ` Paul Moore
  2007-12-04 20:18   ` Stephen Smalley
  2007-12-05 18:58 ` Stephen Smalley
  1 sibling, 1 reply; 34+ messages in thread
From: Paul Moore @ 2007-12-04 19:26 UTC (permalink / raw)
  To: Todd C. Miller; +Cc: selinux, jbrindle, sds

On Monday 03 December 2007 2:41:07 pm Todd C. Miller wrote:
> > Stephen Smalley wrote:
> > Looks like the libsepol patch puts the policycaps ebitmap at a different
> > location in the policy image than the kernel patch expects.
>
> I had initially changed the ebitmap reading/writing location from
> where Josh had it to work around an issue with semodule.  This version
> preserves the location in the final policy binary without confusing
> sepol_module_package_info().

Okay, well that at least loaded my simple test policy but it didn't appear to 
have any effect on /selinux/policy_capabilities/network_peer_controls.  This 
may be a problem with the kernel patch but before I started digging around I 
thought I would first check with you on the correct policy syntax.

I'm using a Rawhide targeted policy and I'm loading a simple policy module 
with the following statements:

 policy_module(peer_test,0.0.1)
 policycap network_peer_controls;
 type peer_test_t;

It compiles (using /usr/share/selinux/devel/Makefile) and loads (semodule -i 
peer_test.pp) but I'm not certain I haven't messed something up.  Thoughts?

-- 
paul moore
linux security @ hp


* Re: PATCH: peersid capability support
  2007-12-04 19:26 ` Paul Moore
@ 2007-12-04 20:18   ` Stephen Smalley
  0 siblings, 0 replies; 34+ messages in thread
From: Stephen Smalley @ 2007-12-04 20:18 UTC (permalink / raw)
  To: Paul Moore; +Cc: Todd C. Miller, selinux, jbrindle

On Tue, 2007-12-04 at 14:26 -0500, Paul Moore wrote:
> On Monday 03 December 2007 2:41:07 pm Todd C. Miller wrote:
> > > Stephen Smalley wrote:
> > > Looks like the libsepol patch puts the policycaps ebitmap at a different
> > > location in the policy image than the kernel patch expects.
> >
> > I had initially changed the ebitmap reading/writing location from
> > where Josh had it to work around an issue with semodule.  This version
> > preserves the location in the final policy binary without confusing
> > sepol_module_package_info().
> 
> Okay, well that at least loaded my simple test policy but it didn't appear to 
> have any effect on /selinux/policy_capabilities/network_peer_controls.  This 
> may be a problem with the kernel patch but before I started digging around I 
> thought I would first check with you on the correct policy syntax.
> 
> I'm using a Rawhide targeted policy and I'm loading a simple policy module 
> with the following statements:
> 
>  policy_module(peer_test,0.0.1)
>  policycap network_peer_controls;
>  type peer_test_t;
> 
> It compiles (using /usr/share/selinux/devel/Makefile) and loads (semodule -i 
> peer_test.pp) but I'm not certain I haven't messed something up.  Thoughts?

It would be nice if dismod/dispol could display the capabilities of a
given module / kernel policy file.

-- 
Stephen Smalley
National Security Agency



* Re: PATCH: peersid capability support
  2007-12-03 19:41 PATCH: peersid capability support Todd C. Miller
  2007-12-04 19:26 ` Paul Moore
@ 2007-12-05 18:58 ` Stephen Smalley
  2007-12-05 19:00   ` Todd Miller
  1 sibling, 1 reply; 34+ messages in thread
From: Stephen Smalley @ 2007-12-05 18:58 UTC (permalink / raw)
  To: Todd C. Miller; +Cc: selinux, jbrindle, paul.moore

On Mon, 2007-12-03 at 14:41 -0500, Todd C. Miller wrote:
> > Stephen Smalley wrote:
> > Looks like the libsepol patch puts the policycaps ebitmap at a different
> > location in the policy image than the kernel patch expects.
> 
> I had initially changed the ebitmap reading/writing location from
> where Josh had it to work around an issue with semodule.  This version
> preserves the location in the final policy binary without confusing
> sepol_module_package_info().
> 
>  - todd
> 
> --
> 

> Index: trunk/libsepol/src/expand.c
> ===================================================================
> --- trunk.orig/libsepol/src/expand.c
> +++ trunk/libsepol/src/expand.c
> @@ -2252,6 +2252,12 @@ int expand_module(sepol_handle_t * handl
>  	out->mls = base->mls;
>  	out->handle_unknown = base->handle_unknown;
>  
> +	/* Copy policy capabilities */
> +	if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
> +		ERR(handle, "Out of memory!");
> +		goto cleanup;
> +	}
> +
>  	if ((state.typemap =
>  	     (uint32_t *) calloc(state.base->p_types.nprim,
>  				 sizeof(uint32_t))) == NULL) {
> @@ -2418,6 +2424,7 @@ int expand_module(sepol_handle_t * handl
>  	retval = 0;
>  
>        cleanup:
> +	ebitmap_destroy(&out->policycaps);

This happens on the success path too - thereby clearing the policycaps
before they are written out to the kernel policy file.  Which would
explain why Paul doesn't see anything kernel side.  

If dismod/dispol had support for displaying the bitmap, you'd be able to
see that more easily...

>  	free(state.typemap);
>  	free(state.boolmap);
>  	return retval;

-- 
Stephen Smalley
National Security Agency



* RE: PATCH: peersid capability support
  2007-12-05 18:58 ` Stephen Smalley
@ 2007-12-05 19:00   ` Todd Miller
  0 siblings, 0 replies; 34+ messages in thread
From: Todd Miller @ 2007-12-05 19:00 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, Joshua Brindle, paul.moore

Stephen Smalley wrote:
> This happens on the success path too - thereby clearing the policycaps
> before they are written out to the kernel policy file.  Which would
> explain why Paul doesn't see anything kernel side.
> 
> If dismod/dispol had support for displaying the bitmap, you'd be able
> to see that more easily...
> 
>>  	free(state.typemap);
>>  	free(state.boolmap);
>>  	return retval;

Yes, I realized that earlier today.  I'm actually in the process of
packing up an updated patch set that includes dismod/dispol support.

 - todd



* RE: PATCH: peersid capability support
  2008-01-03 15:15 ` Václav Ovsík
@ 2008-01-03 15:25   ` Todd Miller
  0 siblings, 0 replies; 34+ messages in thread
From: Todd Miller @ 2008-01-03 15:25 UTC (permalink / raw)
  To: Václav Ovsík; +Cc: selinux

Václav Ovsík wrote:
> a prototype line for define_polcap() is missing.

Fixed, thanks.

 - todd



* Re: PATCH: peersid capability support
  2007-11-29 19:27 tmiller
  2007-11-29 21:24 ` Stephen Smalley
@ 2008-01-03 15:15 ` Václav Ovsík
  2008-01-03 15:25   ` Todd Miller
  1 sibling, 1 reply; 34+ messages in thread
From: Václav Ovsík @ 2008-01-03 15:15 UTC (permalink / raw)
  To: tmiller; +Cc: selinux


Hi,

On Thu, Nov 29, 2007 at 02:27:44PM -0500, tmiller@tresys.com wrote:
> This is a reworking of the peersid capability patch Joshua sent out
> a few weeks ago.  This version requires added explicit declaration of
> capabilities in the policy.
> 
> I've used the same strings that Paul's kernel diff used (there is
> currently just a single capability).
>...

a prototype line for define_polcap() is missing.

zito@bobek:/tmp/checkpolicy-2.0.7$ make
cc -g -Wall -O2 -pipe -fno-strict-aliasing -I. -I/usr/include -o checkpolicy.o -c checkpolicy.c
yacc -d policy_parse.y
cc -g -Wall -O2 -pipe -fno-strict-aliasing -I. -I/usr/include -o y.tab.o -c y.tab.c
policy_parse.y: In function 'yyparse':
policy_parse.y:772: warning: implicit declaration of function 'define_polcap'
policy_parse.y: At top level:
policy_parse.y:972: error: static declaration of 'define_polcap' follows non-static declaration
policy_parse.y:772: error: previous implicit declaration of 'define_polcap' was here
make: *** [y.tab.o] Error 1

Attached is a patch adding the missing prototype.
Regards
-- 
Zito

[-- Attachment #2: checkpolicy.proto.patch --]
[-- Type: text/x-diff, Size: 379 bytes --]

Index: policy_parse.y
===================================================================
--- policy_parse.y	(revision 2717)
+++ policy_parse.y	(working copy)
@@ -125,6 +125,7 @@
 static int define_netif_context(void);
 static int define_ipv4_node_context(void);
 static int define_ipv6_node_context(void);
+static int define_polcap(void);
 
 typedef int (* require_func_t)();
 


* Re: PATCH: peersid capability support
  2007-12-03 17:32       ` Paul Moore
@ 2007-12-03 18:21         ` Stephen Smalley
  0 siblings, 0 replies; 34+ messages in thread
From: Stephen Smalley @ 2007-12-03 18:21 UTC (permalink / raw)
  To: Paul Moore; +Cc: Joshua Brindle, Todd C. Miller, selinux

On Mon, 2007-12-03 at 12:32 -0500, Paul Moore wrote:
> On Friday 30 November 2007 7:19:15 pm Joshua Brindle wrote:
> > Paul Moore wrote:
> > > 5. Tried installing the module
> > > /usr/sbin/load_policy:  Can't load policy:  Invalid argument
> > > libsemanage.semanage_reload_policy: load_policy returned error code 2.
> > > semodule:  Failed!
> > >
> > > Help/Ideas?
> >
> > dmesg should have the error if load_policy fails.
> 
> I haven't had a chance to look into it yet, but this is the only thing I can 
> see in dmesg that looks related ...
> 
>  security: ebitmap: map size 4 does not match my size 64 (high bit was 4)

Looks like the libsepol patch puts the policycaps ebitmap at a different
location in the policy image than the kernel patch expects.  Todd,
please fix.

-- 
Stephen Smalley
National Security Agency



* Re: PATCH: peersid capability support
  2007-12-01  0:19     ` Joshua Brindle
@ 2007-12-03 17:32       ` Paul Moore
  2007-12-03 18:21         ` Stephen Smalley
  0 siblings, 1 reply; 34+ messages in thread
From: Paul Moore @ 2007-12-03 17:32 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Todd C. Miller, selinux

On Friday 30 November 2007 7:19:15 pm Joshua Brindle wrote:
> Paul Moore wrote:
> > 5. Tried installing the module
> > /usr/sbin/load_policy:  Can't load policy:  Invalid argument
> > libsemanage.semanage_reload_policy: load_policy returned error code 2.
> > semodule:  Failed!
> >
> > Help/Ideas?
>
> dmesg should have the error if load_policy fails.

I haven't had a chance to look into it yet, but this is the only thing I can 
see in dmesg that looks related ...

 security: ebitmap: map size 4 does not match my size 64 (high bit was 4)

-- 
paul moore
linux security @ hp


* Re: PATCH: peersid capability support
  2007-11-30 14:29   ` Paul Moore
  2007-11-30 14:43     ` Joshua Brindle
@ 2007-12-03 15:53     ` Christopher J. PeBenito
  1 sibling, 0 replies; 34+ messages in thread
From: Christopher J. PeBenito @ 2007-12-03 15:53 UTC (permalink / raw)
  To: Paul Moore; +Cc: Stephen Smalley, tmiller, selinux, Joshua Brindle

On Fri, 2007-11-30 at 09:29 -0500, Paul Moore wrote:
> On Thursday 29 November 2007 4:24:35 pm Stephen Smalley wrote:
> > On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> > > This is a reworking of the peersid capability patch Joshua sent out
> > > a few weeks ago.  This version requires added explicit declaration of
> > > capabilities in the policy.
> > >
> > > I've used the same strings that Paul's kernel diff used (there is
> > > currently just a single capability).
> > >
> > > Note that capability declarations are not limited to base.conf /
> > > policy.conf as we would like to eventually get rid of the base vs. module
> > > distinction.
> >
> > Taking the union of the capabilities at link time seems worrisome to me.
> > I'd be more inclined to require equivalence or take the intersection.
> 
> I agree with Stephen, to allow a single module to set a capability bit without 
> consideration for the rest of the loaded/installed modules could introduce 
> some very weird behavior

I'm going to have to agree too.  Though I don't know which of
equivalence or intersection is the right answer.

>  ... that is unless you policy folks have some freaky 
> ability to peer* into the future ;)

I can neither confirm nor deny any omniscience. :)

> *intentional pun
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: PATCH: peersid capability support
  2007-11-30 22:48   ` Paul Moore
@ 2007-12-01  0:19     ` Joshua Brindle
  2007-12-03 17:32       ` Paul Moore
  0 siblings, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2007-12-01  0:19 UTC (permalink / raw)
  To: Paul Moore; +Cc: Todd C. Miller, selinux

Paul Moore wrote:
> On Friday 30 November 2007 2:06:10 pm Paul Moore wrote:
>> On Friday 30 November 2007 12:34:20 pm Todd C. Miller wrote:
>>> I see what happened.  When generating the patch I did an svn revert not
>>> realizing that of course it wouldn't revert a new file it knew nothing
>>> about.  So effectively the new files were duplicated--one copy in the
>>> patch and one on the filesystem.
>>>
>>> Here's a fixed diff that applies to a fresh checkout.
>> Thanks, that applied without problem.
> 
> Probably user error on my end but I'm running into problems trying to make use 
> of the new code.  Here is what I did, please point out if I'm missing 
> something ...
> 
> 1. Compiled the new bits
> 2. Replaced checkmodule, checkpolicy, load_policy, libsepol and libsemanage 
> with the patched versions (wasn't really sure what needed to be replaced, do 
> I need any others?)
> 3. Created a simple policy module (did I get the syntax for the policycap 
> right? ... it's been a while since I looked at lex/yacc code):
>  policy_module(peer_test,0.0.1)
>  policycap network_peer_controls;
>  type peer_test_t;
> 4. Compiled the new module using the unmodified policy Makefile from Rawhide
>  Compiling targeted peer_test module
>  /usr/bin/checkmodule:  loading policy configuration from tmp/peer_test.tmp
>  /usr/bin/checkmodule:  policy configuration loaded
>  /usr/bin/checkmodule:  writing binary representation (version 7) to 
>                         tmp/peer_test.mod
>  Creating targeted peer_test.pp policy package
> 5. Tried installing the module
> /usr/sbin/load_policy:  Can't load policy:  Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> semodule:  Failed!
> 
> Help/Ideas?
> 

dmesg should have the error if load_policy fails.



* Re: PATCH: peersid capability support
  2007-11-30 19:06 ` Paul Moore
@ 2007-11-30 22:48   ` Paul Moore
  2007-12-01  0:19     ` Joshua Brindle
  0 siblings, 1 reply; 34+ messages in thread
From: Paul Moore @ 2007-11-30 22:48 UTC (permalink / raw)
  To: Todd C. Miller; +Cc: selinux

On Friday 30 November 2007 2:06:10 pm Paul Moore wrote:
> On Friday 30 November 2007 12:34:20 pm Todd C. Miller wrote:
> > I see what happened.  When generating the patch I did an svn revert not
> > realizing that of course it wouldn't revert a new file it knew nothing
> > about.  So effectively the new files were duplicated--one copy in the
> > patch and one on the filesystem.
> >
> > Here's a fixed diff that applies to a fresh checkout.
>
> Thanks, that applied without problem.

Probably user error on my end but I'm running into problems trying to make use 
of the new code.  Here is what I did, please point out if I'm missing 
something ...

1. Compiled the new bits
2. Replaced checkmodule, checkpolicy, load_policy, libsepol and libsemanage 
with the patched versions (wasn't really sure what needed to be replaced, do 
I need any others?)
3. Created a simple policy module (did I get the syntax for the policycap 
right? ... it's been a while since I looked at lex/yacc code):
 policy_module(peer_test,0.0.1)
 policycap network_peer_controls;
 type peer_test_t;
4. Compiled the new module using the unmodified policy Makefile from Rawhide
 Compiling targeted peer_test module
 /usr/bin/checkmodule:  loading policy configuration from tmp/peer_test.tmp
 /usr/bin/checkmodule:  policy configuration loaded
 /usr/bin/checkmodule:  writing binary representation (version 7) to 
                        tmp/peer_test.mod
 Creating targeted peer_test.pp policy package
5. Tried installing the module
/usr/sbin/load_policy:  Can't load policy:  Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule:  Failed!

Help/Ideas?

-- 
paul moore
linux security @ hp


* Re: PATCH: peersid capability support
  2007-11-30 17:34 Todd C. Miller
@ 2007-11-30 19:06 ` Paul Moore
  2007-11-30 22:48   ` Paul Moore
  0 siblings, 1 reply; 34+ messages in thread
From: Paul Moore @ 2007-11-30 19:06 UTC (permalink / raw)
  To: Todd C. Miller; +Cc: selinux

On Friday 30 November 2007 12:34:20 pm Todd C. Miller wrote:
> I see what happened.  When generating the patch I did an svn revert not
> realizing that of course it wouldn't revert a new file it knew nothing
> about.  So effectively the new files were duplicated--one copy in the
> patch and one on the filesystem.
>
> Here's a fixed diff that applies to a fresh checkout.

Thanks, that applied without problem.

-- 
paul moore
linux security @ hp


* Re: PATCH: peersid capability support
  2007-11-30 16:59         ` Todd Miller
  2007-11-30 17:08           ` Stephen Smalley
@ 2007-11-30 18:19           ` Paul Moore
  1 sibling, 0 replies; 34+ messages in thread
From: Paul Moore @ 2007-11-30 18:19 UTC (permalink / raw)
  To: Todd Miller; +Cc: Joshua Brindle, selinux

On Friday 30 November 2007 11:59:54 am Todd Miller wrote:
> Paul Moore wrote:
> > On Friday 30 November 2007 9:43:29 am Joshua Brindle wrote:
> >> Aside from this issue have you tried the patch against your kernel
> >> patches? We did not test with your kernel, we inspected the policy
> >> manually to ensure the ebitmap was set up correctly.
> >
> > Help?  What is this patch backed against?
>
> They are based on selinux trunk.  You do not want Josh's original diffs
> applied as the new diffs are meant to supercede Josh's.  I just svn up'd
> to rev 2692 and verified that they still apply.

Okay, that's what I thought but when I tried applying just your patch it 
wouldn't apply so I tried applying Josh's patches first.

> > I have a fresh copy of the SVN sources and I get a ton of failures
> > applying just this patch.  If I go back and apply Josh's original two
> > patches then try applying Todd's patch I still get failures, although
> > there are less of them.
>
> I don't know why that would be.  I have verified that the patch that
> arrived via the list didn't get munged in transit.

Okay, well maybe I'm doing something stupid but the patch appears to modify 
two files which do not exist in my SVN tree ...

 * trunk/libsepol/include/sepol/policydb/polcaps.h
 * trunk/libsepol/src/polcaps.c

The rest of the patch appears to apply just fine.

-- 
paul moore
linux security @ hp


* Re: PATCH: peersid capability support
@ 2007-11-30 17:34 Todd C. Miller
  2007-11-30 19:06 ` Paul Moore
  0 siblings, 1 reply; 34+ messages in thread
From: Todd C. Miller @ 2007-11-30 17:34 UTC (permalink / raw)
  To: selinux

I see what happened.  When generating the patch I did an svn revert not
realizing that of course it wouldn't revert a new file it knew nothing
about.  So effectively the new files were duplicated--one copy in the
patch and one on the filesystem.

Here's a fixed diff that applies to a fresh checkout.

Signed-off-by: Todd C. Miller <tmiller@tresys.com>

--

Index: trunk/libsepol/include/sepol/policydb/polcaps.h
===================================================================
--- /dev/null
+++ trunk/libsepol/include/sepol/policydb/polcaps.h
@@ -0,0 +1,14 @@
+#ifndef _SEPOL_POLICYDB_POLCAPS_H_
+#define _SEPOL_POLICYDB_POLCAPS_H_
+
+/* Policy capabilities */
+enum {
+	POLICYDB_CAPABILITY_NETPEER,
+	__POLICYDB_CAPABILITY_MAX
+};
+#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+
+/* Convert a capability name to number. */
+extern int sepol_polcap_getnum(const char *name);
+
+#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
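Review bot: `__POLICYDB_CAPABILITY_MAX` on the enum's last line is a reserved identifier (any name containing a double underscore belongs to the implementation), so a plain name such as `POLICYDB_CAPABILITY_END` would be safer in a public header; if the spelling is deliberately kept in step with the kernel-side enum, a one-line comment saying so would stop the next reader from renaming it. The `POLICYDB_CAPABILITY_MAX` macro is the highest valid index rather than a count, which is easy to misread given that polcaps.c loops with `<=`; a comment such as `/* highest valid capability number (inclusive) */` beside the define would make that explicit.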
Index: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk.orig/libsepol/include/sepol/policydb/policydb.h
+++ trunk/libsepol/include/sepol/policydb/policydb.h
@@ -468,6 +468,8 @@ typedef struct policydb {
 
 	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
 
+	ebitmap_t policycaps;
+
 	unsigned policyvers;
 
 	unsigned handle_unknown;
@@ -584,10 +586,11 @@ extern int policydb_write(struct policyd
 #define POLICYDB_VERSION_MLS		19
 #define POLICYDB_VERSION_AVTAB		20
 #define POLICYDB_VERSION_RANGETRANS	21
+#define POLICYDB_VERSION_POLCAP		22
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_POLCAP
 
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE	   4
@@ -595,9 +598,10 @@ extern int policydb_write(struct policyd
 #define MOD_POLICYDB_VERSION_MLS	   5
 #define MOD_POLICYDB_VERSION_RANGETRANS	   6
 #define MOD_POLICYDB_VERSION_MLS_USERS	   6
+#define MOD_POLICYDB_VERSION_POLCAP	   7
 
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_POLCAP
 
 #define POLICYDB_CONFIG_MLS    1
 
Index: trunk/libsepol/src/polcaps.c
===================================================================
--- /dev/null
+++ trunk/libsepol/src/polcaps.c
@@ -0,0 +1,24 @@
+/*
+ * Policy capability support functions
+ */
+
+#include <string.h>
+#include <sepol/policydb/polcaps.h>
+
+static const char *polcap_names[] = {
+	"network_peer_controls",	/* POLICYDB_CAPABILITY_NETPEER */
+	NULL
+};
+
+int sepol_polcap_getnum(const char *name)
+{
+	int capnum;
+
+	for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) {
+		if (polcap_names[capnum] == NULL)
+			continue;
+		if (strcasecmp(polcap_names[capnum], name) == 0)
+			return capnum;
+	}
+	return -1;
+}
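Review bot: `strcasecmp` is declared in `<strings.h>` (POSIX), not `<string.h>`, so the include on the fifth line leaves it implicitly declared under a strict compiler; add `#include <strings.h>`. The loop bound `POLICYDB_CAPABILITY_MAX` comes from the header while the table length is fixed here by its initializer, so an enum value added without a matching name would read past the table; sizing the table from the enum, `static const char *polcap_names[POLICYDB_CAPABILITY_MAX + 1] = { [POLICYDB_CAPABILITY_NETPEER] = "network_peer_controls", };`, turns a missing name into a NULL entry that hits the existing `continue` (the trailing NULL sentinel is then redundant, since the loop never relies on it). `name` is passed to strcasecmp without a NULL check; define_polcap guards its argument, but as an exported sepol_ function a leading `if (!name) return -1;` is cheap insurance for other callers.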
Index: trunk/libsepol/src/policydb.c
===================================================================
--- trunk.orig/libsepol/src/policydb.c
+++ trunk/libsepol/src/policydb.c
@@ -99,6 +99,12 @@ static struct policydb_compat_info polic
 	 .ocon_num = OCON_NODE6 + 1,
 	 },
 	{
+	 .type = POLICY_KERN,
+	 .version = POLICYDB_VERSION_POLCAP,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 },
+	{
 	 .type = POLICY_BASE,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -117,6 +123,12 @@ static struct policydb_compat_info polic
 	 .ocon_num = OCON_NODE6 + 1,
 	 },
 	{
+	 .type = POLICY_BASE,
+	 .version = MOD_POLICYDB_VERSION_POLCAP,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 },
+	{
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -132,6 +144,12 @@ static struct policydb_compat_info polic
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_MLS_USERS,
 	 .sym_num = SYM_NUM,
+	 .ocon_num = 0
+	 },
+	{
+	 .type = POLICY_MOD,
+	 .version = MOD_POLICYDB_VERSION_POLCAP,
+	 .sym_num = SYM_NUM,
 	 .ocon_num = 0},
 };
 
@@ -447,6 +465,8 @@ int policydb_init(policydb_t * p)
 
 	memset(p, 0, sizeof(policydb_t));
 
+	ebitmap_init(&p->policycaps);
+
 	for (i = 0; i < SYM_NUM; i++) {
 		p->sym_val_to_name[i] = NULL;
 		rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
@@ -971,6 +991,8 @@ void policydb_destroy(policydb_t * p)
 	if (!p)
 		return;
 
+	ebitmap_destroy(&p->policycaps);
+
 	symtabs_destroy(p->symtab);
 
 	for (i = 0; i < SYM_NUM; i++) {
@@ -3194,6 +3216,16 @@ int policydb_read(policydb_t * p, struct
 		}
 	}
 
+	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_KERN) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_BASE) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_MOD)) {
+		if (ebitmap_read(&p->policycaps, fp))
+			goto bad;
+	}
+
 	if (policy_type == POLICY_KERN) {
 		p->type_attr_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
 		p->attr_type_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
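Review bot: The bitmap read on the new lines is taken from the policy file without any range check, so a crafted or mis-built policy can carry bits above `POLICYDB_CAPABILITY_MAX` that this library neither understands nor reports, and they then propagate silently through link, expand and write; walking the bits above `POLICYDB_CAPABILITY_MAX` with ebitmap_get_bit after the read and taking `goto bad` if any is set would reject such input at the boundary. The three-way condition repeats the same version test for POLICY_BASE and POLICY_MOD; `(p->policy_type == POLICY_KERN ? p->policyvers >= POLICYDB_VERSION_POLCAP : p->policyvers >= MOD_POLICYDB_VERSION_POLCAP)` says the same thing in one line, and the identical condition in the write.c hunk could use the same form. policydb_read's body continues outside the hunk.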
Index: trunk/libsepol/src/expand.c
===================================================================
--- trunk.orig/libsepol/src/expand.c
+++ trunk/libsepol/src/expand.c
@@ -2252,6 +2252,12 @@ int expand_module(sepol_handle_t * handl
 	out->mls = base->mls;
 	out->handle_unknown = base->handle_unknown;
 
+	/* Copy policy capabilities */
+	if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
+		ERR(handle, "Out of memory!");
+		goto cleanup;
+	}
+
 	if ((state.typemap =
 	     (uint32_t *) calloc(state.base->p_types.nprim,
 				 sizeof(uint32_t))) == NULL) {
@@ -2418,6 +2424,7 @@ int expand_module(sepol_handle_t * handl
 	retval = 0;
 
       cleanup:
+	ebitmap_destroy(&out->policycaps);
 	free(state.typemap);
 	free(state.boolmap);
 	return retval;
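Review bot: The new `ebitmap_destroy(&out->policycaps);` under `cleanup:` runs on the success path too, because `retval = 0;` falls straight through to the label, so the capabilities copied earlier in expand_module are discarded from every successfully expanded policy. Either guard it, `if (retval) ebitmap_destroy(&out->policycaps);`, or drop the line and leave `out` to whoever destroys it on failure, which matches how the existing cleanup only releases the local typemap and boolmap. expand_module starts before this hunk.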
Index: trunk/libsepol/src/write.c
===================================================================
--- trunk.orig/libsepol/src/write.c
+++ trunk/libsepol/src/write.c
@@ -1650,6 +1650,16 @@ int policydb_write(policydb_t * p, struc
 		}
 	}
 
+	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_KERN) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_BASE) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_MOD)) {
+		if (ebitmap_write(&p->policycaps, fp) == -1)
+			return POLICYDB_ERROR;
+	}
+
 	if (p->policy_type == POLICY_KERN
 	    && p->policyvers >= POLICYDB_VERSION_AVTAB) {
 		for (i = 0; i < p->p_types.nprim; i++) {
Index: trunk/libsepol/src/link.c
===================================================================
--- trunk.orig/libsepol/src/link.c
+++ trunk/libsepol/src/link.c
@@ -2177,8 +2177,14 @@ int link_modules(sepol_handle_t * handle
 		goto cleanup;
 	}
 
-	/* copy all types, declared and required */
+	/* copy all types, declared, required and polcaps */
 	for (i = 0; i < len; i++) {
+		ret = ebitmap_union(&state.base->policycaps,
+				    &modules[i]->policy->policycaps);
+		if (ret) {
+			retval = ret;
+			goto cleanup;
+		}
 		state.cur = modules[i];
 		state.cur_mod_name = modules[i]->policy->name;
 		ret =
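Review bot: The failure branch of the new `ebitmap_union` call returns without logging, whereas the equivalent copy in the expand.c hunk reports `ERR(handle, "Out of memory!")` before jumping to cleanup; adding `ERR(handle, "Out of memory!");` ahead of `retval = ret;` keeps the two paths consistent for callers that rely on the handle's messages. The union also runs before `state.cur` is set, which is fine for the call itself but means the loop comment now covers two unrelated steps; a line such as `/* merge this module's policy capabilities into base */` above the call would separate them. link_modules's body continues on both sides of the hunk.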
Index: trunk/checkpolicy/policy_scan.l
===================================================================
--- trunk.orig/checkpolicy/policy_scan.l
+++ trunk/checkpolicy/policy_scan.l
@@ -201,6 +201,8 @@ h1 |
 H1				{ return(H1); }
 h2 |
 H2				{ return(H2); }
+policycap |
+POLICYCAP			{ return(POLICYCAP);}
 "/"({alnum}|[_.-/])*	        { return(PATH); }
 {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
 {digit}+                        { return(NUMBER); }
Index: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk.orig/checkpolicy/policy_parse.y
+++ trunk/checkpolicy/policy_parse.y
@@ -47,6 +47,7 @@
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/polcaps.h>
 #include "queue.h"
 #include "checkpolicy.h"
 #include "module_compiler.h"
@@ -198,6 +199,7 @@ typedef int (* require_func_t)();
 %token IPV4_ADDR
 %token IPV6_ADDR
 %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
+%token POLICYCAP
 
 %left OR
 %left XOR
@@ -323,6 +325,7 @@ te_decl			: attribute_def
                         | transition_def
                         | range_trans_def
                         | te_avtab_def
+			| policycap_def
 			;
 attribute_def           : ATTRIBUTE identifier ';'
                         { if (define_attrib()) return -1;}
@@ -765,6 +768,9 @@ number			: NUMBER 
 ipv6_addr		: IPV6_ADDR
 			{ if (insert_id(yytext,0)) return -1; }
 			;
+policycap_def		: POLICYCAP identifier ';'
+			{if (define_polcap()) return -1;}
+			;
 
 /*********** module grammar below ***********/
 
@@ -962,6 +968,44 @@ static int define_class(void)
 	return -1;
 }
 
+static int define_polcap(void)
+{
+	char *id = 0;
+	int capnum;
+
+	if (pass == 2) {
+		id = queue_remove(id_queue);
+		free(id);
+		return 0;
+	}
+
+	id = (char *)queue_remove(id_queue);
+	if (!id) {
+		yyerror("no capability name for policycap definition?");
+		goto bad;
+	}
+
+	/* Check for valid cap name -> number mapping */
+	capnum = sepol_polcap_getnum(id);
+	if (capnum < 0) {
+		yyerror2("invalid policy capability name %s", id);
+		goto bad;
+	}
+
+	/* Store it */
+	if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
+		yyerror("out of memory");
+		goto bad;
+	}
+
+	free(id);
+	return 0;
+
+      bad:
+	free(id);
+	return -1;
+}
+
 static int define_initial_sid(void)
 {
 	char *id = 0;
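Review bot: define_polcap sets the bit on `policydbp` directly, so if `te_decl` can occur inside an optional or conditional block (the grammar around it is outside these hunks), the capability is enabled unconditionally regardless of whether that block is later kept; worth confirming, and restricting `policycap_def` to the top level if that is not intended. The function calls `queue_remove(id_queue)` once bare and once with a `(char *)` cast; use one form in both places. The hunk's enclosing context starts before L1254's header, and the grammar rule that reaches define_polcap is in the earlier policycap_def hunk.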

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* RE: PATCH: peersid capability support
  2007-11-30 16:59         ` Todd Miller
@ 2007-11-30 17:08           ` Stephen Smalley
  2007-11-30 18:19           ` Paul Moore
  1 sibling, 0 replies; 34+ messages in thread
From: Stephen Smalley @ 2007-11-30 17:08 UTC (permalink / raw)
  To: Todd Miller; +Cc: Paul Moore, Joshua Brindle, selinux

On Fri, 2007-11-30 at 11:59 -0500, Todd Miller wrote:
> Paul Moore wrote:
> > On Friday 30 November 2007 9:43:29 am Joshua Brindle wrote:
> >> Aside from this issue have you tried the patch against your kernel
> >> patches? We did not test with your kernel, we inspected the policy
> >> manually to ensure the ebitmap was set up correctly.
> > 
> > Help?  What is this patch backed against?
> 
> They are based on selinux trunk.  You do not want Josh's original diffs
> applied as the new diffs are meant to supercede Josh's.  I just svn up'd
> to rev 2692 and verified that they still apply.

Nope, doesn't work for me either.    Look - the very first hunk adds
lines to a libsepol/include/sepol/policydb/polcaps.h file, but that
doesn't exist in trunk at all.  Paul is right - it looks to be relative
to Joshua's patches, but not quite a perfect match there either.

> 
> > I have a fresh copy of the SVN sources and I get a ton of failures
> > applying just this patch.  If I go back and apply Josh's original two
> > patches then try applying Todd's patch I still get failures, although
> > there are less of them. 
> 
> I don't know why that would be.  I have verified that the patch that
> arrived via the list didn't get munged in transit.
> 
>  - todd
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* RE: PATCH: peersid capability support
  2007-11-30 16:30       ` Paul Moore
@ 2007-11-30 16:59         ` Todd Miller
  2007-11-30 17:08           ` Stephen Smalley
  2007-11-30 18:19           ` Paul Moore
  0 siblings, 2 replies; 34+ messages in thread
From: Todd Miller @ 2007-11-30 16:59 UTC (permalink / raw)
  To: Paul Moore, Joshua Brindle; +Cc: selinux

Paul Moore wrote:
> On Friday 30 November 2007 9:43:29 am Joshua Brindle wrote:
>> Aside from this issue have you tried the patch against your kernel
>> patches? We did not test with your kernel, we inspected the policy
>> manually to ensure the ebitmap was set up correctly.
> 
> Help?  What is this patch backed against?

They are based on selinux trunk.  You do not want Josh's original diffs
applied as the new diffs are meant to supersede Josh's.  I just svn up'd
to rev 2692 and verified that they still apply.

> I have a fresh copy of the SVN sources and I get a ton of failures
> applying just this patch.  If I go back and apply Josh's original two
> patches then try applying Todd's patch I still get failures, although
> there are less of them. 

I don't know why that would be.  I have verified that the patch that
arrived via the list didn't get munged in transit.

 - todd


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 16:12             ` Stephen Smalley
@ 2007-11-30 16:41               ` Stephen Smalley
  0 siblings, 0 replies; 34+ messages in thread
From: Stephen Smalley @ 2007-11-30 16:41 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: tmiller, selinux, Paul Moore

On Fri, 2007-11-30 at 11:12 -0500, Stephen Smalley wrote:
> On Fri, 2007-11-30 at 10:31 -0500, Joshua Brindle wrote:
> > Stephen Smalley wrote:
> > > On Fri, 2007-11-30 at 09:38 -0500, Joshua Brindle wrote:
> > >   
> > >> Stephen Smalley wrote:
> > >>     
> > >>> On Thu, 2007-11-29 at 18:24 -0500, Joshua Brindle wrote:
> > >>>   
> > >>>       
> > >>>> Stephen Smalley wrote:
> > >>>>     
> > >>>>         
> > >>>>> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> > >>>>>   
> > >>>>>       
> > >>>>>           
> > >>>>>> This is a reworking of the peersid capability patch Joshua sent out
> > >>>>>> a few weeks ago.  This version requires added explicit declaration of
> > >>>>>> capabilities in the policy.
> > >>>>>>
> > >>>>>> I've used the same strings that Paul's kernel diff used (there is
> > >>>>>> currently just a single capability).
> > >>>>>>
> > >>>>>> Note that capability declarations are not limited to base.conf /
> > >>>>>> policy.conf as we would like to eventually get rid of the base vs. module
> > >>>>>> distinction.
> > >>>>>>     
> > >>>>>>         
> > >>>>>>             
> > >>>>> Taking the union of the capabilities at link time seems worrisome to me.
> > >>>>> I'd be more inclined to require equivalence or take the intersection.
> > >>>>>
> > >>>>>   
> > >>>>>       
> > >>>>>           
> > >>>> I strongly disagree. My vision was to be able to add a capability to the 
> > >>>> policy by inserting a policy module that enables the capability (and has 
> > >>>> associated policy). Making them an intersection or equivalence would 
> > >>>> require one to update every single module just to add a capability (or 
> > >>>> at least update the base if it is considered authoritative, which I was 
> > >>>> also trying to avoid).
> > >>>>     
> > >>>>         
> > >>> Joshua - think about it.  Let's say I write a policy module based on the
> > >>> new peer checks, and my base module was written in terms of the old
> > >>> network checks.  Now I link them together and get a policy that tells
> > >>> the kernel to use the new peer checks.  Voila!  My base policy breaks
> > >>> horrendously.
> > >>>   
> > >>>       
> > >> That is why I said the module being inserted would have the associated 
> > >> policy.
> > >>     
> > >
> > > That seems to violate modularity/encapsulation.
> > >
> > >   
> > >>  I don't believe policyrep is going to have a concept of base so 
> > >> we'd just be delaying the inevitable by restricting it to base now.
> > >>     
> > >
> > > It isn't a base vs. non-base issue.  You can certainly have every module
> > > declare the capabilities it requires/expects.  But taking the union is
> > > unsafe.  Module foo doesn't know what the rest of the modules on the
> > > system expect or what rules they contain.
> > >
> > > Requiring equivalence is the safest approach.
> > >   
> > 
> > Equivalence between every module? I don't see how this would possibly 
> > work in practice, how would audit2allow know what caps to include when 
> > it creates a new module? How would support for new caps come from a 
> > policy upgrade when there are local modules present that don't have them?
> 
> audit2allow would want to preserve the status quo - use the same set of
> capabilities as the existing policy.  Which could come by inspection of
> the existing policy or from some file in selinux-policy-devel.
> 
> policy upgrade with inconsistent caps has to either fail and require
> manual intervention or evict the obsolete modules.
> 
> Unioning helps with these situations how?

Let's see:
1) audit2allow wouldn't specify any caps or the null set, and just union
with the existing policy.  But that's no different than status quo
extraction of the existing set.
2) policy upgrade would take the union of the new policy caps and the
local modules caps, likely yielding a broken policy as far as local
modules are concerned.  Without a warning to the user.  Possibly as
severe as breaking all networking for some existing domains defined by
local or third party modules.  Meanwhile, the new policy can't know what
is in those local or third party modules and thus can't automatically
include rules to enable them to work.


-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 14:43     ` Joshua Brindle
  2007-11-30 14:47       ` Paul Moore
@ 2007-11-30 16:30       ` Paul Moore
  2007-11-30 16:59         ` Todd Miller
  1 sibling, 1 reply; 34+ messages in thread
From: Paul Moore @ 2007-11-30 16:30 UTC (permalink / raw)
  To: Joshua Brindle, tmiller; +Cc: selinux

On Friday 30 November 2007 9:43:29 am Joshua Brindle wrote:
> Aside from this issue have you tried the patch against your kernel
> patches? We did not test with your kernel, we inspected the policy
> manually to ensure the ebitmap was set up correctly.

Help?  What is this patch backed against?

I have a fresh copy of the SVN sources and I get a ton of failures applying 
just this patch.  If I go back and apply Josh's original two patches then try 
applying Todd's patch I still get failures, although there are less of them.

BTW, if you want to try the kernel patches you can always test against a 
current -mm kernel or grab a kernel from here (the git tree is a smidge more 
current in regards to the audit messages but nothing that would affect the 
policy capabilities):

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 16:02               ` Joshua Brindle
@ 2007-11-30 16:19                 ` Paul Moore
  0 siblings, 0 replies; 34+ messages in thread
From: Paul Moore @ 2007-11-30 16:19 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, tmiller, selinux

On Friday 30 November 2007 11:02:26 am Joshua Brindle wrote:
> Paul Moore wrote:
> > On Friday 30 November 2007 10:31:57 am Joshua Brindle wrote:
> >> Equivalence between every module? I don't see how this would possibly
> >> work in practice, how would audit2allow know what caps to include when
> >> it creates a new module? How would support for new caps come from a
> >> policy upgrade when there are local modules present that don't have
> >> them?
> >
> > I know this is more work both in the code as well as for policy writers,
> > but how about two policy bitmaps for each module: one bitmap (call this
> > bitmap A) indicates the capabilities that the module is knows about (i.e.
> > the policy capabilities that were defined when the module was written)
> > and one bitmap (call this bitmap B) to signal which capabilities should
> > be toggled on?  This way when you load/link/install a series of policy
> > modules you can check to make sure that the union of all the B bitmaps is
> > a subset of the intersection of all the A bitmaps.  If this is not the
> > case you can print an error and refuse to load the module, or load it
> > with the offending capability turned off.
>
> I think this is way too complicated from a user point of view.

I won't argue that it isn't more complicated than the other options presented 
so far ...

> I don't want users to 1) have to know capabilities that have nothing to do
> with their module

It's probably worth trying to better define "user" in this case.  Are you 
talking about the policy writer who is creating the module or the sysadmin 
trying to load the module?

> 2) disable all caps by not including any in a module and potentially
> hose their system. 

Wait a minute here, you'll have to explain this for me because I don't see how 
you jumped to that conclusion, I never said to disable all capabilities.  
Here is my thinking ...

1. System has policy installed and is working, or "not hosed"
2. Sysadmin tries to load new policy module which introduces a new capability 
which is not known/understood by all of the currently loaded modules, we can 
either:
2a. Fail to load the module and have the sysadmin report the problem, system 
continues without new policy, still "not hosed"
2b. Allow a forced load of the new module with the new capability disabled, 
the new module may not work correctly but hey we warned you ... 
potential "hosing" but should be easily repaired on the fly by removing the 
module

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 15:31           ` Joshua Brindle
  2007-11-30 15:44             ` Paul Moore
@ 2007-11-30 16:12             ` Stephen Smalley
  2007-11-30 16:41               ` Stephen Smalley
  1 sibling, 1 reply; 34+ messages in thread
From: Stephen Smalley @ 2007-11-30 16:12 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: tmiller, selinux, Paul Moore

On Fri, 2007-11-30 at 10:31 -0500, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Fri, 2007-11-30 at 09:38 -0500, Joshua Brindle wrote:
> >   
> >> Stephen Smalley wrote:
> >>     
> >>> On Thu, 2007-11-29 at 18:24 -0500, Joshua Brindle wrote:
> >>>   
> >>>       
> >>>> Stephen Smalley wrote:
> >>>>     
> >>>>         
> >>>>> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> >>>>>   
> >>>>>       
> >>>>>           
> >>>>>> This is a reworking of the peersid capability patch Joshua sent out
> >>>>>> a few weeks ago.  This version requires added explicit declaration of
> >>>>>> capabilities in the policy.
> >>>>>>
> >>>>>> I've used the same strings that Paul's kernel diff used (there is
> >>>>>> currently just a single capability).
> >>>>>>
> >>>>>> Note that capability declarations are not limited to base.conf /
> >>>>>> policy.conf as we would like to eventually get rid of the base vs. module
> >>>>>> distinction.
> >>>>>>     
> >>>>>>         
> >>>>>>             
> >>>>> Taking the union of the capabilities at link time seems worrisome to me.
> >>>>> I'd be more inclined to require equivalence or take the intersection.
> >>>>>
> >>>>>   
> >>>>>       
> >>>>>           
> >>>> I strongly disagree. My vision was to be able to add a capability to the 
> >>>> policy by inserting a policy module that enables the capability (and has 
> >>>> associated policy). Making them an intersection or equivalence would 
> >>>> require one to update every single module just to add a capability (or 
> >>>> at least update the base if it is considered authoritative, which I was 
> >>>> also trying to avoid).
> >>>>     
> >>>>         
> >>> Joshua - think about it.  Let's say I write a policy module based on the
> >>> new peer checks, and my base module was written in terms of the old
> >>> network checks.  Now I link them together and get a policy that tells
> >>> the kernel to use the new peer checks.  Voila!  My base policy breaks
> >>> horrendously.
> >>>   
> >>>       
> >> That is why I said the module being inserted would have the associated 
> >> policy.
> >>     
> >
> > That seems to violate modularity/encapsulation.
> >
> >   
> >>  I don't believe policyrep is going to have a concept of base so 
> >> we'd just be delaying the inevitable by restricting it to base now.
> >>     
> >
> > It isn't a base vs. non-base issue.  You can certainly have every module
> > declare the capabilities it requires/expects.  But taking the union is
> > unsafe.  Module foo doesn't know what the rest of the modules on the
> > system expect or what rules they contain.
> >
> > Requiring equivalence is the safest approach.
> >   
> 
> Equivalence between every module? I don't see how this would possibly 
> work in practice, how would audit2allow know what caps to include when 
> it creates a new module? How would support for new caps come from a 
> policy upgrade when there are local modules present that don't have them?

audit2allow would want to preserve the status quo - use the same set of
capabilities as the existing policy.  Which could come by inspection of
the existing policy or from some file in selinux-policy-devel.

policy upgrade with inconsistent caps has to either fail and require
manual intervention or evict the obsolete modules.

Unioning helps with these situations how?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 15:44             ` Paul Moore
@ 2007-11-30 16:02               ` Joshua Brindle
  2007-11-30 16:19                 ` Paul Moore
  0 siblings, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2007-11-30 16:02 UTC (permalink / raw)
  To: Paul Moore; +Cc: Stephen Smalley, tmiller, selinux

Paul Moore wrote:
> On Friday 30 November 2007 10:31:57 am Joshua Brindle wrote:
>   
>> Equivalence between every module? I don't see how this would possibly
>> work in practice, how would audit2allow know what caps to include when
>> it creates a new module? How would support for new caps come from a
>> policy upgrade when there are local modules present that don't have them?
>>     
>
> I know this is more work both in the code as well as for policy writers, but 
> how about two policy bitmaps for each module: one bitmap (call this bitmap A) 
> indicates the capabilities that the module is knows about (i.e. the policy 
> capabilities that were defined when the module was written) and one bitmap 
> (call this bitmap B) to signal which capabilities should be toggled on?  This 
> way when you load/link/install a series of policy modules you can check to 
> make sure that the union of all the B bitmaps is a subset of the intersection 
> of all the A bitmaps.  If this is not the case you can print an error and 
> refuse to load the module, or load it with the offending capability turned 
> off.
>   

I think this is way too complicated from a user point of view. I don't 
want users to 1) have to know capabilities that have nothing to do with 
their module and 2) disable all caps by not including any in a module 
and potentially hose their system.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 15:31           ` Joshua Brindle
@ 2007-11-30 15:44             ` Paul Moore
  2007-11-30 16:02               ` Joshua Brindle
  2007-11-30 16:12             ` Stephen Smalley
  1 sibling, 1 reply; 34+ messages in thread
From: Paul Moore @ 2007-11-30 15:44 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, tmiller, selinux

On Friday 30 November 2007 10:31:57 am Joshua Brindle wrote:
> Equivalence between every module? I don't see how this would possibly
> work in practice, how would audit2allow know what caps to include when
> it creates a new module? How would support for new caps come from a
> policy upgrade when there are local modules present that don't have them?

I know this is more work both in the code as well as for policy writers, but 
how about two policy bitmaps for each module: one bitmap (call this bitmap A) 
indicates the capabilities that the module knows about (i.e. the policy 
capabilities that were defined when the module was written) and one bitmap 
(call this bitmap B) to signal which capabilities should be toggled on?  This 
way when you load/link/install a series of policy modules you can check to 
make sure that the union of all the B bitmaps is a subset of the intersection 
of all the A bitmaps.  If this is not the case you can print an error and 
refuse to load the module, or load it with the offending capability turned 
off.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 14:48         ` Stephen Smalley
  2007-11-30 14:53           ` Stephen Smalley
@ 2007-11-30 15:31           ` Joshua Brindle
  2007-11-30 15:44             ` Paul Moore
  2007-11-30 16:12             ` Stephen Smalley
  1 sibling, 2 replies; 34+ messages in thread
From: Joshua Brindle @ 2007-11-30 15:31 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: tmiller, selinux, Paul Moore

Stephen Smalley wrote:
> On Fri, 2007-11-30 at 09:38 -0500, Joshua Brindle wrote:
>   
>> Stephen Smalley wrote:
>>     
>>> On Thu, 2007-11-29 at 18:24 -0500, Joshua Brindle wrote:
>>>   
>>>       
>>>> Stephen Smalley wrote:
>>>>     
>>>>         
>>>>> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
>>>>>   
>>>>>       
>>>>>           
>>>>>> This is a reworking of the peersid capability patch Joshua sent out
>>>>>> a few weeks ago.  This version requires added explicit declaration of
>>>>>> capabilities in the policy.
>>>>>>
>>>>>> I've used the same strings that Paul's kernel diff used (there is
>>>>>> currently just a single capability).
>>>>>>
>>>>>> Note that capability declarations are not limited to base.conf /
>>>>>> policy.conf as we would like to eventually get rid of the base vs. module
>>>>>> distinction.
>>>>>>     
>>>>>>         
>>>>>>             
>>>>> Taking the union of the capabilities at link time seems worrisome to me.
>>>>> I'd be more inclined to require equivalence or take the intersection.
>>>>>
>>>>>   
>>>>>       
>>>>>           
>>>> I strongly disagree. My vision was to be able to add a capability to the 
>>>> policy by inserting a policy module that enables the capability (and has 
>>>> associated policy). Making them an intersection or equivalence would 
>>>> require one to update every single module just to add a capability (or 
>>>> at least update the base if it is considered authoritative, which I was 
>>>> also trying to avoid).
>>>>     
>>>>         
>>> Joshua - think about it.  Let's say I write a policy module based on the
>>> new peer checks, and my base module was written in terms of the old
>>> network checks.  Now I link them together and get a policy that tells
>>> the kernel to use the new peer checks.  Voila!  My base policy breaks
>>> horrendously.
>>>   
>>>       
>> That is why I said the module being inserted would have the associated 
>> policy.
>>     
>
> That seems to violate modularity/encapsulation.
>
>   
>>  I don't believe policyrep is going to have a concept of base so 
>> we'd just be delaying the inevitable by restricting it to base now.
>>     
>
> It isn't a base vs. non-base issue.  You can certainly have every module
> declare the capabilities it requires/expects.  But taking the union is
> unsafe.  Module foo doesn't know what the rest of the modules on the
> system expect or what rules they contain.
>
> Requiring equivalence is the safest approach.
>   

Equivalence between every module? I don't see how this would possibly 
work in practice, how would audit2allow know what caps to include when 
it creates a new module? How would support for new caps come from a 
policy upgrade when there are local modules present that don't have them?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 14:48         ` Stephen Smalley
@ 2007-11-30 14:53           ` Stephen Smalley
  2007-11-30 15:31           ` Joshua Brindle
  1 sibling, 0 replies; 34+ messages in thread
From: Stephen Smalley @ 2007-11-30 14:53 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: tmiller, selinux, Paul Moore

On Fri, 2007-11-30 at 09:48 -0500, Stephen Smalley wrote:
> On Fri, 2007-11-30 at 09:38 -0500, Joshua Brindle wrote:
> > Stephen Smalley wrote:
> > > On Thu, 2007-11-29 at 18:24 -0500, Joshua Brindle wrote:
> > >   
> > >> Stephen Smalley wrote:
> > >>     
> > >>> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> > >>>   
> > >>>       
> > >>>> This is a reworking of the peersid capability patch Joshua sent out
> > >>>> a few weeks ago.  This version requires added explicit declaration of
> > >>>> capabilities in the policy.
> > >>>>
> > >>>> I've used the same strings that Paul's kernel diff used (there is
> > >>>> currently just a single capability).
> > >>>>
> > >>>> Note that capability declarations are not limited to base.conf /
> > >>>> policy.conf as we would like to eventually get rid of the base vs. module
> > >>>> distinction.
> > >>>>     
> > >>>>         
> > >>> Taking the union of the capabilities at link time seems worrisome to me.
> > >>> I'd be more inclined to require equivalence or take the intersection.
> > >>>
> > >>>   
> > >>>       
> > >> I strongly disagree. My vision was to be able to add a capability to the 
> > >> policy by inserting a policy module that enables the capability (and has 
> > >> associated policy). Making them an intersection or equivalence would 
> > >> require one to update every single module just to add a capability (or 
> > >> at least update the base if it is considered authoritative, which I was 
> > >> also trying to avoid).
> > >>     
> > >
> > > Joshua - think about it.  Let's say I write a policy module based on the
> > > new peer checks, and my base module was written in terms of the old
> > > network checks.  Now I link them together and get a policy that tells
> > > the kernel to use the new peer checks.  Voila!  My base policy breaks
> > > horrendously.
> > >   
> > That is why I said the module being inserted would have the associated 
> > policy.
> 
> That seems to violate modularity/encapsulation.
> 
> >  I don't believe policyrep is going to have a concept of base so 
> > we'd just be delaying the inevitable by restricting it to base now.
> 
> It isn't a base vs. non-base issue.  You can certainly have every module
> declare the capabilities it requires/expects.  But taking the union is
> unsafe.  Module foo doesn't know what the rest of the modules on the
> system expect or what rules they contain.
> 
> Requiring equivalence is the safest approach.

Another point to consider - switching capabilities might require not
only adding new rules but also removing existing rules.  Which a new
module can't do, at least presently.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 14:38       ` Joshua Brindle
@ 2007-11-30 14:48         ` Stephen Smalley
  2007-11-30 14:53           ` Stephen Smalley
  2007-11-30 15:31           ` Joshua Brindle
  0 siblings, 2 replies; 34+ messages in thread
From: Stephen Smalley @ 2007-11-30 14:48 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: tmiller, selinux, Paul Moore

On Fri, 2007-11-30 at 09:38 -0500, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-11-29 at 18:24 -0500, Joshua Brindle wrote:
> >   
> >> Stephen Smalley wrote:
> >>     
> >>> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> >>>   
> >>>       
> >>>> This is a reworking of the peersid capability patch Joshua sent out
> >>>> a few weeks ago.  This version requires added explicit declaration of
> >>>> capabilities in the policy.
> >>>>
> >>>> I've used the same strings that Paul's kernel diff used (there is
> >>>> currently just a single capability).
> >>>>
> >>>> Note that capability declarations are not limited to base.conf /
> >>>> policy.conf as we would like to eventually get rid of the base vs. module
> >>>> distinction.
> >>>>     
> >>>>         
> >>> Taking the union of the capabilities at link time seems worrisome to me.
> >>> I'd be more inclined to require equivalence or take the intersection.
> >>>
> >>>   
> >>>       
> >> I strongly disagree. My vision was to be able to add a capability to the 
> >> policy by inserting a policy module that enables the capability (and has 
> >> associated policy). Making them an intersection or equivalence would 
> >> require one to update every single module just to add a capability (or 
> >> at least update the base if it is considered authoritative, which I was 
> >> also trying to avoid).
> >>     
> >
> > Joshua - think about it.  Let's say I write a policy module based on the
> > new peer checks, and my base module was written in terms of the old
> > network checks.  Now I link them together and get a policy that tells
> > the kernel to use the new peer checks.  Voila!  My base policy breaks
> > horrendously.
> >   
> That is why I said the module being inserted would have the associated 
> policy.

That seems to violate modularity/encapsulation.

>  I don't believe policyrep is going to have a concept of base so 
> we'd just be delaying the inevitable by restricting it to base now.

It isn't a base vs. non-base issue.  You can certainly have every module
declare the capabilities it requires/expects.  But taking the union is
unsafe.  Module foo doesn't know what the rest of the modules on the
system expect or what rules they contain.

Requiring equivalence is the safest approach.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 14:43     ` Joshua Brindle
@ 2007-11-30 14:47       ` Paul Moore
  2007-11-30 16:30       ` Paul Moore
  1 sibling, 0 replies; 34+ messages in thread
From: Paul Moore @ 2007-11-30 14:47 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, tmiller, selinux

On Friday 30 November 2007 9:43:29 am Joshua Brindle wrote:
> Paul Moore wrote:
> > On Thursday 29 November 2007 4:24:35 pm Stephen Smalley wrote:
> >> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> >>> This is a reworking of the peersid capability patch Joshua sent out
> >>> a few weeks ago.  This version requires added explicit declaration of
> >>> capabilities in the policy.
> >>>
> >>> I've used the same strings that Paul's kernel diff used (there is
> >>> currently just a single capability).
> >>>
> >>> Note that capability declarations are not limited to base.conf /
> >>> policy.conf as we would like to eventually get rid of the base vs.
> >>> module distinction.
> >>
> >> Taking the union of the capabilities at link time seems worrisome to me.
> >> I'd be more inclined to require equivalence or take the intersection.
> >
> > I agree with Stephen, to allow a single module to set a capability bit
> > without consideration for the rest of the loaded/installed modules could
> > introduce some very weird behavior ... that is unless you policy folks
> > have some freaky ability to peer* into the future ;)
> >
> > *intentional pun
>
> Aside from this issue have you tried the patch against your kernel
> patches? We did not test with your kernel, we inspected the policy
> manually to ensure the ebitmap was set up correctly.

No, not yet.  I was distracted by some audit issues (some related, others not 
so much).  I'm going to try building a patched toolchain/policy today ...

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 14:29   ` Paul Moore
@ 2007-11-30 14:43     ` Joshua Brindle
  2007-11-30 14:47       ` Paul Moore
  2007-11-30 16:30       ` Paul Moore
  2007-12-03 15:53     ` Christopher J. PeBenito
  1 sibling, 2 replies; 34+ messages in thread
From: Joshua Brindle @ 2007-11-30 14:43 UTC (permalink / raw)
  To: Paul Moore; +Cc: Stephen Smalley, tmiller, selinux

Paul Moore wrote:
> On Thursday 29 November 2007 4:24:35 pm Stephen Smalley wrote:
>   
>> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
>>     
>>> This is a reworking of the peersid capability patch Joshua sent out
>>> a few weeks ago.  This version requires added explicit declaration of
>>> capabilities in the policy.
>>>
>>> I've used the same strings that Paul's kernel diff used (there is
>>> currently just a single capability).
>>>
>>> Note that capability declarations are not limited to base.conf /
>>> policy.conf as we would like to eventually get rid of the base vs. module
>>> distinction.
>>>       
>> Taking the union of the capabilities at link time seems worrisome to me.
>> I'd be more inclined to require equivalence or take the intersection.
>>     
>
> I agree with Stephen, to allow a single module to set a capability bit without 
> consideration for the rest of the loaded/installed modules could introduce 
> some very weird behavior ... that is unless you policy folks have some freaky 
> ability to peer* into the future ;)
>
> *intentional pun
>   

Aside from this issue have you tried the patch against your kernel 
patches? We did not test with your kernel, we inspected the policy 
manually to ensure the ebitmap was set up correctly.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-30 13:34     ` Stephen Smalley
@ 2007-11-30 14:38       ` Joshua Brindle
  2007-11-30 14:48         ` Stephen Smalley
  0 siblings, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2007-11-30 14:38 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: tmiller, selinux, Paul Moore

Stephen Smalley wrote:
> On Thu, 2007-11-29 at 18:24 -0500, Joshua Brindle wrote:
>   
>> Stephen Smalley wrote:
>>     
>>> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
>>>   
>>>       
>>>> This is a reworking of the peersid capability patch Joshua sent out
>>>> a few weeks ago.  This version requires added explicit declaration of
>>>> capabilities in the policy.
>>>>
>>>> I've used the same strings that Paul's kernel diff used (there is
>>>> currently just a single capability).
>>>>
>>>> Note that capability declarations are not limited to base.conf /
>>>> policy.conf as we would like to eventually get rid of the base vs. module
>>>> distinction.
>>>>     
>>>>         
>>> Taking the union of the capabilities at link time seems worrisome to me.
>>> I'd be more inclined to require equivalence or take the intersection.
>>>
>>>   
>>>       
>> I strongly disagree. My vision was to be able to add a capability to the 
>> policy by inserting a policy module that enables the capability (and has 
>> associated policy). Making them an intersection or equivalence would 
>> require one to update every single module just to add a capability (or 
>> at least update the base if it is considered authoritative, which I was 
>> also trying to avoid).
>>     
>
> Joshua - think about it.  Let's say I write a policy module based on the
> new peer checks, and my base module was written in terms of the old
> network checks.  Now I link them together and get a policy that tells
> the kernel to use the new peer checks.  Voila!  My base policy breaks
> horrendously.
>   
That is why I said the module being inserted would have the associated 
policy. I don't believe policyrep is going to have a concept of base so 
we'd just be delaying the inevitable by restricting it to base now.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-29 21:24 ` Stephen Smalley
  2007-11-29 23:24   ` Joshua Brindle
@ 2007-11-30 14:29   ` Paul Moore
  2007-11-30 14:43     ` Joshua Brindle
  2007-12-03 15:53     ` Christopher J. PeBenito
  1 sibling, 2 replies; 34+ messages in thread
From: Paul Moore @ 2007-11-30 14:29 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: tmiller, selinux, Joshua Brindle

On Thursday 29 November 2007 4:24:35 pm Stephen Smalley wrote:
> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> > This is a reworking of the peersid capability patch Joshua sent out
> > a few weeks ago.  This version requires added explicit declaration of
> > capabilities in the policy.
> >
> > I've used the same strings that Paul's kernel diff used (there is
> > currently just a single capability).
> >
> > Note that capability declarations are not limited to base.conf /
> > policy.conf as we would like to eventually get rid of the base vs. module
> > distinction.
>
> Taking the union of the capabilities at link time seems worrisome to me.
> I'd be more inclined to require equivalence or take the intersection.

I agree with Stephen, to allow a single module to set a capability bit without 
consideration for the rest of the loaded/installed modules could introduce 
some very weird behavior ... that is unless you policy folks have some freaky 
ability to peer* into the future ;)

*intentional pun

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-29 23:24   ` Joshua Brindle
@ 2007-11-30 13:34     ` Stephen Smalley
  2007-11-30 14:38       ` Joshua Brindle
  0 siblings, 1 reply; 34+ messages in thread
From: Stephen Smalley @ 2007-11-30 13:34 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: tmiller, selinux, Paul Moore

On Thu, 2007-11-29 at 18:24 -0500, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> >   
> >> This is a reworking of the peersid capability patch Joshua sent out
> >> a few weeks ago.  This version requires added explicit declaration of
> >> capabilities in the policy.
> >>
> >> I've used the same strings that Paul's kernel diff used (there is
> >> currently just a single capability).
> >>
> >> Note that capability declarations are not limited to base.conf /
> >> policy.conf as we would like to eventually get rid of the base vs. module
> >> distinction.
> >>     
> >
> > Taking the union of the capabilities at link time seems worrisome to me.
> > I'd be more inclined to require equivalence or take the intersection.
> >
> >   
> 
> I strongly disagree. My vision was to be able to add a capability to the 
> policy by inserting a policy module that enables the capability (and has 
> associated policy). Making them an intersection or equivalence would 
> require one to update every single module just to add a capability (or 
> at least update the base if it is considered authoritative, which I was 
> also trying to avoid).

Joshua - think about it.  Let's say I write a policy module based on the
new peer checks, and my base module was written in terms of the old
network checks.  Now I link them together and get a policy that tells
the kernel to use the new peer checks.  Voila!  My base policy breaks
horrendously.

> 
> >> Signed-off-by: Todd C. Miller <tmiller@tresys.com>
> >>
> >> --
> >>
> >> Index: trunk/libsepol/include/sepol/policydb/polcaps.h
> >> ===================================================================
> >> --- trunk.orig/libsepol/include/sepol/policydb/polcaps.h
> >> +++ trunk/libsepol/include/sepol/policydb/polcaps.h
> >> @@ -12,3 +12,17 @@ enum {
> >>  extern int sepol_polcap_getnum(const char *name);
> >>  
> >>  #endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
> >> +#ifndef _SEPOL_POLICYDB_POLCAPS_H_
> >> +#define _SEPOL_POLICYDB_POLCAPS_H_
> >> +
> >> +/* Policy capabilities */
> >> +enum {
> >> +	POLICYDB_CAPABILITY_NETPEER,
> >> +	__POLICYDB_CAPABILITY_MAX
> >> +};
> >> +#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
> >> +
> >> +/* Convert a capability name to number. */
> >> +extern int sepol_polcap_getnum(const char *name);
> >> +
> >> +#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
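Review bot: The hunk appends a second copy of polcaps.h below an existing `#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */` in the context lines, so this diff was evidently generated against a tree that already contained the file; the include guard makes the duplicate a no-op at compile time, but the patched file would carry the enum and prototype twice. The patch should be regenerated against a clean trunk so the header shows up once as a new file. As a smaller point, `__POLICYDB_CAPABILITY_MAX` begins with a double underscore, which C reserves for the implementation; `POLICYDB_CAPABILITY_COUNT` would avoid that, unless the spelling is kept deliberately to mirror the kernel's enum.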
> >> Index: trunk/libsepol/include/sepol/policydb/policydb.h
> >> ===================================================================
> >> --- trunk.orig/libsepol/include/sepol/policydb/policydb.h
> >> +++ trunk/libsepol/include/sepol/policydb/policydb.h
> >> @@ -468,6 +468,8 @@ typedef struct policydb {
> >>  
> >>  	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
> >>  
> >> +	ebitmap_t policycaps;
> >> +
> >>  	unsigned policyvers;
> >>  
> >>  	unsigned handle_unknown;
> >> @@ -584,10 +586,11 @@ extern int policydb_write(struct policyd
> >>  #define POLICYDB_VERSION_MLS		19
> >>  #define POLICYDB_VERSION_AVTAB		20
> >>  #define POLICYDB_VERSION_RANGETRANS	21
> >> +#define POLICYDB_VERSION_POLCAP		22
> >>  
> >>  /* Range of policy versions we understand*/
> >>  #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
> >> -#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS
> >> +#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_POLCAP
> >>  
> >>  /* Module versions and specific changes*/
> >>  #define MOD_POLICYDB_VERSION_BASE	   4
> >> @@ -595,9 +598,10 @@ extern int policydb_write(struct policyd
> >>  #define MOD_POLICYDB_VERSION_MLS	   5
> >>  #define MOD_POLICYDB_VERSION_RANGETRANS	   6
> >>  #define MOD_POLICYDB_VERSION_MLS_USERS	   6
> >> +#define MOD_POLICYDB_VERSION_POLCAP	   7
> >>  
> >>  #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
> >> -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
> >> +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_POLCAP
> >>  
> >>  #define POLICYDB_CONFIG_MLS    1
> >>  
> >> Index: trunk/libsepol/src/polcaps.c
> >> ===================================================================
> >> --- trunk.orig/libsepol/src/polcaps.c
> >> +++ trunk/libsepol/src/polcaps.c
> >> @@ -22,3 +22,27 @@ int sepol_polcap_getnum(const char *name
> >>  	}
> >>  	return -1;
> >>  }
> >> +/*
> >> + * Policy capability support functions
> >> + */
> >> +
> >> +#include <string.h>
> >> +#include <sepol/policydb/polcaps.h>
> >> +
> >> +static const char *polcap_names[] = {
> >> +	"network_peer_controls",	/* POLICYDB_CAPABILITY_NETPEER */
> >> +	NULL
> >> +};
> >> +
> >> +int sepol_polcap_getnum(const char *name)
> >> +{
> >> +	int capnum;
> >> +
> >> +	for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) {
> >> +		if (polcap_names[capnum] == NULL)
> >> +			continue;
> >> +		if (strcasecmp(polcap_names[capnum], name) == 0)
> >> +			return capnum;
> >> +	}
> >> +	return -1;
> >> +}
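Review bot: This hunk has the same duplication problem as polcaps.h: a second `sepol_polcap_getnum` is added directly after the one already visible in the context lines, which, applied literally, would be a redefinition error, so the diff needs regenerating from a tree without the file. In the function itself, `strcasecmp` is declared in `<strings.h>` by POSIX, so that header should be included alongside `<string.h>` rather than relying on glibc exposing it there. Nothing ties `polcap_names` to the enum order either; a comment such as `/* indexed by the polcaps.h enum; keep in the same order, NULL-terminated */` would at least warn the next person who adds a capability.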
> >> Index: trunk/libsepol/src/policydb.c
> >> ===================================================================
> >> --- trunk.orig/libsepol/src/policydb.c
> >> +++ trunk/libsepol/src/policydb.c
> >> @@ -99,6 +99,12 @@ static struct policydb_compat_info polic
> >>  	 .ocon_num = OCON_NODE6 + 1,
> >>  	 },
> >>  	{
> >> +	 .type = POLICY_KERN,
> >> +	 .version = POLICYDB_VERSION_POLCAP,
> >> +	 .sym_num = SYM_NUM,
> >> +	 .ocon_num = OCON_NODE6 + 1,
> >> +	 },
> >> +	{
> >>  	 .type = POLICY_BASE,
> >>  	 .version = MOD_POLICYDB_VERSION_BASE,
> >>  	 .sym_num = SYM_NUM,
> >> @@ -117,6 +123,12 @@ static struct policydb_compat_info polic
> >>  	 .ocon_num = OCON_NODE6 + 1,
> >>  	 },
> >>  	{
> >> +	 .type = POLICY_BASE,
> >> +	 .version = MOD_POLICYDB_VERSION_POLCAP,
> >> +	 .sym_num = SYM_NUM,
> >> +	 .ocon_num = OCON_NODE6 + 1,
> >> +	 },
> >> +	{
> >>  	 .type = POLICY_MOD,
> >>  	 .version = MOD_POLICYDB_VERSION_BASE,
> >>  	 .sym_num = SYM_NUM,
> >> @@ -132,6 +144,12 @@ static struct policydb_compat_info polic
> >>  	 .type = POLICY_MOD,
> >>  	 .version = MOD_POLICYDB_VERSION_MLS_USERS,
> >>  	 .sym_num = SYM_NUM,
> >> +	 .ocon_num = 0
> >> +	 },
> >> +	{
> >> +	 .type = POLICY_MOD,
> >> +	 .version = MOD_POLICYDB_VERSION_POLCAP,
> >> +	 .sym_num = SYM_NUM,
> >>  	 .ocon_num = 0},
> >>  };
> >>  
> >> @@ -447,6 +465,8 @@ int policydb_init(policydb_t * p)
> >>  
> >>  	memset(p, 0, sizeof(policydb_t));
> >>  
> >> +	ebitmap_init(&p->policycaps);
> >> +
> >>  	for (i = 0; i < SYM_NUM; i++) {
> >>  		p->sym_val_to_name[i] = NULL;
> >>  		rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
> >> @@ -971,6 +991,8 @@ void policydb_destroy(policydb_t * p)
> >>  	if (!p)
> >>  		return;
> >>  
> >> +	ebitmap_destroy(&p->policycaps);
> >> +
> >>  	symtabs_destroy(p->symtab);
> >>  
> >>  	for (i = 0; i < SYM_NUM; i++) {
> >> @@ -3194,6 +3216,16 @@ int policydb_read(policydb_t * p, struct
> >>  		}
> >>  	}
> >>  
> >> +	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
> >> +	     p->policy_type == POLICY_KERN) ||
> >> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
> >> +	     p->policy_type == POLICY_BASE) ||
> >> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
> >> +	     p->policy_type == POLICY_MOD)) {
> >> +		if (ebitmap_read(&p->policycaps, fp))
> >> +			goto bad;
> >> +	}
> >> +
> >>  	if (policy_type == POLICY_KERN) {
> >>  		p->type_attr_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
> >>  		p->attr_type_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
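Review bot: The new ebitmap_read in policydb_read accepts whatever bits the image contains, so a policy that sets a capability number above POLICYDB_CAPABILITY_MAX loads without complaint and the mistake only surfaces (or is silently ignored) in whatever consumes the bitmap. A check after the read that walks the set bits and jumps to `bad` when any index exceeds POLICYDB_CAPABILITY_MAX would reject unknown capabilities at load time, in the same spirit as the existing version checks; note that the bitmap's highbit is rounded up to the word size, so comparing it directly against the enum is not a substitute. The three-clause version test can also collapse to `p->policyvers >= (p->policy_type == POLICY_KERN ? POLICYDB_VERSION_POLCAP : MOD_POLICYDB_VERSION_POLCAP)`, since POLICY_BASE and POLICY_MOD use the same threshold. policydb_read begins outside the hunk.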
> >> Index: trunk/libsepol/src/expand.c
> >> ===================================================================
> >> --- trunk.orig/libsepol/src/expand.c
> >> +++ trunk/libsepol/src/expand.c
> >> @@ -2252,6 +2252,12 @@ int expand_module(sepol_handle_t * handl
> >>  	out->mls = base->mls;
> >>  	out->handle_unknown = base->handle_unknown;
> >>  
> >> +	/* Copy policy capabilities */
> >> +	if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
> >> +		ERR(handle, "Out of memory!");
> >> +		goto cleanup;
> >> +	}
> >> +
> >>  	if ((state.typemap =
> >>  	     (uint32_t *) calloc(state.base->p_types.nprim,
> >>  				 sizeof(uint32_t))) == NULL) {
> >> @@ -2418,6 +2424,7 @@ int expand_module(sepol_handle_t * handl
> >>  	retval = 0;
> >>  
> >>        cleanup:
> >> +	ebitmap_destroy(&out->policycaps);
> >>  	free(state.typemap);
> >>  	free(state.boolmap);
> >>  	return retval;
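Review bot: The `ebitmap_destroy(&out->policycaps)` added under the `cleanup:` label also runs on the success path, because `retval = 0;` two lines above falls straight into the label, so the capabilities just copied from base are freed before expand_module returns and the expanded kernel policy ends up with an empty policycaps bitmap. The destroy is only meaningful on failure, and even there the caller presumably tears down `out` with policydb_destroy, which this patch teaches to free policycaps, so the simplest fix is to drop the line and leave `cleanup:` as `free(state.typemap); free(state.boolmap); return retval;`. If an explicit failure-path release is wanted, guard it with `if (retval) ebitmap_destroy(&out->policycaps);`. expand_module begins outside the hunk.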
> >> Index: trunk/libsepol/src/write.c
> >> ===================================================================
> >> --- trunk.orig/libsepol/src/write.c
> >> +++ trunk/libsepol/src/write.c
> >> @@ -1650,6 +1650,16 @@ int policydb_write(policydb_t * p, struc
> >>  		}
> >>  	}
> >>  
> >> +	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
> >> +	     p->policy_type == POLICY_KERN) ||
> >> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
> >> +	     p->policy_type == POLICY_BASE) ||
> >> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
> >> +	     p->policy_type == POLICY_MOD)) {
> >> +		if (ebitmap_write(&p->policycaps, fp) == -1)
> >> +			return POLICYDB_ERROR;
> >> +	}
> >> +
> >>  	if (p->policy_type == POLICY_KERN
> >>  	    && p->policyvers >= POLICYDB_VERSION_AVTAB) {
> >>  		for (i = 0; i < p->p_types.nprim; i++) {
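Review bot: The bitmap is written after the symbol and range-transition data and just before the type_attr_map block, and because the binary format is positional the kernel's reader must consume it at exactly that offset or the bytes will be parsed as the next structure; the kernel side is not in this patch, so the position should be confirmed against the kernel's policydb_read before version 22 is frozen. A comment at the write site, `/* policy capabilities: position must match the kernel and policydb_read */`, would make that coupling explicit. The three-clause version test also duplicates the one in policydb_read; a small shared helper such as `static int policydb_has_polcaps(const policydb_t *p)` used by both would stop the read and write sides from drifting apart.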
> >> Index: trunk/libsepol/src/link.c
> >> ===================================================================
> >> --- trunk.orig/libsepol/src/link.c
> >> +++ trunk/libsepol/src/link.c
> >> @@ -2177,8 +2177,14 @@ int link_modules(sepol_handle_t * handle
> >>  		goto cleanup;
> >>  	}
> >>  
> >> -	/* copy all types, declared and required */
> >> +	/* copy all types, declared, required and polcaps */
> >>  	for (i = 0; i < len; i++) {
> >> +		ret = ebitmap_union(&state.base->policycaps,
> >> +				    &modules[i]->policy->policycaps);
> >> +		if (ret) {
> >> +			retval = ret;
> >> +			goto cleanup;
> >> +		}
> >>  		state.cur = modules[i];
> >>  		state.cur_mod_name = modules[i]->policy->name;
> >>  		ret =
> >> Index: trunk/checkpolicy/policy_scan.l
> >> ===================================================================
> >> --- trunk.orig/checkpolicy/policy_scan.l
> >> +++ trunk/checkpolicy/policy_scan.l
> >> @@ -201,6 +201,8 @@ h1 |
> >>  H1				{ return(H1); }
> >>  h2 |
> >>  H2				{ return(H2); }
> >> +policycap |
> >> +POLICYCAP			{ return(POLICYCAP);}
> >>  "/"({alnum}|[_.-/])*	        { return(PATH); }
> >>  {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
> >>  {digit}+                        { return(NUMBER); }
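Review bot: Adding `policycap` as a keyword reserves a word that was previously a legal identifier: flex resolves the equal-length match in favour of the earlier rule, so any existing policy that names a type, attribute or boolean `policycap` will now fail to parse. That is probably acceptable for a new policy version, but it is worth a line in the changelog or a comment next to the rule, `/* reserved from POLICYDB_VERSION_POLCAP onwards; no longer usable as an identifier */`, so the breakage is documented rather than discovered.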
> >> Index: trunk/checkpolicy/policy_parse.y
> >> ===================================================================
> >> --- trunk.orig/checkpolicy/policy_parse.y
> >> +++ trunk/checkpolicy/policy_parse.y
> >> @@ -47,6 +47,7 @@
> >>  #include <sepol/policydb/conditional.h>
> >>  #include <sepol/policydb/flask.h>
> >>  #include <sepol/policydb/hierarchy.h>
> >> +#include <sepol/policydb/polcaps.h>
> >>  #include "queue.h"
> >>  #include "checkpolicy.h"
> >>  #include "module_compiler.h"
> >> @@ -198,6 +199,7 @@ typedef int (* require_func_t)();
> >>  %token IPV4_ADDR
> >>  %token IPV6_ADDR
> >>  %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
> >> +%token POLICYCAP
> >>  
> >>  %left OR
> >>  %left XOR
> >> @@ -323,6 +325,7 @@ te_decl			: attribute_def
> >>                          | transition_def
> >>                          | range_trans_def
> >>                          | te_avtab_def
> >> +			| policycap_def
> >>  			;
> >>  attribute_def           : ATTRIBUTE identifier ';'
> >>                          { if (define_attrib()) return -1;}
> >> @@ -765,6 +768,9 @@ number			: NUMBER 
> >>  ipv6_addr		: IPV6_ADDR
> >>  			{ if (insert_id(yytext,0)) return -1; }
> >>  			;
> >> +policycap_def		: POLICYCAP identifier ';'
> >> +			{if (define_polcap()) return -1;}
> >> +			;
> >>  
> >>  /*********** module grammar below ***********/
> >>  
> >> @@ -962,6 +968,44 @@ static int define_class(void)
> >>  	return -1;
> >>  }
> >>  
> >> +static int define_polcap(void)
> >> +{
> >> +	char *id = 0;
> >> +	int capnum;
> >> +
> >> +	if (pass == 2) {
> >> +		id = queue_remove(id_queue);
> >> +		free(id);
> >> +		return 0;
> >> +	}
> >> +
> >> +	id = (char *)queue_remove(id_queue);
> >> +	if (!id) {
> >> +		yyerror("no capability name for policycap definition?");
> >> +		goto bad;
> >> +	}
> >> +
> >> +	/* Check for valid cap name -> number mapping */
> >> +	capnum = sepol_polcap_getnum(id);
> >> +	if (capnum < 0) {
> >> +		yyerror2("invalid policy capability name %s", id);
> >> +		goto bad;
> >> +	}
> >> +
> >> +	/* Store it */
> >> +	if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
> >> +		yyerror("out of memory");
> >> +		goto bad;
> >> +	}
> >> +
> >> +	free(id);
> >> +	return 0;
> >> +
> >> +      bad:
> >> +	free(id);
> >> +	return -1;
> >> +}
> >> +
> >>  static int define_initial_sid(void)
> >>  {
> >>  	char *id = 0;
> >>
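Review bot: define_polcap has no comment explaining its two-pass behaviour: in pass 2 it only dequeues and frees the identifier because the bit was already recorded in policydbp->policycaps during pass 1, and a reader unfamiliar with checkpolicy's pass structure will wonder why the name is discarded. A header comment such as `/* policycap NAME; -- record the capability in policydbp->policycaps during pass 1; pass 2 only consumes the queued identifier. */` would cover it. Because policycap_def hangs off te_decl, the bit is set wherever a TE declaration may appear; if that includes optional blocks (not visible here), a capability named inside an unsatisfied optional would still be enabled, which should either be documented or rejected in define_polcap.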
> >> --
> >> This message was distributed to subscribers of the selinux mailing list.
> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >> the words "unsubscribe selinux" without quotes as the message.
> >>     
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-29 21:24 ` Stephen Smalley
@ 2007-11-29 23:24   ` Joshua Brindle
  2007-11-30 13:34     ` Stephen Smalley
  2007-11-30 14:29   ` Paul Moore
  1 sibling, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2007-11-29 23:24 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: tmiller, selinux, Paul Moore

Stephen Smalley wrote:
> On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
>   
>> This is a reworking of the peersid capability patch Joshua sent out
>> a few weeks ago.  This version requires added explicit declaration of
>> capabilities in the policy.
>>
>> I've used the same strings that Paul's kernel diff used (there is
>> currently just a single capability).
>>
>> Note that capability declarations are not limited to base.conf /
>> policy.conf as we would like to eventually get rid of the base vs. module
>> distinction.
>>     
>
> Taking the union of the capabilities at link time seems worrisome to me.
> I'd be more inclined to require equivalence or take the intersection.
>
>   

I strongly disagree. My vision was to be able to add a capability to the 
policy by inserting a policy module that enables the capability (and has 
associated policy). Making them an intersection or equivalence would 
require one to update every single module just to add a capability (or 
at least update the base if it is considered authoritative, which I was 
also trying to avoid).

>> Signed-off-by: Todd C. Miller <tmiller@tresys.com>
>>
>> --
>>
>> Index: trunk/libsepol/include/sepol/policydb/polcaps.h
>> ===================================================================
>> --- trunk.orig/libsepol/include/sepol/policydb/polcaps.h
>> +++ trunk/libsepol/include/sepol/policydb/polcaps.h
>> @@ -12,3 +12,17 @@ enum {
>>  extern int sepol_polcap_getnum(const char *name);
>>  
>>  #endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
>> +#ifndef _SEPOL_POLICYDB_POLCAPS_H_
>> +#define _SEPOL_POLICYDB_POLCAPS_H_
>> +
>> +/* Policy capabilities */
>> +enum {
>> +	POLICYDB_CAPABILITY_NETPEER,
>> +	__POLICYDB_CAPABILITY_MAX
>> +};
>> +#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
>> +
>> +/* Convert a capability name to number. */
>> +extern int sepol_polcap_getnum(const char *name);
>> +
>> +#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
>> Index: trunk/libsepol/include/sepol/policydb/policydb.h
>> ===================================================================
>> --- trunk.orig/libsepol/include/sepol/policydb/policydb.h
>> +++ trunk/libsepol/include/sepol/policydb/policydb.h
>> @@ -468,6 +468,8 @@ typedef struct policydb {
>>  
>>  	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
>>  
>> +	ebitmap_t policycaps;
>> +
>>  	unsigned policyvers;
>>  
>>  	unsigned handle_unknown;
>> @@ -584,10 +586,11 @@ extern int policydb_write(struct policyd
>>  #define POLICYDB_VERSION_MLS		19
>>  #define POLICYDB_VERSION_AVTAB		20
>>  #define POLICYDB_VERSION_RANGETRANS	21
>> +#define POLICYDB_VERSION_POLCAP		22
>>  
>>  /* Range of policy versions we understand*/
>>  #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
>> -#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS
>> +#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_POLCAP
>>  
>>  /* Module versions and specific changes*/
>>  #define MOD_POLICYDB_VERSION_BASE	   4
>> @@ -595,9 +598,10 @@ extern int policydb_write(struct policyd
>>  #define MOD_POLICYDB_VERSION_MLS	   5
>>  #define MOD_POLICYDB_VERSION_RANGETRANS	   6
>>  #define MOD_POLICYDB_VERSION_MLS_USERS	   6
>> +#define MOD_POLICYDB_VERSION_POLCAP	   7
>>  
>>  #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
>> -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
>> +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_POLCAP
>>  
>>  #define POLICYDB_CONFIG_MLS    1
>>  
>> Index: trunk/libsepol/src/polcaps.c
>> ===================================================================
>> --- trunk.orig/libsepol/src/polcaps.c
>> +++ trunk/libsepol/src/polcaps.c
>> @@ -22,3 +22,27 @@ int sepol_polcap_getnum(const char *name
>>  	}
>>  	return -1;
>>  }
>> +/*
>> + * Policy capability support functions
>> + */
>> +
>> +#include <string.h>
>> +#include <sepol/policydb/polcaps.h>
>> +
>> +static const char *polcap_names[] = {
>> +	"network_peer_controls",	/* POLICYDB_CAPABILITY_NETPEER */
>> +	NULL
>> +};
>> +
>> +int sepol_polcap_getnum(const char *name)
>> +{
>> +	int capnum;
>> +
>> +	for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) {
>> +		if (polcap_names[capnum] == NULL)
>> +			continue;
>> +		if (strcasecmp(polcap_names[capnum], name) == 0)
>> +			return capnum;
>> +	}
>> +	return -1;
>> +}
>> Index: trunk/libsepol/src/policydb.c
>> ===================================================================
>> --- trunk.orig/libsepol/src/policydb.c
>> +++ trunk/libsepol/src/policydb.c
>> @@ -99,6 +99,12 @@ static struct policydb_compat_info polic
>>  	 .ocon_num = OCON_NODE6 + 1,
>>  	 },
>>  	{
>> +	 .type = POLICY_KERN,
>> +	 .version = POLICYDB_VERSION_POLCAP,
>> +	 .sym_num = SYM_NUM,
>> +	 .ocon_num = OCON_NODE6 + 1,
>> +	 },
>> +	{
>>  	 .type = POLICY_BASE,
>>  	 .version = MOD_POLICYDB_VERSION_BASE,
>>  	 .sym_num = SYM_NUM,
>> @@ -117,6 +123,12 @@ static struct policydb_compat_info polic
>>  	 .ocon_num = OCON_NODE6 + 1,
>>  	 },
>>  	{
>> +	 .type = POLICY_BASE,
>> +	 .version = MOD_POLICYDB_VERSION_POLCAP,
>> +	 .sym_num = SYM_NUM,
>> +	 .ocon_num = OCON_NODE6 + 1,
>> +	 },
>> +	{
>>  	 .type = POLICY_MOD,
>>  	 .version = MOD_POLICYDB_VERSION_BASE,
>>  	 .sym_num = SYM_NUM,
>> @@ -132,6 +144,12 @@ static struct policydb_compat_info polic
>>  	 .type = POLICY_MOD,
>>  	 .version = MOD_POLICYDB_VERSION_MLS_USERS,
>>  	 .sym_num = SYM_NUM,
>> +	 .ocon_num = 0
>> +	 },
>> +	{
>> +	 .type = POLICY_MOD,
>> +	 .version = MOD_POLICYDB_VERSION_POLCAP,
>> +	 .sym_num = SYM_NUM,
>>  	 .ocon_num = 0},
>>  };
>>  
>> @@ -447,6 +465,8 @@ int policydb_init(policydb_t * p)
>>  
>>  	memset(p, 0, sizeof(policydb_t));
>>  
>> +	ebitmap_init(&p->policycaps);
>> +
>>  	for (i = 0; i < SYM_NUM; i++) {
>>  		p->sym_val_to_name[i] = NULL;
>>  		rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
>> @@ -971,6 +991,8 @@ void policydb_destroy(policydb_t * p)
>>  	if (!p)
>>  		return;
>>  
>> +	ebitmap_destroy(&p->policycaps);
>> +
>>  	symtabs_destroy(p->symtab);
>>  
>>  	for (i = 0; i < SYM_NUM; i++) {
>> @@ -3194,6 +3216,16 @@ int policydb_read(policydb_t * p, struct
>>  		}
>>  	}
>>  
>> +	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
>> +	     p->policy_type == POLICY_KERN) ||
>> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
>> +	     p->policy_type == POLICY_BASE) ||
>> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
>> +	     p->policy_type == POLICY_MOD)) {
>> +		if (ebitmap_read(&p->policycaps, fp))
>> +			goto bad;
>> +	}
>> +
>>  	if (policy_type == POLICY_KERN) {
>>  		p->type_attr_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
>>  		p->attr_type_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
>> Index: trunk/libsepol/src/expand.c
>> ===================================================================
>> --- trunk.orig/libsepol/src/expand.c
>> +++ trunk/libsepol/src/expand.c
>> @@ -2252,6 +2252,12 @@ int expand_module(sepol_handle_t * handl
>>  	out->mls = base->mls;
>>  	out->handle_unknown = base->handle_unknown;
>>  
>> +	/* Copy policy capabilities */
>> +	if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
>> +		ERR(handle, "Out of memory!");
>> +		goto cleanup;
>> +	}
>> +
>>  	if ((state.typemap =
>>  	     (uint32_t *) calloc(state.base->p_types.nprim,
>>  				 sizeof(uint32_t))) == NULL) {
>> @@ -2418,6 +2424,7 @@ int expand_module(sepol_handle_t * handl
>>  	retval = 0;
>>  
>>        cleanup:
>> +	ebitmap_destroy(&out->policycaps);
>>  	free(state.typemap);
>>  	free(state.boolmap);
>>  	return retval;
>> Index: trunk/libsepol/src/write.c
>> ===================================================================
>> --- trunk.orig/libsepol/src/write.c
>> +++ trunk/libsepol/src/write.c
>> @@ -1650,6 +1650,16 @@ int policydb_write(policydb_t * p, struc
>>  		}
>>  	}
>>  
>> +	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
>> +	     p->policy_type == POLICY_KERN) ||
>> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
>> +	     p->policy_type == POLICY_BASE) ||
>> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
>> +	     p->policy_type == POLICY_MOD)) {
>> +		if (ebitmap_write(&p->policycaps, fp) == -1)
>> +			return POLICYDB_ERROR;
>> +	}
>> +
>>  	if (p->policy_type == POLICY_KERN
>>  	    && p->policyvers >= POLICYDB_VERSION_AVTAB) {
>>  		for (i = 0; i < p->p_types.nprim; i++) {
>> Index: trunk/libsepol/src/link.c
>> ===================================================================
>> --- trunk.orig/libsepol/src/link.c
>> +++ trunk/libsepol/src/link.c
>> @@ -2177,8 +2177,14 @@ int link_modules(sepol_handle_t * handle
>>  		goto cleanup;
>>  	}
>>  
>> -	/* copy all types, declared and required */
>> +	/* copy all types, declared, required and polcaps */
>>  	for (i = 0; i < len; i++) {
>> +		ret = ebitmap_union(&state.base->policycaps,
>> +				    &modules[i]->policy->policycaps);
>> +		if (ret) {
>> +			retval = ret;
>> +			goto cleanup;
>> +		}
>>  		state.cur = modules[i];
>>  		state.cur_mod_name = modules[i]->policy->name;
>>  		ret =
>> Index: trunk/checkpolicy/policy_scan.l
>> ===================================================================
>> --- trunk.orig/checkpolicy/policy_scan.l
>> +++ trunk/checkpolicy/policy_scan.l
>> @@ -201,6 +201,8 @@ h1 |
>>  H1				{ return(H1); }
>>  h2 |
>>  H2				{ return(H2); }
>> +policycap |
>> +POLICYCAP			{ return(POLICYCAP);}
>>  "/"({alnum}|[_.-/])*	        { return(PATH); }
>>  {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
>>  {digit}+                        { return(NUMBER); }
>> Index: trunk/checkpolicy/policy_parse.y
>> ===================================================================
>> --- trunk.orig/checkpolicy/policy_parse.y
>> +++ trunk/checkpolicy/policy_parse.y
>> @@ -47,6 +47,7 @@
>>  #include <sepol/policydb/conditional.h>
>>  #include <sepol/policydb/flask.h>
>>  #include <sepol/policydb/hierarchy.h>
>> +#include <sepol/policydb/polcaps.h>
>>  #include "queue.h"
>>  #include "checkpolicy.h"
>>  #include "module_compiler.h"
>> @@ -198,6 +199,7 @@ typedef int (* require_func_t)();
>>  %token IPV4_ADDR
>>  %token IPV6_ADDR
>>  %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
>> +%token POLICYCAP
>>  
>>  %left OR
>>  %left XOR
>> @@ -323,6 +325,7 @@ te_decl			: attribute_def
>>                          | transition_def
>>                          | range_trans_def
>>                          | te_avtab_def
>> +			| policycap_def
>>  			;
>>  attribute_def           : ATTRIBUTE identifier ';'
>>                          { if (define_attrib()) return -1;}
>> @@ -765,6 +768,9 @@ number			: NUMBER 
>>  ipv6_addr		: IPV6_ADDR
>>  			{ if (insert_id(yytext,0)) return -1; }
>>  			;
>> +policycap_def		: POLICYCAP identifier ';'
>> +			{if (define_polcap()) return -1;}
>> +			;
>>  
>>  /*********** module grammar below ***********/
>>  
>> @@ -962,6 +968,44 @@ static int define_class(void)
>>  	return -1;
>>  }
>>  
>> +static int define_polcap(void)
>> +{
>> +	char *id = 0;
>> +	int capnum;
>> +
>> +	if (pass == 2) {
>> +		id = queue_remove(id_queue);
>> +		free(id);
>> +		return 0;
>> +	}
>> +
>> +	id = (char *)queue_remove(id_queue);
>> +	if (!id) {
>> +		yyerror("no capability name for policycap definition?");
>> +		goto bad;
>> +	}
>> +
>> +	/* Check for valid cap name -> number mapping */
>> +	capnum = sepol_polcap_getnum(id);
>> +	if (capnum < 0) {
>> +		yyerror2("invalid policy capability name %s", id);
>> +		goto bad;
>> +	}
>> +
>> +	/* Store it */
>> +	if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
>> +		yyerror("out of memory");
>> +		goto bad;
>> +	}
>> +
>> +	free(id);
>> +	return 0;
>> +
>> +      bad:
>> +	free(id);
>> +	return -1;
>> +}
>> +
>>  static int define_initial_sid(void)
>>  {
>>  	char *id = 0;
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>     



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: peersid capability support
  2007-11-29 19:27 tmiller
@ 2007-11-29 21:24 ` Stephen Smalley
  2007-11-29 23:24   ` Joshua Brindle
  2007-11-30 14:29   ` Paul Moore
  2008-01-03 15:15 ` Václav Ovsík
  1 sibling, 2 replies; 34+ messages in thread
From: Stephen Smalley @ 2007-11-29 21:24 UTC (permalink / raw)
  To: tmiller; +Cc: selinux, Joshua Brindle, Paul Moore

On Thu, 2007-11-29 at 14:27 -0500, tmiller@tresys.com wrote:
> This is a reworking of the peersid capability patch Joshua sent out
> a few weeks ago.  This version requires added explicit declaration of
> capabilities in the policy.
> 
> I've used the same strings that Paul's kernel diff used (there is
> currently just a single capability).
> 
> Note that capability declarations are not limited to base.conf /
> policy.conf as we would like to eventually get rid of the base vs. module
> distinction.

Taking the union of the capabilities at link time seems worrisome to me.
I'd be more inclined to require equivalence or take the intersection.

> 
> Signed-off-by: Todd C. Miller <tmiller@tresys.com>
> 
> --
> 
> Index: trunk/libsepol/include/sepol/policydb/polcaps.h
> ===================================================================
> --- trunk.orig/libsepol/include/sepol/policydb/polcaps.h
> +++ trunk/libsepol/include/sepol/policydb/polcaps.h
> @@ -12,3 +12,17 @@ enum {
>  extern int sepol_polcap_getnum(const char *name);
>  
>  #endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
> +#ifndef _SEPOL_POLICYDB_POLCAPS_H_
> +#define _SEPOL_POLICYDB_POLCAPS_H_
> +
> +/* Policy capabilities */
> +enum {
> +	POLICYDB_CAPABILITY_NETPEER,
> +	__POLICYDB_CAPABILITY_MAX
> +};
> +#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
> +
> +/* Convert a capability name to number. */
> +extern int sepol_polcap_getnum(const char *name);
> +
> +#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
> Index: trunk/libsepol/include/sepol/policydb/policydb.h
> ===================================================================
> --- trunk.orig/libsepol/include/sepol/policydb/policydb.h
> +++ trunk/libsepol/include/sepol/policydb/policydb.h
> @@ -468,6 +468,8 @@ typedef struct policydb {
>  
>  	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
>  
> +	ebitmap_t policycaps;
> +
>  	unsigned policyvers;
>  
>  	unsigned handle_unknown;
> @@ -584,10 +586,11 @@ extern int policydb_write(struct policyd
>  #define POLICYDB_VERSION_MLS		19
>  #define POLICYDB_VERSION_AVTAB		20
>  #define POLICYDB_VERSION_RANGETRANS	21
> +#define POLICYDB_VERSION_POLCAP		22
>  
>  /* Range of policy versions we understand*/
>  #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
> -#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS
> +#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_POLCAP
>  
>  /* Module versions and specific changes*/
>  #define MOD_POLICYDB_VERSION_BASE	   4
> @@ -595,9 +598,10 @@ extern int policydb_write(struct policyd
>  #define MOD_POLICYDB_VERSION_MLS	   5
>  #define MOD_POLICYDB_VERSION_RANGETRANS	   6
>  #define MOD_POLICYDB_VERSION_MLS_USERS	   6
> +#define MOD_POLICYDB_VERSION_POLCAP	   7
>  
>  #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
> -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
> +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_POLCAP
>  
>  #define POLICYDB_CONFIG_MLS    1
>  
> Index: trunk/libsepol/src/polcaps.c
> ===================================================================
> --- trunk.orig/libsepol/src/polcaps.c
> +++ trunk/libsepol/src/polcaps.c
> @@ -22,3 +22,27 @@ int sepol_polcap_getnum(const char *name
>  	}
>  	return -1;
>  }
> +/*
> + * Policy capability support functions
> + */
> +
> +#include <string.h>
> +#include <sepol/policydb/polcaps.h>
> +
> +static const char *polcap_names[] = {
> +	"network_peer_controls",	/* POLICYDB_CAPABILITY_NETPEER */
> +	NULL
> +};
> +
> +int sepol_polcap_getnum(const char *name)
> +{
> +	int capnum;
> +
> +	for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) {
> +		if (polcap_names[capnum] == NULL)
> +			continue;
> +		if (strcasecmp(polcap_names[capnum], name) == 0)
> +			return capnum;
> +	}
> +	return -1;
> +}
> Index: trunk/libsepol/src/policydb.c
> ===================================================================
> --- trunk.orig/libsepol/src/policydb.c
> +++ trunk/libsepol/src/policydb.c
> @@ -99,6 +99,12 @@ static struct policydb_compat_info polic
>  	 .ocon_num = OCON_NODE6 + 1,
>  	 },
>  	{
> +	 .type = POLICY_KERN,
> +	 .version = POLICYDB_VERSION_POLCAP,
> +	 .sym_num = SYM_NUM,
> +	 .ocon_num = OCON_NODE6 + 1,
> +	 },
> +	{
>  	 .type = POLICY_BASE,
>  	 .version = MOD_POLICYDB_VERSION_BASE,
>  	 .sym_num = SYM_NUM,
> @@ -117,6 +123,12 @@ static struct policydb_compat_info polic
>  	 .ocon_num = OCON_NODE6 + 1,
>  	 },
>  	{
> +	 .type = POLICY_BASE,
> +	 .version = MOD_POLICYDB_VERSION_POLCAP,
> +	 .sym_num = SYM_NUM,
> +	 .ocon_num = OCON_NODE6 + 1,
> +	 },
> +	{
>  	 .type = POLICY_MOD,
>  	 .version = MOD_POLICYDB_VERSION_BASE,
>  	 .sym_num = SYM_NUM,
> @@ -132,6 +144,12 @@ static struct policydb_compat_info polic
>  	 .type = POLICY_MOD,
>  	 .version = MOD_POLICYDB_VERSION_MLS_USERS,
>  	 .sym_num = SYM_NUM,
> +	 .ocon_num = 0
> +	 },
> +	{
> +	 .type = POLICY_MOD,
> +	 .version = MOD_POLICYDB_VERSION_POLCAP,
> +	 .sym_num = SYM_NUM,
>  	 .ocon_num = 0},
>  };
>  
> @@ -447,6 +465,8 @@ int policydb_init(policydb_t * p)
>  
>  	memset(p, 0, sizeof(policydb_t));
>  
> +	ebitmap_init(&p->policycaps);
> +
>  	for (i = 0; i < SYM_NUM; i++) {
>  		p->sym_val_to_name[i] = NULL;
>  		rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
> @@ -971,6 +991,8 @@ void policydb_destroy(policydb_t * p)
>  	if (!p)
>  		return;
>  
> +	ebitmap_destroy(&p->policycaps);
> +
>  	symtabs_destroy(p->symtab);
>  
>  	for (i = 0; i < SYM_NUM; i++) {
> @@ -3194,6 +3216,16 @@ int policydb_read(policydb_t * p, struct
>  		}
>  	}
>  
> +	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
> +	     p->policy_type == POLICY_KERN) ||
> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
> +	     p->policy_type == POLICY_BASE) ||
> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
> +	     p->policy_type == POLICY_MOD)) {
> +		if (ebitmap_read(&p->policycaps, fp))
> +			goto bad;
> +	}
> +
>  	if (policy_type == POLICY_KERN) {
>  		p->type_attr_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
>  		p->attr_type_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
> Index: trunk/libsepol/src/expand.c
> ===================================================================
> --- trunk.orig/libsepol/src/expand.c
> +++ trunk/libsepol/src/expand.c
> @@ -2252,6 +2252,12 @@ int expand_module(sepol_handle_t * handl
>  	out->mls = base->mls;
>  	out->handle_unknown = base->handle_unknown;
>  
> +	/* Copy policy capabilities */
> +	if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
> +		ERR(handle, "Out of memory!");
> +		goto cleanup;
> +	}
> +
>  	if ((state.typemap =
>  	     (uint32_t *) calloc(state.base->p_types.nprim,
>  				 sizeof(uint32_t))) == NULL) {
> @@ -2418,6 +2424,7 @@ int expand_module(sepol_handle_t * handl
>  	retval = 0;
>  
>        cleanup:
> +	ebitmap_destroy(&out->policycaps);
>  	free(state.typemap);
>  	free(state.boolmap);
>  	return retval;
> Index: trunk/libsepol/src/write.c
> ===================================================================
> --- trunk.orig/libsepol/src/write.c
> +++ trunk/libsepol/src/write.c
> @@ -1650,6 +1650,16 @@ int policydb_write(policydb_t * p, struc
>  		}
>  	}
>  
> +	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
> +	     p->policy_type == POLICY_KERN) ||
> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
> +	     p->policy_type == POLICY_BASE) ||
> +	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
> +	     p->policy_type == POLICY_MOD)) {
> +		if (ebitmap_write(&p->policycaps, fp) == -1)
> +			return POLICYDB_ERROR;
> +	}
> +
>  	if (p->policy_type == POLICY_KERN
>  	    && p->policyvers >= POLICYDB_VERSION_AVTAB) {
>  		for (i = 0; i < p->p_types.nprim; i++) {
> Index: trunk/libsepol/src/link.c
> ===================================================================
> --- trunk.orig/libsepol/src/link.c
> +++ trunk/libsepol/src/link.c
> @@ -2177,8 +2177,14 @@ int link_modules(sepol_handle_t * handle
>  		goto cleanup;
>  	}
>  
> -	/* copy all types, declared and required */
> +	/* copy all types, declared, required and polcaps */
>  	for (i = 0; i < len; i++) {
> +		ret = ebitmap_union(&state.base->policycaps,
> +				    &modules[i]->policy->policycaps);
> +		if (ret) {
> +			retval = ret;
> +			goto cleanup;
> +		}
>  		state.cur = modules[i];
>  		state.cur_mod_name = modules[i]->policy->name;
>  		ret =
> Index: trunk/checkpolicy/policy_scan.l
> ===================================================================
> --- trunk.orig/checkpolicy/policy_scan.l
> +++ trunk/checkpolicy/policy_scan.l
> @@ -201,6 +201,8 @@ h1 |
>  H1				{ return(H1); }
>  h2 |
>  H2				{ return(H2); }
> +policycap |
> +POLICYCAP			{ return(POLICYCAP);}
>  "/"({alnum}|[_.-/])*	        { return(PATH); }
>  {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
>  {digit}+                        { return(NUMBER); }
> Index: trunk/checkpolicy/policy_parse.y
> ===================================================================
> --- trunk.orig/checkpolicy/policy_parse.y
> +++ trunk/checkpolicy/policy_parse.y
> @@ -47,6 +47,7 @@
>  #include <sepol/policydb/conditional.h>
>  #include <sepol/policydb/flask.h>
>  #include <sepol/policydb/hierarchy.h>
> +#include <sepol/policydb/polcaps.h>
>  #include "queue.h"
>  #include "checkpolicy.h"
>  #include "module_compiler.h"
> @@ -198,6 +199,7 @@ typedef int (* require_func_t)();
>  %token IPV4_ADDR
>  %token IPV6_ADDR
>  %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
> +%token POLICYCAP
>  
>  %left OR
>  %left XOR
> @@ -323,6 +325,7 @@ te_decl			: attribute_def
>                          | transition_def
>                          | range_trans_def
>                          | te_avtab_def
> +			| policycap_def
>  			;
>  attribute_def           : ATTRIBUTE identifier ';'
>                          { if (define_attrib()) return -1;}
> @@ -765,6 +768,9 @@ number			: NUMBER 
>  ipv6_addr		: IPV6_ADDR
>  			{ if (insert_id(yytext,0)) return -1; }
>  			;
> +policycap_def		: POLICYCAP identifier ';'
> +			{if (define_polcap()) return -1;}
> +			;
>  
>  /*********** module grammar below ***********/
>  
> @@ -962,6 +968,44 @@ static int define_class(void)
>  	return -1;
>  }
>  
> +static int define_polcap(void)
> +{
> +	char *id = 0;
> +	int capnum;
> +
> +	if (pass == 2) {
> +		id = queue_remove(id_queue);
> +		free(id);
> +		return 0;
> +	}
> +
> +	id = (char *)queue_remove(id_queue);
> +	if (!id) {
> +		yyerror("no capability name for policycap definition?");
> +		goto bad;
> +	}
> +
> +	/* Check for valid cap name -> number mapping */
> +	capnum = sepol_polcap_getnum(id);
> +	if (capnum < 0) {
> +		yyerror2("invalid policy capability name %s", id);
> +		goto bad;
> +	}
> +
> +	/* Store it */
> +	if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
> +		yyerror("out of memory");
> +		goto bad;
> +	}
> +
> +	free(id);
> +	return 0;
> +
> +      bad:
> +	free(id);
> +	return -1;
> +}
> +
>  static int define_initial_sid(void)
>  {
>  	char *id = 0;
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* PATCH: peersid capability support
@ 2007-11-29 19:27 tmiller
  2007-11-29 21:24 ` Stephen Smalley
  2008-01-03 15:15 ` Václav Ovsík
  0 siblings, 2 replies; 34+ messages in thread
From: tmiller @ 2007-11-29 19:27 UTC (permalink / raw)
  To: selinux; +Cc: tmiller

This is a reworking of the peersid capability patch Joshua sent out
a few weeks ago.  This version additionally requires the explicit declaration
of capabilities in the policy.

I've used the same strings that Paul's kernel diff used (there is
currently just a single capability).

Note that capability declarations are not limited to base.conf /
policy.conf as we would like to eventually get rid of the base vs. module
distinction.

Signed-off-by: Todd C. Miller <tmiller@tresys.com>

--

Index: trunk/libsepol/include/sepol/policydb/polcaps.h
===================================================================
--- trunk.orig/libsepol/include/sepol/policydb/polcaps.h
+++ trunk/libsepol/include/sepol/policydb/polcaps.h
@@ -12,3 +12,17 @@ enum {
 extern int sepol_polcap_getnum(const char *name);
 
 #endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
+#ifndef _SEPOL_POLICYDB_POLCAPS_H_
+#define _SEPOL_POLICYDB_POLCAPS_H_
+
+/* Policy capabilities */
+enum {
+	POLICYDB_CAPABILITY_NETPEER,
+	__POLICYDB_CAPABILITY_MAX
+};
+#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+
+/* Convert a capability name to number. */
+extern int sepol_polcap_getnum(const char *name);
+
+#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
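Review bot: The hunk's context lines (`extern int sepol_polcap_getnum(const char *name);` and the closing `#endif`) show that the target tree already contains polcaps.h, and the added lines then append a second complete copy of the header after it; the polcaps.c hunk below has the same shape, and there the appended copy redefines `polcap_names` and `sepol_polcap_getnum`, which will not compile. Both diffs look as if they were generated against a tree that already carried the earlier version of these files rather than against pristine trunk, so they should be regenerated as new-file diffs (`--- /dev/null`). Independently, `__POLICYDB_CAPABILITY_MAX` carries a double-underscore prefix, which C reserves for the implementation; a spelling without the leading underscores avoids that.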
Index: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk.orig/libsepol/include/sepol/policydb/policydb.h
+++ trunk/libsepol/include/sepol/policydb/policydb.h
@@ -468,6 +468,8 @@ typedef struct policydb {
 
 	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
 
+	ebitmap_t policycaps;
+
 	unsigned policyvers;
 
 	unsigned handle_unknown;
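Review bot: The new `ebitmap_t policycaps;` field has no comment, although its neighbour `attr_type_map` documents whether it is saved in the binary policy and the new field's on-disk presence depends on the versions introduced in this same patch. Suggest `ebitmap_t policycaps;	/* saved from POLICYDB_VERSION_POLCAP / MOD_POLICYDB_VERSION_POLCAP on */` so readers of the struct know which policy images carry it.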
@@ -584,10 +586,11 @@ extern int policydb_write(struct policyd
 #define POLICYDB_VERSION_MLS		19
 #define POLICYDB_VERSION_AVTAB		20
 #define POLICYDB_VERSION_RANGETRANS	21
+#define POLICYDB_VERSION_POLCAP		22
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_POLCAP
 
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE	   4
@@ -595,9 +598,10 @@ extern int policydb_write(struct policyd
 #define MOD_POLICYDB_VERSION_MLS	   5
 #define MOD_POLICYDB_VERSION_RANGETRANS	   6
 #define MOD_POLICYDB_VERSION_MLS_USERS	   6
+#define MOD_POLICYDB_VERSION_POLCAP	   7
 
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_POLCAP
 
 #define POLICYDB_CONFIG_MLS    1
 
Index: trunk/libsepol/src/polcaps.c
===================================================================
--- trunk.orig/libsepol/src/polcaps.c
+++ trunk/libsepol/src/polcaps.c
@@ -22,3 +22,27 @@ int sepol_polcap_getnum(const char *name
 	}
 	return -1;
 }
+/*
+ * Policy capability support functions
+ */
+
+#include <string.h>
+#include <sepol/policydb/polcaps.h>
+
+static const char *polcap_names[] = {
+	"network_peer_controls",	/* POLICYDB_CAPABILITY_NETPEER */
+	NULL
+};
+
+int sepol_polcap_getnum(const char *name)
+{
+	int capnum;
+
+	for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) {
+		if (polcap_names[capnum] == NULL)
+			continue;
+		if (strcasecmp(polcap_names[capnum], name) == 0)
+			return capnum;
+	}
+	return -1;
+}
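Review bot: `strcasecmp()` is declared by POSIX in `<strings.h>`, but the hunk includes only `<string.h>`; on glibc this compiles because `<string.h>` pulls in `<strings.h>` under the default feature macros, so `#include <strings.h>` should be added to keep the lookup portable. The loop bound is `POLICYDB_CAPABILITY_MAX`, so with the current table the trailing `NULL` entry is never reached and the `continue` branch is unreachable; if gaps in the table are anticipated, a comment saying so (`/* NULL marks a capability number with no name */`) would explain why the skip is there. Case-insensitive matching of the capability name is a choice worth a one-line comment too, since the kernel-side string is given in lower case.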
Index: trunk/libsepol/src/policydb.c
===================================================================
--- trunk.orig/libsepol/src/policydb.c
+++ trunk/libsepol/src/policydb.c
@@ -99,6 +99,12 @@ static struct policydb_compat_info polic
 	 .ocon_num = OCON_NODE6 + 1,
 	 },
 	{
+	 .type = POLICY_KERN,
+	 .version = POLICYDB_VERSION_POLCAP,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 },
+	{
 	 .type = POLICY_BASE,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -117,6 +123,12 @@ static struct policydb_compat_info polic
 	 .ocon_num = OCON_NODE6 + 1,
 	 },
 	{
+	 .type = POLICY_BASE,
+	 .version = MOD_POLICYDB_VERSION_POLCAP,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 },
+	{
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -132,6 +144,12 @@ static struct policydb_compat_info polic
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_MLS_USERS,
 	 .sym_num = SYM_NUM,
+	 .ocon_num = 0
+	 },
+	{
+	 .type = POLICY_MOD,
+	 .version = MOD_POLICYDB_VERSION_POLCAP,
+	 .sym_num = SYM_NUM,
 	 .ocon_num = 0},
 };
 
@@ -447,6 +465,8 @@ int policydb_init(policydb_t * p)
 
 	memset(p, 0, sizeof(policydb_t));
 
+	ebitmap_init(&p->policycaps);
+
 	for (i = 0; i < SYM_NUM; i++) {
 		p->sym_val_to_name[i] = NULL;
 		rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
@@ -971,6 +991,8 @@ void policydb_destroy(policydb_t * p)
 	if (!p)
 		return;
 
+	ebitmap_destroy(&p->policycaps);
+
 	symtabs_destroy(p->symtab);
 
 	for (i = 0; i < SYM_NUM; i++) {
@@ -3194,6 +3216,16 @@ int policydb_read(policydb_t * p, struct
 		}
 	}
 
+	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_KERN) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_BASE) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_MOD)) {
+		if (ebitmap_read(&p->policycaps, fp))
+			goto bad;
+	}
+
 	if (policy_type == POLICY_KERN) {
 		p->type_attr_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
 		p->attr_type_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
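Review bot: The version test added here repeats the `MOD_POLICYDB_VERSION_POLCAP` comparison for `POLICY_BASE` and `POLICY_MOD`, and reads `p->policy_type` while the very next line uses the local `policy_type`; the identical block appears in the write.c hunk further down. Assuming those three are the only policy types, both can be folded to `if ((p->policy_type == POLICY_KERN && p->policyvers >= POLICYDB_VERSION_POLCAP) ||` / `    (p->policy_type != POLICY_KERN && p->policyvers >= MOD_POLICYDB_VERSION_POLCAP))`, which also keeps the read and write sides from drifting apart. Since this bitmap is parsed from an untrusted policy image, a comment stating that `ebitmap_read` is relied on for bounds validation would help; if it does not reject bits above `POLICYDB_CAPABILITY_MAX`, unknown capability numbers would be accepted silently here. `policydb_read`'s body begins outside the hunk.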
Index: trunk/libsepol/src/expand.c
===================================================================
--- trunk.orig/libsepol/src/expand.c
+++ trunk/libsepol/src/expand.c
@@ -2252,6 +2252,12 @@ int expand_module(sepol_handle_t * handl
 	out->mls = base->mls;
 	out->handle_unknown = base->handle_unknown;
 
+	/* Copy policy capabilities */
+	if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
+		ERR(handle, "Out of memory!");
+		goto cleanup;
+	}
+
 	if ((state.typemap =
 	     (uint32_t *) calloc(state.base->p_types.nprim,
 				 sizeof(uint32_t))) == NULL) {
@@ -2418,6 +2424,7 @@ int expand_module(sepol_handle_t * handl
 	retval = 0;
 
       cleanup:
+	ebitmap_destroy(&out->policycaps);
 	free(state.typemap);
 	free(state.boolmap);
 	return retval;
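Review bot: `ebitmap_destroy(&out->policycaps);` under the `cleanup:` label runs on the success path too — `retval = 0;` falls straight into the label — so the capabilities copied into `out` in the previous hunk are wiped before `expand_module` returns, and the expanded kernel policy never carries them. The patch already adds `ebitmap_destroy(&p->policycaps)` to `policydb_destroy`, which covers the failure path when the caller tears down `out`, so the line should simply be removed rather than guarded. `expand_module`'s body begins outside both hunks.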
Index: trunk/libsepol/src/write.c
===================================================================
--- trunk.orig/libsepol/src/write.c
+++ trunk/libsepol/src/write.c
@@ -1650,6 +1650,16 @@ int policydb_write(policydb_t * p, struc
 		}
 	}
 
+	if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_KERN) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_BASE) ||
+	    (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+	     p->policy_type == POLICY_MOD)) {
+		if (ebitmap_write(&p->policycaps, fp) == -1)
+			return POLICYDB_ERROR;
+	}
+
 	if (p->policy_type == POLICY_KERN
 	    && p->policyvers >= POLICYDB_VERSION_AVTAB) {
 		for (i = 0; i < p->p_types.nprim; i++) {
Index: trunk/libsepol/src/link.c
===================================================================
--- trunk.orig/libsepol/src/link.c
+++ trunk/libsepol/src/link.c
@@ -2177,8 +2177,14 @@ int link_modules(sepol_handle_t * handle
 		goto cleanup;
 	}
 
-	/* copy all types, declared and required */
+	/* copy all types, declared, required and polcaps */
 	for (i = 0; i < len; i++) {
+		ret = ebitmap_union(&state.base->policycaps,
+				    &modules[i]->policy->policycaps);
+		if (ret) {
+			retval = ret;
+			goto cleanup;
+		}
 		state.cur = modules[i];
 		state.cur_mod_name = modules[i]->policy->name;
 		ret =
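Review bot: The `ebitmap_union` at the top of the loop merges every module's policycaps into the base unconditionally, so any linked module can enable a kernel policy capability for the whole linked policy without the base declaring it; that is presumably intended, but it is a policy-wide behavioral switch and deserves an explicit comment where the union happens rather than only the amended `/* copy all types, declared, required and polcaps */`. Suggested: `/* A capability requested by any module is enabled policy-wide; there is no per-module opt-out. */`. The loop body and link_modules continue outside the hunk.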
Index: trunk/checkpolicy/policy_scan.l
===================================================================
--- trunk.orig/checkpolicy/policy_scan.l
+++ trunk/checkpolicy/policy_scan.l
@@ -201,6 +201,8 @@ h1 |
 H1				{ return(H1); }
 h2 |
 H2				{ return(H2); }
+policycap |
+POLICYCAP			{ return(POLICYCAP);}
 "/"({alnum}|[_.-/])*	        { return(PATH); }
 {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
 {digit}+                        { return(NUMBER); }
Index: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk.orig/checkpolicy/policy_parse.y
+++ trunk/checkpolicy/policy_parse.y
@@ -47,6 +47,7 @@
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/polcaps.h>
 #include "queue.h"
 #include "checkpolicy.h"
 #include "module_compiler.h"
@@ -198,6 +199,7 @@ typedef int (* require_func_t)();
 %token IPV4_ADDR
 %token IPV6_ADDR
 %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
+%token POLICYCAP
 
 %left OR
 %left XOR
@@ -323,6 +325,7 @@ te_decl			: attribute_def
                         | transition_def
                         | range_trans_def
                         | te_avtab_def
+			| policycap_def
 			;
 attribute_def           : ATTRIBUTE identifier ';'
                         { if (define_attrib()) return -1;}
@@ -765,6 +768,9 @@ number			: NUMBER 
 ipv6_addr		: IPV6_ADDR
 			{ if (insert_id(yytext,0)) return -1; }
 			;
+policycap_def		: POLICYCAP identifier ';'
+			{if (define_polcap()) return -1;}
+			;
 
 /*********** module grammar below ***********/
 
@@ -962,6 +968,44 @@ static int define_class(void)
 	return -1;
 }
 
+static int define_polcap(void)
+{
+	char *id = 0;
+	int capnum;
+
+	if (pass == 2) {
+		id = queue_remove(id_queue);
+		free(id);
+		return 0;
+	}
+
+	id = (char *)queue_remove(id_queue);
+	if (!id) {
+		yyerror("no capability name for policycap definition?");
+		goto bad;
+	}
+
+	/* Check for valid cap name -> number mapping */
+	capnum = sepol_polcap_getnum(id);
+	if (capnum < 0) {
+		yyerror2("invalid policy capability name %s", id);
+		goto bad;
+	}
+
+	/* Store it */
+	if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
+		yyerror("out of memory");
+		goto bad;
+	}
+
+	free(id);
+	return 0;
+
+      bad:
+	free(id);
+	return -1;
+}
+
 static int define_initial_sid(void)
 {
 	char *id = 0;
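Review bot: define_polcap has no header comment, and its two `queue_remove` calls are written inconsistently — the pass-2 call is uncast while the pass-1 call below carries a `(char *)` cast; dropping the cast makes both read the same. A one-line comment would orient readers: `/* Handle a "policycap <name>;" statement: pass 1 validates the name via sepol_polcap_getnum() and sets that bit in policydbp->policycaps; pass 2 only consumes the queued identifier. */`. Since the bit is set regardless of the policy type being compiled, it may also be worth noting in that comment that a module's policycap appears to take effect only once link_modules unions it into the base, as the link.c hunk suggests.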

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
