* [PATCH] Load the initial SIDs upon every policy load
@ 2010-02-03 17:59 Guido Trentalancia
2010-02-03 18:14 ` Stephen Smalley
0 siblings, 1 reply; 4+ messages in thread
From: Guido Trentalancia @ 2010-02-03 17:59 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux@tycho.nsa.gov ; Eric Paris, ; James Morris
Author: Guido Trentalancia <guido@trentalancia.com>
Date: Mon Feb 03 17:03:32 2010 +0100
Always load the initial SIDs, even in the case of a policy
reload and not just at the initial policy load. This comes
particularly handy after the introduction of a recent
patch for enabling runtime switching between different
policy types, although this patch is in theory independent
from that feature.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
security/selinux/ss/services.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- security-testing-2.6/security/selinux/ss/services.c 2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-isids/security/selinux/ss/services.c 2010-02-03 17:01:55.594310767 +0100
@@ -1506,7 +1506,10 @@ static int clone_sid(u32 sid,
{
struct sidtab *s = arg;
- return sidtab_insert(s, sid, context);
+ if (sid > SECINITSID_NUM)
+ return sidtab_insert(s, sid, context);
+ else
+ return 0;
}
static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1552,7 +1555,10 @@ static int convert_context(u32 key,
struct user_datum *usrdatum;
char *s;
u32 len;
- int rc;
+ int rc = 0;
+
+ if (key <= SECINITSID_NUM)
+ goto out;
args = p;
@@ -1712,9 +1718,11 @@ int security_load_policy(void *data, siz
if (policydb_read(&newpolicydb, fp))
return -EINVAL;
- if (sidtab_init(&newsidtab)) {
+ rc = policydb_load_isids(&newpolicydb, &newsidtab);
+ if (rc) {
+ printk(KERN_ERR "SELinux: unable to load the initial SIDs\n");
policydb_destroy(&newpolicydb);
- return -ENOMEM;
+ return rc;
}
if (selinux_set_mapping(&newpolicydb, secclass_map,
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] Load the initial SIDs upon every policy load
2010-02-03 17:59 [PATCH] Load the initial SIDs upon every policy load Guido Trentalancia
@ 2010-02-03 18:14 ` Stephen Smalley
0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2010-02-03 18:14 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: selinux, Eric Paris, James Morris
On Wed, 2010-02-03 at 12:59 -0500, Guido Trentalancia wrote:
> Author: Guido Trentalancia <guido@trentalancia.com>
> Date: Mon Feb 03 17:03:32 2010 +0100
>
> Always load the initial SIDs, even in the case of a policy
> reload and not just at the initial policy load. This comes
> particularly handy after the introduction of a recent
> patch for enabling runtime switching between different
> policy types, although this patch is in theory independent
> from that feature.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Note: This is a change in behavior for SELinux. Changes to the initial
SID contexts will take effect immediately upon policy reload, so e.g. ps
-eZ will show a difference if you switch from targeted to mls in Fedora,
ala:
setenforce 0
sed -e "/SELINUXTYPE/s/targeted/mls/" /etc/selinux/config > /etc/selinux/config.new
mv /etc/selinux/config.new /etc/selinux/config
ps -eZ | grep kthreadd
load_policy
ps -eZ | grep kthreadd
Previously the initial SID contexts would not have changed until the next reboot.
> ---
>
> security/selinux/ss/services.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> --- security-testing-2.6/security/selinux/ss/services.c 2010-01-29 02:02:47.742042805 +0100
> +++ security-testing-2.6-isids/security/selinux/ss/services.c 2010-02-03 17:01:55.594310767 +0100
> @@ -1506,7 +1506,10 @@ static int clone_sid(u32 sid,
> {
> struct sidtab *s = arg;
>
> - return sidtab_insert(s, sid, context);
> + if (sid > SECINITSID_NUM)
> + return sidtab_insert(s, sid, context);
> + else
> + return 0;
> }
>
> static inline int convert_context_handle_invalid_context(struct context *context)
> @@ -1552,7 +1555,10 @@ static int convert_context(u32 key,
> struct user_datum *usrdatum;
> char *s;
> u32 len;
> - int rc;
> + int rc = 0;
> +
> + if (key <= SECINITSID_NUM)
> + goto out;
>
> args = p;
>
> @@ -1712,9 +1718,11 @@ int security_load_policy(void *data, siz
> if (policydb_read(&newpolicydb, fp))
> return -EINVAL;
>
> - if (sidtab_init(&newsidtab)) {
> + rc = policydb_load_isids(&newpolicydb, &newsidtab);
> + if (rc) {
> + printk(KERN_ERR "SELinux: unable to load the initial SIDs\n");
> policydb_destroy(&newpolicydb);
> - return -ENOMEM;
> + return rc;
> }
>
> if (selinux_set_mapping(&newpolicydb, secclass_map,
>
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] Load the initial SIDs upon every policy load
@ 2010-02-02 22:36 Guido Trentalancia
2010-02-03 15:58 ` Stephen Smalley
0 siblings, 1 reply; 4+ messages in thread
From: Guido Trentalancia @ 2010-02-02 22:36 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 1865 bytes --]
Stephen,
attached please find the tiny patch for always loading the initial SIDs.
Should I say "for review" ? It relies on SECINITSID_NUM which at the
moment is statically defined in flask.h (and represents the maximum
initial SID).
Author: Guido Trentalancia <guido@trentalancia.com>
Date: Mon Feb 02 22:11:05 2010 +0100
Always load the initial SIDs, even in the case of a policy
reload and not just at the initial policy load. This comes
particularly handy after the introduction of a recent
patch for enabling runtime switching between different
policy types, although this patch is in theory independent
from that feature.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
security/selinux/ss/services.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- security-testing-2.6/security/selinux/ss/services.c 2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-isids/security/selinux/ss/services.c 2010-02-02 22:09:47.809993219 +0100
@@ -1506,7 +1506,10 @@ static int clone_sid(u32 sid,
{
struct sidtab *s = arg;
- return sidtab_insert(s, sid, context);
+ if (sid > SECINITSID_NUM)
+ return sidtab_insert(s, sid, context);
+ else
+ return 0;
}
static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1552,7 +1555,10 @@ static int convert_context(u32 key,
struct user_datum *usrdatum;
char *s;
u32 len;
- int rc;
+ int rc = 0;
+
+ if (key <= SECINITSID_NUM)
+ goto out;
args = p;
@@ -1712,9 +1718,9 @@ int security_load_policy(void *data, siz
if (policydb_read(&newpolicydb, fp))
return -EINVAL;
- if (sidtab_init(&newsidtab)) {
+ if (policydb_load_isids(&newpolicydb, &newsidtab)) {
policydb_destroy(&newpolicydb);
- return -ENOMEM;
+ return -EINVAL;
}
if (selinux_set_mapping(&newpolicydb, secclass_map,
[-- Attachment #2: always_load_initial_sids.patch --]
[-- Type: text/x-patch, Size: 1629 bytes --]
Author: Guido Trentalancia <guido@trentalancia.com>
Date: Mon Feb 02 22:11:05 2010 +0100
Always load the initial SIDs, even in the case of a policy
reload and not just at the initial policy load. This comes
particularly handy after the introduction of a recent
patch for enabling runtime switching between different
policy types, although this patch is in theory independent
from that feature.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
security/selinux/ss/services.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- security-testing-2.6/security/selinux/ss/services.c 2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-isids/security/selinux/ss/services.c 2010-02-02 22:09:47.809993219 +0100
@@ -1506,7 +1506,10 @@ static int clone_sid(u32 sid,
{
struct sidtab *s = arg;
- return sidtab_insert(s, sid, context);
+ if (sid > SECINITSID_NUM)
+ return sidtab_insert(s, sid, context);
+ else
+ return 0;
}
static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1552,7 +1555,10 @@ static int convert_context(u32 key,
struct user_datum *usrdatum;
char *s;
u32 len;
- int rc;
+ int rc = 0;
+
+ if (key <= SECINITSID_NUM)
+ goto out;
args = p;
@@ -1712,9 +1718,9 @@ int security_load_policy(void *data, siz
if (policydb_read(&newpolicydb, fp))
return -EINVAL;
- if (sidtab_init(&newsidtab)) {
+ if (policydb_load_isids(&newpolicydb, &newsidtab)) {
policydb_destroy(&newpolicydb);
- return -ENOMEM;
+ return -EINVAL;
}
if (selinux_set_mapping(&newpolicydb, secclass_map,
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] Load the initial SIDs upon every policy load
2010-02-02 22:36 Guido Trentalancia
@ 2010-02-03 15:58 ` Stephen Smalley
0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2010-02-03 15:58 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: selinux
On Tue, 2010-02-02 at 23:36 +0100, Guido Trentalancia wrote:
> Stephen,
>
> attached please find the tiny patch for always loading the initial SIDs.
> Should I say "for review" ? It relies on SECINITSID_NUM which at the
> moment is statically defined in flask.h (and represents the maximum
> initial SID).
Normally you'd put [RFC] in the Subject line to indicate for review
only, not for committing yet. No big deal though.
>
> Author: Guido Trentalancia <guido@trentalancia.com>
> Date: Mon Feb 02 22:11:05 2010 +0100
>
> Always load the initial SIDs, even in the case of a policy
> reload and not just at the initial policy load. This comes
> particularly handy after the introduction of a recent
> patch for enabling runtime switching between different
> policy types, although this patch is in theory independent
> from that feature.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
>
> ---
>
> security/selinux/ss/services.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> --- security-testing-2.6/security/selinux/ss/services.c 2010-01-29 02:02:47.742042805 +0100
> +++ security-testing-2.6-isids/security/selinux/ss/services.c 2010-02-02 22:09:47.809993219 +0100
> @@ -1712,9 +1718,9 @@ int security_load_policy(void *data, siz
> if (policydb_read(&newpolicydb, fp))
> return -EINVAL;
>
> - if (sidtab_init(&newsidtab)) {
> + if (policydb_load_isids(&newpolicydb, &newsidtab)) {
> policydb_destroy(&newpolicydb);
> - return -ENOMEM;
> + return -EINVAL;
> }
>
> if (selinux_set_mapping(&newpolicydb, secclass_map,
One minor nit: Given that policydb_load_isids() may fail with either
ENOMEM (sidtab_init failure) or EINVAL, you need to save the return code
from it and return that instead of always returning EINVAL.
Otherwise, looks good - have you tested it?
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2010-02-03 18:14 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-02-03 17:59 [PATCH] Load the initial SIDs upon every policy load Guido Trentalancia
2010-02-03 18:14 ` Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2010-02-02 22:36 Guido Trentalancia
2010-02-03 15:58 ` Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.