* [PATCH 0/2] show checkreqprot status in sestatus
@ 2017-04-12 22:00 Christian Göttsche
2017-04-12 22:00 ` [PATCH 1/2] libselinux: add security_checkreqprot Christian Göttsche
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Christian Göttsche @ 2017-04-12 22:00 UTC (permalink / raw)
To: selinux
From: cgzones <cgzones@googlemail.com>
V2
added O_CLOEXEC to open()
cgzones (2):
libselinux: add security_checkreqprot
sestatus: show checkreqprot status
libselinux/include/selinux/selinux.h | 3 +++
libselinux/man/man3/security_getenforce.3 | 8 ++++++-
libselinux/man/man3/selinux_status_open.3 | 11 +++++++--
libselinux/src/checkreqprot.c | 40 +++++++++++++++++++++++++++++++
libselinux/src/selinux_internal.h | 1 +
policycoreutils/sestatus/sestatus.c | 14 +++++++++++
6 files changed, 74 insertions(+), 3 deletions(-)
create mode 100644 libselinux/src/checkreqprot.c
--
2.11.0
* [PATCH 1/2] libselinux: add security_checkreqprot
2017-04-12 22:00 [PATCH 0/2] show checkreqprot status in sestatus Christian Göttsche
@ 2017-04-12 22:00 ` Christian Göttsche
2017-04-13 17:16 ` Stephen Smalley
2017-04-12 22:00 ` [PATCH 2/2] sestatus: show checkreqprot status Christian Göttsche
2017-04-12 22:02 ` [PATCH 0/2] show checkreqprot status in sestatus Christian Göttsche
2 siblings, 1 reply; 10+ messages in thread
From: Christian Göttsche @ 2017-04-12 22:00 UTC (permalink / raw)
To: selinux
From: cgzones <cgzones@googlemail.com>
Add security_checkreqprot() function, returning the current active
checkreqprot value
---
libselinux/include/selinux/selinux.h | 3 +++
libselinux/man/man3/security_getenforce.3 | 8 ++++++-
libselinux/man/man3/selinux_status_open.3 | 11 +++++++--
libselinux/src/checkreqprot.c | 40 +++++++++++++++++++++++++++++++
libselinux/src/selinux_internal.h | 1 +
5 files changed, 60 insertions(+), 3 deletions(-)
create mode 100644 libselinux/src/checkreqprot.c
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 45dd6ca5..938393f6 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -331,6 +331,9 @@ extern int security_setenforce(int value);
/* Get the behavior for undefined classes/permissions */
extern int security_deny_unknown(void);
+/* Get the checkreqprot value */
+extern int security_checkreqprot(void);
+
/* Disable SELinux at runtime (must be done prior to initial policy load). */
extern int security_disable(void);
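Review bot: The comment on the new `security_checkreqprot()` declaration does not say what the return values mean, so a caller reading only the header cannot tell which value corresponds to which checking mode. Spell it out the way the man page hunk in this patch does: `/* Get the checkreqprot value: 0 = check the protection applied by the kernel, 1 = check the protection requested by the application, -1 on error */`.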
diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3
index 7658014a..e27b6c80 100644
--- a/libselinux/man/man3/security_getenforce.3
+++ b/libselinux/man/man3/security_getenforce.3
@@ -1,6 +1,6 @@
.TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
-security_getenforce, security_setenforce, security_deny_unknown \- get or set the enforcing state of SELinux
+security_getenforce, security_setenforce, security_deny_unknown security_checkreqprot\- get or set the enforcing state of SELinux
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
@@ -10,6 +10,8 @@ security_getenforce, security_setenforce, security_deny_unknown \- get or set th
.BI "int security_setenforce(int "value );
.sp
.B int security_deny_unknown(void);
+.sp
+.B int security_checkreqprot(void);
.
.SH "DESCRIPTION"
.BR security_getenforce ()
@@ -24,6 +26,10 @@ returned.
.BR security_deny_unknown ()
returns 0 if SELinux treats policy queries on undefined object classes or
permissions as being allowed, 1 if such queries are denied, and \-1 on error.
+
+.BR security_checkreqprot ()
+returns 0 if SELinux checks the protection applied by the kernel, 1 if SELinux
+checks the protection requested by the application, and \-1 on error.
.
.SH "SEE ALSO"
.BR selinux "(8)"
diff --git a/libselinux/man/man3/selinux_status_open.3 b/libselinux/man/man3/selinux_status_open.3
index 2d44be57..e70ab014 100644
--- a/libselinux/man/man3/selinux_status_open.3
+++ b/libselinux/man/man3/selinux_status_open.3
@@ -1,8 +1,9 @@
.TH "selinux_status_open" "3" "22 January 2011" "kaigai@ak.jp.nec.com" "SELinux API documentation"
.SH "NAME"
selinux_status_open, selinux_status_close, selinux_status_updated,
-selinux_status_getenforce, selinux_status_policyload and
-selinux_status_deny_unknown \- reference the SELinux kernel status
+selinux_status_getenforce, selinux_status_policyload,
+selinux_status_deny_unknown and security_checkreqprot \- reference
+the SELinux kernel status
without invocation of system calls
.
.SH "SYNOPSIS"
@@ -19,6 +20,8 @@ without invocation of system calls
.BI "int selinux_status_policyload(void);"
.sp
.BI "int selinux_status_deny_unknown(void);"
+.sp
+.BI "int security_checkreqprot(void);"
.
.SH "DESCRIPTION"
Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
@@ -78,6 +81,10 @@ Thus, don't use this value to know actual times of policy reloaded.
returns 0 if SELinux treats policy queries on undefined object classes or
permissions as being allowed, 1 if such queries are denied, or \-1 on error.
.sp
+.BR security_checkreqprot ()
+returns 0 if SELinux checks the protection applied by the kernel, 1 if SELinux
+checks the protection requested by the application, and \-1 on error.
+.sp
Also note that these interfaces are not thread-safe, so you have to protect
them from concurrent calls using exclusive locks when multiple threads are
performing.
diff --git a/libselinux/src/checkreqprot.c b/libselinux/src/checkreqprot.c
new file mode 100644
index 00000000..009a0ff0
--- /dev/null
+++ b/libselinux/src/checkreqprot.c
@@ -0,0 +1,40 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include <stdio.h>
+#include <limits.h>
+
+int security_checkreqprot(void)
+{
+ int fd, ret, checkreqprot = 0;
+ char path[PATH_MAX];
+ char buf[20];
+
+ if (!selinux_mnt) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ snprintf(path, sizeof(path), "%s/checkreqprot", selinux_mnt);
+ fd = open(path, O_RDONLY | O_CLOEXEC);
+ if (fd < 0)
+ return -1;
+
+ memset(buf, 0, sizeof(buf));
+ ret = read(fd, buf, sizeof(buf) - 1);
+ close(fd);
+ if (ret < 0)
+ return -1;
+
+ if (sscanf(buf, "%d", &checkreqprot) != 1)
+ return -1;
+
+ return checkreqprot;
+}
+
+hidden_def(security_checkreqprot);
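Review bot: The parse-failure path in `security_checkreqprot()` returns -1 without setting errno, so when `read()` returns 0 bytes or the file content is not a number, the caller sees -1 together with whatever errno was left by an earlier call. The sestatus hunk in patch 2/2 prints `strerror(errno)` on exactly that path, which can produce a misleading message for a security-relevant setting. Set it explicitly, e.g. `if (sscanf(buf, "%d", &checkreqprot) != 1) { errno = EINVAL; return -1; }`. The `snprintf` result is also unchecked, so a `selinux_mnt` long enough to truncate `path` would silently open a different name; comparing the return value against `sizeof(path)` and failing would close that.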
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 3d5c9fb4..e4650c92 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -59,6 +59,7 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(security_getenforce)
hidden_proto(security_setenforce)
hidden_proto(security_deny_unknown)
+ hidden_proto(security_checkreqprot)
hidden_proto(selinux_boolean_sub)
hidden_proto(selinux_current_policy_path)
hidden_proto(selinux_binary_policy_path)
--
2.11.0
* [PATCH 2/2] sestatus: show checkreqprot status
2017-04-12 22:00 [PATCH 0/2] show checkreqprot status in sestatus Christian Göttsche
2017-04-12 22:00 ` [PATCH 1/2] libselinux: add security_checkreqprot Christian Göttsche
@ 2017-04-12 22:00 ` Christian Göttsche
2017-04-13 17:35 ` Stephen Smalley
2017-04-12 22:02 ` [PATCH 0/2] show checkreqprot status in sestatus Christian Göttsche
2 siblings, 1 reply; 10+ messages in thread
From: Christian Göttsche @ 2017-04-12 22:00 UTC (permalink / raw)
To: selinux
From: cgzones <cgzones@googlemail.com>
Show the current active checkreqprot state in sestatus
---
policycoreutils/sestatus/sestatus.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/policycoreutils/sestatus/sestatus.c b/policycoreutils/sestatus/sestatus.c
index 2111b15d..f9ed5b66 100644
--- a/policycoreutils/sestatus/sestatus.c
+++ b/policycoreutils/sestatus/sestatus.c
@@ -330,6 +330,20 @@ int main(int argc, char **argv)
break;
}
+ printf_tab("Policy checkreqprot status:");
+ rc = security_checkreqprot();
+ switch (rc) {
+ case 0:
+ printf("kernel\n");
+ break;
+ case 1:
+ printf("application\n");
+ break;
+ default:
+ printf("error (%s)\n", strerror(errno));
+ break;
+ }
+
rc = security_policyvers();
printf_tab("Max kernel policy version:");
if (rc < 0)
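Review bot: The `default:` branch reports every value other than 0 and 1 as an errno-backed error, but `security_checkreqprot()` in patch 1/2 returns whatever integer it parsed, so an unexpected non-negative value would print `strerror(errno)` left over from an unrelated earlier call. Distinguish the two cases, e.g. `default: if (rc < 0) printf("error (%s)\n", strerror(errno)); else printf("unknown (%d)\n", rc); break;`. main() starts and ends outside this hunk.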
--
2.11.0
* Re: [PATCH 0/2] show checkreqprot status in sestatus
2017-04-12 22:00 [PATCH 0/2] show checkreqprot status in sestatus Christian Göttsche
2017-04-12 22:00 ` [PATCH 1/2] libselinux: add security_checkreqprot Christian Göttsche
2017-04-12 22:00 ` [PATCH 2/2] sestatus: show checkreqprot status Christian Göttsche
@ 2017-04-12 22:02 ` Christian Göttsche
2 siblings, 0 replies; 10+ messages in thread
From: Christian Göttsche @ 2017-04-12 22:02 UTC (permalink / raw)
To: selinux
How do I avoid having to permit *less secure apps* in gmail and still be
able to use git send-email?
2017-04-13 0:00 GMT+02:00 Christian Göttsche <cgzones@googlemail.com>:
> From: cgzones <cgzones@googlemail.com>
>
> V2
> added O_CLOEXEC to open()
>
> cgzones (2):
> libselinux: add security_checkreqprot
> sestatus: show checkreqprot status
>
> libselinux/include/selinux/selinux.h | 3 +++
> libselinux/man/man3/security_getenforce.3 | 8 ++++++-
> libselinux/man/man3/selinux_status_open.3 | 11 +++++++--
> libselinux/src/checkreqprot.c | 40 +++++++++++++++++++++++++++++++
> libselinux/src/selinux_internal.h | 1 +
> policycoreutils/sestatus/sestatus.c | 14 +++++++++++
> 6 files changed, 74 insertions(+), 3 deletions(-)
> create mode 100644 libselinux/src/checkreqprot.c
>
> --
> 2.11.0
>
* Re: [PATCH 1/2] libselinux: add security_checkreqprot
2017-04-12 22:00 ` [PATCH 1/2] libselinux: add security_checkreqprot Christian Göttsche
@ 2017-04-13 17:16 ` Stephen Smalley
0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2017-04-13 17:16 UTC (permalink / raw)
To: Christian Göttsche, selinux
On Thu, 2017-04-13 at 00:00 +0200, Christian Göttsche wrote:
> From: cgzones <cgzones@googlemail.com>
>
> Add security_checkreqprot() function, returning the current active
> checkreqprot value
> ---
> libselinux/include/selinux/selinux.h | 3 +++
> libselinux/man/man3/security_getenforce.3 | 8 ++++++-
> libselinux/man/man3/selinux_status_open.3 | 11 +++++++--
> libselinux/src/checkreqprot.c | 40
> +++++++++++++++++++++++++++++++
> libselinux/src/selinux_internal.h | 1 +
> 5 files changed, 60 insertions(+), 3 deletions(-)
> create mode 100644 libselinux/src/checkreqprot.c
>
> diff --git a/libselinux/include/selinux/selinux.h
> b/libselinux/include/selinux/selinux.h
> index 45dd6ca5..938393f6 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -331,6 +331,9 @@ extern int security_setenforce(int value);
> /* Get the behavior for undefined classes/permissions */
> extern int security_deny_unknown(void);
>
> +/* Get the checkreqprot value */
> +extern int security_checkreqprot(void);
Technically, this can be get or set, like enforce, if allowed by
policy.
Don't know if we want to have getcheckreqprot/setcheckreqprot
interfaces.
> +
> /* Disable SELinux at runtime (must be done prior to initial policy
> load). */
> extern int security_disable(void);
>
> diff --git a/libselinux/man/man3/security_getenforce.3
> b/libselinux/man/man3/security_getenforce.3
> index 7658014a..e27b6c80 100644
> --- a/libselinux/man/man3/security_getenforce.3
> +++ b/libselinux/man/man3/security_getenforce.3
> @@ -1,6 +1,6 @@
> .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au
> " "SELinux API documentation"
> .SH "NAME"
> -security_getenforce, security_setenforce, security_deny_unknown \-
> get or set the enforcing state of SELinux
> +security_getenforce, security_setenforce, security_deny_unknown
> security_checkreqprot\- get or set the enforcing state of SELinux
> .
> .SH "SYNOPSIS"
> .B #include <selinux/selinux.h>
> @@ -10,6 +10,8 @@ security_getenforce, security_setenforce,
> security_deny_unknown \- get or set th
> .BI "int security_setenforce(int "value );
> .sp
> .B int security_deny_unknown(void);
> +.sp
> +.B int security_checkreqprot(void);
> .
> .SH "DESCRIPTION"
> .BR security_getenforce ()
> @@ -24,6 +26,10 @@ returned.
> .BR security_deny_unknown ()
> returns 0 if SELinux treats policy queries on undefined object
> classes or
> permissions as being allowed, 1 if such queries are denied, and \-1
> on error.
> +
> +.BR security_checkreqprot ()
> +returns 0 if SELinux checks the protection applied by the kernel, 1
> if SELinux
> +checks the protection requested by the application, and \-1 on
> error.
on mmap and mprotect calls
> .
> .SH "SEE ALSO"
> .BR selinux "(8)"
> diff --git a/libselinux/man/man3/selinux_status_open.3
> b/libselinux/man/man3/selinux_status_open.3
> index 2d44be57..e70ab014 100644
> --- a/libselinux/man/man3/selinux_status_open.3
> +++ b/libselinux/man/man3/selinux_status_open.3
> @@ -1,8 +1,9 @@
> .TH "selinux_status_open" "3" "22 January 2011" "kaigai@ak.jp.nec.co
> m" "SELinux API documentation"
> .SH "NAME"
> selinux_status_open, selinux_status_close, selinux_status_updated,
> -selinux_status_getenforce, selinux_status_policyload and
> -selinux_status_deny_unknown \- reference the SELinux kernel status
> +selinux_status_getenforce, selinux_status_policyload,
> +selinux_status_deny_unknown and security_checkreqprot \- reference
> +the SELinux kernel status
security_checkreqprot() doesn't belong here; these calls are for the
SELinux kernel status page exported via /sys/fs/selinux/status that
allow userspace to check this information without having to perform a
system call (once the shared page is mapped). If we were to add
checkreqprot to the status page, then there would be a separate
selinux_status_checkreqprot() call to access that value, but that
requires a kernel change and a new version for the structure.
> without invocation of system calls
> .
> .SH "SYNOPSIS"
> @@ -19,6 +20,8 @@ without invocation of system calls
> .BI "int selinux_status_policyload(void);"
> .sp
> .BI "int selinux_status_deny_unknown(void);"
> +.sp
> +.BI "int security_checkreqprot(void);"
> .
> .SH "DESCRIPTION"
> Linux 2.6.37 or later provides a SELinux kernel status page; being
> mostly
> @@ -78,6 +81,10 @@ Thus, don't use this value to know actual times of
> policy reloaded.
> returns 0 if SELinux treats policy queries on undefined object
> classes or
> permissions as being allowed, 1 if such queries are denied, or \-1
> on error.
> .sp
> +.BR security_checkreqprot ()
> +returns 0 if SELinux checks the protection applied by the kernel, 1
> if SELinux
> +checks the protection requested by the application, and \-1 on
> error.
> +.sp
> Also note that these interfaces are not thread-safe, so you have to
> protect
> them from concurrent calls using exclusive locks when multiple
> threads are
> performing.
> diff --git a/libselinux/src/checkreqprot.c
> b/libselinux/src/checkreqprot.c
> new file mode 100644
> index 00000000..009a0ff0
> --- /dev/null
> +++ b/libselinux/src/checkreqprot.c
> @@ -0,0 +1,40 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +#include <stdlib.h>
> +#include <errno.h>
> +#include <string.h>
> +#include "selinux_internal.h"
> +#include "policy.h"
> +#include <stdio.h>
> +#include <limits.h>
> +
> +int security_checkreqprot(void)
> +{
> + int fd, ret, checkreqprot = 0;
> + char path[PATH_MAX];
> + char buf[20];
> +
> + if (!selinux_mnt) {
> + errno = ENOENT;
> + return -1;
> + }
> +
> + snprintf(path, sizeof(path), "%s/checkreqprot",
> selinux_mnt);
> + fd = open(path, O_RDONLY | O_CLOEXEC);
> + if (fd < 0)
> + return -1;
> +
> + memset(buf, 0, sizeof(buf));
> + ret = read(fd, buf, sizeof(buf) - 1);
> + close(fd);
> + if (ret < 0)
> + return -1;
> +
> + if (sscanf(buf, "%d", &checkreqprot) != 1)
> + return -1;
> +
> + return checkreqprot;
> +}
> +
> +hidden_def(security_checkreqprot);
> diff --git a/libselinux/src/selinux_internal.h
> b/libselinux/src/selinux_internal.h
> index 3d5c9fb4..e4650c92 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -59,6 +59,7 @@ hidden_proto(selinux_mkload_policy)
> hidden_proto(security_getenforce)
> hidden_proto(security_setenforce)
> hidden_proto(security_deny_unknown)
> + hidden_proto(security_checkreqprot)
> hidden_proto(selinux_boolean_sub)
> hidden_proto(selinux_current_policy_path)
> hidden_proto(selinux_binary_policy_path)
* Re: [PATCH 2/2] sestatus: show checkreqprot status
2017-04-12 22:00 ` [PATCH 2/2] sestatus: show checkreqprot status Christian Göttsche
@ 2017-04-13 17:35 ` Stephen Smalley
0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2017-04-13 17:35 UTC (permalink / raw)
To: Christian Göttsche, selinux
On Thu, 2017-04-13 at 00:00 +0200, Christian Göttsche wrote:
> From: cgzones <cgzones@googlemail.com>
>
> Show the current active checkreqprot state in sestatus
> ---
> policycoreutils/sestatus/sestatus.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/policycoreutils/sestatus/sestatus.c
> b/policycoreutils/sestatus/sestatus.c
> index 2111b15d..f9ed5b66 100644
> --- a/policycoreutils/sestatus/sestatus.c
> +++ b/policycoreutils/sestatus/sestatus.c
> @@ -330,6 +330,20 @@ int main(int argc, char **argv)
> break;
> }
>
> + printf_tab("Policy checkreqprot status:");
checkreqprot isn't defined by the policy (like Current mode/enforcing),
so it isn't really the "Policy checkreqprot status", unlike MLS or
deny_unknown. It is more like Current mode (i.e. enforcing).
> + rc = security_checkreqprot();
> + switch (rc) {
> + case 0:
> + printf("kernel\n");
> + break;
> + case 1:
> + printf("application\n");
> + break;
> + default:
> + printf("error (%s)\n", strerror(errno));
> + break;
> + }
> +
Trying to think how understandable and meaningful this would be to a
user. Possible alternatives:
Check requested protection: false/true
Memory protection checking: actual/requested
Or if we want to convey a value judgment on preferred settings:
Memory protection checking: secure/insecure
Open to discussion on it, just not sure that
checkreqprot status: kernel/application
will make sense to users.
> rc = security_policyvers();
> printf_tab("Max kernel policy version:");
> if (rc < 0)
* Re: [PATCH 1/2] libselinux: add security_checkreqprot
2017-04-12 15:49 ` Nick Kralevich
@ 2017-04-12 20:01 ` Stephen Smalley
0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2017-04-12 20:01 UTC (permalink / raw)
To: Nick Kralevich, Christian Göttsche; +Cc: selinux
On Wed, 2017-04-12 at 08:49 -0700, Nick Kralevich wrote:
> On Wed, Apr 12, 2017 at 6:41 AM, Christian Göttsche
> <cgzones@googlemail.com> wrote:
> > Add security_checkreqprot() function, returning the current active
> > checkreqprot value
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > ---
> > libselinux/include/selinux/selinux.h | 3 +++
> > libselinux/man/man3/security_getenforce.3 | 8 ++++++-
> > libselinux/man/man3/selinux_status_open.3 | 11 +++++++--
> > libselinux/src/checkreqprot.c | 40
> > +++++++++++++++++++++++++++++++
> > libselinux/src/selinux_internal.h | 1 +
> > 5 files changed, 60 insertions(+), 3 deletions(-)
> > create mode 100644 libselinux/src/checkreqprot.c
> >
> > diff --git a/libselinux/include/selinux/selinux.h
> > b/libselinux/include/selinux/selinux.h
> > index 45dd6ca5..938393f6 100644
> > --- a/libselinux/include/selinux/selinux.h
> > +++ b/libselinux/include/selinux/selinux.h
> > @@ -331,6 +331,9 @@ extern int security_setenforce(int value);
> > /* Get the behavior for undefined classes/permissions */
> > extern int security_deny_unknown(void);
> >
> > +/* Get the checkreqprot value */
> > +extern int security_checkreqprot(void);
> > +
> > /* Disable SELinux at runtime (must be done prior to initial
> > policy load). */
> > extern int security_disable(void);
> >
> > diff --git a/libselinux/man/man3/security_getenforce.3
> > b/libselinux/man/man3/security_getenforce.3
> > index 7658014a..e27b6c80 100644
> > --- a/libselinux/man/man3/security_getenforce.3
> > +++ b/libselinux/man/man3/security_getenforce.3
> > @@ -1,6 +1,6 @@
> > .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.
> > au"
> > "SELinux API documentation"
> > .SH "NAME"
> > -security_getenforce, security_setenforce, security_deny_unknown \-
> > get or set the enforcing state of SELinux
> > +security_getenforce, security_setenforce, security_deny_unknown
> > security_checkreqprot\- get or set the enforcing state of SELinux
> > .
> > .SH "SYNOPSIS"
> > .B #include <selinux/selinux.h>
> > @@ -10,6 +10,8 @@ security_getenforce, security_setenforce,
> > security_deny_unknown \- get or set th
> > .BI "int security_setenforce(int "value );
> > .sp
> > .B int security_deny_unknown(void);
> > +.sp
> > +.B int security_checkreqprot(void);
> > .
> > .SH "DESCRIPTION"
> > .BR security_getenforce ()
> > @@ -24,6 +26,10 @@ returned.
> > .BR security_deny_unknown ()
> > returns 0 if SELinux treats policy queries on undefined object
> > classes or
> > permissions as being allowed, 1 if such queries are denied, and \-
> > 1 on error.
> > +
> > +.BR security_checkreqprot ()
> > +returns 0 if SELinux checks the protection applied by the kernel,
> > 1 if SELinux
> > +checks the protection requested by the application, and \-1 on
> > error.
> > .
> > .SH "SEE ALSO"
> > .BR selinux "(8)"
> > diff --git a/libselinux/man/man3/selinux_status_open.3
> > b/libselinux/man/man3/selinux_status_open.3
> > index 2d44be57..e70ab014 100644
> > --- a/libselinux/man/man3/selinux_status_open.3
> > +++ b/libselinux/man/man3/selinux_status_open.3
> > @@ -1,8 +1,9 @@
> > .TH "selinux_status_open" "3" "22 January 2011"
> > "kaigai@ak.jp.nec.com" "SELinux API documentation"
> > .SH "NAME"
> > selinux_status_open, selinux_status_close, selinux_status_updated,
> > -selinux_status_getenforce, selinux_status_policyload and
> > -selinux_status_deny_unknown \- reference the SELinux kernel status
> > +selinux_status_getenforce, selinux_status_policyload,
> > +selinux_status_deny_unknown and security_checkreqprot \- reference
> > +the SELinux kernel status
> > without invocation of system calls
> > .
> > .SH "SYNOPSIS"
> > @@ -19,6 +20,8 @@ without invocation of system calls
> > .BI "int selinux_status_policyload(void);"
> > .sp
> > .BI "int selinux_status_deny_unknown(void);"
> > +.sp
> > +.BI "int security_checkreqprot(void);"
> > .
> > .SH "DESCRIPTION"
> > Linux 2.6.37 or later provides a SELinux kernel status page; being
> > mostly
> > @@ -78,6 +81,10 @@ Thus, don't use this value to know actual times
> > of
> > policy reloaded.
> > returns 0 if SELinux treats policy queries on undefined object
> > classes or
> > permissions as being allowed, 1 if such queries are denied, or \-1
> > on error.
> > .sp
> > +.BR security_checkreqprot ()
> > +returns 0 if SELinux checks the protection applied by the kernel,
> > 1 if SELinux
> > +checks the protection requested by the application, and \-1 on
> > error.
> > +.sp
> > Also note that these interfaces are not thread-safe, so you have
> > to protect
> > them from concurrent calls using exclusive locks when multiple
> > threads are
> > performing.
> > diff --git a/libselinux/src/checkreqprot.c
> > b/libselinux/src/checkreqprot.c
> > new file mode 100644
> > index 00000000..38f3bebb
> > --- /dev/null
> > +++ b/libselinux/src/checkreqprot.c
> > @@ -0,0 +1,40 @@
> > +#include <unistd.h>
> > +#include <sys/types.h>
> > +#include <fcntl.h>
> > +#include <stdlib.h>
> > +#include <errno.h>
> > +#include <string.h>
> > +#include "selinux_internal.h"
> > +#include "policy.h"
> > +#include <stdio.h>
> > +#include <limits.h>
> > +
> > +int security_checkreqprot(void)
> > +{
> > + int fd, ret, checkreqprot = 0;
> > + char path[PATH_MAX];
> > + char buf[20];
> > +
> > + if (!selinux_mnt) {
> > + errno = ENOENT;
> > + return -1;
> > + }
> > +
> > + snprintf(path, sizeof(path), "%s/checkreqprot", selinux_mnt);
> > + fd = open(path, O_RDONLY);
>
> Please use O_CLOEXEC above.
>
> > + if (fd < 0)
> > + return -1;
> > +
> > + memset(buf, 0, sizeof(buf));
> > + ret = read(fd, buf, sizeof(buf) - 1);
>
> Please surround read() calls by TEMP_FAILURE_RETRY
>
> ret = TEMP_FAILURE_RETRY(read(fd, buf, sizeof(buf) - 1));
Not sure that's necessary.
http://man7.org/linux/man-pages/man7/signal.7.html says:
If a blocked call to one of the following interfaces is interrupted
by a signal handler, then the call will be automatically restarted
after the signal handler returns if the SA_RESTART flag was used;
otherwise the call will fail with the error EINTR:
* read(2), readv(2), write(2), writev(2), and ioctl(2) calls on
"slow" devices. A "slow" device is one where the I/O call may
block for an indefinite time, for example, a terminal, pipe, or
socket. If an I/O call on a slow device has already transferred
some data by the time it is interrupted by a signal handler, then
the call will return a success status (normally, the number of
bytes transferred). Note that a (local) disk is not a slow device
according to this definition; I/O operations on disk devices are
not interrupted by signals.
/sys/fs/selinux/checkreqprot is definitely not a "slow" device.
>
> > + close(fd);
> > + if (ret < 0)
> > + return -1;
> > +
> > + if (sscanf(buf, "%d", &checkreqprot) != 1)
> > + return -1;
> > +
> > + return checkreqprot;
> > +}
> > +
> > +hidden_def(security_checkreqprot);
> > diff --git a/libselinux/src/selinux_internal.h
> > b/libselinux/src/selinux_internal.h
> > index 3d5c9fb4..e4650c92 100644
> > --- a/libselinux/src/selinux_internal.h
> > +++ b/libselinux/src/selinux_internal.h
> > @@ -59,6 +59,7 @@ hidden_proto(selinux_mkload_policy)
> > hidden_proto(security_getenforce)
> > hidden_proto(security_setenforce)
> > hidden_proto(security_deny_unknown)
> > + hidden_proto(security_checkreqprot)
> > hidden_proto(selinux_boolean_sub)
> > hidden_proto(selinux_current_policy_path)
> > hidden_proto(selinux_binary_policy_path)
> > --
> > 2.11.0
> >
>
>
>
* Re: [PATCH 1/2] libselinux: add security_checkreqprot
2017-04-12 13:41 [PATCH 1/2] libselinux: add security_checkreqprot Christian Göttsche
2017-04-12 15:49 ` Nick Kralevich
@ 2017-04-12 18:36 ` Stephen Smalley
1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2017-04-12 18:36 UTC (permalink / raw)
To: Christian Göttsche, selinux
On Wed, 2017-04-12 at 15:41 +0200, Christian Göttsche wrote:
> Add security_checkreqprot() function, returning the current active
> checkreqprot value
Your patches are whitespace-damaged. Sending with git send-email tends
to work better.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> libselinux/include/selinux/selinux.h | 3 +++
> libselinux/man/man3/security_getenforce.3 | 8 ++++++-
> libselinux/man/man3/selinux_status_open.3 | 11 +++++++--
> libselinux/src/checkreqprot.c | 40
> +++++++++++++++++++++++++++++++
> libselinux/src/selinux_internal.h | 1 +
> 5 files changed, 60 insertions(+), 3 deletions(-)
> create mode 100644 libselinux/src/checkreqprot.c
>
> diff --git a/libselinux/include/selinux/selinux.h
> b/libselinux/include/selinux/selinux.h
> index 45dd6ca5..938393f6 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -331,6 +331,9 @@ extern int security_setenforce(int value);
> /* Get the behavior for undefined classes/permissions */
> extern int security_deny_unknown(void);
>
> +/* Get the checkreqprot value */
> +extern int security_checkreqprot(void);
> +
> /* Disable SELinux at runtime (must be done prior to initial policy
> load). */
> extern int security_disable(void);
>
> diff --git a/libselinux/man/man3/security_getenforce.3
> b/libselinux/man/man3/security_getenforce.3
> index 7658014a..e27b6c80 100644
> --- a/libselinux/man/man3/security_getenforce.3
> +++ b/libselinux/man/man3/security_getenforce.3
> @@ -1,6 +1,6 @@
> .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au
> "
> "SELinux API documentation"
> .SH "NAME"
> -security_getenforce, security_setenforce, security_deny_unknown \-
> get or set the enforcing state of SELinux
> +security_getenforce, security_setenforce, security_deny_unknown
> security_checkreqprot\- get or set the enforcing state of SELinux
> .
> .SH "SYNOPSIS"
> .B #include <selinux/selinux.h>
> @@ -10,6 +10,8 @@ security_getenforce, security_setenforce,
> security_deny_unknown \- get or set th
> .BI "int security_setenforce(int "value );
> .sp
> .B int security_deny_unknown(void);
> +.sp
> +.B int security_checkreqprot(void);
> .
> .SH "DESCRIPTION"
> .BR security_getenforce ()
> @@ -24,6 +26,10 @@ returned.
> .BR security_deny_unknown ()
> returns 0 if SELinux treats policy queries on undefined object
> classes or
> permissions as being allowed, 1 if such queries are denied, and \-1
> on error.
> +
> +.BR security_checkreqprot ()
> +returns 0 if SELinux checks the protection applied by the kernel, 1
> if SELinux
> +checks the protection requested by the application, and \-1 on
> error.
> .
> .SH "SEE ALSO"
> .BR selinux "(8)"
> diff --git a/libselinux/man/man3/selinux_status_open.3
> b/libselinux/man/man3/selinux_status_open.3
> index 2d44be57..e70ab014 100644
> --- a/libselinux/man/man3/selinux_status_open.3
> +++ b/libselinux/man/man3/selinux_status_open.3
> @@ -1,8 +1,9 @@
> .TH "selinux_status_open" "3" "22 January 2011"
> "kaigai@ak.jp.nec.com" "SELinux API documentation"
> .SH "NAME"
> selinux_status_open, selinux_status_close, selinux_status_updated,
> -selinux_status_getenforce, selinux_status_policyload and
> -selinux_status_deny_unknown \- reference the SELinux kernel status
> +selinux_status_getenforce, selinux_status_policyload,
> +selinux_status_deny_unknown and security_checkreqprot \- reference
> +the SELinux kernel status
> without invocation of system calls
> .
> .SH "SYNOPSIS"
> @@ -19,6 +20,8 @@ without invocation of system calls
> .BI "int selinux_status_policyload(void);"
> .sp
> .BI "int selinux_status_deny_unknown(void);"
> +.sp
> +.BI "int security_checkreqprot(void);"
> .
> .SH "DESCRIPTION"
> Linux 2.6.37 or later provides a SELinux kernel status page; being
> mostly
> @@ -78,6 +81,10 @@ Thus, don't use this value to know actual times of
> policy reloaded.
> returns 0 if SELinux treats policy queries on undefined object
> classes or
> permissions as being allowed, 1 if such queries are denied, or \-1
> on error.
> .sp
> +.BR security_checkreqprot ()
> +returns 0 if SELinux checks the protection applied by the kernel, 1
> if SELinux
> +checks the protection requested by the application, and \-1 on
> error.
> +.sp
> Also note that these interfaces are not thread-safe, so you have to
> protect
> them from concurrent calls using exclusive locks when multiple
> threads are
> performing.
> diff --git a/libselinux/src/checkreqprot.c
> b/libselinux/src/checkreqprot.c
> new file mode 100644
> index 00000000..38f3bebb
> --- /dev/null
> +++ b/libselinux/src/checkreqprot.c
> @@ -0,0 +1,40 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +#include <stdlib.h>
> +#include <errno.h>
> +#include <string.h>
> +#include "selinux_internal.h"
> +#include "policy.h"
> +#include <stdio.h>
> +#include <limits.h>
> +
> +int security_checkreqprot(void)
> +{
> + int fd, ret, checkreqprot = 0;
> + char path[PATH_MAX];
> + char buf[20];
> +
> + if (!selinux_mnt) {
> + errno = ENOENT;
> + return -1;
> + }
> +
> + snprintf(path, sizeof(path), "%s/checkreqprot", selinux_mnt);
> + fd = open(path, O_RDONLY);
> + if (fd < 0)
> + return -1;
> +
> + memset(buf, 0, sizeof(buf));
> + ret = read(fd, buf, sizeof(buf) - 1);
> + close(fd);
> + if (ret < 0)
> + return -1;
> +
> + if (sscanf(buf, "%d", &checkreqprot) != 1)
> + return -1;
> +
> + return checkreqprot;
> +}
> +
> +hidden_def(security_checkreqprot);
> diff --git a/libselinux/src/selinux_internal.h
> b/libselinux/src/selinux_internal.h
> index 3d5c9fb4..e4650c92 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -59,6 +59,7 @@ hidden_proto(selinux_mkload_policy)
> hidden_proto(security_getenforce)
> hidden_proto(security_setenforce)
> hidden_proto(security_deny_unknown)
> + hidden_proto(security_checkreqprot)
> hidden_proto(selinux_boolean_sub)
> hidden_proto(selinux_current_policy_path)
> hidden_proto(selinux_binary_policy_path)
* Re: [PATCH 1/2] libselinux: add security_checkreqprot
From: Nick Kralevich @ 2017-04-12 15:49 UTC (permalink / raw)
To: Christian Göttsche; +Cc: selinux
On Wed, Apr 12, 2017 at 6:41 AM, Christian Göttsche
<cgzones@googlemail.com> wrote:
> Add security_checkreqprot() function, returning the current active
> checkreqprot value
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> libselinux/include/selinux/selinux.h | 3 +++
> libselinux/man/man3/security_getenforce.3 | 8 ++++++-
> libselinux/man/man3/selinux_status_open.3 | 11 +++++++--
> libselinux/src/checkreqprot.c | 40 +++++++++++++++++++++++++++++++
> libselinux/src/selinux_internal.h | 1 +
> 5 files changed, 60 insertions(+), 3 deletions(-)
> create mode 100644 libselinux/src/checkreqprot.c
>
> diff --git a/libselinux/include/selinux/selinux.h
> b/libselinux/include/selinux/selinux.h
> index 45dd6ca5..938393f6 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -331,6 +331,9 @@ extern int security_setenforce(int value);
> /* Get the behavior for undefined classes/permissions */
> extern int security_deny_unknown(void);
>
> +/* Get the checkreqprot value */
> +extern int security_checkreqprot(void);
> +
> /* Disable SELinux at runtime (must be done prior to initial policy load). */
> extern int security_disable(void);
>
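Review bot: The comment on the new `security_checkreqprot()` declaration does not say what the return values mean or how an error is reported. Using the wording from the man-page hunks of this patch, it could read `/* Get the checkreqprot value: 0 if the protection applied by the kernel is checked, 1 if the protection requested by the application is checked, -1 on error */`. The same hunk appears again in the original posting further down.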
> diff --git a/libselinux/man/man3/security_getenforce.3
> b/libselinux/man/man3/security_getenforce.3
> index 7658014a..e27b6c80 100644
> --- a/libselinux/man/man3/security_getenforce.3
> +++ b/libselinux/man/man3/security_getenforce.3
> @@ -1,6 +1,6 @@
> .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au"
> "SELinux API documentation"
> .SH "NAME"
> -security_getenforce, security_setenforce, security_deny_unknown \-
> get or set the enforcing state of SELinux
> +security_getenforce, security_setenforce, security_deny_unknown
> security_checkreqprot\- get or set the enforcing state of SELinux
> .
> .SH "SYNOPSIS"
> .B #include <selinux/selinux.h>
> @@ -10,6 +10,8 @@ security_getenforce, security_setenforce,
> security_deny_unknown \- get or set th
> .BI "int security_setenforce(int "value );
> .sp
> .B int security_deny_unknown(void);
> +.sp
> +.B int security_checkreqprot(void);
> .
> .SH "DESCRIPTION"
> .BR security_getenforce ()
> @@ -24,6 +26,10 @@ returned.
> .BR security_deny_unknown ()
> returns 0 if SELinux treats policy queries on undefined object classes or
> permissions as being allowed, 1 if such queries are denied, and \-1 on error.
> +
> +.BR security_checkreqprot ()
> +returns 0 if SELinux checks the protection applied by the kernel, 1 if SELinux
> +checks the protection requested by the application, and \-1 on error.
> .
> .SH "SEE ALSO"
> .BR selinux "(8)"
> diff --git a/libselinux/man/man3/selinux_status_open.3
> b/libselinux/man/man3/selinux_status_open.3
> index 2d44be57..e70ab014 100644
> --- a/libselinux/man/man3/selinux_status_open.3
> +++ b/libselinux/man/man3/selinux_status_open.3
> @@ -1,8 +1,9 @@
> .TH "selinux_status_open" "3" "22 January 2011"
> "kaigai@ak.jp.nec.com" "SELinux API documentation"
> .SH "NAME"
> selinux_status_open, selinux_status_close, selinux_status_updated,
> -selinux_status_getenforce, selinux_status_policyload and
> -selinux_status_deny_unknown \- reference the SELinux kernel status
> +selinux_status_getenforce, selinux_status_policyload,
> +selinux_status_deny_unknown and security_checkreqprot \- reference
> +the SELinux kernel status
> without invocation of system calls
> .
> .SH "SYNOPSIS"
> @@ -19,6 +20,8 @@ without invocation of system calls
> .BI "int selinux_status_policyload(void);"
> .sp
> .BI "int selinux_status_deny_unknown(void);"
> +.sp
> +.BI "int security_checkreqprot(void);"
> .
> .SH "DESCRIPTION"
> Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
> @@ -78,6 +81,10 @@ Thus, don't use this value to know actual times of
> policy reloaded.
> returns 0 if SELinux treats policy queries on undefined object classes or
> permissions as being allowed, 1 if such queries are denied, or \-1 on error.
> .sp
> +.BR security_checkreqprot ()
> +returns 0 if SELinux checks the protection applied by the kernel, 1 if SELinux
> +checks the protection requested by the application, and \-1 on error.
> +.sp
> Also note that these interfaces are not thread-safe, so you have to protect
> them from concurrent calls using exclusive locks when multiple threads are
> performing.
> diff --git a/libselinux/src/checkreqprot.c b/libselinux/src/checkreqprot.c
> new file mode 100644
> index 00000000..38f3bebb
> --- /dev/null
> +++ b/libselinux/src/checkreqprot.c
> @@ -0,0 +1,40 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +#include <stdlib.h>
> +#include <errno.h>
> +#include <string.h>
> +#include "selinux_internal.h"
> +#include "policy.h"
> +#include <stdio.h>
> +#include <limits.h>
> +
> +int security_checkreqprot(void)
> +{
> + int fd, ret, checkreqprot = 0;
> + char path[PATH_MAX];
> + char buf[20];
> +
> + if (!selinux_mnt) {
> + errno = ENOENT;
> + return -1;
> + }
> +
> + snprintf(path, sizeof(path), "%s/checkreqprot", selinux_mnt);
> + fd = open(path, O_RDONLY);
Please use O_CLOEXEC above.
> + if (fd < 0)
> + return -1;
> +
> + memset(buf, 0, sizeof(buf));
> + ret = read(fd, buf, sizeof(buf) - 1);
Please wrap read() calls in TEMP_FAILURE_RETRY:
ret = TEMP_FAILURE_RETRY(read(fd, buf, sizeof(buf) - 1));
> + close(fd);
> + if (ret < 0)
> + return -1;
> +
> + if (sscanf(buf, "%d", &checkreqprot) != 1)
> + return -1;
> +
> + return checkreqprot;
> +}
> +
> +hidden_def(security_checkreqprot);
> diff --git a/libselinux/src/selinux_internal.h
> b/libselinux/src/selinux_internal.h
> index 3d5c9fb4..e4650c92 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -59,6 +59,7 @@ hidden_proto(selinux_mkload_policy)
> hidden_proto(security_getenforce)
> hidden_proto(security_setenforce)
> hidden_proto(security_deny_unknown)
> + hidden_proto(security_checkreqprot)
> hidden_proto(selinux_boolean_sub)
> hidden_proto(selinux_current_policy_path)
> hidden_proto(selinux_binary_policy_path)
> --
> 2.11.0
>
--
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037
* [PATCH 1/2] libselinux: add security_checkreqprot
From: Christian Göttsche @ 2017-04-12 13:41 UTC (permalink / raw)
To: selinux
Add security_checkreqprot() function, returning the currently active
checkreqprot value.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libselinux/include/selinux/selinux.h | 3 +++
libselinux/man/man3/security_getenforce.3 | 8 ++++++-
libselinux/man/man3/selinux_status_open.3 | 11 +++++++--
libselinux/src/checkreqprot.c | 40 +++++++++++++++++++++++++++++++
libselinux/src/selinux_internal.h | 1 +
5 files changed, 60 insertions(+), 3 deletions(-)
create mode 100644 libselinux/src/checkreqprot.c
diff --git a/libselinux/include/selinux/selinux.h
b/libselinux/include/selinux/selinux.h
index 45dd6ca5..938393f6 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -331,6 +331,9 @@ extern int security_setenforce(int value);
/* Get the behavior for undefined classes/permissions */
extern int security_deny_unknown(void);
+/* Get the checkreqprot value */
+extern int security_checkreqprot(void);
+
/* Disable SELinux at runtime (must be done prior to initial policy load). */
extern int security_disable(void);
diff --git a/libselinux/man/man3/security_getenforce.3
b/libselinux/man/man3/security_getenforce.3
index 7658014a..e27b6c80 100644
--- a/libselinux/man/man3/security_getenforce.3
+++ b/libselinux/man/man3/security_getenforce.3
@@ -1,6 +1,6 @@
.TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au"
"SELinux API documentation"
.SH "NAME"
-security_getenforce, security_setenforce, security_deny_unknown \-
get or set the enforcing state of SELinux
+security_getenforce, security_setenforce, security_deny_unknown
security_checkreqprot\- get or set the enforcing state of SELinux
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
@@ -10,6 +10,8 @@ security_getenforce, security_setenforce,
security_deny_unknown \- get or set th
.BI "int security_setenforce(int "value );
.sp
.B int security_deny_unknown(void);
+.sp
+.B int security_checkreqprot(void);
.
.SH "DESCRIPTION"
.BR security_getenforce ()
@@ -24,6 +26,10 @@ returned.
.BR security_deny_unknown ()
returns 0 if SELinux treats policy queries on undefined object classes or
permissions as being allowed, 1 if such queries are denied, and \-1 on error.
+
+.BR security_checkreqprot ()
+returns 0 if SELinux checks the protection applied by the kernel, 1 if SELinux
+checks the protection requested by the application, and \-1 on error.
.
.SH "SEE ALSO"
.BR selinux "(8)"
diff --git a/libselinux/man/man3/selinux_status_open.3
b/libselinux/man/man3/selinux_status_open.3
index 2d44be57..e70ab014 100644
--- a/libselinux/man/man3/selinux_status_open.3
+++ b/libselinux/man/man3/selinux_status_open.3
@@ -1,8 +1,9 @@
.TH "selinux_status_open" "3" "22 January 2011"
"kaigai@ak.jp.nec.com" "SELinux API documentation"
.SH "NAME"
selinux_status_open, selinux_status_close, selinux_status_updated,
-selinux_status_getenforce, selinux_status_policyload and
-selinux_status_deny_unknown \- reference the SELinux kernel status
+selinux_status_getenforce, selinux_status_policyload,
+selinux_status_deny_unknown and security_checkreqprot \- reference
+the SELinux kernel status
without invocation of system calls
.
.SH "SYNOPSIS"
@@ -19,6 +20,8 @@ without invocation of system calls
.BI "int selinux_status_policyload(void);"
.sp
.BI "int selinux_status_deny_unknown(void);"
+.sp
+.BI "int security_checkreqprot(void);"
.
.SH "DESCRIPTION"
Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
@@ -78,6 +81,10 @@ Thus, don't use this value to know actual times of
policy reloaded.
returns 0 if SELinux treats policy queries on undefined object classes or
permissions as being allowed, 1 if such queries are denied, or \-1 on error.
.sp
+.BR security_checkreqprot ()
+returns 0 if SELinux checks the protection applied by the kernel, 1 if SELinux
+checks the protection requested by the application, and \-1 on error.
+.sp
Also note that these interfaces are not thread-safe, so you have to protect
them from concurrent calls using exclusive locks when multiple threads are
performing.
diff --git a/libselinux/src/checkreqprot.c b/libselinux/src/checkreqprot.c
new file mode 100644
index 00000000..38f3bebb
--- /dev/null
+++ b/libselinux/src/checkreqprot.c
@@ -0,0 +1,40 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include <stdio.h>
+#include <limits.h>
+
+int security_checkreqprot(void)
+{
+ int fd, ret, checkreqprot = 0;
+ char path[PATH_MAX];
+ char buf[20];
+
+ if (!selinux_mnt) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ snprintf(path, sizeof(path), "%s/checkreqprot", selinux_mnt);
+ fd = open(path, O_RDONLY);
+ if (fd < 0)
+ return -1;
+
+ memset(buf, 0, sizeof(buf));
+ ret = read(fd, buf, sizeof(buf) - 1);
+ close(fd);
+ if (ret < 0)
+ return -1;
+
+ if (sscanf(buf, "%d", &checkreqprot) != 1)
+ return -1;
+
+ return checkreqprot;
+}
+
+hidden_def(security_checkreqprot);
diff --git a/libselinux/src/selinux_internal.h
b/libselinux/src/selinux_internal.h
index 3d5c9fb4..e4650c92 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -59,6 +59,7 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(security_getenforce)
hidden_proto(security_setenforce)
hidden_proto(security_deny_unknown)
+ hidden_proto(security_checkreqprot)
hidden_proto(selinux_boolean_sub)
hidden_proto(selinux_current_policy_path)
hidden_proto(selinux_binary_policy_path)
--
2.11.0