* straceing SE Linux
@ 2002-02-27  9:47 Russell Coker
  2002-02-27 11:31 ` Metrix
  2002-02-27 13:53 ` straceing SE Linux Stephen Smalley
  0 siblings, 2 replies; 6+ messages in thread
From: Russell Coker @ 2002-02-27  9:47 UTC (permalink / raw)
  To: wakkerma; +Cc: SE Linux

I'm working on hacking strace to trace LSM system calls as used by SE Linux.

Firstly what name should I use to refer to this syscall?  lsm() as the 
library code uses or security() after the sys_security() definition in the 
kernel?

The next issue is that there is one system call defined for LSM (number 223 
on Intel).  The first parameter of this call is the id of the security 
service to manage.  I would like to display selinux() for a SE system call 
lids() for a LIDS call, etc.  However it seems that this would require a 
change to the strace structure.

Should I do so, or am I on the wrong track by wanting to display these as 
different function calls depending on the id parameter?

-- 
Signatures >4 lines are rude.  If you send email to me or to a mailing list
that I am subscribed to which has >4 lines of legalistic junk at the end
then you are specifically authorizing me to do whatever I wish with the
message (the sig won't be read).

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* (no subject)
  2002-02-27  9:47 straceing SE Linux Russell Coker
@ 2002-02-27 11:31 ` Metrix
  2002-02-27 13:36   ` your mail Stephen Smalley
  2002-02-27 13:53 ` straceing SE Linux Stephen Smalley
  1 sibling, 1 reply; 6+ messages in thread
From: Metrix @ 2002-02-27 11:31 UTC (permalink / raw)
  To: selinux

Hey people, just wanted to compliment you on the good
job, I will actually be using RSBAC as it suits my
needs a bit better...

My question is, what are the differences of RSBAC
[rsbac.org] and SELinux from a technical standpoint?


* Re: your mail
  2002-02-27 11:31 ` Metrix
@ 2002-02-27 13:36   ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2002-02-27 13:36 UTC (permalink / raw)
  To: Metrix; +Cc: selinux


On Wed, 27 Feb 2002, Metrix wrote:

> Hey people, just wanted to compliment you on the good
> job, I will actually be using RSBAC as it suits my
> needs a bit better...
>
> My question is, what are the differences of RSBAC
> [rsbac.org] and SELinux from a technical standpoint?

This has been previously discussed on the mailing list, and is also
summarized in the related work section of the Freenix '01 paper.  The
mailing list thread starts at
http://marc.theaimsgroup.com/?l=selinux&m=98618795624462&w=2 and the
Freenix '01 paper is available at
http://www.nsa.gov/selinux/freenix01-abs.html.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





* Re: straceing SE Linux
  2002-02-27  9:47 straceing SE Linux Russell Coker
  2002-02-27 11:31 ` Metrix
@ 2002-02-27 13:53 ` Stephen Smalley
  2002-02-27 16:04   ` Russell Coker
  1 sibling, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2002-02-27 13:53 UTC (permalink / raw)
  To: Russell Coker; +Cc: wakkerma, SE Linux


On Wed, 27 Feb 2002, Russell Coker wrote:

> Firstly what name should I use to refer to this syscall?  lsm() as the
> library code uses or security() after the sys_security() definition in the
> kernel?

I'd use the 'security' name, since it is the name used in unistd.h
(__NR_security).  We were using 'lsm' as the name of the system call
before there was any unistd.h definition, and it is now just an alias
for the security call.

> The next issue is that there is one system call defined for LSM (number 223
> on Intel).  The first parameter of this call is the id of the security
> service to manage.  I would like to display selinux() for a SE system call
> lids() for a LIDS call, etc.  However it seems that this would require a
> change to the strace structure.
>
> Should I do so, or am I on the wrong track by wanting to display these as
> different function calls depending on the id parameter?

I'd suggest looking at how strace handles the socketcall call, since the
security call is similar to it in form, with an additional module
identifier parameter to identify the security module.  strace does appear
to interpret the call value and the argument array for socketcall,
displaying socket operations with the corresponding call name and
interpreted argument list.

I suppose a first step for making strace aware of security calls would be
to translate the 'id' parameter to the security call and display the
corresponding module name.  However, the longer term goal would be to
actually display a name based on both the 'id' and the 'call' parameter
and to interpret the argument array based on the (id, call) pair.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





* Re: straceing SE Linux
  2002-02-27 13:53 ` straceing SE Linux Stephen Smalley
@ 2002-02-27 16:04   ` Russell Coker
  2002-02-27 18:30     ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2002-02-27 16:04 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: wakkerma, SE Linux

On Wed, 27 Feb 2002 14:53, Stephen Smalley wrote:
> On Wed, 27 Feb 2002, Russell Coker wrote:
> > Firstly what name should I use to refer to this syscall?  lsm() as the
> > library code uses or security() after the sys_security() definition in
> > the kernel?
>
> I'd use the 'security' name, since it is the name used in unistd.h
> (__NR_security).  We were using 'lsm' as the name of the system call
> before there was any unistd.h definition, and it is now just an alias
> for the security call.

OK.

> > The next issue is that there is one system call defined for LSM (number
> > 223 on Intel).  The first parameter of this call is the id of the
> > security service to manage.  I would like to display selinux() for a SE
> > system call lids() for a LIDS call, etc.  However it seems that this
> > would require a change to the strace structure.
> >
> > Should I do so, or am I on the wrong track by wanting to display these as
> > different function calls depending on the id parameter?
>
> I'd suggest looking at how strace handles the socketcall call, since the
> security call is similar to it in form, with an additional module
> identifier parameter to identify the security module.  strace does appear
> to interpret the call value and the argument array for socketcall,
> displaying socket operations with the corresponding call name and
> interpreted argument list.

From inspecting the kernel code and the strace it appears that socketcall 
doesn't get processed the way you might expect.  It appears that for every 
function that works with socketcall() there is a separate system call for it. 
 So when I strace a socket program on my system it displays the socket(), 
connect() etc because those system calls are called directly.  It appears 
that my libc does not use socketcall()!  I could not find any special 
handling in the strace source for socketcall, it appears that socketcall() 
will be displayed as such!

Also I'm using strace version 4.4, I grabbed the source from the Debian 
unstable tree, as Wichert is both upstream author and Debian developer for 
strace I presume that there is no version of strace that has more 
capabilities in this regard.

Another thing, I just checked out the code for ioctl() and it doesn't help me 
as the output always matches "^ioctl(".

> I suppose a first step for making strace aware of security calls would be
> to translate the 'id' parameter to the security call and display the
> corresponding module name.  However, the longer term goal would be to
> actually display a name based on both the 'id' and the 'call' parameter
> and to interpret the argument array based on the (id, call) pair.

I agree.

What I think is necessary is firstly to write code to handle unknown id 
parameters from the security() system call as security(id = %d, ...
Then have code to handle known module IDs but unknown system calls as 
security(SELINUX, ... (or whatever the name is).  Then have code to handle 
known system calls by the full name.

-- 
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
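
The three-tier fallback described in the message above, as an added C example that is not part of the original thread and is not strace code. The module ids, call numbers and the call name are constructed placeholders, since the thread gives no real values.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed placeholder ids: NOT the real LSM module identifiers. */
#define EX_SELINUX_ID 1001u
#define EX_LIDS_ID    1002u

struct call_ent { unsigned int call; const char *name; };
struct module_ent {
    unsigned int id;
    const char *name;
    const struct call_ent *calls;
    size_t ncalls;
};

/* Hypothetical per-module call table; the name is invented for illustration. */
static const struct call_ent ex_selinux_calls[] = {
    { 1, "selinux_example_op" },
};

static const struct module_ent ex_modules[] = {
    { EX_SELINUX_ID, "SELINUX", ex_selinux_calls, 1 },
    { EX_LIDS_ID,    "LIDS",    NULL,             0 },
};

/* Write the start of the trace line for security(id, call, args) into buf.
 * Returns 2 if the (id, call) pair is known, 1 if only the module is
 * known, 0 if the id is unknown. Output is always bounded by len. */
int format_security(unsigned int id, unsigned int call, char *buf, size_t len)
{
    size_t i, j;

    for (i = 0; i < sizeof(ex_modules) / sizeof(ex_modules[0]); i++) {
        const struct module_ent *m = &ex_modules[i];
        if (m->id != id)
            continue;
        for (j = 0; j < m->ncalls; j++) {
            if (m->calls[j].call == call) {
                snprintf(buf, len, "%s(", m->calls[j].name);
                return 2;   /* known call: show it under its full name */
            }
        }
        snprintf(buf, len, "security(%s, call = %u, ...", m->name, call);
        return 1;           /* known module, unknown call number */
    }
    snprintf(buf, len, "security(id = %u, call = %u, ...", id, call);
    return 0;               /* unknown module id: print it raw */
}
```

The raw call number is printed in the two fallback tiers so that an unrecognised request is still visible in the trace rather than silently collapsed.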


* Re: straceing SE Linux
  2002-02-27 16:04   ` Russell Coker
@ 2002-02-27 18:30     ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2002-02-27 18:30 UTC (permalink / raw)
  To: Russell Coker; +Cc: wakkerma, SE Linux


On Wed, 27 Feb 2002, Russell Coker wrote:

> From inspecting the kernel code and the strace it appears that socketcall
> doesn't get processed the way you might expect.  It appears that for every
> function that works with socketcall() there is a separate system call for it.
>  So when I strace a socket program on my system it displays the socket(),
> connect() etc because those system calls are called directly.  It appears
> that my libc does not use socketcall()!  I could not find any special
> handling in the strace source for socketcall, it appears that socketcall()
> will be displayed as such!

If you look at arch/i386/kernel/entry.S in the kernel tree, you'll see
that there are no entrypoints for the individual socket calls.  Just for
sys_socketcall.  Similarly for the System V IPC system calls - they are
all multiplexed through sys_ipc.  It is true that there are separate
library functions for the different calls, but not different system calls.
You won't find any definitions for connect and friends in
include/asm-i386/unistd.h either.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




