* [PATCH] Add security_validatetrans support
@ 2019-04-04 15:36 Joshua Brindle
2019-04-04 18:43 ` William Roberts
0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2019-04-04 15:36 UTC (permalink / raw)
To: selinux; +Cc: Joshua Brindle
It seems validatetrans support was never added to libselinux, despite being added to
selinuxfs in kernel version 4.5
Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
---
libselinux/include/selinux/selinux.h | 13 +++
libselinux/man/man3/security_compute_av.3 | 13 ++-
libselinux/man/man3/security_validatetrans.c | 1 +
.../man/man3/security_validatetrans_raw.c | 1 +
libselinux/src/selinux_internal.h | 2 +
libselinux/src/validatetrans.c | 80 +++++++++++++++++++
6 files changed, 109 insertions(+), 1 deletion(-)
create mode 100644 libselinux/man/man3/security_validatetrans.c
create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
create mode 100644 libselinux/src/validatetrans.c
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index a34d54fc..948028ea 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
const char *username,
char *** con);
+/* Validate a transition. This determines whether a transition from scon to newcon
+ using tcon as the target for object class tclass is valid in the loaded policy.
+ This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
+ Returns 0 if allowed, -EPERM if denied, and -1 if an error occured */
+extern int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+extern int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+
/* Load a policy configuration. */
extern int security_load_policy(void *data, size_t len);
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 2aade5fe..e03960bc 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -1,7 +1,7 @@
.TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
-security_compute_member, security_compute_user, security_get_initial_context \- query
+security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
the SELinux policy database in the kernel
.
.SH "SYNOPSIS"
@@ -35,6 +35,10 @@ the SELinux policy database in the kernel
.sp
.BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
.sp
+.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
+.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
.BI "int security_get_initial_context(const char *" name ", char **" con );
.sp
.BI "int security_get_initial_context_raw(const char *" name ", char **" con );
@@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
source context. It is mainly used by
.BR get_ordered_context_list ().
+.BR security_validatetrans ()
+is used to determine if a transition from scon to newcon using tcon as the object
+is valid for object class tclass. This checks against the mlsvalidatetrans and
+validatetrans constraints in the loaded policy. Returns 0 if allowed, -EPERM if denied,
+and -1 if an error occured
+
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
.I name
@@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
.BR \%security_compute_relabel_raw (),
.BR \%security_compute_member_raw (),
.BR \%security_compute_user_raw ()
+.BR \%security_validatetrans_raw ()
and
.BR \%security_get_initial_context_raw ()
behave identically to their non-raw counterparts but do not perform context
diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans_raw.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 70b5025d..acd59c7c 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(security_compute_create_name_raw)
hidden_proto(security_compute_member_raw)
hidden_proto(security_compute_relabel_raw)
+ hidden_proto(security_validatetrans)
+ hidden_proto(security_validatetrans_raw)
hidden_proto(is_selinux_enabled)
hidden_proto(is_selinux_mls_enabled)
hidden_proto(freecon)
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
new file mode 100644
index 00000000..86bfaa30
--- /dev/null
+++ b/libselinux/src/validatetrans.c
@@ -0,0 +1,80 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <limits.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include "mapping.h"
+
+int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ char path[PATH_MAX];
+ char *buf;
+ size_t size;
+ int fd, ret;
+
+ if (!selinux_mnt) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
+ fd = open(path, O_RDWR | O_CLOEXEC);
+ if (fd < 0)
+ return -1;
+
+ size = selinux_page_size;
+ buf = malloc(size);
+ if (!buf) {
+ ret = -1;
+ goto out;
+ }
+ snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
+
+ ret = write(fd, buf, strlen(buf));
+ free(buf);
+out:
+ close(fd);
+ return ret;
+}
+
+hidden_def(security_validatetrans_raw)
+
+int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ int ret = -1;
+ char *rscon = NULL;
+ char *rtcon = NULL;
+ char *rnewcon = NULL;
+
+ if (selinux_trans_to_raw_context(scon, &rscon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(tcon, &rtcon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
+ goto out;
+ }
+
+ ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
+
+out:
+ freecon(rnewcon);
+ freecon(rtcon);
+ freecon(rscon);
+
+ return ret;
+}
--
2.17.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH] Add security_validatetrans support
2019-04-04 15:36 [PATCH] Add security_validatetrans support Joshua Brindle
@ 2019-04-04 18:43 ` William Roberts
2019-04-04 19:22 ` Joshua Brindle
0 siblings, 1 reply; 14+ messages in thread
From: William Roberts @ 2019-04-04 18:43 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
On Thu, Apr 4, 2019 at 8:37 AM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
>
> It seems validatetrans support was never added to libselinux, despite being added to
> selinuxfs in kernel version 4.5
>
> Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> ---
> libselinux/include/selinux/selinux.h | 13 +++
> libselinux/man/man3/security_compute_av.3 | 13 ++-
> libselinux/man/man3/security_validatetrans.c | 1 +
> .../man/man3/security_validatetrans_raw.c | 1 +
> libselinux/src/selinux_internal.h | 2 +
> libselinux/src/validatetrans.c | 80 +++++++++++++++++++
> 6 files changed, 109 insertions(+), 1 deletion(-)
> create mode 100644 libselinux/man/man3/security_validatetrans.c
> create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
> create mode 100644 libselinux/src/validatetrans.c
>
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index a34d54fc..948028ea 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
> const char *username,
> char *** con);
>
> +/* Validate a transition. This determines whether a transition from scon to newcon
> + using tcon as the target for object class tclass is valid in the loaded policy.
> + This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
> + Returns 0 if allowed, -EPERM if denied, and -1 if an error occured */
> +extern int security_validatetrans(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon);
> +extern int security_validatetrans_raw(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon);
> +
> /* Load a policy configuration. */
> extern int security_load_policy(void *data, size_t len);
>
> diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
> index 2aade5fe..e03960bc 100644
> --- a/libselinux/man/man3/security_compute_av.3
> +++ b/libselinux/man/man3/security_compute_av.3
> @@ -1,7 +1,7 @@
> .TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
> .SH "NAME"
> security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
> -security_compute_member, security_compute_user, security_get_initial_context \- query
> +security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
> the SELinux policy database in the kernel
> .
> .SH "SYNOPSIS"
> @@ -35,6 +35,10 @@ the SELinux policy database in the kernel
> .sp
> .BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
> .sp
> +.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> +.sp
> +.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> +.sp
> .BI "int security_get_initial_context(const char *" name ", char **" con );
> .sp
> .BI "int security_get_initial_context_raw(const char *" name ", char **" con );
> @@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
> source context. It is mainly used by
> .BR get_ordered_context_list ().
>
> +.BR security_validatetrans ()
> +is used to determine if a transition from scon to newcon using tcon as the object
> +is valid for object class tclass. This checks against the mlsvalidatetrans and
> +validatetrans constraints in the loaded policy. Returns 0 if allowed, -EPERM if denied,
> +and -1 if an error occured
> +
> .BR security_get_initial_context ()
> is used to get the context of a kernel initial security identifier specified by
> .I name
> @@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
> .BR \%security_compute_relabel_raw (),
> .BR \%security_compute_member_raw (),
> .BR \%security_compute_user_raw ()
> +.BR \%security_validatetrans_raw ()
> and
> .BR \%security_get_initial_context_raw ()
> behave identically to their non-raw counterparts but do not perform context
> diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
> new file mode 100644
> index 00000000..a60bca4d
> --- /dev/null
> +++ b/libselinux/man/man3/security_validatetrans.c
> @@ -0,0 +1 @@
> +.so man3/security_compute_av.3
> diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
> new file mode 100644
> index 00000000..a60bca4d
> --- /dev/null
> +++ b/libselinux/man/man3/security_validatetrans_raw.c
> @@ -0,0 +1 @@
> +.so man3/security_compute_av.3
> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> index 70b5025d..acd59c7c 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
> hidden_proto(security_compute_create_name_raw)
> hidden_proto(security_compute_member_raw)
> hidden_proto(security_compute_relabel_raw)
> + hidden_proto(security_validatetrans)
> + hidden_proto(security_validatetrans_raw)
> hidden_proto(is_selinux_enabled)
> hidden_proto(is_selinux_mls_enabled)
> hidden_proto(freecon)
> diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
> new file mode 100644
> index 00000000..86bfaa30
> --- /dev/null
> +++ b/libselinux/src/validatetrans.c
> @@ -0,0 +1,80 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <errno.h>
> +#include <string.h>
> +#include <limits.h>
> +#include "selinux_internal.h"
> +#include "policy.h"
> +#include "mapping.h"
> +
> +int security_validatetrans_raw(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon)
> +{
> + char path[PATH_MAX];
> + char *buf;
> + size_t size;
> + int fd, ret;
> +
> + if (!selinux_mnt) {
> + errno = ENOENT;
> + return -1;
> + }
> +
> + snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
> + fd = open(path, O_RDWR | O_CLOEXEC);
> + if (fd < 0)
> + return -1;
> +
> + size = selinux_page_size;
> + buf = malloc(size);
> + if (!buf) {
> + ret = -1;
> + goto out;
> + }
> + snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
Shouldn't we be checking both snprintf's for truncation?
I see things like selinux_status_open() not doing it, also it doesn't
use selinux_page_size but calls
sysconf() directly, so that might not be the best example. I just
wonder if we're glossing over truncation
bugs that might be hard to debug if they ever crop up without explicit errors.
> +
> + ret = write(fd, buf, strlen(buf));
> + free(buf);
> +out:
> + close(fd);
> + return ret;
> +}
> +
> +hidden_def(security_validatetrans_raw)
> +
> +int security_validatetrans(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon)
> +{
> + int ret = -1;
> + char *rscon = NULL;
> + char *rtcon = NULL;
> + char *rnewcon = NULL;
> +
> + if (selinux_trans_to_raw_context(scon, &rscon)) {
> + goto out;
> + }
> +
> + if (selinux_trans_to_raw_context(tcon, &rtcon)) {
> + goto out;
> + }
> +
> + if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
> + goto out;
> + }
> +
> + ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
> +
> +out:
> + freecon(rnewcon);
> + freecon(rtcon);
> + freecon(rscon);
> +
> + return ret;
> +}
> --
> 2.17.2
>
$ git am ~/Downloads/\[PATCH\]\ Add\ security_validatetrans\ support.eml
Applying: Add security_validatetrans support
.git/rebase-apply/patch:68: trailing whitespace.
validatetrans constraints in the loaded policy. Returns 0 if allowed,
-EPERM if denied,
warning: 1 line adds whitespace errors.
Other then my question and trailing whitespace, overall LGTM. Builds and passes.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] Add security_validatetrans support
2019-04-04 18:43 ` William Roberts
@ 2019-04-04 19:22 ` Joshua Brindle
2019-04-05 0:17 ` Joshua Brindle
0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2019-04-04 19:22 UTC (permalink / raw)
To: William Roberts; +Cc: selinux
On Thu, Apr 4, 2019 at 2:43 PM William Roberts <bill.c.roberts@gmail.com> wrote:
>
> On Thu, Apr 4, 2019 at 8:37 AM Joshua Brindle
> <joshua.brindle@crunchydata.com> wrote:
> >
> > It seems validatetrans support was never added to libselinux, despite being added to
> > selinuxfs in kernel version 4.5
> >
> > Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> > ---
>
> I see things like selinux_status_open() not doing it, also it doesn't
> use selinux_page_size but calls
> sysconf() directly, so that might not be the best example. I just
> wonder if we're glossing over truncation
> bugs that might be hard to debug if they ever crop up without explicit errors.
Hrm.. I started off with a copy of compute_relabel.c or something, it
looks like none of these functions check. Checking the snprintf for
the path is probably not helpful, but now that you mention it, a
truncation of the last context could remove some categories and cause
an erroneous decision, and since we don't get the answer back from the
file like the compute_ functions it could cause a vulnerability.
Thanks, will update and resend.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] Add security_validatetrans support
2019-04-04 19:22 ` Joshua Brindle
@ 2019-04-05 0:17 ` Joshua Brindle
2019-04-05 0:32 ` Joshua Brindle
0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2019-04-05 0:17 UTC (permalink / raw)
To: William Roberts; +Cc: selinux
On Thu, Apr 4, 2019 at 3:22 PM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
>
> On Thu, Apr 4, 2019 at 2:43 PM William Roberts <bill.c.roberts@gmail.com> wrote:
> >
> > On Thu, Apr 4, 2019 at 8:37 AM Joshua Brindle
> > <joshua.brindle@crunchydata.com> wrote:
> > >
> > > It seems validatetrans support was never added to libselinux, despite being added to
> > > selinuxfs in kernel version 4.5
> > >
> > > Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> > > ---
>
> >
> > I see things like selinux_status_open() not doing it, also it doesn't
> > use selinux_page_size but calls
> > sysconf() directly, so that might not be the best example. I just
> > wonder if we're glossing over truncation
> > bugs that might be hard to debug if they ever crop up without explicit errors.
>
> Hrm.. I started off with a copy of compute_relabel.c or something, it
> looks like none of these functions check. Checking the snprintf for
> the path is probably not helpful, but now that you mention it, a
> truncation of the last context could remove some categories and cause
> an erroneous decision, and since we don't get the answer back from the
> file like the compute_ functions it could cause a vulnerability.
>
> Thanks, will update and resend.
Well, this was wrong anyway, I trusted the commit message from when
validatetrans was exposed in selinuxfs:
https://github.com/torvalds/linux/commit/f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39
but It was incorrect, 0 is not returned on success, the length written
is returned.
Will resend soon. Thanks again.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH] Add security_validatetrans support
2019-04-05 0:17 ` Joshua Brindle
@ 2019-04-05 0:32 ` Joshua Brindle
2019-04-05 14:08 ` [PATCH v3] " Joshua Brindle
0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2019-04-05 0:32 UTC (permalink / raw)
To: selinux; +Cc: Joshua Brindle
It seems validatetrans support was never added to libselinux, despite being added to
selinuxfs in kernel version 4.5
There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:
$ cat validatetrans.cil
(mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))
$ sudo semodule -i validatetrans.cil
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Invalid argument
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Operation not permitted
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned 0 errno: Success
Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
---
libselinux/include/selinux/selinux.h | 13 +++
libselinux/man/man3/security_compute_av.3 | 13 ++-
libselinux/man/man3/security_validatetrans.c | 1 +
.../man/man3/security_validatetrans_raw.c | 1 +
libselinux/src/selinux_internal.h | 2 +
libselinux/src/validatetrans.c | 98 +++++++++++++++++++
libselinux/utils/.gitignore | 1 +
libselinux/utils/validatetrans.c | 30 ++++++
8 files changed, 158 insertions(+), 1 deletion(-)
create mode 100644 libselinux/man/man3/security_validatetrans.c
create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
create mode 100644 libselinux/src/validatetrans.c
create mode 100644 libselinux/utils/validatetrans.c
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index a34d54fc..f54f236b 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
const char *username,
char *** con);
+/* Validate a transition. This determines whether a transition from scon to newcon
+ using tcon as the target for object class tclass is valid in the loaded policy.
+ This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
+ Returns 0 if allowed and -1 if an error occured with errno set */
+extern int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+extern int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+
/* Load a policy configuration. */
extern int security_load_policy(void *data, size_t len);
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 2aade5fe..a7181bed 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -1,7 +1,7 @@
.TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
-security_compute_member, security_compute_user, security_get_initial_context \- query
+security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
the SELinux policy database in the kernel
.
.SH "SYNOPSIS"
@@ -35,6 +35,10 @@ the SELinux policy database in the kernel
.sp
.BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
.sp
+.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
+.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
.BI "int security_get_initial_context(const char *" name ", char **" con );
.sp
.BI "int security_get_initial_context_raw(const char *" name ", char **" con );
@@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
source context. It is mainly used by
.BR get_ordered_context_list ().
+.BR security_validatetrans ()
+is used to determine if a transition from scon to newcon using tcon as the object
+is valid for object class tclass. This checks against the mlsvalidatetrans and
+validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
+if an error occured with errno set.
+
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
.I name
@@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
.BR \%security_compute_relabel_raw (),
.BR \%security_compute_member_raw (),
.BR \%security_compute_user_raw ()
+.BR \%security_validatetrans_raw ()
and
.BR \%security_get_initial_context_raw ()
behave identically to their non-raw counterparts but do not perform context
diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans_raw.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 70b5025d..acd59c7c 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(security_compute_create_name_raw)
hidden_proto(security_compute_member_raw)
hidden_proto(security_compute_relabel_raw)
+ hidden_proto(security_validatetrans)
+ hidden_proto(security_validatetrans_raw)
hidden_proto(is_selinux_enabled)
hidden_proto(is_selinux_mls_enabled)
hidden_proto(freecon)
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
new file mode 100644
index 00000000..1bb5df2d
--- /dev/null
+++ b/libselinux/src/validatetrans.c
@@ -0,0 +1,98 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <limits.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include "mapping.h"
+
+int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ char path[PATH_MAX];
+ char *buf = NULL;
+ int size, bufsz;
+ int fd, ret = -1;
+ errno = ENOENT;
+
+ if (!selinux_mnt) {
+ return -1;
+ }
+
+ snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
+ fd = open(path, O_WRONLY | O_CLOEXEC);
+ if (fd < 0) {
+ return -1;
+ }
+
+ errno = EINVAL;
+ size = selinux_page_size;
+ buf = malloc(size);
+ if (!buf) {
+ goto out;
+ }
+
+ bufsz = snprintf(NULL, 0, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
+ if (bufsz > size) {
+ // This is going to be too large
+ goto out;
+ }
+ if (bufsz != snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon)) {
+ // It got truncated somehow
+ goto out;
+ }
+
+ // clear errno for write()
+ errno = 0;
+ ret = write(fd, buf, strlen(buf));
+ if (ret > 0) {
+ // The kernel returns the bytes written on success, not 0 as noted in the commit message
+ ret = 0;
+ }
+ free(buf);
+out:
+ close(fd);
+ return ret;
+}
+
+hidden_def(security_validatetrans_raw)
+
+int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ int ret = -1;
+ char *rscon = NULL;
+ char *rtcon = NULL;
+ char *rnewcon = NULL;
+
+ if (selinux_trans_to_raw_context(scon, &rscon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(tcon, &rtcon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
+ goto out;
+ }
+
+ ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
+
+out:
+ freecon(rnewcon);
+ freecon(rtcon);
+ freecon(rscon);
+
+ return ret;
+}
+
+hidden_def(security_validatetrans)
diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index 5cd01025..aba18a3c 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -25,3 +25,4 @@ setenforce
setfilecon
togglesebool
selinux_check_access
+validatetrans
diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
new file mode 100644
index 00000000..fa8541f6
--- /dev/null
+++ b/libselinux/utils/validatetrans.c
@@ -0,0 +1,30 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv)
+{
+ security_class_t tclass;
+ int ret;
+
+ if (argc != 5) {
+ fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
+ argv[0]);
+ exit(1);
+ }
+
+ tclass = string_to_security_class(argv[3]);
+ if (!tclass) {
+ fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
+ exit(2);
+ }
+
+ ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
+ printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
+
+ return(ret);
+}
--
2.17.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v3] Add security_validatetrans support
2019-04-05 0:32 ` Joshua Brindle
@ 2019-04-05 14:08 ` Joshua Brindle
2019-04-05 14:43 ` William Roberts
0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2019-04-05 14:08 UTC (permalink / raw)
To: selinux; +Cc: Joshua Brindle
It seems validatetrans support was never added to libselinux, despite being added to
selinuxfs in kernel version 4.5
There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:
$ cat validatetrans.cil
(mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))
$ sudo semodule -i validatetrans.cil
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Invalid argument
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Operation not permitted
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned 0 errno: Success
Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
---
libselinux/include/selinux/selinux.h | 13 +++
libselinux/man/man3/security_compute_av.3 | 13 ++-
libselinux/man/man3/security_validatetrans.c | 1 +
.../man/man3/security_validatetrans_raw.c | 1 +
libselinux/src/selinux_internal.h | 2 +
libselinux/src/validatetrans.c | 98 +++++++++++++++++++
libselinux/utils/.gitignore | 1 +
libselinux/utils/validatetrans.c | 30 ++++++
8 files changed, 158 insertions(+), 1 deletion(-)
create mode 100644 libselinux/man/man3/security_validatetrans.c
create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
create mode 100644 libselinux/src/validatetrans.c
create mode 100644 libselinux/utils/validatetrans.c
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index a34d54fc..f54f236b 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
const char *username,
char *** con);
+/* Validate a transition. This determines whether a transition from scon to newcon
+ using tcon as the target for object class tclass is valid in the loaded policy.
+ This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
+ Returns 0 if allowed and -1 if an error occured with errno set */
+extern int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+extern int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+
/* Load a policy configuration. */
extern int security_load_policy(void *data, size_t len);
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 2aade5fe..a7181bed 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -1,7 +1,7 @@
.TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
-security_compute_member, security_compute_user, security_get_initial_context \- query
+security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
the SELinux policy database in the kernel
.
.SH "SYNOPSIS"
@@ -35,6 +35,10 @@ the SELinux policy database in the kernel
.sp
.BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
.sp
+.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
+.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
.BI "int security_get_initial_context(const char *" name ", char **" con );
.sp
.BI "int security_get_initial_context_raw(const char *" name ", char **" con );
@@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
source context. It is mainly used by
.BR get_ordered_context_list ().
+.BR security_validatetrans ()
+is used to determine if a transition from scon to newcon using tcon as the object
+is valid for object class tclass. This checks against the mlsvalidatetrans and
+validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
+if an error occured with errno set.
+
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
.I name
@@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
.BR \%security_compute_relabel_raw (),
.BR \%security_compute_member_raw (),
.BR \%security_compute_user_raw ()
+.BR \%security_validatetrans_raw ()
and
.BR \%security_get_initial_context_raw ()
behave identically to their non-raw counterparts but do not perform context
diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans_raw.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 70b5025d..acd59c7c 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(security_compute_create_name_raw)
hidden_proto(security_compute_member_raw)
hidden_proto(security_compute_relabel_raw)
+ hidden_proto(security_validatetrans)
+ hidden_proto(security_validatetrans_raw)
hidden_proto(is_selinux_enabled)
hidden_proto(is_selinux_mls_enabled)
hidden_proto(freecon)
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
new file mode 100644
index 00000000..e080e166
--- /dev/null
+++ b/libselinux/src/validatetrans.c
@@ -0,0 +1,98 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <limits.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include "mapping.h"
+
+int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ char path[PATH_MAX];
+ char *buf = NULL;
+ int size, bufsz;
+ int fd, ret = -1;
+ errno = ENOENT;
+
+ if (!selinux_mnt) {
+ return -1;
+ }
+
+ snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
+ fd = open(path, O_WRONLY | O_CLOEXEC);
+ if (fd < 0) {
+ return -1;
+ }
+
+ errno = EINVAL;
+ size = selinux_page_size;
+ buf = malloc(size);
+ if (!buf) {
+ goto out;
+ }
+
+ bufsz = snprintf(NULL, 0, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
+ if (bufsz > size) {
+ // This is going to be too large
+ goto out;
+ }
+ if (bufsz != snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon)) {
+ // It got truncated somehow
+ goto out;
+ }
+
+ // clear errno for write()
+ errno = 0;
+ ret = write(fd, buf, strlen(buf));
+ if (ret > 0) {
+ // The kernel returns the bytes written on success, not 0 as noted in the commit message
+ ret = 0;
+ }
+out:
+ free(buf);
+ close(fd);
+ return ret;
+}
+
+hidden_def(security_validatetrans_raw)
+
+int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ int ret = -1;
+ char *rscon = NULL;
+ char *rtcon = NULL;
+ char *rnewcon = NULL;
+
+ if (selinux_trans_to_raw_context(scon, &rscon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(tcon, &rtcon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
+ goto out;
+ }
+
+ ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
+
+out:
+ freecon(rnewcon);
+ freecon(rtcon);
+ freecon(rscon);
+
+ return ret;
+}
+
+hidden_def(security_validatetrans)
diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index 5cd01025..aba18a3c 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -25,3 +25,4 @@ setenforce
setfilecon
togglesebool
selinux_check_access
+validatetrans
diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
new file mode 100644
index 00000000..1db33e66
--- /dev/null
+++ b/libselinux/utils/validatetrans.c
@@ -0,0 +1,30 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv)
+{
+ security_class_t tclass;
+ int ret;
+
+ if (argc != 5) {
+ fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
+ argv[0]);
+ exit(1);
+ }
+
+ tclass = string_to_security_class(argv[3]);
+ if (!tclass) {
+ fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
+ exit(2);
+ }
+
+ ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
+ printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
+
+ return ret;
+}
--
2.17.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v3] Add security_validatetrans support
2019-04-05 14:08 ` [PATCH v3] " Joshua Brindle
@ 2019-04-05 14:43 ` William Roberts
2019-04-05 18:38 ` [PATCH v4] " Joshua Brindle
0 siblings, 1 reply; 14+ messages in thread
From: William Roberts @ 2019-04-05 14:43 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
On Fri, Apr 5, 2019 at 7:09 AM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
>
> It seems validatetrans support was never added to libselinux, despite being added to
> selinuxfs in kernel version 4.5
>
> There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:
>
> $ cat validatetrans.cil
> (mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))
>
> $ sudo semodule -i validatetrans.cil
>
> $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
> opening /sys/fs/selinux/validatetrans
> security_validatetrans returned -1 errno: Invalid argument
>
> $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
> opening /sys/fs/selinux/validatetrans
> security_validatetrans returned -1 errno: Operation not permitted
>
> $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
> opening /sys/fs/selinux/validatetrans
> security_validatetrans returned 0 errno: Success
>
> Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> ---
> libselinux/include/selinux/selinux.h | 13 +++
> libselinux/man/man3/security_compute_av.3 | 13 ++-
> libselinux/man/man3/security_validatetrans.c | 1 +
> .../man/man3/security_validatetrans_raw.c | 1 +
> libselinux/src/selinux_internal.h | 2 +
> libselinux/src/validatetrans.c | 98 +++++++++++++++++++
> libselinux/utils/.gitignore | 1 +
> libselinux/utils/validatetrans.c | 30 ++++++
> 8 files changed, 158 insertions(+), 1 deletion(-)
> create mode 100644 libselinux/man/man3/security_validatetrans.c
> create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
> create mode 100644 libselinux/src/validatetrans.c
> create mode 100644 libselinux/utils/validatetrans.c
>
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index a34d54fc..f54f236b 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
> const char *username,
> char *** con);
>
> +/* Validate a transition. This determines whether a transition from scon to newcon
> + using tcon as the target for object class tclass is valid in the loaded policy.
> + This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
> + Returns 0 if allowed and -1 if an error occured with errno set */
> +extern int security_validatetrans(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon);
> +extern int security_validatetrans_raw(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon);
> +
> /* Load a policy configuration. */
> extern int security_load_policy(void *data, size_t len);
>
> diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
> index 2aade5fe..a7181bed 100644
> --- a/libselinux/man/man3/security_compute_av.3
> +++ b/libselinux/man/man3/security_compute_av.3
> @@ -1,7 +1,7 @@
> .TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
> .SH "NAME"
> security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
> -security_compute_member, security_compute_user, security_get_initial_context \- query
> +security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
> the SELinux policy database in the kernel
> .
> .SH "SYNOPSIS"
> @@ -35,6 +35,10 @@ the SELinux policy database in the kernel
> .sp
> .BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
> .sp
> +.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> +.sp
> +.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> +.sp
> .BI "int security_get_initial_context(const char *" name ", char **" con );
> .sp
> .BI "int security_get_initial_context_raw(const char *" name ", char **" con );
> @@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
> source context. It is mainly used by
> .BR get_ordered_context_list ().
>
> +.BR security_validatetrans ()
> +is used to determine if a transition from scon to newcon using tcon as the object
> +is valid for object class tclass. This checks against the mlsvalidatetrans and
> +validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
> +if an error occured with errno set.
> +
> .BR security_get_initial_context ()
> is used to get the context of a kernel initial security identifier specified by
> .I name
> @@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
> .BR \%security_compute_relabel_raw (),
> .BR \%security_compute_member_raw (),
> .BR \%security_compute_user_raw ()
> +.BR \%security_validatetrans_raw ()
> and
> .BR \%security_get_initial_context_raw ()
> behave identically to their non-raw counterparts but do not perform context
> diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
> new file mode 100644
> index 00000000..a60bca4d
> --- /dev/null
> +++ b/libselinux/man/man3/security_validatetrans.c
> @@ -0,0 +1 @@
> +.so man3/security_compute_av.3
> diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
> new file mode 100644
> index 00000000..a60bca4d
> --- /dev/null
> +++ b/libselinux/man/man3/security_validatetrans_raw.c
> @@ -0,0 +1 @@
> +.so man3/security_compute_av.3
> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> index 70b5025d..acd59c7c 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
> hidden_proto(security_compute_create_name_raw)
> hidden_proto(security_compute_member_raw)
> hidden_proto(security_compute_relabel_raw)
> + hidden_proto(security_validatetrans)
> + hidden_proto(security_validatetrans_raw)
> hidden_proto(is_selinux_enabled)
> hidden_proto(is_selinux_mls_enabled)
> hidden_proto(freecon)
> diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
> new file mode 100644
> index 00000000..e080e166
> --- /dev/null
> +++ b/libselinux/src/validatetrans.c
> @@ -0,0 +1,98 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <errno.h>
> +#include <string.h>
> +#include <limits.h>
> +#include "selinux_internal.h"
> +#include "policy.h"
> +#include "mapping.h"
> +
> +int security_validatetrans_raw(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon)
> +{
> + char path[PATH_MAX];
> + char *buf = NULL;
> + int size, bufsz;
> + int fd, ret = -1;
> + errno = ENOENT;
> +
> + if (!selinux_mnt) {
> + return -1;
> + }
> +
> + snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
> + fd = open(path, O_WRONLY | O_CLOEXEC);
> + if (fd < 0) {
> + return -1;
> + }
> +
> + errno = EINVAL;
> + size = selinux_page_size;
> + buf = malloc(size);
> + if (!buf) {
> + goto out;
> + }
> +
> + bufsz = snprintf(NULL, 0, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
> + if (bufsz > size) {
> + // This is going to be too large
> + goto out;
> + }
> + if (bufsz != snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon)) {
> + // It got truncated somehow
> + goto out;
> + }
This seems like the hardest way to do this, especially to catch an
exceptional error.
Per the man page, "a return value of size or more means that the
output was truncated."
bufsz = snprintf(buf, size, "%s %s %hu %s", scon, tcon,
unmap_class(tclass), newcon)
if (bufsz < 0 || bufsz >= size) {
// It got truncated somehow
goto out;
}
No need to call it twice.
> +
> + // clear errno for write()
> + errno = 0;
> + ret = write(fd, buf, strlen(buf));
> + if (ret > 0) {
> + // The kernel returns the bytes written on success, not 0 as noted in the commit message
> + ret = 0;
> + }
> +out:
> + free(buf);
> + close(fd);
> + return ret;
> +}
> +
> +hidden_def(security_validatetrans_raw)
> +
> +int security_validatetrans(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon)
> +{
> + int ret = -1;
> + char *rscon = NULL;
> + char *rtcon = NULL;
> + char *rnewcon = NULL;
> +
> + if (selinux_trans_to_raw_context(scon, &rscon)) {
> + goto out;
> + }
> +
> + if (selinux_trans_to_raw_context(tcon, &rtcon)) {
> + goto out;
> + }
> +
> + if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
> + goto out;
> + }
> +
> + ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
> +
> +out:
> + freecon(rnewcon);
> + freecon(rtcon);
> + freecon(rscon);
> +
> + return ret;
> +}
> +
> +hidden_def(security_validatetrans)
> diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
> index 5cd01025..aba18a3c 100644
> --- a/libselinux/utils/.gitignore
> +++ b/libselinux/utils/.gitignore
> @@ -25,3 +25,4 @@ setenforce
> setfilecon
> togglesebool
> selinux_check_access
> +validatetrans
> diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
> new file mode 100644
> index 00000000..1db33e66
> --- /dev/null
> +++ b/libselinux/utils/validatetrans.c
> @@ -0,0 +1,30 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <errno.h>
> +#include <selinux/selinux.h>
> +
> +int main(int argc, char **argv)
> +{
> + security_class_t tclass;
> + int ret;
> +
> + if (argc != 5) {
> + fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
> + argv[0]);
> + exit(1);
> + }
> +
> + tclass = string_to_security_class(argv[3]);
> + if (!tclass) {
> + fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
> + exit(2);
> + }
> +
> + ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
> + printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
> +
> + return ret;
> +}
> --
> 2.17.2
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v4] Add security_validatetrans support
2019-04-05 14:43 ` William Roberts
@ 2019-04-05 18:38 ` Joshua Brindle
2019-04-05 18:50 ` William Roberts
0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2019-04-05 18:38 UTC (permalink / raw)
To: selinux; +Cc: Joshua Brindle
It seems validatetrans support was never added to libselinux, despite being added to
selinuxfs in kernel version 4.5
There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:
$ cat validatetrans.cil
(mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))
$ sudo semodule -i validatetrans.cil
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Invalid argument
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Operation not permitted
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned 0 errno: Success
Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
---
libselinux/include/selinux/selinux.h | 13 +++
libselinux/man/man3/security_compute_av.3 | 13 ++-
libselinux/man/man3/security_validatetrans.c | 1 +
.../man/man3/security_validatetrans_raw.c | 1 +
libselinux/src/selinux_internal.h | 2 +
libselinux/src/validatetrans.c | 94 +++++++++++++++++++
libselinux/utils/.gitignore | 1 +
libselinux/utils/validatetrans.c | 30 ++++++
8 files changed, 154 insertions(+), 1 deletion(-)
create mode 100644 libselinux/man/man3/security_validatetrans.c
create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
create mode 100644 libselinux/src/validatetrans.c
create mode 100644 libselinux/utils/validatetrans.c
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index a34d54fc..f54f236b 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
const char *username,
char *** con);
+/* Validate a transition. This determines whether a transition from scon to newcon
+ using tcon as the target for object class tclass is valid in the loaded policy.
+ This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
+ Returns 0 if allowed and -1 if an error occured with errno set */
+extern int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+extern int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+
/* Load a policy configuration. */
extern int security_load_policy(void *data, size_t len);
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 2aade5fe..a7181bed 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -1,7 +1,7 @@
.TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
-security_compute_member, security_compute_user, security_get_initial_context \- query
+security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
the SELinux policy database in the kernel
.
.SH "SYNOPSIS"
@@ -35,6 +35,10 @@ the SELinux policy database in the kernel
.sp
.BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
.sp
+.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
+.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
.BI "int security_get_initial_context(const char *" name ", char **" con );
.sp
.BI "int security_get_initial_context_raw(const char *" name ", char **" con );
@@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
source context. It is mainly used by
.BR get_ordered_context_list ().
+.BR security_validatetrans ()
+is used to determine if a transition from scon to newcon using tcon as the object
+is valid for object class tclass. This checks against the mlsvalidatetrans and
+validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
+if an error occured with errno set.
+
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
.I name
@@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
.BR \%security_compute_relabel_raw (),
.BR \%security_compute_member_raw (),
.BR \%security_compute_user_raw ()
+.BR \%security_validatetrans_raw ()
and
.BR \%security_get_initial_context_raw ()
behave identically to their non-raw counterparts but do not perform context
diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans_raw.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 70b5025d..acd59c7c 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(security_compute_create_name_raw)
hidden_proto(security_compute_member_raw)
hidden_proto(security_compute_relabel_raw)
+ hidden_proto(security_validatetrans)
+ hidden_proto(security_validatetrans_raw)
hidden_proto(is_selinux_enabled)
hidden_proto(is_selinux_mls_enabled)
hidden_proto(freecon)
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
new file mode 100644
index 00000000..9e745a91
--- /dev/null
+++ b/libselinux/src/validatetrans.c
@@ -0,0 +1,94 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <limits.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include "mapping.h"
+
+int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ char path[PATH_MAX];
+ char *buf = NULL;
+ int size, bufsz;
+ int fd, ret = -1;
+ errno = ENOENT;
+
+ if (!selinux_mnt) {
+ return -1;
+ }
+
+ snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
+ fd = open(path, O_WRONLY | O_CLOEXEC);
+ if (fd < 0) {
+ return -1;
+ }
+
+ errno = EINVAL;
+ size = selinux_page_size;
+ buf = malloc(size);
+ if (!buf) {
+ goto out;
+ }
+
+ bufsz = snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
+ if (bufsz >= size) {
+ // It got truncated
+ goto out;
+ }
+
+ // clear errno for write()
+ errno = 0;
+ ret = write(fd, buf, strlen(buf));
+ if (ret > 0) {
+ // The kernel returns the bytes written on success, not 0 as noted in the commit message
+ ret = 0;
+ }
+out:
+ free(buf);
+ close(fd);
+ return ret;
+}
+
+hidden_def(security_validatetrans_raw)
+
+int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ int ret = -1;
+ char *rscon = NULL;
+ char *rtcon = NULL;
+ char *rnewcon = NULL;
+
+ if (selinux_trans_to_raw_context(scon, &rscon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(tcon, &rtcon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
+ goto out;
+ }
+
+ ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
+
+out:
+ freecon(rnewcon);
+ freecon(rtcon);
+ freecon(rscon);
+
+ return ret;
+}
+
+hidden_def(security_validatetrans)
diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index 5cd01025..aba18a3c 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -25,3 +25,4 @@ setenforce
setfilecon
togglesebool
selinux_check_access
+validatetrans
diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
new file mode 100644
index 00000000..1db33e66
--- /dev/null
+++ b/libselinux/utils/validatetrans.c
@@ -0,0 +1,30 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv)
+{
+ security_class_t tclass;
+ int ret;
+
+ if (argc != 5) {
+ fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
+ argv[0]);
+ exit(1);
+ }
+
+ tclass = string_to_security_class(argv[3]);
+ if (!tclass) {
+ fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
+ exit(2);
+ }
+
+ ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
+ printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
+
+ return ret;
+}
--
2.17.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v4] Add security_validatetrans support
2019-04-05 18:38 ` [PATCH v4] " Joshua Brindle
@ 2019-04-05 18:50 ` William Roberts
2019-04-05 18:53 ` Joshua Brindle
0 siblings, 1 reply; 14+ messages in thread
From: William Roberts @ 2019-04-05 18:50 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
On Fri, Apr 5, 2019 at 11:39 AM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
>
> It seems validatetrans support was never added to libselinux, despite being added to
> selinuxfs in kernel version 4.5
>
> There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:
>
> $ cat validatetrans.cil
> (mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))
>
> $ sudo semodule -i validatetrans.cil
>
> $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
> opening /sys/fs/selinux/validatetrans
> security_validatetrans returned -1 errno: Invalid argument
>
> $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
> opening /sys/fs/selinux/validatetrans
> security_validatetrans returned -1 errno: Operation not permitted
>
> $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
> opening /sys/fs/selinux/validatetrans
> security_validatetrans returned 0 errno: Success
>
> Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> ---
> libselinux/include/selinux/selinux.h | 13 +++
> libselinux/man/man3/security_compute_av.3 | 13 ++-
> libselinux/man/man3/security_validatetrans.c | 1 +
> .../man/man3/security_validatetrans_raw.c | 1 +
> libselinux/src/selinux_internal.h | 2 +
> libselinux/src/validatetrans.c | 94 +++++++++++++++++++
> libselinux/utils/.gitignore | 1 +
> libselinux/utils/validatetrans.c | 30 ++++++
> 8 files changed, 154 insertions(+), 1 deletion(-)
> create mode 100644 libselinux/man/man3/security_validatetrans.c
> create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
> create mode 100644 libselinux/src/validatetrans.c
> create mode 100644 libselinux/utils/validatetrans.c
>
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index a34d54fc..f54f236b 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
> const char *username,
> char *** con);
>
> +/* Validate a transition. This determines whether a transition from scon to newcon
> + using tcon as the target for object class tclass is valid in the loaded policy.
> + This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
> + Returns 0 if allowed and -1 if an error occured with errno set */
> +extern int security_validatetrans(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon);
> +extern int security_validatetrans_raw(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon);
> +
> /* Load a policy configuration. */
> extern int security_load_policy(void *data, size_t len);
>
> diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
> index 2aade5fe..a7181bed 100644
> --- a/libselinux/man/man3/security_compute_av.3
> +++ b/libselinux/man/man3/security_compute_av.3
> @@ -1,7 +1,7 @@
> .TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
> .SH "NAME"
> security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
> -security_compute_member, security_compute_user, security_get_initial_context \- query
> +security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
> the SELinux policy database in the kernel
> .
> .SH "SYNOPSIS"
> @@ -35,6 +35,10 @@ the SELinux policy database in the kernel
> .sp
> .BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
> .sp
> +.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> +.sp
> +.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> +.sp
> .BI "int security_get_initial_context(const char *" name ", char **" con );
> .sp
> .BI "int security_get_initial_context_raw(const char *" name ", char **" con );
> @@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
> source context. It is mainly used by
> .BR get_ordered_context_list ().
>
> +.BR security_validatetrans ()
> +is used to determine if a transition from scon to newcon using tcon as the object
> +is valid for object class tclass. This checks against the mlsvalidatetrans and
> +validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
> +if an error occured with errno set.
> +
> .BR security_get_initial_context ()
> is used to get the context of a kernel initial security identifier specified by
> .I name
> @@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
> .BR \%security_compute_relabel_raw (),
> .BR \%security_compute_member_raw (),
> .BR \%security_compute_user_raw ()
> +.BR \%security_validatetrans_raw ()
> and
> .BR \%security_get_initial_context_raw ()
> behave identically to their non-raw counterparts but do not perform context
> diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
> new file mode 100644
> index 00000000..a60bca4d
> --- /dev/null
> +++ b/libselinux/man/man3/security_validatetrans.c
> @@ -0,0 +1 @@
> +.so man3/security_compute_av.3
> diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
> new file mode 100644
> index 00000000..a60bca4d
> --- /dev/null
> +++ b/libselinux/man/man3/security_validatetrans_raw.c
> @@ -0,0 +1 @@
> +.so man3/security_compute_av.3
> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> index 70b5025d..acd59c7c 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
> hidden_proto(security_compute_create_name_raw)
> hidden_proto(security_compute_member_raw)
> hidden_proto(security_compute_relabel_raw)
> + hidden_proto(security_validatetrans)
> + hidden_proto(security_validatetrans_raw)
> hidden_proto(is_selinux_enabled)
> hidden_proto(is_selinux_mls_enabled)
> hidden_proto(freecon)
> diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
> new file mode 100644
> index 00000000..9e745a91
> --- /dev/null
> +++ b/libselinux/src/validatetrans.c
> @@ -0,0 +1,94 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <errno.h>
> +#include <string.h>
> +#include <limits.h>
> +#include "selinux_internal.h"
> +#include "policy.h"
> +#include "mapping.h"
> +
> +int security_validatetrans_raw(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon)
> +{
> + char path[PATH_MAX];
> + char *buf = NULL;
> + int size, bufsz;
> + int fd, ret = -1;
> + errno = ENOENT;
> +
> + if (!selinux_mnt) {
> + return -1;
> + }
> +
> + snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
> + fd = open(path, O_WRONLY | O_CLOEXEC);
> + if (fd < 0) {
> + return -1;
> + }
> +
> + errno = EINVAL;
> + size = selinux_page_size;
> + buf = malloc(size);
> + if (!buf) {
> + goto out;
> + }
> +
> + bufsz = snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
> + if (bufsz >= size) {
I guess this is fine, I don't think the negative return conditions can
exist unless you bork the format
string.
> + // It got truncated
> + goto out;
> + }
> +
> + // clear errno for write()
> + errno = 0;
> + ret = write(fd, buf, strlen(buf));
> + if (ret > 0) {
> + // The kernel returns the bytes written on success, not 0 as noted in the commit message
> + ret = 0;
> + }
> +out:
> + free(buf);
> + close(fd);
> + return ret;
> +}
> +
> +hidden_def(security_validatetrans_raw)
> +
> +int security_validatetrans(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon)
> +{
> + int ret = -1;
> + char *rscon = NULL;
> + char *rtcon = NULL;
> + char *rnewcon = NULL;
> +
> + if (selinux_trans_to_raw_context(scon, &rscon)) {
> + goto out;
> + }
> +
> + if (selinux_trans_to_raw_context(tcon, &rtcon)) {
> + goto out;
> + }
> +
> + if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
> + goto out;
> + }
> +
> + ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
> +
> +out:
> + freecon(rnewcon);
> + freecon(rtcon);
> + freecon(rscon);
> +
> + return ret;
> +}
> +
> +hidden_def(security_validatetrans)
> diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
> index 5cd01025..aba18a3c 100644
> --- a/libselinux/utils/.gitignore
> +++ b/libselinux/utils/.gitignore
> @@ -25,3 +25,4 @@ setenforce
> setfilecon
> togglesebool
> selinux_check_access
> +validatetrans
> diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
> new file mode 100644
> index 00000000..1db33e66
> --- /dev/null
> +++ b/libselinux/utils/validatetrans.c
> @@ -0,0 +1,30 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <errno.h>
> +#include <selinux/selinux.h>
> +
> +int main(int argc, char **argv)
> +{
> + security_class_t tclass;
> + int ret;
> +
> + if (argc != 5) {
> + fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
> + argv[0]);
> + exit(1);
> + }
> +
> + tclass = string_to_security_class(argv[3]);
> + if (!tclass) {
> + fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
> + exit(2);
> + }
> +
> + ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
> + printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
> +
> + return ret;
> +}
> --
> 2.17.2
>
ack
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v4] Add security_validatetrans support
2019-04-05 18:50 ` William Roberts
@ 2019-04-05 18:53 ` Joshua Brindle
2019-04-05 19:01 ` [PATCH v5] " Joshua Brindle
0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2019-04-05 18:53 UTC (permalink / raw)
To: William Roberts; +Cc: selinux
<snip>
>
> I guess this is fine, I don't think the negative return conditions can
> exist unless you bork the format
> string.
>
I'll fix it.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v5] Add security_validatetrans support
2019-04-05 18:53 ` Joshua Brindle
@ 2019-04-05 19:01 ` Joshua Brindle
2019-04-05 19:04 ` William Roberts
0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2019-04-05 19:01 UTC (permalink / raw)
To: selinux; +Cc: Joshua Brindle
It seems validatetrans support was never added to libselinux, despite being added to
selinuxfs in kernel version 4.5
There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:
$ cat validatetrans.cil
(mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))
$ sudo semodule -i validatetrans.cil
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Invalid argument
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Operation not permitted
$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned 0 errno: Success
Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
---
libselinux/include/selinux/selinux.h | 13 +++
libselinux/man/man3/security_compute_av.3 | 13 ++-
libselinux/man/man3/security_validatetrans.c | 1 +
.../man/man3/security_validatetrans_raw.c | 1 +
libselinux/src/selinux_internal.h | 2 +
libselinux/src/validatetrans.c | 94 +++++++++++++++++++
libselinux/utils/.gitignore | 1 +
libselinux/utils/validatetrans.c | 30 ++++++
8 files changed, 154 insertions(+), 1 deletion(-)
create mode 100644 libselinux/man/man3/security_validatetrans.c
create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
create mode 100644 libselinux/src/validatetrans.c
create mode 100644 libselinux/utils/validatetrans.c
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index a34d54fc..f54f236b 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
const char *username,
char *** con);
+/* Validate a transition. This determines whether a transition from scon to newcon
+ using tcon as the target for object class tclass is valid in the loaded policy.
+ This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
+ Returns 0 if allowed and -1 if an error occured with errno set */
+extern int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+extern int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon);
+
/* Load a policy configuration. */
extern int security_load_policy(void *data, size_t len);
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 2aade5fe..a7181bed 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -1,7 +1,7 @@
.TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
-security_compute_member, security_compute_user, security_get_initial_context \- query
+security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
the SELinux policy database in the kernel
.
.SH "SYNOPSIS"
@@ -35,6 +35,10 @@ the SELinux policy database in the kernel
.sp
.BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
.sp
+.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
+.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
+.sp
.BI "int security_get_initial_context(const char *" name ", char **" con );
.sp
.BI "int security_get_initial_context_raw(const char *" name ", char **" con );
@@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
source context. It is mainly used by
.BR get_ordered_context_list ().
+.BR security_validatetrans ()
+is used to determine if a transition from scon to newcon using tcon as the object
+is valid for object class tclass. This checks against the mlsvalidatetrans and
+validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
+if an error occured with errno set.
+
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
.I name
@@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
.BR \%security_compute_relabel_raw (),
.BR \%security_compute_member_raw (),
.BR \%security_compute_user_raw ()
+.BR \%security_validatetrans_raw ()
and
.BR \%security_get_initial_context_raw ()
behave identically to their non-raw counterparts but do not perform context
diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
new file mode 100644
index 00000000..a60bca4d
--- /dev/null
+++ b/libselinux/man/man3/security_validatetrans_raw.c
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 70b5025d..acd59c7c 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(security_compute_create_name_raw)
hidden_proto(security_compute_member_raw)
hidden_proto(security_compute_relabel_raw)
+ hidden_proto(security_validatetrans)
+ hidden_proto(security_validatetrans_raw)
hidden_proto(is_selinux_enabled)
hidden_proto(is_selinux_mls_enabled)
hidden_proto(freecon)
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
new file mode 100644
index 00000000..2aa300cf
--- /dev/null
+++ b/libselinux/src/validatetrans.c
@@ -0,0 +1,94 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <limits.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include "mapping.h"
+
+int security_validatetrans_raw(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ char path[PATH_MAX];
+ char *buf = NULL;
+ int size, bufsz;
+ int fd, ret = -1;
+ errno = ENOENT;
+
+ if (!selinux_mnt) {
+ return -1;
+ }
+
+ snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
+ fd = open(path, O_WRONLY | O_CLOEXEC);
+ if (fd < 0) {
+ return -1;
+ }
+
+ errno = EINVAL;
+ size = selinux_page_size;
+ buf = malloc(size);
+ if (!buf) {
+ goto out;
+ }
+
+ bufsz = snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
+ if (bufsz >= size || bufsz < 0) {
+ // It got truncated or there was an encoding error
+ goto out;
+ }
+
+ // clear errno for write()
+ errno = 0;
+ ret = write(fd, buf, strlen(buf));
+ if (ret > 0) {
+ // The kernel returns the bytes written on success, not 0 as noted in the commit message
+ ret = 0;
+ }
+out:
+ free(buf);
+ close(fd);
+ return ret;
+}
+
+hidden_def(security_validatetrans_raw)
+
+int security_validatetrans(const char *scon,
+ const char *tcon,
+ security_class_t tclass,
+ const char *newcon)
+{
+ int ret = -1;
+ char *rscon = NULL;
+ char *rtcon = NULL;
+ char *rnewcon = NULL;
+
+ if (selinux_trans_to_raw_context(scon, &rscon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(tcon, &rtcon)) {
+ goto out;
+ }
+
+ if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
+ goto out;
+ }
+
+ ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
+
+out:
+ freecon(rnewcon);
+ freecon(rtcon);
+ freecon(rscon);
+
+ return ret;
+}
+
+hidden_def(security_validatetrans)
diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index 5cd01025..aba18a3c 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -25,3 +25,4 @@ setenforce
setfilecon
togglesebool
selinux_check_access
+validatetrans
diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
new file mode 100644
index 00000000..1db33e66
--- /dev/null
+++ b/libselinux/utils/validatetrans.c
@@ -0,0 +1,30 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv)
+{
+ security_class_t tclass;
+ int ret;
+
+ if (argc != 5) {
+ fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
+ argv[0]);
+ exit(1);
+ }
+
+ tclass = string_to_security_class(argv[3]);
+ if (!tclass) {
+ fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
+ exit(2);
+ }
+
+ ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
+ printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
+
+ return ret;
+}
--
2.17.2
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v5] Add security_validatetrans support
2019-04-05 19:01 ` [PATCH v5] " Joshua Brindle
@ 2019-04-05 19:04 ` William Roberts
2019-04-07 20:58 ` Nicolas Iooss
0 siblings, 1 reply; 14+ messages in thread
From: William Roberts @ 2019-04-05 19:04 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
On Fri, Apr 5, 2019 at 12:01 PM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
>
> It seems validatetrans support was never added to libselinux, despite being added to
> selinuxfs in kernel version 4.5
>
> There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:
>
> $ cat validatetrans.cil
> (mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))
>
> $ sudo semodule -i validatetrans.cil
>
> $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
> opening /sys/fs/selinux/validatetrans
> security_validatetrans returned -1 errno: Invalid argument
>
> $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
> opening /sys/fs/selinux/validatetrans
> security_validatetrans returned -1 errno: Operation not permitted
>
> $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
> opening /sys/fs/selinux/validatetrans
> security_validatetrans returned 0 errno: Success
>
> Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> ---
> libselinux/include/selinux/selinux.h | 13 +++
> libselinux/man/man3/security_compute_av.3 | 13 ++-
> libselinux/man/man3/security_validatetrans.c | 1 +
> .../man/man3/security_validatetrans_raw.c | 1 +
> libselinux/src/selinux_internal.h | 2 +
> libselinux/src/validatetrans.c | 94 +++++++++++++++++++
> libselinux/utils/.gitignore | 1 +
> libselinux/utils/validatetrans.c | 30 ++++++
> 8 files changed, 154 insertions(+), 1 deletion(-)
> create mode 100644 libselinux/man/man3/security_validatetrans.c
> create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
> create mode 100644 libselinux/src/validatetrans.c
> create mode 100644 libselinux/utils/validatetrans.c
>
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index a34d54fc..f54f236b 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
> const char *username,
> char *** con);
>
> +/* Validate a transition. This determines whether a transition from scon to newcon
> + using tcon as the target for object class tclass is valid in the loaded policy.
> + This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
> + Returns 0 if allowed and -1 if an error occured with errno set */
> +extern int security_validatetrans(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon);
> +extern int security_validatetrans_raw(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon);
> +
> /* Load a policy configuration. */
> extern int security_load_policy(void *data, size_t len);
>
> diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
> index 2aade5fe..a7181bed 100644
> --- a/libselinux/man/man3/security_compute_av.3
> +++ b/libselinux/man/man3/security_compute_av.3
> @@ -1,7 +1,7 @@
> .TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
> .SH "NAME"
> security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
> -security_compute_member, security_compute_user, security_get_initial_context \- query
> +security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
> the SELinux policy database in the kernel
> .
> .SH "SYNOPSIS"
> @@ -35,6 +35,10 @@ the SELinux policy database in the kernel
> .sp
> .BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
> .sp
> +.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> +.sp
> +.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> +.sp
> .BI "int security_get_initial_context(const char *" name ", char **" con );
> .sp
> .BI "int security_get_initial_context_raw(const char *" name ", char **" con );
> @@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
> source context. It is mainly used by
> .BR get_ordered_context_list ().
>
> +.BR security_validatetrans ()
> +is used to determine if a transition from scon to newcon using tcon as the object
> +is valid for object class tclass. This checks against the mlsvalidatetrans and
> +validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
> +if an error occured with errno set.
> +
> .BR security_get_initial_context ()
> is used to get the context of a kernel initial security identifier specified by
> .I name
> @@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
> .BR \%security_compute_relabel_raw (),
> .BR \%security_compute_member_raw (),
> .BR \%security_compute_user_raw ()
> +.BR \%security_validatetrans_raw ()
> and
> .BR \%security_get_initial_context_raw ()
> behave identically to their non-raw counterparts but do not perform context
> diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
> new file mode 100644
> index 00000000..a60bca4d
> --- /dev/null
> +++ b/libselinux/man/man3/security_validatetrans.c
> @@ -0,0 +1 @@
> +.so man3/security_compute_av.3
> diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
> new file mode 100644
> index 00000000..a60bca4d
> --- /dev/null
> +++ b/libselinux/man/man3/security_validatetrans_raw.c
> @@ -0,0 +1 @@
> +.so man3/security_compute_av.3
> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> index 70b5025d..acd59c7c 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
> hidden_proto(security_compute_create_name_raw)
> hidden_proto(security_compute_member_raw)
> hidden_proto(security_compute_relabel_raw)
> + hidden_proto(security_validatetrans)
> + hidden_proto(security_validatetrans_raw)
> hidden_proto(is_selinux_enabled)
> hidden_proto(is_selinux_mls_enabled)
> hidden_proto(freecon)
> diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
> new file mode 100644
> index 00000000..2aa300cf
> --- /dev/null
> +++ b/libselinux/src/validatetrans.c
> @@ -0,0 +1,94 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <errno.h>
> +#include <string.h>
> +#include <limits.h>
> +#include "selinux_internal.h"
> +#include "policy.h"
> +#include "mapping.h"
> +
> +int security_validatetrans_raw(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon)
> +{
> + char path[PATH_MAX];
> + char *buf = NULL;
> + int size, bufsz;
> + int fd, ret = -1;
> + errno = ENOENT;
> +
> + if (!selinux_mnt) {
> + return -1;
> + }
> +
> + snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
> + fd = open(path, O_WRONLY | O_CLOEXEC);
> + if (fd < 0) {
> + return -1;
> + }
> +
> + errno = EINVAL;
> + size = selinux_page_size;
> + buf = malloc(size);
> + if (!buf) {
> + goto out;
> + }
> +
> + bufsz = snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
> + if (bufsz >= size || bufsz < 0) {
> + // It got truncated or there was an encoding error
> + goto out;
> + }
> +
> + // clear errno for write()
> + errno = 0;
> + ret = write(fd, buf, strlen(buf));
> + if (ret > 0) {
> + // The kernel returns the bytes written on success, not 0 as noted in the commit message
> + ret = 0;
> + }
> +out:
> + free(buf);
> + close(fd);
> + return ret;
> +}
> +
> +hidden_def(security_validatetrans_raw)
> +
> +int security_validatetrans(const char *scon,
> + const char *tcon,
> + security_class_t tclass,
> + const char *newcon)
> +{
> + int ret = -1;
> + char *rscon = NULL;
> + char *rtcon = NULL;
> + char *rnewcon = NULL;
> +
> + if (selinux_trans_to_raw_context(scon, &rscon)) {
> + goto out;
> + }
> +
> + if (selinux_trans_to_raw_context(tcon, &rtcon)) {
> + goto out;
> + }
> +
> + if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
> + goto out;
> + }
> +
> + ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
> +
> +out:
> + freecon(rnewcon);
> + freecon(rtcon);
> + freecon(rscon);
> +
> + return ret;
> +}
> +
> +hidden_def(security_validatetrans)
> diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
> index 5cd01025..aba18a3c 100644
> --- a/libselinux/utils/.gitignore
> +++ b/libselinux/utils/.gitignore
> @@ -25,3 +25,4 @@ setenforce
> setfilecon
> togglesebool
> selinux_check_access
> +validatetrans
> diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
> new file mode 100644
> index 00000000..1db33e66
> --- /dev/null
> +++ b/libselinux/utils/validatetrans.c
> @@ -0,0 +1,30 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <errno.h>
> +#include <selinux/selinux.h>
> +
> +int main(int argc, char **argv)
> +{
> + security_class_t tclass;
> + int ret;
> +
> + if (argc != 5) {
> + fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
> + argv[0]);
> + exit(1);
> + }
> +
> + tclass = string_to_security_class(argv[3]);
> + if (!tclass) {
> + fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
> + exit(2);
> + }
> +
> + ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
> + printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
> +
> + return ret;
> +}
> --
> 2.17.2
>
ack - staged: https://github.com/SELinuxProject/selinux/pull/142
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5] Add security_validatetrans support
2019-04-05 19:04 ` William Roberts
@ 2019-04-07 20:58 ` Nicolas Iooss
2019-04-09 13:51 ` William Roberts
0 siblings, 1 reply; 14+ messages in thread
From: Nicolas Iooss @ 2019-04-07 20:58 UTC (permalink / raw)
To: William Roberts; +Cc: Joshua Brindle, selinux
On Fri, Apr 5, 2019 at 9:04 PM William Roberts <bill.c.roberts@gmail.com> wrote:
>
> On Fri, Apr 5, 2019 at 12:01 PM Joshua Brindle
> <joshua.brindle@crunchydata.com> wrote:
> >
> > It seems validatetrans support was never added to libselinux, despite being added to
> > selinuxfs in kernel version 4.5
> >
> > There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:
> >
> > $ cat validatetrans.cil
> > (mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))
> >
> > $ sudo semodule -i validatetrans.cil
> >
> > $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
> > opening /sys/fs/selinux/validatetrans
> > security_validatetrans returned -1 errno: Invalid argument
> >
> > $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
> > opening /sys/fs/selinux/validatetrans
> > security_validatetrans returned -1 errno: Operation not permitted
> >
> > $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
> > opening /sys/fs/selinux/validatetrans
> > security_validatetrans returned 0 errno: Success
> >
> > Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> > ---
> > libselinux/include/selinux/selinux.h | 13 +++
> > libselinux/man/man3/security_compute_av.3 | 13 ++-
> > libselinux/man/man3/security_validatetrans.c | 1 +
> > .../man/man3/security_validatetrans_raw.c | 1 +
> > libselinux/src/selinux_internal.h | 2 +
> > libselinux/src/validatetrans.c | 94 +++++++++++++++++++
> > libselinux/utils/.gitignore | 1 +
> > libselinux/utils/validatetrans.c | 30 ++++++
> > 8 files changed, 154 insertions(+), 1 deletion(-)
> > create mode 100644 libselinux/man/man3/security_validatetrans.c
> > create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
> > create mode 100644 libselinux/src/validatetrans.c
> > create mode 100644 libselinux/utils/validatetrans.c
> >
> > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > index a34d54fc..f54f236b 100644
> > --- a/libselinux/include/selinux/selinux.h
> > +++ b/libselinux/include/selinux/selinux.h
> > @@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
> > const char *username,
> > char *** con);
> >
> > +/* Validate a transition. This determines whether a transition from scon to newcon
> > + using tcon as the target for object class tclass is valid in the loaded policy.
> > + This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
> > + Returns 0 if allowed and -1 if an error occured with errno set */
> > +extern int security_validatetrans(const char *scon,
> > + const char *tcon,
> > + security_class_t tclass,
> > + const char *newcon);
> > +extern int security_validatetrans_raw(const char *scon,
> > + const char *tcon,
> > + security_class_t tclass,
> > + const char *newcon);
> > +
> > /* Load a policy configuration. */
> > extern int security_load_policy(void *data, size_t len);
> >
> > diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
> > index 2aade5fe..a7181bed 100644
> > --- a/libselinux/man/man3/security_compute_av.3
> > +++ b/libselinux/man/man3/security_compute_av.3
> > @@ -1,7 +1,7 @@
> > .TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
> > .SH "NAME"
> > security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
> > -security_compute_member, security_compute_user, security_get_initial_context \- query
> > +security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
> > the SELinux policy database in the kernel
> > .
> > .SH "SYNOPSIS"
> > @@ -35,6 +35,10 @@ the SELinux policy database in the kernel
> > .sp
> > .BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
> > .sp
> > +.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> > +.sp
> > +.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> > +.sp
> > .BI "int security_get_initial_context(const char *" name ", char **" con );
> > .sp
> > .BI "int security_get_initial_context_raw(const char *" name ", char **" con );
> > @@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
> > source context. It is mainly used by
> > .BR get_ordered_context_list ().
> >
> > +.BR security_validatetrans ()
> > +is used to determine if a transition from scon to newcon using tcon as the object
> > +is valid for object class tclass. This checks against the mlsvalidatetrans and
> > +validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
> > +if an error occured with errno set.
> > +
> > .BR security_get_initial_context ()
> > is used to get the context of a kernel initial security identifier specified by
> > .I name
> > @@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
> > .BR \%security_compute_relabel_raw (),
> > .BR \%security_compute_member_raw (),
> > .BR \%security_compute_user_raw ()
> > +.BR \%security_validatetrans_raw ()
> > and
> > .BR \%security_get_initial_context_raw ()
> > behave identically to their non-raw counterparts but do not perform context
> > diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
> > new file mode 100644
> > index 00000000..a60bca4d
> > --- /dev/null
> > +++ b/libselinux/man/man3/security_validatetrans.c
> > @@ -0,0 +1 @@
> > +.so man3/security_compute_av.3
> > diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
> > new file mode 100644
> > index 00000000..a60bca4d
> > --- /dev/null
> > +++ b/libselinux/man/man3/security_validatetrans_raw.c
> > @@ -0,0 +1 @@
> > +.so man3/security_compute_av.3
> > diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> > index 70b5025d..acd59c7c 100644
> > --- a/libselinux/src/selinux_internal.h
> > +++ b/libselinux/src/selinux_internal.h
> > @@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
> > hidden_proto(security_compute_create_name_raw)
> > hidden_proto(security_compute_member_raw)
> > hidden_proto(security_compute_relabel_raw)
> > + hidden_proto(security_validatetrans)
> > + hidden_proto(security_validatetrans_raw)
> > hidden_proto(is_selinux_enabled)
> > hidden_proto(is_selinux_mls_enabled)
> > hidden_proto(freecon)
> > diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
> > new file mode 100644
> > index 00000000..2aa300cf
> > --- /dev/null
> > +++ b/libselinux/src/validatetrans.c
> > @@ -0,0 +1,94 @@
> > +#include <unistd.h>
> > +#include <sys/types.h>
> > +#include <fcntl.h>
> > +#include <stdlib.h>
> > +#include <stdio.h>
> > +#include <errno.h>
> > +#include <string.h>
> > +#include <limits.h>
> > +#include "selinux_internal.h"
> > +#include "policy.h"
> > +#include "mapping.h"
> > +
> > +int security_validatetrans_raw(const char *scon,
> > + const char *tcon,
> > + security_class_t tclass,
> > + const char *newcon)
> > +{
> > + char path[PATH_MAX];
> > + char *buf = NULL;
> > + int size, bufsz;
> > + int fd, ret = -1;
> > + errno = ENOENT;
> > +
> > + if (!selinux_mnt) {
> > + return -1;
> > + }
> > +
> > + snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
> > + fd = open(path, O_WRONLY | O_CLOEXEC);
> > + if (fd < 0) {
> > + return -1;
> > + }
> > +
> > + errno = EINVAL;
> > + size = selinux_page_size;
> > + buf = malloc(size);
> > + if (!buf) {
> > + goto out;
> > + }
> > +
> > + bufsz = snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
> > + if (bufsz >= size || bufsz < 0) {
> > + // It got truncated or there was an encoding error
> > + goto out;
> > + }
> > +
> > + // clear errno for write()
> > + errno = 0;
> > + ret = write(fd, buf, strlen(buf));
> > + if (ret > 0) {
> > + // The kernel returns the bytes written on success, not 0 as noted in the commit message
> > + ret = 0;
> > + }
> > +out:
> > + free(buf);
> > + close(fd);
> > + return ret;
> > +}
> > +
> > +hidden_def(security_validatetrans_raw)
> > +
> > +int security_validatetrans(const char *scon,
> > + const char *tcon,
> > + security_class_t tclass,
> > + const char *newcon)
> > +{
> > + int ret = -1;
> > + char *rscon = NULL;
> > + char *rtcon = NULL;
> > + char *rnewcon = NULL;
> > +
> > + if (selinux_trans_to_raw_context(scon, &rscon)) {
> > + goto out;
> > + }
> > +
> > + if (selinux_trans_to_raw_context(tcon, &rtcon)) {
> > + goto out;
> > + }
> > +
> > + if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
> > + goto out;
> > + }
> > +
> > + ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
> > +
> > +out:
> > + freecon(rnewcon);
> > + freecon(rtcon);
> > + freecon(rscon);
> > +
> > + return ret;
> > +}
> > +
> > +hidden_def(security_validatetrans)
> > diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
> > index 5cd01025..aba18a3c 100644
> > --- a/libselinux/utils/.gitignore
> > +++ b/libselinux/utils/.gitignore
> > @@ -25,3 +25,4 @@ setenforce
> > setfilecon
> > togglesebool
> > selinux_check_access
> > +validatetrans
> > diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
> > new file mode 100644
> > index 00000000..1db33e66
> > --- /dev/null
> > +++ b/libselinux/utils/validatetrans.c
> > @@ -0,0 +1,30 @@
> > +#include <unistd.h>
> > +#include <sys/types.h>
> > +#include <stdio.h>
> > +#include <stdlib.h>
> > +#include <string.h>
> > +#include <errno.h>
> > +#include <selinux/selinux.h>
> > +
> > +int main(int argc, char **argv)
> > +{
> > + security_class_t tclass;
> > + int ret;
> > +
> > + if (argc != 5) {
> > + fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
> > + argv[0]);
> > + exit(1);
> > + }
> > +
> > + tclass = string_to_security_class(argv[3]);
> > + if (!tclass) {
> > + fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
> > + exit(2);
> > + }
> > +
> > + ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
> > + printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
> > +
> > + return ret;
> > +}
> > --
> > 2.17.2
> >
>
> ack - staged: https://github.com/SELinuxProject/selinux/pull/142
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Thanks!
Nicolas
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5] Add security_validatetrans support
2019-04-07 20:58 ` Nicolas Iooss
@ 2019-04-09 13:51 ` William Roberts
0 siblings, 0 replies; 14+ messages in thread
From: William Roberts @ 2019-04-09 13:51 UTC (permalink / raw)
To: Nicolas Iooss; +Cc: Joshua Brindle, selinux
merged:
https://github.com/SELinuxProject/selinux/pull/142
On Sun, Apr 7, 2019 at 1:59 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Fri, Apr 5, 2019 at 9:04 PM William Roberts <bill.c.roberts@gmail.com> wrote:
> >
> > On Fri, Apr 5, 2019 at 12:01 PM Joshua Brindle
> > <joshua.brindle@crunchydata.com> wrote:
> > >
> > > It seems validatetrans support was never added to libselinux, despite being added to
> > > selinuxfs in kernel version 4.5
> > >
> > > There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:
> > >
> > > $ cat validatetrans.cil
> > > (mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))
> > >
> > > $ sudo semodule -i validatetrans.cil
> > >
> > > $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
> > > opening /sys/fs/selinux/validatetrans
> > > security_validatetrans returned -1 errno: Invalid argument
> > >
> > > $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
> > > opening /sys/fs/selinux/validatetrans
> > > security_validatetrans returned -1 errno: Operation not permitted
> > >
> > > $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
> > > opening /sys/fs/selinux/validatetrans
> > > security_validatetrans returned 0 errno: Success
> > >
> > > Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> > > ---
> > > libselinux/include/selinux/selinux.h | 13 +++
> > > libselinux/man/man3/security_compute_av.3 | 13 ++-
> > > libselinux/man/man3/security_validatetrans.c | 1 +
> > > .../man/man3/security_validatetrans_raw.c | 1 +
> > > libselinux/src/selinux_internal.h | 2 +
> > > libselinux/src/validatetrans.c | 94 +++++++++++++++++++
> > > libselinux/utils/.gitignore | 1 +
> > > libselinux/utils/validatetrans.c | 30 ++++++
> > > 8 files changed, 154 insertions(+), 1 deletion(-)
> > > create mode 100644 libselinux/man/man3/security_validatetrans.c
> > > create mode 100644 libselinux/man/man3/security_validatetrans_raw.c
> > > create mode 100644 libselinux/src/validatetrans.c
> > > create mode 100644 libselinux/utils/validatetrans.c
> > >
> > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > > index a34d54fc..f54f236b 100644
> > > --- a/libselinux/include/selinux/selinux.h
> > > +++ b/libselinux/include/selinux/selinux.h
> > > @@ -255,6 +255,19 @@ extern int security_compute_user_raw(const char * scon,
> > > const char *username,
> > > char *** con);
> > >
> > > +/* Validate a transition. This determines whether a transition from scon to newcon
> > > + using tcon as the target for object class tclass is valid in the loaded policy.
> > > + This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
> > > + Returns 0 if allowed and -1 if an error occured with errno set */
> > > +extern int security_validatetrans(const char *scon,
> > > + const char *tcon,
> > > + security_class_t tclass,
> > > + const char *newcon);
> > > +extern int security_validatetrans_raw(const char *scon,
> > > + const char *tcon,
> > > + security_class_t tclass,
> > > + const char *newcon);
> > > +
> > > /* Load a policy configuration. */
> > > extern int security_load_policy(void *data, size_t len);
> > >
> > > diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
> > > index 2aade5fe..a7181bed 100644
> > > --- a/libselinux/man/man3/security_compute_av.3
> > > +++ b/libselinux/man/man3/security_compute_av.3
> > > @@ -1,7 +1,7 @@
> > > .TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
> > > .SH "NAME"
> > > security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
> > > -security_compute_member, security_compute_user, security_get_initial_context \- query
> > > +security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
> > > the SELinux policy database in the kernel
> > > .
> > > .SH "SYNOPSIS"
> > > @@ -35,6 +35,10 @@ the SELinux policy database in the kernel
> > > .sp
> > > .BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
> > > .sp
> > > +.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> > > +.sp
> > > +.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
> > > +.sp
> > > .BI "int security_get_initial_context(const char *" name ", char **" con );
> > > .sp
> > > .BI "int security_get_initial_context_raw(const char *" name ", char **" con );
> > > @@ -100,6 +104,12 @@ is used to determine the set of user contexts that can be reached from a
> > > source context. It is mainly used by
> > > .BR get_ordered_context_list ().
> > >
> > > +.BR security_validatetrans ()
> > > +is used to determine if a transition from scon to newcon using tcon as the object
> > > +is valid for object class tclass. This checks against the mlsvalidatetrans and
> > > +validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
> > > +if an error occured with errno set.
> > > +
> > > .BR security_get_initial_context ()
> > > is used to get the context of a kernel initial security identifier specified by
> > > .I name
> > > @@ -111,6 +121,7 @@ is used to get the context of a kernel initial security identifier specified by
> > > .BR \%security_compute_relabel_raw (),
> > > .BR \%security_compute_member_raw (),
> > > .BR \%security_compute_user_raw ()
> > > +.BR \%security_validatetrans_raw ()
> > > and
> > > .BR \%security_get_initial_context_raw ()
> > > behave identically to their non-raw counterparts but do not perform context
> > > diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
> > > new file mode 100644
> > > index 00000000..a60bca4d
> > > --- /dev/null
> > > +++ b/libselinux/man/man3/security_validatetrans.c
> > > @@ -0,0 +1 @@
> > > +.so man3/security_compute_av.3
> > > diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
> > > new file mode 100644
> > > index 00000000..a60bca4d
> > > --- /dev/null
> > > +++ b/libselinux/man/man3/security_validatetrans_raw.c
> > > @@ -0,0 +1 @@
> > > +.so man3/security_compute_av.3
> > > diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> > > index 70b5025d..acd59c7c 100644
> > > --- a/libselinux/src/selinux_internal.h
> > > +++ b/libselinux/src/selinux_internal.h
> > > @@ -29,6 +29,8 @@ hidden_proto(selinux_mkload_policy)
> > > hidden_proto(security_compute_create_name_raw)
> > > hidden_proto(security_compute_member_raw)
> > > hidden_proto(security_compute_relabel_raw)
> > > + hidden_proto(security_validatetrans)
> > > + hidden_proto(security_validatetrans_raw)
> > > hidden_proto(is_selinux_enabled)
> > > hidden_proto(is_selinux_mls_enabled)
> > > hidden_proto(freecon)
> > > diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
> > > new file mode 100644
> > > index 00000000..2aa300cf
> > > --- /dev/null
> > > +++ b/libselinux/src/validatetrans.c
> > > @@ -0,0 +1,94 @@
> > > +#include <unistd.h>
> > > +#include <sys/types.h>
> > > +#include <fcntl.h>
> > > +#include <stdlib.h>
> > > +#include <stdio.h>
> > > +#include <errno.h>
> > > +#include <string.h>
> > > +#include <limits.h>
> > > +#include "selinux_internal.h"
> > > +#include "policy.h"
> > > +#include "mapping.h"
> > > +
> > > +int security_validatetrans_raw(const char *scon,
> > > + const char *tcon,
> > > + security_class_t tclass,
> > > + const char *newcon)
> > > +{
> > > + char path[PATH_MAX];
> > > + char *buf = NULL;
> > > + int size, bufsz;
> > > + int fd, ret = -1;
> > > + errno = ENOENT;
> > > +
> > > + if (!selinux_mnt) {
> > > + return -1;
> > > + }
> > > +
> > > + snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
> > > + fd = open(path, O_WRONLY | O_CLOEXEC);
> > > + if (fd < 0) {
> > > + return -1;
> > > + }
> > > +
> > > + errno = EINVAL;
> > > + size = selinux_page_size;
> > > + buf = malloc(size);
> > > + if (!buf) {
> > > + goto out;
> > > + }
> > > +
> > > + bufsz = snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
> > > + if (bufsz >= size || bufsz < 0) {
> > > + // It got truncated or there was an encoding error
> > > + goto out;
> > > + }
> > > +
> > > + // clear errno for write()
> > > + errno = 0;
> > > + ret = write(fd, buf, strlen(buf));
> > > + if (ret > 0) {
> > > + // The kernel returns the bytes written on success, not 0 as noted in the commit message
> > > + ret = 0;
> > > + }
> > > +out:
> > > + free(buf);
> > > + close(fd);
> > > + return ret;
> > > +}
> > > +
> > > +hidden_def(security_validatetrans_raw)
> > > +
> > > +int security_validatetrans(const char *scon,
> > > + const char *tcon,
> > > + security_class_t tclass,
> > > + const char *newcon)
> > > +{
> > > + int ret = -1;
> > > + char *rscon = NULL;
> > > + char *rtcon = NULL;
> > > + char *rnewcon = NULL;
> > > +
> > > + if (selinux_trans_to_raw_context(scon, &rscon)) {
> > > + goto out;
> > > + }
> > > +
> > > + if (selinux_trans_to_raw_context(tcon, &rtcon)) {
> > > + goto out;
> > > + }
> > > +
> > > + if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
> > > + goto out;
> > > + }
> > > +
> > > + ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
> > > +
> > > +out:
> > > + freecon(rnewcon);
> > > + freecon(rtcon);
> > > + freecon(rscon);
> > > +
> > > + return ret;
> > > +}
> > > +
> > > +hidden_def(security_validatetrans)
> > > diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
> > > index 5cd01025..aba18a3c 100644
> > > --- a/libselinux/utils/.gitignore
> > > +++ b/libselinux/utils/.gitignore
> > > @@ -25,3 +25,4 @@ setenforce
> > > setfilecon
> > > togglesebool
> > > selinux_check_access
> > > +validatetrans
> > > diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
> > > new file mode 100644
> > > index 00000000..1db33e66
> > > --- /dev/null
> > > +++ b/libselinux/utils/validatetrans.c
> > > @@ -0,0 +1,30 @@
> > > +#include <unistd.h>
> > > +#include <sys/types.h>
> > > +#include <stdio.h>
> > > +#include <stdlib.h>
> > > +#include <string.h>
> > > +#include <errno.h>
> > > +#include <selinux/selinux.h>
> > > +
> > > +int main(int argc, char **argv)
> > > +{
> > > + security_class_t tclass;
> > > + int ret;
> > > +
> > > + if (argc != 5) {
> > > + fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
> > > + argv[0]);
> > > + exit(1);
> > > + }
> > > +
> > > + tclass = string_to_security_class(argv[3]);
> > > + if (!tclass) {
> > > + fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
> > > + exit(2);
> > > + }
> > > +
> > > + ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
> > > + printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
> > > +
> > > + return ret;
> > > +}
> > > --
> > > 2.17.2
> > >
> >
> > ack - staged: https://github.com/SELinuxProject/selinux/pull/142
>
> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> Thanks!
> Nicolas
>
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2019-04-09 13:51 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-04 15:36 [PATCH] Add security_validatetrans support Joshua Brindle
2019-04-04 18:43 ` William Roberts
2019-04-04 19:22 ` Joshua Brindle
2019-04-05 0:17 ` Joshua Brindle
2019-04-05 0:32 ` Joshua Brindle
2019-04-05 14:08 ` [PATCH v3] " Joshua Brindle
2019-04-05 14:43 ` William Roberts
2019-04-05 18:38 ` [PATCH v4] " Joshua Brindle
2019-04-05 18:50 ` William Roberts
2019-04-05 18:53 ` Joshua Brindle
2019-04-05 19:01 ` [PATCH v5] " Joshua Brindle
2019-04-05 19:04 ` William Roberts
2019-04-07 20:58 ` Nicolas Iooss
2019-04-09 13:51 ` William Roberts
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.