From: Juraj Marcin <juraj@jurajmarcin.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>,
selinux@vger.kernel.org, Ondrej Mosnacek <omosnace@redhat.com>
Subject: [PATCH 1/5] selinux: move transition to separate structure in avtab_datum
Date: Wed, 31 May 2023 13:29:24 +0200 [thread overview]
Message-ID: <20230531112927.1957093-2-juraj@jurajmarcin.com> (raw)
In-Reply-To: <20230531112927.1957093-1-juraj@jurajmarcin.com>
This is a preparation to move filename transitions to be part of the
avtab data structure. To do that, we first need to create space for it
in the avtab_datum structure which holds the rule for certain
combination of stype, ttype and tclass.
As only type transitions have a special variant that uses a filename, it
would be suboptimal to add a (mostly empty) pointer to some structure to
all avtab rules.
Therefore, this patch adds a new structure to the union in avtab_datum
and moves the otype of the transition to this structure. In the next
patch, this structure will also hold filename transitions for the
combination of stype, ttype and tclass. As the union already contains a
pointer, the size of avtab_datum does not increase. The only trade-off
is that each transition requires at least 4 more bytes and structure
allocation.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
---
security/selinux/ss/avtab.c | 60 ++++++++++++++++++++++++++++++----
security/selinux/ss/avtab.h | 7 +++-
security/selinux/ss/services.c | 5 ++-
3 files changed, 63 insertions(+), 9 deletions(-)
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 6766edc0fe68..a7f348e4509d 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -24,6 +24,7 @@
#include "policydb.h"
static struct kmem_cache *avtab_node_cachep __ro_after_init;
+static struct kmem_cache *avtab_trans_cachep __ro_after_init;
static struct kmem_cache *avtab_xperms_cachep __ro_after_init;
/* Based on MurmurHash3, written by Austin Appleby and placed in the
@@ -71,6 +72,7 @@ avtab_insert_node(struct avtab *h, int hvalue,
const struct avtab_key *key, const struct avtab_datum *datum)
{
struct avtab_node *newnode;
+ struct avtab_trans *trans;
struct avtab_extended_perms *xperms;
newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
if (newnode == NULL)
@@ -85,6 +87,14 @@ avtab_insert_node(struct avtab *h, int hvalue,
}
*xperms = *(datum->u.xperms);
newnode->datum.u.xperms = xperms;
+ } else if (key->specified & AVTAB_TRANSITION) {
+ trans = kmem_cache_zalloc(avtab_trans_cachep, GFP_KERNEL);
+ if (!trans) {
+ kmem_cache_free(avtab_node_cachep, newnode);
+ return NULL;
+ }
+ *trans = *datum->u.trans;
+ newnode->datum.u.trans = trans;
} else {
newnode->datum.u.data = datum->u.data;
}
@@ -289,9 +299,13 @@ void avtab_destroy(struct avtab *h)
while (cur) {
temp = cur;
cur = cur->next;
- if (temp->key.specified & AVTAB_XPERMS)
+ if (temp->key.specified & AVTAB_XPERMS) {
kmem_cache_free(avtab_xperms_cachep,
temp->datum.u.xperms);
+ } else if (temp->key.specified & AVTAB_TRANSITION) {
+ kmem_cache_free(avtab_trans_cachep,
+ temp->datum.u.trans);
+ }
kmem_cache_free(avtab_node_cachep, temp);
}
}
@@ -407,6 +421,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
u32 items, items2, val, vers = pol->policyvers;
struct avtab_key key;
struct avtab_datum datum;
+ struct avtab_trans trans;
struct avtab_extended_perms xperms;
__le32 buf32[ARRAY_SIZE(xperms.perms.p)];
int i, rc;
@@ -473,7 +488,16 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
if (val & spec_order[i]) {
key.specified = spec_order[i] | enabled;
- datum.u.data = le32_to_cpu(buf32[items++]);
+ if (key.specified & AVTAB_TRANSITION) {
+ memset(&trans, 0,
+ sizeof(struct avtab_trans));
+ trans.otype =
+ le32_to_cpu(buf32[items++]);
+ datum.u.trans = &trans;
+ } else {
+ datum.u.data =
+ le32_to_cpu(buf32[items++]);
+ }
rc = insertf(a, &key, &datum, p);
if (rc)
return rc;
@@ -543,6 +567,15 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
for (i = 0; i < ARRAY_SIZE(xperms.perms.p); i++)
xperms.perms.p[i] = le32_to_cpu(buf32[i]);
datum.u.xperms = &xperms;
+ } else if (key.specified & AVTAB_TRANSITION) {
+ memset(&trans, 0, sizeof(struct avtab_trans));
+ rc = next_entry(buf32, fp, sizeof(u32));
+ if (rc) {
+ pr_err("SELinux: avtab: truncated entry\n");
+ return rc;
+ }
+ trans.otype = le32_to_cpu(*buf32);
+ datum.u.trans = &trans;
} else {
rc = next_entry(buf32, fp, sizeof(u32));
if (rc) {
@@ -551,12 +584,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
}
datum.u.data = le32_to_cpu(*buf32);
}
- if ((key.specified & AVTAB_TYPE) &&
- !policydb_type_isvalid(pol, datum.u.data)) {
- pr_err("SELinux: avtab: invalid type\n");
- return -EINVAL;
+ if (key.specified & AVTAB_TRANSITION) {
+ if (!policydb_type_isvalid(pol, datum.u.trans->otype)) {
+ pr_err("SELinux: avtab: invalid transition type\n");
+ return -EINVAL;
+ }
+ } else if (key.specified & AVTAB_TYPE) {
+ if (!policydb_type_isvalid(pol, datum.u.data)) {
+ pr_err("SELinux: avtab: invalid type\n");
+ return -EINVAL;
+ }
}
- return insertf(a, &key, &datum, p);
+ rc = insertf(a, &key, &datum, p);
+ return rc;
}
static int avtab_insertf(struct avtab *a, const struct avtab_key *k,
@@ -635,6 +675,9 @@ int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp)
buf32[i] = cpu_to_le32(cur->datum.u.xperms->perms.p[i]);
rc = put_entry(buf32, sizeof(u32),
ARRAY_SIZE(cur->datum.u.xperms->perms.p), fp);
+ } else if (cur->key.specified & AVTAB_TRANSITION) {
+ buf32[0] = cpu_to_le32(cur->datum.u.trans->otype);
+ rc = put_entry(buf32, sizeof(u32), 1, fp);
} else {
buf32[0] = cpu_to_le32(cur->datum.u.data);
rc = put_entry(buf32, sizeof(u32), 1, fp);
@@ -673,6 +716,9 @@ void __init avtab_cache_init(void)
avtab_node_cachep = kmem_cache_create("avtab_node",
sizeof(struct avtab_node),
0, SLAB_PANIC, NULL);
+ avtab_trans_cachep = kmem_cache_create("avtab_trans",
+ sizeof(struct avtab_trans),
+ 0, SLAB_PANIC, NULL);
avtab_xperms_cachep = kmem_cache_create("avtab_extended_perms",
sizeof(struct avtab_extended_perms),
0, SLAB_PANIC, NULL);
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index d6742fd9c560..6c8eb7c379cf 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -47,6 +47,10 @@ struct avtab_key {
u16 specified; /* what field is specified */
};
+struct avtab_trans {
+ u32 otype; /* default resulting type of the new object */
+};
+
/*
* For operations that require more than the 32 permissions provided by the avc
* extended permissions may be used to provide 256 bits of permissions.
@@ -69,7 +73,8 @@ struct avtab_extended_perms {
struct avtab_datum {
union {
- u32 data; /* access vector or type value */
+ u32 data; /* access vector, member or change value */
+ struct avtab_trans *trans; /* transition value */
struct avtab_extended_perms *xperms;
} u;
};
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 78946b71c1c1..8ed12406acba 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1830,7 +1830,10 @@ static int security_compute_sid(u32 ssid,
if (avdatum) {
/* Use the type from the type transition/member/change rule. */
- newcontext.type = avdatum->u.data;
+ if (avkey.specified & AVTAB_TRANSITION)
+ newcontext.type = avdatum->u.trans->otype;
+ else
+ newcontext.type = avdatum->u.data;
}
/* if we have a objname this is a file trans check so check those rules */
--
2.40.0
next prev parent reply other threads:[~2023-05-31 11:32 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-31 11:29 [PATCH 0/5] selinux: add prefix/suffix matching to filename type transitions Juraj Marcin
2023-05-31 11:29 ` Juraj Marcin [this message]
2023-05-31 11:29 ` [PATCH 2/5] selinux: move filename transitions to avtab Juraj Marcin
2023-06-01 14:29 ` Christian Göttsche
2023-06-02 13:13 ` Christian Göttsche
2023-06-07 8:04 ` Ondrej Mosnacek
2023-06-08 15:59 ` Juraj Marcin
2023-05-31 11:29 ` [PATCH 3/5] selinux: implement new binary format for filename transitions in avtab Juraj Marcin
2023-05-31 11:29 ` [PATCH 4/5] selinux: filename transitions move tests Juraj Marcin
2023-05-31 11:29 ` [PATCH 5/5] selinux: add prefix/suffix matching support to filename type transitions Juraj Marcin
2023-07-17 18:33 ` Stephen Smalley
2023-07-17 18:51 ` Stephen Smalley
2023-05-31 22:24 ` [PATCH 0/5] selinux: add prefix/suffix matching " Paul Moore
2023-06-01 17:03 ` Juraj Marcin
2023-06-16 2:04 ` Paul Moore
2023-06-18 9:40 ` Juraj Marcin
2023-06-19 21:53 ` Paul Moore
2023-06-20 7:51 ` Juraj Marcin
2023-07-17 18:44 ` Stephen Smalley
2023-07-27 16:42 ` Juraj Marcin
2023-07-28 12:48 ` Stephen Smalley
2023-07-28 17:52 ` James Carter
2023-08-01 8:49 ` Juraj Marcin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230531112927.1957093-2-juraj@jurajmarcin.com \
--to=juraj@jurajmarcin.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.