wildcards in file_contexts.subs for NixOS

wildcards in file_contexts.subs for NixOS

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 2313 bytes --]

https://nixos.org/

The NixOS distribution of Linux is based on having hashes of packages in the 
path names.

/nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/usermod
/nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/vipw
/nix/store/lvrxkcf4b398nyiayknsqr44p8pl51s9-drbd-8.4.4/bin/drbdadm
/nix/store/lvrxkcf4b398nyiayknsqr44p8pl51s9-drbd-8.4.4/bin/drbdsetup
/nix/store/mzxhj1cxrhbqvsga4155xhw44iigwxxs-shadow-4.5-su/bin/su
/nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xenconsoled
/nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xenstored
/nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xl
/nix/store/n419slr5x6h4ydk2dd56nkwki7qpkf6v-fuse-2.9.7/bin/fusermount
/nix/store/n419slr5x6h4ydk2dd56nkwki7qpkf6v-fuse-2.9.7/bin/mount.fuse
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/libvirtd
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virsh
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virtlockd
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virtlogd
/nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/blkid
/nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/dmsetup
/nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/e2fsck

Above is a random sample of binaries that need labelling on a NixOS system.  
Before anyone asks, the naming of such paths is core to the way NixOS works, 
requesting a change in that regard is not viable.

NixOS can run as a full OS (managing grub etc) or it can run on a system 
running a regular Linux distribution.  Running as a full OS or as a labelled 
chroot are the use cases that interest me.

semanage fcontext -a -e / "/nix/store/*"

setfiles -r /chroot/nix /etc/selinux/default/contexts/files/file_contexts \
/chroot/nix/store -v

I've written a patch to support commands like the above to label a Nix store 
(the above is a chroot example but the next step is to get full SE Linux 
support in NixOS).

I've attached the patch.  I don't expect this version to be accepted upstream 
as-is.  But it's a place to start the discussion about how to approach this 
problem.

Russell Coker

PS Please use my personal address russell@coker.com.au for SE Linux 
discussions unrelated to NixOS.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: wildcard-subs.diff --]
[-- Type: text/x-patch; name="wildcard-subs.diff", Size: 2017 bytes --]

Description: Support wildcard source (EG /lib/*) in file_contexts.subs_dist

Index: libselinux-2.8/src/label_file.c
===================================================================
--- libselinux-2.8.orig/src/label_file.c
+++ libselinux-2.8/src/label_file.c
@@ -581,6 +581,25 @@ static char *selabel_sub(struct selabel_
 
 	while (ptr) {
 		if (strncmp(src, ptr->src, ptr->slen) == 0 ) {
+			if (ptr->wildcard)
+			{
+				if ( src[ptr->slen] == 0 || !strchr(src+ptr->slen, '/') )
+				{
+					ptr = ptr->next;
+					continue;
+				}
+				for(len = ptr->slen + 1 ; src[len] && src[len] != '/' ; len++)
+					;
+				if(!src[len])
+				{
+					ptr = ptr->next;
+					continue;
+				}
+				len++;
+				if (asprintf(&dst, "%s%s", ptr->dst, &src[len]) < 0)
+					return NULL;
+				return dst;
+			}
 			if (src[ptr->slen] == '/' ||
 			    src[ptr->slen] == 0) {
 				if ((src[ptr->slen] == '/') &&
@@ -606,6 +625,7 @@ static int selabel_subs_init(const char
 	struct selabel_sub *list = NULL, *sub = NULL;
 	struct stat sb;
 	int status = -1;
+	int len;
 
 	*out_subs = NULL;
 	if (!cfg) {
@@ -630,6 +650,8 @@ static int selabel_subs_init(const char
 		*ptr++ = '\0';
 		if (! *src) continue;
 
+		if(!strcmp("/*", src)) continue;
+
 		dst = ptr;
 		while (*dst && isspace(*dst))
 			dst++;
@@ -645,6 +667,16 @@ static int selabel_subs_init(const char
 			goto err;
 		memset(sub, 0, sizeof(*sub));
 
+		len = strlen(src);
+		if(len < 2) continue;
+		if(src[len - 1] == '*')
+		{
+			sub->wildcard = 1;
+			src[len - 1] = 0;
+			len--;
+		}
+		else
+			sub->wildcard = 0;
 		sub->src=strdup(src);
 		if (! sub->src)
 			goto err;
Index: libselinux-2.8/src/label_file.h
===================================================================
--- libselinux-2.8.orig/src/label_file.h
+++ libselinux-2.8/src/label_file.h
@@ -35,6 +35,7 @@ struct selabel_sub {
 	char *src;
 	int slen;
 	char *dst;
+	int wildcard;
 	struct selabel_sub *next;
 };
 

Re: wildcards in file_contexts.subs for NixOS

[Nicolas Iooss]

On Fri, Feb 22, 2019 at 5:26 AM Russell Coker <russell.coker@daisee.com> wrote:
>
> https://nixos.org/
>
> The NixOS distribution of Linux is based on having hashes of packages in the
> path names.
>
> /nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/usermod
> /nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/vipw
> /nix/store/lvrxkcf4b398nyiayknsqr44p8pl51s9-drbd-8.4.4/bin/drbdadm
> /nix/store/lvrxkcf4b398nyiayknsqr44p8pl51s9-drbd-8.4.4/bin/drbdsetup
> /nix/store/mzxhj1cxrhbqvsga4155xhw44iigwxxs-shadow-4.5-su/bin/su
> /nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xenconsoled
> /nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xenstored
> /nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xl
> /nix/store/n419slr5x6h4ydk2dd56nkwki7qpkf6v-fuse-2.9.7/bin/fusermount
> /nix/store/n419slr5x6h4ydk2dd56nkwki7qpkf6v-fuse-2.9.7/bin/mount.fuse
> /nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/libvirtd
> /nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virsh
> /nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virtlockd
> /nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virtlogd
> /nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/blkid
> /nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/dmsetup
> /nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/e2fsck
>
> Above is a random sample of binaries that need labelling on a NixOS system.
> Before anyone asks, the naming of such paths is core to the way NixOS works,
> requesting a change in that regard is not viable.
>
> NixOS can run as a full OS (managing grub etc) or it can run on a system
> running a regular Linux distribution.  Running as a full OS or as a labelled
> chroot are the use cases that interest me.
>
> semanage fcontext -a -e / "/nix/store/*"
>
> setfiles -r /chroot/nix /etc/selinux/default/contexts/files/file_contexts \
> /chroot/nix/store -v
>
> I've written a patch to support commands like the above to label a Nix store
> (the above is a chroot example but the next step is to get full SE Linux
> support in NixOS).
>
> I've attached the patch.  I don't expect this version to be accepted upstream
> as-is.  But it's a place to start the discussion about how to approach this
> problem.
>
> Russell Coker
>
> PS Please use my personal address russell@coker.com.au for SE Linux
> discussions unrelated to NixOS.

Hello,

I agree it would be nice to be able to use SELinux on NixOS, and that
the first step consists in handling the file paths that are very
specific to this distribution. The patch you submitted adds the
support of source file contexts ending with "/*", but it does not
allow things like "match /chroot/nix/*/bin and replace it with
/usr/bin". This could be solved in several ways. The most
straightforward way probably consists in making selabel_sub_key() call
selabel_sub() several times, until no substitution occurred. An other
possibility could consist in using fnmatch() or regexp to match the
source pattern of substitution files, but I guess this would impact
performance too much.

I agree with adding support of source entries ending with "/*" in file
context substitution files. If others agree with this, for the next
iteration of the patch I suggest naming the new member of struct
selabel_sub "ends_with_star" instead of "wildcard". This would make
the code easier to understand.

Thanks,
Nicolas

Re: wildcards in file_contexts.subs for NixOS

[Russell Coker]

On Sunday, 24 February 2019 11:36:34 PM AEDT Nicolas Iooss wrote:
> I agree it would be nice to be able to use SELinux on NixOS, and that
> the first step consists in handling the file paths that are very
> specific to this distribution. The patch you submitted adds the
> support of source file contexts ending with "/*", but it does not
> allow things like "match /chroot/nix/*/bin and replace it with
> /usr/bin". This could be solved in several ways. The most
> straightforward way probably consists in making selabel_sub_key() call
> selabel_sub() several times, until no substitution occurred. An other
> possibility could consist in using fnmatch() or regexp to match the
> source pattern of substitution files, but I guess this would impact
> performance too much.

We should be able to accept the performance overhead of regexs because we 
typically do less than a dozen checks of the subs file before doing hundreds of 
checks of the file_contexts file which has regexes (on my Debian/Stretch laptop 
there are 4572 lines in the file_contexts file and 27 in the subst file including 
comments).  I'm not advocating regexs as such, merely suggesting that we 
shouldn't rule out the possibility.

You are correct that my patch misses the double level needed.  The way the 
code works is that the custom subst file is checked and then the distribution 
subst file is checked afterwards.  I had put in my NixOS rule as a custom subst 
file (via semanage fcontext) so the tests passed.  I had also misread the 
source to think that it was already doing recursive checks of the subst files.

> I agree with adding support of source entries ending with "/*" in file
> context substitution files. If others agree with this, for the next
> iteration of the patch I suggest naming the new member of struct
> selabel_sub "ends_with_star" instead of "wildcard". This would make
> the code easier to understand.

Sure, that sounds like a reasonable idea.

Before I get to the stage of submitting a patch with a merge request I'll put 
in some comments too.


Russell Coker