From: Stephen Smalley <sds@tycho.nsa.gov>
To: "Christian Göttsche" <cgzones@googlemail.com>
Cc: selinux@vger.kernel.org
Subject: Re: [RFC PATCH 2/3] libselinux: add security_is_policy_capabilty_enabled()
Date: Fri, 10 Jan 2020 09:59:01 -0500 [thread overview]
Message-ID: <bf835427-93c4-1490-8bbd-f7a82ab61b75@tycho.nsa.gov> (raw)
In-Reply-To: <CAJ2a_DfK4BjJOmQfjbg0zXcFxWB2B+7_p9gvp6tEKd=fzOuS+g@mail.gmail.com>
On 1/10/20 9:43 AM, Christian Göttsche wrote:
> Am Fr., 10. Jan. 2020 um 15:29 Uhr schrieb Stephen Smalley <sds@tycho.nsa.gov>:
>>
>> On 1/10/20 9:15 AM, Christian Göttsche wrote:
>>> Allow userspace (e.g. object managers like systemd) to obtain the state of a policy capability via a library call.
>>> ---
>>> diff --git a/libselinux/man/man3/security_is_policy_capability_enabled.3 b/libselinux/man/man3/security_is_policy_capability_enabled.3
>>> new file mode 100644
>>> index 00000000..18c53b67
>>> --- /dev/null
>>> +++ b/libselinux/man/man3/security_is_policy_capability_enabled.3
>>> @@ -0,0 +1,27 @@
>>> +.TH "security_is_policy_capability_enabled" "3" "9 January 2020" "cgzones@googlemail.com" "SELinux API documentation"
>>> +.SH "NAME"
>>> +security_is_policy_capability_enabled \- get the state of a SELinux policy
>>> +capability
>>> +.
>>> +.SH "SYNOPSIS"
>>> +.B #include <selinux/selinux.h>
>>> +.sp
>>> +.BI "int security_is_policy_capability_enabled(const char *" name ");"
>>> +.
>>> +.SH "DESCRIPTION"
>>> +.BR security_is_policy_capability_enabled ()
>>> +returns 1 if the SELinux policy capability with the given name is enabled,
>>> +0 if it is disabled, and \-1 on error.
>>> +.SH "NOTES"
>>> +The parameter
>>> +.IR name
>>> +is case insensitive.
>>
>> Why support case-insensitivity? It complicates the implementation and
>> seems unnecessary.
>>
>
> sepol_polcap_getnum() does it:
> https://github.com/SELinuxProject/selinux/blob/5bbe32a7e585dcd403739ea55a2fb25cbd184383/libsepol/src/polcaps.c#L25
Not sure why though. One difference is that sepol_polcap_getnum() is
only used for capability names specified in policies, while
security_is_policy_capability_enabled() will be used in application
code. It seems reasonable to require application writers to use the
right case for the capability name?
>
>>
>>> +
>>> +If the the current kernel does not support the given policy capability \-1 is returned and
>>> +.BR errno
>>> +is set to
>>> +.BR ENOTSUP
>>> +\&.
>>> +.
>>> +.SH "SEE ALSO"
>>> +.BR selinux "(8)"
>>> diff --git a/libselinux/src/polcap.c b/libselinux/src/polcap.c
>>> new file mode 100644
>>> index 00000000..801231cf
>>> --- /dev/null
>>> +++ b/libselinux/src/polcap.c
>>> @@ -0,0 +1,64 @@
>>> +#include <dirent.h>
>>> +#include <errno.h>
>>> +#include <fcntl.h>
>>> +#include <limits.h>
>>> +#include <stdio.h>
>>> +#include <string.h>
>>> +#include <sys/types.h>
>>> +#include <unistd.h>
>>> +
>>> +#include "policy.h"
>>> +#include "selinux_internal.h"
>>> +
>>> +int security_is_policy_capability_enabled(const char *name)
>>> +{
>>> + int fd, enabled;
>>> + ssize_t ret;
>>> + char path[PATH_MAX];
>>> + char buf[20];
>>> + DIR *polcapdir;
>>> + struct dirent *dentry;
>>> +
>>> + if (!selinux_mnt) {
>>> + errno = ENOENT;
>>> + return -1;
>>> + }
>>> +
>>> + snprintf(path, sizeof path, "%s/policy_capabilities", selinux_mnt);
>>> + polcapdir = opendir(path);
>>> + if (!polcapdir)
>>> + return -1;
>>> +
>>> + while ((dentry = readdir(polcapdir)) != NULL) {
>>> + if (strcmp(dentry->d_name, ".") == 0 || strcmp(dentry->d_name, "..") == 0)
>>> + continue;
>>> +
>>> + if (strcasecmp(name, dentry->d_name) != 0)
>>> + continue;
>>> +
>>> + snprintf(path, sizeof path, "%s/policy_capabilities/%s", selinux_mnt, dentry->d_name);
>>> + fd = open(path, O_RDONLY | O_CLOEXEC);
>>> + if (fd < 0)
>>> + goto err;
>>
>> If you weren't trying to support case-insensitivity, you could just
>> directly open() the capability file and be done with it.
>>
>
> Would we need to check for directory traversals in that case?
> char *tainted_userdata = "../../../../etc/passwd"
> security_is_policy_capability_enabled(tainted_userdata)
No, we aren't crossing a trust boundary here and any sane application is
going to hardcode the policy capability name, not take it from an
untrusted source.
next prev parent reply other threads:[~2020-01-10 14:58 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-10 14:15 [RFC PATCH 0/3] Add policy capability for systemd overhaul Christian Göttsche
2020-01-10 14:15 ` [RFC PATCH 1/3] libsepol: add " Christian Göttsche
2020-01-10 14:15 ` [RFC PATCH 2/3] libselinux: add security_is_policy_capabilty_enabled() Christian Göttsche
2020-01-10 14:30 ` Stephen Smalley
2020-01-10 14:43 ` Christian Göttsche
2020-01-10 14:59 ` Stephen Smalley [this message]
2020-01-10 14:15 ` [RFC PATCH 3/3] libselinux: add policy capability test binary Christian Göttsche
2020-01-10 14:32 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bf835427-93c4-1490-8bbd-f7a82ab61b75@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=cgzones@googlemail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.