From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org
Subject: [PATCH userspace 1/2] libsepol: stop translating deprecated intial SIDs to strings
Date: Mon, 12 Jun 2023 11:31:06 +0200	[thread overview]
Message-ID: <20230612093107.1066410-2-omosnace@redhat.com> (raw)
In-Reply-To: <20230612093107.1066410-1-omosnace@redhat.com>

Many of the initial SIDs are no longer used by the kernel, so
translating them to the legacy names doesn't bring much value. Clear the
legacy names from the table and let the code translate them to the
fallback "unknown" names instead.

Note that this only affects the generated text output when converting
policies from binary to text form. The text policy languages let the
policy define its own names for the initial SIDs based on the order in
which they are declared, so the table is never used to convert from name
to SID. Thus this is just a cosmetic change and has no functional
impact.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 libsepol/src/kernel_to_cil.c    |  4 ++--
 libsepol/src/kernel_to_common.h | 36 ++++++++++++++++-----------------
 libsepol/src/kernel_to_conf.c   |  4 ++--
 libsepol/src/module_to_cil.c    |  2 +-
 4 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index e9cd89c2..bd04c087 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -567,7 +567,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_str[i]) {
 			sid = (char *)sid_to_str[i];
 		} else {
 			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
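Review bot: The new guard `i < num_sids && sid_to_str[i]` is now written out by hand in five places — both hunks of this file, both hunks of kernel_to_conf.c, and ocontext_isid_to_cil in module_to_cil.c — so the NULL-entry convention introduced in kernel_to_common.h has to be remembered at every call site, and the follow-up 2/2 patch that extends the table adds one more place that must stay in step. A small `static inline` lookup in kernel_to_common.h whose body is just `return i < num_sids ? sid_to_str[i] : NULL;` would let each writer do `sid = lookup(...)` and fall into the existing `UNKNOWN%u` branch on NULL, keeping the out-of-range and no-longer-used cases in one spot. Since the context line is already touched, the literal `18` passed to snprintf here and in module_to_cil.c could also become `sizeof(unknown)` as kernel_to_conf.c already does; it appears to fit ("UNKNOWN" plus ten digits plus NUL), but the buffer declaration is outside the hunk. write_sids_to_cil starts and ends outside this hunk.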
@@ -2577,7 +2577,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
 
 	for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_str[i]) {
 			sid = (char *)sid_to_str[i];
 		} else {
 			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 159c4289..6073ff3a 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -13,33 +13,33 @@
 // initial sid names aren't actually stored in the pp files, need to a have
 // a mapping, taken from the linux kernel
 static const char * const selinux_sid_to_str[] = {
-	"null",
+	NULL,
 	"kernel",
 	"security",
 	"unlabeled",
-	"fs",
+	NULL,
 	"file",
-	"file_labels",
-	"init",
+	NULL,
+	NULL,
 	"any_socket",
 	"port",
 	"netif",
 	"netmsg",
 	"node",
-	"igmp_packet",
-	"icmp_socket",
-	"tcp_socket",
-	"sysctl_modprobe",
-	"sysctl",
-	"sysctl_fs",
-	"sysctl_kernel",
-	"sysctl_net",
-	"sysctl_net_unix",
-	"sysctl_vm",
-	"sysctl_dev",
-	"kmod",
-	"policy",
-	"scmp_packet",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
 	"devnull",
 };
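Review bot: After this change the meaning of each slot is carried only by its position, and the fourteen consecutive `NULL` lines at the end of the table make a miscount silent: dropping or adding one entry would shift "devnull" (and the "init" name that patch 2/2 adds) to the wrong SID with no compiler diagnostic, and the output would then label a context with a wrong-but-plausible name rather than the `UNKNOWN<n>` fallback. Designated initializers with the numeric SID as index make the mapping explicit and keep the gaps as NULL without spelling them out; the array length stays 28, so a `num_sids` derived from `sizeof` (not visible here, presumably how the callers compute it) is unchanged. The header comment should also state the new convention, e.g. `// NULL marks an initial SID the kernel no longer uses; callers must check for it and emit the UNKNOWN<n> fallback.`
```c
// initial sid names aren't actually stored in the pp files, need to a have
// a mapping, taken from the linux kernel.
// Index == initial SID number; unlisted slots stay NULL, meaning the kernel no
// longer uses that SID and callers must print the UNKNOWN<n> fallback instead.
static const char * const selinux_sid_to_str[] = {
	[1]  = "kernel",
	[2]  = "security",
	[3]  = "unlabeled",
	[5]  = "file",
	[8]  = "any_socket",
	[9]  = "port",
	[10] = "netif",
	[11] = "netmsg",
	[12] = "node",
	[27] = "devnull",
};
```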
 
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index c48a7114..3be87184 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -464,7 +464,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_str[i]) {
 			sid = (char *)sid_to_str[i];
 		} else {
 			snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
@@ -2445,7 +2445,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
 
 	for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_str[i]) {
 			sid = (char *)sid_to_str[i];
 		} else {
 			snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index e7bc6ee6..a46775ca 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2549,7 +2549,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_string[i]) {
 			sid = (char*)sid_to_string[i];
 		} else {
 			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
-- 
2.40.1

