SELinux Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] Add default_range glblub support
@ 2019-08-26 14:20 Joshua Brindle
  2019-08-29 19:14 ` [Non-DoD Source] " jwcart2
  0 siblings, 1 reply; 4+ messages in thread
From: Joshua Brindle @ 2019-08-26 14:20 UTC (permalink / raw)
  To: selinux; +Cc: Joshua Brindle

Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. For example, one can add a default with
this cil:

(defaultrange db_table glblub);

and then test using the compute_create utility:

$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
---
 checkpolicy/policy_parse.y                  |  4 +++-
 checkpolicy/policy_scan.l                   |  2 ++
 libsemanage/src/direct_api.c                |  1 +
 libsepol/cil/src/cil.c                      |  1 +
 libsepol/cil/src/cil_build_ast.c            | 11 +++++----
 libsepol/cil/src/cil_internal.h             |  2 ++
 libsepol/cil/src/cil_policy.c               |  3 +++
 libsepol/include/sepol/policydb/context.h   |  5 +++++
 libsepol/include/sepol/policydb/mls_types.h | 25 +++++++++++++++++++++
 libsepol/include/sepol/policydb/policydb.h  |  7 ++++--
 libsepol/src/kernel_to_conf.c               |  3 +++
 libsepol/src/mls.c                          |  2 ++
 libsepol/src/module_to_cil.c                |  1 +
 libsepol/src/policydb.c                     | 22 ++++++++++++++++++
 libsepol/src/write.c                        | 12 ++++++++++
 15 files changed, 94 insertions(+), 7 deletions(-)

diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 247bd4ee..abb7d885 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -155,7 +155,7 @@ typedef int (* require_func_t)(int pass);
 %token PERMISSIVE
 %token FILESYSTEM
 %token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
-%token LOW_HIGH LOW HIGH
+%token LOW_HIGH LOW HIGH GLBLUB
 
 %left OR
 %left XOR
@@ -247,6 +247,8 @@ default_range_def	: DEFAULT_RANGE names SOURCE LOW ';'
 			{if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
 			| DEFAULT_RANGE names TARGET LOW_HIGH ';'
 			{if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
+			| DEFAULT_RANGE names GLBLUB';'
+			{if (define_default_range(DEFAULT_GLBLUB)) return -1; }
 			;
 opt_mls			: mls
                         | 
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index e93ccb64..e2f676e4 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -256,6 +256,8 @@ high |
 HIGH				{ return(HIGH); }
 low |
 LOW				{ return(LOW); }
+glblub |
+GLBLUB				{ return(GLBLUB); }
 "/"[^ \n\r\t\f]*	        { return(PATH); }
 \""/"[^\"\n]*\" 		{ return(QPATH); }
 \"[^"/"\"\n]+\"	{ return(FILENAME); }
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index 1088a0ac..c9d7fa1c 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -22,6 +22,7 @@
 #include <sepol/module.h>
 #include <sepol/handle.h>
 #include <sepol/cil/cil.h>
+#include <sepol/policydb.h>
 #include <selinux/selinux.h>
 
 #include <assert.h>
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 2a7ec063..de729cf8 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -227,6 +227,7 @@ static void cil_init_keys(void)
 	CIL_KEY_LOW = cil_strpool_add("low");
 	CIL_KEY_HIGH = cil_strpool_add("high");
 	CIL_KEY_LOW_HIGH = cil_strpool_add("low-high");
+	CIL_KEY_GLBLUB = cil_strpool_add("glblub");
 	CIL_KEY_ROOT = cil_strpool_add("<root>");
 	CIL_KEY_NODE = cil_strpool_add("<node>");
 	CIL_KEY_PERM = cil_strpool_add("perm");
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index b90b0f60..ee1c51ce 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -5894,7 +5894,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
 		CIL_SYN_STRING,
 		CIL_SYN_STRING | CIL_SYN_LIST,
 		CIL_SYN_STRING,
-		CIL_SYN_STRING,
+		CIL_SYN_STRING | CIL_SYN_END,
 		CIL_SYN_END
 	};
 	int syntax_len = sizeof(syntax)/sizeof(*syntax);
@@ -5917,8 +5917,8 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
 	}
 
 	object = parse_current->next->next->data;
-	range = parse_current->next->next->next->data;
 	if (object == CIL_KEY_SOURCE) {
+		range = parse_current->next->next->next->data;
 		if (range == CIL_KEY_LOW) {
 			def->object_range = CIL_DEFAULT_SOURCE_LOW;
 		} else if (range == CIL_KEY_HIGH) {
@@ -5930,7 +5930,8 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
 			rc = SEPOL_ERR;
 			goto exit;
 		}
-	} else if (parse_current->next->next->data == CIL_KEY_TARGET) {
+	} else if (object == CIL_KEY_TARGET) {
+		range = parse_current->next->next->next->data;
 		if (range == CIL_KEY_LOW) {
 			def->object_range = CIL_DEFAULT_TARGET_LOW;
 		} else if (range == CIL_KEY_HIGH) {
@@ -5942,8 +5943,10 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
 			rc = SEPOL_ERR;
 			goto exit;
 		}
+	} else if (object == CIL_KEY_GLBLUB) {
+		def->object_range = CIL_DEFAULT_GLBLUB;
 	} else {
-		cil_log(CIL_ERR,"Expected either \'source\' or \'target\'\n");
+		cil_log(CIL_ERR,"Expected \'source\', \'target\', or \'glblub\'\n");
 		rc = SEPOL_ERR;
 		goto exit;
 	}
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index 6ff32285..30fab649 100644
--- a/libsepol/cil/src/cil_internal.h
+++ b/libsepol/cil/src/cil_internal.h
@@ -149,6 +149,7 @@ char *CIL_KEY_TARGET;
 char *CIL_KEY_LOW;
 char *CIL_KEY_HIGH;
 char *CIL_KEY_LOW_HIGH;
+char *CIL_KEY_GLBLUB;
 char *CIL_KEY_HANDLEUNKNOWN;
 char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
 char *CIL_KEY_HANDLEUNKNOWN_DENY;
@@ -941,6 +942,7 @@ enum cil_default_object_range {
 	CIL_DEFAULT_TARGET_LOW      = DEFAULT_TARGET_LOW,
 	CIL_DEFAULT_TARGET_HIGH     = DEFAULT_TARGET_HIGH,
 	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
+	CIL_DEFAULT_GLBLUB          = DEFAULT_GLBLUB,
 };
 
 /* Default labeling behavior for range */
diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
index 1adf22a3..b031bb00 100644
--- a/libsepol/cil/src/cil_policy.c
+++ b/libsepol/cil/src/cil_policy.c
@@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
 		case CIL_DEFAULT_TARGET_LOW_HIGH:
 			fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
 			break;
+		case CIL_DEFAULT_GLBLUB:
+			fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_GLBLUB);
+			break;
 		default:
 			break;
 		}
diff --git a/libsepol/include/sepol/policydb/context.h b/libsepol/include/sepol/policydb/context.h
index c27c3341..37cdc591 100644
--- a/libsepol/include/sepol/policydb/context.h
+++ b/libsepol/include/sepol/policydb/context.h
@@ -92,6 +92,11 @@ out:
 	return rc;
 }
 
+static inline int mls_context_glblub(context_struct_t *dst, context_struct_t *c1, context_struct_t *c2)
+{
+	return mls_range_glblub(&dst->range, &c1->range, &c2->range);
+}
+
 static inline int mls_context_cmp(context_struct_t * c1, context_struct_t * c2)
 {
 	return (mls_level_eq(&c1->range.level[0], &c2->range.level[0]) &&
diff --git a/libsepol/include/sepol/policydb/mls_types.h b/libsepol/include/sepol/policydb/mls_types.h
index a06723be..450c9564 100644
--- a/libsepol/include/sepol/policydb/mls_types.h
+++ b/libsepol/include/sepol/policydb/mls_types.h
@@ -32,6 +32,7 @@
 
 #include <stdint.h>
 #include <stdlib.h>
+#include <sys/param.h>
 #include <sepol/policydb/ebitmap.h>
 #include <sepol/policydb/flask_types.h>
 
@@ -48,6 +49,30 @@ typedef struct mls_range {
 	mls_level_t level[2];	/* low == level[0], high == level[1] */
 } mls_range_t;
 
+static inline int mls_range_glblub(struct mls_range *dst, struct mls_range *r1, struct mls_range *r2)
+{
+	if (r1->level[1].sens < r2->level[0].sens || r2->level[1].sens < r1->level[0].sens) {
+		// These ranges have no common sensitivities
+		return -1;
+	}
+
+	// Take the greatest of the low
+	dst->level[0].sens = MAX(r1->level[0].sens, r2->level[0].sens);
+	// Take the least of the high
+	dst->level[1].sens = MIN(r1->level[1].sens, r2->level[1].sens);
+
+	if (ebitmap_and(&dst->level[0].cat, &r1->level[0].cat, &r2->level[0].cat) < 0) {
+		return -1;
+	}
+
+	if (ebitmap_and(&dst->level[1].cat, &r1->level[1].cat, &r2->level[1].cat) < 0) {
+		return -1;
+	}
+
+	return 0;
+}
+
+
 static inline int mls_level_cpy(struct mls_level *dst, struct mls_level *src)
 {
 
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index a279382e..b0d2fdfc 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -130,6 +130,7 @@ typedef struct class_datum {
 #define DEFAULT_TARGET_LOW	4
 #define DEFAULT_TARGET_HIGH	5
 #define DEFAULT_TARGET_LOW_HIGH	6
+#define DEFAULT_GLBLUB 		7
 	char default_range;
 } class_datum_t;
 
@@ -741,10 +742,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define POLICYDB_VERSION_XEN_DEVICETREE		30 /* Xen-specific */
 #define POLICYDB_VERSION_XPERMS_IOCTL	30 /* Linux-specific */
 #define POLICYDB_VERSION_INFINIBAND		31 /* Linux-specific */
+#define POLICYDB_VERSION_GLBLUB		32
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_INFINIBAND
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_GLBLUB
 
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE		4
@@ -765,9 +767,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES  17
 #define MOD_POLICYDB_VERSION_XPERMS_IOCTL  18
 #define MOD_POLICYDB_VERSION_INFINIBAND		19
+#define MOD_POLICYDB_VERSION_GLBLUB		20
 
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_INFINIBAND
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_GLBLUB
 
 #define POLICYDB_CONFIG_MLS    1
 
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 930bafab..a44ba30a 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -673,6 +673,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
 	case DEFAULT_TARGET_LOW_HIGH:
 		dft = "target low-high";
 		break;
+	case DEFAULT_GLBLUB:
+		dft = "glblub";
+		break;
 	default:
 		sepol_log_err("Unknown default type value: %i", class->default_range);
 		return -1;
diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
index 63ad1bcb..6ff9a846 100644
--- a/libsepol/src/mls.c
+++ b/libsepol/src/mls.c
@@ -643,6 +643,8 @@ int mls_compute_sid(policydb_t * policydb,
 			return mls_context_cpy_high(newcontext, tcontext);
 		case DEFAULT_TARGET_LOW_HIGH:
 			return mls_context_cpy(newcontext, tcontext);
+		case DEFAULT_GLBLUB:
+			return mls_context_glblub(newcontext, scontext, tcontext);
 		}
 
 		/* Fallthrough */
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 1af166c9..c48a897d 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2033,6 +2033,7 @@ static int class_to_cil(int indent, struct policydb *pdb, struct avrule_block *U
 		case DEFAULT_TARGET_LOW:		dflt = "target low";	break;
 		case DEFAULT_TARGET_HIGH:		dflt = "target high";	break;
 		case DEFAULT_TARGET_LOW_HIGH:	dflt = "target low-high";	break;
+		case DEFAULT_GLBLUB:		dflt = "glblub";		break;
 		default:
 			log_err("Unknown default range value: %i", class->default_range);
 			rc = -1;
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 69bcb4d5..67037b6d 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -194,6 +194,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .ocon_num = OCON_IBENDPORT + 1,
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
+	{
+	 .type = POLICY_KERN,
+	 .version = POLICYDB_VERSION_GLBLUB,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_IBENDPORT + 1,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
 	{
 	 .type = POLICY_BASE,
 	 .version = MOD_POLICYDB_VERSION_BASE,
@@ -306,6 +313,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .ocon_num = OCON_IBENDPORT + 1,
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
+	{
+	 .type = POLICY_BASE,
+	 .version = MOD_POLICYDB_VERSION_GLBLUB,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_IBENDPORT + 1,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
 	{
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_BASE,
@@ -418,6 +432,14 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .ocon_num = 0,
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
+	{
+	 .type = POLICY_MOD,
+	 .version = MOD_POLICYDB_VERSION_GLBLUB,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = 0,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
+
 };
 
 #if 0
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index dee7b4a3..c6be2be2 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -46,6 +46,11 @@
 #include "private.h"
 #include "mls.h"
 
+#define glblub_version ((p->policy_type == POLICY_KERN && \
+		     p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
+		    (p->policy_type == POLICY_BASE && \
+		     p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
+
 struct policy_data {
 	struct policy_file *fp;
 	struct policydb *p;
@@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
 	     p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
 		buf[0] = cpu_to_le32(cladatum->default_user);
 		buf[1] = cpu_to_le32(cladatum->default_role);
+		if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
+			WARN(fp->handle,
+                             "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
+                             p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
+                             p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
+                        cladatum->default_range = 0;
+                }
 		buf[2] = cpu_to_le32(cladatum->default_range);
 		items = put_entry(buf, sizeof(uint32_t), 3, fp);
 		if (items != 3)
-- 
2.21.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Non-DoD Source] [PATCH] Add default_range glblub support
  2019-08-26 14:20 [PATCH] Add default_range glblub support Joshua Brindle
@ 2019-08-29 19:14 ` " jwcart2
  2019-08-29 19:25   ` Joshua Brindle
  0 siblings, 1 reply; 4+ messages in thread
From: jwcart2 @ 2019-08-29 19:14 UTC (permalink / raw)
  To: Joshua Brindle, selinux; +Cc: Steve Smalley

On 8/26/19 10:20 AM, Joshua Brindle wrote:
> Policy developers can set a default_range default to glblub and
> computed contexts will be the intersection of the ranges of the
> source and target contexts. For example, one can add a default with
> this cil:
> 
> (defaultrange db_table glblub);
> 
> and then test using the compute_create utility:
> 
> $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
> system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
> 

It would be nice to say what glblub means and to have an example for checkpolicy 
as well.

> Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> ---
>   checkpolicy/policy_parse.y                  |  4 +++-
>   checkpolicy/policy_scan.l                   |  2 ++
>   libsemanage/src/direct_api.c                |  1 +
>   libsepol/cil/src/cil.c                      |  1 +
>   libsepol/cil/src/cil_build_ast.c            | 11 +++++----
>   libsepol/cil/src/cil_internal.h             |  2 ++
>   libsepol/cil/src/cil_policy.c               |  3 +++
>   libsepol/include/sepol/policydb/context.h   |  5 +++++
>   libsepol/include/sepol/policydb/mls_types.h | 25 +++++++++++++++++++++
>   libsepol/include/sepol/policydb/policydb.h  |  7 ++++--
>   libsepol/src/kernel_to_conf.c               |  3 +++
>   libsepol/src/mls.c                          |  2 ++
>   libsepol/src/module_to_cil.c                |  1 +
>   libsepol/src/policydb.c                     | 22 ++++++++++++++++++
>   libsepol/src/write.c                        | 12 ++++++++++
>   15 files changed, 94 insertions(+), 7 deletions(-)
> 
> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> index 247bd4ee..abb7d885 100644
> --- a/checkpolicy/policy_parse.y
> +++ b/checkpolicy/policy_parse.y
> @@ -155,7 +155,7 @@ typedef int (* require_func_t)(int pass);
>   %token PERMISSIVE
>   %token FILESYSTEM
>   %token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
> -%token LOW_HIGH LOW HIGH
> +%token LOW_HIGH LOW HIGH GLBLUB
>   
>   %left OR
>   %left XOR
> @@ -247,6 +247,8 @@ default_range_def	: DEFAULT_RANGE names SOURCE LOW ';'
>   			{if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
>   			| DEFAULT_RANGE names TARGET LOW_HIGH ';'
>   			{if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
> +			| DEFAULT_RANGE names GLBLUB';'
> +			{if (define_default_range(DEFAULT_GLBLUB)) return -1; }
>   			;
>   opt_mls			: mls
>                           |
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index e93ccb64..e2f676e4 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -256,6 +256,8 @@ high |
>   HIGH				{ return(HIGH); }
>   low |
>   LOW				{ return(LOW); }
> +glblub |
> +GLBLUB				{ return(GLBLUB); }
>   "/"[^ \n\r\t\f]*	        { return(PATH); }
>   \""/"[^\"\n]*\" 		{ return(QPATH); }
>   \"[^"/"\"\n]+\"	{ return(FILENAME); }
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index 1088a0ac..c9d7fa1c 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -22,6 +22,7 @@
>   #include <sepol/module.h>
>   #include <sepol/handle.h>
>   #include <sepol/cil/cil.h>
> +#include <sepol/policydb.h>

What's this for?

>   #include <selinux/selinux.h>
>   
>   #include <assert.h>
> diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> index 2a7ec063..de729cf8 100644
> --- a/libsepol/cil/src/cil.c
> +++ b/libsepol/cil/src/cil.c
> @@ -227,6 +227,7 @@ static void cil_init_keys(void)
>   	CIL_KEY_LOW = cil_strpool_add("low");
>   	CIL_KEY_HIGH = cil_strpool_add("high");
>   	CIL_KEY_LOW_HIGH = cil_strpool_add("low-high");
> +	CIL_KEY_GLBLUB = cil_strpool_add("glblub");
>   	CIL_KEY_ROOT = cil_strpool_add("<root>");
>   	CIL_KEY_NODE = cil_strpool_add("<node>");
>   	CIL_KEY_PERM = cil_strpool_add("perm");
> diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> index b90b0f60..ee1c51ce 100644
> --- a/libsepol/cil/src/cil_build_ast.c
> +++ b/libsepol/cil/src/cil_build_ast.c
> @@ -5894,7 +5894,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
>   		CIL_SYN_STRING,
>   		CIL_SYN_STRING | CIL_SYN_LIST,
>   		CIL_SYN_STRING,
> -		CIL_SYN_STRING,
> +		CIL_SYN_STRING | CIL_SYN_END,
>   		CIL_SYN_END
>   	};
>   	int syntax_len = sizeof(syntax)/sizeof(*syntax);
> @@ -5917,8 +5917,8 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
>   	}
>   
>   	object = parse_current->next->next->data;
> -	range = parse_current->next->next->next->data;
>   	if (object == CIL_KEY_SOURCE) {
> +		range = parse_current->next->next->next->data;
>   		if (range == CIL_KEY_LOW) {
>   			def->object_range = CIL_DEFAULT_SOURCE_LOW;
>   		} else if (range == CIL_KEY_HIGH) {
> @@ -5930,7 +5930,8 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
>   			rc = SEPOL_ERR;
>   			goto exit;
>   		}
> -	} else if (parse_current->next->next->data == CIL_KEY_TARGET) {
> +	} else if (object == CIL_KEY_TARGET) {
> +		range = parse_current->next->next->next->data;
>   		if (range == CIL_KEY_LOW) {
>   			def->object_range = CIL_DEFAULT_TARGET_LOW;
>   		} else if (range == CIL_KEY_HIGH) {
> @@ -5942,8 +5943,10 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
>   			rc = SEPOL_ERR;
>   			goto exit;
>   		}
> +	} else if (object == CIL_KEY_GLBLUB) {
> +		def->object_range = CIL_DEFAULT_GLBLUB;
>   	} else {
> -		cil_log(CIL_ERR,"Expected either \'source\' or \'target\'\n");
> +		cil_log(CIL_ERR,"Expected \'source\', \'target\', or \'glblub\'\n");
>   		rc = SEPOL_ERR;
>   		goto exit;
>   	}
> diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
> index 6ff32285..30fab649 100644
> --- a/libsepol/cil/src/cil_internal.h
> +++ b/libsepol/cil/src/cil_internal.h
> @@ -149,6 +149,7 @@ char *CIL_KEY_TARGET;
>   char *CIL_KEY_LOW;
>   char *CIL_KEY_HIGH;
>   char *CIL_KEY_LOW_HIGH;
> +char *CIL_KEY_GLBLUB;
>   char *CIL_KEY_HANDLEUNKNOWN;
>   char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
>   char *CIL_KEY_HANDLEUNKNOWN_DENY;
> @@ -941,6 +942,7 @@ enum cil_default_object_range {
>   	CIL_DEFAULT_TARGET_LOW      = DEFAULT_TARGET_LOW,
>   	CIL_DEFAULT_TARGET_HIGH     = DEFAULT_TARGET_HIGH,
>   	CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
> +	CIL_DEFAULT_GLBLUB          = DEFAULT_GLBLUB,
>   };
>   
>   /* Default labeling behavior for range */
> diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
> index 1adf22a3..b031bb00 100644
> --- a/libsepol/cil/src/cil_policy.c
> +++ b/libsepol/cil/src/cil_policy.c
> @@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
>   		case CIL_DEFAULT_TARGET_LOW_HIGH:
>   			fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
>   			break;
> +		case CIL_DEFAULT_GLBLUB:
> +			fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_GLBLUB);

I think you just want fprintf(out," %s", CIL_KEY_GLBLUB);

> +			break;
>   		default:
>   			break;
>   		}
> diff --git a/libsepol/include/sepol/policydb/context.h b/libsepol/include/sepol/policydb/context.h
> index c27c3341..37cdc591 100644
> --- a/libsepol/include/sepol/policydb/context.h
> +++ b/libsepol/include/sepol/policydb/context.h
> @@ -92,6 +92,11 @@ out:
>   	return rc;
>   }
>   
> +static inline int mls_context_glblub(context_struct_t *dst, context_struct_t *c1, context_struct_t *c2)
> +{
> +	return mls_range_glblub(&dst->range, &c1->range, &c2->range);
> +}
> +
>   static inline int mls_context_cmp(context_struct_t * c1, context_struct_t * c2)
>   {
>   	return (mls_level_eq(&c1->range.level[0], &c2->range.level[0]) &&
> diff --git a/libsepol/include/sepol/policydb/mls_types.h b/libsepol/include/sepol/policydb/mls_types.h
> index a06723be..450c9564 100644
> --- a/libsepol/include/sepol/policydb/mls_types.h
> +++ b/libsepol/include/sepol/policydb/mls_types.h
> @@ -32,6 +32,7 @@
>   
>   #include <stdint.h>
>   #include <stdlib.h>
> +#include <sys/param.h>
>   #include <sepol/policydb/ebitmap.h>
>   #include <sepol/policydb/flask_types.h>
>   
> @@ -48,6 +49,30 @@ typedef struct mls_range {
>   	mls_level_t level[2];	/* low == level[0], high == level[1] */
>   } mls_range_t;
>   
> +static inline int mls_range_glblub(struct mls_range *dst, struct mls_range *r1, struct mls_range *r2)
> +{
> +	if (r1->level[1].sens < r2->level[0].sens || r2->level[1].sens < r1->level[0].sens) {
> +		// These ranges have no common sensitivities
> +		return -1;
> +	}
> +
> +	// Take the greatest of the low
> +	dst->level[0].sens = MAX(r1->level[0].sens, r2->level[0].sens);
> +	// Take the least of the high
> +	dst->level[1].sens = MIN(r1->level[1].sens, r2->level[1].sens);
> +
> +	if (ebitmap_and(&dst->level[0].cat, &r1->level[0].cat, &r2->level[0].cat) < 0) {
> +		return -1;
> +	}
> +
> +	if (ebitmap_and(&dst->level[1].cat, &r1->level[1].cat, &r2->level[1].cat) < 0) {
> +		return -1;
> +	}
> +
> +	return 0;
> +}
> +
> +
>   static inline int mls_level_cpy(struct mls_level *dst, struct mls_level *src)
>   {
>   
> diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
> index a279382e..b0d2fdfc 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -130,6 +130,7 @@ typedef struct class_datum {
>   #define DEFAULT_TARGET_LOW	4
>   #define DEFAULT_TARGET_HIGH	5
>   #define DEFAULT_TARGET_LOW_HIGH	6
> +#define DEFAULT_GLBLUB 		7
>   	char default_range;
>   } class_datum_t;
>   
> @@ -741,10 +742,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
>   #define POLICYDB_VERSION_XEN_DEVICETREE		30 /* Xen-specific */
>   #define POLICYDB_VERSION_XPERMS_IOCTL	30 /* Linux-specific */
>   #define POLICYDB_VERSION_INFINIBAND		31 /* Linux-specific */
> +#define POLICYDB_VERSION_GLBLUB		32
>   
>   /* Range of policy versions we understand*/
>   #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
> -#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_INFINIBAND
> +#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_GLBLUB
>   
>   /* Module versions and specific changes*/
>   #define MOD_POLICYDB_VERSION_BASE		4
> @@ -765,9 +767,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
>   #define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES  17
>   #define MOD_POLICYDB_VERSION_XPERMS_IOCTL  18
>   #define MOD_POLICYDB_VERSION_INFINIBAND		19
> +#define MOD_POLICYDB_VERSION_GLBLUB		20
>   
>   #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
> -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_INFINIBAND
> +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_GLBLUB
>   
>   #define POLICYDB_CONFIG_MLS    1
>   
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index 930bafab..a44ba30a 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -673,6 +673,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
>   	case DEFAULT_TARGET_LOW_HIGH:
>   		dft = "target low-high";
>   		break;
> +	case DEFAULT_GLBLUB:
> +		dft = "glblub";
> +		break;
>   	default:
>   		sepol_log_err("Unknown default type value: %i", class->default_range);
>   		return -1;

You need to update kernel_to_cil.c as well.

> diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
> index 63ad1bcb..6ff9a846 100644
> --- a/libsepol/src/mls.c
> +++ b/libsepol/src/mls.c
> @@ -643,6 +643,8 @@ int mls_compute_sid(policydb_t * policydb,
>   			return mls_context_cpy_high(newcontext, tcontext);
>   		case DEFAULT_TARGET_LOW_HIGH:
>   			return mls_context_cpy(newcontext, tcontext);
> +		case DEFAULT_GLBLUB:
> +			return mls_context_glblub(newcontext, scontext, tcontext);
>   		}
>   
>   		/* Fallthrough */
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index 1af166c9..c48a897d 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2033,6 +2033,7 @@ static int class_to_cil(int indent, struct policydb *pdb, struct avrule_block *U
>   		case DEFAULT_TARGET_LOW:		dflt = "target low";	break;
>   		case DEFAULT_TARGET_HIGH:		dflt = "target high";	break;
>   		case DEFAULT_TARGET_LOW_HIGH:	dflt = "target low-high";	break;
> +		case DEFAULT_GLBLUB:		dflt = "glblub";		break;
>   		default:
>   			log_err("Unknown default range value: %i", class->default_range);
>   			rc = -1;
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index 69bcb4d5..67037b6d 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -194,6 +194,13 @@ static struct policydb_compat_info policydb_compat[] = {
>   	 .ocon_num = OCON_IBENDPORT + 1,
>   	 .target_platform = SEPOL_TARGET_SELINUX,
>   	},
> +	{
> +	 .type = POLICY_KERN,
> +	 .version = POLICYDB_VERSION_GLBLUB,
> +	 .sym_num = SYM_NUM,
> +	 .ocon_num = OCON_IBENDPORT + 1,
> +	 .target_platform = SEPOL_TARGET_SELINUX,
> +	},
>   	{
>   	 .type = POLICY_BASE,
>   	 .version = MOD_POLICYDB_VERSION_BASE,
> @@ -306,6 +313,13 @@ static struct policydb_compat_info policydb_compat[] = {
>   	 .ocon_num = OCON_IBENDPORT + 1,
>   	 .target_platform = SEPOL_TARGET_SELINUX,
>   	},
> +	{
> +	 .type = POLICY_BASE,
> +	 .version = MOD_POLICYDB_VERSION_GLBLUB,
> +	 .sym_num = SYM_NUM,
> +	 .ocon_num = OCON_IBENDPORT + 1,
> +	 .target_platform = SEPOL_TARGET_SELINUX,
> +	},
>   	{
>   	 .type = POLICY_MOD,
>   	 .version = MOD_POLICYDB_VERSION_BASE,
> @@ -418,6 +432,14 @@ static struct policydb_compat_info policydb_compat[] = {
>   	 .ocon_num = 0,
>   	 .target_platform = SEPOL_TARGET_SELINUX,
>   	},
> +	{
> +	 .type = POLICY_MOD,
> +	 .version = MOD_POLICYDB_VERSION_GLBLUB,
> +	 .sym_num = SYM_NUM,
> +	 .ocon_num = 0,
> +	 .target_platform = SEPOL_TARGET_SELINUX,
> +	},
> +
>   };
>   
>   #if 0
> diff --git a/libsepol/src/write.c b/libsepol/src/write.c
> index dee7b4a3..c6be2be2 100644
> --- a/libsepol/src/write.c
> +++ b/libsepol/src/write.c
> @@ -46,6 +46,11 @@
>   #include "private.h"
>   #include "mls.h"
>   
> +#define glblub_version ((p->policy_type == POLICY_KERN && \
> +		     p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
> +		    (p->policy_type == POLICY_BASE && \
> +		     p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
> +
>   struct policy_data {
>   	struct policy_file *fp;
>   	struct policydb *p;
> @@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
>   	     p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
>   		buf[0] = cpu_to_le32(cladatum->default_user);
>   		buf[1] = cpu_to_le32(cladatum->default_role);
> +		if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
> +			WARN(fp->handle,
> +                             "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
> +                             p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
> +                             p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
> +                        cladatum->default_range = 0;
> +                }
>   		buf[2] = cpu_to_le32(cladatum->default_range);
>   		items = put_entry(buf, sizeof(uint32_t), 3, fp);
>   		if (items != 3)
> 

Everything else looks ok, but I haven't tested it yet.

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Non-DoD Source] [PATCH] Add default_range glblub support
  2019-08-29 19:14 ` [Non-DoD Source] " jwcart2
@ 2019-08-29 19:25   ` Joshua Brindle
  2019-08-29 20:12     ` jwcart2
  0 siblings, 1 reply; 4+ messages in thread
From: Joshua Brindle @ 2019-08-29 19:25 UTC (permalink / raw)
  To: jwcart2; +Cc: selinux, Steve Smalley

On Thu, Aug 29, 2019 at 3:12 PM jwcart2 <jwcart2@tycho.nsa.gov> wrote:
>
> On 8/26/19 10:20 AM, Joshua Brindle wrote:
> > Policy developers can set a default_range default to glblub and
> > computed contexts will be the intersection of the ranges of the
> > source and target contexts. For example, one can add a default with
> > this cil:
> >
> > (defaultrange db_table glblub);
> >
> > and then test using the compute_create utility:
> >
> > $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
> > system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
> >
>
> It would be nice to say what glblub means and to have an example for checkpolicy
> as well.
>

Can do.

<snip>
> > --- a/libsepol/cil/src/cil_policy.c
> > +++ b/libsepol/cil/src/cil_policy.c
> > @@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
> >               case CIL_DEFAULT_TARGET_LOW_HIGH:
> >                       fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
> >                       break;
> > +             case CIL_DEFAULT_GLBLUB:
> > +                     fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_GLBLUB);
>
> I think you just want fprintf(out," %s", CIL_KEY_GLBLUB);

Yea, you are right. I wonder why this even works then?

<snip>

> > --- a/libsepol/src/kernel_to_conf.c
> > +++ b/libsepol/src/kernel_to_conf.c
> > @@ -673,6 +673,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
> >       case DEFAULT_TARGET_LOW_HIGH:
> >               dft = "target low-high";
> >               break;
> > +     case DEFAULT_GLBLUB:
> > +             dft = "glblub";
> > +             break;
> >       default:
> >               sepol_log_err("Unknown default type value: %i", class->default_range);
> >               return -1;
>
> You need to update kernel_to_cil.c as well.

Good catch. As a side note changing the policy has many more touch
points than it use to (this is my first time making an update that
include CIL). Is there some checklist or developer readme or something
available?

Also, it isn't clear how to test all the combinations. I did add:

Add via CIL module (which combos does that test?)
Add to exported CIL base (is that really the same as above?)
Add to .te base

What would I have needed to do to see that kernel_to_cil.c hadn't been updated?

<snip>

> > --- a/libsepol/src/write.c
> > +++ b/libsepol/src/write.c
> > @@ -46,6 +46,11 @@
> >   #include "private.h"
> >   #include "mls.h"
> >
> > +#define glblub_version ((p->policy_type == POLICY_KERN && \
> > +                  p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
> > +                 (p->policy_type == POLICY_BASE && \
> > +                  p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
> > +
> >   struct policy_data {
> >       struct policy_file *fp;
> >       struct policydb *p;
> > @@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
> >            p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
> >               buf[0] = cpu_to_le32(cladatum->default_user);
> >               buf[1] = cpu_to_le32(cladatum->default_role);
> > +             if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
> > +                     WARN(fp->handle,
> > +                             "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
> > +                             p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
> > +                             p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
> > +                        cladatum->default_range = 0;
> > +                }
> >               buf[2] = cpu_to_le32(cladatum->default_range);
> >               items = put_entry(buf, sizeof(uint32_t), 3, fp);
> >               if (items != 3)
> >
>
> Everything else looks ok, but I haven't tested it yet.

Thanks. You can test using the test suite as well, I'm impressed that
adding a bunch of sensitivities to an mcs policy works as well as it
does!

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Non-DoD Source] [PATCH] Add default_range glblub support
  2019-08-29 19:25   ` Joshua Brindle
@ 2019-08-29 20:12     ` jwcart2
  0 siblings, 0 replies; 4+ messages in thread
From: jwcart2 @ 2019-08-29 20:12 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: selinux, Steve Smalley

On 8/29/19 3:25 PM, Joshua Brindle wrote:
> On Thu, Aug 29, 2019 at 3:12 PM jwcart2 <jwcart2@tycho.nsa.gov> wrote:
>>
>> On 8/26/19 10:20 AM, Joshua Brindle wrote:
>>> Policy developers can set a default_range default to glblub and
>>> computed contexts will be the intersection of the ranges of the
>>> source and target contexts. For example, one can add a default with
>>> this cil:
>>>
>>> (defaultrange db_table glblub);
>>>
>>> and then test using the compute_create utility:
>>>
>>> $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
>>> system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
>>>
>>
>> It would be nice to say what glblub means and to have an example for checkpolicy
>> as well.
>>
> 
> Can do.
> 
> <snip>
>>> --- a/libsepol/cil/src/cil_policy.c
>>> +++ b/libsepol/cil/src/cil_policy.c
>>> @@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
>>>                case CIL_DEFAULT_TARGET_LOW_HIGH:
>>>                        fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
>>>                        break;
>>> +             case CIL_DEFAULT_GLBLUB:
>>> +                     fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_GLBLUB);
>>
>> I think you just want fprintf(out," %s", CIL_KEY_GLBLUB);
> 
> Yea, you are right. I wonder why this even works then?
> 
> <snip>
> 
>>> --- a/libsepol/src/kernel_to_conf.c
>>> +++ b/libsepol/src/kernel_to_conf.c
>>> @@ -673,6 +673,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
>>>        case DEFAULT_TARGET_LOW_HIGH:
>>>                dft = "target low-high";
>>>                break;
>>> +     case DEFAULT_GLBLUB:
>>> +             dft = "glblub";
>>> +             break;
>>>        default:
>>>                sepol_log_err("Unknown default type value: %i", class->default_range);
>>>                return -1;
>>
>> You need to update kernel_to_cil.c as well.
> 
> Good catch. As a side note changing the policy has many more touch
> points than it use to (this is my first time making an update that
> include CIL). Is there some checklist or developer readme or something
> available?
> 

No, there is no checklist. I can see how it would be useful though.

> Also, it isn't clear how to test all the combinations. I did add:
> 
> Add via CIL module (which combos does that test?)
That tests secilc

> Add to exported CIL base (is that really the same as above?)
That also tests secilc

> Add to .te base
> 
That tests checkmodule

> What would I have needed to do to see that kernel_to_cil.c hadn't been updated?
> 

1. checkpolicy -M -C -o foo.cil foo.conf
    This converts conf to cil and tests module_to_cil.c.

2. checkpolicy -M -C -b -o foo.cil foo.bin
    This converts kernel binary to cil and tests kernel_to_cil.c

3. checkpolicy -M -F -b -o foo.conf foo.bin
    This converts kernel binary to conf and tests kernel_to_conf.c

4. secil2conf -o foo.conf foo.cil
    This converts cil to conf and tests cil_policy.c

I think that covers everything. It is complicated.

> <snip>
> 
>>> --- a/libsepol/src/write.c
>>> +++ b/libsepol/src/write.c
>>> @@ -46,6 +46,11 @@
>>>    #include "private.h"
>>>    #include "mls.h"
>>>
>>> +#define glblub_version ((p->policy_type == POLICY_KERN && \
>>> +                  p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
>>> +                 (p->policy_type == POLICY_BASE && \
>>> +                  p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
>>> +
>>>    struct policy_data {
>>>        struct policy_file *fp;
>>>        struct policydb *p;
>>> @@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
>>>             p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
>>>                buf[0] = cpu_to_le32(cladatum->default_user);
>>>                buf[1] = cpu_to_le32(cladatum->default_role);
>>> +             if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
>>> +                     WARN(fp->handle,
>>> +                             "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
>>> +                             p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
>>> +                             p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
>>> +                        cladatum->default_range = 0;
>>> +                }
>>>                buf[2] = cpu_to_le32(cladatum->default_range);
>>>                items = put_entry(buf, sizeof(uint32_t), 3, fp);
>>>                if (items != 3)
>>>
>>
>> Everything else looks ok, but I haven't tested it yet.
> 
> Thanks. You can test using the test suite as well, I'm impressed that
> adding a bunch of sensitivities to an mcs policy works as well as it
> does!
> 


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-26 14:20 [PATCH] Add default_range glblub support Joshua Brindle
2019-08-29 19:14 ` [Non-DoD Source] " jwcart2
2019-08-29 19:25   ` Joshua Brindle
2019-08-29 20:12     ` jwcart2

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org selinux@archiver.kernel.org
	public-inbox-index selinux


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/ public-inbox