[PATCH userspace 0/2] Introduce an initial SID for early boot processes

[PATCH userspace 0/2] Introduce an initial SID for early boot processes

[Ondrej Mosnacek]

These are userspace support patches corresponding to the following
kernel patch submission:
https://lore.kernel.org/selinux/20230612090145.1059245-1-omosnace@redhat.com/

The first patch merely removes the names of the discontinued initial
SIDs. The second patch adds the new policy capability and re-adds
the "init" initial SID's name as it's being reused for the new
functionality added by the kernel patch.

Ondrej Mosnacek (2):
  libsepol: stop translating deprecated intial SIDs to strings
  libsepol: add support for the new "init" initial SID

 libsepol/include/sepol/policydb/polcaps.h |  1 +
 libsepol/src/kernel_to_cil.c              |  4 +--
 libsepol/src/kernel_to_common.h           | 34 +++++++++++------------
 libsepol/src/kernel_to_conf.c             |  4 +--
 libsepol/src/module_to_cil.c              |  2 +-
 libsepol/src/polcaps.c                    |  1 +
 6 files changed, 24 insertions(+), 22 deletions(-)

-- 
2.40.1

[PATCH userspace 1/2] libsepol: stop translating deprecated intial SIDs to strings

[Ondrej Mosnacek]

Many of the initial SIDs are no longer used by the kernel, so
translating them to the legacy names doesn't bring much value. Clear the
legacy names from the table and let the code translate them to the
fallback "unknown" names instead.

Note that this only affects the generated text output when converting
policies from binary to text form. The text policy languages let the
policy define its own names for the initial SIDs based on the order in
which they are declared, so the table is never used to convert from name
to SID. Thus this is just a cosmetic change and has no functional
impact.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 libsepol/src/kernel_to_cil.c    |  4 ++--
 libsepol/src/kernel_to_common.h | 36 ++++++++++++++++-----------------
 libsepol/src/kernel_to_conf.c   |  4 ++--
 libsepol/src/module_to_cil.c    |  2 +-
 4 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index e9cd89c2..bd04c087 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -567,7 +567,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_str[i]) {
 			sid = (char *)sid_to_str[i];
 		} else {
 			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
@@ -2577,7 +2577,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
 
 	for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_str[i]) {
 			sid = (char *)sid_to_str[i];
 		} else {
 			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 159c4289..6073ff3a 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -13,33 +13,33 @@
 // initial sid names aren't actually stored in the pp files, need to a have
 // a mapping, taken from the linux kernel
 static const char * const selinux_sid_to_str[] = {
-	"null",
+	NULL,
 	"kernel",
 	"security",
 	"unlabeled",
-	"fs",
+	NULL,
 	"file",
-	"file_labels",
-	"init",
+	NULL,
+	NULL,
 	"any_socket",
 	"port",
 	"netif",
 	"netmsg",
 	"node",
-	"igmp_packet",
-	"icmp_socket",
-	"tcp_socket",
-	"sysctl_modprobe",
-	"sysctl",
-	"sysctl_fs",
-	"sysctl_kernel",
-	"sysctl_net",
-	"sysctl_net_unix",
-	"sysctl_vm",
-	"sysctl_dev",
-	"kmod",
-	"policy",
-	"scmp_packet",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
 	"devnull",
 };
 
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index c48a7114..3be87184 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -464,7 +464,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_str[i]) {
 			sid = (char *)sid_to_str[i];
 		} else {
 			snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
@@ -2445,7 +2445,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
 
 	for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_str[i]) {
 			sid = (char *)sid_to_str[i];
 		} else {
 			snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index e7bc6ee6..a46775ca 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2549,7 +2549,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		if (i < num_sids) {
+		if (i < num_sids && sid_to_string[i]) {
 			sid = (char*)sid_to_string[i];
 		} else {
 			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
-- 
2.40.1

[PATCH userspace 2/2] libsepol: add support for the new "init" initial SID

[Ondrej Mosnacek]

Resurrect the naming of the "init" initial SID, as it has been
reintroduced in the kernel. Also add the new "userspace_initial_context"
policy capability that is used to enable the new semantics for this
initial SID.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 libsepol/include/sepol/policydb/polcaps.h | 1 +
 libsepol/src/kernel_to_common.h           | 2 +-
 libsepol/src/polcaps.c                    | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
index f5e32e60..14bcc6cb 100644
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
@@ -15,6 +15,7 @@ enum {
 	POLICYDB_CAP_NNP_NOSUID_TRANSITION,
 	POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
 	POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
+	POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
 	__POLICYDB_CAP_MAX
 };
 #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 6073ff3a..5d927a3d 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -20,7 +20,7 @@ static const char * const selinux_sid_to_str[] = {
 	NULL,
 	"file",
 	NULL,
-	NULL,
+	"init",
 	"any_socket",
 	"port",
 	"netif",
diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
index 687e971c..be12580a 100644
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
@@ -14,6 +14,7 @@ static const char * const polcap_names[] = {
 	"nnp_nosuid_transition",	/* POLICYDB_CAP_NNP_NOSUID_TRANSITION */
 	"genfs_seclabel_symlinks",	/* POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS */
 	"ioctl_skip_cloexec",		/* POLICYDB_CAP_IOCTL_SKIP_CLOEXEC */
+	"userspace_initial_context",	/* POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT */
 	NULL
 };
 
-- 
2.40.1

Re: [PATCH userspace 1/2] libsepol: stop translating deprecated intial SIDs to strings

[James Carter]

On Mon, Jun 12, 2023 at 5:50 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> Many of the initial SIDs are no longer used by the kernel, so
> translating them to the legacy names doesn't bring much value. Clear the
> legacy names from the table and let the code translate them to the
> fallback "unknown" names instead.
>
> Note that this only affects the generated text output when converting
> policies from binary to text form. The text policy languages let the
> policy define its own names for the initial SIDs based on the order in
> which they are declared, so the table is never used to convert from name
> to SID. Thus this is just a cosmetic change and has no functional
> impact.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

For these two patches:
Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/src/kernel_to_cil.c    |  4 ++--
>  libsepol/src/kernel_to_common.h | 36 ++++++++++++++++-----------------
>  libsepol/src/kernel_to_conf.c   |  4 ++--
>  libsepol/src/module_to_cil.c    |  2 +-
>  4 files changed, 23 insertions(+), 23 deletions(-)
>
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index e9cd89c2..bd04c087 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -567,7 +567,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
>
>         for (isid = isids; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_str[i]) {
>                         sid = (char *)sid_to_str[i];
>                 } else {
>                         snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
> @@ -2577,7 +2577,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
>
>         for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_str[i]) {
>                         sid = (char *)sid_to_str[i];
>                 } else {
>                         snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
> diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
> index 159c4289..6073ff3a 100644
> --- a/libsepol/src/kernel_to_common.h
> +++ b/libsepol/src/kernel_to_common.h
> @@ -13,33 +13,33 @@
>  // initial sid names aren't actually stored in the pp files, need to a have
>  // a mapping, taken from the linux kernel
>  static const char * const selinux_sid_to_str[] = {
> -       "null",
> +       NULL,
>         "kernel",
>         "security",
>         "unlabeled",
> -       "fs",
> +       NULL,
>         "file",
> -       "file_labels",
> -       "init",
> +       NULL,
> +       NULL,
>         "any_socket",
>         "port",
>         "netif",
>         "netmsg",
>         "node",
> -       "igmp_packet",
> -       "icmp_socket",
> -       "tcp_socket",
> -       "sysctl_modprobe",
> -       "sysctl",
> -       "sysctl_fs",
> -       "sysctl_kernel",
> -       "sysctl_net",
> -       "sysctl_net_unix",
> -       "sysctl_vm",
> -       "sysctl_dev",
> -       "kmod",
> -       "policy",
> -       "scmp_packet",
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
>         "devnull",
>  };
>
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index c48a7114..3be87184 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -464,7 +464,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
>
>         for (isid = isids; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_str[i]) {
>                         sid = (char *)sid_to_str[i];
>                 } else {
>                         snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
> @@ -2445,7 +2445,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
>
>         for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_str[i]) {
>                         sid = (char *)sid_to_str[i];
>                 } else {
>                         snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index e7bc6ee6..a46775ca 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2549,7 +2549,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
>
>         for (isid = isids; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_string[i]) {
>                         sid = (char*)sid_to_string[i];
>                 } else {
>                         snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
> --
> 2.40.1
>

Re: [PATCH userspace 1/2] libsepol: stop translating deprecated intial SIDs to strings

[Petr Lautrbach]

James Carter <jwcart2@gmail.com> writes:

> On Mon, Jun 12, 2023 at 5:50 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>>
>> Many of the initial SIDs are no longer used by the kernel, so
>> translating them to the legacy names doesn't bring much value. Clear the
>> legacy names from the table and let the code translate them to the
>> fallback "unknown" names instead.
>>
>> Note that this only affects the generated text output when converting
>> policies from binary to text form. The text policy languages let the
>> policy define its own names for the initial SIDs based on the order in
>> which they are declared, so the table is never used to convert from name
>> to SID. Thus this is just a cosmetic change and has no functional
>> impact.
>>
>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> For these two patches:
> Acked-by: James Carter <jwcart2@gmail.com>

Both merged. Thanks!


>> ---
>>  libsepol/src/kernel_to_cil.c    |  4 ++--
>>  libsepol/src/kernel_to_common.h | 36 ++++++++++++++++-----------------
>>  libsepol/src/kernel_to_conf.c   |  4 ++--
>>  libsepol/src/module_to_cil.c    |  2 +-
>>  4 files changed, 23 insertions(+), 23 deletions(-)
>>
>> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
>> index e9cd89c2..bd04c087 100644
>> --- a/libsepol/src/kernel_to_cil.c
>> +++ b/libsepol/src/kernel_to_cil.c
>> @@ -567,7 +567,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
>>
>>         for (isid = isids; isid != NULL; isid = isid->next) {
>>                 i = isid->sid[0];
>> -               if (i < num_sids) {
>> +               if (i < num_sids && sid_to_str[i]) {
>>                         sid = (char *)sid_to_str[i];
>>                 } else {
>>                         snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
>> @@ -2577,7 +2577,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
>>
>>         for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
>>                 i = isid->sid[0];
>> -               if (i < num_sids) {
>> +               if (i < num_sids && sid_to_str[i]) {
>>                         sid = (char *)sid_to_str[i];
>>                 } else {
>>                         snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
>> diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
>> index 159c4289..6073ff3a 100644
>> --- a/libsepol/src/kernel_to_common.h
>> +++ b/libsepol/src/kernel_to_common.h
>> @@ -13,33 +13,33 @@
>>  // initial sid names aren't actually stored in the pp files, need to a have
>>  // a mapping, taken from the linux kernel
>>  static const char * const selinux_sid_to_str[] = {
>> -       "null",
>> +       NULL,
>>         "kernel",
>>         "security",
>>         "unlabeled",
>> -       "fs",
>> +       NULL,
>>         "file",
>> -       "file_labels",
>> -       "init",
>> +       NULL,
>> +       NULL,
>>         "any_socket",
>>         "port",
>>         "netif",
>>         "netmsg",
>>         "node",
>> -       "igmp_packet",
>> -       "icmp_socket",
>> -       "tcp_socket",
>> -       "sysctl_modprobe",
>> -       "sysctl",
>> -       "sysctl_fs",
>> -       "sysctl_kernel",
>> -       "sysctl_net",
>> -       "sysctl_net_unix",
>> -       "sysctl_vm",
>> -       "sysctl_dev",
>> -       "kmod",
>> -       "policy",
>> -       "scmp_packet",
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>> +       NULL,
>>         "devnull",
>>  };
>>
>> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
>> index c48a7114..3be87184 100644
>> --- a/libsepol/src/kernel_to_conf.c
>> +++ b/libsepol/src/kernel_to_conf.c
>> @@ -464,7 +464,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
>>
>>         for (isid = isids; isid != NULL; isid = isid->next) {
>>                 i = isid->sid[0];
>> -               if (i < num_sids) {
>> +               if (i < num_sids && sid_to_str[i]) {
>>                         sid = (char *)sid_to_str[i];
>>                 } else {
>>                         snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
>> @@ -2445,7 +2445,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
>>
>>         for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
>>                 i = isid->sid[0];
>> -               if (i < num_sids) {
>> +               if (i < num_sids && sid_to_str[i]) {
>>                         sid = (char *)sid_to_str[i];
>>                 } else {
>>                         snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
>> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
>> index e7bc6ee6..a46775ca 100644
>> --- a/libsepol/src/module_to_cil.c
>> +++ b/libsepol/src/module_to_cil.c
>> @@ -2549,7 +2549,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
>>
>>         for (isid = isids; isid != NULL; isid = isid->next) {
>>                 i = isid->sid[0];
>> -               if (i < num_sids) {
>> +               if (i < num_sids && sid_to_string[i]) {
>>                         sid = (char*)sid_to_string[i];
>>                 } else {
>>                         snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
>> --
>> 2.40.1
>>