From: Stephen Smalley <sds@tycho.nsa.gov>
To: Richard Haines <richard_c_haines@btinternet.com>,
selinux@vger.kernel.org
Cc: xunchang@google.com, nnk@google.com
Subject: Re: [PATCH 0/3] Update restorecon to support new digest scheme
Date: Tue, 28 May 2019 10:24:03 -0400 [thread overview]
Message-ID: <2a7c75b3-c0c4-0eee-fe6c-d47702ac91af@tycho.nsa.gov> (raw)
In-Reply-To: <cc26a91a5fb500e6c61131965920131782751880.camel@btinternet.com>
On 5/24/19 2:06 PM, Richard Haines wrote:
> On Fri, 2019-05-24 at 13:11 -0400, Stephen Smalley wrote:
>> On 5/22/19 12:42 PM, Richard Haines wrote:
>>> These patches require [1] and [2] be installed first. They have
>>> been implemented on Android and sent to the selinux list, however
>>> their
>>> merge has been deferred. They will install the core hashing of
>>> file_context entries and fix root stem processing.
>>>
>>> Patch 1/3 updates selinux_restorecon() replacing the per-mountpoint
>>> security.restorecon_last attribute with a per-directory
>>> security.sehash
>>> attribute computed from only those file contexts entries that
>>> partially
>>> match the directory. This is to avoid the need to walk the entire
>>> tree
>>> when any part of file_contexts changes, limiting relabels to only
>>> those
>>> parts of the tree that could have changed.
>>>
>>> One change is to add a new
>>> selabel_get_digests_all_partial_matches(3)
>>> function that is explained in the man page. This could replace the
>>> Android
>>> version of selabel_hash_all_partial_matches(3), that could then be
>>> converted into a local function (The Android team would need to
>>> approve).
>>
>> Has Android sorted out all of the ramifications of this change?
> As I'm not involved with Android I don't know. Note that as I do not
> change their core selabel code my new function could be added to
> libselinux and they pick it up if they want it (or it gets rejected by
> the SELinux team). I've added Nick to the cc list in case any comments.
>
> The main reason I added the function was the call retrieved the info in
> one go plus you did't need to know the digest length.
>
>> What
>> about the triggering of CAP_SYS_ADMIN denials for setting the
>> security.sehash attribute?
> They solved this by adding the *_RESTORECON_SKIP_SEHASH flag that I've
> copied (the selinux-testsuite restorecon has tests for this).
Per
https://android-review.googlesource.com/c/platform/external/selinux/+/940326,
they say:
"TODO: It would be better if the default for restorecon was to suppress
the hash computation, since otherwise it encourages programs to be
overprivileged with CAP_SYS_ADMIN. I'll plan on doing that in a followup
commit."
So I think we would want to disable the setting of sehash by default
upstream to match their planned future behavior. In fact, I think that
is how your version of setting security.restoreconlast worked upstream
originally - the caller had to selabel_open() with options containing a
SELABEL_OPT_DIGEST option with a non-zero value in order to enable
setting of a digest in the first place? By the way, this patch set
seems to dispense with SELABEL_OPT_DIGEST and selabel_digest() usage
internally even though it leaves them defined, thereby changing behavior
for existing API callers?
>
>>
>>> Patches 2/3 and 3/3 update restorecon, setfiles and restorecond.
>>>
>>> I will send a patch for the selinux-testsuite that will perform
>>> tests on
>>> the new code.
>>>
>>> [1]
>>> https://lore.kernel.org/selinux/20190311222442.49824-1-xunchang@google.com/
>>> [2]
>>> https://lore.kernel.org/selinux/20190417180955.136942-1-xunchang@google.com/
>>>
>>> Richard Haines (3):
>>> libselinux: Save digest of all partial matches for directory
>>> setfiles: Update utilities for the new digest scheme
>>> restorecond: Update to handle new digest scheme
>>>
>>> libselinux/include/selinux/label.h | 5 +
>>> libselinux/include/selinux/restorecon.h | 17 +-
>>> .../selabel_get_digests_all_partial_matches.3 | 70 +++++
>>> libselinux/man/man3/selinux_restorecon.3 | 91 +++---
>>> .../man3/selinux_restorecon_default_handle.3 | 9 +-
>>> .../man/man3/selinux_restorecon_xattr.3 | 11 +-
>>> libselinux/src/label.c | 15 +
>>> libselinux/src/label_file.c | 51 ++++
>>> libselinux/src/label_file.h | 4 +
>>> libselinux/src/label_internal.h | 5 +
>>> libselinux/src/selinux_restorecon.c | 267 +++++++++++
>>> -------
>>> libselinux/utils/.gitignore | 1 +
>>> .../selabel_get_digests_all_partial_matches.c | 170 +++++++++++
>>> policycoreutils/setfiles/restore.c | 7 +-
>>> policycoreutils/setfiles/restore.h | 2 +-
>>> policycoreutils/setfiles/restorecon.8 | 10 +-
>>> policycoreutils/setfiles/restorecon_xattr.8 | 19 +-
>>> policycoreutils/setfiles/restorecon_xattr.c | 66 +----
>>> policycoreutils/setfiles/setfiles.8 | 10 +-
>>> policycoreutils/setfiles/setfiles.c | 19 +-
>>> restorecond/restore.c | 8 +-
>>> restorecond/restore.h | 2 +-
>>> restorecond/restorecond.c | 5 +-
>>> 23 files changed, 593 insertions(+), 271 deletions(-)
>>> create mode 100644
>>> libselinux/man/man3/selabel_get_digests_all_partial_matches.3
>>> create mode 100644
>>> libselinux/utils/selabel_get_digests_all_partial_matches.c
>>>
>
next prev parent reply other threads:[~2019-05-28 14:24 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-22 16:42 [PATCH 0/3] Update restorecon to support new digest scheme Richard Haines
2019-05-24 17:11 ` Stephen Smalley
[not found] ` <cc26a91a5fb500e6c61131965920131782751880.camel@btinternet.com>
2019-05-28 14:24 ` Stephen Smalley [this message]
[not found] ` <c56a4e4524b98db76c642714c9e4fd927458e3f8.camel@btinternet.com>
2019-05-30 16:29 ` Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2019-05-22 5:41 Richard Haines
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2a7c75b3-c0c4-0eee-fe6c-d47702ac91af@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=nnk@google.com \
--cc=richard_c_haines@btinternet.com \
--cc=selinux@vger.kernel.org \
--cc=xunchang@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).