SELinux Archive on lore.kernel.org
From: jwcart2 <jwcart2@tycho.nsa.gov>
To: Joshua Brindle <joshua.brindle@crunchydata.com>
Cc: selinux@vger.kernel.org, Steve Smalley <sds@tycho.nsa.gov>
Subject: Re: [Non-DoD Source] [PATCH] Add default_range glblub support
Date: Thu, 29 Aug 2019 16:12:15 -0400
Message-ID: <496c9521-dd58-7164-f3c6-c233c8f5dc5f@tycho.nsa.gov>
In-Reply-To: <CAGB+Vh41FrvMOs2MoONi23gmve0i3oz3m70Fbitkj629EiMBHg@mail.gmail.com>

On 8/29/19 3:25 PM, Joshua Brindle wrote:
> On Thu, Aug 29, 2019 at 3:12 PM jwcart2 <jwcart2@tycho.nsa.gov> wrote:
>>
>> On 8/26/19 10:20 AM, Joshua Brindle wrote:
>>> Policy developers can set a default_range default to glblub and
>>> computed contexts will be the intersection of the ranges of the
>>> source and target contexts. For example, one can add a default with
>>> this cil:
>>>
>>> (defaultrange db_table glblub);
>>>
>>> and then test using the compute_create utility:
>>>
>>> $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
>>> system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
>>>
>>
>> It would be nice to say what glblub means and to have an example for checkpolicy
>> as well.
>>
> 
> Can do.
> 
> <snip>
>>> --- a/libsepol/cil/src/cil_policy.c
>>> +++ b/libsepol/cil/src/cil_policy.c
>>> @@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
>>>                case CIL_DEFAULT_TARGET_LOW_HIGH:
>>>                        fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
>>>                        break;
>>> +             case CIL_DEFAULT_GLBLUB:
>>> +                     fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_GLBLUB);
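Review bot: In the new CIL_DEFAULT_GLBLUB case, `fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_GLBLUB)` emits "target glblub", but glblub is a stand-alone default_range value rather than a target low/high selector, so it should be `fprintf(out," %s", CIL_KEY_GLBLUB);`. The hunk header counts three added lines while only two are quoted here; confirm the case ends in its own `break;` so it cannot fall through into the following case.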
>>
>> I think you just want fprintf(out," %s", CIL_KEY_GLBLUB);
> 
> Yea, you are right. I wonder why this even works then?
> 
> <snip>
> 
>>> --- a/libsepol/src/kernel_to_conf.c
>>> +++ b/libsepol/src/kernel_to_conf.c
>>> @@ -673,6 +673,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
>>>        case DEFAULT_TARGET_LOW_HIGH:
>>>                dft = "target low-high";
>>>                break;
>>> +     case DEFAULT_GLBLUB:
>>> +             dft = "glblub";
>>> +             break;
>>>        default:
>>>                sepol_log_err("Unknown default type value: %i", class->default_range);
>>>                return -1;
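Review bot: kernel_to_cil.c needs the same `case DEFAULT_GLBLUB:`; as the `default:` branch at the end of this hunk shows, a writer without it logs "Unknown default type value" and returns -1, so converting any policy that uses the new default would fail outright in the CIL writer rather than just dropping the setting.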
>>
>> You need to update kernel_to_cil.c as well.
> 
> Good catch. As a side note, changing the policy has many more touch
> points than it used to (this is my first time making an update that
> includes CIL). Is there some checklist or developer readme or something
> available?
> 

No, there is no checklist. I can see how it would be useful though.

> Also, it isn't clear how to test all the combinations. I did add:
> 
> Add via CIL module (which combos does that test?)
That tests secilc.

> Add to exported CIL base (is that really the same as above?)
That also tests secilc.

> Add to .te base
> 
That tests checkmodule.

> What would I have needed to do to see that kernel_to_cil.c hadn't been updated?
> 

1. checkpolicy -M -C -o foo.cil foo.conf
    This converts conf to cil and tests module_to_cil.c.

2. checkpolicy -M -C -b -o foo.cil foo.bin
    This converts kernel binary to cil and tests kernel_to_cil.c.

3. checkpolicy -M -F -b -o foo.conf foo.bin
    This converts kernel binary to conf and tests kernel_to_conf.c.

4. secil2conf -o foo.conf foo.cil
    This converts cil to conf and tests cil_policy.c.
I think that covers everything. It is complicated.

> <snip>
> 
>>> --- a/libsepol/src/write.c
>>> +++ b/libsepol/src/write.c
>>> @@ -46,6 +46,11 @@
>>>    #include "private.h"
>>>    #include "mls.h"
>>>
>>> +#define glblub_version ((p->policy_type == POLICY_KERN && \
>>> +                  p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
>>> +                 (p->policy_type == POLICY_BASE && \
>>> +                  p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
>>> +
>>>    struct policy_data {
>>>        struct policy_file *fp;
>>>        struct policydb *p;
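Review bot: `glblub_version` is an object-like macro that silently captures whatever local is named `p` at each use site, and its lowercase name reads like a variable there; a `static inline` helper taking `const struct policydb *p` (or at least an upper-case, function-like macro with `p` as its argument) would make the dependency explicit and let the compiler type-check the expression.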
>>> @@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
>>>             p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
>>>                buf[0] = cpu_to_le32(cladatum->default_user);
>>>                buf[1] = cpu_to_le32(cladatum->default_role);
>>> +             if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
>>> +                     WARN(fp->handle,
>>> +                             "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
>>> +                             p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
>>> +                             p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
>>> +                        cladatum->default_range = 0;
>>> +                }
>>>                buf[2] = cpu_to_le32(cladatum->default_range);
>>>                items = put_entry(buf, sizeof(uint32_t), 3, fp);
>>>                if (items != 3)
>>>
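Review bot: The discard path mutates the policydb being written (`cladatum->default_range = 0;`) rather than only changing what goes into `buf[2]`, so a later write of the same in-memory policy at a version that does support glblub would have silently lost the setting; write 0 into `buf[2]` locally and leave `cladatum` untouched. Style: the `cladatum->default_range = 0;` line and its closing brace are indented with spaces while the surrounding code uses tabs, and the ternary `POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB` wants spaces around `?` and `:`.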
>>
>> Everything else looks ok, but I haven't tested it yet.
> 
> Thanks. You can test using the test suite as well, I'm impressed that
> adding a bunch of sensitivities to an mcs policy works as well as it
> does!
> 


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
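A small model of the glblub range computation the patch description talks about, added here as an example; it is not code from the patch, libsepol or the kernel. It reproduces the compute_create result quoted in the thread and assumes sN/cN naming ordered by number (refpolicy/MCS style); the exact rule (higher of the two lows, lower of the two highs, shared categories on both ends) is this example's reading of "intersection of the ranges".

```python
import re

def parse_level(text):
    """'s0:c1,c2,c5' -> (0, {1, 2, 5}); 's0' -> (0, set()). Assumes sN/cN names."""
    sens, _, cats = text.partition(":")
    catset = set()
    for item in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError(f"bad category spec: {item}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        catset.update(range(lo, hi + 1))
    return int(sens[1:]), catset

def format_level(sens, cats):
    """Inverse of parse_level; a run of 3+ categories is written cA.cB."""
    cats, out, i = sorted(cats), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            out.append(f"c{cats[i]}.c{cats[j]}")
        else:
            out.extend(f"c{c}" for c in cats[i:j + 1])
        i = j + 1
    return f"s{sens}" + (":" + ",".join(out) if out else "")

def parse_range(text):
    """'low-high' -> ((sens, cats), (sens, cats)); a lone level is its own high."""
    low, _, high = text.partition("-")
    return parse_level(low), parse_level(high or low)

def glblub_range(src, tgt):
    """Intersection of two ranges (assumed rule): low = higher of the two low
    sensitivities with the categories both lows share; high = lower of the two
    high sensitivities with the categories both highs share. None if disjoint."""
    (s_lo, s_hi), (t_lo, t_hi) = parse_range(src), parse_range(tgt)
    if s_hi[0] < t_lo[0] or t_hi[0] < s_lo[0]:
        return None  # no sensitivity in common: nothing to intersect, treat as error
    low = format_level(max(s_lo[0], t_lo[0]), s_lo[1] & t_lo[1])
    high = format_level(min(s_hi[0], t_hi[0]), s_hi[1] & t_hi[1])
    return low if low == high else f"{low}-{high}"

def range_of(context):
    """'user:role:type:range' -> range (the range part itself contains colons)."""
    return context.split(":", 3)[3]
```

Feeding the two contexts from the compute_create run in the thread through range_of and glblub_range yields s0:c1,c2,c5-s0:c1.c20, the range compute_create printed.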
