From: Stephen Smalley <sds@tycho.nsa.gov>
To: Joshua Brindle <joshua.brindle@crunchydata.com>, selinux@vger.kernel.org
Cc: paul@paul-moore.com
Subject: Re: [PATCH v3] default_range glblub implementation
Date: Fri, 30 Aug 2019 11:44:21 -0400 [thread overview]
Message-ID: <85c1aba4-39ce-ba21-bb8c-30aa71bab06c@tycho.nsa.gov> (raw)
In-Reply-To: <20190830153946.28159-1-joshua.brindle@crunchydata.com>
On 8/30/19 11:39 AM, Joshua Brindle wrote:
> A policy developer can now specify glblub as a default_range default and
> the computed transition will be the intersection of the mls range of
> the two contexts.
>
> The glb (greatest lower bound) lub (lowest upper bound) of a range is calculated
> as the greater of the low sensitivities and the lower of the high sensitivities
> and the bitwise AND of each category bitmap.
>
> This can be used by MLS solution developers to compute a context that satisfies,
> for example, the range of a network interface and the range of a user logging in.
>
> Some examples are:
>
> User Permitted Range | Network Device Label | Computed Label
> ---------------------|----------------------|----------------
> S0-S1:c0.c12 | S0 | S0
> S0-S1:c0.c12 | S0-S1:c0.c1024 | S0-S1:c0.c12
> S0-S4:c0.c512 | S1-S1:c0.c1024 | S1-S1:c0.c512
> S0-S16:c0,c2 | S4-S6:c0.c128 | S4-S6:c0,c2
> S0-S4 | S2-S6 | S2-S4
> S0-S4 | S5-S8 | INVALID
> S5-S8 | S0-S4 | INVALID
> S6:c0,c2-S7:c4,c5 | S0:c2,c4-S6:c5.c100 | S6:c2-S6:c5
>
> Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> ---
> security/selinux/include/security.h | 3 ++-
> security/selinux/ss/context.h | 28 ++++++++++++++++++++++++++++
> security/selinux/ss/ebitmap.c | 18 ++++++++++++++++++
> security/selinux/ss/ebitmap.h | 1 +
> security/selinux/ss/mls.c | 2 ++
> security/selinux/ss/policydb.c | 5 +++++
> security/selinux/ss/policydb.h | 1 +
> 7 files changed, 57 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 111121281c47..ae840634e3c7 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -40,10 +40,11 @@
> #define POLICYDB_VERSION_CONSTRAINT_NAMES 29
> #define POLICYDB_VERSION_XPERMS_IOCTL 30
> #define POLICYDB_VERSION_INFINIBAND 31
> +#define POLICYDB_VERSION_GLBLUB 32
>
> /* Range of policy versions we understand*/
> #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
> -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND
> +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_GLBLUB
>
> /* Mask for just the mount related flags */
> #define SE_MNTMASK 0x0f
> diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
> index 2260c44a568c..ea2a56d910a5 100644
> --- a/security/selinux/ss/context.h
> +++ b/security/selinux/ss/context.h
> @@ -95,6 +95,34 @@ static inline int mls_context_cpy_high(struct context *dst, struct context *src)
> return rc;
> }
>
> +
> +static inline int mls_context_glblub(struct context *dst, struct context *c1, struct context *c2)
> +{
> + struct mls_range *dr = &dst->range, *r1 = &c1->range, *r2 = &c2->range;
> + int rc = 0;
> +
> + if (r1->level[1].sens < r2->level[0].sens || r2->level[1].sens < r1->level[0].sens)
> + /* These ranges have no common sensitivities */
> + return -1;
I mentioned this on the prior patch, but perhaps you didn't read past
the first comment: I think you need to return -EINVAL or some other
-errno value here since this will get propagated up to the userspace
caller as an errno if I am not mistaken.
> +
> + /* Take the greatest of the low */
> + dr->level[0].sens = max(r1->level[0].sens, r2->level[0].sens);
> +
> + /* Take the least of the high */
> + dr->level[1].sens = min(r1->level[1].sens, r2->level[1].sens);
> +
> + rc = ebitmap_and(&dr->level[0].cat, &r1->level[0].cat, &r2->level[0].cat);
> + if (rc)
> + goto out;
> +
> + rc = ebitmap_and(&dr->level[1].cat, &r1->level[1].cat, &r2->level[1].cat);
> + if (rc)
> + goto out;
> +
> +out:
> + return rc;
> +}
> +
> static inline int mls_context_cmp(struct context *c1, struct context *c2)
> {
> return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
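Review bot: The `goto out` after the second ebitmap_and() call in mls_context_glblub() jumps to the statement that immediately follows it, so the label and that final `if (rc)` are dead code; the tail could simply be `return ebitmap_and(&dr->level[1].cat, &r1->level[1].cat, &r2->level[1].cat);` and `rc` then no longer needs the `= 0` initialiser. If the first ebitmap_and() fails, dst's high-level category bitmap is left untouched while the low one may be partially built, which presumably relies on the caller destroying newcontext on error — worth confirming at the call site in mls.c. The function also carries no header comment although it has a precondition the name does not convey; something like `/* dst->range = intersection of c1's and c2's ranges: greater low sens, lesser high sens, AND of each category set. dst's range must be unused, since ebitmap_and() reinitialises the bitmaps. */` would state it. The extra blank line inserted before the definition leaves two consecutive empty lines, which checkpatch reports.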
> diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
> index 09929fc5ab47..c8c3663111e2 100644
> --- a/security/selinux/ss/ebitmap.c
> +++ b/security/selinux/ss/ebitmap.c
> @@ -77,6 +77,24 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)
> return 0;
> }
>
> +int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2)
> +{
> + struct ebitmap_node *n;
> + int bit, rc;
> +
> + ebitmap_init(dst);
> +
> + ebitmap_for_each_positive_bit(e1, n, bit) {
> + if (ebitmap_get_bit(e2, bit)) {
> + rc = ebitmap_set_bit(dst, bit, 1);
> + if (rc < 0)
> + return rc;
> + }
> + }
> + return 0;
> +}
> +
> +
> #ifdef CONFIG_NETLABEL
> /**
> * ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap
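Review bot: The loop in ebitmap_and() calls ebitmap_get_bit() once per positive bit of e1, and each call walks e2's node list from its head, so the cost grows with (bits set in e1) × (nodes in e2); with ranges like c0.c1024 from the commit message this runs on every labelled transition. The same node-wise lockstep walk that ebitmap_contains() uses would make it linear: advance whichever node has the smaller startbit and, when the startbits match, AND the map words into a new node of dst, which also avoids the per-bit ebitmap_set_bit() search. Unlike ebitmap_netlbl_export() just below, the function has no kerneldoc comment; `/* ebitmap_and - compute dst = e1 & e2. dst is reinitialised first (nodes it already owns are not freed), and on allocation failure dst may be partially built and must be destroyed by the caller. */` would document the ownership contract that callers such as mls_context_glblub() depend on. The two blank lines left after the closing brace trigger checkpatch's double-blank-line warning.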
> diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
> index 6aa7cf6a2197..9a23b81b8832 100644
> --- a/security/selinux/ss/ebitmap.h
> +++ b/security/selinux/ss/ebitmap.h
> @@ -124,6 +124,7 @@ static inline void ebitmap_node_clr_bit(struct ebitmap_node *n,
>
> int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
> int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
> +int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2);
> int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit);
> int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
> int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index 5e05f5b902d7..76c8ad014ac9 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -529,6 +529,8 @@ int mls_compute_sid(struct policydb *p,
> return mls_context_cpy_high(newcontext, tcontext);
> case DEFAULT_TARGET_LOW_HIGH:
> return mls_context_cpy(newcontext, tcontext);
> + case DEFAULT_GLBLUB:
> + return mls_context_glblub(newcontext, scontext, tcontext);
> }
>
> /* Fallthrough */
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index f8efaa9f647c..1b59f72effbb 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -160,6 +160,11 @@ static struct policydb_compat_info policydb_compat[] = {
> .sym_num = SYM_NUM,
> .ocon_num = OCON_NUM,
> },
> + {
> + .version = POLICYDB_VERSION_GLBLUB,
> + .sym_num = SYM_NUM,
> + .ocon_num = OCON_NUM,
> + },
> };
>
> static struct policydb_compat_info *policydb_lookup_compat(int version)
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index fcc6366b447f..0c41d0b4da96 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -69,6 +69,7 @@ struct class_datum {
> #define DEFAULT_TARGET_LOW 4
> #define DEFAULT_TARGET_HIGH 5
> #define DEFAULT_TARGET_LOW_HIGH 6
> +#define DEFAULT_GLBLUB 7
> char default_range;
> };
>
>