Re: [PATCH v3] default_range glblub implementation

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Joshua Brindle <joshua.brindle@crunchydata.com>, selinux@vger.kernel.org
Cc: paul@paul-moore.com
Subject: Re: [PATCH v3] default_range glblub implementation
Date: Fri, 30 Aug 2019 11:44:21 -0400	[thread overview]
Message-ID: <85c1aba4-39ce-ba21-bb8c-30aa71bab06c@tycho.nsa.gov> (raw)
In-Reply-To: <20190830153946.28159-1-joshua.brindle@crunchydata.com>

On 8/30/19 11:39 AM, Joshua Brindle wrote:
> A policy developer can now specify glblub as a default_range default and
> the computed transition will be the intersection of the mls range of
> the two contexts.
> 
> The glb (greatest lower bound) lub (lowest upper bound) of a range is calculated
> as the greater of the low sensitivities and the lower of the high sensitivities
> and the and of each category bitmap.
> 
> This can be used by MLS solution developers to compute a context that satisfies,
> for example, the range of a network interface and the range of a user logging in.
> 
> Some examples are:
> 
> User Permitted Range | Network Device Label | Computed Label
> ---------------------|----------------------|----------------
> S0-S1:c0.c12         | S0                   | S0
> S0-S1:c0.c12         | S0-S1:c0.c1024       | S0-S1:c0.c12
> S0-S4:c0.c512        | S1-S1:c0.c1024       | S1-S1:c0.c512
> S0-S16:c0,c2         | S4-S6:c0.c128        | S4-S6:c0,c2
> S0-S4                | S2-S6                | S2-S4
> S0-S4                | S5-S8                | INVALID
> S5-S8                | S0-S4                | INVALID
> S6:c0,c2-S7:c4,c5    | S0:c2,c4-S6:c5.c100  | S6:c2-S6:c5
> 
> Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> ---
>   security/selinux/include/security.h |  3 ++-
>   security/selinux/ss/context.h       | 28 ++++++++++++++++++++++++++++
>   security/selinux/ss/ebitmap.c       | 18 ++++++++++++++++++
>   security/selinux/ss/ebitmap.h       |  1 +
>   security/selinux/ss/mls.c           |  2 ++
>   security/selinux/ss/policydb.c      |  5 +++++
>   security/selinux/ss/policydb.h      |  1 +
>   7 files changed, 57 insertions(+), 1 deletion(-)
> 
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 111121281c47..ae840634e3c7 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -40,10 +40,11 @@
>   #define POLICYDB_VERSION_CONSTRAINT_NAMES	29
>   #define POLICYDB_VERSION_XPERMS_IOCTL	30
>   #define POLICYDB_VERSION_INFINIBAND		31
> +#define POLICYDB_VERSION_GLBLUB		32
>   
>   /* Range of policy versions we understand*/
>   #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
> -#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_INFINIBAND
> +#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_GLBLUB
>   
>   /* Mask for just the mount related flags */
>   #define SE_MNTMASK	0x0f
> diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
> index 2260c44a568c..ea2a56d910a5 100644
> --- a/security/selinux/ss/context.h
> +++ b/security/selinux/ss/context.h
> @@ -95,6 +95,34 @@ static inline int mls_context_cpy_high(struct context *dst, struct context *src)
>   	return rc;
>   }
>   
> +
> +static inline int mls_context_glblub(struct context *dst, struct context *c1, struct context *c2)
> +{
> +	struct mls_range *dr = &dst->range, *r1 = &c1->range, *r2 = &c2->range;
> +	int rc = 0;
> +
> +	if (r1->level[1].sens < r2->level[0].sens || r2->level[1].sens < r1->level[0].sens)
> +		/* These ranges have no common sensitivities */
> +		return -1;

I mentioned this on the prior patch, but perhaps you didn't read past 
the first comment: I think you need to return -EINVAL or some other 
-errno value here since this will get propagated up to the userspace 
caller as an errno if I am not mistaken.

> +
> +	/* Take the greatest of the low */
> +	dr->level[0].sens = max(r1->level[0].sens, r2->level[0].sens);
> +
> +	/* Take the least of the high */
> +	dr->level[1].sens = min(r1->level[1].sens, r2->level[1].sens);
> +
> +	rc = ebitmap_and(&dr->level[0].cat, &r1->level[0].cat, &r2->level[0].cat);
> +	if (rc)
> +		goto out;
> +
> +	rc = ebitmap_and(&dr->level[1].cat, &r1->level[1].cat, &r2->level[1].cat);
> +	if (rc)
> +		goto out;
> +
> +out:
> +	return rc;
> +}
> +
>   static inline int mls_context_cmp(struct context *c1, struct context *c2)
>   {
>   	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
> diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
> index 09929fc5ab47..c8c3663111e2 100644
> --- a/security/selinux/ss/ebitmap.c
> +++ b/security/selinux/ss/ebitmap.c
> @@ -77,6 +77,24 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)
>   	return 0;
>   }
>   
> +int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2)
> +{
> +	struct ebitmap_node *n;
> +	int bit, rc;
> +
> +	ebitmap_init(dst);
> +
> +	ebitmap_for_each_positive_bit(e1, n, bit) {
> +		if (ebitmap_get_bit(e2, bit)) {
> +			rc = ebitmap_set_bit(dst, bit, 1);
> +			if (rc < 0)
> +				return rc;
> +		}
> +	}
> +	return 0;
> +}
> +
> +
>   #ifdef CONFIG_NETLABEL
>   /**
>    * ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap
> diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
> index 6aa7cf6a2197..9a23b81b8832 100644
> --- a/security/selinux/ss/ebitmap.h
> +++ b/security/selinux/ss/ebitmap.h
> @@ -124,6 +124,7 @@ static inline void ebitmap_node_clr_bit(struct ebitmap_node *n,
>   
>   int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
>   int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
> +int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2);
>   int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit);
>   int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
>   int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index 5e05f5b902d7..76c8ad014ac9 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -529,6 +529,8 @@ int mls_compute_sid(struct policydb *p,
>   			return mls_context_cpy_high(newcontext, tcontext);
>   		case DEFAULT_TARGET_LOW_HIGH:
>   			return mls_context_cpy(newcontext, tcontext);
> +		case DEFAULT_GLBLUB:
> +			return mls_context_glblub(newcontext, scontext, tcontext);
>   		}
>   
>   		/* Fallthrough */
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index f8efaa9f647c..1b59f72effbb 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -160,6 +160,11 @@ static struct policydb_compat_info policydb_compat[] = {
>   		.sym_num	= SYM_NUM,
>   		.ocon_num	= OCON_NUM,
>   	},
> +	{
> +		.version	= POLICYDB_VERSION_GLBLUB,
> +		.sym_num	= SYM_NUM,
> +		.ocon_num	= OCON_NUM,
> +	},
>   };
>   
>   static struct policydb_compat_info *policydb_lookup_compat(int version)
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index fcc6366b447f..0c41d0b4da96 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -69,6 +69,7 @@ struct class_datum {
>   #define DEFAULT_TARGET_LOW     4
>   #define DEFAULT_TARGET_HIGH    5
>   #define DEFAULT_TARGET_LOW_HIGH        6
> +#define DEFAULT_GLBLUB		7
>   	char default_range;
>   };
>   
>