
[userspace,0/2] Support the 'self' keyword in type transitions

Message ID 20220422154307.968527-1-omosnace@redhat.com (mailing list archive)

Message

Ondrej Mosnacek April 22, 2022, 3:43 p.m. UTC
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

This series implements the self keyword support in the CIL & TE
languages and the module policydb format. The kernel policydb format
doesn't need any changes, as type transitions are always expanded in the
kernel policydb.

The patches have been tested using the following WIP beakerlib/tmt test:
https://src.fedoraproject.org/fork/omos/tests/selinux/blob/self-in-tt/f/libsepol/self-keyword-in-type-transitions

Ondrej Mosnacek (2):
  libsepol/cil: add support for self keyword in type transitions
  libsepol,checkpolicy: add support for self keyword in type transitions

 checkpolicy/policy_define.c                |  42 +++++-
 libsepol/cil/src/cil_binary.c              | 168 +++++++++++++++------
 libsepol/cil/src/cil_resolve_ast.c         |  25 ++-
 libsepol/include/sepol/policydb/policydb.h |   4 +-
 libsepol/src/expand.c                      |  69 ++++++---
 libsepol/src/link.c                        |   1 +
 libsepol/src/module_to_cil.c               |  30 ++--
 libsepol/src/policydb.c                    |  33 +++-
 libsepol/src/write.c                       |  19 ++-
 secilc/test/policy.cil                     |   3 +
 10 files changed, 293 insertions(+), 101 deletions(-)

Comments

Christian Göttsche April 23, 2022, 7:52 a.m. UTC | #1
On Fri, 22 Apr 2022 at 17:44, Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> With the addition of the anon_inode class in the kernel, 'self'
> transition rules became useful, but haven't been implemented.
>
> This series implements the self keyword support in the CIL & TE
> languages and the module policydb format. The kernel policydb format
> doesn't need any changes, as type transitions are always expanded in the
> kernel policydb.

Since the type transitions are expanded a single usage of

    type_transition domain self iouring_t:anon_inode "[io_uring]";

will result in thousands of filetrans entries in the binary policy.
When using a limited type-attribute

    type_transition iouring_domain self iouring_t:anon_inode "[io_uring]";

what is the benefit of implementing the interface kernel_iouring_domain() as

    typeattribute $1 iouring_domain;

instead of

    type_transition $1 $1 iouring_t:anon_inode "[io_uring]";

?

Wouldn't true policydb support be much more efficient (not only
regarding size but also (lookup) performance)?

> The patches have been tested using the following WIP beakerlib/tmt test:
> https://src.fedoraproject.org/fork/omos/tests/selinux/blob/self-in-tt/f/libsepol/self-keyword-in-type-transitions
>
> Ondrej Mosnacek (2):
>   libsepol/cil: add support for self keyword in type transitions
>   libsepol,checkpolicy: add support for self keyword in type transitions
>
>  checkpolicy/policy_define.c                |  42 +++++-
>  libsepol/cil/src/cil_binary.c              | 168 +++++++++++++++------
>  libsepol/cil/src/cil_resolve_ast.c         |  25 ++-
>  libsepol/include/sepol/policydb/policydb.h |   4 +-
>  libsepol/src/expand.c                      |  69 ++++++---
>  libsepol/src/link.c                        |   1 +
>  libsepol/src/module_to_cil.c               |  30 ++--
>  libsepol/src/policydb.c                    |  33 +++-
>  libsepol/src/write.c                       |  19 ++-
>  secilc/test/policy.cil                     |   3 +
>  10 files changed, 293 insertions(+), 101 deletions(-)
>
> --
> 2.35.1
>
Ondrej Mosnacek April 25, 2022, 11:29 a.m. UTC | #2
On Sat, Apr 23, 2022 at 9:52 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
> On Fri, 22 Apr 2022 at 17:44, Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > With the addition of the anon_inode class in the kernel, 'self'
> > transition rules became useful, but haven't been implemented.
> >
> > This series implements the self keyword support in the CIL & TE
> > languages and the module policydb format. The kernel policydb format
> > doesn't need any changes, as type transitions are always expanded in the
> > kernel policydb.
>
> Since the type transitions are expanded a single usage of
>
>     type_transition domain self iouring_t:anon_inode "[io_uring]";
>
> will result in thousands of filetrans entries in the binary policy.
> When using a limited type-attribute
>
>     type_transition iouring_domain self iouring_t:anon_inode "[io_uring]";
>
> what is the benefit of implementing the interface kernel_iouring_domain() as
>
>     typeattribute $1 iouring_domain;
>
> instead of
>
>     type_transition $1 $1 iouring_t:anon_inode "[io_uring]";
>
> ?

Indeed currently it will only make a cosmetic difference. Still, I
think it is more intuitive to write the self rule than to add a rule
into the interface. Plus, it would allow you to write today a policy
that is ready for policy handling optimizations in the future (e.g. by
implementing a better attribute support for type transitions).

> Wouldn't true policydb support be much more efficient (not only
> regarding size but also (lookup) performance)?

It would only be more space-efficient. The lookup performance would
actually get worse, since you would need to look up the cartesian
product of all attributes for source and target in case of attribute
support. The individual lookups would not become faster by making the
table smaller, since the hash table size already scales with the
number of rules (elements).

> > The patches have been tested using the following WIP beakerlib/tmt test:
> > https://src.fedoraproject.org/fork/omos/tests/selinux/blob/self-in-tt/f/libsepol/self-keyword-in-type-transitions
> >
> > Ondrej Mosnacek (2):
> >   libsepol/cil: add support for self keyword in type transitions
> >   libsepol,checkpolicy: add support for self keyword in type transitions
> >
> >  checkpolicy/policy_define.c                |  42 +++++-
> >  libsepol/cil/src/cil_binary.c              | 168 +++++++++++++++------
> >  libsepol/cil/src/cil_resolve_ast.c         |  25 ++-
> >  libsepol/include/sepol/policydb/policydb.h |   4 +-
> >  libsepol/src/expand.c                      |  69 ++++++---
> >  libsepol/src/link.c                        |   1 +
> >  libsepol/src/module_to_cil.c               |  30 ++--
> >  libsepol/src/policydb.c                    |  33 +++-
> >  libsepol/src/write.c                       |  19 ++-
> >  secilc/test/policy.cil                     |   3 +
> >  10 files changed, 293 insertions(+), 101 deletions(-)
> >
> > --
> > 2.35.1
> >
>

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
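The two points argued above (Christian's: a `self` rule over a broad attribute expands into one filetrans entry per member type, so a narrower attribute keeps the binary policy small; Ondrej's: an attribute-aware, unexpanded lookup would have to probe the cartesian product of the source's and target's attributes) can be made concrete with a small model. The following is an added illustration written for this page, not libsepol or checkpolicy code; the attribute names, member types and the `lookup_unexpanded` probing strategy are constructed placeholders chosen to mirror the thread's examples.

```python
"""Model of how a `self` type_transition expands into per-type filetrans
entries, and of what a hypothetical attribute-aware lookup would cost.
Constructed illustration for this thread; not libsepol code."""
from itertools import product

# Constructed sample policy: attribute -> member types (placeholder names).
ATTRIBUTES = {
    "domain": {"init_t", "sshd_t", "httpd_t", "cron_t", "user_t"},
    "iouring_domain": {"httpd_t", "user_t"},
}

# Rules as (source, target, class, object name, result type).
BROAD_SELF_RULE = [("domain", "self", "anon_inode", "[io_uring]", "iouring_t")]
NARROW_SELF_RULE = [("iouring_domain", "self", "anon_inode", "[io_uring]", "iouring_t")]
# A non-self rule with attributes on both sides, for comparison.
PAIR_RULE = [("domain", "domain", "anon_inode", "[io_uring]", "iouring_t")]


def members(name):
    """Resolve a rule operand to concrete types: an attribute's members,
    or the single type itself if the name is not an attribute."""
    return set(ATTRIBUTES.get(name, {name}))


def expand(rules):
    """Expand rules the way the kernel policydb stores them: one entry per
    (source type, target type, class, name). With `self` as the target,
    the target type is always the same as the source type."""
    table = {}
    for src, tgt, cls, name, result in rules:
        for s in members(src):
            tgts = {s} if tgt == "self" else members(tgt)
            for t in tgts:
                table[(s, t, cls, name)] = result
    return table


def lookup_expanded(table, src, tgt, cls, name):
    """Expanded-table lookup: a single hash probe regardless of attributes."""
    return table.get((src, tgt, cls, name))


def attrs_of(t):
    """Attributes that a concrete type belongs to."""
    return [a for a, ms in ATTRIBUTES.items() if t in ms]


def lookup_unexpanded(rules, src, tgt, cls, name):
    """Hypothetical attribute-aware lookup on unexpanded rules (not how the
    kernel works). Each candidate source key (the type or any of its
    attributes) must be tried against each candidate target key (the type,
    any of its attributes, and `self` when src == tgt). Returns the result
    and the number of hash probes performed."""
    index = {(r[0], r[1], r[2], r[3]): r[4] for r in rules}
    src_keys = [src] + attrs_of(src)
    tgt_keys = [tgt] + attrs_of(tgt) + (["self"] if src == tgt else [])
    probes = 0
    for s, t in product(src_keys, tgt_keys):
        probes += 1
        hit = index.get((s, t, cls, name))
        if hit is not None:
            return hit, probes
    return None, probes


def entry_counts():
    """Size of the expanded table for each sample rule set."""
    return {
        "broad_self": len(expand(BROAD_SELF_RULE)),
        "narrow_self": len(expand(NARROW_SELF_RULE)),
        "pair": len(expand(PAIR_RULE)),
    }


if __name__ == "__main__":
    print(entry_counts())
    table = expand(BROAD_SELF_RULE)
    print(lookup_expanded(table, "sshd_t", "sshd_t", "anon_inode", "[io_uring]"))
    print(lookup_unexpanded(BROAD_SELF_RULE, "httpd_t", "httpd_t", "anon_inode", "[io_uring]"))
```

With five types in `domain`, the broad `self` rule expands to five entries and the narrow one to two, while the attribute-to-attribute rule expands to twenty-five; the expanded lookup is always one probe, whereas the modelled attribute-aware lookup needs one probe per (source key, target key) pair before it finds the matching `(domain, self)` rule.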