
[RFC] xperm_rules: add two notes

Message ID 20200904161834.7677-1-cgzones@googlemail.com (mailing list archive)
State Accepted
Delegated to: Paul Moore
Series [RFC] xperm_rules: add two notes

Commit Message

Christian Göttsche Sept. 4, 2020, 4:18 p.m. UTC
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
I *hope* the note number 4 is actually correct!?

 src/xperm_rules.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Richard Haines Sept. 6, 2020, 1:59 p.m. UTC | #1
On Fri, 2020-09-04 at 18:18 +0200, Christian Göttsche wrote:
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> I *hope* the note number 4 is actually correct!?

It is correct as noted in [1]. checkpolicy allows 0x1234ABCD and just
uses ABCD whereas CIL only allows 0xABCD.

[1] https://lore.kernel.org/selinux/1495656704.3489.4.camel@tycho.nsa.gov/

> 
>  src/xperm_rules.md | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/src/xperm_rules.md b/src/xperm_rules.md
> index 7f8744b..1e1dfff 100644
> --- a/src/xperm_rules.md
> +++ b/src/xperm_rules.md
> @@ -1,6 +1,6 @@
>  # Extended Access Vector Rules
>  
> -There are three extended AV rules implemented from Policy version 30
> +There are four extended AV rules implemented from Policy version 30

Yes I think they all came under policy 30. It's just that
neverallowxperm was added a few months later.


>  with the target platform 'selinux' that expand the permission sets
> from
>  a fixed 32 bits to permission sets in 256 bit increments:
> *allowxperm*,
>  *dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
> @@ -127,6 +127,12 @@ Notes:
>      class/permission is required.
>  3.  To deny all ioctl requests for a specific source/target/class
> the
>      *xperm_set* should be set to *0* or *0x0*.
> +4.  From the 32-bit ioctl request parameter value only the least
> significant
> +    16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927*
> +    are the same extended permission.
> +5.  To decode a numeric ioctl request parameter into the
> corresponding
> +    textual identifier see
> +    <
> https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html
> >
>  
>  <!-- %CUTHERE% -->
>
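The truncation Richard describes, as an added example that is not part of the thread or of the SELinux notebook: a small Python decoder for the kernel's ioctl number layout that note 5 points to, the 16-bit extended permission value that note 4 describes, and a helper that mirrors the checkpolicy versus CIL difference from the review comment. The field widths are the default layout from asm-generic/ioctl.h (assumed here; a few architectures use different size/dir widths), and the `xperm_set_token` helper with its `policy_language` argument is this example's own naming, not a tool's API.

```python
"""Decode Linux ioctl request numbers and derive the SELinux extended permission.

Added example. The bit layout below is the default from asm-generic/ioctl.h
(assumption: some architectures use different size/dir field widths).
"""

# Field widths and shifts, default layout (assumption: asm-generic/ioctl.h).
_IOC_NRBITS = 8
_IOC_TYPEBITS = 8
_IOC_SIZEBITS = 14
_IOC_DIRBITS = 2

_IOC_NRSHIFT = 0
_IOC_TYPESHIFT = _IOC_NRSHIFT + _IOC_NRBITS          # 8
_IOC_SIZESHIFT = _IOC_TYPESHIFT + _IOC_TYPEBITS      # 16
_IOC_DIRSHIFT = _IOC_SIZESHIFT + _IOC_SIZEBITS       # 30

_IOC_NONE, _IOC_WRITE, _IOC_READ = 0, 1, 2
_DIR_NAMES = {0: "_IO", 1: "_IOW", 2: "_IOR", 3: "_IOWR"}


def encode_ioctl(direction, type_, nr, size):
    """Build a request number the way the _IOC() macro does (used for constructed input)."""
    return ((direction << _IOC_DIRSHIFT) | (type_ << _IOC_TYPESHIFT)
            | (nr << _IOC_NRSHIFT) | (size << _IOC_SIZESHIFT))


def decode_ioctl(cmd):
    """Split a 32-bit request number into its dir/type/nr/size fields."""
    cmd &= 0xFFFFFFFF
    return {
        "dir": _DIR_NAMES[(cmd >> _IOC_DIRSHIFT) & ((1 << _IOC_DIRBITS) - 1)],
        "type": (cmd >> _IOC_TYPESHIFT) & ((1 << _IOC_TYPEBITS) - 1),
        "nr": (cmd >> _IOC_NRSHIFT) & ((1 << _IOC_NRBITS) - 1),
        "size": (cmd >> _IOC_SIZESHIFT) & ((1 << _IOC_SIZEBITS) - 1),
    }


def selinux_xperm(cmd):
    """The extended permission value: only the low 16 bits (type and nr fields)
    are used, as note 4 of the patch states; size and direction play no part."""
    return cmd & 0xFFFF


def xperm_set_token(value, policy_language):
    """Render a numeric request value as an xperm_set token for the given language.

    'checkpolicy' accepts a wider value and silently uses the low 16 bits;
    'cil' accepts only a 16-bit value (both per the review comment above).
    The policy_language argument and this helper are this example's own naming.
    """
    if value < 0 or value > 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit ioctl request value: {value:#x}")
    if policy_language == "checkpolicy":
        return f"0x{selinux_xperm(value):04x}"
    if policy_language == "cil":
        if value > 0xFFFF:
            raise ValueError(
                f"CIL only accepts a 16-bit ioctl value; {value:#x} would have "
                f"to be written as 0x{selinux_xperm(value):04x}")
        return f"0x{value:04x}"
    raise ValueError(f"unknown policy language: {policy_language!r}")


if __name__ == "__main__":
    # Constructed sample: _IOR('T', 0x13, 8) encodes to 0x80085413.
    sample = encode_ioctl(_IOC_READ, ord("T"), 0x13, 8)
    print(f"{sample:#010x} -> {decode_ioctl(sample)} -> xperm 0x{selinux_xperm(sample):04x}")
    # The three spellings from note 4 collapse to one extended permission in checkpolicy.
    for v in (0x8927, 0x00008927, 0xABCD8927):
        print(f"{v:#010x} -> checkpolicy {xperm_set_token(v, 'checkpolicy')}")
```

Running the script shows that the direction and size fields of a full request number are discarded before the value is matched against an *allowxperm* rule, which is why a 32-bit value and its low 16 bits name the same extended permission in checkpolicy, and why the same value has to be written in its 16-bit form to compile as CIL.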
Paul Moore Sept. 18, 2020, 2:28 p.m. UTC | #2
On Fri, Sep 4, 2020 at 12:18 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> I *hope* the note number 4 is actually correct!?
>
>  src/xperm_rules.md | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)

Hi Christian, I'm sorry for the delay but this fix is now merged.  I
did have to merge it by hand so please double check to make sure I
didn't mess it up (it looked good to me in all three formats).

> diff --git a/src/xperm_rules.md b/src/xperm_rules.md
> index 7f8744b..1e1dfff 100644
> --- a/src/xperm_rules.md
> +++ b/src/xperm_rules.md
> @@ -1,6 +1,6 @@
>  # Extended Access Vector Rules
>
> -There are three extended AV rules implemented from Policy version 30
> +There are four extended AV rules implemented from Policy version 30
>  with the target platform 'selinux' that expand the permission sets from
>  a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
>  *dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
> @@ -127,6 +127,12 @@ Notes:
>      class/permission is required.
>  3.  To deny all ioctl requests for a specific source/target/class the
>      *xperm_set* should be set to *0* or *0x0*.
> +4.  From the 32-bit ioctl request parameter value only the least significant
> +    16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927*
> +    are the same extended permission.
> +5.  To decode a numeric ioctl request parameter into the corresponding
> +    textual identifier see
> +    <https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html>
>
>  <!-- %CUTHERE% -->
>
> --
> 2.28.0

Patch

diff --git a/src/xperm_rules.md b/src/xperm_rules.md
index 7f8744b..1e1dfff 100644
--- a/src/xperm_rules.md
+++ b/src/xperm_rules.md
@@ -1,6 +1,6 @@ 
 # Extended Access Vector Rules
 
-There are three extended AV rules implemented from Policy version 30
+There are four extended AV rules implemented from Policy version 30
 with the target platform 'selinux' that expand the permission sets from
 a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
 *dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
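Review bot: the commit message gives no rationale for changing "three" to "four"; the sentence already enumerates four rules (*allowxperm*, *dontauditxperm*, *auditallowxperm* and *neverallowxperm*), so the count contradicted its own list. Worth saying so in the commit message, together with the point raised in review that all four rules belong to policy version 30 even though *neverallowxperm* was added to the tools a few months later, so a reader does not assume a later policy version introduced the fourth rule.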
@@ -127,6 +127,12 @@  Notes:
     class/permission is required.
 3.  To deny all ioctl requests for a specific source/target/class the
     *xperm_set* should be set to *0* or *0x0*.
+4.  From the 32-bit ioctl request parameter value only the least significant
+    16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927*
+    are the same extended permission.
+5.  To decode a numeric ioctl request parameter into the corresponding
+    textual identifier see
+    <https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html>
 
 <!-- %CUTHERE% -->
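Review bot: note 4 describes checkpolicy behaviour only; as confirmed in review, checkpolicy accepts 0x1234ABCD and uses ABCD, whereas CIL accepts only 0xABCD. As written the note invites a reader to carry a 32-bit value such as *0xabcd8927* into a CIL rule, where it will not compile. Suggest qualifying the last sentence, e.g. "are the same extended permission in checkpolicy; CIL only accepts the 16-bit form *0x8927*." Note 5 would also read better with a short statement of what the linked document is for, e.g. that the type and nr fields it decodes are the 16 bits note 4 refers to, so the two notes tie together.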