
[RFC,1/3] libsepol: export initial SIDs

Message ID 20220607174145.51330-1-cgzones@googlemail.com (mailing list archive)
State Rejected, archived

Commit Message

Christian Göttsche June 7, 2022, 5:41 p.m. UTC
Export the initial SIDs so that they can be used elsewhere, for example in checkpolicy.

Add helper functions for name lookup.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/include/sepol/policydb/initialsids.h | 89 +++++++++++++++++++
 libsepol/include/sepol/policydb/policydb.h    |  2 +-
 libsepol/src/kernel_to_cil.c                  |  1 +
 libsepol/src/kernel_to_common.h               | 53 -----------
 libsepol/src/kernel_to_conf.c                 |  1 +
 libsepol/src/module_to_cil.c                  |  1 +
 6 files changed, 93 insertions(+), 54 deletions(-)
 create mode 100644 libsepol/include/sepol/policydb/initialsids.h

Comments

James Carter June 9, 2022, 5:25 p.m. UTC | #1
On Tue, Jun 7, 2022 at 3:02 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Export initial SIDs, so they can be used for example in checkpolicy.
>

We don't want to export the initial SID names. See commit 8677ce5e
"libsepol,checkpolicy: support omitting unused initial sid contexts"
and https://github.com/SELinuxProject/selinux-kernel/issues/12 for
more information. Eventually, we want to go to a dynamic discovery of
initial SIDs. The initial SID names are in kernel_to_common.h as a
hack because the name is not stored in the binary policy, but we don't
want to encourage more use.

Thanks,
Jim

> Add helper functions for name lookup.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libsepol/include/sepol/policydb/initialsids.h | 89 +++++++++++++++++++
>  libsepol/include/sepol/policydb/policydb.h    |  2 +-
>  libsepol/src/kernel_to_cil.c                  |  1 +
>  libsepol/src/kernel_to_common.h               | 53 -----------
>  libsepol/src/kernel_to_conf.c                 |  1 +
>  libsepol/src/module_to_cil.c                  |  1 +
>  6 files changed, 93 insertions(+), 54 deletions(-)
>  create mode 100644 libsepol/include/sepol/policydb/initialsids.h
>
> diff --git a/libsepol/include/sepol/policydb/initialsids.h b/libsepol/include/sepol/policydb/initialsids.h
> new file mode 100644
> index 00000000..7b2fe021
> --- /dev/null
> +++ b/libsepol/include/sepol/policydb/initialsids.h
> @@ -0,0 +1,89 @@
> +#ifndef _SEPOL_POLICYDB_INITIALSIDS_H_
> +#define _SEPOL_POLICYDB_INITIALSIDS_H_
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +// initial sid names aren't actually stored in the pp files, need to a have
> +// a mapping, taken from the linux kernel
> +static const char * const selinux_sid_to_str[] = {
> +       "null",
> +       "kernel",
> +       "security",
> +       "unlabeled",
> +       "fs",
> +       "file",
> +       "file_labels",
> +       "init",
> +       "any_socket",
> +       "port",
> +       "netif",
> +       "netmsg",
> +       "node",
> +       "igmp_packet",
> +       "icmp_socket",
> +       "tcp_socket",
> +       "sysctl_modprobe",
> +       "sysctl",
> +       "sysctl_fs",
> +       "sysctl_kernel",
> +       "sysctl_net",
> +       "sysctl_net_unix",
> +       "sysctl_vm",
> +       "sysctl_dev",
> +       "kmod",
> +       "policy",
> +       "scmp_packet",
> +       "devnull",
> +};
> +
> +#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
> +
> +static inline unsigned int selinux_str_to_sid(const char *name)
> +{
> +       unsigned i;
> +
> +       for (i = 1; i < SELINUX_SID_SZ; i++) {
> +               if (strcmp(name, selinux_sid_to_str[i]) == 0)
> +                       return i;
> +       }
> +
> +       return 0;
> +}
> +
> +static const char * const xen_sid_to_str[] = {
> +       "null",
> +       "xen",
> +       "dom0",
> +       "domio",
> +       "domxen",
> +       "unlabeled",
> +       "security",
> +       "ioport",
> +       "iomem",
> +       "irq",
> +       "device",
> +       "domU",
> +       "domDM",
> +};
> +
> +#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
> +
> +static inline unsigned int xen_str_to_sid(const char *name)
> +{
> +       unsigned i;
> +
> +       for (i = 1; i < XEN_SID_SZ; i++) {
> +               if (strcmp(name, xen_sid_to_str[i]) == 0)
> +                       return i;
> +       }
> +
> +       return 0;
> +}
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif                         /* _SEPOL_POLICYDB_INITIALSIDS_H_ */
> diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
> index de0068a6..2ce4da5d 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -340,7 +340,7 @@ typedef struct range_trans_rule {
>   */
>  typedef struct ocontext {
>         union {
> -               char *name;     /* name of initial SID, fs, netif, fstype, path */
> +               char *name;     /* name of initial SID (not saved in binary policy), fs, netif, fstype, path */
>                 struct {
>                         uint8_t protocol;
>                         uint16_t low_port;
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index 9128ac55..42251684 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -20,6 +20,7 @@
>  #include <sepol/policydb/avtab.h>
>  #include <sepol/policydb/conditional.h>
>  #include <sepol/policydb/hashtab.h>
> +#include <sepol/policydb/initialsids.h>
>  #include <sepol/policydb/polcaps.h>
>  #include <sepol/policydb/policydb.h>
>  #include <sepol/policydb/services.h>
> diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
> index 159c4289..5e8482bf 100644
> --- a/libsepol/src/kernel_to_common.h
> +++ b/libsepol/src/kernel_to_common.h
> @@ -10,59 +10,6 @@
>  #define DEFAULT_LEVEL "systemlow"
>  #define DEFAULT_OBJECT "object_r"
>
> -// initial sid names aren't actually stored in the pp files, need to a have
> -// a mapping, taken from the linux kernel
> -static const char * const selinux_sid_to_str[] = {
> -       "null",
> -       "kernel",
> -       "security",
> -       "unlabeled",
> -       "fs",
> -       "file",
> -       "file_labels",
> -       "init",
> -       "any_socket",
> -       "port",
> -       "netif",
> -       "netmsg",
> -       "node",
> -       "igmp_packet",
> -       "icmp_socket",
> -       "tcp_socket",
> -       "sysctl_modprobe",
> -       "sysctl",
> -       "sysctl_fs",
> -       "sysctl_kernel",
> -       "sysctl_net",
> -       "sysctl_net_unix",
> -       "sysctl_vm",
> -       "sysctl_dev",
> -       "kmod",
> -       "policy",
> -       "scmp_packet",
> -       "devnull",
> -};
> -
> -#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
> -
> -static const char * const xen_sid_to_str[] = {
> -       "null",
> -       "xen",
> -       "dom0",
> -       "domio",
> -       "domxen",
> -       "unlabeled",
> -       "security",
> -       "ioport",
> -       "iomem",
> -       "irq",
> -       "device",
> -       "domU",
> -       "domDM",
> -};
> -
> -#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
> -
>  static const uint32_t avtab_flavors[] = {
>         AVTAB_ALLOWED,
>         AVTAB_AUDITALLOW,
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index 63dffd9b..51a8270d 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -19,6 +19,7 @@
>  #include <sepol/policydb/avtab.h>
>  #include <sepol/policydb/conditional.h>
>  #include <sepol/policydb/hashtab.h>
> +#include <sepol/policydb/initialsids.h>
>  #include <sepol/policydb/polcaps.h>
>  #include <sepol/policydb/policydb.h>
>  #include <sepol/policydb/services.h>
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index b35bf055..1945b369 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -47,6 +47,7 @@
>  #include <sepol/module_to_cil.h>
>  #include <sepol/policydb/conditional.h>
>  #include <sepol/policydb/hashtab.h>
> +#include <sepol/policydb/initialsids.h>
>  #include <sepol/policydb/polcaps.h>
>  #include <sepol/policydb/policydb.h>
>  #include <sepol/policydb/services.h>
> --
> 2.36.1
>

Patch

diff --git a/libsepol/include/sepol/policydb/initialsids.h b/libsepol/include/sepol/policydb/initialsids.h
new file mode 100644
index 00000000..7b2fe021
--- /dev/null
+++ b/libsepol/include/sepol/policydb/initialsids.h
@@ -0,0 +1,89 @@ 
+#ifndef _SEPOL_POLICYDB_INITIALSIDS_H_
+#define _SEPOL_POLICYDB_INITIALSIDS_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+// initial sid names aren't actually stored in the pp files, need to a have
+// a mapping, taken from the linux kernel
+static const char * const selinux_sid_to_str[] = {
+	"null",
+	"kernel",
+	"security",
+	"unlabeled",
+	"fs",
+	"file",
+	"file_labels",
+	"init",
+	"any_socket",
+	"port",
+	"netif",
+	"netmsg",
+	"node",
+	"igmp_packet",
+	"icmp_socket",
+	"tcp_socket",
+	"sysctl_modprobe",
+	"sysctl",
+	"sysctl_fs",
+	"sysctl_kernel",
+	"sysctl_net",
+	"sysctl_net_unix",
+	"sysctl_vm",
+	"sysctl_dev",
+	"kmod",
+	"policy",
+	"scmp_packet",
+	"devnull",
+};
+
+#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
+
+static inline unsigned int selinux_str_to_sid(const char *name)
+{
+	unsigned i;
+
+	for (i = 1; i < SELINUX_SID_SZ; i++) {
+		if (strcmp(name, selinux_sid_to_str[i]) == 0)
+			return i;
+	}
+
+	return 0;
+}
+
+static const char * const xen_sid_to_str[] = {
+	"null",
+	"xen",
+	"dom0",
+	"domio",
+	"domxen",
+	"unlabeled",
+	"security",
+	"ioport",
+	"iomem",
+	"irq",
+	"device",
+	"domU",
+	"domDM",
+};
+
+#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
+
+static inline unsigned int xen_str_to_sid(const char *name)
+{
+	unsigned i;
+
+	for (i = 1; i < XEN_SID_SZ; i++) {
+		if (strcmp(name, xen_sid_to_str[i]) == 0)
+			return i;
+	}
+
+	return 0;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif				/* _SEPOL_POLICYDB_INITIALSIDS_H_ */
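Review bot: selinux_str_to_sid() and xen_str_to_sid() in the new header call strcmp() but the header never includes <string.h>, so as an installed public header it only compiles when the including file happens to have pulled that header in earlier; it should be self-contained with `#include <string.h>` right after the include guard. Both lookups start at index 1 and return 0 when nothing matches, which is also the index of the "null" entry, so a caller cannot tell an unknown name from the null SID; each function deserves a contract comment such as `/* Returns the index of name in the table, or 0 if name is not a known initial SID ("null" itself is never matched). */`. A NULL name reaches strcmp() and is undefined behaviour, so the contract should state that name must be non-NULL or the functions should return 0 for it. Note also that placing static arrays and static inline functions in a public header gives every including translation unit its own copy of the tables, which is worth a comment if the export is kept.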
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index de0068a6..2ce4da5d 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -340,7 +340,7 @@  typedef struct range_trans_rule {
  */
 typedef struct ocontext {
 	union {
-		char *name;	/* name of initial SID, fs, netif, fstype, path */
+		char *name;	/* name of initial SID (not saved in binary policy), fs, netif, fstype, path */
 		struct {
 			uint8_t protocol;
 			uint16_t low_port;
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 9128ac55..42251684 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -20,6 +20,7 @@ 
 #include <sepol/policydb/avtab.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/initialsids.h>
 #include <sepol/policydb/polcaps.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 159c4289..5e8482bf 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -10,59 +10,6 @@ 
 #define DEFAULT_LEVEL "systemlow"
 #define DEFAULT_OBJECT "object_r"
 
-// initial sid names aren't actually stored in the pp files, need to a have
-// a mapping, taken from the linux kernel
-static const char * const selinux_sid_to_str[] = {
-	"null",
-	"kernel",
-	"security",
-	"unlabeled",
-	"fs",
-	"file",
-	"file_labels",
-	"init",
-	"any_socket",
-	"port",
-	"netif",
-	"netmsg",
-	"node",
-	"igmp_packet",
-	"icmp_socket",
-	"tcp_socket",
-	"sysctl_modprobe",
-	"sysctl",
-	"sysctl_fs",
-	"sysctl_kernel",
-	"sysctl_net",
-	"sysctl_net_unix",
-	"sysctl_vm",
-	"sysctl_dev",
-	"kmod",
-	"policy",
-	"scmp_packet",
-	"devnull",
-};
-
-#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
-
-static const char * const xen_sid_to_str[] = {
-	"null",
-	"xen",
-	"dom0",
-	"domio",
-	"domxen",
-	"unlabeled",
-	"security",
-	"ioport",
-	"iomem",
-	"irq",
-	"device",
-	"domU",
-	"domDM",
-};
-
-#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
-
 static const uint32_t avtab_flavors[] = {
 	AVTAB_ALLOWED,
 	AVTAB_AUDITALLOW,
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 63dffd9b..51a8270d 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -19,6 +19,7 @@ 
 #include <sepol/policydb/avtab.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/initialsids.h>
 #include <sepol/policydb/polcaps.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index b35bf055..1945b369 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -47,6 +47,7 @@ 
 #include <sepol/module_to_cil.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/initialsids.h>
 #include <sepol/policydb/polcaps.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>