Message ID | 20220607174145.51330-3-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Rejected, archived |
Series | [RFC,1/3] libsepol: export initial SIDs | expand |
On Tue, Jun 7, 2022 at 3:01 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > The kernel removed [1] some unused initial SIDs. Also libsepol got > support for omitting unused ones [2]. > > Currently in traditional policy all initial SIDs have to be defined and > also the order of declarations has to follow the order of the libsepol > internal representation. Support omitting unused initial SIDs in the > traditional policy and do not require a specific order of declarations. > I think that your goal is good, but see below. > [1]: https://github.com/SELinuxProject/selinux-kernel/commit/e3e0b582c321aefd72db0e7083a0adfe285e96b5 > [2]: https://github.com/SELinuxProject/selinux/commit/8677ce5e8f592950ae6f14cea1b68a20ddc1ac25 > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > checkpolicy/policy_define.c | 39 ++++++++++++++++++++++++------------- > 1 file changed, 26 insertions(+), 13 deletions(-) > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > index 8bf36859..8f55650d 100644 > --- a/checkpolicy/policy_define.c > +++ b/checkpolicy/policy_define.c > @@ -54,6 +54,7 @@ > #include <sepol/policydb/services.h> > #include <sepol/policydb/conditional.h> > #include <sepol/policydb/hierarchy.h> > +#include <sepol/policydb/initialsids.h> > #include <sepol/policydb/polcaps.h> > #include "queue.h" > #include "checkpolicy.h" > @@ -287,6 +288,7 @@ int define_polcap(void) > int define_initial_sid(void) > { > char *id = 0; > + sepol_security_id_t sid; > ocontext_t *newc = 0, *c, *head; > > if (pass == 2) { 
> @@ -300,28 +302,30 @@ int define_initial_sid(void) > yyerror("no sid name for SID definition?"); > return -1; > } > - newc = (ocontext_t *) malloc(sizeof(ocontext_t)); > - if (!newc) { > - yyerror("out of memory"); > + > + sid = selinux_str_to_sid(id); > + if (sid == 0) { > + yyerror2("invalid initial SID %s", id); We can't give an error if the name is not found. In your reference [2], it is stated that unused SIDs can be renamed and it even suggests using an "unamed_" prefix. I am not sure what to suggest here. In the past, one could theoretically use any name, because all that mattered was the ordering. I doubt if there are any policies that use any other names, but I don't know. Thanks, Jim > goto bad; > } > - memset(newc, 0, sizeof(ocontext_t)); > - newc->u.name = id; > - context_init(&newc->context[0]); > - head = policydbp->ocontexts[OCON_ISID]; > > + head = policydbp->ocontexts[OCON_ISID]; > for (c = head; c; c = c->next) { > - if (!strcmp(newc->u.name, c->u.name)) { > + if (sid == c->sid[0]) { > yyerror2("duplicate initial SID %s", id); > goto bad; > } > } > > - if (head) { > - newc->sid[0] = head->sid[0] + 1; > - } else { > - newc->sid[0] = 1; > + newc = (ocontext_t *) malloc(sizeof(ocontext_t)); > + if (!newc) { > + yyerror("out of memory"); > + goto bad; > } > + memset(newc, 0, sizeof(ocontext_t)); > + newc->u.name = id; > + context_init(&newc->context[0]); > + newc->sid[0] = sid; > newc->next = head; > policydbp->ocontexts[OCON_ISID] = newc; > > @@ -4567,6 +4571,7 @@ static int parse_security_context(context_struct_t * c) > int define_initial_sid_context(void) > { > char *id; > + sepol_security_id_t sid; > ocontext_t *c, *head; > > if (pass == 1) { 
> @@ -4581,9 +4586,17 @@ int define_initial_sid_context(void) > yyerror("no sid name for SID context definition?"); > return -1; > } > + > + sid = selinux_str_to_sid(id); > + if (sid == 0) { > + yyerror2("invalid initial SID %s", id); > + free(id); > + return -1; > + } > + > head = policydbp->ocontexts[OCON_ISID]; > for (c = head; c; c = c->next) { > - if (!strcmp(id, c->u.name)) > + if (sid == c->sid[0]) > break; > } > > -- > 2.36.1 >
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 8bf36859..8f55650d 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -54,6 +54,7 @@
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/initialsids.h>
 #include <sepol/policydb/polcaps.h>
 #include "queue.h"
 #include "checkpolicy.h"
@@ -287,6 +288,7 @@ int define_polcap(void)
 int define_initial_sid(void)
 {
 char *id = 0;
+ sepol_security_id_t sid;
 ocontext_t *newc = 0, *c, *head;
 
 if (pass == 2) {
@@ -300,28 +302,30 @@ int define_initial_sid(void)
 yyerror("no sid name for SID definition?");
 return -1;
 }
- newc = (ocontext_t *) malloc(sizeof(ocontext_t));
- if (!newc) {
- yyerror("out of memory");
+
+ sid = selinux_str_to_sid(id);
+ if (sid == 0) {
+ yyerror2("invalid initial SID %s", id);
 goto bad;
 }
- memset(newc, 0, sizeof(ocontext_t));
- newc->u.name = id;
- context_init(&newc->context[0]);
- head = policydbp->ocontexts[OCON_ISID];
 
+ head = policydbp->ocontexts[OCON_ISID];
 for (c = head; c; c = c->next) {
- if (!strcmp(newc->u.name, c->u.name)) {
+ if (sid == c->sid[0]) {
 yyerror2("duplicate initial SID %s", id);
 goto bad;
 }
 }
 
- if (head) {
- newc->sid[0] = head->sid[0] + 1;
- } else {
- newc->sid[0] = 1;
+ newc = (ocontext_t *) malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ goto bad;
 }
+ memset(newc, 0, sizeof(ocontext_t));
+ newc->u.name = id;
+ context_init(&newc->context[0]);
+ newc->sid[0] = sid;
 newc->next = head;
 policydbp->ocontexts[OCON_ISID] = newc;
 
@@ -4567,6 +4571,7 @@ static int parse_security_context(context_struct_t * c)
 int define_initial_sid_context(void)
 {
 char *id;
+ sepol_security_id_t sid;
 ocontext_t *c, *head;
 
 if (pass == 1) {
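Review bot: The relocated allocation in define_initial_sid still casts malloc() and follows it with a separate memset(); since those lines are new on the + side anyway, the idiomatic form is a single `newc = calloc(1, sizeof *newc);`, which drops both the cast and the memset line. A short comment above the `selinux_str_to_sid` lookup would also help readers, because this hunk changes what an initial SID number means — it is now derived from the declared name rather than from declaration position, which is what retires the old `head->sid[0] + 1` scheme and its ordering requirement; something like `/* Initial SIDs are identified by name, so declaration order no longer matters. */`. The `bad:` cleanup label the new early error path jumps to lies outside the hunk, so I could not confirm it copes with `newc` still being NULL there, although the declaration hunk above initializes `newc = 0`, which suggests it does.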
@@ -4581,9 +4586,17 @@ int define_initial_sid_context(void)
 yyerror("no sid name for SID context definition?");
 return -1;
 }
+
+ sid = selinux_str_to_sid(id);
+ if (sid == 0) {
+ yyerror2("invalid initial SID %s", id);
+ free(id);
+ return -1;
+ }
+
 head = policydbp->ocontexts[OCON_ISID];
 for (c = head; c; c = c->next) {
- if (!strcmp(id, c->u.name))
+ if (sid == c->sid[0])
 break;
 }
The kernel removed [1] some unused initial SIDs. Also libsepol got support for omitting unused ones [2]. Currently in traditional policy all initial SIDs have to be defined and also the order of declarations has to follow the order of the libsepol internal representation. Support omitting unused initial SIDs in the traditional policy and do not require a specific order of declarations. [1]: https://github.com/SELinuxProject/selinux-kernel/commit/e3e0b582c321aefd72db0e7083a0adfe285e96b5 [2]: https://github.com/SELinuxProject/selinux/commit/8677ce5e8f592950ae6f14cea1b68a20ddc1ac25 Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- checkpolicy/policy_define.c | 39 ++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 13 deletions(-)