From patchwork Wed Oct 27 18:12:07 2021
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 12587695
From: James Carter To: selinux@vger.kernel.org Cc: James Carter Subject: [PATCH 1/4] libsepol: Add support for file types in writing out policy.conf Date: Wed, 27 Oct 2021 14:12:07 -0400 Message-Id: <20211027181210.1019597-2-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211027181210.1019597-1-jwcart2@gmail.com> References: <20211027181210.1019597-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Although rarely used, genfscon rules support the specification of a file type just like the rules in a file context file. The file type is used to make the genfscon rule apply only for a specific security class. Currently, when writing out a policy.conf file from a kernel policy, it is assumed that every genfscon rule applies to all security classes and no file type will be added to the genfscon rule. Write out the appropriate file type if the genfscon rule is only for a specific security class (file, dir, blk_file, chr_file, fifo_file, lnk_file, or sock_file). Signed-off-by: James Carter --- libsepol/src/kernel_to_conf.c | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index eb72e4ac..aa963ca5 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -2513,6 +2513,8 @@ static int write_genfscon_rules_to_conf(FILE *out, struct policydb *pdb) struct ocontext *ocon; struct strs *strs; char *fstype, *name, *ctx; + uint32_t sclass; + const char *file_type; int rc; rc = strs_init(&strs, 32); 
@@ -2525,14 +2527,43 @@ static int write_genfscon_rules_to_conf(FILE *out, struct policydb *pdb) fstype = genfs->fstype; name = ocon->u.name; + sclass = ocon->v.sclass; + file_type = NULL; + if (sclass) { + const char *class_name = pdb->p_class_val_to_name[sclass-1]; + if (strcmp(class_name, "blk_file") == 0) { + file_type = "-b"; + } else if (strcmp(class_name, "chr_file") == 0) { + file_type = "-c"; + } else if (strcmp(class_name, "dir") == 0) { + file_type = "-d"; + } else if (strcmp(class_name, "fifo_file") == 0) { + file_type = "-p"; + } else if (strcmp(class_name, "lnk_file") == 0) { + file_type = "-l"; + } else if (strcmp(class_name, "sock_file") == 0) { + file_type = "-s"; + } else if (strcmp(class_name, "file") == 0) { + file_type = "--"; + } else { + rc = -1; + goto exit; + } + } + ctx = context_to_str(pdb, &ocon->context[0]); if (!ctx) { rc = -1; goto exit; } - rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s", 3, - fstype, name, ctx); + if (file_type) { + rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s %s", 4, + fstype, name, file_type, ctx); + } else { + rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s", 3, + fstype, name, ctx); + } free(ctx); if (rc != 0) { goto exit; From patchwork Wed Oct 27 18:12:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12587697 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B5F3CC433FE for ; Wed, 27 Oct 2021 18:12:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 949706109F for ; Wed, 27 Oct 2021 18:12:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238518AbhJ0SPR (ORCPT ); Wed, 27 Oct 2021 14:15:17 -0400 
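Review bot: in the write_genfscon_rules_to_conf hunk, the final else branch (`rc = -1; goto exit;`) fails without saying which class was unexpected, so a policy whose genfscon ocontext carries any class outside the seven listed makes the whole policy.conf conversion abort with no diagnostic; log `class_name` together with `fstype` and `name` before bailing. Also, `pdb->p_class_val_to_name[sclass-1]` is indexed straight from the ocontext's `v.sclass`; unless policydb validation already guarantees `sclass <= pdb->p_classes.nprim` for genfs ocontexts, a bounds check here keeps a malformed binary policy from reading past the array.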
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 2/4] libsepol/cil: Allow optional file type in genfscon rules
Date: Wed, 27 Oct 2021 14:12:08 -0400
Message-Id: <20211027181210.1019597-3-jwcart2@gmail.com>
In-Reply-To: <20211027181210.1019597-1-jwcart2@gmail.com>
References: <20211027181210.1019597-1-jwcart2@gmail.com>

The optional specification of a file type for a genfscon rule to make it
apply only to a specific security class is allowed by checkpolicy and
checkmodule and should be allowed for CIL policies as well.

Allow an optional file type to be specified for a genfscon rule.

The new syntax:
  (genfscon FSNAME PATH [FILE_TYPE] CONTEXT)

  FSNAME    - The name of the supported filesystem
  PATH      - If FSNAME is proc then this is the partial path, otherwise
              this must be "/".
  FILE_TYPE - A single keyword representing the file type.
                file type   security class
                file        file
                dir         dir
                char        chr_file
                block       blk_file
                socket      sock_file
                pipe        fifo_file
                symlink     lnk_file
                any         Same as not specifying a file type
  CONTEXT   - Either a previously declared security context identifier or
              an anonymous security context.

Signed-off-by: James Carter
---
 libsepol/cil/src/cil_binary.c    | 39 +++++++++++++++++++++++++++++
 libsepol/cil/src/cil_build_ast.c | 43 +++++++++++++++++++++++++++++---
 libsepol/cil/src/cil_internal.h  |  1 +
 3 files changed, 79 insertions(+), 4 deletions(-)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index d8aa495a..b6ed750f 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c @@ -3462,6 +3462,45 @@ int cil_genfscon_to_policydb(policydb_t *pdb, struct cil_sort *genfscons) new_ocon->u.name = cil_strdup(cil_genfscon->path_str); + if (cil_genfscon->file_type && cil_genfscon->file_type != CIL_FILECON_ANY) { + class_datum_t *class_datum; + const char *class_name; + switch (cil_genfscon->file_type) { + case CIL_FILECON_FILE: + class_name = "file"; + break; + case CIL_FILECON_DIR: + class_name = "dir"; + break; + case CIL_FILECON_CHAR: + class_name = "chr_file"; + break; + case CIL_FILECON_BLOCK: + class_name = "blk_file"; + break; + case CIL_FILECON_SOCKET: + class_name = "sock_file"; + break; + case CIL_FILECON_PIPE: + class_name = "fifo_file"; + break; + case CIL_FILECON_SYMLINK: + class_name = "lnk_file"; + break; + default: + fprintf(stderr, "What is going on?\n"); + rc = SEPOL_ERR; + goto exit; + } + class_datum = hashtab_search(pdb->p_classes.table, class_name); + if (!class_datum) { + fprintf(stderr, "What is going on?\n"); + rc = SEPOL_ERR; + goto exit; + } + new_ocon->v.sclass = class_datum->s.value; + } + rc = __cil_context_to_sepol_context(pdb, cil_genfscon->context, &new_ocon->context[0]); if (rc != SEPOL_OK) { goto exit; diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 9c34be23..a7d973df 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -4572,9 +4572,11 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str CIL_SYN_STRING, CIL_SYN_STRING, CIL_SYN_STRING | CIL_SYN_LIST, + CIL_SYN_STRING | CIL_SYN_LIST | CIL_SYN_END, CIL_SYN_END }; size_t syntax_len = sizeof(syntax)/sizeof(*syntax); + struct cil_tree_node *context_node; int rc = SEPOL_ERR; struct cil_genfscon *genfscon = NULL; 
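Review bot: the two `fprintf(stderr, "What is going on?\n")` messages in the cil_genfscon_to_policydb hunk give the user nothing to act on; the default case should name the unexpected `file_type` value and the `hashtab_search` failure should name the class it could not find (for example "Class %s not found for genfscon file type"), and both should go through cil_log(CIL_ERR, ...) as the cil_build_ast.c hunk of this same patch does. The hashtab_search failure is a realistic input error rather than an internal one: a policy that uses `block` in a genfscon rule but never declares the `blk_file` class lands there.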
@@ -4592,15 +4594,48 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str genfscon->fs_str = parse_current->next->data; genfscon->path_str = parse_current->next->next->data; - if (parse_current->next->next->next->cl_head == NULL ) { - genfscon->context_str = parse_current->next->next->next->data; + if (parse_current->next->next->next->next) { + /* (genfscon ... */ + char *file_type = parse_current->next->next->next->data; + if (file_type == CIL_KEY_FILE) { + genfscon->file_type = CIL_FILECON_FILE; + } else if (file_type == CIL_KEY_DIR) { + genfscon->file_type = CIL_FILECON_DIR; + } else if (file_type == CIL_KEY_CHAR) { + genfscon->file_type = CIL_FILECON_CHAR; + } else if (file_type == CIL_KEY_BLOCK) { + genfscon->file_type = CIL_FILECON_BLOCK; + } else if (file_type == CIL_KEY_SOCKET) { + genfscon->file_type = CIL_FILECON_SOCKET; + } else if (file_type == CIL_KEY_PIPE) { + genfscon->file_type = CIL_FILECON_PIPE; + } else if (file_type == CIL_KEY_SYMLINK) { + genfscon->file_type = CIL_FILECON_SYMLINK; + } else if (file_type == CIL_KEY_ANY) { + genfscon->file_type = CIL_FILECON_ANY; + } else { + if (parse_current->next->next->next->cl_head) { + cil_log(CIL_ERR, "Expecting file type, but found a list\n"); + } else { + cil_log(CIL_ERR, "Invalid file type \"%s\"\n", file_type); + } + rc = SEPOL_ERR; + goto exit; + } + context_node = parse_current->next->next->next->next; } else { - cil_context_init(&genfscon->context); + /* (genfscon ... */ + context_node = parse_current->next->next->next; + } - rc = cil_fill_context(parse_current->next->next->next->cl_head, genfscon->context); + if (context_node->cl_head) { + cil_context_init(&genfscon->context); + rc = cil_fill_context(context_node->cl_head, genfscon->context); if (rc != SEPOL_OK) { goto exit; } + } else { + genfscon->context_str = context_node->data; } ast_node->data = genfscon; 
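Review bot: in the cil_gen_genfscon hunk, the four-argument branch (`context_node = parse_current->next->next->next;`) never assigns `genfscon->file_type`, and cil.c's cil_genfscon_init() is not part of this diff, so unless that initializer zeroes the whole struct the new member holds whatever was in the allocation and cil_genfscon_to_policydb's `if (cil_genfscon->file_type && ...)` test reads an indeterminate value; set `genfscon->file_type = CIL_FILECON_ANY` (or 0) explicitly in the else branch or in the init function. Related: the diffstat touches only cil_binary.c, cil_build_ast.c and cil_internal.h, so any code that copies struct cil_genfscon member by member (the AST copy used when macros and blocks are expanded) or prints it back out will silently drop file_type; those paths need the new member as well.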
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index 6f1d3cb5..0e92ccae 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h 
@@ -791,6 +791,7 @@ struct cil_ipaddr { struct cil_genfscon { char *fs_str; char *path_str; + enum cil_filecon_types file_type; char *context_str; struct cil_context *context; }; From patchwork Wed Oct 27 18:12:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12587699 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 296E3C433F5 for ; Wed, 27 Oct 2021 18:12:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 15BE06109F for ; Wed, 27 Oct 2021 18:12:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238910AbhJ0SPS (ORCPT ); Wed, 27 Oct 2021 14:15:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39416 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231782AbhJ0SPS (ORCPT ); Wed, 27 Oct 2021 14:15:18 -0400 Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 81393C061570 for ; Wed, 27 Oct 2021 11:12:52 -0700 (PDT) Received: by mail-qt1-x82f.google.com with SMTP id f1so3294614qto.9 for ; Wed, 27 Oct 2021 11:12:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=K1B9JHLq9PWLP/zHWyJ6cnJpdltyQSgV6M1zrRnwDJg=; b=ax54oA0cDoFEkb/tpte93WVd9lKkDOxHpl102g+BtgVJbxsh2rknDfd065AY7rztgw kH/0ZFRc8Pu8J1oVGMMBZ4UPLIEOnS0LoTgg64O9scLbjCHT+DkGqEXUe3Uo5hR0jQx3 xima8ieH0UlbGqDZwSLFySvLQRklDyFeBEgi4hl4bCDBsa6g3Ugnhjfelvh5V6itr3Go Ue9xPB/RRby+azPlw9vuvYMTBGiZgkTzYUua+mmptbj94sLfwtv4Vb969cSKHSKMntm2 
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 3/4] secilc/docs: Document the optional file type for genfscon rules
Date: Wed, 27 Oct 2021 14:12:09 -0400
Message-Id: <20211027181210.1019597-4-jwcart2@gmail.com>
In-Reply-To: <20211027181210.1019597-1-jwcart2@gmail.com>
References: <20211027181210.1019597-1-jwcart2@gmail.com>

Update the CIL documentation to include the optional file type for
genfscon rules.

Signed-off-by: James Carter
---
 secilc/docs/cil_file_labeling_statements.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/secilc/docs/cil_file_labeling_statements.md b/secilc/docs/cil_file_labeling_statements.md index ed7b7bf9..73f73885 100644 --- a/secilc/docs/cil_file_labeling_statements.md +++ b/secilc/docs/cil_file_labeling_statements.md @@ -36,11 +36,13 @@ Define entries for labeling files. The compiler will produce these entries in a - +

keyword

file_contexts entry

+ +

file

--

@@ -185,7 +187,7 @@ Used to allocate a security context to filesystems that cannot support any of th **Statement definition:** ```secil - (genfscon fsname path context_id) + (genfscon fsname path [file_type] context_id) ``` **Where:** @@ -209,6 +211,10 @@ Used to allocate a security context to filesystems that cannot support any of th

If fsname is proc, then the partial path (see examples). For all other types this must be ‘/’.

+

file_type

+

Optional keyword representing a file type. Valid values are the same as in [`filecon`](cil_file_labeling_statements.md#filecon) rules.

+ +

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

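Review bot: the new file_type row only points at filecon for the valid keywords; since the 2/4 commit message defines `any` as equivalent to leaving the keyword out, state that here as well, and the examples section (which the path row already refers to with "see examples") should gain one genfscon line that uses a file type keyword so readers see where the optional argument sits relative to the context.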
From patchwork Wed Oct 27 18:12:10 2021
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 12587701
From: James Carter
To: selinux@vger.kernel.org
Cc: James Carter
Subject: [PATCH 4/4] libsepol: Write out genfscon file type when writing out CIL policy
Date: Wed, 27 Oct 2021 14:12:10 -0400
Message-Id: <20211027181210.1019597-5-jwcart2@gmail.com>
In-Reply-To: <20211027181210.1019597-1-jwcart2@gmail.com>
References: <20211027181210.1019597-1-jwcart2@gmail.com>

With an optional file type being added to CIL genfscon rules, it should be
used when writing out a kernel policy or module to CIL when a genfscon rule
should only apply to a single security class.
Signed-off-by: James Carter --- libsepol/src/kernel_to_cil.c | 35 +++++++++++++++++++++++++++++++++-- libsepol/src/module_to_cil.c | 27 ++++++++++++++++++++++++++- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index 305567a5..ef66b2fb 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -2640,6 +2640,8 @@ static int write_genfscon_rules_to_cil(FILE *out, struct policydb *pdb) struct ocontext *ocon; struct strs *strs; char *fstype, *name, *ctx; + uint32_t sclass; + const char *file_type; int rc; rc = strs_init(&strs, 32); @@ -2652,14 +2654,43 @@ static int write_genfscon_rules_to_cil(FILE *out, struct policydb *pdb) fstype = genfs->fstype; name = ocon->u.name; + sclass = ocon->v.sclass; + file_type = NULL; + if (sclass) { + const char *class_name = pdb->p_class_val_to_name[sclass-1]; + if (strcmp(class_name, "blk_file") == 0) { + file_type = "block"; + } else if (strcmp(class_name, "chr_file") == 0) { + file_type = "char"; + } else if (strcmp(class_name, "dir") == 0) { + file_type = "dir"; + } else if (strcmp(class_name, "fifo_file") == 0) { + file_type = "pipe"; + } else if (strcmp(class_name, "lnk_file") == 0) { + file_type = "symlink"; + } else if (strcmp(class_name, "sock_file") == 0) { + file_type = "socket"; + } else if (strcmp(class_name, "file") == 0) { + file_type = "file"; + } else { + rc = -1; + goto exit; + } + } + ctx = context_to_str(pdb, &ocon->context[0]); if (!ctx) { rc = -1; goto exit; } - rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s)", 3, - fstype, name, ctx); + if (file_type) { + rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s %s)", 4, + fstype, name, file_type, ctx); + } else { + rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s)", 3, + fstype, name, ctx); + } free(ctx); if (rc != 0) { goto exit; diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 16e4004e..33c198b9 100644 
--- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -2961,10 +2961,35 @@ static int genfscon_to_cil(struct policydb *pdb) { struct genfs *genfs; struct ocontext *ocon; + uint32_t sclass; for (genfs = pdb->genfs; genfs != NULL; genfs = genfs->next) { for (ocon = genfs->head; ocon != NULL; ocon = ocon->next) { - cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name); + sclass = ocon->v.sclass; + if (sclass) { + const char *file_type; + const char *class_name = pdb->p_class_val_to_name[sclass-1]; + if (strcmp(class_name, "blk_file") == 0) { + file_type = "block"; + } else if (strcmp(class_name, "chr_file") == 0) { + file_type = "char"; + } else if (strcmp(class_name, "dir") == 0) { + file_type = "dir"; + } else if (strcmp(class_name, "fifo_file") == 0) { + file_type = "pipe"; + } else if (strcmp(class_name, "lnk_file") == 0) { + file_type = "symlink"; + } else if (strcmp(class_name, "sock_file") == 0) { + file_type = "socket"; + } else if (strcmp(class_name, "file") == 0) { + file_type = "file"; + } else { + return -1; + } + cil_printf("(genfscon %s \"%s\" %s ", genfs->fstype, ocon->u.name, file_type); + } else { + cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name); + } context_to_cil(pdb, &ocon->context[0]); cil_printf(")\n"); }
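Review bot: the class-name to keyword chain in the genfscon_to_cil hunk is the third copy of the same mapping in this series (kernel_to_conf.c in 1/4 and kernel_to_cil.c earlier in this patch carry the other two, differing only in the strings produced), so a single shared helper that maps a class name to the CIL keyword, with the policy.conf writer translating that keyword to its `-b`/`-c`/`-d`/`-p`/`-l`/`-s`/`--` flag, keeps the three from drifting apart when a class is added. As in those copies, the `return -1;` here says nothing about which `class_name` was unexpected, so a failed module-to-CIL conversion cannot be diagnosed from the output; log it before returning.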