From patchwork Mon Jun 12 09:31:06 2023 X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 13275967 X-Patchwork-Delegate: plautrba@redhat.com
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH userspace 1/2] libsepol: stop translating deprecated initial SIDs to strings Date: Mon, 12 Jun 2023 11:31:06 +0200 Message-Id: <20230612093107.1066410-2-omosnace@redhat.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230612093107.1066410-1-omosnace@redhat.com> References: <20230612093107.1066410-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Many of the initial SIDs are no longer used by the kernel, so translating them to the legacy names doesn't bring much value. Clear the legacy names from the table and let the code translate them to the fallback "unknown" names instead. Note that this only affects the generated text output when converting policies from binary to text form. The text policy languages let the policy define its own names for the initial SIDs based on the order in which they are declared, so the table is never used to convert from name to SID. Thus this is just a cosmetic change and has no functional impact. Signed-off-by: Ondrej Mosnacek Acked-by: James Carter --- libsepol/src/kernel_to_cil.c | 4 ++-- libsepol/src/kernel_to_common.h | 36 ++++++++++++++++----------------- libsepol/src/kernel_to_conf.c | 4 ++-- libsepol/src/module_to_cil.c | 2 +- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index e9cd89c2..bd04c087 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -567,7 +567,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_str[i]) { sid = (char *)sid_to_str[i]; } else { snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
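Review bot: the fallback branch directly below the changed condition in write_sids_to_cil still writes with a hard-coded length, `snprintf(unknown, 18, "%s%u", "UNKNOWN", i);`, whereas the matching hunks in kernel_to_conf.c use `sizeof(unknown)`. Since this patch turns the fallback into the common path for every cleared table slot, it would be worth switching the two kernel_to_cil.c sites (and the module_to_cil.c one) to `sizeof(unknown)` in the same pass so the buffer size and the format string cannot drift apart; the same five-line lookup is now repeated at four call sites and is a natural candidate for a small shared helper in kernel_to_common. The new `&& sid_to_str[i]` test itself is fine: `i < num_sids` is evaluated first, so the NULL check never reads past the end of the table.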
@@ -2577,7 +2577,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_str[i]) { sid = (char *)sid_to_str[i]; } else { snprintf(unknown, 18, "%s%u", "UNKNOWN", i); diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h index 159c4289..6073ff3a 100644 --- a/libsepol/src/kernel_to_common.h +++ b/libsepol/src/kernel_to_common.h @@ -13,33 +13,33 @@ // initial sid names aren't actually stored in the pp files, need to a have // a mapping, taken from the linux kernel static const char * const selinux_sid_to_str[] = { - "null", + NULL, "kernel", "security", "unlabeled", - "fs", + NULL, "file", - "file_labels", - "init", + NULL, + NULL, "any_socket", "port", "netif", "netmsg", "node", - "igmp_packet", - "icmp_socket", - "tcp_socket", - "sysctl_modprobe", - "sysctl", - "sysctl_fs", - "sysctl_kernel", - "sysctl_net", - "sysctl_net_unix", - "sysctl_vm", - "sysctl_dev", - "kmod", - "policy", - "scmp_packet", + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, "devnull", }; diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index c48a7114..3be87184 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -464,7 +464,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_str[i]) { sid = (char *)sid_to_str[i]; } else { snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i); 
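Review bot: in the kernel_to_common.h hunk the cleared entries become eighteen bare `NULL,` lines, fourteen of them consecutive (indices 13 to 26), so the only thing still tying an entry to its SID number is its position, and the header comment above the table ("taken from the linux kernel") no longer tells the reader which slot is which. Please annotate each cleared slot with its index and former name, e.g. `NULL, /* 4: fs */` and `NULL, /* 7: init */`, so that a later change such as 2/2 in this series, which puts `"init"` back at index 7, can be verified by eye rather than by counting lines. The same header comment carries a pre-existing typo, "need to a have a mapping", that could be fixed while the surrounding lines are being touched.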
@@ -2445,7 +2445,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_str[i]) { sid = (char *)sid_to_str[i]; } else { snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i); diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index e7bc6ee6..a46775ca 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c 
@@ -2549,7 +2549,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_ for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_string[i]) { sid = (char*)sid_to_string[i]; } else { snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
From patchwork Mon Jun 12 09:31:07 2023 X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 13275968 X-Patchwork-Delegate: plautrba@redhat.com
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH userspace 2/2] libsepol: add support for the new "init" initial SID Date: Mon, 12 Jun 2023 11:31:07 +0200 Message-Id: <20230612093107.1066410-3-omosnace@redhat.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230612093107.1066410-1-omosnace@redhat.com> References: <20230612093107.1066410-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Resurrect the naming of the "init" initial SID, as it has been reintroduced in the kernel. Also add the new "userspace_initial_context" policy capability that is used to enable the new semantics for this initial SID. Signed-off-by: Ondrej Mosnacek --- libsepol/include/sepol/policydb/polcaps.h | 1 + libsepol/src/kernel_to_common.h | 2 +- libsepol/src/polcaps.c | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h index f5e32e60..14bcc6cb 100644 --- a/libsepol/include/sepol/policydb/polcaps.h +++ b/libsepol/include/sepol/policydb/polcaps.h @@ -15,6 +15,7 @@ enum { POLICYDB_CAP_NNP_NOSUID_TRANSITION, POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS, POLICYDB_CAP_IOCTL_SKIP_CLOEXEC, + POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, __POLICYDB_CAP_MAX }; #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1) diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h index 6073ff3a..5d927a3d 100644 --- a/libsepol/src/kernel_to_common.h +++ b/libsepol/src/kernel_to_common.h @@ -20,7 +20,7 @@ static const char * const selinux_sid_to_str[] = { NULL, "file", NULL, - NULL, + "init", "any_socket", "port", "netif", diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c index 687e971c..be12580a 100644 --- a/libsepol/src/polcaps.c +++ b/libsepol/src/polcaps.c 
@@ -14,6 +14,7 @@ static const char * const polcap_names[] = { "nnp_nosuid_transition", /* POLICYDB_CAP_NNP_NOSUID_TRANSITION */ "genfs_seclabel_symlinks", /* POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS */ "ioctl_skip_cloexec", /* POLICYDB_CAP_IOCTL_SKIP_CLOEXEC */ + "userspace_initial_context", /* POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT */ NULL };
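Review bot: the polcaps.c hunk appends `"userspace_initial_context"` immediately before the `NULL` terminator, and the polcaps.h hunk appends `POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT` immediately before `__POLICYDB_CAP_MAX`, so the two tables stay aligned only because both insertions happen to be at the same position; nothing in the code checks it. Because the capability index is what is written into the binary policy and interpreted by the kernel, a mismatch here would silently enable the wrong capability. Consider adding a compile-time check next to `polcap_names[]` that its element count equals `__POLICYDB_CAP_MAX + 1`, and stating in the commit message that the enum position must mirror the kernel's policy capability numbering.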
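Review bot: the kernel_to_common.h hunk replaces one of several adjacent `NULL,` entries with `"init"`, and with the table in its post-1/2 shape (`NULL, "file", NULL, NULL, "any_socket"`) the only evidence that this is slot 7 rather than slot 6 is the ordering of the context lines. A trailing comment such as `"init", /* 7 */` would make the resurrected entry self-documenting, and the commit message could name the SID number it corresponds to. It is also worth saying explicitly that the lookup sites changed in 1/2 test only `sid_to_str[i] != NULL`, so the text output will now print `init` for SID 7 regardless of whether the policy being converted sets the `userspace_initial_context` capability.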