selinux: dynamic class/perm discovery

Modify SELinux to dynamically discover class and permission values upon policy load, based on the dynamic object class/perm discovery logic from libselinux. A mapping is created between kernel-private class and permission indices used outside the security server and the policy values used within the security server. The mappings are only applied upon kernel-internal computations; similar mappings for the private indices of userspace object managers is handled on a per-object manager basis by the userspace AVC. The interfaces for compute_av and transition_sid are split for kernel vs. userspace; the userspace functions are distinguished by a _user suffix. The kernel-private class indices are no longer tied to the policy values and thus do not need to skip indices for userspace classes; thus the kernel class index values are compressed. The flask.h definitions were regenerated by deleting the userspace classes from refpolicy's definitions and then regenerating the headers. Going forward, we can just maintain the flask.h, av_permissions.h, and classmap.h definitions separately from policy as they are no longer tied to the policy values. The next patch introduces a utility to automate generation of flask.h and av_permissions.h from the classmap.h definitions. The older kernel class and permission string tables are removed and replaced by a single security class mapping table that is walked at policy load to generate the mapping. The old kernel class validation logic is completely replaced by the mapping logic. The handle unknown logic is reworked. reject_unknown=1 is handled when the mappings are computed at policy load time, similar to the old handling by the class validation logic. allow_unknown=1 is handled when computing and mapping decisions - if the permission was not able to be mapped (i.e. undefined, mapped to zero), then it is automatically added to the allowed vector. If the class was not able to be mapped (i.e. undefined, mapped to zero), then all permissions are allowed for it if allow_unknown=1. avc_audit leverages the new security class mapping table to lookup the class and permission names from the kernel-private indices. The mdp program is updated to use the new table when generating the class definitions and allow rules for a minimal boot policy for the kernel. It should be noted that this policy will not include any userspace classes, nor will its policy index values for the kernel classes correspond with the ones in refpolicy (they will instead match the kernel-private indices). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
author: Stephen Smalley <sds@tycho.nsa.gov> 2009-09-30 13:37:50 -0400
committer: James Morris <jmorris@namei.org> 2009-10-07 06:56:42 -0400
commit: c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c (patch)
tree: 1a5475b4370655a22670fd6eb35e54d8b131b362 /scripts/selinux
parent: 23acb98de5a4109a60b5fe3f0439389218b039d7 (diff)
1 files changed, 28 insertions, 123 deletions
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index b4ced8562587..62b34ce1f50d 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -29,86 +29,27 @@
 #include <unistd.h>
 #include <string.h>
-#include "flask.h"
 static void usage(char *name)
 {
        printf("usage: %s [-m] policy_file context_file\n", name);
        exit(1);
 }
-static void find_common_name(char *cname, char *dest, int len)
+/* Class/perm mapping support */
-{
+struct security_class_mapping {
-        char *start, *end;
+        const char *name;
+        const char *perms[sizeof(unsigned) * 8 + 1];
-        start = strchr(cname, '_')+1;
-        end = strchr(start, '_');
-        if (!start || !end || start-cname > len || end-start > len) {
-                printf("Error with commons defines\n");
-                exit(1);
-        }
-        strncpy(dest, start, end-start);
-        dest[end-start] = '\0';
-}
-#define S_(x) x,
-static char *classlist[] = {
-#include "class_to_string.h"
-        NULL
 };
-#undef S_
+#include "classmap.h"
 #include "initial_sid_to_string.h"
-#define TB_(x) char *x[] = {
-#define TE_(x) NULL };
-#define S_(x) x,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-struct common {
-        char *cname;
-        char **perms;
-};
-struct common common[] = {
-#define TB_(x) { #x, x },
-#define S_(x)
-#define TE_(x)
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-};
-#define S_(x, y, z) {x, #y},
-struct av_inherit {
-        int class;
-        char *common;
-};
-struct av_inherit av_inherit[] = {
-#include "av_inherit.h"
-};
-#undef S_
-#include "av_permissions.h"
-#define S_(x, y, z) {x, y, z},
-struct av_perms {
-        int class;
-        int perm_i;
-        char *perm_s;
-};
-struct av_perms av_perms[] = {
-#include "av_perm_to_string.h"
-};
-#undef S_
 int main(int argc, char *argv[])
 {
        int i, j, mls = 0;
+        int initial_sid_to_string_len;
        char **arg, *polout, *ctxout;
-        int classlist_len, initial_sid_to_string_len;
        FILE *fout;
        if (argc < 3)
@@ -127,64 +68,25 @@ int main(int argc, char *argv[])
                usage(argv[0]);
        }
-        classlist_len = sizeof(classlist) / sizeof(char *);
        /* print out the classes */
-        for (i=1; i < classlist_len; i++) {
+        for (i = 0; secclass_map[i].name; i++)
-                if(classlist[i])
+                fprintf(fout, "class %s\n", secclass_map[i].name);
-                        fprintf(fout, "class %s\n", classlist[i]);
-                else
-                        fprintf(fout, "class user%d\n", i);
-        }
        fprintf(fout, "\n");
        initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
        /* print out the sids */
-        for (i=1; i < initial_sid_to_string_len; i++)
+        for (i = 1; i < initial_sid_to_string_len; i++)
                fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
        fprintf(fout, "\n");
-        /* print out the commons */
-        for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
-                char cname[101];
-                find_common_name(common[i].cname, cname, 100);
-                cname[100] = '\0';
-                fprintf(fout, "common %s\n{\n", cname);
-                for (j=0; common[i].perms[j]; j++)
-                        fprintf(fout, "\t%s\n", common[i].perms[j]);
-                fprintf(fout, "}\n\n");
-        }
-        fprintf(fout, "\n");
        /* print out the class permissions */
-        for (i=1; i < classlist_len; i++) {
+        for (i = 0; secclass_map[i].name; i++) {
-                if (classlist[i]) {
+                struct security_class_mapping *map = &secclass_map[i];
-                        int firstperm = -1, numperms = 0;
+                fprintf(fout, "class %s\n", map->name);
+                fprintf(fout, "{\n");
-                        fprintf(fout, "class %s\n", classlist[i]);
+                for (j = 0; map->perms[j]; j++)
-                        /* does it inherit from a common? */
+                        fprintf(fout, "\t%s\n", map->perms[j]);
-                        for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
+                fprintf(fout, "}\n\n");
-                                if (av_inherit[j].class == i)
-                                        fprintf(fout, "inherits %s\n", av_inherit[j].common);
-                        for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
-                                if (av_perms[j].class == i) {
-                                        if (firstperm == -1)
-                                                firstperm = j;
-                                        numperms++;
-                                }
-                        }
-                        if (!numperms) {
-                                fprintf(fout, "\n");
-                                continue;
-                        }
-                        fprintf(fout, "{\n");
-                        /* print out the av_perms */
-                        for (j=0; j < numperms; j++) {
-                                fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
-                        }
-                        fprintf(fout, "}\n\n");
-                }
        }
        fprintf(fout, "\n");
@@ -197,31 +99,34 @@ int main(int argc, char *argv[])
        /* types, roles, and allows */
        fprintf(fout, "type base_t;\n");
        fprintf(fout, "role base_r types { base_t };\n");
-        for (i=1; i < classlist_len; i++) {
+        for (i = 0; secclass_map[i].name; i++)
-                if (classlist[i])
+                fprintf(fout, "allow base_t base_t:%s *;\n",
-                        fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
+                        secclass_map[i].name);
-                else
-                        fprintf(fout, "allow base_t base_t:user%d *;\n", i);
-        }
        fprintf(fout, "user user_u roles { base_r };\n");
        fprintf(fout, "\n");
        /* default sids */
-        for (i=1; i < initial_sid_to_string_len; i++)
+        for (i = 1; i < initial_sid_to_string_len; i++)
                fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
        fprintf(fout, "\n");
        fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
        fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
        fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
        fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
        fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
        fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
        fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
        fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
        fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
        fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
author	Stephen Smalley <sds@tycho.nsa.gov>	2009-09-30 13:37:50 -0400
committer	James Morris <jmorris@namei.org>	2009-10-07 06:56:42 -0400
commit	c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c (patch)
tree	1a5475b4370655a22670fd6eb35e54d8b131b362 /scripts/selinux
parent	23acb98de5a4109a60b5fe3f0439389218b039d7 (diff)

diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index b4ced8562587..62b34ce1f50d 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c
@@ -29,86 +29,27 @@
29	#include <unistd.h>	29	#include <unistd.h>
30	#include <string.h>	30	#include <string.h>
31		31
32	#include "flask.h"
33
34	static void usage(char *name)	32	static void usage(char *name)
35	{	33	{
36	printf("usage: %s [-m] policy_file context_file\n", name);	34	printf("usage: %s [-m] policy_file context_file\n", name);
37	exit(1);	35	exit(1);
38	}	36	}
39		37
40	static void find_common_name(char cname, char dest, int len)	38	/* Class/perm mapping support */
41	{	39	struct security_class_mapping {
42	char start, end;	40	const char *name;
43		41	const char perms[sizeof(unsigned) 8 + 1];
44	start = strchr(cname, '_')+1;
45	end = strchr(start, '_');
46	if (!start \|\| !end \|\| start-cname > len \|\| end-start > len) {
47	printf("Error with commons defines\n");
48	exit(1);
49	}
50	strncpy(dest, start, end-start);
51	dest[end-start] = '\0';
52	}
53
54	#define S_(x) x,
55	static char *classlist[] = {
56	#include "class_to_string.h"
57	NULL
58	};	42	};
59	#undef S_
60		43
		44	#include "classmap.h"
61	#include "initial_sid_to_string.h"	45	#include "initial_sid_to_string.h"
62		46
63	#define TB_(x) char *x[] = {
64	#define TE_(x) NULL };
65	#define S_(x) x,
66	#include "common_perm_to_string.h"
67	#undef TB_
68	#undef TE_
69	#undef S_
70
71	struct common {
72	char *cname;
73	char **perms;
74	};
75	struct common common[] = {
76	#define TB_(x) { #x, x },
77	#define S_(x)
78	#define TE_(x)
79	#include "common_perm_to_string.h"
80	#undef TB_
81	#undef TE_
82	#undef S_
83	};
84
85	#define S_(x, y, z) {x, #y},
86	struct av_inherit {
87	int class;
88	char *common;
89	};
90	struct av_inherit av_inherit[] = {
91	#include "av_inherit.h"
92	};
93	#undef S_
94
95	#include "av_permissions.h"
96	#define S_(x, y, z) {x, y, z},
97	struct av_perms {
98	int class;
99	int perm_i;
100	char *perm_s;
101	};
102	struct av_perms av_perms[] = {
103	#include "av_perm_to_string.h"
104	};
105	#undef S_
106
107	int main(int argc, char *argv[])	47	int main(int argc, char *argv[])
108	{	48	{
109	int i, j, mls = 0;	49	int i, j, mls = 0;
		50	int initial_sid_to_string_len;
110	char *arg, polout, *ctxout;	51	char *arg, polout, *ctxout;
111	int classlist_len, initial_sid_to_string_len;	52
112	FILE *fout;	53	FILE *fout;
113		54
114	if (argc < 3)	55	if (argc < 3)
@@ -127,64 +68,25 @@ int main(int argc, char *argv[])
127	usage(argv[0]);	68	usage(argv[0]);
128	}	69	}
129		70
130	classlist_len = sizeof(classlist) / sizeof(char *);
131	/* print out the classes */	71	/* print out the classes */
132	for (i=1; i < classlist_len; i++) {	72	for (i = 0; secclass_map[i].name; i++)
133	if(classlist[i])	73	fprintf(fout, "class %s\n", secclass_map[i].name);
134	fprintf(fout, "class %s\n", classlist[i]);
135	else
136	fprintf(fout, "class user%d\n", i);
137	}
138	fprintf(fout, "\n");	74	fprintf(fout, "\n");
139		75
140	initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);	76	initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
141	/* print out the sids */	77	/* print out the sids */
142	for (i=1; i < initial_sid_to_string_len; i++)	78	for (i = 1; i < initial_sid_to_string_len; i++)
143	fprintf(fout, "sid %s\n", initial_sid_to_string[i]);	79	fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
144	fprintf(fout, "\n");	80	fprintf(fout, "\n");
145		81
146	/* print out the commons */
147	for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
148	char cname[101];
149	find_common_name(common[i].cname, cname, 100);
150	cname[100] = '\0';
151	fprintf(fout, "common %s\n{\n", cname);
152	for (j=0; common[i].perms[j]; j++)
153	fprintf(fout, "\t%s\n", common[i].perms[j]);
154	fprintf(fout, "}\n\n");
155	}
156	fprintf(fout, "\n");
157
158	/* print out the class permissions */	82	/* print out the class permissions */
159	for (i=1; i < classlist_len; i++) {	83	for (i = 0; secclass_map[i].name; i++) {
160	if (classlist[i]) {	84	struct security_class_mapping *map = &secclass_map[i];
161	int firstperm = -1, numperms = 0;	85	fprintf(fout, "class %s\n", map->name);
162		86	fprintf(fout, "{\n");
163	fprintf(fout, "class %s\n", classlist[i]);	87	for (j = 0; map->perms[j]; j++)
164	/* does it inherit from a common? */	88	fprintf(fout, "\t%s\n", map->perms[j]);
165	for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)	89	fprintf(fout, "}\n\n");
166	if (av_inherit[j].class == i)
167	fprintf(fout, "inherits %s\n", av_inherit[j].common);
168
169	for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
170	if (av_perms[j].class == i) {
171	if (firstperm == -1)
172	firstperm = j;
173	numperms++;
174	}
175	}
176	if (!numperms) {
177	fprintf(fout, "\n");
178	continue;
179	}
180
181	fprintf(fout, "{\n");
182	/* print out the av_perms */
183	for (j=0; j < numperms; j++) {
184	fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
185	}
186	fprintf(fout, "}\n\n");
187	}
188	}	90	}
189	fprintf(fout, "\n");	91	fprintf(fout, "\n");
190		92
@@ -197,31 +99,34 @@ int main(int argc, char *argv[])
197	/* types, roles, and allows */	99	/* types, roles, and allows */
198	fprintf(fout, "type base_t;\n");	100	fprintf(fout, "type base_t;\n");
199	fprintf(fout, "role base_r types { base_t };\n");	101	fprintf(fout, "role base_r types { base_t };\n");
200	for (i=1; i < classlist_len; i++) {	102	for (i = 0; secclass_map[i].name; i++)
201	if (classlist[i])	103	fprintf(fout, "allow base_t base_t:%s *;\n",
202	fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);	104	secclass_map[i].name);
203	else
204	fprintf(fout, "allow base_t base_t:user%d *;\n", i);
205	}
206	fprintf(fout, "user user_u roles { base_r };\n");	105	fprintf(fout, "user user_u roles { base_r };\n");
207	fprintf(fout, "\n");	106	fprintf(fout, "\n");
208		107
209	/* default sids */	108	/* default sids */
210	for (i=1; i < initial_sid_to_string_len; i++)	109	for (i = 1; i < initial_sid_to_string_len; i++)
211	fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);	110	fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
212	fprintf(fout, "\n");	111	fprintf(fout, "\n");
213		112
214
215	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");	113	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
216	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");	114	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
		115	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
217	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");	116	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
218	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");	117	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
219	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");	118	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
		119	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
		120	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
		121	fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
220		122
		123	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
221	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");	124	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
222	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");	125	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
223		126
		127	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
224	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");	128	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
		129	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
225	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");	130	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
226	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");	131	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
227		132