Joshua Brindle wrote:
Stephen Smalley wrote:
On Fri, 2008-07-25 at 22:03 +0900, KaiGai Kohei wrote:
[1/3] thread-context-kernel.1.patch
This patch enables to assign a thread a "weaker" hierarchical
domain, only if the destinated domain is a child of the current
domain. Hierachy relationships are defined in the policy version
24. This patch also enables to read the new version of policy.
If you are going to take type hierarchy support into the
kernel, then it seems like it should be completely taken into
the kernel, i.e. the hierarchy checking should be applied by
the kernel rather than by the toolchain. That is what the
Flask security server did for its extensible policy mechanism.
If we are going to do this we also might as well implement the explicit
hierarchy support and get away from name based hierarchy.
And I think both the neverallow checking and the type
hierarchy checking needs to move away from needing to do a
full expansion in order to check; it is just too expensive these days.
Do you think it will be faster to do attribute based lookups? It will
certainly use significantly less memory.
What do you means the attribute based lookups?
In hierarchy checks, we should not expand any attribute of type without
applying them to its parent type. We can check it by comparing type_attr_map
of both types, without additional memory consumption.
In never allow checks, all we have to do is adding a "else if" block to check
in context_struct_compute_av(), like:
------------
ebitmap_for_each_positive_bit(sattr, snode, i) {
ebitmap_for_each_positive_bit(tattr, tnode, j) {
avkey.source_type = i + 1;
avkey.target_type = j + 1;
for (node = avtab_search_node(&policydb.te_avtab, &avkey);
node != NULL;
node = avtab_search_node_next(node, avkey.specified)) {
if (node->key.specified == AVTAB_ALLOWED)
avd->allowed |= node->datum.data;
else if (node->key.specified == AVTAB_AUDITALLOW)
avd->auditallow |= node->datum.data;
else if (node->key.specified == AVTAB_AUDITDENY)
avd->auditdeny &= node->datum.data;
+ else if (node->key.specified == AVTAB_NEVERALLOW)
+ avd->allowed &= ~node->datum.data;
+ /* TODO: print logs to notice masked perms */
}
/* Check conditional av table for additional permissions */
cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
}
}
------------
Thanks,
--
KaiGai Kohei <kaigai@xxxxxxxxxxxx>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
