|
Hi, Sorry I seems to have some problem to send the last 6/6 patch by git send-mail, try again and re-send it by attachment. This 6/6 patch adds support to adding one role attribute into another, while the first 5 patches are the same as v0. Thanks! Harry From: harrytaurus2002@xxxxxxxxxxx To: qingtao.cao@xxxxxxxxxxxxx; cpebenito@xxxxxxxxxx; sds@xxxxxxxxxxxxx; method@xxxxxxxxxxxxxxx; jmorris@xxxxxxxxx; eparis@xxxxxxxxxxxxxx CC: selinux@xxxxxxxxxxxxx Subject: RE: v1 Add role attribute support to libsepol Date: Sun, 29 May 2011 04:51:26 +0000 Attach the refpolicy patch to test adding one role attribute into another. > From: qingtao.cao@xxxxxxxxxxxxx > To: cpebenito@xxxxxxxxxx; sds@xxxxxxxxxxxxx; method@xxxxxxxxxxxxxxx; jmorris@xxxxxxxxx; eparis@xxxxxxxxxxxxxx > CC: selinux@xxxxxxxxxxxxx > Subject: v1 Add role attribute support to libsepol > Date: Sun, 29 May 2011 12:36:53 +0800 > > > > Comments > --------- > > Support adding one role attribute into another. > > When the link process is completed, the types type_set_t and roles > ebitmap in a role attribute are settled, then we could go on scan > all role attributes in the base.p_roles table checking if any non-zero > bit in its roles ebitmap is indeed another role attribute. > > If this is the case, then we need to escalate the roles ebitmap of > the sub-attribute into that of the parent attribute, a! nd remove the > sub-attribute from parent's roles ebitmap. > > Since sub-attribute's roles ebitmap may further contain other role > attributes, we need to re-scan the updated parent's roles ebitmap. > > Also if a loop dependency is detected, no escalation of sub-attribute's > roles ebitmap is needed. > > > In order to highlight this patch I've decided to introduce a new > separate commit, while all the rest 5 commits are the same as v0. > > > Tests of adding one role attribute into another > ------------------------------------------------ > > 1. Apply the patch for rpm.* and selinuxuti.*, to introduce rpm_roles and > semanage_roles attributes and eliminate the "chain of run interfaces", > make policy.X and dump its hexdump, check out the policy value for > related identifiers: > > 0! 035b00: 5f74 0500 0000 4103 0000 0100 0000 0000 _t....A......... & gt; 0035b10: 0000 7270 6d5f 7407 0000 0042 0300 0001 ..rpm_t.... > > rpm_t: policy value = 0x341 > > 0040460: 740c 0000 0075 0700 0001 0000 0000 0000 t....u.......... > 0040470: 0072 706d 5f73 6372 6970 745f 740f 0000 .rpm_script_t. > > rpm_script_t: policy value = 0x775 > > 004c900: 6563 7572 6974 795f 740a 0000 001e 0c00 ecurity_t....... > 004c910: 0001 0000 0000 0000 0073 656d 616e 6167 .........semanag > 004c920: 655f 7409 0000 001f 0c00 0003 0000 0000 e_t > > semanage_t: policy value = 0xc1e > > 004c760: 0a00 0000 140c 0000 0100 0000 0000 0000 ................ > 004c770: 7365 7466 696c 6573 5f74 1400 0000 ec0a setfiles_t...... > > setfiles_t: policy value = 0xc14 > > 00484e0: 740d 0000 008b 0a00 0001 0000 0000 0000 t............... > 00484f0: 006c 6f61 645f 706f 6c! 69 6379 5f74 0c00 .load_policy_t.. > > load_policy_t: policy value = 0xa8b > > > 2. Check out rpm_roles.types ebitmap: > > 002d2c0: 0000 0400 0000 0000 0000 0900 0000 0f00 ................ > 002d2d0: 0000 0000 0000 7270 6d5f 726f 6c65 7340 ......rpm_roles@ > 002d2e0: 0000 0040 0000 0001 0000 0000 0000 0000 ...@............ > 002d2f0: 4000 0000 0000 0040 0000 0080 0700 0002 @......@........ > 002d300: 0000 0040 0300 0001 0000 0000 0000 0040 ...@...........@ > 002d310: 0700 0000 0000 0000 0010 000b 0000 0010 ................ > 002d320: 0000 0000 0000 006e 785f 7365 7276 6572 ....... > > rpm_roles: policy value = 0x0f > dominates: > mz = 0x40, highbit = 0x40, node = 1 > startbit = 0, map: 00 4000 0000 0000 00 > policy value: 0x0f(rpm_roles) > types.types: > mz = 0x40, highbit ! = 0x780, node = 2 > startbit = 0x340, map: 01 0000 0000 000 0 00 > policy value: 0x341(rpm_t) > startbit = 0x740, map: 00 0000 0000 0010 00 > policy value: 0x775(rpm_script_t) > > > 3. Check out semanage_roles.types ebitmap: > > 002caa0: 0000 0000 0e00 0000 0800 0000 0000 0000 ................ > 002cab0: 7365 6d61 6e61 6765 5f72 6f6c 6573 4000 semanage_roles@. > 002cac0: 0000 4000 0000 0100 0000 0000 0000 8000 ..@............. > 002cad0: 0000 0000 0000 4000 0000 400c 0000 0200 ......@...@..... > 002cae0: 0000 800a 0000 0004 0000 0000 0000 000c ................ > 002caf0: 0000 0000 0820 0000 0000 1000 0000 0900 ..... .......... > 002cb00: 0000 0000 0000 726f 6c65 5f61 7474 7269 ...... > > semanage_roles: policy value = 0x08 > dominates: > mz = 0x40, highbit = 0x40, node = 1, > startbit = 0, map: 8000 0000 0000 0000 > policy value: 8(semanage_rol! es) > types.types: > mz = 0x40, highbit = 0xc40 node = 2 > startbit = 0xa80, map: 0004 0000 0000 0000 > policy value: 0xa8b(load_policy_t) > startbit = 0xc00, map: 0000 0820 0000 0000 > policy value: 0xc14(setfiles_t), 0xc1e(semanage_t) > > > 4. Verify that once rpm_roles attribute becomes a sub-attribute of > semanage_roles attribute, then all regular roles belonging to rpm_roles > such as sysadm_r should be able to type all those types of the parent role > attribute's types(that is, semanage_roles.types): > > 002ccc0: 0000 0800 0000 0b00 0000 0000 0000 7379 ..............sy > 002ccd0: 7361 646d 5f72 4000 0000 4000 0000 0100 sadm_r@...@..... > 002cce0: 0000 0000 0000 0004 0000 0000 0000 4000 ..............@. > 002ccf0: 0000 800d 0000 2d00 0000 8000 0000 0000 ......-......... > ... > 002cd70: 5808, 40! 03 0000 0906 0200 0000 0000, 8003 X.@............. > ... > 002cdf0: 4000 0000 0900 c006 0000 0000 0008 0000 @............... > 002ce00: 0000, 4007 0000 4000 0000 0000 1006, 8007 ..@...@......... > 002ce10: 0000 0000 000a 0000 0000 c007 0000 0080 ................ > ... > 002ce90: 8000, 400a 0000 0000 0000 0000 0040, 800a ..@..........@.. > 002cea0: 0000 0004 0002 0000 0000 c00a 0000 0000 ................ > 002ceb0: 0000 8000 0000 000b 0000 0000 0080 0080 ................ > 002cec0: 0000 c00b 0000 0000 0000 1000 0000, 000c ................ > 002ced0: 0000 0000 3820 0004 0000 400c 0000 0400 ....8 ....@..... > ... > > sysadm_r: policy value = 0x0b > dominates: > mz = 0x40, highbit = 0x40, node = 1 > startbit = 0x0, map: 0004 0000 0000 0000 > policy value: 0x0b(sysadm_r) > types.types: > mz = 0x40, highbit = 0xd80, node = 0x2d > startbit = 0x340, map: ! 0906 0200 0000 0000 > policy value: 341(rpm_t), 344, 34a, 34b > > startbit = 0x740, map: 4000 0000 0000 1006 > policy value: 747, 775(rpm_script_t), 77a, 77b > > startbit = 0xa80, map: 0004 0002 0000 0000 > policy value: a8b(load_policy_t), a9a > > startbit = 0xc00, map: 0000 3820 0004 0000 > policy value: c14(setfiles_t), c15, c16, c1e(semanage_t) > > > 5. Extra loop depenency tests. > > 5.1 When there is no loop dependency between rpm_roles and semanage_roles > attributes, the secadm_r that belongs to semanage_roles attributes is > not able to type those types of the rpm_roles.types, such as rpm_t or > rpm_script_t: > > 002cb60: 0000 0a00 0000 0000 0000 7365 6361 646d ..........secadm > 002cb70: 5f72 4000 0000 4000 0000 0100 0000 0000 _r@...@......... > 00! 2cb80: 0000 0002 0000 0000 0000 4000 0000 400d ..........@...@. &g t; 002cb90: 0000 1900 0000 8000 0000 0000 0000 0200 ................ > ... > 002cbe0: 0000 0400 0200 0000 1800, 4003 0000 0002 ..........@..... > 002cbf0: 0000 0000 0000 c003 0000 0000 0000 0000 ................ > ... > 002cc30: 0800 4006 0000 0000 0000 0000 0100, 4007 ..@...........@. > 002cc40: 0000 0000 0000 0000 2000 4009 0000 0000 ........ .@..... > 002cc50: 0000 0000 0420 8009 0000 0000 0820 0000 ..... ....... .. > > secadm_r: > types.types: > mz = 0x40, highbit = 0xd40, node = 0x19 > startbit = 0x340, map: 0002 0000 0000 0000 > policy value: 34a, ... > > startbit = 0x740, map: 0000 0000 0000 2000 > policy value: 776 > > > 5.2 Add below statements in selinuxutil.te to create a loop dependcy > between rpm_roles and semanage_roles attributes: > > att! ribute rpm_roles ROLE; > roleattribute semanage_roles rpm_roles; > > Then rebuild policy.X in modular way, the loop dependency should be > properly handled, and secadm_r that belongs to the semanage_roles > should be able to type all those types in rpm_roles.types ebitmap, > such as rpm_t and rpm_script_t: > > 002cb60: 0000 0a00 0000 0000 0000 7365 6361 646d ..........secadm > 002cb70: 5f72 4000 0000 4000 0000 0100 0000 0000 _r@...@......... > 002cb80: 0000 0002 0000 0000 0000 4000 0000 400d ..........@...@. > 002cb90: 0000 1900 0000 8000 0000 0000 0000 0200 ................ > ... > 002cbe0: 0000 0400 0200 0000 1800, 4003 0000 0102 ..........@..... > 002cbf0: 0000 0000 0000 c003 0000 0000 0000 0000 ................ > ... > 002cc30: 0800 4006 0000 0000 0000 0000 0100, 4007 ..@...........@. > 002cc40: 0000 0000 0000 ! 0000 3000 4009 0000 0000 ........0.@..... > 002cc50: 0000 00 00 0420 8009 0000 0000 0820 0000 ..... ....... .. > > secadm_r: > types.types: > mz = 0x40, highbit = 0xd40, node = 0x19 > startbit = 0x340, map: 0102 0000 0000 0000 > policy value: 341(rpm_t), ... > > startbit = 0x740, map: 0000 0000 0000 3000 > policy value: 775(rpm_script_t), 776 > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message. |
From c4f111176422eeb385eff04be801c27db0ca4ca3 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Sun, 29 May 2011 11:50:40 +0800
Subject: [v1 PATCH 6/6] Support adding one role attribute into another.
When the link process is completed, the types type_set_t and roles
ebitmap in a role attribute are settled, then we could go on scan
all role attributes in the base.p_roles table checking if any non-zero
bit in its roles ebitmap is indeed another role attribute.
If this is the case, then we need to escalate the roles ebitmap of
the sub-attribute into that of the parent attribute, and remove the
sub-attribute from parent's roles ebitmap.
Since sub-attribute's roles ebitmap may further contain other role
attributes, we need to re-scan the updated parent's roles ebitmap.
Also if a loop dependency is detected, no escalation of sub-attribute's
roles ebitmap is needed.
Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
checkpolicy/policy_define.c | 5 ++-
libsepol/src/link.c | 62 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 402912e..6f48c50 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1895,8 +1895,9 @@ int define_roleattribute(void)
return -1;
}
r = hashtab_search(policydbp->p_roles.table, id);
- if (!r || r->flavor != ROLE_ROLE) {
- yyerror2("unknown role %s, or not a regular role", id);
+ /* We support adding one role attribute into another */
+ if (!r) {
+ yyerror2("unknown role %s", id);
free(id);
return -1;
}
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 53fcff9..3a6fa5a 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -2335,6 +2335,62 @@ static int prepare_base(link_state_t * state, uint32_t num_mod_decls)
return 0;
}
+static int expand_role_attributes(hashtab_key_t key, hashtab_datum_t datum,
+ void * data)
+{
+ char *id;
+ role_datum_t *role, *sub_attr;
+ link_state_t *state;
+ unsigned int i;
+ ebitmap_node_t *rnode;
+
+ id = key;
+ role = (role_datum_t *)datum;
+ state = (link_state_t *)data;
+
+ if (strcmp(id, OBJECT_R) == 0){
+ /* object_r is never a role attribute by far */
+ return 0;
+ }
+
+ if (role->flavor != ROLE_ATTRIB)
+ return 0;
+
+ if (state->verbose)
+ INFO(state->handle, "expanding role attribute %s", id);
+
+restart:
+ ebitmap_for_each_bit(&role->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ sub_attr = state->base->role_val_to_struct[i];
+ if (sub_attr->flavor != ROLE_ATTRIB)
+ continue;
+
+ /* remove the sub role attribute from the parent
+ * role attribute's roles ebitmap */
+ if (ebitmap_set_bit(&role->roles, i, 0))
+ return -1;
+
+ /* loop dependency of role attributes */
+ if (sub_attr->s.value == role->s.value)
+ continue;
+
+ /* now go on to expand a sub role attribute
+ * by escalating its roles ebitmap */
+ if (ebitmap_union(&role->roles, &sub_attr->roles)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ /* sub_attr->roles may contain other role attributes,
+ * re-scan the parent role attribute's roles ebitmap */
+ goto restart;
+ }
+ }
+
+ return 0;
+}
+
/* Link a set of modules into a base module. This process is somewhat
* similar to an actual compiler: it requires a set of order dependent
* steps. The base and every module must have been indexed prior to
@@ -2455,6 +2511,12 @@ int link_modules(sepol_handle_t * handle,
goto cleanup;
}
+ /* now that all role attribute's roles ebitmap have been settled,
+ * expand sub role attribute's roles ebitmap into that of parent */
+ if (hashtab_map
+ (state.base->p_roles.table, expand_role_attributes, &state))
+ goto cleanup;
+
retval = 0;
cleanup:
for (i = 0; modules != NULL && i < len; i++) {
--
1.7.0.4
