Re: [PATCH v3 0/3] Xen/FLASK policy updates for device contexts

I've been testing this and found a few problems:

1) I could not read a policy with sedispol (in the checkpolicy/test directory)
   when the devicetreecon statement was included (checkpolicy built ok).
   I've attached a patch that fixes this problem and included CIL Ref Guide
   updates for the new features.

2) When building policy with the CIL compiler secilc I get core dumps but
   only if I include the devicetreecon statement. I think it's related to not releasing
   the devicetreepath "path" when sepol_policydb_free is called. I've been
   trying to track it down and failed - any ideas !!!
   sedispol will read the generated CIL policy with the above fix applied.


Richard



----- Original Message -----
> From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> To: selinux@xxxxxxxxxxxxx
> Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx
> Sent: Tuesday, 17 March 2015, 20:43
> Subject: [PATCH v3 0/3] Xen/FLASK policy updates for device contexts
> 
> In order to support assigning security labels to ARM device tree nodes
> in Xen's XSM policy, a new ocontext type is needed in the security
> policy.
> 
> In addition to adding the new ocontext, the existing I/O memory range
> ocontext is expanded to 64 bits in order to support hardware with more
> than 44 bits of physical address space (32-bit count of 4K pages).
> 
> Changes from v2:
> - Clean up printf format strings for 32-bit builds
> 
> Changes from v1:
> - Use policy version 30 instead of forking the version numbers for Xen;
>    this removes the need for v1's patch 3.
> - Report an error when attempting to use an I/O memory range that
>    requires a 64-bit representation with an old policy output version
>    that cannot support this
> - Fix a few incorrect references to PCIDEVICECON
> - Reorder patches to clarify the allowed character set of device tree
>    paths
> 
> [PATCH 1/3] checkpolicy: Expand allowed character set in paths
> [PATCH 2/3] libsepol, checkpolicy: widen Xen IOMEM ocontext entries
> [PATCH 3/3] libsepol, checkpolicy: add device tree ocontext nodes to
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to 
> Selinux-request@xxxxxxxxxxxxx.
> 
From 12f17f0022784a7b57aa355dc8c4e5c8d4b9a99d Mon Sep 17 00:00:00 2001
From: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Date: Fri, 20 Mar 2015 14:18:31 +0000
Subject: [PATCH] libsepol: Fix reading Xen policy with devicetreecon

Policy failed to read with devicetreecon statement.

Added devicetreecon statement to CIL policy.cil and updated the CIL
Reference Guide.

Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
 libsepol/cil/docs/cil_xen_statements.xml | 44 ++++++++++++++++++++++++++++++++
 libsepol/cil/test/policy.cil             |  1 +
 libsepol/src/policydb.c                  |  4 ++-
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/libsepol/cil/docs/cil_xen_statements.xml b/libsepol/cil/docs/cil_xen_statements.xml
index 1035b68..45865c6 100644
--- a/libsepol/cil/docs/cil_xen_statements.xml
+++ b/libsepol/cil/docs/cil_xen_statements.xml
@@ -3,6 +3,7 @@
 
    <sect1>
       <title>Xen Statements</title>
+      <para>Policy version 30 introduced the <literal><link linkend="devicetreecon">context</link></literal> statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (32-bit count of 4K pages).</para>
       <para>See the <ulink url="http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt";>"XSM/FLASK Configuration"</ulink> document for further information (<ulink url="http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt";></ulink>)</para>
       <sect2 id="iomemcon">
          <title>iomemcon</title>
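Review bot: the link text in the new <para> does not match its target: `<link linkend="devicetreecon">context</link>` renders as "context" but points at the devicetreecon section, and it is the devicetreecon statement that policy version 30 introduces. Change the visible text to `devicetreecon` so readers are not sent looking for a new "context" statement.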
@@ -180,4 +181,47 @@
          <programlisting><![CDATA[(pirqcon 33 (unconfined.user object_r unconfined.object low_low))]]></programlisting>
       </sect2>
 
+      <sect2 id="devicetreecon">
+         <title>devicetreecon</title>
+         <para>Label device tree nodes.</para>
+         <para><emphasis role="bold">Statement definition:</emphasis></para>
+         <programlisting><![CDATA[(devicetreecon path context_id)]]></programlisting>
+         <para><emphasis role="bold">Where:</emphasis></para>
+         <informaltable frame="all">
+            <tgroup cols="2">
+            <colspec colwidth="2 *"/>
+            <colspec colwidth="6 *"/>
+               <tbody>
+               <row>
+                  <entry>
+                     <para><literal>devicetreecon</literal></para>
+                  </entry>
+                  <entry>
+                     <para>The <literal>devicetreecon</literal> keyword.</para>
+                  </entry>
+               </row>
+               <row>
+                  <entry>
+                     <para><literal>path</literal></para>
+                  </entry>
+                  <entry>
+                     <para>The device tree path. If this contains spaces enclose within <literal>""</literal>.</para>
+                  </entry>
+               </row>
+               <row>
+                  <entry>
+                     <para><literal>context_id</literal></para>
+                  </entry>
+                  <entry>
+                     <para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
+                  </entry>
+               </row>
+            </tbody></tgroup>
+         </informaltable>
+
+         <para><emphasis role="bold">Example:</emphasis></para>
+         <para>An anonymous context for the specified path:</para>
+         <programlisting><![CDATA[(devicetreecon "/this is/a/path" (unconfined.user object_r unconfined.object low_low))]]></programlisting>
+      </sect2>
+
    </sect1>
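Review bot: the closing `</tbody></tgroup>` collapsed onto one line, and `<tbody>` opened at a deeper indent than the `<colspec>` elements, break the one-tag-per-line layout used on the opening side of this table; put `</tbody>` and `</tgroup>` on their own lines at the indent of their opening tags. The content itself is consistent with the statement definition above it: the `path` row says to quote paths containing spaces, and the example does exactly that.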
diff --git a/libsepol/cil/test/policy.cil b/libsepol/cil/test/policy.cil
index 9c76cad..25c8545 100644
--- a/libsepol/cil/test/policy.cil
+++ b/libsepol/cil/test/policy.cil
@@ -250,6 +250,7 @@
 	(iomemcon (0 255) system_u_bin_t_l2h)
 	(ioportcon (22 22) system_u_bin_t_l2h)
 	(pcidevicecon 345 system_u_bin_t_l2h)
+	(devicetreecon "/this is/a/path" system_u_bin_t_l2h)
 
 	(constrain (files (read)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
 	(constrain char_w (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
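Review bot: the new policy.cil entry only exercises the quoted form of the path. Since the doc hunk in this same patch says quoting is needed only when the path contains spaces, a second entry with a plain unquoted path (e.g. `(devicetreecon /a/b/c system_u_bin_t_l2h)`) would cover both forms the parser is expected to accept.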
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index b45b662..ceac33d 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2559,11 +2559,13 @@ static int ocontext_read_xen(struct policydb_compat_info *info,
 				rc = next_entry(buf, fp, sizeof(uint32_t));
 				if (rc < 0)
 					return -1;
-				len = le32_to_cpu(buf[1]);
+				len = le32_to_cpu(buf[0]);
 				c->u.name = malloc(len + 1);
 				if (!c->u.name)
 					return -1;
 				rc = next_entry(c->u.name, fp, len);
+				if (rc < 0)
+					return -1;
 				c->u.name[len] = 0;
 				if (context_read_and_validate
 				    (&c->context[0], p, fp))
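Review bot: the root cause is that `next_entry(buf, fp, sizeof(uint32_t))` fetches a single 32-bit word, so `buf[1]` was never written by this read and held stale data from an earlier entry; `buf[0]` is the value just read, so the index change is correct. The added `if (rc < 0) return -1;` after `next_entry(c->u.name, fp, len)` also closes the path where a short read was followed by `c->u.name[len] = 0` on a buffer that was never filled. Two follow-ups worth considering: `len` comes straight from the policy file with no upper bound before `malloc(len + 1)`, so rejecting an implausibly large length (and the `len + 1` wrap at the maximum value) would be cheap insurance; and the new early return leaves the freshly allocated `c->u.name` attached to `c`, so it should be confirmed that the ocontext destroy code frees `u.name` for the device tree entry type.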
-- 
2.1.0
