On Thu, Aug 29, 2019 at 3:12 PM jwcart2 <jwcart2@xxxxxxxxxxxxx> wrote:
>
> On 8/26/19 10:20 AM, Joshua Brindle wrote:
> > Policy developers can set a default_range default to glblub and
> > computed contexts will be the intersection of the ranges of the
> > source and target contexts. For example, one can add a default with
> > this cil:
> >
> > (defaultrange db_table glblub);
> >
> > and then test using the compute_create utility:
> >
> > $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
> > system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
> >
>
> It would be nice to say what glblub means and to have an example for checkpolicy
> as well.
>
Can do.
<snip>
> > --- a/libsepol/cil/src/cil_policy.c
> > +++ b/libsepol/cil/src/cil_policy.c
> > @@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
> > case CIL_DEFAULT_TARGET_LOW_HIGH:
> > fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
> > break;
> > + case CIL_DEFAULT_GLBLUB:
> > + fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_GLBLUB);
>
> I think you just want fprintf(out," %s", CIL_KEY_GLBLUB);
Yea, you are right. I wonder why this even works then?
<snip>
> > --- a/libsepol/src/kernel_to_conf.c
> > +++ b/libsepol/src/kernel_to_conf.c
> > @@ -673,6 +673,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
> > case DEFAULT_TARGET_LOW_HIGH:
> > dft = "target low-high";
> > break;
> > + case DEFAULT_GLBLUB:
> > + dft = "glblub";
> > + break;
> > default:
> > sepol_log_err("Unknown default type value: %i", class->default_range);
> > return -1;
>
> You need to update kernel_to_cil.c as well.
Good catch. As a side note changing the policy has many more touch
points than it use to (this is my first time making an update that
include CIL). Is there some checklist or developer readme or something
available?
Also, it isn't clear how to test all the combinations. I did add:
Add via CIL module (which combos does that test?)
Add to exported CIL base (is that really the same as above?)
Add to .te base
What would I have needed to do to see that kernel_to_cil.c hadn't been updated?
<snip>
> > --- a/libsepol/src/write.c
> > +++ b/libsepol/src/write.c
> > @@ -46,6 +46,11 @@
> > #include "private.h"
> > #include "mls.h"
> >
> > +#define glblub_version ((p->policy_type == POLICY_KERN && \
> > + p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
> > + (p->policy_type == POLICY_BASE && \
> > + p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
> > +
> > struct policy_data {
> > struct policy_file *fp;
> > struct policydb *p;
> > @@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
> > p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
> > buf[0] = cpu_to_le32(cladatum->default_user);
> > buf[1] = cpu_to_le32(cladatum->default_role);
> > + if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
> > + WARN(fp->handle,
> > + "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
> > + p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
> > + p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
> > + cladatum->default_range = 0;
> > + }
> > buf[2] = cpu_to_le32(cladatum->default_range);
> > items = put_entry(buf, sizeof(uint32_t), 3, fp);
> > if (items != 3)
> >
>
> Everything else looks ok, but I haven't tested it yet.
Thanks. You can test using the test suite as well, I'm impressed that
adding a bunch of sensitivities to an mcs policy works as well as it
does!
