On 8/29/19 3:25 PM, Joshua Brindle wrote:
On Thu, Aug 29, 2019 at 3:12 PM jwcart2 <jwcart2@xxxxxxxxxxxxx> wrote:
On 8/26/19 10:20 AM, Joshua Brindle wrote:
Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. For example, one can add a default with
this cil:
(defaultrange db_table glblub);
and then test using the compute_create utility:
$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
It would be nice to say what glblub means and to have an example for checkpolicy
as well.
Can do.
<snip>
--- a/libsepol/cil/src/cil_policy.c
+++ b/libsepol/cil/src/cil_policy.c
@@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
case CIL_DEFAULT_TARGET_LOW_HIGH:
fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
break;
+ case CIL_DEFAULT_GLBLUB:
+ fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_GLBLUB);
I think you just want fprintf(out," %s", CIL_KEY_GLBLUB);
Yea, you are right. I wonder why this even works then?
<snip>
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -673,6 +673,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
case DEFAULT_TARGET_LOW_HIGH:
dft = "target low-high";
break;
+ case DEFAULT_GLBLUB:
+ dft = "glblub";
+ break;
default:
sepol_log_err("Unknown default type value: %i", class->default_range);
return -1;
You need to update kernel_to_cil.c as well.
Good catch. As a side note changing the policy has many more touch
points than it use to (this is my first time making an update that
include CIL). Is there some checklist or developer readme or something
available?
No, there is no checklist. I can see how it would be useful though.
Also, it isn't clear how to test all the combinations. I did add:
Add via CIL module (which combos does that test?)
That tests secilc
Add to exported CIL base (is that really the same as above?)
That also tests secilc
Add to .te base
That tests checkmodule
What would I have needed to do to see that kernel_to_cil.c hadn't been updated?
1. checkpolicy -M -C -o foo.cil foo.conf
This converts conf to cil and tests module_to_cil.c.
2. checkpolicy -M -C -b -o foo.cil foo.bin
This converts kernel binary to cil and tests kernel_to_cil.c
3. checkpolicy -M -F -b -o foo.conf foo.bin
This converts kernel binary to conf and tests kernel_to_conf.c
4. secil2conf -o foo.conf foo.cil
This converts cil to conf and tests cil_policy.c
I think that covers everything. It is complicated.
<snip>
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -46,6 +46,11 @@
#include "private.h"
#include "mls.h"
+#define glblub_version ((p->policy_type == POLICY_KERN && \
+ p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
+ (p->policy_type == POLICY_BASE && \
+ p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
+
struct policy_data {
struct policy_file *fp;
struct policydb *p;
@@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
buf[0] = cpu_to_le32(cladatum->default_user);
buf[1] = cpu_to_le32(cladatum->default_role);
+ if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
+ WARN(fp->handle,
+ "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
+ p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
+ p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
+ cladatum->default_range = 0;
+ }
buf[2] = cpu_to_le32(cladatum->default_range);
items = put_entry(buf, sizeof(uint32_t), 3, fp);
if (items != 3)
Everything else looks ok, but I haven't tested it yet.
Thanks. You can test using the test suite as well, I'm impressed that
adding a bunch of sensitivities to an mcs policy works as well as it
does!
--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
