On 1/27/20 3:55 PM, Stephen Smalley wrote:
Remove initial SIDs that have never been used or are no longer used by the kernel from its string table, which is also used to generate the SECINITSID_* symbols referenced in code. Update the code to gracefully handle the fact that these can now be NULL. Stop treating it as an error if a policy defines additional initial SIDs unknown to the kernel, or if the policy leaves one of the unused initial SIDs without a defined context. Fix the incorrect usage of the name from the ocontext in error messages when loading initial SIDs since these are not presently written to the kernel policy and are therefore always NULL.

This is a first step toward enabling future evolution of initial SIDs. Further changes are required to both userspace and the kernel to fully address https://github.com/SELinuxProject/selinux-kernel/issues/12 but this takes a small step toward that end.

NB Even with this change, one cannot yet add or remove initial SIDs in policy without breakage; separate changes to the policy compiler are still necessary. Further, fully decoupling the policy and kernel initial SID values will require a policy format/version change to include the SID names in the kernel policy so that they can be dynamically mapped at policy load.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Review welcome but do not merge (should have marked it RFC); I have a v2 in progress.
---
 scripts/selinux/genheaders/genheaders.c          | 11 +++-
 .../selinux/include/initial_sid_to_string.h      | 57 +++++++++----------
 security/selinux/selinuxfs.c                     |  6 +-
 security/selinux/ss/policydb.c                   | 28 ++++++---
 security/selinux/ss/services.c                   | 26 ++++-----
 5 files changed, 73 insertions(+), 55 deletions(-)
[...]
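The behaviour the commit message describes (a string table with NULL holes, a loader that tolerates initial SIDs the kernel does not know and unused SIDs without a context, and error messages that take the name from the kernel table rather than the ocontext) can be sketched in a few dozen lines. The code below is an added, constructed illustration and is not the patch's code or the kernel's: the table contents, the `policy_isid` struct, the `load_result` counters, and the functions `initial_sid_name()` and `load_initial_sids()` are all hypothetical stand-ins for the kernel's `initial_sid_to_string[]`, ocontext list and `policydb_load_isids()`/`services.c` logic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, illustrative initial-SID string table (not the kernel's).
 * Index = SID value, 1-based; entries retired from the kernel are NULL. */
static const char *const initial_sid_to_string[] = {
	NULL,          /* 0: reserved, not a SID */
	"kernel",      /* 1 */
	"security",    /* 2 */
	"unlabeled",   /* 3 */
	NULL,          /* 4: retired, never used by this kernel */
	"file",        /* 5 */
	NULL,          /* 6: retired */
	"devnull",     /* 7 */
};
#define SECINITSID_NUM \
	(sizeof(initial_sid_to_string) / sizeof(initial_sid_to_string[0]) - 1)

/* Name of a kernel initial SID, or NULL for a hole or an out-of-range value. */
const char *initial_sid_name(unsigned int sid)
{
	if (sid == 0 || sid > SECINITSID_NUM)
		return NULL;
	return initial_sid_to_string[sid];
}

/* Constructed stand-in for a policy's initial-SID ocontext list. */
struct policy_isid {
	unsigned int sid;   /* SID number as written by the policy compiler */
	int has_context;    /* 1 if the policy supplied a security context */
};

struct load_result {
	unsigned int loaded;           /* kernel-used SIDs given a context */
	unsigned int ignored_unknown;  /* SIDs this kernel does not know */
	unsigned int ignored_unused;   /* retired SIDs, with or without context */
	int rc;                        /* 0 on success, -1 (stand-in for -EINVAL) */
};

struct load_result load_initial_sids(const struct policy_isid *isids, size_t n)
{
	struct load_result r = { 0, 0, 0, 0 };
	unsigned char defined[SECINITSID_NUM + 1] = { 0 };

	for (size_t i = 0; i < n; i++) {
		unsigned int sid = isids[i].sid;

		if (sid == 0 || sid > SECINITSID_NUM) {
			/* Policy defines a SID this kernel does not know: tolerate it. */
			r.ignored_unknown++;
			continue;
		}
		if (!initial_sid_name(sid)) {
			/* Retired SID: a missing context here is not an error. */
			r.ignored_unused++;
			continue;
		}
		if (!isids[i].has_context) {
			/* Name comes from the kernel table, not the (NULL) ocontext name. */
			fprintf(stderr, "SELinux: initial SID %s has no context\n",
				initial_sid_name(sid));
			r.rc = -1;
			return r;
		}
		defined[sid] = 1;
		r.loaded++;
	}

	/* Every SID this kernel still uses must have been defined by the policy. */
	for (unsigned int sid = 1; sid <= SECINITSID_NUM; sid++) {
		if (initial_sid_name(sid) && !defined[sid]) {
			fprintf(stderr, "SELinux: initial SID %s was never defined\n",
				initial_sid_name(sid));
			r.rc = -1;
			return r;
		}
	}
	return r;
}
```

The two loops separate the two relaxations the commit message names from the check that is deliberately kept: an unknown or retired SID in the policy is skipped, but a SID the kernel still references must be present and must carry a context, and the diagnostic names it from the kernel's own table.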