Hello,
Doing some post-processing of the SELinux policy (more about this some
other time), I noticed that permissions for class "dir" could be
tightened, for example "execmod" doesn't make a lot of sense for
directories. Perhaps there are even more useless permissions? Let's grep
for all use cases of permissions with DIR__ prefix:
$ git grep DIR__ -- :^drivers/ :^arch/
security/selinux/hooks.c: DIR__ADD_NAME |
DIR__SEARCH,
security/selinux/hooks.c: av = DIR__SEARCH;
security/selinux/hooks.c: av |= (kind ? DIR__REMOVE_NAME :
DIR__ADD_NAME);
security/selinux/hooks.c: av = DIR__RMDIR;
security/selinux/hooks.c: DIR__REMOVE_NAME |
DIR__SEARCH, &ad);
security/selinux/hooks.c:
old_isec->sclass, DIR__REPARENT, &ad);
security/selinux/hooks.c: av = DIR__ADD_NAME | DIR__SEARCH;
security/selinux/hooks.c: av |= DIR__REMOVE_NAME;
security/selinux/hooks.c: (new_is_dir ?
DIR__RMDIR : FILE__UNLINK), &ad);
security/selinux/hooks.c: av |= DIR__SEARCH;
security/selinux/hooks.c: av |= DIR__WRITE;
security/selinux/hooks.c: av |= DIR__READ;
So, no instances of for example DIR__IOCTL or DIR__OPEN can be seen. But
blindly removing all unreferenced DIR__ perms from policy is a big
mistake, which I learned the hard way as the system didn't work normally
anymore after installing such a filtered policy.
The reason for this is that in security/selinux/hooks.c, FILE__ perms
are used sometimes as DIR__ perms and "git grep" won't find them. While
semantically incorrect, the #defines for DIR__xyz are identical bitwise
to corresponding FILE__xyz and so either works.
Perhaps the situation could be improved:
1. Add a comment to security/selinux/hooks.c to alert readers that
FILE__ perms are sometimes used in place of DIR__ perms and why this is
in fact OK.
2. Add static asserts to verify the hard way that each DIR__abc #define
matches the corresponding FILE__abc #define. If one day this would no
longer be the case, the compiler would warn.
3. Add a new unified set of #defines, for example COMMON_INODE__xyz, to
document that the same perms are used for both files and directories.
4. Replace the semantically incorrect uses of FILE__ with something more
complex (but technically useless) like
if (S_ISDIR(xyz)
av = DIR__abc
else
av = FILE__abc
and since the values are identical bitwise, compilers could be expected
to eliminate the useless checks and branches.
Would patches be acceptable along some of these ideas?
Maybe the unused permissions could be even removed entirely with lots of
work and perhaps no real benefit.
-Topi
