Re: [RFC PATCH 1/3] libsepol: export initial SIDs


 



On Tue, Jun 7, 2022 at 3:02 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Export the initial SID name tables, so they can be used, for example, in checkpolicy.
>

We don't want to export the initial SID names. See commit 8677ce5e
"libsepol,checkpolicy: support omitting unused initial sid contexts"
and https://github.com/SELinuxProject/selinux-kernel/issues/12 for
more information. Eventually, we want to go to a dynamic discovery of
initial SIDs. The initial SID names are in kernel_to_common.h as a
hack because the name is not stored in the binary policy, but we don't
want to encourage more use.

Thanks,
Jim

> Add helper functions for name lookup.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
>  libsepol/include/sepol/policydb/initialsids.h | 89 +++++++++++++++++++
>  libsepol/include/sepol/policydb/policydb.h    |  2 +-
>  libsepol/src/kernel_to_cil.c                  |  1 +
>  libsepol/src/kernel_to_common.h               | 53 -----------
>  libsepol/src/kernel_to_conf.c                 |  1 +
>  libsepol/src/module_to_cil.c                  |  1 +
>  6 files changed, 93 insertions(+), 54 deletions(-)
>  create mode 100644 libsepol/include/sepol/policydb/initialsids.h
>
> diff --git a/libsepol/include/sepol/policydb/initialsids.h b/libsepol/include/sepol/policydb/initialsids.h
> new file mode 100644
> index 00000000..7b2fe021
> --- /dev/null
> +++ b/libsepol/include/sepol/policydb/initialsids.h
> @@ -0,0 +1,89 @@
> +#ifndef _SEPOL_POLICYDB_INITIALSIDS_H_
> +#define _SEPOL_POLICYDB_INITIALSIDS_H_
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +// initial sid names aren't actually stored in the pp files, need to a have
> +// a mapping, taken from the linux kernel
> +static const char * const selinux_sid_to_str[] = {
> +       "null",
> +       "kernel",
> +       "security",
> +       "unlabeled",
> +       "fs",
> +       "file",
> +       "file_labels",
> +       "init",
> +       "any_socket",
> +       "port",
> +       "netif",
> +       "netmsg",
> +       "node",
> +       "igmp_packet",
> +       "icmp_socket",
> +       "tcp_socket",
> +       "sysctl_modprobe",
> +       "sysctl",
> +       "sysctl_fs",
> +       "sysctl_kernel",
> +       "sysctl_net",
> +       "sysctl_net_unix",
> +       "sysctl_vm",
> +       "sysctl_dev",
> +       "kmod",
> +       "policy",
> +       "scmp_packet",
> +       "devnull",
> +};
> +
> +#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
> +
> +static inline unsigned int selinux_str_to_sid(const char *name)
> +{
> +       unsigned i;
> +
> +       for (i = 1; i < SELINUX_SID_SZ; i++) {
> +               if (strcmp(name, selinux_sid_to_str[i]) == 0)
> +                       return i;
> +       }
> +
> +       return 0;
> +}
> +
> +static const char * const xen_sid_to_str[] = {
> +       "null",
> +       "xen",
> +       "dom0",
> +       "domio",
> +       "domxen",
> +       "unlabeled",
> +       "security",
> +       "ioport",
> +       "iomem",
> +       "irq",
> +       "device",
> +       "domU",
> +       "domDM",
> +};
> +
> +#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
> +
> +static inline unsigned int xen_str_to_sid(const char *name)
> +{
> +       unsigned i;
> +
> +       for (i = 1; i < XEN_SID_SZ; i++) {
> +               if (strcmp(name, xen_sid_to_str[i]) == 0)
> +                       return i;
> +       }
> +
> +       return 0;
> +}
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif                         /* _SEPOL_POLICYDB_INITIALSIDS_H_ */
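Review bot: The new public header calls `strcmp()` in `selinux_str_to_sid` and `xen_str_to_sid` but never includes `<string.h>`, so a consumer that includes `<sepol/policydb/initialsids.h>` without having pulled in `<string.h>` first gets an implicit-declaration warning or error depending on the compiler; add `#include <string.h>` directly after the include guard. The return value is also ambiguous: both loops start at `i = 1`, so `0` is returned both for the skipped entry `"null"` and for an unknown name, and a caller cannot tell the two apart — either document it above each function, e.g. `/* Returns the initial SID index for name, or 0 if the name is unknown; "null" (index 0) is never matched. */`, or pick a distinct not-found sentinel. Neither function guards against a NULL `name`, which `strcmp` would dereference; a one-line `if (!name) return 0;` would make that contract explicit. Minor: the table comment `need to a have a mapping` should read `need to have a mapping`.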
> diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
> index de0068a6..2ce4da5d 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -340,7 +340,7 @@ typedef struct range_trans_rule {
>   */
>  typedef struct ocontext {
>         union {
> -               char *name;     /* name of initial SID, fs, netif, fstype, path */
> +               char *name;     /* name of initial SID (not saved in binary policy), fs, netif, fstype, path */
>                 struct {
>                         uint8_t protocol;
>                         uint16_t low_port;
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index 9128ac55..42251684 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -20,6 +20,7 @@
>  #include <sepol/policydb/avtab.h>
>  #include <sepol/policydb/conditional.h>
>  #include <sepol/policydb/hashtab.h>
> +#include <sepol/policydb/initialsids.h>
>  #include <sepol/policydb/polcaps.h>
>  #include <sepol/policydb/policydb.h>
>  #include <sepol/policydb/services.h>
> diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
> index 159c4289..5e8482bf 100644
> --- a/libsepol/src/kernel_to_common.h
> +++ b/libsepol/src/kernel_to_common.h
> @@ -10,59 +10,6 @@
>  #define DEFAULT_LEVEL "systemlow"
>  #define DEFAULT_OBJECT "object_r"
>
> -// initial sid names aren't actually stored in the pp files, need to a have
> -// a mapping, taken from the linux kernel
> -static const char * const selinux_sid_to_str[] = {
> -       "null",
> -       "kernel",
> -       "security",
> -       "unlabeled",
> -       "fs",
> -       "file",
> -       "file_labels",
> -       "init",
> -       "any_socket",
> -       "port",
> -       "netif",
> -       "netmsg",
> -       "node",
> -       "igmp_packet",
> -       "icmp_socket",
> -       "tcp_socket",
> -       "sysctl_modprobe",
> -       "sysctl",
> -       "sysctl_fs",
> -       "sysctl_kernel",
> -       "sysctl_net",
> -       "sysctl_net_unix",
> -       "sysctl_vm",
> -       "sysctl_dev",
> -       "kmod",
> -       "policy",
> -       "scmp_packet",
> -       "devnull",
> -};
> -
> -#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
> -
> -static const char * const xen_sid_to_str[] = {
> -       "null",
> -       "xen",
> -       "dom0",
> -       "domio",
> -       "domxen",
> -       "unlabeled",
> -       "security",
> -       "ioport",
> -       "iomem",
> -       "irq",
> -       "device",
> -       "domU",
> -       "domDM",
> -};
> -
> -#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
> -
>  static const uint32_t avtab_flavors[] = {
>         AVTAB_ALLOWED,
>         AVTAB_AUDITALLOW,
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index 63dffd9b..51a8270d 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -19,6 +19,7 @@
>  #include <sepol/policydb/avtab.h>
>  #include <sepol/policydb/conditional.h>
>  #include <sepol/policydb/hashtab.h>
> +#include <sepol/policydb/initialsids.h>
>  #include <sepol/policydb/polcaps.h>
>  #include <sepol/policydb/policydb.h>
>  #include <sepol/policydb/services.h>
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index b35bf055..1945b369 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -47,6 +47,7 @@
>  #include <sepol/module_to_cil.h>
>  #include <sepol/policydb/conditional.h>
>  #include <sepol/policydb/hashtab.h>
> +#include <sepol/policydb/initialsids.h>
>  #include <sepol/policydb/polcaps.h>
>  #include <sepol/policydb/policydb.h>
>  #include <sepol/policydb/services.h>
> --
> 2.36.1
>



