[PATCH 0/5] selinux: add prefix/suffix matching to filename type transitions

Juraj Marcin <juraj@xxxxxxxxxxxxxxx> · Wed, 31 May 2023 13:29:23 +0200

Currently, filename transitions are stored separately from other type
enforcement rules and only support exact name matching. However, in
practice, the names contain variable parts. This leads to many
duplicated rules in the policy that differ only in the part of the name,
or it is even impossible to cover all possible combinations.

First, this series of patches moves the filename transitions to be part
of the avtab structures. This not only makes the implementation of
prefix/suffix matching and future enhancements easier, but also reduces
the technical debt regarding the filename transitions. Next, the last
patch implements the support for prefix/suffix name matching itself by
extending the structures added in previous patches in this series.

Even though, moving everything to avtab increases the memory usage and
the size of the binary policy itself and thus the loading time, the
ability to match the prefix or suffix of the name will reduce the
overall number of rules in the policy which should mitigate this issue.

This implementation has been successfully tested using the existing and
also new tests in the SELinux Testsuite.

Juraj Marcin (5):
  selinux: move transition to separate structure in avtab_datum
  selinux: move filename transitions to avtab
  selinux: implement new binary format for filename transitions in avtab
  selinux: filename transitions move tests
  selinux: add prefix/suffix matching support to filename type
    transitions

 security/selinux/Kconfig            |  17 +
 security/selinux/Makefile           |   2 +
 security/selinux/include/security.h |   4 +-
 security/selinux/ss/avtab.c         | 814 +++++++++++++++++++++++++++-
 security/selinux/ss/avtab.h         |  16 +-
 security/selinux/ss/avtab_test.c    | 745 +++++++++++++++++++++++++
 security/selinux/ss/conditional.c   |   6 +-
 security/selinux/ss/hashtab.h       |   6 +
 security/selinux/ss/policydb.c      | 421 +-------------
 security/selinux/ss/policydb.h      |  25 +-
 security/selinux/ss/services.c      |  80 ++-
 security/selinux/ss/symtab.c        |   3 +
 12 files changed, 1677 insertions(+), 462 deletions(-)
 create mode 100644 security/selinux/ss/avtab_test.c

-- 
2.40.0