Re: [PATCH 7/8] checkpolicy, libsepol: add prefix/suffix support to module policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Jun 1, 2023 at 10:59 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Wed, May 31, 2023 at 7:51 AM Juraj Marcin <juraj@xxxxxxxxxxxxxxx> wrote:
> >
> > This patch extends the structures for module and base policy (avrule_t)
> > to support prefix/suffix transitions. In addition to this, it implements
> > the necessary changes to functions for reading and writing the binary
> > policy as well as parsing the policy conf.
> >
>
> I would like to see an example of the new syntax.
> Something like:
> type_transition ta tb : CLASS03 tc "file03" match_exact;
> type_transition ta tb : CLASS04 tc "file04" match_prefix;
> type_transition ta tb : CLASS05 tc "file05" match_suffix;
>
> > Reviewed-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > Signed-off-by: Juraj Marcin <juraj@xxxxxxxxxxxxxxx>
> > ---
> >  checkpolicy/policy_define.c                | 13 ++++---
> >  checkpolicy/policy_define.h                |  2 +-
> >  checkpolicy/policy_parse.y                 | 15 +++++---
> >  checkpolicy/policy_scan.l                  |  6 ++++
> >  checkpolicy/test/dismod.c                  | 14 ++++++++
> >  checkpolicy/test/dispol.c                  |  2 +-
> >  libsepol/cil/src/cil_binary.c              |  4 ++-
> >  libsepol/include/sepol/policydb/avtab.h    |  1 +
> >  libsepol/include/sepol/policydb/policydb.h | 13 ++++---
> >  libsepol/src/avtab.c                       | 30 ++++++++++++----
> >  libsepol/src/expand.c                      |  6 +++-
> >  libsepol/src/kernel_to_common.h            |  2 +-
> >  libsepol/src/link.c                        |  1 +
> >  libsepol/src/module_to_cil.c               | 25 +++++++++++---
> >  libsepol/src/policydb.c                    | 23 ++++++++++++-
> >  libsepol/src/write.c                       | 40 ++++++++++++++++------
> >  16 files changed, 154 insertions(+), 43 deletions(-)

<snip>

> > @@ -452,13 +453,19 @@ cond_dontaudit_def        : DONTAUDIT names names ':' names names ';'
> >                         ;
> >                         ;
> >  transition_def         : TYPE_TRANSITION  names names ':' names identifier filename ';'
> > -                       {if (define_compute_type(AVRULE_TRANSITION, 1)) return -1; }
> > +                       {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_EXACT)) return -1;}
> > +            | TYPE_TRANSITION names names ':' names identifier filename MATCH_EXACT ';'
> > +            {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_EXACT)) return -1;}
> > +            | TYPE_TRANSITION names names ':' names identifier filename MATCH_PREFIX ';'
> > +            {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_PREFIX)) return -1;}
> > +            | TYPE_TRANSITION names names ':' names identifier filename MATCH_SUFFIX ';'
> > +            {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_SUFFIX)) return -1;}
> >                         | TYPE_TRANSITION names names ':' names identifier ';'
> > -                        {if (define_compute_type(AVRULE_TRANSITION, 0)) return -1;}
> > +                        {if (define_compute_type(AVRULE_TRANSITION, 0, NAME_TRANS_MATCH_EXACT)) return -1;}
> >                          | TYPE_MEMBER names names ':' names identifier ';'
> > -                        {if (define_compute_type(AVRULE_MEMBER, 0)) return -1;}
> > +                        {if (define_compute_type(AVRULE_MEMBER, 0, NAME_TRANS_MATCH_EXACT)) return -1;}
> >                          | TYPE_CHANGE names names ':' names identifier ';'
> > -                        {if (define_compute_type(AVRULE_CHANGE, 0)) return -1;}
> > +                        {if (define_compute_type(AVRULE_CHANGE, 0, NAME_TRANS_MATCH_EXACT)) return -1;}
> >                         ;
> >  range_trans_def                : RANGE_TRANSITION names names mls_range_def ';'
> >                         { if (define_range_trans(0)) return -1; }
> > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> > index 9fefea7b..3f568701 100644
> > --- a/checkpolicy/policy_scan.l
> > +++ b/checkpolicy/policy_scan.l
> > @@ -125,6 +125,12 @@ EXPANDATTRIBUTE |
> >  expandattribute                 { return(EXPANDATTRIBUTE); }
> >  TYPE_TRANSITION |
> >  type_transition                        { return(TYPE_TRANSITION); }
> > +MATCH_EXACT |
> > +match_exact                    { return(MATCH_EXACT); }
> > +MATCH_PREFIX |
> > +match_prefix                   { return(MATCH_PREFIX); }
> > +MATCH_SUFFIX |
> > +match_suffix                   { return(MATCH_SUFFIX); }
>
> I would prefer just "exact", "prefix", and "suffix" without the
> "match_" prefix, but I can live with it if others think that the
> shorter keywords will cause problems.

I slightly prefer the "match_" in the keyword, since it makes the
semantic more clear when reading the policy (especially for people
that are only learning SELinux). But I guess in the case of "prefix"
and "suffix" it doesn't make as much difference as in the case of
"exact". Which leads me to the question whether we want to even add
the redundant "exact"/"match_exact" keyword as opposed to just leaving
the current syntax (which we need to keep either way for
compatibility). IIRC, when we discussed this with Juraj, we were not
sure which way to go, so we are open to dropping it if that's
preferred by others.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux