From: Stephen Smalley <sds@tycho.nsa.gov>
To: Paul Moore <paul@paul-moore.com>
Cc: selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>
Subject: Re: [RFC 01/10] selinux: introduce a selinux namespace
Date: Thu, 08 Feb 2018 10:02:42 -0500 [thread overview]
Message-ID: <1518102162.21656.46.camel@tycho.nsa.gov> (raw)
In-Reply-To: <CAHC9VhTt1GZeDuhacdMbF9J9q3xndqVO=k4UqQT6v_n_Cq3vrA@mail.gmail.com>
On Wed, 2018-02-07 at 14:56 -0500, Paul Moore wrote:
> On Wed, Feb 7, 2018 at 12:48 PM, Stephen Smalley <sds@tycho.nsa.gov>
> wrote:
> > On Tue, 2018-02-06 at 17:18 -0500, Paul Moore wrote:
>
> ...
>
> > > While I don't think we need to tackle this as part of the
> > > encapsulation work, this is another reminder that we should look
> > > into
> > > breaking the separation between the security server and the
> > > Linux/hooks code. I understand there were historical reasons for
> > > this
> > > split, but I think all of those reasons are now gone, and further
> > > I
> > > think enough Linux'isms have crept into the security server that
> > > the
> > > separation is no longer as meaningful as it may have been in the
> > > past.
> >
> > I think we want to retain some degree of encapsulation of the
> > policy
> > logic and data structures, which is what the security server is
> > supposed to provide. That allows us to evolve that logic and
> > structures without impacting the object label management and
> > permission
> > enforcement code. Separation of policy from mechanism. I don't
> > mind
> > nativizing the security server for Linux, and where appropriate,
> > allowing some optimization of the interfaces between it and the
> > rest of
> > the SELinux code, but I wouldn't want to e.g. directly expose the
> > policydb to the rest of the code. There has been some leakage of
> > policy awareness outside the security server in the past but I view
> > that as a mistake that ought to be corrected over time.
>
> I agree that a level of abstraction between the policydb code and the
> enforcement code is a good thing, but I think there are some
> boundaries between the hook code and the security server that we
> could
> do without. Once again, not really part of this work, just popped up
> in my head again while looking at these patches.
I wanted to clarify that point because it motivates keeping selinux_ss
as a separate struct from selinux_state (previously selinux_ns), and
not exposing the selinux_ss struct definition outside of the security
server. So the selinux_state struct would still be something like:
struct selinux_state {
bool disabled;
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
bool enforcing;
#endif
bool checkreqprot;
bool initialized;
bool policycap[__POLICYDB_CAPABILITY_MAX];
struct selinux_avc *avc;
struct selinux_ss *ss;
}
(dropping the reference count, work struct, and parent pointers that
were part of selinux_ns as being specific to the namespace work).
hooks.c would declare struct selinux_state selinux_state;.
ss/services.c would declare static struct selinux_ss selinux_ss; and
provide a selinux_ss_init() function (instead of selinux_ss_create)
that would set the ->ss field to &selinux_ss. Likewise for avc.c and
the selinux_avc. hooks.c:selinux_init() would call
selinux_ss_init(&selinux_state.ss) and
selinux_avc_init(&selinux_state.avc) to set those pointers to the
appropriate structures private to the ss and avc code. The _create and
_free functions would go away and none of the structures would be
dynamically allocated/freed.
This is in contrast to exposing the selinux_ss struct definition
outside the security server and directly embedding it in the
selinux_state, since that would require exposing the policydb and
sidtab structures as well (unless we were to make those opaque pointers
within the selinux_ss; currently the policydb and sidtab are directly
embedded within it). Likewise for the selinux_avc and its embedded
avc_cache structure.
Trying to make sure we're in agreement on the data structures before I
rewrite since I don't want to have to rewrite it twice ;)
next prev parent reply other threads:[~2018-02-08 15:02 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-02 15:58 [RFC 00/10] Introduce a SELinux namespace Stephen Smalley
2017-10-02 15:58 ` [RFC 01/10] selinux: introduce a selinux namespace Stephen Smalley
2018-02-06 22:18 ` Paul Moore
2018-02-07 16:17 ` Paul Moore
2018-02-07 17:48 ` Stephen Smalley
2018-02-07 19:56 ` Paul Moore
2018-02-08 15:02 ` Stephen Smalley [this message]
2018-02-08 21:41 ` Paul Moore
2017-10-02 15:58 ` [RFC 02/10] selinux: support multiple selinuxfs instances Stephen Smalley
2017-10-02 15:58 ` [RFC 03/10] selinux: move the AVC into the selinux namespace Stephen Smalley
2017-10-09 3:10 ` James Morris
2017-10-10 14:35 ` Stephen Smalley
2017-10-02 15:58 ` [RFC 04/10] netns, selinux: create the selinux netlink socket per network namespace Stephen Smalley
2017-10-05 5:47 ` Serge E. Hallyn
2017-10-05 14:06 ` Stephen Smalley
2017-10-05 14:11 ` Stephen Smalley
2017-10-29 3:16 ` Serge E. Hallyn
2017-10-06 1:07 ` James Morris
2017-10-06 13:21 ` Stephen Smalley
2017-10-06 19:24 ` Serge E. Hallyn
2017-10-10 14:35 ` Stephen Smalley
2017-10-02 15:58 ` [RFC 05/10] selinux: support per-task/cred selinux namespace Stephen Smalley
2017-10-06 1:14 ` James Morris
2017-10-06 19:25 ` Serge E. Hallyn
2017-10-08 22:08 ` James Morris
2017-10-02 15:58 ` [RFC 06/10] selinux: introduce cred_selinux_ns() and use it Stephen Smalley
2017-10-02 15:58 ` [RFC 07/10] selinux: support per-namespace inode security structures Stephen Smalley
2017-10-02 15:58 ` [RFC 08/10] selinux: support per-namespace superblock " Stephen Smalley
2017-10-02 15:58 ` [RFC 09/10] selinux: add a selinuxfs interface to unshare selinux namespace Stephen Smalley
2017-10-02 23:56 ` Casey Schaufler
2017-10-03 12:29 ` Stephen Smalley
2017-10-03 17:14 ` Casey Schaufler
2017-10-05 15:27 ` Stephen Smalley
2017-10-05 15:49 ` Stephen Smalley
2017-10-05 17:04 ` Stephen Smalley
2017-10-09 1:52 ` James Morris
[not found] ` <CAB9W1A2-PT8QU-md1s9fxhNg+Cv0C4Xu-i1w_q0XzQ+K9rsyAg@mail.gmail.com>
2017-10-09 13:53 ` Stephen Smalley
2017-10-09 23:04 ` James Morris
2017-10-02 15:58 ` [RFC 10/10] selinuxfs: restrict write operations to the same " Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518102162.21656.46.camel@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=jmorris@namei.org \
--cc=paul@paul-moore.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.