[RFC][PATCH]

[RFC][PATCH]

[Jan-Benedict Glaw]

[-- Attachment #1: Type: text/plain, Size: 1644 bytes --]

Hi!

Please give me a comment on this patch. I'm currently tryin' to make the
HAL2 driver work (yes, I've got my Indy out of the edge again and I'm
going to use it as my desktop machine).

It fixes a compilation problem on dmabuf.c. There, DMA_AUTOINIT isn't
defined. As ./include/asm-mips/dma.h looks like the asm-i386 file in
general, I've copied the #define from the i386 port (and reformated the
passus...).

If you think it'o okay, please apply it (and drop me a note:-p)

MfG, JBG



Index: include/asm-mips/dma.h
===================================================================
RCS file: /cvs/linux/include/asm-mips/dma.h,v
retrieving revision 1.8
diff -u -r1.8 dma.h
--- include/asm-mips/dma.h	2001/09/06 13:12:02	1.8
+++ include/asm-mips/dma.h	2002/06/29 18:23:37
@@ -138,10 +138,11 @@
 #define DMA_PAGE_6              0x89
 #define DMA_PAGE_7              0x8A
 
-#define DMA_MODE_READ	0x44	/* I/O to memory, no autoinit, increment, single mode */
-#define DMA_MODE_WRITE	0x48	/* memory to I/O, no autoinit, increment, single mode */
-#define DMA_MODE_CASCADE 0xC0   /* pass thru DREQ->HRQ, DACK<-HLDA only */
+#define DMA_MODE_READ		0x44	/* I/O to memory, no autoinit, increment, single mode */
+#define DMA_MODE_WRITE		0x48	/* memory to I/O, no autoinit, increment, single mode */
+#define DMA_MODE_CASCADE	0xC0	/* pass thru DREQ->HRQ, DACK<-HLDA only */
 
+#define DMA_AUTOINIT		0x10
 
 extern spinlock_t  dma_spin_lock;
 


-- 
Jan-Benedict Glaw   .   jbglaw@lug-owl.de   .   +49-172-7608481
	 -- New APT-Proxy written in shell script --
	   http://lug-owl.de/~jbglaw/software/ap2/

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [RFC][PATCH]

[Ralf Baechle]

On Sat, Jun 29, 2002 at 08:41:29PM +0200, Jan-Benedict Glaw wrote:

> Please give me a comment on this patch. I'm currently tryin' to make the
> HAL2 driver work (yes, I've got my Indy out of the edge again and I'm
> going to use it as my desktop machine).
> 
> It fixes a compilation problem on dmabuf.c. There, DMA_AUTOINIT isn't
> defined. As ./include/asm-mips/dma.h looks like the asm-i386 file in
> general, I've copied the #define from the i386 port (and reformated the
> passus...).
> 
> If you think it'o okay, please apply it (and drop me a note:-p)

Sort of the right thing - why the heck does the Indy sound code have to
rely on code for the that antique PC DMA controller ...

  Ralf

Re: [RFC][PATCH]

[Jan-Benedict Glaw]

[-- Attachment #1: Type: text/plain, Size: 1518 bytes --]

On Sun, 2002-06-30 14:42:38 +0200, Ralf Baechle <ralf@oss.sgi.com>
wrote in message <20020630144238.A342@dea.linux-mips.net>:
> On Sat, Jun 29, 2002 at 08:41:29PM +0200, Jan-Benedict Glaw wrote:
> > Please give me a comment on this patch. I'm currently tryin' to make the
> > HAL2 driver work (yes, I've got my Indy out of the edge again and I'm
> > going to use it as my desktop machine).
> > 
> > It fixes a compilation problem on dmabuf.c. There, DMA_AUTOINIT isn't
> > defined. As ./include/asm-mips/dma.h looks like the asm-i386 file in
> > general, I've copied the #define from the i386 port (and reformated the
> > passus...).
> > 
> > If you think it'o okay, please apply it (and drop me a note:-p)
> 
> Sort of the right thing - why the heck does the Indy sound code have to
> rely on code for the that antique PC DMA controller ...

Well, OSS has some 'soundbase.o', in which dmabuf.o is linked into.
Possibly which code path is not used at all on Indy, but the #define has
to be there... So there's no real answer, but running 2.4.16 (from
Debian installer) and 'insmod -f'ing the just compiled 2.4.19-rc1 hal2.o
into that kernel ends up in useable sound. So this is some working way
of doing sound.

Btw., I think I'll have a deeper look at hal2.o - the smallest load lets
sound proceed in snail mode:-(

MfG, JBG

-- 
Jan-Benedict Glaw   .   jbglaw@lug-owl.de   .   +49-172-7608481
	 -- New APT-Proxy written in shell script --
	   http://lug-owl.de/~jbglaw/software/ap2/

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [RFC][PATCH]

[Ladislav Michl]

On Sun, Jun 30, 2002 at 03:20:20PM +0200, Jan-Benedict Glaw wrote:
> On Sun, 2002-06-30 14:42:38 +0200, Ralf Baechle <ralf@oss.sgi.com>
> wrote in message <20020630144238.A342@dea.linux-mips.net>:
> > On Sat, Jun 29, 2002 at 08:41:29PM +0200, Jan-Benedict Glaw wrote:
> > > Please give me a comment on this patch. I'm currently tryin' to make the
> > > HAL2 driver work (yes, I've got my Indy out of the edge again and I'm
> > > going to use it as my desktop machine).
> > > 
> > > It fixes a compilation problem on dmabuf.c. There, DMA_AUTOINIT isn't
> > > defined. As ./include/asm-mips/dma.h looks like the asm-i386 file in
> > > general, I've copied the #define from the i386 port (and reformated the
> > > passus...).
> > > 
> > > If you think it'o okay, please apply it (and drop me a note:-p)
> > 
> > Sort of the right thing - why the heck does the Indy sound code have to
> > rely on code for the that antique PC DMA controller ...
> 
> Well, OSS has some 'soundbase.o', in which dmabuf.o is linked into.

you need soundcore.o and hal2.o only.

> Possibly which code path is not used at all on Indy, but the #define has
> to be there... So there's no real answer, but running 2.4.16 (from

the real answer is that you are trying to build support for OSS drivers,
which has definitely nothing to do with HAL2 driver. disable it.

> Debian installer) and 'insmod -f'ing the just compiled 2.4.19-rc1 hal2.o
> into that kernel ends up in useable sound. So this is some working way
> of doing sound.
> 
> Btw., I think I'll have a deeper look at hal2.o - the smallest load lets
> sound proceed in snail mode:-(

can you describe it better? (it has always worked for me ;-))

	ladis

[RFC] [PATCH]

[Darrel Goeddel]

Hello,

This patch provides the selinux "backend" for the audit system to perform
filtering based on the process context.  Dustin Kirkland has previously
a portion of this functionality here:

http://www.redhat.com/archives/linux-audit/2006-February/msg00004.html

This interfaces included in this patch will allow selinux to perform more
efficient matches based on lower level constructs within the selinux module,
rather than relying on string comparisons.  It also allows for dominance checks
on the mls portion of the contexts that are impossible with only string
comparisons.  Dustin's previous patch will be modified to take advantage of
the new interface.

This is still a work in progress (I'm guessing that the conversion of Dustin's
earlier work will point out some improvements to these interfaces).  I also
need to check the context of memory allocations.

I'm only allow == and != for type, role, and user because they seemed to be
the only ones that make sense, is that OK, or should I take them all even
though they may not do anything useful?  Does the general approach seem acceptable?

The patch is against Al Viro's audit tree:
http://www.kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary


diff --git a/include/linux/audit.h b/include/linux/audit.h
index 4bb4b9f..dd4f759 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -140,6 +140,11 @@
 #define AUDIT_PERS	10
 #define AUDIT_ARCH	11
 #define AUDIT_MSGTYPE	12
+#define AUDIT_SE_USER	13	/* security label user */
+#define AUDIT_SE_ROLE	14	/* security label role */
+#define AUDIT_SE_TYPE	15	/* security label type */
+#define AUDIT_SE_SEN	16	/* security label sensitivity label */
+#define AUDIT_SE_CLR	17	/* security label clearance label */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/include/linux/selinux.h b/include/linux/selinux.h
new file mode 100644
index 0000000..5a402a5
--- /dev/null
+++ b/include/linux/selinux.h
@@ -0,0 +1,83 @@
+/*
+ * SELinux services exported to the rest of the kernel.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ * Copyright (C) 2006 Trusted Computer Solutions <dgoeddel@trustedcs.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#ifndef _LINUX_SELINUX_H
+#define _LINUX_SELINUX_H
+
+#ifdef CONFIG_SECURITY_SELINUX
+
+/**
+ *	selinux_audit_rule_init - alloc/init an selinux audit rule structure.
+ *	@field: the field this rule refers to
+ *	@op: the operater the rule uses
+ *	@rulestr: the text "target" of the rule
+ *	@rule: address of the rule structure pointer to be returned
+ *
+ *	Returns 0 if successful, -errno if not.  On success, the rule structure
+ *	will be allocated internally.  The caller must free this structure with
+ *	selinux_audit_rule_free() after use.
+ */
+int selinux_audit_rule_init(u32 field, u32 op, const char *rulestr,
+                            void **rule);
+
+/**
+ *	selinux_audit_rule_free - free an selinux audit rule structure.
+ *	@rule: address of the seliux_audit_rule structure to be freed
+ *
+ *	This will free all memory associated with the given rule.
+ */
+void selinux_audit_rule_free(void *rule);
+
+/**
+ *	selinux_audit_rule_match - determine if a context ID matches a rule.
+ *	@ctxid: the context ID to check
+ *	@rule: the audit rule created by selinux_audit_rule_init()
+ *
+ *	Returns 1 if the context id matches the rule, 0 if it does not, and
+ *	-errno on failure.
+ */
+int selinux_audit_rule_match(u32 ctxid, void *rule);
+
+/**
+ *	selinux_task_getsecid - retrieve the context ID of a process.
+ *	@tsk: the task_struct of the process we are interested in
+ *
+ *	Returns the context ID of the process.
+ */
+
+int selinux_task_getsecid(struct task_struct *tsk);
+
+#else
+
+int selinux_audit_rule_init(u32 field, u32 op, const char *rulestr, void **rule)
+{
+	return -ENOTSUPP;
+}
+
+void selinux_audit_rule_free(void *rule)
+{
+	return;
+}
+
+int selinux_audit_rule_match(u32 ctxid, void *rule)
+{
+	return 0;
+}
+
+int selinux_task_getsecid(struct task_struct *tsk)
+{
+	return 0;
+}
+
+#endif	/* CONFIG_SECURITY_SELINUX */
+
+#endif /* _LINUX_SELINUX_H */
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index 688c0a2..faf2e02 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -4,7 +4,7 @@
 
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
 
-selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o
+selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o exports.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
diff --git a/security/selinux/exports.c b/security/selinux/exports.c
new file mode 100644
index 0000000..a44e301
--- /dev/null
+++ b/security/selinux/exports.c
@@ -0,0 +1,44 @@
+/*
+ * SELinux services exported to the rest of the kernel.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/selinux.h>
+
+#include "security.h"
+#include "objsec.h"
+
+int selinux_audit_rule_init(u32 field, u32 op, const char *rulestr, void **rule)
+{
+	return security_aurule_init(field, op, rulestr, rule);
+}
+
+void selinux_audit_rule_free(void *rule)
+{
+	return security_aurule_free(rule);
+}
+
+int selinux_audit_rule_match(u32 ctxid, void *rule)
+{
+	return security_aurule_match(ctxid, rule);
+}
+
+int selinux_task_getsecid(struct task_struct *tsk)
+{
+	struct task_security_struct *tsec = tsk->security;
+	return tsec->sid;
+}
+
+EXPORT_SYMBOL_GPL(selinux_audit_rule_init);
+EXPORT_SYMBOL_GPL(selinux_audit_rule_free);
+EXPORT_SYMBOL_GPL(selinux_audit_rule_match);
+EXPORT_SYMBOL_GPL(selinux_task_getsecid);
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 5f016c9..bfea536 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -96,5 +96,9 @@ int security_fs_use(const char *fstype, 
 int security_genfs_sid(const char *fstype, char *name, u16 sclass,
 	u32 *sid);
 
+int security_aurule_init(u32 field, u32 op, const char *rulestr, void **rule);
+void security_aurule_free(void *rule);
+int security_aurule_match(u32 ctxid, void *rule);
+
 #endif /* _SELINUX_SECURITY_H_ */
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index d877cd1..480df81 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1810,3 +1810,250 @@ out:
 	POLICY_RDUNLOCK;
 	return rc;
 }
+
+struct selinux_audit_rule {
+	u32 au_skip;
+	u32 au_op;
+	u32 au_field;
+	u32 au_seqno;
+	struct context au_ctxt;
+	char *au_str;
+};
+
+/* needs policy read lock held */
+static void aurule_init_context(struct selinux_audit_rule *aurule)
+{
+	struct role_datum *roledatum;
+	struct type_datum *typedatum;
+	struct user_datum *userdatum;
+	char *tmpstr;
+	int rc = 0;
+
+	switch (aurule->au_field) {
+	case AUDIT_SE_USER:
+		userdatum = hashtab_search(policydb.p_users.table,
+		                           aurule->au_str);
+		if (!userdatum)
+			rc = -EINVAL;
+		else
+			aurule->au_ctxt.user = userdatum->value;
+		break;
+	case AUDIT_SE_ROLE:
+		roledatum = hashtab_search(policydb.p_roles.table,
+		                           aurule->au_str);
+		if (!roledatum)
+			rc = -EINVAL;
+		else
+			aurule->au_ctxt.role = roledatum->value;
+		break;
+	case AUDIT_SE_TYPE:
+		typedatum = hashtab_search(policydb.p_types.table,
+		                           aurule->au_str);
+		if (!typedatum)
+			rc = -EINVAL;
+		else
+			aurule->au_ctxt.type = typedatum->value;
+		break;
+	case AUDIT_SE_SEN:
+	case AUDIT_SE_CLR:
+		/* TODO:figure out proper allocation below */
+		tmpstr = kstrdup(aurule->au_str, GFP_KERNEL);
+		rc = mls_context_to_sid(':', &tmpstr, &aurule->au_ctxt, NULL,
+		                        SECSID_NULL);
+		kfree(tmpstr);
+		break;
+	default:
+		rc = -EINVAL;
+		break;
+	}
+
+	if (rc) {
+		aurule->au_skip = 1;
+		context_destroy(&aurule->au_ctxt);
+	} else {
+		/* we merely flags this rule to not be processed - the role,
+		   user, type, or level of the rule may not be valid now, but
+		   may be after a future policy reload. */
+		aurule->au_skip = 0;
+	}
+
+	return;
+}
+
+int security_aurule_init(u32 field, u32 op, const char *rulestr, void **rule)
+{
+	struct selinux_audit_rule *tmprule;
+
+	*rule = NULL;
+
+	switch (field) {
+	case AUDIT_SE_USER:
+	case AUDIT_SE_ROLE:
+	case AUDIT_SE_TYPE:
+		/* only 'equals' and 'not equals' make sense */
+		if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
+			return -EINVAL;
+	case AUDIT_SE_SEN:
+	case AUDIT_SE_CLR:
+		/* we do not allow a range, indicated by '-' */
+		if (strchr(rulestr, '-'))
+			return -EINVAL;
+	}
+
+	/* TODO:figure out proper allocations below */
+	tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
+	if (!tmprule)
+		return -ENOMEM;
+	tmprule->au_str = kstrdup(rulestr, GFP_KERNEL);
+	if (!tmprule->au_str) {
+		kfree(tmprule);
+		return -ENOMEM;
+	}
+	tmprule->au_op = op;
+	tmprule->au_field = field;
+	context_init(&tmprule->au_ctxt);
+
+	if (!ss_initialized) {
+		tmprule->au_seqno = latest_granting;
+		tmprule->au_skip = 1;
+		*rule = tmprule;
+		return 0;
+	}
+
+	POLICY_RDLOCK;
+
+	tmprule->au_seqno = latest_granting;
+	aurule_init_context(tmprule);
+
+	POLICY_RDUNLOCK;
+
+	*rule = tmprule;
+
+	return 0;
+}
+
+void security_aurule_free(void *rule)
+{
+	struct selinux_audit_rule *aurule = rule;
+
+	kfree(aurule->au_str);
+	context_destroy(&aurule->au_ctxt);
+	kfree(aurule);
+}
+
+int security_aurule_match(u32 ctxid, void *rule)
+{
+	struct selinux_audit_rule *aurule = rule;
+	struct context *ctxt;
+	struct mls_level *level;
+	int match = 0;
+
+	if (!rule || !ss_initialized)
+		return 0;
+
+	POLICY_RDLOCK;
+
+	if (aurule->au_seqno < latest_granting) {
+		context_destroy(&aurule->au_ctxt);
+		aurule->au_seqno = latest_granting;
+		aurule_init_context(aurule);
+	}
+
+	if (aurule->au_skip)
+		goto out;
+
+	ctxt = sidtab_search(&sidtab, ctxid);
+	if (!ctxt) {
+		/* TODO: what to do? */
+		printk(KERN_ERR "security_aurule_match: unrecognized SID %d\n",
+		       ctxid);
+		match = -EINVAL;
+		goto out;
+	}
+
+	switch (aurule->au_field) {
+	case AUDIT_SE_USER:
+		switch (aurule->au_op) {
+		case AUDIT_EQUAL:
+			match = (ctxt->user == aurule->au_ctxt.user);
+			break;
+		case AUDIT_NOT_EQUAL:
+			match = (ctxt->user != aurule->au_ctxt.user);
+			break;
+		default:
+			match = -EINVAL;
+			break;
+		}
+		break;
+	case AUDIT_SE_ROLE:
+		switch (aurule->au_op) {
+		case AUDIT_EQUAL:
+			match = (ctxt->role == aurule->au_ctxt.role);
+			break;
+		case AUDIT_NOT_EQUAL:
+			match = (ctxt->role != aurule->au_ctxt.role);
+			break;
+		default:
+			match = -EINVAL;
+			break;
+		}
+		break;
+	case AUDIT_SE_TYPE:
+		switch (aurule->au_op) {
+		case AUDIT_EQUAL:
+			match = (ctxt->type == aurule->au_ctxt.type);
+			break;
+		case AUDIT_NOT_EQUAL:
+			match = (ctxt->type != aurule->au_ctxt.type);
+			break;
+		default:
+			match = -EINVAL;
+			break;
+		}
+		break;
+	case AUDIT_SE_SEN:
+	case AUDIT_SE_CLR:
+		level = (aurule->au_op == AUDIT_SE_SEN ?
+		         &ctxt->range.level[0] : &ctxt->range.level[1]);
+		switch (aurule->au_op) {
+		case AUDIT_EQUAL:
+			match = mls_level_eq(&aurule->au_ctxt.range.level[0],
+			                     level);
+			break;
+		case AUDIT_NOT_EQUAL:
+			match = !mls_level_eq(&aurule->au_ctxt.range.level[0],
+			                      level);
+			break;
+		case AUDIT_LESS_THAN:
+			match = mls_level_dom(&aurule->au_ctxt.range.level[0],
+			                      level);
+			break;
+		case AUDIT_LESS_THAN_OR_EQUAL:
+			match = (mls_level_eq(&aurule->au_ctxt.range.level[0],
+			                      level) ||
+			         mls_level_dom(&aurule->au_ctxt.range.level[0],
+			                       level));
+			break;
+		case AUDIT_GREATER_THAN:
+			match = mls_level_dom(level,
+			                      &aurule->au_ctxt.range.level[0]);
+			break;
+		case AUDIT_GREATER_THAN_OR_EQUAL:
+			match = (mls_level_eq(&aurule->au_ctxt.range.level[0],
+			                      level) ||
+			         mls_level_dom(level,
+			                      &aurule->au_ctxt.range.level[0]));
+			break;
+		default:
+			match = -EINVAL;
+			break;
+		}
+	default:
+		match = -EINVAL;
+		break;
+	}
+
+out:
+	POLICY_RDUNLOCK;
+	return match;
+}

-- 

Darrel

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] [PATCH]

[Stephen Smalley]

On Thu, 2006-02-16 at 09:19 -0600, Darrel Goeddel wrote:
> This is still a work in progress (I'm guessing that the conversion of Dustin's
> earlier work will point out some improvements to these interfaces).  I also
> need to check the context of memory allocations.

Needs to be GFP_ATOMIC when the policy rdlock is held.

> I'm only allow == and != for type, role, and user because they seemed to be
> the only ones that make sense, is that OK, or should I take them all even
> though they may not do anything useful?  Does the general approach seem acceptable?

Role dominance is another possibility, although I don't know if it would
be used in practice.  Did you consider trying to leverage or factor
common code with constraint_expr_eval?

> +int selinux_audit_rule_init(u32 field, u32 op, const char *rulestr,
> +                            void **rule);

We could alternatively define an opaque struct type for the rule, and
just keep the definition private to SELinux.  That allows proper type
checking in the audit code when they are passed around and stored.

> +int selinux_task_getsecid(struct task_struct *tsk);

SID is an unsigned 32-bit quantity, but you return a signed int.  And
typically it seems that it is preferred to return-by-argument and leave
the return value as either an integer error status (0 or -errno) or void
if no errors are possible.

> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index d877cd1..480df81 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1810,3 +1810,250 @@ out:
>  	POLICY_RDUNLOCK;
>  	return rc;
>  }
> +
> +struct selinux_audit_rule {
> +	u32 au_skip;

Not sure I understand when skipped rules get re-processed.

> +static void aurule_init_context(struct selinux_audit_rule *aurule)
<snip>
> +	if (rc) {
> +		aurule->au_skip = 1;
> +		context_destroy(&aurule->au_ctxt);
> +	} else {
> +		/* we merely flags this rule to not be processed - the role,
> +		   user, type, or level of the rule may not be valid now, but
> +		   may be after a future policy reload. */
> +		aurule->au_skip = 0;
> +	}

Hmm..seems like you'd want an error status returned all the way to
userspace (auditctl) so that the user knows it isn't active.

> +	if (!ss_initialized) {
> +		tmprule->au_seqno = latest_granting;
> +		tmprule->au_skip = 1;
> +		*rule = tmprule;
> +		return 0;
> +	}

I think we should just reject audit filters on contexts until policy is
loaded, and not try to defer them.

> +int security_aurule_match(u32 ctxid, void *rule)
> +{
<snip>
> +	POLICY_RDLOCK;
> +
> +	if (aurule->au_seqno < latest_granting) {
> +		context_destroy(&aurule->au_ctxt);
> +		aurule->au_seqno = latest_granting;
> +		aurule_init_context(aurule);
> +	}

Interesting approach; I was expecting to have the audit system register
an AVC callback for reloads (similar to netif table) and initiate the
re-processing of its audit rules at that time.  And simply fail on
filters with stale seqnos if there happened to be an interleaving with
the policy reload.  I suppose that this is more robust.

> +	if (aurule->au_skip)
> +		goto out;

Ok, but when does the skip flag ever get cleared?

> +	ctxt = sidtab_search(&sidtab, ctxid);
> +	if (!ctxt) {
> +		/* TODO: what to do? */
> +		printk(KERN_ERR "security_aurule_match: unrecognized SID %d\n",
> +		       ctxid);
> +		match = -EINVAL;
> +		goto out;
> +	}

Unlikely since sidtab_search remaps invalid SIDs to unlabeled to deal
with invalidated SIDs due to reloads.

> +		case AUDIT_LESS_THAN_OR_EQUAL:
> +			match = (mls_level_eq(&aurule->au_ctxt.range.level[0],
> +			                      level) ||
> +			         mls_level_dom(&aurule->au_ctxt.range.level[0],
> +			                       level));
> +			break;

Isn't checking both redundant?  Did you mean to force !mls_level_eq in
the LESS_THAN case?

> +		case AUDIT_GREATER_THAN:
> +			match = mls_level_dom(level,
> +			                      &aurule->au_ctxt.range.level[0]);
> +			break;
> +		case AUDIT_GREATER_THAN_OR_EQUAL:
> +			match = (mls_level_eq(&aurule->au_ctxt.range.level[0],
> +			                      level) ||
> +			         mls_level_dom(level,
> +			                      &aurule->au_ctxt.range.level[0]));
> +			break;

Ditto.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] [PATCH]

[Darrel Goeddel]

Stephen Smalley wrote:
> On Thu, 2006-02-16 at 09:19 -0600, Darrel Goeddel wrote:
> 
>>This is still a work in progress (I'm guessing that the conversion of Dustin's
>>earlier work will point out some improvements to these interfaces).  I also
>>need to check the context of memory allocations.
> 
> 
> Needs to be GFP_ATOMIC when the policy rdlock is held.

Thanks.  Now I have to figure out how to propogate ENOMEM...

> 
>>I'm only allow == and != for type, role, and user because they seemed to be
>>the only ones that make sense, is that OK, or should I take them all even
>>though they may not do anything useful?  Does the general approach seem acceptable?
> 
> 
> Role dominance is another possibility, although I don't know if it would
> be used in practice.  Did you consider trying to leverage or factor
> common code with constraint_expr_eval?

True on role dominance.  No on constraint_expr_eval - I'll give it a look.

> 
>>+int selinux_audit_rule_init(u32 field, u32 op, const char *rulestr,
>>+                            void **rule);
> 
> 
> We could alternatively define an opaque struct type for the rule, and
> just keep the definition private to SELinux.  That allows proper type
> checking in the audit code when they are passed around and stored.
> 
> 
>>+int selinux_task_getsecid(struct task_struct *tsk);
> 
> 
> SID is an unsigned 32-bit quantity, but you return a signed int.  And
> typically it seems that it is preferred to return-by-argument and leave
> the return value as either an integer error status (0 or -errno) or void
> if no errors are possible.

I'll change to:

void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid)

Thats in-line with James' selinux_sk_ctxid

> 
>>diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
>>index d877cd1..480df81 100644
>>--- a/security/selinux/ss/services.c
>>+++ b/security/selinux/ss/services.c
>>@@ -1810,3 +1810,250 @@ out:
>> 	POLICY_RDUNLOCK;
>> 	return rc;
>> }
>>+
>>+struct selinux_audit_rule {
>>+	u32 au_skip;
> 
> 
> Not sure I understand when skipped rules get re-processed.

I'll add some comments for that.  A rule will get reprocessed when a new
policy is loaded (triggered by the seqno check in security_aurule_match).
That will then reset the au_skip field appropriately.  The idea behind this
is to allow a rule to be present for a type, role, etc. that does not exist
in the current policy, but they are never processed.  If the item is included
in a policy that is loaded later, the rule will be setup completely and
activated (au_skip = 0).  Conversely, if an item disappears, the rule is
just inactivated.

This give the same behavior as the other audit rule fields.  For example, a
rule can be there for a uid that is not used on the system and it will simply
never match.  If that uid is later used on the system, the rule will then be
used.  Same goes for inums that aren't used and probably most other fields...

> 
>>+static void aurule_init_context(struct selinux_audit_rule *aurule)
> 
> <snip>
> 
>>+	if (rc) {
>>+		aurule->au_skip = 1;
>>+		context_destroy(&aurule->au_ctxt);
>>+	} else {
>>+		/* we merely flags this rule to not be processed - the role,
>>+		   user, type, or level of the rule may not be valid now, but
>>+		   may be after a future policy reload. */
>>+		aurule->au_skip = 0;
>>+	}
> 
> 
> Hmm..seems like you'd want an error status returned all the way to
> userspace (auditctl) so that the user knows it isn't active.

The above comment hopefully explains my thinking on this one.  Steve Grubb had
the same question and seemed to buy into my explanation.

> 
>>+	if (!ss_initialized) {
>>+		tmprule->au_seqno = latest_granting;
>>+		tmprule->au_skip = 1;
>>+		*rule = tmprule;
>>+		return 0;
>>+	}
> 
> 
> I think we should just reject audit filters on contexts until policy is
> loaded, and not try to defer them.

True.  My previous "testing" did add rules before policy load with an __initcall in
the audit module - but I somehow don't think that will be standard practice...

> 
>>+int security_aurule_match(u32 ctxid, void *rule)
>>+{
> 
> <snip>
> 
>>+	POLICY_RDLOCK;
>>+
>>+	if (aurule->au_seqno < latest_granting) {
>>+		context_destroy(&aurule->au_ctxt);
>>+		aurule->au_seqno = latest_granting;
>>+		aurule_init_context(aurule);
>>+	}
> 
> 
> Interesting approach; I was expecting to have the audit system register
> an AVC callback for reloads (similar to netif table) and initiate the
> re-processing of its audit rules at that time.  And simply fail on
> filters with stale seqnos if there happened to be an interleaving with
> the policy reload.  I suppose that this is more robust.

I was hoping you'd agree on this one.  This idea seemed much simpler to me and
I think it avoids quite a bit of extra code for the rule rebuilding.

> 
>>+	if (aurule->au_skip)
>>+		goto out;
> 
> 
> Ok, but when does the skip flag ever get cleared?

See above comment on rule re-processing.

>>+	ctxt = sidtab_search(&sidtab, ctxid);
>>+	if (!ctxt) {
>>+		/* TODO: what to do? */
>>+		printk(KERN_ERR "security_aurule_match: unrecognized SID %d\n",
>>+		       ctxid);
>>+		match = -EINVAL;
>>+		goto out;
>>+	}
> 
> 
> Unlikely since sidtab_search remaps invalid SIDs to unlabeled to deal
> with invalidated SIDs due to reloads.

True.  I'm thinking this is a pretty bad one since it really shouldn't happen.
I'll have to see how the user intends to handle the return of this function
before a final patch will be ready.

> 
>>+		case AUDIT_LESS_THAN_OR_EQUAL:
>>+			match = (mls_level_eq(&aurule->au_ctxt.range.level[0],
>>+			                      level) ||
>>+			         mls_level_dom(&aurule->au_ctxt.range.level[0],
>>+			                       level));
>>+			break;
> 
> 
> Isn't checking both redundant?  Did you mean to force !mls_level_eq in
> the LESS_THAN case?
> 
> 
>>+		case AUDIT_GREATER_THAN:
>>+			match = mls_level_dom(level,
>>+			                      &aurule->au_ctxt.range.level[0]);
>>+			break;
>>+		case AUDIT_GREATER_THAN_OR_EQUAL:
>>+			match = (mls_level_eq(&aurule->au_ctxt.range.level[0],
>>+			                      level) ||
>>+			         mls_level_dom(level,
>>+			                      &aurule->au_ctxt.range.level[0]));
>>+			break;
> 
> 
> Ditto.

Yep to both.  I was thinking of the old mls_level_realtion function that would return
EQ before DOM...  You think I'd know better on that one ;)

Thanks for the feedback.  Next version will incorporate the changes.

-- 

Darrel

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] [PATCH]

[Stephen Smalley]

On Thu, 2006-02-16 at 14:09 -0600, Darrel Goeddel wrote:
> True on role dominance.  No on constraint_expr_eval - I'll give it a look.

Note that we'd still want separate audit representation (so that we
don't expose the constraint representation directly to audit), but could
convert it to constraint form during rule setup and then just feed it to
constraint_expr_eval or some common helper.

> I'll add some comments for that.  A rule will get reprocessed when a new
> policy is loaded (triggered by the seqno check in security_aurule_match).
> That will then reset the au_skip field appropriately.  The idea behind this
> is to allow a rule to be present for a type, role, etc. that does not exist
> in the current policy, but they are never processed.  If the item is included
> in a policy that is loaded later, the rule will be setup completely and
> activated (au_skip = 0).  Conversely, if an item disappears, the rule is
> just inactivated.
> 
> This give the same behavior as the other audit rule fields.  For example, a
> rule can be there for a uid that is not used on the system and it will simply
> never match.  If that uid is later used on the system, the rule will then be
> used.  Same goes for inums that aren't used and probably most other fields...

True, but seems prone to error, e.g. user typo on a name or user using
an obsolete name never knows he made a mistake.  Unless auditctl itself
does validity checking, which requires it to interact with
libsemanage/libsepol.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] [PATCH]

[Darrel Goeddel]

Stephen Smalley wrote:
> On Thu, 2006-02-16 at 14:09 -0600, Darrel Goeddel wrote:
> 
>>True on role dominance.  No on constraint_expr_eval - I'll give it a look.
> 
> 
> Note that we'd still want separate audit representation (so that we
> don't expose the constraint representation directly to audit), but could
> convert it to constraint form during rule setup and then just feed it to
> constraint_expr_eval or some common helper.
> 
> 
>>I'll add some comments for that.  A rule will get reprocessed when a new
>>policy is loaded (triggered by the seqno check in security_aurule_match).
>>That will then reset the au_skip field appropriately.  The idea behind this
>>is to allow a rule to be present for a type, role, etc. that does not exist
>>in the current policy, but they are never processed.  If the item is included
>>in a policy that is loaded later, the rule will be setup completely and
>>activated (au_skip = 0).  Conversely, if an item disappears, the rule is
>>just inactivated.
>>
>>This give the same behavior as the other audit rule fields.  For example, a
>>rule can be there for a uid that is not used on the system and it will simply
>>never match.  If that uid is later used on the system, the rule will then be
>>used.  Same goes for inums that aren't used and probably most other fields...
> 
> 
> True, but seems prone to error, e.g. user typo on a name or user using
> an obsolete name never knows he made a mistake.  Unless auditctl itself
> does validity checking, which requires it to interact with
> libsemanage/libsepol.
> 

Yes it does, but that seems to be the nature of the beast with the audit rules.
If we perform the validity check at this level, we may bonk rules that we really
do want to enforce.  There is also the question of how to handle a situation
like the following:

- we have an audit filter set up for matching the role darrel_r
- we load a policy that does not have darrel_r
- we reload the original policy

In the current scheme, the rule would simply become inactive when the policy
does not contain the target, and it would be reactivated when a policy that
did contain the target was loaded.  We would never miss an action involving
darrel_r.

If we needed to toss out the darrel_r rule because it became invalid, later
operations involving darrel_r would go unaudited unless the audit rules
are reloaded along with a policy reload.  Do we want to marry policy loads
with audit filter loads (and how would we know which filter to load anyway)?

It would seem to me that we need the current functionality of keeping all rules
that are set up and revalidating them upon policy loads.  If we don't do it here,
it would need to be done at the audit layer - it might not be as pretty there.

As the policy becomes more dynamic (adding/removing policy modules, etc.) this
would become more of a problem.

Anybody else have an idea on this (Steve G)?  Am I being to paranoid about usage?

-- 

Darrel

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] [PATCH]

[Darrel Goeddel]

Dustin Kirkland wrote:
> On Fri, 2006-02-17 at 08:43 -0600, Darrel Goeddel wrote:
> 
>>It would seem to me that we need the current functionality of keeping all rules
>>that are set up and revalidating them upon policy loads.  If we don't do it here,
>>it would need to be done at the audit layer - it might not be as pretty there.
> 
> 
> 
> I don't know...  My first thoughts are that it seems like the audit
> layer should be ignorant of policy loads/reloads--that's not really it's
> business.

I was trying to avoid knowledge of policy reloads (and really policy in general)
with the rule skipping piece and the sequo checking when the rule is used.  As
far as the audit system is concerned, SELinux could be rolling dice to determine
matches.

As for the big picture.  Steve Grubb suggested a compromise of keeping the current
methodology and enhancing it with KERN_INFO messages.  I'd suggest message for the
following:

- a rule that is inactive is inserted
- a rule that was active becomes inactive
- a rule that was inactive becomes active

Does that fit the bill?

-- 

Darrel

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] [PATCH]

[Stephen Smalley]

On Fri, 2006-02-17 at 10:04 -0600, Dustin Kirkland wrote:
> On Fri, 2006-02-17 at 08:43 -0600, Darrel Goeddel wrote:
> > It would seem to me that we need the current functionality of keeping all rules
> > that are set up and revalidating them upon policy loads.  If we don't do it here,
> > it would need to be done at the audit layer - it might not be as pretty there.
> 
> 
> I don't know...  My first thoughts are that it seems like the audit
> layer should be ignorant of policy loads/reloads--that's not really it's
> business.

Disagree - it is caching policy information, and thus should register a
callback for notification of reloads so that it can re-process its audit
rules at that time, similar to the netif table.  That would presumably
address the locking concern as well.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[RFC][PATCH]

[Oliver Schinagl]

[-- Attachment #1: Type: text/plain, Size: 1169 bytes --]

Hey all,

as an original Austrian, I was curious about the current status of the 
at DVB-T scan tables. I found that neither the original source was any 
longer available, nor where all frequencies listed. I thus located the 
new list [1] and updated the list accordingly. I am not aware if any of 
the original authors of at-Official (from git log) that are actual 
employees of the ORS and thus renamed the file to at-All as that is more 
representative and more in line with other files.

With regard to the content of the scan table, I could not find 
information on any of the parameters except for the bandwith so I 
assumed they where all identical (3/4 QAM16 8K 1/4). The only exception 
is 578 MHz, which has been both 1/4 and 1/8th guard-interval and thus 
left it as such. Since I'm many kilometers away from Austria I have no 
way of scanning all those frequencies. While I assume the list from the 
ORS is accurate, some confirmation before pushing would be appreciated. 
I'll wait a while before pushing this one from my local repository.

Oliver


[1] 
http://www.ors.at/fileadmin/user_upload/downloads/DVB-T_Kanalbezeichnungen_und_Mittenfrequenzen.pdf


[-- Attachment #2: 0001-Update-for-Austrian-DVB-T.patch --]
[-- Type: text/x-patch, Size: 4589 bytes --]

>From 3cda18f8369c515bd47d1ae1e2ffc88cfbb97436 Mon Sep 17 00:00:00 2001
From: Oliver Schinagl <oliver@schinagl.nl>
Date: Thu, 28 Feb 2013 11:16:20 +0100
Subject: [PATCH] Update for Austrian DVB-T

Renamed at-Official to at-All.
Added and updated all frequencies. from
http://www.ors.at/fileadmin/user_upload/downloads/DVB-T_Kanalbezeichnungen_und_Mittenfrequenzen.pdf
No further details are given besides an 8MHz bandwith so assuming the previous settings for now.
---
 dvb-t/at-All      | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 dvb-t/at-Official | 24 ------------------------
 2 files changed, 53 insertions(+), 24 deletions(-)
 create mode 100644 dvb-t/at-All
 delete mode 100644 dvb-t/at-Official

diff --git a/dvb-t/at-All b/dvb-t/at-All
new file mode 100644
index 0000000..183dc0c
--- /dev/null
+++ b/dvb-t/at-All
@@ -0,0 +1,53 @@
+# Austria, all DVB-T transmitters run by ORS
+# Created from 
+# http://www.ors.at/fileadmin/user_upload/downloads/DVB-T_Kanalbezeichnungen_und_Mittenfrequenzen.pdf
+# T freq bw fec_hi fec_lo mod transmission-mode guard-interval hierarchy
+T 474000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 482000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 490000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 498000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 506000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 514000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 522000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 530000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 538000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 546000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 554000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 562000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 570000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 578000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 578000000 8MHz 3/4 NONE QAM16 8k 1/8 NONE
+T 586000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 594000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 602000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 610000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 618000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 626000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 634000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 642000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 650000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 658000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 666000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 674000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 682000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 690000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 698000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 706000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 714000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 722000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 730000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 738000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 746000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 754000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 762000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 770000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 778000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 786000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 794000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 802000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 810000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 826000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 834000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 842000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 850000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
+T 858000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
diff --git a/dvb-t/at-Official b/dvb-t/at-Official
deleted file mode 100644
index cdb221c..0000000
--- a/dvb-t/at-Official
+++ /dev/null
@@ -1,24 +0,0 @@
-# Austria, all DVB-T transmitters run by ORS
-# Created from http://www.ors.at/view08/ors.php?mid=94
-# T freq bw fec_hi fec_lo mod transmission-mode guard-interval hierarchy
-T 474000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 490000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 498000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 514000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 522000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 530000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 538000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 546000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 554000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 562000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 578000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 578000000 8MHz 3/4 NONE QAM16 8k 1/8 NONE
-T 594000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 602000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 610000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 634000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 650000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 666000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 698000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 722000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-T 754000000 8MHz 3/4 NONE QAM16 8k 1/4 NONE
-- 
1.7.12.4