From: Paul Moore <paul.moore@hp.com>
To: Eric Paris <eparis@redhat.com>
Cc: selinux <selinux@tycho.nsa.gov>, sds@tycho.nsa.gov, jmorris@namei.org
Subject: Re: [PATCH -v2] SELinux: create new open permission
Date: Thu, 28 Feb 2008 13:30:56 -0500 [thread overview]
Message-ID: <200802281330.56328.paul.moore@hp.com> (raw)
In-Reply-To: <1204221520.3206.86.camel@localhost.localdomain>
On Thursday 28 February 2008 12:58:40 pm Eric Paris wrote:
> Adds a new open permission inside SELinux when 'opening' a file. The
> idea is that opening a file and reading/writing to that file are not
> the same thing. It's different if a program had its stdout redirected
> to /tmp/output than if the program tried to directly open
> /tmp/output. This should allow policy writers to more liberally give
> read/write permissions across the policy while still blocking many
> design and programming flaws SELinux is so good at catching today.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
Much better :)
Reviewed-by: Paul Moore <paul.moore@hp.com>
> ---
> As an example, process1 in httpd_t opened a bunch of files of type
> user_tmp_t. It then called process2 running as ntpd_t which did
> nothing but accept those open fd's and terminate. Notice proc1
> needed open perms and proc2 only needed read and write.
>
> #============= httpd_t ==============
> allow httpd_t tmp_t:dir open;
> allow httpd_t user_tmp_t:blk_file { read write open };
> allow httpd_t user_tmp_t:chr_file { read write open };
> allow httpd_t user_tmp_t:dir { read open };
> allow httpd_t user_tmp_t:fifo_file { read write open };
> allow httpd_t user_tmp_t:file { read write execute entrypoint open };
> allow httpd_t user_tmp_t:lnk_file read;
>
> #============= ntpd_t ==============
> allow ntpd_t user_tmp_t:blk_file { read write };
> allow ntpd_t user_tmp_t:chr_file { read write };
> allow ntpd_t user_tmp_t:dir read;
> allow ntpd_t user_tmp_t:fifo_file { read write };
> allow ntpd_t user_tmp_t:file { read write entrypoint };
>
> security/selinux/hooks.c | 31
> +++++++++++++++++++++++++-
> security/selinux/include/av_perm_to_string.h | 5 ++++
> security/selinux/include/av_permissions.h | 5 ++++
> security/selinux/include/security.h | 2 +
> security/selinux/selinuxfs.c | 3 +-
> security/selinux/ss/services.c | 3 ++
> 6 files changed, 47 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 75c2e99..a4cf5ff 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1599,6 +1599,35 @@ static inline u32 file_mask_to_av(int mode,
> int mask) return av;
> }
>
> +/*
> + * Convert a file mask to an access vector and include the correct
> open + * open permission.
> + */
> +static inline u32 open_file_mask_to_av(int mode, int mask)
> +{
> + u32 av = file_mask_to_av(mode, mask);
> +
> + if (selinux_policycap_openperm) {
> + /*
> + * lnk files and socks do not really have an 'open'
> + */
> + if (S_ISREG(mode))
> + av |= FILE__OPEN;
> + else if (S_ISCHR(mode))
> + av |= CHR_FILE__OPEN;
> + else if (S_ISBLK(mode))
> + av |= BLK_FILE__OPEN;
> + else if (S_ISFIFO(mode))
> + av |= FIFO_FILE__OPEN;
> + else if (S_ISDIR(mode))
> + av |= DIR__OPEN;
> + else
> + printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> + "with unknown mode:%x\n", mode);
> + }
> + return av;
> +}
> +
> /* Convert a Linux file to an access vector. */
> static inline u32 file_to_av(struct file *file)
> {
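Review bot: open_file_mask_to_av is wired into selinux_inode_permission (the second hooks.c hunk), so the open bit is added to every inode permission check whose mode the helper recognizes, not only to open(2); presumably that is why the example policy in the description needs `allow httpd_t tmp_t:dir open;` even though process1 only opened files under /tmp and never the directory itself. Adding the open permission only where the VFS is actually opening the file (the dentry_open hook, which has the struct file, or a gate on an open-specific bit in mask if the VFS provides one) and leaving inode_permission on file_mask_to_av would keep open distinct from plain access checks, which is the stated goal. Separately, the fallthrough printk names `open_file_to_av` rather than this function, and lnk/sock inodes, which the comment says have no open, land in that KERN_ERR branch instead of being skipped; `printk(KERN_ERR "SELinux: WARNING: inside %s with unknown mode:%o\n", __func__, mode);` fixes the name and prints the mode in octal, and an explicit `else if (S_ISLNK(mode) || S_ISSOCK(mode)) ; /* no open permission for these classes */` keeps the documented cases out of the error path. The header comment also doubles the word "open" (`the correct open open permission`).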
> @@ -2517,7 +2546,7 @@ static int selinux_inode_permission(struct
> inode *inode, int mask, }
>
> return inode_has_perm(current, inode,
> - file_mask_to_av(inode->i_mode, mask), NULL);
> + open_file_mask_to_av(inode->i_mode, mask), NULL);
> }
>
> static int selinux_inode_setattr(struct dentry *dentry, struct iattr
> *iattr) diff --git a/security/selinux/include/av_perm_to_string.h
> b/security/selinux/include/av_perm_to_string.h index d569669..1223b4f
> 100644
> --- a/security/selinux/include/av_perm_to_string.h
> +++ b/security/selinux/include/av_perm_to_string.h
> @@ -14,12 +14,17 @@
> S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
> S_(SECCLASS_DIR, DIR__SEARCH, "search")
> S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
> + S_(SECCLASS_DIR, DIR__OPEN, "open")
> S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
> S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
> S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
> + S_(SECCLASS_FILE, FILE__OPEN, "open")
> S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS,
> "execute_no_trans") S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT,
> "entrypoint") S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
> + S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
> + S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
> + S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
> S_(SECCLASS_FD, FD__USE, "use")
> S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
> S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
> diff --git a/security/selinux/include/av_permissions.h
> b/security/selinux/include/av_permissions.h index 75b4131..c4c5116
> 100644
> --- a/security/selinux/include/av_permissions.h
> +++ b/security/selinux/include/av_permissions.h
> @@ -79,6 +79,7 @@
> #define DIR__REPARENT 0x00080000UL
> #define DIR__SEARCH 0x00100000UL
> #define DIR__RMDIR 0x00200000UL
> +#define DIR__OPEN 0x00400000UL
> #define FILE__IOCTL 0x00000001UL
> #define FILE__READ 0x00000002UL
> #define FILE__WRITE 0x00000004UL
> @@ -99,6 +100,7 @@
> #define FILE__EXECUTE_NO_TRANS 0x00020000UL
> #define FILE__ENTRYPOINT 0x00040000UL
> #define FILE__EXECMOD 0x00080000UL
> +#define FILE__OPEN 0x00100000UL
> #define LNK_FILE__IOCTL 0x00000001UL
> #define LNK_FILE__READ 0x00000002UL
> #define LNK_FILE__WRITE 0x00000004UL
> @@ -136,6 +138,7 @@
> #define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
> #define CHR_FILE__ENTRYPOINT 0x00040000UL
> #define CHR_FILE__EXECMOD 0x00080000UL
> +#define CHR_FILE__OPEN 0x00100000UL
> #define BLK_FILE__IOCTL 0x00000001UL
> #define BLK_FILE__READ 0x00000002UL
> #define BLK_FILE__WRITE 0x00000004UL
> @@ -153,6 +156,7 @@
> #define BLK_FILE__SWAPON 0x00004000UL
> #define BLK_FILE__QUOTAON 0x00008000UL
> #define BLK_FILE__MOUNTON 0x00010000UL
> +#define BLK_FILE__OPEN 0x00020000UL
> #define SOCK_FILE__IOCTL 0x00000001UL
> #define SOCK_FILE__READ 0x00000002UL
> #define SOCK_FILE__WRITE 0x00000004UL
> @@ -187,6 +191,7 @@
> #define FIFO_FILE__SWAPON 0x00004000UL
> #define FIFO_FILE__QUOTAON 0x00008000UL
> #define FIFO_FILE__MOUNTON 0x00010000UL
> +#define FIFO_FILE__OPEN 0x00020000UL
> #define FD__USE 0x00000001UL
> #define SOCKET__IOCTL 0x00000001UL
> #define SOCKET__READ 0x00000002UL
> diff --git a/security/selinux/include/security.h
> b/security/selinux/include/security.h index 837ce42..fa30f53 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -43,11 +43,13 @@ extern int selinux_mls_enabled;
> /* Policy capabilities */
> enum {
> POLICYDB_CAPABILITY_NETPEER,
> + POLICYDB_CAPABILITY_OPENPERM,
> __POLICYDB_CAPABILITY_MAX
> };
> #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
>
> extern int selinux_policycap_netpeer;
> +extern int selinux_policycap_openperm;
>
> int security_load_policy(void * data, size_t len);
>
> diff --git a/security/selinux/selinuxfs.c
> b/security/selinux/selinuxfs.c index 0341567..1d996bb 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -42,7 +42,8 @@
>
> /* Policy capability filenames */
> static char *policycap_names[] = {
> - "network_peer_controls"
> + "network_peer_controls",
> + "open_perms"
> };
>
> unsigned int selinux_checkreqprot =
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; diff --git
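Review bot: policycap_names is a parallel array to the POLICYDB_CAPABILITY_* enum in security.h, and the new "open_perms" entry works only because it is appended in the same position as POLICYDB_CAPABILITY_OPENPERM; nothing in either hunk ties the two together, so a future reordering would silently mislabel the selinuxfs entries. Designated initializers make the dependency explicit and order-independent: `[POLICYDB_CAPABILITY_NETPEER] = "network_peer_controls",` and `[POLICYDB_CAPABILITY_OPENPERM] = "open_perms"`. The code that iterates this array is outside the hunk.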
> a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index f374186..23a61f1 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -61,6 +61,7 @@ extern void selnl_notify_policyload(u32 seqno);
> unsigned int policydb_loaded_version;
>
> int selinux_policycap_netpeer;
> +int selinux_policycap_openperm;
>
> /*
> * This is declared in avc.c
> @@ -1306,6 +1307,8 @@ static void security_load_policycaps(void)
> {
> selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
> POLICYDB_CAPABILITY_NETPEER);
> + selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
> + POLICYDB_CAPABILITY_OPENPERM);
> }
>
> extern void selinux_complete_init(void);
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.