[PATCH] atuomatic type transitions for pts in devfs

[PATCH] atuomatic type transitions for pts in devfs

[Debian User]

[-- Attachment #1: Type: text/plain, Size: 124 bytes --]

This patch only works properly with a devfsd less system. Devfsd needs 
to be patched for this to work on systems using it.

[-- Attachment #2: automatic_transition_in_devfs.diff --]
[-- Type: text/plain, Size: 1176 bytes --]

--- /root/tmp/lsm-2.4/security/selinux/hooks.c	Wed Jul 10 01:11:11 2002
+++ security/selinux/hooks.c	Wed Jul 10 03:45:14 2002
@@ -689,7 +689,7 @@
 {
 	struct superblock_security_struct *sbsec = NULL; 
 	struct inode_security_struct *isec = inode->i_security;
-	security_id_t sid;
+	security_id_t sid, devfs_pts_sid;
 	char *buffer, *path;
 	struct dentry *dentry;
 	int rc;
@@ -779,10 +779,21 @@
 				path = avc_d_path(dentry, buffer,
 						  PAGE_SIZE);
 				if (path) {
+
+                            if ( (!memcmp(inode->i_sb->s_type->name, "devfs", 5)) && (!memcmp(path, "/pts/", 5)) ) {
+                                security_genfs_sid("devfs", "/pts", SECCLASS_DIR, &devfs_pts_sid);
+		                /* Try to obtain a transition SID. */
+		                rc = security_transition_sid(isec->task_sid, 
+                                                             devfs_pts_sid, 
+					                     isec->sclass,
+					                     &sid);
+
+                            } else {
 					rc = security_genfs_sid(inode->i_sb->s_type->name,
 								path, 
 								isec->sclass,
 								&sid);
+			    }
 					if (!rc)
 						isec->sid = sid;
 				}

Re: [PATCH] atuomatic type transitions for pts in devfs

[Stephen Smalley]

On Wed, 10 Jul 2002, Debian User wrote:

> This patch only works properly with a devfsd less system. Devfsd needs
> to be patched for this to work on systems using it.

Just to further clarify, when devfsd is used, the allocating task SID is
the SID of devfsd rather than the SID of the requesting process, so the
kernel cannot automatically determine an appropriate type transition
for the requesting process.  To support such functionality while using
devfsd, you would need to patch devfsd to permit passing the SID of the
requesting process to an action (much like the current support for passing
the uid).  A devfsd module for nodes within pts could then call
security_transition_sid based on the requesting process SID and the base
devpts SID to obtain a transition SID for the pty.

As a separate issue (previously mentioned on the list), fully supporting
labeling by devfsd would also require patches to the kernel devfs code to
preserve and restore SIDs on devfs entries labeled by devfsd, as the
entries may be evicted from the dcache.

Hence, at present, devfs labeling support is only reliable without devfsd
through the use of genfs_contexts and this patch.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com






--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] atuomatic type transitions for pts in devfs

[Stephen Smalley]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 256 bytes --]


The attached patch is a slightly revised version of your patch that has
been merged into our tree for future releases.  It has also been committed
to the sourceforge CVS tree.  Thanks for contributing.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




[-- Attachment #2: Type: TEXT/PLAIN, Size: 1683 bytes --]

Index: security/selinux/hooks.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.4/security/selinux/hooks.c,v
retrieving revision 1.13
diff -u -r1.13 hooks.c
--- security/selinux/hooks.c	5 Jul 2002 11:06:37 -0000	1.13
+++ security/selinux/hooks.c	12 Jul 2002 15:13:15 -0000
@@ -13,6 +13,8 @@
  *	it under the terms of the GNU General Public License as published by
  *	the Free Software Foundation; either version 2 of the License, or
  *	(at your option) any later version.
+ *
+ * [Jul 2002, Rogelio M. Serrano Jr.] Added type transitions for pts in devfs.
  */ 
 
 #include <linux/config.h>
@@ -689,7 +691,7 @@
 {
 	struct superblock_security_struct *sbsec = NULL; 
 	struct inode_security_struct *isec = inode->i_security;
-	security_id_t sid;
+	security_id_t sid, devfs_pts_sid;
 	char *buffer, *path;
 	struct dentry *dentry;
 	int rc;
@@ -779,10 +781,22 @@
 				path = avc_d_path(dentry, buffer,
 						  PAGE_SIZE);
 				if (path) {
-					rc = security_genfs_sid(inode->i_sb->s_type->name,
-								path, 
-								isec->sclass,
-								&sid);
+					if (!strcmp(inode->i_sb->s_type->name,
+						    "devfs") && 
+					    !memcmp(path, "/pts/", 5)) {
+						rc = security_genfs_sid("devfs", "/pts", SECCLASS_DIR, &devfs_pts_sid);
+						if (!rc) 
+						  rc = security_transition_sid(
+							  isec->task_sid, 
+							  devfs_pts_sid, 
+							  isec->sclass,
+							  &sid);
+					} else {
+						rc = security_genfs_sid(inode->i_sb->s_type->name,
+									path, 
+									isec->sclass,
+									&sid);
+					}
 					if (!rc)
 						isec->sid = sid;
 				}