* [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: James Carter @ 2007-04-04 14:11 UTC (permalink / raw)
To: SELinux; +Cc: Steve Smalley, James Morris, Eric Paris, Eamon Walsh
Make the initial SID contexts accessible to userspace via selinuxfs.
An initial use of this support will be to make the unlabeled context
available to libselinux for use for invalidated userspace SIDs.
This version fixes the problem with the for loop that Steve pointed out,
and changes the flow of security_get_initial_sid_context so that the if
clause checks for the error condition and uses unlikely().
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
security/selinux/include/security.h | 2 +
security/selinux/selinuxfs.c | 67 ++++++++++++++++++++++++++++++++++++
security/selinux/ss/services.c | 7 +++
3 files changed, 76 insertions(+)
diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 210eec7..505e558 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -102,5 +102,7 @@ int security_fs_use(const char *fstype, unsigned int *behavior,
int security_genfs_sid(const char *fstype, char *name, u16 sclass,
u32 *sid);
+const char* security_get_initial_sid_context(u32 sid);
+
#endif /* _SELINUX_SECURITY_H_ */
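Review bot: the `+const char* security_get_initial_sid_context(u32 sid);` line puts the `*` against the type; kernel style, and the other prototypes in this header, want `const char *security_get_initial_sid_context(u32 sid);`. Separately, the stray `diff --git a/security/selinux/include/initial_sid_to_string.h ...` header just above this file carries no hunk at all and looks like a leftover from an earlier version of the patch; drop it so `git am` does not trip over it.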
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 93b3177..60d18a7 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -102,6 +102,9 @@ enum sel_inos {
SEL_COMPAT_NET, /* whether to use old compat network packet controls */
};
+#define SEL_INITCON_INO_OFFSET 0x01000000
+#define SEL_INO_MASK 0x00ffffff
+
#define TMPBUFLEN 12
static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
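Review bot: the two new macros have no comment saying what they reserve. `SEL_INITCON_INO_OFFSET 0x01000000` means every initial-context inode is numbered at or above 0x01000001 and `SEL_INO_MASK 0x00ffffff` is what recovers the SID from `i_ino` again, so the mask must always be wide enough for SECINITSID_NUM and the offset must stay clear of every other fixed inode range selinuxfs hands out; a one-line comment on each constant would make that coupling visible to whoever adds the next directory.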
@@ -1240,6 +1243,55 @@ out:
return ret;
}
+static ssize_t sel_read_initcon(struct file * file, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ struct inode *inode;
+ char *con;
+ u32 sid, len;
+ ssize_t ret;
+
+ inode = file->f_path.dentry->d_inode;
+ sid = inode->i_ino&SEL_INO_MASK;
+ ret = security_sid_to_context(sid, &con, &len);
+ if (ret < 0)
+ return ret;
+
+ ret = simple_read_from_buffer(buf, count, ppos, con, len);
+ kfree(con);
+ return ret;
+}
+
+static const struct file_operations sel_initcon_ops = {
+ .read = sel_read_initcon,
+};
+
+static int sel_make_initcon_files(struct dentry *dir)
+{
+ int i, ret = 0;
+
+ for (i = 1; i <= SECINITSID_NUM; i++) {
+ struct inode *inode;
+ struct dentry *dentry;
+ dentry = d_alloc_name(dir, security_get_initial_sid_context(i));
+ if (!dentry) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
+ if (!inode) {
+ ret = -ENOMEM;
+ goto out;
+ }
+ inode->i_fop = &sel_initcon_ops;
+ inode->i_ino = i|SEL_INITCON_INO_OFFSET;
+ d_add(dentry, inode);
+ }
+out:
+ return ret;
+}
+
static int sel_make_dir(struct inode *dir, struct dentry *dentry)
{
int ret = 0;
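Review bot: in sel_make_initcon_files, when `sel_make_inode()` fails after `d_alloc_name()` has already succeeded, the code does `ret = -ENOMEM; goto out;` while still holding the freshly allocated dentry, so that dentry is leaked on the error path; add a `dput(dentry);` before the goto, or allocate the inode first. Two smaller points in the same hunk: `sid = inode->i_ino&SEL_INO_MASK;` wants spaces around `&`, and `struct file * file` should be `struct file *file` to match the surrounding code.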
@@ -1336,6 +1388,21 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
ret = sel_make_avc_files(dentry);
if (ret)
goto err;
+
+ dentry = d_alloc_name(sb->s_root, "initial_contexts");
+ if (!dentry) {
+ ret = -ENOMEM;
+ goto err;
+ }
+
+ ret = sel_make_dir(root_inode, dentry);
+ if (ret)
+ goto err;
+
+ ret = sel_make_initcon_files(dentry);
+ if (ret)
+ goto err;
+
out:
return ret;
err:
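Review bot: "initial_contexts" becomes a userspace-visible path in selinuxfs and nothing in the patch documents it; state, wherever the other selinuxfs nodes are described, that the directory holds one read-only file per initial SID, named by the initial SID's string, whose contents are the current context for that SID. The hunk itself just repeats the avc sequence above it (d_alloc_name, sel_make_dir, sel_make_*_files) and shares its error handling, so no functional concern there.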
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 1e52356..edead1b 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -594,6 +594,13 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
#include "initial_sid_to_string.h"
+const char* security_get_initial_sid_context(u32 sid)
+{
+ if (unlikely(sid > SECINITSID_NUM))
+ return NULL;
+ return initial_sid_to_string[sid];
+}
+
/**
* security_sid_to_context - Obtain a context for a given SID.
* @sid: security identifier, SID
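Review bot: the check `if (unlikely(sid > SECINITSID_NUM))` lets `sid == 0` through and returns `initial_sid_to_string[0]`, the "null" entry, even though SID 0 is not an initial SID and the selinuxfs caller starts its loop at 1; if that is not intended, reject it as well with `sid < 1 || sid > SECINITSID_NUM`. Same style nit as the header: `const char* security_get_initial_sid_context` should be `const char *security_get_initial_sid_context`.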
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: Stephen Smalley @ 2007-04-04 15:23 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux, James Morris, Eric Paris, Eamon Walsh
On Wed, 2007-04-04 at 10:11 -0400, James Carter wrote:
> Make the initial SID contexts accessible to userspace via selinuxfs.
> An initial use of this support will be to make the unlabeled context
> available to libselinux for use for invalidated userspace SIDs.
>
> This version fixes the problem with the for loop that Steve pointed out,
> and changes the flow of security_get_initial_sid_context so that the if
> clause checks for the error condition and uses unlikely().
>
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Possibly we should also look into removing the unused initial SIDs,
although doing so in a backwards compatible way won't be
straightforward.
>
> ---
>
> security/selinux/include/security.h | 2 +
> security/selinux/selinuxfs.c | 67 ++++++++++++++++++++++++++++++++++++
> security/selinux/ss/services.c | 7 +++
> 3 files changed, 76 insertions(+)
>
> diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 210eec7..505e558 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -102,5 +102,7 @@ int security_fs_use(const char *fstype, unsigned int *behavior,
> int security_genfs_sid(const char *fstype, char *name, u16 sclass,
> u32 *sid);
>
> +const char* security_get_initial_sid_context(u32 sid);
> +
> #endif /* _SELINUX_SECURITY_H_ */
>
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 93b3177..60d18a7 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -102,6 +102,9 @@ enum sel_inos {
> SEL_COMPAT_NET, /* whether to use old compat network packet controls */
> };
>
> +#define SEL_INITCON_INO_OFFSET 0x01000000
> +#define SEL_INO_MASK 0x00ffffff
> +
> #define TMPBUFLEN 12
> static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
> size_t count, loff_t *ppos)
> @@ -1240,6 +1243,55 @@ out:
> return ret;
> }
>
> +static ssize_t sel_read_initcon(struct file * file, char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + struct inode *inode;
> + char *con;
> + u32 sid, len;
> + ssize_t ret;
> +
> + inode = file->f_path.dentry->d_inode;
> + sid = inode->i_ino&SEL_INO_MASK;
> + ret = security_sid_to_context(sid, &con, &len);
> + if (ret < 0)
> + return ret;
> +
> + ret = simple_read_from_buffer(buf, count, ppos, con, len);
> + kfree(con);
> + return ret;
> +}
> +
> +static const struct file_operations sel_initcon_ops = {
> + .read = sel_read_initcon,
> +};
> +
> +static int sel_make_initcon_files(struct dentry *dir)
> +{
> + int i, ret = 0;
> +
> + for (i = 1; i <= SECINITSID_NUM; i++) {
> + struct inode *inode;
> + struct dentry *dentry;
> + dentry = d_alloc_name(dir, security_get_initial_sid_context(i));
> + if (!dentry) {
> + ret = -ENOMEM;
> + goto out;
> + }
> +
> + inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
> + if (!inode) {
> + ret = -ENOMEM;
> + goto out;
> + }
> + inode->i_fop = &sel_initcon_ops;
> + inode->i_ino = i|SEL_INITCON_INO_OFFSET;
> + d_add(dentry, inode);
> + }
> +out:
> + return ret;
> +}
> +
> static int sel_make_dir(struct inode *dir, struct dentry *dentry)
> {
> int ret = 0;
> @@ -1336,6 +1388,21 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
> ret = sel_make_avc_files(dentry);
> if (ret)
> goto err;
> +
> + dentry = d_alloc_name(sb->s_root, "initial_contexts");
> + if (!dentry) {
> + ret = -ENOMEM;
> + goto err;
> + }
> +
> + ret = sel_make_dir(root_inode, dentry);
> + if (ret)
> + goto err;
> +
> + ret = sel_make_initcon_files(dentry);
> + if (ret)
> + goto err;
> +
> out:
> return ret;
> err:
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 1e52356..edead1b 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -594,6 +594,13 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
>
> #include "initial_sid_to_string.h"
>
> +const char* security_get_initial_sid_context(u32 sid)
> +{
> + if (unlikely(sid > SECINITSID_NUM))
> + return NULL;
> + return initial_sid_to_string[sid];
> +}
> +
> /**
> * security_sid_to_context - Obtain a context for a given SID.
> * @sid: security identifier, SID
>
> --
> James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency
--
Stephen Smalley
National Security Agency
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: Eric Paris @ 2007-04-04 16:17 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux, Steve Smalley, James Morris, Eamon Walsh
On Wed, 2007-04-04 at 10:11 -0400, James Carter wrote:
> Make the initial SID contexts accessible to userspace via selinuxfs.
> An initial use of this support will be to make the unlabeled context
> available to libselinux for use for invalidated userspace SIDs.
>
> This version fixes the problem with the for loop that Steve pointed out,
> and changes the flow of security_get_initial_sid_context so that the if
> clause checks for the error condition and uses unlikely().
>
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
I'm just wondering why we have such arbitrary static i_ino for most
inodes in /selinux but it looks to me like we let avc, booleans, and all
inodes inside avc pick up their i_ino from new_inode() as:
inode->i_ino = ++last_ino;
(now initial_sids is going to get its i_ino from last_ino). If /selinux
were created at the wrong time such that last_ino was the same as one of
the static i_ino ranges we use for /selinux we could have a collision.
Talking with a FS guy he seemed to think the worst case a collision
would cause userspace to mess up hard link detection (which we shouldn't
really have in /selinux) but this seems like something we want to fix.
I guess that is actually not something that needs to be fixed for this
patch so I'm happy enough with this patch.
But if you do have to redo the patch, there are 2 very very minor
nits below about * placement. Maybe James can just clean those up when
he puts it into GIT.
-Eric
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -102,5 +102,7 @@ int security_fs_use(const char *fstype, unsigned int *behavior,
> int security_genfs_sid(const char *fstype, char *name, u16 sclass,
> u32 *sid);
>
> +const char* security_get_initial_sid_context(u32 sid);
char *security_get_initial_sid_context
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -594,6 +594,13 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
>
> #include "initial_sid_to_string.h"
>
> +const char* security_get_initial_sid_context(u32 sid)
char *security_get_initial_sid_context
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: Stephen Smalley @ 2007-04-04 17:00 UTC (permalink / raw)
To: Eric Paris; +Cc: jwcart2, SELinux, James Morris, Eamon Walsh
On Wed, 2007-04-04 at 12:17 -0400, Eric Paris wrote:
> On Wed, 2007-04-04 at 10:11 -0400, James Carter wrote:
> > Make the initial SID contexts accessible to userspace via selinuxfs.
> > An initial use of this support will be to make the unlabeled context
> > available to libselinux for use for invalidated userspace SIDs.
> >
> > This version fixes the problem with the for loop that Steve pointed out,
> > and changes the flow of security_get_initial_sid_context so that the if
> > clause checks for the error condition and uses unlikely().
> >
> > Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
>
> I'm just wondering why we have such arbitrary static i_ino for most
> inodes in /selinux but it looks to me like we let avc, booleans, and all
> inodes inside avc pick up their i_ino from new_inode() as:
>
> inode->i_ino = ++last_ino;
>
> (now initial_sids is going to get its i_ino from last_ino). If /selinux
> were created at the wrong time such that last_ino was the same as one of
> the static i_ino ranges we use for /selinux we could have a collision.
> Talking with a FS guy he seemed to think the worst case a collision
> would cause userspace to mess up hard link detection (which we shouldn't
> really have in /selinux) but this seems like something we want to fix.
> I guess that is actually not something that needs to be fixed for this
> patch so I'm happy enough with this patch.
simple_fill_super() also calls new_inode() for each of the inodes in the
tree_descr (and then goes on to overwrite inode->i_ino with the index
value), so last_ino should be guaranteed to be above the range of the
fixed inodes before we proceed to create the rest of the inodes. Right?
> But if you do have to redo the patch, there are 2 very very minor
> nits below about * placement. Maybe James can just clean those up when
> he puts it into GIT.
patch-tester.pl also complains about a couple places where trailing
whitespace is added; another trivial cleanup.
> -Eric
>
> > --- a/security/selinux/include/security.h
> > +++ b/security/selinux/include/security.h
> > @@ -102,5 +102,7 @@ int security_fs_use(const char *fstype, unsigned int *behavior,
> > int security_genfs_sid(const char *fstype, char *name, u16 sclass,
> > u32 *sid);
> >
> > +const char* security_get_initial_sid_context(u32 sid);
>
> char *security_get_initial_sid_context
>
>
> > --- a/security/selinux/ss/services.c
> > +++ b/security/selinux/ss/services.c
> > @@ -594,6 +594,13 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
> >
> > #include "initial_sid_to_string.h"
> >
> > +const char* security_get_initial_sid_context(u32 sid)
>
> char *security_get_initial_sid_context
--
Stephen Smalley
National Security Agency
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: James Morris @ 2007-04-04 17:15 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, jwcart2, SELinux, Eamon Walsh
On Wed, 4 Apr 2007, Stephen Smalley wrote:
> patch-tester.pl also complains about a couple places where trailing
> whitespace is added; another trivial cleanup.
FYI, "git-am --dotest=.dotest -i -s -u --whitespace=strip /path/to/mbox"
fixes that up automatically.
--
James Morris
<jmorris@namei.org>
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: Eric Paris @ 2007-04-04 17:22 UTC (permalink / raw)
To: Stephen Smalley; +Cc: jwcart2, SELinux, James Morris, Eamon Walsh
On Wed, 2007-04-04 at 13:00 -0400, Stephen Smalley wrote:
> On Wed, 2007-04-04 at 12:17 -0400, Eric Paris wrote:
> > On Wed, 2007-04-04 at 10:11 -0400, James Carter wrote:
> > > Make the initial SID contexts accessible to userspace via selinuxfs.
> > > An initial use of this support will be to make the unlabeled context
> > > available to libselinux for use for invalidated userspace SIDs.
> > >
> > > This version fixes the problem with the for loop that Steve pointed out,
> > > and changes the flow of security_get_initial_sid_context so that the if
> > > clause checks for the error condition and uses unlikely().
> > >
> > > Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
> >
> > I'm just wondering why we have such arbitrary static i_ino for most
> > inodes in /selinux but it looks to me like we let avc, booleans, and all
> > inodes inside avc pick up their i_ino from new_inode() as:
> >
> > inode->i_ino = ++last_ino;
> >
> > (now initial_sids is going to get its i_ino from last_ino). If /selinux
> > were created at the wrong time such that last_ino was the same as one of
> > the static i_ino ranges we use for /selinux we could have a collision.
> > Talking with a FS guy he seemed to think the worst case a collision
> > would cause userspace to mess up hard link detection (which we shouldn't
> > really have in /selinux) but this seems like something we want to fix.
> > I guess that is actually not something that needs to be fixed for this
> > patch so I'm happy enough with this patch.
>
> simple_fill_super() also calls new_inode() for each of the inodes in the
> tree_descr (and then goes on to overwrite inode->i_ino with the index
> value), so last_ino should be guaranteed to be above the range of the
> fixed inodes before we proceed to create the rest of the inodes. Right?
Correct, the inodes not explicitly numbered will never conflict with
those created by simple_fill_super. But notice that last_ino is global
(not per SB) and so there is no guarantee that last_ino is not going to
be of a size (thanks to other FS's that are mounted and used new_inode
before selinuxfs) that it starts to bump into the space used by other
things. If very very few inodes were created by other FS's we could
land in the range used by the booleans (30+boolean number) or if lots
and lots of inodes were created we could land in the range used by
initial sids (0x01000000 + sid). While I agree there is a whole lot of
space in the middle to land in I still think collision is possible.
Note that on my system this range of free assignment lies between about
322 and 328 but since it is dictated by inodes created in FS's outside
of selinux FS we have no way to guarantee that it can't fall into one of
those static zones of inodes.
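Eric's collision argument, as an added example that is not part of the thread: a small C model of the three inode-numbering schemes he describes (booleans at 30 + index, files left to new_inode() taking ++last_ino, initial contexts at 0x01000000 | sid from the patch) that reports how many inode numbers end up assigned twice for a given starting value of the global counter. The boolean base and the split between fixed and dynamic files are taken from the thread's description, not from the kernel tree, and the counts passed in are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Fixed ranges as described in the thread (assumptions, not read from the
 * kernel): booleans at 30 + index, initial contexts at 0x01000000 | sid. */
#define BOOL_INO_BASE      30UL
#define INITCON_INO_OFFSET 0x01000000UL

static int cmp_ulong(const void *a, const void *b)
{
	unsigned long x = *(const unsigned long *)a, y = *(const unsigned long *)b;
	return (x > y) - (x < y);
}

/* Number the files selinuxfs creates when it mounts while the global
 * new_inode() counter stands at last_ino: nbools boolean files get fixed
 * numbers, ndynamic files (avc entries, the new directory) take ++last_ino,
 * ninitsids initial-context files get offset|sid.  Returns how many inode
 * numbers are handed out twice, i.e. the collisions Eric is worried about. */
size_t count_ino_collisions(unsigned long last_ino, unsigned nbools,
			    unsigned ndynamic, unsigned ninitsids)
{
	size_t total = (size_t)nbools + ndynamic + ninitsids, i, k = 0, dups = 0;
	unsigned long *inos = malloc(total * sizeof(*inos));

	if (!inos)
		return 0;
	for (i = 0; i < nbools; i++)
		inos[k++] = BOOL_INO_BASE + i;
	for (i = 0; i < ndynamic; i++)
		inos[k++] = ++last_ino;			/* inode->i_ino = ++last_ino */
	for (i = 1; i <= ninitsids; i++)
		inos[k++] = INITCON_INO_OFFSET | i;	/* i|SEL_INITCON_INO_OFFSET */
	qsort(inos, total, sizeof(*inos), cmp_ulong);
	for (i = 1; i < total; i++)
		if (inos[i] == inos[i - 1])
			dups++;
	free(inos);
	return dups;
}

int main(void)
{
	/* Constructed scenarios: Eric's observed counter (~322), a counter that
	 * is still below the boolean range, and one just under the initcon range. */
	printf("last_ino=322:        %zu collisions\n", count_ino_collisions(322, 100, 6, 27));
	printf("last_ino=28:         %zu collisions\n", count_ino_collisions(28, 100, 6, 27));
	printf("last_ino=0x00fffffd: %zu collisions\n", count_ino_collisions(0x00fffffdUL, 100, 6, 27));
	return 0;
}
```

The model makes the two ends of the argument concrete: with the counter near 322 nothing overlaps, but a counter that starts below 30 walks straight into the boolean numbers, and one that happens to sit just under 0x01000000 walks into the initial-context numbers; the only thing standing between the two cases is how many inodes other filesystems allocated before selinuxfs mounted.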
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: James Morris @ 2007-04-04 17:23 UTC (permalink / raw)
To: James Carter; +Cc: SELinux, Steve Smalley, Eric Paris, Eamon Walsh
On Wed, 4 Apr 2007, James Carter wrote:
> Make the initial SID contexts accessible to userspace via selinuxfs.
> An initial use of this support will be to make the unlabeled context
> available to libselinux for use for invalidated userspace SIDs.
>
> This version fixes the problem with the for loop that Steve pointed out,
> and changes the flow of security_get_initial_sid_context so that the if
> clause checks for the error condition and uses unlikely().
>
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm
- James
--
James Morris
<jmorris@namei.org>
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: Stephen Smalley @ 2007-04-04 17:27 UTC (permalink / raw)
To: Eric Paris; +Cc: jwcart2, SELinux, James Morris, Eamon Walsh
On Wed, 2007-04-04 at 13:22 -0400, Eric Paris wrote:
> On Wed, 2007-04-04 at 13:00 -0400, Stephen Smalley wrote:
> > On Wed, 2007-04-04 at 12:17 -0400, Eric Paris wrote:
> > > On Wed, 2007-04-04 at 10:11 -0400, James Carter wrote:
> > > > Make the initial SID contexts accessible to userspace via selinuxfs.
> > > > An initial use of this support will be to make the unlabeled context
> > > > available to libselinux for use for invalidated userspace SIDs.
> > > >
> > > > This version fixes the problem with the for loop that Steve pointed out,
> > > > and changes the flow of security_get_initial_sid_context so that the if
> > > > clause checks for the error condition and uses unlikely().
> > > >
> > > > Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
> > >
> > > I'm just wondering why we have such arbitrary static i_ino for most
> > > inodes in /selinux but it looks to me like we let avc, booleans, and all
> > > inodes inside avc pick up their i_ino from new_inode() as:
> > >
> > > inode->i_ino = ++last_ino;
> > >
> > > (now initial_sids is going to get its i_ino from last_ino). If /selinux
> > > were created at the wrong time such that last_ino was the same as one of
> > > the static i_ino ranges we use for /selinux we could have a collision.
> > > Talking with a FS guy he seemed to think the worst case a collision
> > > would cause userspace to mess up hard link detection (which we shouldn't
> > > really have in /selinux) but this seems like something we want to fix.
> > > I guess that is actually not something that needs to be fixed for this
> > > patch so I'm happy enough with this patch.
> >
> > simple_fill_super() also calls new_inode() for each of the inodes in the
> > tree_descr (and then goes on to overwrite inode->i_ino with the index
> > value), so last_ino should be guaranteed to be above the range of the
> > fixed inodes before we proceed to create the rest of the inodes. Right?
>
> Correct, the inodes not explicitly numbered will never conflict with
> those created by simple_fill_super. But notice that last_ino is global
> (not per SB) and so there is no guarantee that last_ino is not going to
> be of a size (thanks to other FS's that are mounted and used new_inode
> before selinuxfs) that it starts to bump into the space used by other
> things. If very very few inodes were created by other FS's we could
> land in the range used by the booleans (30+boolean number) or if lots
> and lots of inodes were created we could land in the range used by
> initial sids (0x01000000 + sid). While I agree there is a whole lot of
> space in the middle to land in I still think collision is possible.
>
> Note that on my system this range of free assignment lies between about
> 322 and 328 but since it is dictated by inodes created in FS's outside
> of selinux FS we have no way to guarantee that it can't fall into one of
> those static zones of inodes.
Ok, so explicitly setting i_ino in all cases would make sense to prevent
such collisions, as well as moving up the base for the booleans.
jwcart2 already has a patch in the works for the latter.
--
Stephen Smalley
National Security Agency
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: KaiGai Kohei @ 2007-04-06 6:44 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux, Steve Smalley, James Morris, Eric Paris, Eamon Walsh
James Carter wrote:
> Make the initial SID contexts accessible to userspace via selinuxfs.
> An initial use of this support will be to make the unlabeled context
> available to libselinux for use for invalidated userspace SIDs.
>
> This version fixes the problem with the for loop that Steve pointed out,
> and changes the flow of security_get_initial_sid_context so that the if
> clause checks for the error condition and uses unlikely().
>
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The attached patch enables access to /selinux/initial_contexts/*
entries via libselinux.
It adds the following two functions:
int getinitsidcon(int init_sid, security_context_t * con);
int getinitsidcon_raw(int init_sid, security_context_t * con);
You have to specify init_sid with one of SECINITSID_* in selinux/flask.h.
Thanks,
--
Open Source Software Promotion Center, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: getinitsidcon.patch --]
[-- Type: text/x-patch, Size: 4000 bytes --]
Index: libselinux/include/selinux/selinux.h
===================================================================
--- libselinux/include/selinux/selinux.h (revision 2324)
+++ libselinux/include/selinux/selinux.h (working copy)
@@ -119,6 +119,11 @@
extern int getpeercon(int fd, security_context_t * con);
extern int getpeercon_raw(int fd, security_context_t * con);
+/* Get context of initial SID, and set *con to refer to it.
+ Caller must free via freecon. */
+ extern int getinitsidcon(int init_sid, security_context_t * con);
+ extern int getinitsidcon_raw(int init_sid, security_context_t * con);
+
/* Wrappers for the selinuxfs (policy) API. */
typedef unsigned int access_vector_t;
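Review bot: the two `+ extern int getinitsidcon...` lines appear indented one column deeper than the `extern int getpeercon...` lines they sit under; align them. The comment above them should also say what `init_sid` is, namely one of the SECINITSID_* values from selinux/flask.h as the cover mail explains, since nothing in the header otherwise tells a caller which range is valid or that values outside it fail with EINVAL.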
Index: libselinux/src/initial_sid_to_string.h
===================================================================
--- libselinux/src/initial_sid_to_string.h (revision 0)
+++ libselinux/src/initial_sid_to_string.h (revision 0)
@@ -0,0 +1,33 @@
+/* This file is automatically generated. Do not edit. */
+static char *initial_sid_to_string[] =
+{
+ "null",
+ "kernel",
+ "security",
+ "unlabeled",
+ "fs",
+ "file",
+ "file_labels",
+ "init",
+ "any_socket",
+ "port",
+ "netif",
+ "netmsg",
+ "node",
+ "igmp_packet",
+ "icmp_socket",
+ "tcp_socket",
+ "sysctl_modprobe",
+ "sysctl",
+ "sysctl_fs",
+ "sysctl_kernel",
+ "sysctl_net",
+ "sysctl_net_unix",
+ "sysctl_vm",
+ "sysctl_dev",
+ "kmod",
+ "policy",
+ "scmp_packet",
+ "devnull",
+};
+
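Review bot: `static char *initial_sid_to_string[]` points at string literals, so declare it `static const char *const initial_sid_to_string[]` to stop anything writing through it and let the compiler put it in read-only data. Because this is a second copy of the kernel's table (the "automatically generated" comment suggests it comes from the same source), record in that comment where it is generated from: a mismatch between the two tables silently maps a SID to the wrong selinuxfs file name.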
Index: libselinux/src/getinitsidcon.c
===================================================================
--- libselinux/src/getinitsidcon.c (revision 0)
+++ libselinux/src/getinitsidcon.c (revision 0)
@@ -0,0 +1,62 @@
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <selinux/flask.h>
+#include <limits.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include "initial_sid_to_string.h"
+
+int getinitsidcon_raw(int init_sid, security_context_t * con)
+{
+ security_context_t initcon;
+ char path[PATH_MAX];
+ int fd, n;
+
+ if (init_sid < 1 || init_sid > SECINITSID_NUM) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (!selinux_mnt) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ snprintf(path, sizeof(path), "%s/initial_contexts/%s",
+ selinux_mnt, initial_sid_to_string[init_sid]);
+ fd = open(path, O_RDONLY);
+ if (fd < 0)
+ return -1;
+
+ n = read(fd, path, sizeof(path));
+ close(fd);
+ if (n < 0)
+ return -1;
+
+ initcon = strdup(path);
+ if (!initcon)
+ return -1;
+
+ *con = initcon;
+
+ return 0;
+}
+
+int getinitsidcon(int init_sid, security_context_t * con)
+{
+ int rc;
+ security_context_t rcontext;
+
+ rc = getinitsidcon_raw(init_sid, &rcontext);
+
+ if (!rc) {
+ rc = selinux_raw_to_trans_context(rcontext, con);
+ freecon(rcontext);
+ }
+
+ return rc;
+}
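Review bot: `n = read(fd, path, sizeof(path));` followed by `initcon = strdup(path);` relies on the bytes the kernel returns ending in a NUL; nothing in this function guarantees that, the earlier path string is still in the buffer past offset n, and if the read fills the whole buffer `strdup()` runs off its end. Read at most `sizeof(path) - 1` bytes, set `path[n] = '\0'`, and treat `n == 0` as a failure. Also, `close(fd)` after a failed `read()` can overwrite errno before the `return -1`, so save it across the close.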
Index: libselinux/man/man3/getcon.3
===================================================================
--- libselinux/man/man3/getcon.3 (revision 2324)
+++ libselinux/man/man3/getcon.3 (working copy)
@@ -16,6 +16,8 @@
.br
.BI "int getpeercon(int " fd ", security_context_t *" context);
.br
+.BI "int getinitsidcon(int " init_sid ", security_context_t *" context);
+.br
.BI "int setcon(security_context_t " context);
.SH "DESCRIPTION"
@@ -32,6 +34,9 @@
.B getpeercon
retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
+.B getinitsidcon
+retrieves context of initial SID, and set *context to refer to it, which must be free'd with freecon.
+
.B setcon
sets the current security context of the process to a new value. Note
that use of this function requires that the entire application be
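Review bot: the SYNOPSIS addition lists only `getinitsidcon`, not the `getinitsidcon_raw` variant the header adds, and the new DESCRIPTION entry does not say which values `init_sid` accepts (SECINITSID_* from selinux/flask.h) or that EINVAL is returned for anything outside that range; add both so the man page matches the implementation.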
Index: libselinux/man/man3/getinitsidcon.3
===================================================================
--- libselinux/man/man3/getinitsidcon.3 (revision 0)
+++ libselinux/man/man3/getinitsidcon.3 (revision 0)
@@ -0,0 +1 @@
+.so man3/getcon.3
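Review bot: only a `getinitsidcon.3` link page is added; if the other `_raw` functions have link pages, `getinitsidcon_raw.3` needs the same `.so man3/getcon.3` stub so that `man getinitsidcon_raw` resolves.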
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: James Carter @ 2007-04-06 15:07 UTC (permalink / raw)
To: KaiGai Kohei
Cc: SELinux, Steve Smalley, James Morris, Eric Paris, Eamon Walsh
On Fri, 2007-04-06 at 15:44 +0900, KaiGai Kohei wrote:
> James Carter wrote:
> > Make the initial SID contexts accessible to userspace via selinuxfs.
> > An initial use of this support will be to make the unlabeled context
> > available to libselinux for use for invalidated userspace SIDs.
> >
> > This version fixes the problem with the for loop that Steve pointed out,
> > and changes the flow of security_get_initial_sid_context so that the if
> > clause checks for the error condition and uses unlikely().
> >
> > Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
>
> The attached patch enables access to the /selinux/initial_contexts/*
> entries via libselinux.
> It adds the following two functions:
> int getinitsidcon(int init_sid, security_context_t * con);
> int getinitsidcon_raw(int init_sid, security_context_t * con);
>
> You have to specify init_sid as one of the SECINITSID_* values in selinux/flask.h.
>
I have been working on a patch to libselinux that would add the
functions security_get_initial_context(),
security_get_initial_context_raw() and avc_get_initial_sid().
I was just planning on passing a string, like "unlabeled", to the
functions rather than a kernel initial SID, because I wanted to avoid
confusion between kernel's SIDs, which are u32, and userspace SIDs,
which are reference-counted structs.
I know that SEPostgreSQL uses its object id type as the SID. If
userspace used unsigned integers for SIDs, then only a sid_to_context
function would be needed; it would do the right thing if the SID was in
the range of the kernel initial SIDs.
Do we need to revisit how userspace SIDs are managed? Are there other
places where it would be better to have the object manager determine the
SID, so that it can be meaningful, rather than the userspace AVC?
What do you think Eamon?
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
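Worked example, added here and not part of the thread, of KaiGai's patch, or of the libselinux API James Carter describes: how a userspace object manager in the SE-PostgreSQL position would consume the initial_contexts directory the kernel patch exports, resolving its own persistent SIDs the way James's "only a sid_to_context function would be needed" sketch suggests and substituting the unlabeled context for a SID whose stored context the reloaded policy no longer accepts. Assumptions: selinuxfs is mounted at /sys/fs/selinux (it was /selinux when this thread was written), the SID table and the sepgsql_* type names are constructed, and demo_context_valid() stands in for libselinux's security_check_context(3), which real code would call instead.

```c
/* Added example (not KaiGai's libselinux patch nor James Carter's proposed
 * security_get_initial_context()): a userspace object manager resolves its
 * own persistent SIDs to contexts and, when a stored context is no longer
 * valid under the loaded policy, substitutes the kernel's "unlabeled" initial
 * context read from the initial_contexts directory the patch adds to
 * selinuxfs.  Type names and the SID table below are constructed. */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Initial SID names are short lowercase identifiers ("unlabeled", "any_socket").
 * Reject anything else before building a path, so a caller-supplied name can
 * never walk out of initial_contexts/. */
int initial_sid_name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!islower(c) && !isdigit(c) && c != '_') return 0;
    }
    return 1;
}

/* Read <fsdir>/initial_contexts/<name> into buf; fsdir is the selinuxfs mount
 * (/sys/fs/selinux today, /selinux when this patch was posted).  Returns the
 * context length, or -1 with errno: EINVAL for a bad name, ENOENT when the
 * file or the mount is missing (e.g. a kernel without this patch). */
ssize_t read_initial_context(const char *fsdir, const char *name, char *buf, size_t len)
{
    char path[256];
    if (!initial_sid_name_ok(name)) { errno = EINVAL; return -1; }
    if (snprintf(path, sizeof path, "%s/initial_contexts/%s", fsdir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG; return -1;
    }
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;
    close(fd);
    if (n < 0) { errno = saved; return -1; }
    buf[n] = '\0';
    if (n > 0 && buf[n - 1] == '\n') buf[--n] = '\0';   /* tolerate a trailing newline */
    return n;
}

/* The object manager's own SID space (e.g. SE-PostgreSQL OIDs), not kernel u32 SIDs. */
struct persistent_sid { unsigned int sid; const char *context; };

/* Context validity under the current policy; real code wraps security_check_context(3). */
typedef int (*context_valid_fn)(const char *context);

/* Resolve sid into out.  Returns 1 if the stored context was used, 0 if it was
 * unknown or invalid and unlabeled was substituted, -1 (ERANGE) if out is too small. */
int sid_to_context(const struct persistent_sid *table, size_t n, unsigned int sid,
                   context_valid_fn is_valid, const char *unlabeled, char *out, size_t outlen)
{
    const char *ctx = NULL;
    for (size_t i = 0; i < n; i++)
        if (table[i].sid == sid) { ctx = table[i].context; break; }
    int usable = ctx != NULL && is_valid(ctx);
    const char *chosen = usable ? ctx : unlabeled;
    if (strlen(chosen) >= outlen) { errno = ERANGE; return -1; }
    strcpy(out, chosen);
    return usable;
}

/* Constructed stand-in for security_check_context(3): user:role:type[:range]
 * whose type was not dropped by a hypothetical policy reload. */
static const char *const dropped_types[] = { "sepgsql_legacy_table_t", NULL };
int demo_context_valid(const char *context)
{
    char user[64], role[64], type[64];
    if (sscanf(context, "%63[^:]:%63[^:]:%63[^:]", user, role, type) != 3) return 0;
    for (int i = 0; dropped_types[i]; i++)
        if (strcmp(type, dropped_types[i]) == 0) return 0;
    return 1;
}

/* Constructed sample table; SID 3 carries a type the reloaded policy lacks. */
static const struct persistent_sid demo_table[] = {
    { 1, "system_u:object_r:sepgsql_table_t:s0" },
    { 2, "system_u:object_r:sepgsql_proc_t:s0" },
    { 3, "system_u:object_r:sepgsql_legacy_table_t:s0" },
};

int main(void)
{
    char unlabeled[4096], ctx[4096];
    if (read_initial_context("/sys/fs/selinux", "unlabeled", unlabeled, sizeof unlabeled) < 0) {
        perror("initial_contexts/unlabeled");
        return 1;
    }
    for (unsigned int sid = 1; sid <= 4; sid++) {
        int r = sid_to_context(demo_table, 3, sid, demo_context_valid, unlabeled, ctx, sizeof ctx);
        printf("sid %u -> %s%s\n", sid, ctx, r == 0 ? "  (fell back to unlabeled)" : "");
    }
    return 0;
}
```

Build with `cc -o initcon initcon.c`. On a kernel that carries this patch it prints SIDs 1 and 2 with their stored contexts and SIDs 3 and 4 collapsed to whatever the loaded policy names as the unlabeled context; without selinuxfs it exits reporting the missing file rather than guessing a context. The name check runs before any path is built, which is what stops a name taken from the database from selecting some other selinuxfs node.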
* Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)
From: KaiGai Kohei @ 2007-04-09 3:14 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux, Steve Smalley, James Morris, Eric Paris, Eamon Walsh
> I have been working on a patch to libselinux that would add the
> functions security_get_initial_context(),
> security_get_initial_context_raw() and avc_get_initial_sid() functions.
> I was just planning on passing a string, like "unlabeled", to the
> functions rather than a kernel initial SID, because I wanted to avoid
> confusion between kernel's SIDs, which are u32, and userspace SIDs,
> which are reference-counted structs.
I don't have any objection about the type of the argument variables, and it
seems fair enough to me. :)
SE-PostgreSQL will be able to handle the initial SID context in either way.
> I know that SEPostgreSQL uses its object id type as the SID. If
> userspace used unsigned integers for SIDs, then only a sid_to_context
> function would be needed; it would do the right thing if the SID was in
> the range of the kernel initial SIDs.
SE-PostgreSQL will call your new API only when a security context
associated with a persistent SID is invalid, to obtain "unlabeled"
context.
It has a completely separate mapping between kernel initial SIDs and
SE-PostgreSQL's persistent SIDs, so there is no reason to restrict
the type of its arguments.
Thanks,
> Do we need to revisit how userspace SIDs are managed? Are there other
> places were it would be better to have the object manager determine the
> SID, so that it can be meaningful, rather than the userspace AVC?
> What do you think Eamon?
--
Open Source Software Promotion Center, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
Thread overview: 11+ messages
2007-04-04 14:11 [patch] selinux: export initial SID contexts via selinuxfs (v2) James Carter
2007-04-04 15:23 ` Stephen Smalley
2007-04-04 16:17 ` Eric Paris
2007-04-04 17:00 ` Stephen Smalley
2007-04-04 17:15 ` James Morris
2007-04-04 17:22 ` Eric Paris
2007-04-04 17:27 ` Stephen Smalley
2007-04-04 17:23 ` James Morris
2007-04-06 6:44 ` KaiGai Kohei
2007-04-06 15:07 ` James Carter
2007-04-09 3:14 ` KaiGai Kohei