Re: [RFC PATCH v2 1/2] [SELINUX] Add a capabilities bitmap to SELinux policy version 22

[Joshua Brindle <method@manicmethod.com>]

Stephen Smalley wrote:
> On Wed, 2007-09-26 at 18:24 -0400, Joshua Brindle wrote:
>   
>> Paul Moore wrote:
>>     
>>> Add a new policy capabilities bitmap to SELinux policy version 22.  This bitmap
>>> will enable the security server to query the policy to determine which features
>>> it supports.
>>> ---
>>>
>>>  security/selinux/include/security.h |   15 +++++-
>>>  security/selinux/selinuxfs.c        |   90 +++++++++++++++++++++++++++++++++--
>>>  security/selinux/ss/policydb.c      |   18 +++++++
>>>  security/selinux/ss/policydb.h      |    2 +
>>>  security/selinux/ss/services.c      |   39 +++++++++++++++
>>>  5 files changed, 158 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
>>> index 83bdd4d..d7e6ed2 100644
>>> --- a/security/selinux/include/security.h
>>> +++ b/security/selinux/include/security.h
>>> @@ -25,13 +25,14 @@
>>>  #define POLICYDB_VERSION_MLS		19
>>>  #define POLICYDB_VERSION_AVTAB		20
>>>  #define POLICYDB_VERSION_RANGETRANS	21
>>> +#define POLICYDB_VERSION_CAPBITMAP	22
>>>  
>>>   
>>>       
>> I didn't like this name (I almost used it myself) because it sounds like 
>> we are doing something with linux capabilities, I ended up using 
>> POLICYDB_VERSION_PCAPS (for policy capabilities)
>>     
>
> Doesn't help much; PCAP sounds like process capabilities, and
> CAP_SETPCAP ;)  I don't think the name matters either way.
>
>   

Fair enough, I'll just use what Paul does next time he releases a 
patchset (no pressure on you to pick the perfect name Paul ;) )

>>>  /* Range of policy versions we understand*/
>>>  #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
>>>  #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
>>>  #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
>>>  #else
>>> -#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS
>>> +#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_CAPBITMAP
>>>  #endif
>>>  
>>>  struct netlbl_lsm_secattr;
>>> @@ -39,8 +40,19 @@ struct netlbl_lsm_secattr;
>>>  extern int selinux_enabled;
>>>  extern int selinux_mls_enabled;
>>>  
>>> +/* Policy capabilities */
>>> +enum {
>>> +	POLICYDB_CAPABILITY_NETPEER,
>>> +	__POLICYDB_CAPABILITY_MAX
>>> +};
>>> +#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
>>> +
>>>   
>>>       
>> Hrm, I just used an ebitmap and didn't set a max at all.
>>     
>
> ebitmaps are a security server internal construct; you have to export
> them in a different form to users of the security server, like
> selinuxfs, the hook functions, etc.  Or you'd have to move them out a
> layer.
>
>
>   

Oops, yea, I forgot that ebitmaps were private to the security server, 
disregard all comments pertaining to them :)


>> Shouldn't this just check if policyvers > POLICYDB_VERSION_CAPBITMAP? it 
>> could be inlined too.
>>     
>
> It can't be inlined as it is a security server interface.
>
> I suppose you could check the version first to see if it is < 22 and
> always return 0 in that case without having to take the rdlock.
>
> You could also extract the first word of the bitmap to a simple unsigned
> long in the policydb at load time and do a direct bit test on it if
> req_cap < (sizeof(unsigned long) * 8), without taking policy rdlock.
>
>   



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.