* [RFC][PATCH] selinux: support 64-bit capabilities
@ 2008-02-06 16:22 Stephen Smalley
2008-02-06 17:15 ` Serge E. Hallyn
2008-02-06 18:28 ` Stephen Smalley
0 siblings, 2 replies; 11+ messages in thread
From: Stephen Smalley @ 2008-02-06 16:22 UTC (permalink / raw)
To: selinux; +Cc: James Morris, Eric Paris, Serge E. Hallyn
64-bit capability support has gone into mainline.
Update SELinux to correctly handle 64-bit capabilities.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e5ed075..fa4b021 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1278,6 +1278,8 @@ static int task_has_capability(struct task_struct *tsk,
{
struct task_security_struct *tsec;
struct avc_audit_data ad;
+ u16 sclass;
+ u32 av = CAP_TO_MASK(cap);
tsec = tsk->security;
@@ -1285,8 +1287,17 @@ static int task_has_capability(struct task_struct *tsk,
ad.tsk = tsk;
ad.u.cap = cap;
- return avc_has_perm(tsec->sid, tsec->sid,
- SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
+ switch (CAP_TO_INDEX(cap)) {
+ case 0:
+ sclass = SECCLASS_CAPABILITY;
+ break;
+ case 1:
+ sclass = SECCLASS_CAPABILITY2;
+ break;
+ default:
+ return -EPERM;
+ }
+ return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
}
/* Check whether a task is allowed to use a system operation. */
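Review bot: the default case in task_has_capability() fails closed silently: a capability with CAP_TO_INDEX(cap) outside 0..1 is denied with -EPERM even in permissive mode and nothing is logged, so a capability added to mainline without a matching SELinux update would surface only as unexplained denials. Consider logging the unknown capability there (rate-limited, since this path can be hit in a tight loop) and honouring permissive mode, or move the assumption to build time by checking CAP_TO_INDEX(CAP_LAST_CAP) <= 1 when the kernel is compiled so the default case cannot be reached.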
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 399f868..d569669 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -132,6 +132,9 @@
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
+ S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
+ S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
+ S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index 84c9abc..75b4131 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -533,6 +533,9 @@
#define CAPABILITY__LEASE 0x10000000UL
#define CAPABILITY__AUDIT_WRITE 0x20000000UL
#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
+#define CAPABILITY__SETFCAP 0x80000000UL
+#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
+#define CAPABILITY2__MAC_ADMIN 0x00000002UL
#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
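Review bot: CAPABILITY__SETFCAP 0x80000000UL takes the last free bit of the 32-bit capability access vector and the two capability2 permissions restart at 0x00000001UL; this is only correct because av in hooks.c comes from CAP_TO_MASK(cap), i.e. the bit position of each CAPABILITY*__ define must equal the capability number within its 32-bit word. A one-line comment stating that invariant next to these defines would help whoever adds the next capability, since nothing here otherwise ties the bit positions to the kernel's numbering.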
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index b1b0d1d..bd813c3 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -71,3 +71,4 @@
S_(NULL)
S_(NULL)
S_("peer")
+ S_("capability2")
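Review bot: class_to_string.h is indexed by SECCLASS value, so appending S_("capability2") directly after S_("peer") is what gives it index 69, matching SECCLASS_CAPABILITY2 69 in flask.h; the S_(NULL) entries above it exist only to keep that alignment. Worth a comment at the insertion point, as the table itself gives no hint that position equals class id and a future class appended in the wrong slot would be mis-named in audit output.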
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index 09e9dd2..febf886 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -51,6 +51,7 @@
#define SECCLASS_DCCP_SOCKET 60
#define SECCLASS_MEMPROTECT 61
#define SECCLASS_PEER 68
+#define SECCLASS_CAPABILITY2 69
/*
* Security identifier indices for initial entities
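Review bot: SECCLASS_CAPABILITY2 69 hard-codes a class index that the loaded policy must also use, and flask.h is a generated header; the class should be reserved at the same position in the policy's class list and the headers regenerated from it, rather than patched by hand, so that kernel and policy cannot drift apart on the meaning of class 69.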
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-06 16:22 [RFC][PATCH] selinux: support 64-bit capabilities Stephen Smalley
@ 2008-02-06 17:15 ` Serge E. Hallyn
2008-02-06 18:28 ` Stephen Smalley
1 sibling, 0 replies; 11+ messages in thread
From: Serge E. Hallyn @ 2008-02-06 17:15 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, James Morris, Eric Paris, Serge E. Hallyn
Thanks, Stephen.
I'd thought setfcap was already there, hence my only sending the patch
for refpolicy...
thanks,
-serge
Quoting Stephen Smalley (sds@tycho.nsa.gov):
> 64-bit capability support has gone into mainline.
> Update SELinux to correctly handle 64-bit capabilities.
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e5ed075..fa4b021 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1278,6 +1278,8 @@ static int task_has_capability(struct task_struct *tsk,
> {
> struct task_security_struct *tsec;
> struct avc_audit_data ad;
> + u16 sclass;
> + u32 av = CAP_TO_MASK(cap);
>
> tsec = tsk->security;
>
> @@ -1285,8 +1287,17 @@ static int task_has_capability(struct task_struct *tsk,
> ad.tsk = tsk;
> ad.u.cap = cap;
>
> - return avc_has_perm(tsec->sid, tsec->sid,
> - SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
> + switch (CAP_TO_INDEX(cap)) {
> + case 0:
> + sclass = SECCLASS_CAPABILITY;
> + break;
> + case 1:
> + sclass = SECCLASS_CAPABILITY2;
> + break;
> + default:
> + return -EPERM;
> + }
> + return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
> }
>
> /* Check whether a task is allowed to use a system operation. */
> diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
> index 399f868..d569669 100644
> --- a/security/selinux/include/av_perm_to_string.h
> +++ b/security/selinux/include/av_perm_to_string.h
> @@ -132,6 +132,9 @@
> S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
> S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
> S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
> + S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
> + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
> + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
> S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
> S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
> S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
> diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
> index 84c9abc..75b4131 100644
> --- a/security/selinux/include/av_permissions.h
> +++ b/security/selinux/include/av_permissions.h
> @@ -533,6 +533,9 @@
> #define CAPABILITY__LEASE 0x10000000UL
> #define CAPABILITY__AUDIT_WRITE 0x20000000UL
> #define CAPABILITY__AUDIT_CONTROL 0x40000000UL
> +#define CAPABILITY__SETFCAP 0x80000000UL
> +#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
> +#define CAPABILITY2__MAC_ADMIN 0x00000002UL
> #define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
> #define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
> #define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
> diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
> index b1b0d1d..bd813c3 100644
> --- a/security/selinux/include/class_to_string.h
> +++ b/security/selinux/include/class_to_string.h
> @@ -71,3 +71,4 @@
> S_(NULL)
> S_(NULL)
> S_("peer")
> + S_("capability2")
> diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
> index 09e9dd2..febf886 100644
> --- a/security/selinux/include/flask.h
> +++ b/security/selinux/include/flask.h
> @@ -51,6 +51,7 @@
> #define SECCLASS_DCCP_SOCKET 60
> #define SECCLASS_MEMPROTECT 61
> #define SECCLASS_PEER 68
> +#define SECCLASS_CAPABILITY2 69
>
> /*
> * Security identifier indices for initial entities
>
> --
> Stephen Smalley
> National Security Agency
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-06 16:22 [RFC][PATCH] selinux: support 64-bit capabilities Stephen Smalley
2008-02-06 17:15 ` Serge E. Hallyn
@ 2008-02-06 18:28 ` Stephen Smalley
2008-02-07 0:04 ` James Morris
` (2 more replies)
1 sibling, 3 replies; 11+ messages in thread
From: Stephen Smalley @ 2008-02-06 18:28 UTC (permalink / raw)
To: selinux; +Cc: James Morris, Eric Paris, Serge E. Hallyn
On Wed, 2008-02-06 at 11:22 -0500, Stephen Smalley wrote:
> 64-bit capability support has gone into mainline.
> Update SELinux to correctly handle 64-bit capabilities.
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e5ed075..fa4b021 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1278,6 +1278,8 @@ static int task_has_capability(struct task_struct *tsk,
> {
> struct task_security_struct *tsec;
> struct avc_audit_data ad;
> + u16 sclass;
> + u32 av = CAP_TO_MASK(cap);
>
> tsec = tsk->security;
>
> @@ -1285,8 +1287,17 @@ static int task_has_capability(struct task_struct *tsk,
> ad.tsk = tsk;
> ad.u.cap = cap;
>
> - return avc_has_perm(tsec->sid, tsec->sid,
> - SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
> + switch (CAP_TO_INDEX(cap)) {
> + case 0:
> + sclass = SECCLASS_CAPABILITY;
> + break;
> + case 1:
> + sclass = SECCLASS_CAPABILITY2;
> + break;
> + default:
> + return -EPERM;
Should likely make this something like:
printk(KERN_WARNING "SELinux: unknown capability %d\n", cap);
if (selinux_enforcing)
return -EPERM;
else
return 0;
Then, if/when people introduce capabilities without updating SELinux,
we'll get a warning but permissive mode will allow the operation to
proceed.
> + }
> + return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
> }
>
> /* Check whether a task is allowed to use a system operation. */
> diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
> index 399f868..d569669 100644
> --- a/security/selinux/include/av_perm_to_string.h
> +++ b/security/selinux/include/av_perm_to_string.h
> @@ -132,6 +132,9 @@
> S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
> S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
> S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
> + S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
> + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
> + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
> S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
> S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
> S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
> diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
> index 84c9abc..75b4131 100644
> --- a/security/selinux/include/av_permissions.h
> +++ b/security/selinux/include/av_permissions.h
> @@ -533,6 +533,9 @@
> #define CAPABILITY__LEASE 0x10000000UL
> #define CAPABILITY__AUDIT_WRITE 0x20000000UL
> #define CAPABILITY__AUDIT_CONTROL 0x40000000UL
> +#define CAPABILITY__SETFCAP 0x80000000UL
> +#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
> +#define CAPABILITY2__MAC_ADMIN 0x00000002UL
> #define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
> #define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
> #define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
> diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
> index b1b0d1d..bd813c3 100644
> --- a/security/selinux/include/class_to_string.h
> +++ b/security/selinux/include/class_to_string.h
> @@ -71,3 +71,4 @@
> S_(NULL)
> S_(NULL)
> S_("peer")
> + S_("capability2")
> diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
> index 09e9dd2..febf886 100644
> --- a/security/selinux/include/flask.h
> +++ b/security/selinux/include/flask.h
> @@ -51,6 +51,7 @@
> #define SECCLASS_DCCP_SOCKET 60
> #define SECCLASS_MEMPROTECT 61
> #define SECCLASS_PEER 68
> +#define SECCLASS_CAPABILITY2 69
>
> /*
> * Security identifier indices for initial entities
>
--
Stephen Smalley
National Security Agency
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-06 18:28 ` Stephen Smalley
@ 2008-02-07 0:04 ` James Morris
2008-02-07 13:53 ` Stephen Smalley
2008-02-07 0:52 ` Joshua Brindle
2008-02-07 6:22 ` James Morris
2 siblings, 1 reply; 11+ messages in thread
From: James Morris @ 2008-02-07 0:04 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, Eric Paris, Serge E. Hallyn
On Wed, 6 Feb 2008, Stephen Smalley wrote:
>
> > + switch (CAP_TO_INDEX(cap)) {
> > + case 0:
> > + sclass = SECCLASS_CAPABILITY;
> > + break;
> > + case 1:
> > + sclass = SECCLASS_CAPABILITY2;
> > + break;
> > + default:
> > + return -EPERM;
>
> Should likely make this something like:
> printk(KERN_WARNING "SELinux: unknown capability %d\n", cap);
> if (selinux_enforcing)
> return -EPERM;
> else
> return 0;
>
> Then, if/when people introduce capabilities without updating SELinux,
> we'll get a warning but permissive mode will allow the operation to
> proceed.
Agreed, perhaps also suggest upgrading policy in the message.
>
> > + }
> > + return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
> > }
> >
> > /* Check whether a task is allowed to use a system operation. */
> > diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
> > index 399f868..d569669 100644
> > --- a/security/selinux/include/av_perm_to_string.h
> > +++ b/security/selinux/include/av_perm_to_string.h
> > @@ -132,6 +132,9 @@
> > S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
> > S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
> > S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
> > + S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
> > + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
> > + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
> > S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
> > S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
> > S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
> > diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
> > index 84c9abc..75b4131 100644
> > --- a/security/selinux/include/av_permissions.h
> > +++ b/security/selinux/include/av_permissions.h
> > @@ -533,6 +533,9 @@
> > #define CAPABILITY__LEASE 0x10000000UL
> > #define CAPABILITY__AUDIT_WRITE 0x20000000UL
> > #define CAPABILITY__AUDIT_CONTROL 0x40000000UL
> > +#define CAPABILITY__SETFCAP 0x80000000UL
> > +#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
> > +#define CAPABILITY2__MAC_ADMIN 0x00000002UL
> > #define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
> > #define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
> > #define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
> > diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
> > index b1b0d1d..bd813c3 100644
> > --- a/security/selinux/include/class_to_string.h
> > +++ b/security/selinux/include/class_to_string.h
> > @@ -71,3 +71,4 @@
> > S_(NULL)
> > S_(NULL)
> > S_("peer")
> > + S_("capability2")
> > diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
> > index 09e9dd2..febf886 100644
> > --- a/security/selinux/include/flask.h
> > +++ b/security/selinux/include/flask.h
> > @@ -51,6 +51,7 @@
> > #define SECCLASS_DCCP_SOCKET 60
> > #define SECCLASS_MEMPROTECT 61
> > #define SECCLASS_PEER 68
> > +#define SECCLASS_CAPABILITY2 69
> >
> > /*
> > * Security identifier indices for initial entities
> >
>
--
James Morris
<jmorris@namei.org>
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-06 18:28 ` Stephen Smalley
2008-02-07 0:04 ` James Morris
@ 2008-02-07 0:52 ` Joshua Brindle
2008-02-07 13:55 ` Stephen Smalley
2008-02-07 6:22 ` James Morris
2 siblings, 1 reply; 11+ messages in thread
From: Joshua Brindle @ 2008-02-07 0:52 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, James Morris, Eric Paris, Serge E. Hallyn
Stephen Smalley wrote:
> On Wed, 2008-02-06 at 11:22 -0500, Stephen Smalley wrote:
>
>> 64-bit capability support has gone into mainline.
>> Update SELinux to correctly handle 64-bit capabilities.
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index e5ed075..fa4b021 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -1278,6 +1278,8 @@ static int task_has_capability(struct task_struct *tsk,
>> {
>> struct task_security_struct *tsec;
>> struct avc_audit_data ad;
>> + u16 sclass;
>> + u32 av = CAP_TO_MASK(cap);
>>
>> tsec = tsk->security;
>>
>> @@ -1285,8 +1287,17 @@ static int task_has_capability(struct task_struct *tsk,
>> ad.tsk = tsk;
>> ad.u.cap = cap;
>>
>> - return avc_has_perm(tsec->sid, tsec->sid,
>> - SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
>> + switch (CAP_TO_INDEX(cap)) {
>> + case 0:
>> + sclass = SECCLASS_CAPABILITY;
>> + break;
>> + case 1:
>> + sclass = SECCLASS_CAPABILITY2;
>> + break;
>> + default:
>> + return -EPERM;
>>
>
> Should likely make this something like:
> printk(KERN_WARNING "SELinux: unknown capability %d\n", cap);
> if (selinux_enforcing)
> return -EPERM;
> else
> return 0;
>
> Then, if/when people introduce capabilities without updating SELinux,
> we'll get a warning but permissive mode will allow the operation to
> proceed.
>
>
Are we going to do some magic in the toolchain to treat caps as 1 class
in source policy but split it up in binary? I remember that being a
possibility at some point.
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-06 18:28 ` Stephen Smalley
2008-02-07 0:04 ` James Morris
2008-02-07 0:52 ` Joshua Brindle
@ 2008-02-07 6:22 ` James Morris
2 siblings, 0 replies; 11+ messages in thread
From: James Morris @ 2008-02-07 6:22 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, Eric Paris, Serge E. Hallyn
On Wed, 6 Feb 2008, Stephen Smalley wrote:
> Should likely make this something like:
> printk(KERN_WARNING "SELinux: unknown capability %d\n", cap);
> if (selinux_enforcing)
> return -EPERM;
Also, make this printk_ratelimit() to prevent DoS.
--
James Morris
<jmorris@namei.org>
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-07 0:04 ` James Morris
@ 2008-02-07 13:53 ` Stephen Smalley
2008-02-07 14:03 ` Serge E. Hallyn
0 siblings, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2008-02-07 13:53 UTC (permalink / raw)
To: James Morris; +Cc: selinux, Eric Paris, Serge E. Hallyn
On Thu, 2008-02-07 at 11:04 +1100, James Morris wrote:
> On Wed, 6 Feb 2008, Stephen Smalley wrote:
>
> >
> > > + switch (CAP_TO_INDEX(cap)) {
> > > + case 0:
> > > + sclass = SECCLASS_CAPABILITY;
> > > + break;
> > > + case 1:
> > > + sclass = SECCLASS_CAPABILITY2;
> > > + break;
> > > + default:
> > > + return -EPERM;
> >
> > Should likely make this something like:
> > printk(KERN_WARNING "SELinux: unknown capability %d\n", cap);
> > if (selinux_enforcing)
> > return -EPERM;
> > else
> > return 0;
> >
> > Then, if/when people introduce capabilities without updating SELinux,
> > we'll get a warning but permissive mode will allow the operation to
> > proceed.
>
> Agreed, perhaps also suggest upgrading policy in the message.
Policy upgrade won't help in that case - it requires code changes to
allow SELinux to deal with higher capabilities beyond its supported
range (the printk here is in the default: case, where we've gone beyond
CAP_INDEX() of 0 or 1, i.e. capability value >= 64).
Alternatively, possibly we could cause a build failure in some way if
CAP_INDEX(CAP_LAST_CAP) > 1, and make the default case a BUG().
> >
> > > + }
> > > + return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
> > > }
> > >
> > > /* Check whether a task is allowed to use a system operation. */
> > > diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
> > > index 399f868..d569669 100644
> > > --- a/security/selinux/include/av_perm_to_string.h
> > > +++ b/security/selinux/include/av_perm_to_string.h
> > > @@ -132,6 +132,9 @@
> > > S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
> > > S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
> > > S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
> > > + S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
> > > + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
> > > + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
> > > S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
> > > S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
> > > S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
> > > diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
> > > index 84c9abc..75b4131 100644
> > > --- a/security/selinux/include/av_permissions.h
> > > +++ b/security/selinux/include/av_permissions.h
> > > @@ -533,6 +533,9 @@
> > > #define CAPABILITY__LEASE 0x10000000UL
> > > #define CAPABILITY__AUDIT_WRITE 0x20000000UL
> > > #define CAPABILITY__AUDIT_CONTROL 0x40000000UL
> > > +#define CAPABILITY__SETFCAP 0x80000000UL
> > > +#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
> > > +#define CAPABILITY2__MAC_ADMIN 0x00000002UL
> > > #define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
> > > #define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
> > > #define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
> > > diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
> > > index b1b0d1d..bd813c3 100644
> > > --- a/security/selinux/include/class_to_string.h
> > > +++ b/security/selinux/include/class_to_string.h
> > > @@ -71,3 +71,4 @@
> > > S_(NULL)
> > > S_(NULL)
> > > S_("peer")
> > > + S_("capability2")
> > > diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
> > > index 09e9dd2..febf886 100644
> > > --- a/security/selinux/include/flask.h
> > > +++ b/security/selinux/include/flask.h
> > > @@ -51,6 +51,7 @@
> > > #define SECCLASS_DCCP_SOCKET 60
> > > #define SECCLASS_MEMPROTECT 61
> > > #define SECCLASS_PEER 68
> > > +#define SECCLASS_CAPABILITY2 69
> > >
> > > /*
> > > * Security identifier indices for initial entities
> > >
> >
>
--
Stephen Smalley
National Security Agency
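A userspace model of the dispatch in the patch and of the default-case handling discussed in this reply (warn, deny only when enforcing, fail the build if CAP_LAST_CAP would need a third class), as an added example; it is not code from the patch or from the kernel. The capability numbers, the bodies of CAP_TO_INDEX/CAP_TO_MASK, the value of SECCLASS_CAPABILITY, the helper names and the warn_budget throttle are assumptions of the example; the class id 69 and the permission bits are the ones the patch defines.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers assumed by this model (mainline numbering at the time
 * of the patch; they are not part of the patch itself). */
#define CAP_SETFCAP        31
#define CAP_MAC_OVERRIDE   32
#define CAP_MAC_ADMIN      33
#define CAP_LAST_CAP       CAP_MAC_ADMIN

/* Split a capability number into its 32-bit word index and bit mask, as the
 * kernel's CAP_TO_INDEX/CAP_TO_MASK do (macro bodies assumed here). */
#define CAP_TO_INDEX(x)    ((x) >> 5)
#define CAP_TO_MASK(x)     (1U << ((x) & 31))

/* Class ids: SECCLASS_CAPABILITY2 is from the patch's flask.h; the value of
 * SECCLASS_CAPABILITY is not shown in the patch and is assumed. */
#define SECCLASS_CAPABILITY   4
#define SECCLASS_CAPABILITY2  69

/* Permission bits from the patch's av_permissions.h. */
#define CAPABILITY__SETFCAP        0x80000000UL
#define CAPABILITY2__MAC_OVERRIDE  0x00000001UL
#define CAPABILITY2__MAC_ADMIN     0x00000002UL

/* Build-time form of the check proposed in the thread: if a capability ever
 * lands beyond the two supported classes, the build fails instead of the
 * default case being reached at runtime. */
_Static_assert(CAP_TO_INDEX(CAP_LAST_CAP) <= 1,
               "capability beyond capability2: SELinux class tables need updating");

struct cap_check {
    uint16_t sclass;   /* class handed to the AVC lookup */
    uint32_t av;       /* permission bit within that class */
};

/* Model of the patched dispatch in task_has_capability(): the word index
 * selects the class, the bit mask is the access vector.  Returns 1 and fills
 * *out for a supported capability, 0 for one beyond the supported range. */
int cap_to_avc(int cap, struct cap_check *out)
{
    switch (CAP_TO_INDEX(cap)) {
    case 0:
        out->sclass = SECCLASS_CAPABILITY;
        break;
    case 1:
        out->sclass = SECCLASS_CAPABILITY2;
        break;
    default:
        return 0;
    }
    out->av = CAP_TO_MASK(cap);
    return 1;
}

/* Convenience accessors: class and av for a supported cap, 0 otherwise. */
unsigned class_for(int cap) { struct cap_check c; return cap_to_avc(cap, &c) ? c.sclass : 0; }
uint32_t av_for(int cap)    { struct cap_check c; return cap_to_avc(cap, &c) ? c.av : 0; }

/* Stand-in for printk_ratelimit(): report the first few unknown capabilities
 * and only count the rest, so repeated failing checks cannot flood the log. */
static unsigned warn_budget = 3;   /* assumed throttle for the model */
unsigned warn_suppressed = 0;

static void warn_unknown_cap(int cap)
{
    if (warn_budget > 0) {
        warn_budget--;
        fprintf(stderr, "SELinux: unknown capability %d, code update required\n", cap);
    } else {
        warn_suppressed++;
    }
}

/* Default-case handling suggested in the thread: log, then deny only when
 * enforcing; in permissive mode the operation proceeds (return 0). */
int unknown_cap_result(int cap, int enforcing)
{
    warn_unknown_cap(cap);
    return enforcing ? -EPERM : 0;
}

/* Whole hook in miniature: 0 means the check reached the AVC lookup (or was
 * let through by permissive mode), -EPERM means denied in the default case. */
int task_has_capability_model(int cap, int enforcing)
{
    struct cap_check c;

    if (!cap_to_avc(cap, &c))
        return unknown_cap_result(cap, enforcing);
    printf("cap %2d -> class %2d av 0x%08x\n", cap, (int)c.sclass, (unsigned)c.av);
    return 0;   /* the real hook returns avc_has_perm(...) here */
}

int main(void)
{
    int caps[] = { 0, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, 64 };
    size_t i;

    for (i = 0; i < sizeof caps / sizeof caps[0]; i++)
        printf("enforcing result for cap %d: %d\n", caps[i],
               task_has_capability_model(caps[i], 1));
    return 0;
}
```

Compile with a C11-capable compiler (the `_Static_assert` needs it); raising CAP_LAST_CAP to 64 in the model reproduces the build failure the thread proposes, while leaving it at 33 and calling the model with cap 64 exercises the warn-then-deny path.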
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-07 0:52 ` Joshua Brindle
@ 2008-02-07 13:55 ` Stephen Smalley
0 siblings, 0 replies; 11+ messages in thread
From: Stephen Smalley @ 2008-02-07 13:55 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux, James Morris, Eric Paris, Serge E. Hallyn
On Wed, 2008-02-06 at 19:52 -0500, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Wed, 2008-02-06 at 11:22 -0500, Stephen Smalley wrote:
> >
> >> 64-bit capability support has gone into mainline.
> >> Update SELinux to correctly handle 64-bit capabilities.
> >>
> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >> index e5ed075..fa4b021 100644
> >> --- a/security/selinux/hooks.c
> >> +++ b/security/selinux/hooks.c
> >> @@ -1278,6 +1278,8 @@ static int task_has_capability(struct task_struct *tsk,
> >> {
> >> struct task_security_struct *tsec;
> >> struct avc_audit_data ad;
> >> + u16 sclass;
> >> + u32 av = CAP_TO_MASK(cap);
> >>
> >> tsec = tsk->security;
> >>
> >> @@ -1285,8 +1287,17 @@ static int task_has_capability(struct task_struct *tsk,
> >> ad.tsk = tsk;
> >> ad.u.cap = cap;
> >>
> >> - return avc_has_perm(tsec->sid, tsec->sid,
> >> - SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
> >> + switch (CAP_TO_INDEX(cap)) {
> >> + case 0:
> >> + sclass = SECCLASS_CAPABILITY;
> >> + break;
> >> + case 1:
> >> + sclass = SECCLASS_CAPABILITY2;
> >> + break;
> >> + default:
> >> + return -EPERM;
> >>
> >
> > Should likely make this something like:
> > printk(KERN_WARNING "SELinux: unknown capability %d\n", cap);
> > if (selinux_enforcing)
> > return -EPERM;
> > else
> > return 0;
> >
> > Then, if/when people introduce capabilities without updating SELinux,
> > we'll get a warning but permissive mode will allow the operation to
> > proceed.
> >
> >
>
> Are we going to do some magic in the toolchain to treat caps as 1 class
> in source policy but split it up in binary? I remember that being a
> possibility at some point.
We could, but at present, there are no capabilities > 31 that we care
about (mac_admin and mac_override are only used by other LSMs).
And the avc messages will still report them as capability or
capability2, with audit2allow turning that into distinct allow rules
unless we modify it to collapse them.
I'm not sure it really buys us much - it isn't that hard to just write
two allow rules for the distinct capability classes for the cases where
we actually want them both.
--
Stephen Smalley
National Security Agency
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-07 13:53 ` Stephen Smalley
@ 2008-02-07 14:03 ` Serge E. Hallyn
2008-02-07 15:15 ` Stephen Smalley
0 siblings, 1 reply; 11+ messages in thread
From: Serge E. Hallyn @ 2008-02-07 14:03 UTC (permalink / raw)
To: Stephen Smalley; +Cc: James Morris, selinux, Eric Paris, Serge E. Hallyn
Quoting Stephen Smalley (sds@tycho.nsa.gov):
>
> On Thu, 2008-02-07 at 11:04 +1100, James Morris wrote:
> > On Wed, 6 Feb 2008, Stephen Smalley wrote:
> >
> > >
> > > > + switch (CAP_TO_INDEX(cap)) {
> > > > + case 0:
> > > > + sclass = SECCLASS_CAPABILITY;
> > > > + break;
> > > > + case 1:
> > > > + sclass = SECCLASS_CAPABILITY2;
> > > > + break;
> > > > + default:
> > > > + return -EPERM;
> > >
> > > Should likely make this something like:
> > > printk(KERN_WARNING "SELinux: unknown capability %d\n", cap);
> > > if (selinux_enforcing)
> > > return -EPERM;
> > > else
> > > return 0;
> > >
> > > Then, if/when people introduce capabilities without updating SELinux,
> > > we'll get a warning but permissive mode will allow the operation to
> > > proceed.
> >
> > Agreed, perhaps also suggest upgrading policy in the message.
>
> Policy upgrade won't help in that case - it requires code changes to
> allow SELinux to deal with higher capabilities beyond its supported
> range (the printk here is in the default: case, where we've gone beyond
> CAP_INDEX() of 0 or 1, i.e. capability value >= 64).
>
> Alternatively, possibly we could cause a build failure in some way if
> CAP_INDEX(CAP_LAST_CAP) > 1, and make the default case a BUG().
That sounds good. And maybe add a comment near CAP_LAST_CAP pointing
out that it's only responsible for any new caps to be added to
security/selinux/include/av_perm_to_string.h
-serge
>
> > >
> > > > + }
> > > > + return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
> > > > }
> > > >
> > > > /* Check whether a task is allowed to use a system operation. */
> > > > diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
> > > > index 399f868..d569669 100644
> > > > --- a/security/selinux/include/av_perm_to_string.h
> > > > +++ b/security/selinux/include/av_perm_to_string.h
> > > > @@ -132,6 +132,9 @@
> > > > S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
> > > > S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
> > > > S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
> > > > + S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
> > > > + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
> > > > + S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
> > > > S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
> > > > S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
> > > > S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
> > > > diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
> > > > index 84c9abc..75b4131 100644
> > > > --- a/security/selinux/include/av_permissions.h
> > > > +++ b/security/selinux/include/av_permissions.h
> > > > @@ -533,6 +533,9 @@
> > > > #define CAPABILITY__LEASE 0x10000000UL
> > > > #define CAPABILITY__AUDIT_WRITE 0x20000000UL
> > > > #define CAPABILITY__AUDIT_CONTROL 0x40000000UL
> > > > +#define CAPABILITY__SETFCAP 0x80000000UL
> > > > +#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
> > > > +#define CAPABILITY2__MAC_ADMIN 0x00000002UL
> > > > #define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
> > > > #define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
> > > > #define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
> > > > diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
> > > > index b1b0d1d..bd813c3 100644
> > > > --- a/security/selinux/include/class_to_string.h
> > > > +++ b/security/selinux/include/class_to_string.h
> > > > @@ -71,3 +71,4 @@
> > > > S_(NULL)
> > > > S_(NULL)
> > > > S_("peer")
> > > > + S_("capability2")
> > > > diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
> > > > index 09e9dd2..febf886 100644
> > > > --- a/security/selinux/include/flask.h
> > > > +++ b/security/selinux/include/flask.h
> > > > @@ -51,6 +51,7 @@
> > > > #define SECCLASS_DCCP_SOCKET 60
> > > > #define SECCLASS_MEMPROTECT 61
> > > > #define SECCLASS_PEER 68
> > > > +#define SECCLASS_CAPABILITY2 69
> > > >
> > > > /*
> > > > * Security identifier indices for initial entities
> > > >
> > >
> >
> --
> Stephen Smalley
> National Security Agency
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-07 14:03 ` Serge E. Hallyn
@ 2008-02-07 15:15 ` Stephen Smalley
2008-02-07 16:14 ` Casey Schaufler
0 siblings, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2008-02-07 15:15 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: James Morris, selinux, Eric Paris
On Thu, 2008-02-07 at 08:03 -0600, Serge E. Hallyn wrote:
> Quoting Stephen Smalley (sds@tycho.nsa.gov):
> >
> > On Thu, 2008-02-07 at 11:04 +1100, James Morris wrote:
> > > On Wed, 6 Feb 2008, Stephen Smalley wrote:
> > >
> > > >
> > > > > + switch (CAP_TO_INDEX(cap)) {
> > > > > + case 0:
> > > > > + sclass = SECCLASS_CAPABILITY;
> > > > > + break;
> > > > > + case 1:
> > > > > + sclass = SECCLASS_CAPABILITY2;
> > > > > + break;
> > > > > + default:
> > > > > + return -EPERM;
> > > >
> > > > Should likely make this something like:
> > > > printk(KERN_WARNING "SELinux: unknown capability %d\n", cap);
> > > > if (selinux_enforcing)
> > > > return -EPERM;
> > > > else
> > > > return 0;
> > > >
> > > > Then, if/when people introduce capabilities without updating SELinux,
> > > > we'll get a warning but permissive mode will allow the operation to
> > > > proceed.
> > >
> > > Agreed, perhaps also suggest upgrading policy in the message.
> >
> > Policy upgrade won't help in that case - it requires code changes to
> > allow SELinux to deal with higher capabilities beyond its supported
> > range (the printk here is in the default: case, where we've gone beyond
> > CAP_INDEX() of 0 or 1, i.e. capability value >= 64).
> >
> > Alternatively, possibly we could cause a build failure in some way if
> > CAP_INDEX(CAP_LAST_CAP) > 1, and make the default case a BUG().
>
> That sounds good. And maybe add a comment near CAP_LAST_CAP pointing
> out that it's only responsible for any new caps to be added to
> security/selinux/include/av_perm_to_string.h
Well, I think we'd just insert a polite request there to send an email
to the SELinux maintainers and/or the entire LSM list to notify all LSM
maintainers that they need to deal with a new capability. We don't
really want people directly patching the generated headers though - we
need to keep them in sync with policy (and avoid the Fedora fiasco with
taking permissions that never got reserved upstream in policy).
--
Stephen Smalley
National Security Agency
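The switch quoted in this message, together with the warn-but-allow handling for permissive mode and the build-time check on CAP_LAST_CAP that the reply proposes, as an added example that is not part of the thread or of the kernel tree. It is a user-space model: CAP_TO_INDEX/CAP_TO_MASK mirror include/linux/capability.h, SECCLASS_CAPABILITY2 and the three permission bits are taken from the hunks quoted above, while the value of SECCLASS_CAPABILITY (not in the quoted hunk), the capability numbers 31/32/33 and every name ending in _model are assumptions made for the example.

```c
/*
 * Added example, not code from the patch or the kernel tree: a user-space model
 * of the capability number -> (SELinux class, permission bit) mapping the patch
 * introduces, plus the two follow-ups discussed in the thread: warn but allow an
 * unknown capability in permissive mode, and fail the build if CAP_LAST_CAP ever
 * leaves the two words the mapping knows.  CAP_TO_INDEX/CAP_TO_MASK mirror
 * include/linux/capability.h; SECCLASS_CAPABILITY2 and the permission bits are
 * copied from the quoted hunks.  The capability numbers, SECCLASS_CAPABILITY
 * and every *_model name are assumptions made for this example.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_TO_INDEX(x)  ((x) >> 5)          /* which 32-bit word of the set */
#define CAP_TO_MASK(x)   (1u << ((x) & 31))  /* bit within that word */

#define CAP_SETFCAP      31                  /* assumed: last bit of word 0 */
#define CAP_MAC_OVERRIDE 32                  /* assumed: first bit of word 1 */
#define CAP_MAC_ADMIN    33                  /* assumed */
#define CAP_LAST_CAP     CAP_MAC_ADMIN

#define SECCLASS_CAPABILITY  4               /* assumed; not shown in the quoted hunk */
#define SECCLASS_CAPABILITY2 69              /* from the flask.h hunk */

#define CAPABILITY__SETFCAP       0x80000000UL
#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
#define CAPABILITY2__MAC_ADMIN    0x00000002UL

/* Build-time guard in the style of the kernel's BUILD_BUG_ON(): a capability
 * numbered 64 or higher would need a third class, so the negative array size
 * stops compilation instead of letting the default: case below deny (or, in
 * permissive mode, allow) it silently at runtime. */
typedef char cap_index_fits_two_classes[(CAP_TO_INDEX(CAP_LAST_CAP) <= 1) ? 1 : -1];

struct cap_av {
    uint16_t sclass;
    uint32_t av;
};

/* The switch from the patch: returns 0 and fills *out, or -EPERM for a
 * capability outside the two known words (the patch's default: case). */
static int cap_to_class_av(int cap, struct cap_av *out)
{
    switch (CAP_TO_INDEX(cap)) {
    case 0:
        out->sclass = SECCLASS_CAPABILITY;
        break;
    case 1:
        out->sclass = SECCLASS_CAPABILITY2;
        break;
    default:
        return -EPERM;
    }
    out->av = CAP_TO_MASK(cap);
    return 0;
}

/* Accessors for callers that only want one half of the mapping (-1 / 0 = unknown). */
static int cap_sclass_model(int cap) { struct cap_av m; return cap_to_class_av(cap, &m) ? -1 : m.sclass; }
static uint32_t cap_av_model(int cap) { struct cap_av m; return cap_to_class_av(cap, &m) ? 0 : m.av; }

/* Constructed stand-in for the AVC: one domain that is allowed
 * "self:capability setfcap" and "self:capability2 mac_admin" and nothing else. */
static uint32_t allowed_av_model(uint16_t sclass)
{
    switch (sclass) {
    case SECCLASS_CAPABILITY:  return CAPABILITY__SETFCAP;
    case SECCLASS_CAPABILITY2: return CAPABILITY2__MAC_ADMIN;
    default:                   return 0;
    }
}

static int avc_has_perm_model(uint16_t sclass, uint32_t av)
{
    return (allowed_av_model(sclass) & av) == av ? 0 : -EACCES;
}

int selinux_enforcing = 1;  /* set to 0 to model permissive mode */

/* task_has_capability() with the default: handling proposed in the thread:
 * log the unknown capability and deny it only when enforcing. */
static int task_has_capability_model(int cap)
{
    struct cap_av m;

    if (cap_to_class_av(cap, &m) < 0) {
        fprintf(stderr, "SELinux: unknown capability %d\n", cap);
        return selinux_enforcing ? -EPERM : 0;
    }
    return avc_has_perm_model(m.sclass, m.av);
}

int main(void)
{
    int caps[] = { CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, 64 };

    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++)
        printf("cap %2d -> class %2d av 0x%08x -> %d\n", caps[i], cap_sclass_model(caps[i]),
               (unsigned)cap_av_model(caps[i]), task_has_capability_model(caps[i]));
    return 0;
}
```

Running it prints one line per capability: 31 resolves to capability:setfcap and is allowed, 32 resolves to capability2:mac_override and is refused by the constructed rules, 33 resolves to capability2:mac_admin and is allowed, and 64 lies outside both classes, so the model logs the unknown capability and returns -EPERM, or 0 once selinux_enforcing is set to 0. Raising CAP_LAST_CAP to 64 or more makes the typedef's array size negative and the file no longer compiles, which is the build failure suggested in the thread as the alternative to relying on the runtime default: case.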
* Re: [RFC][PATCH] selinux: support 64-bit capabilities
2008-02-07 15:15 ` Stephen Smalley
@ 2008-02-07 16:14 ` Casey Schaufler
0 siblings, 0 replies; 11+ messages in thread
From: Casey Schaufler @ 2008-02-07 16:14 UTC (permalink / raw)
To: Stephen Smalley, Serge E. Hallyn; +Cc: James Morris, selinux, Eric Paris
--- Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Thu, 2008-02-07 at 08:03 -0600, Serge E. Hallyn wrote:
> > Quoting Stephen Smalley (sds@tycho.nsa.gov):
> > >
> > > On Thu, 2008-02-07 at 11:04 +1100, James Morris wrote:
> > > > On Wed, 6 Feb 2008, Stephen Smalley wrote:
> > > >
> > > > >
> > > > > > + switch (CAP_TO_INDEX(cap)) {
> > > > > > + case 0:
> > > > > > + sclass = SECCLASS_CAPABILITY;
> > > > > > + break;
> > > > > > + case 1:
> > > > > > + sclass = SECCLASS_CAPABILITY2;
> > > > > > + break;
> > > > > > + default:
> > > > > > + return -EPERM;
> > > > >
> > > > > Should likely make this something like:
> > > > > printk(KERN_WARNING "SELinux: unknown capability %d\n", cap);
> > > > > if (selinux_enforcing)
> > > > > return -EPERM;
> > > > > else
> > > > > return 0;
> > > > >
> > > > > Then, if/when people introduce capabilities without updating SELinux,
> > > > > we'll get a warning but permissive mode will allow the operation to
> > > > > proceed.
> > > >
> > > > Agreed, perhaps also suggest upgrading policy in the message.
> > >
> > > Policy upgrade won't help in that case - it requires code changes to
> > > allow SELinux to deal with higher capabilities beyond its supported
> > > range (the printk here is in the default: case, where we've gone beyond
> > > CAP_INDEX() of 0 or 1, i.e. capability value >= 64).
> > >
> > > Alternatively, possibly we could cause a build failure in some way if
> > > CAP_INDEX(CAP_LAST_CAP) > 1, and make the default case a BUG().
> >
> > That sounds good. And maybe add a comment near CAP_LAST_CAP pointing
> > out that it's only responsible for any new caps to be added to
> > security/selinux/include/av_perm_to_string.h
>
> Well, I think we'd just insert a polite request there to send an email
> to the SELinux maintainers and/or the entire LSM list to notify all LSM
> maintainers that they need to deal with a new capability.
That wouldn't be a bad idea, maybe put something in Documentation, too.
> We don't
> really want people directly patching the generated headers though - we
> need to keep them in sync with policy (and avoid the Fedora fiasco with
> taking permissions that never got reserved upstream in policy).
Yes, patching generated headers is a bad idea.
Casey Schaufler
casey@schaufler-ca.com
Thread overview: 11+ messages
2008-02-06 16:22 [RFC][PATCH] selinux: support 64-bit capabilities Stephen Smalley
2008-02-06 17:15 ` Serge E. Hallyn
2008-02-06 18:28 ` Stephen Smalley
2008-02-07 0:04 ` James Morris
2008-02-07 13:53 ` Stephen Smalley
2008-02-07 14:03 ` Serge E. Hallyn
2008-02-07 15:15 ` Stephen Smalley
2008-02-07 16:14 ` Casey Schaufler
2008-02-07 0:52 ` Joshua Brindle
2008-02-07 13:55 ` Stephen Smalley
2008-02-07 6:22 ` James Morris