copy/paste policy patch

copy/paste policy patch

[Xavier Toth]

[-- Attachment #1: Type: text/plain, Size: 1340 bytes --]

Here's a patch I'm using with an MLS version of glipper to give the
capability to check for dominance between copy and paste data contexts.
Hopefully some version of this can be upstreamed.

--- serefpolicy-3.3.1/policy/flask/access_vectors       2008-04-08
13:41:18.000000000 -0500
+++ serefpolicy-3.3.1.new//policy/flask/access_vectors  2008-04-08
13:35:43.000000000 -0500
@@ -765,3 +765,10 @@
 {
        recv
 }
+
+class x_application_data
+{
+        paste
+        paste_without_confirm
+        copy
+}
--- serefpolicy-3.3.1/policy/flask/security_classes     2008-04-08
13:41:18.000000000 -0500
+++ serefpolicy-3.3.1.new//policy/flask/security_classes        2008-04-08
13:34:36.000000000 -0500
@@ -114,5 +114,6 @@
 class x_resource               # userspace
 class x_event                  # userspace
 class x_synthetic_event                # userspace
+class x_application_data        # userspace

 # FLASK
--- serefpolicy-3.3.1/policy/mls        2008-04-08 13:41:18.000000000 -0500
+++ serefpolicy-3.3.1.new/policy/mls    2008-04-08 14:20:49.000000000 -0500
@@ -567,6 +567,12 @@
         ( t1 == mlsxwinwritexinput ) or
         ( t1 == mlsxwinwrite ));

+#
+# MLS policy for the x_application_data class
+#
+mlsconstrain x_application_data { paste_without_confirm }
+       ( l1 domby l2 );
+

 #
 # MLS policy for the pax class

[-- Attachment #2: Type: text/html, Size: 2190 bytes --]

Re: copy/paste policy patch

[Christopher J. PeBenito]

On Fri, 2008-04-25 at 08:07 -0500, Xavier Toth wrote:
> Here's a patch I'm using with an MLS version of glipper to give the
> capability to check for dominance between copy and paste data
> contexts. Hopefully some version of this can be upstreamed.

Is the code on its way to being upstreamed?

> --- serefpolicy-3.3.1/policy/flask/access_vectors       2008-04-08 13:41:18.000000000 -0500
> +++ serefpolicy-3.3.1.new//policy/flask/access_vectors  2008-04-08 13:35:43.000000000 -0500
> @@ -765,3 +765,10 @@
>  {
>         recv
>  }
> +
> +class x_application_data 
> +{
> +        paste
> +        paste_without_confirm
> +        copy
> +}
> --- serefpolicy-3.3.1/policy/flask/security_classes     2008-04-08 13:41:18.000000000 -0500
> +++ serefpolicy-3.3.1.new//policy/flask/security_classes        2008-04-08 13:34:36.000000000 -0500
> @@ -114,5 +114,6 @@
>  class x_resource               # userspace
>  class x_event                  # userspace
>  class x_synthetic_event                # userspace
> +class x_application_data        # userspace
>  
>  # FLASK
> --- serefpolicy-3.3.1/policy/mls        2008-04-08 13:41:18.000000000 -0500
> +++ serefpolicy-3.3.1.new/policy/mls    2008-04-08 14:20:49.000000000 -0500
> @@ -567,6 +567,12 @@
>          ( t1 == mlsxwinwritexinput ) or
>          ( t1 == mlsxwinwrite ));
>  
> +#
> +# MLS policy for the x_application_data class
> +#
> +mlsconstrain x_application_data { paste_without_confirm }
> +       ( l1 domby l2 );
> +
>  
>  #
>  # MLS policy for the pax class
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: copy/paste policy patch

[Eamon Walsh]

Christopher J. PeBenito wrote:
> On Fri, 2008-04-25 at 08:07 -0500, Xavier Toth wrote:
>   
>> Here's a patch I'm using with an MLS version of glipper to give the
>> capability to check for dominance between copy and paste data
>> contexts. Hopefully some version of this can be upstreamed.
>>     

Here is a revised patch.  I support including this in refpolicy as it's 
generally useful for supporting selection managers.

Note that the access_vectors definition is at the end of the file in 
this patch.  Not sure if the ordering matters in that file, if it 
doesn't you can move this to coincide with the other X classes.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
---


Index: policy/flask/security_classes
===================================================================
--- policy/flask/security_classes	(revision 2667)
+++ policy/flask/security_classes	(working copy)
@@ -114,5 +114,6 @@
 class x_resource		# userspace
 class x_event			# userspace
 class x_synthetic_event		# userspace
+class x_application_data	# userspace
 
 # FLASK
Index: policy/flask/access_vectors
===================================================================
--- policy/flask/access_vectors	(revision 2667)
+++ policy/flask/access_vectors	(working copy)
@@ -775,3 +775,10 @@
 {
 	recv
 }
+
+class x_application_data
+{
+	paste
+	paste_after_confirm
+	copy
+}
Index: policy/mls
===================================================================
--- policy/mls	(revision 2667)
+++ policy/mls	(working copy)
@@ -568,7 +568,13 @@
 	 ( t1 == mlsxwinwrite ));
 
 
+#
+# MLS policy for the x_application_data class
+#
+mlsconstrain x_application_data { paste }
+	( l1 domby l2 );
 
+
 #
 # MLS policy for the pax class
 #



-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: copy/paste policy patch

[Xavier Toth]

[-- Attachment #1: Type: text/plain, Size: 2191 bytes --]

On Mon, Apr 28, 2008 at 5:39 PM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:

> Christopher J. PeBenito wrote:
>
>> On Fri, 2008-04-25 at 08:07 -0500, Xavier Toth wrote:
>>
>>
>>> Here's a patch I'm using with an MLS version of glipper to give the
>>> capability to check for dominance between copy and paste data
>>> contexts. Hopefully some version of this can be upstreamed.
>>>
>>>
>>
> Here is a revised patch.  I support including this in refpolicy as it's
> generally useful for supporting selection managers.
>
> Note that the access_vectors definition is at the end of the file in this
> patch.  Not sure if the ordering matters in that file, if it doesn't you can
> move this to coincide with the other X classes.
>
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
> ---
>
>
> Index: policy/flask/security_classes
> ===================================================================
> --- policy/flask/security_classes       (revision 2667)
> +++ policy/flask/security_classes       (working copy)
> @@ -114,5 +114,6 @@
> class x_resource                # userspace
> class x_event                   # userspace
> class x_synthetic_event         # userspace
> +class x_application_data       # userspace
>
> # FLASK
> Index: policy/flask/access_vectors
> ===================================================================
> --- policy/flask/access_vectors (revision 2667)
> +++ policy/flask/access_vectors (working copy)
> @@ -775,3 +775,10 @@
> {
>        recv
> }
> +
> +class x_application_data
> +{
> +       paste
> +       paste_after_confirm
> +       copy
> +}
> Index: policy/mls
> ===================================================================
> --- policy/mls  (revision 2667)
> +++ policy/mls  (working copy)
> @@ -568,7 +568,13 @@
>         ( t1 == mlsxwinwrite ));
>
>
> +#
> +# MLS policy for the x_application_data class
> +#
> +mlsconstrain x_application_data { paste }
> +       ( l1 domby l2 );
>
> +
> #
> # MLS policy for the pax class
> #
>
>
>
> --
> Eamon Walsh <ewalsh@tycho.nsa.gov>
> National Security Agency
>

Seems to me that paste mlsconstrain should be (l1 eq l2) and should be a
mlsconstrain for paste_after_confirm which is (l1 domby l2).

[-- Attachment #2: Type: text/html, Size: 3464 bytes --]

Re: copy/paste policy patch

[Eamon Walsh]

Xavier Toth wrote:
> Seems to me that paste mlsconstrain should be (l1 eq l2) and should be 
> a mlsconstrain for paste_after_confirm which is (l1 domby l2).

Revised patch attached.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
---

Index: policy/flask/security_classes
===================================================================
--- policy/flask/security_classes	(revision 2669)
+++ policy/flask/security_classes	(working copy)
@@ -114,5 +114,6 @@
 class x_resource		# userspace
 class x_event			# userspace
 class x_synthetic_event		# userspace
+class x_application_data	# userspace
 
 # FLASK
Index: policy/flask/access_vectors
===================================================================
--- policy/flask/access_vectors	(revision 2669)
+++ policy/flask/access_vectors	(working copy)
@@ -775,3 +775,10 @@
 {
 	recv
 }
+
+class x_application_data
+{
+	paste
+	paste_after_confirm
+	copy
+}
Index: policy/mls
===================================================================
--- policy/mls	(revision 2669)
+++ policy/mls	(working copy)
@@ -568,7 +568,19 @@
 	 ( t1 == mlsxwinwrite ));
 
 
+#
+# MLS policy for the x_application_data class
+#
 
+# the x_application_data "paste" ops (explicit single level)
+mlsconstrain x_application_data { paste }
+	( l1 eq l2 );
+
+# the x_application_data "paste_after_confirm" ops (downgrade permitted)
+mlsconstrain x_application_data { paste_after_confirm }
+	( l1 domby l2 );
+
+
 #
 # MLS policy for the pax class
 #


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: copy/paste policy patch

[Christopher J. PeBenito]

On Wed, 2008-04-30 at 19:29 -0400, Eamon Walsh wrote:
> Xavier Toth wrote:
> > Seems to me that paste mlsconstrain should be (l1 eq l2) and should be 
> > a mlsconstrain for paste_after_confirm which is (l1 domby l2).
> 
> Revised patch attached.

Merged.

> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
> ---
> 
> Index: policy/flask/security_classes
> ===================================================================
> --- policy/flask/security_classes	(revision 2669)
> +++ policy/flask/security_classes	(working copy)
> @@ -114,5 +114,6 @@
>  class x_resource		# userspace
>  class x_event			# userspace
>  class x_synthetic_event		# userspace
> +class x_application_data	# userspace
>  
>  # FLASK
> Index: policy/flask/access_vectors
> ===================================================================
> --- policy/flask/access_vectors	(revision 2669)
> +++ policy/flask/access_vectors	(working copy)
> @@ -775,3 +775,10 @@
>  {
>  	recv
>  }
> +
> +class x_application_data
> +{
> +	paste
> +	paste_after_confirm
> +	copy
> +}
> Index: policy/mls
> ===================================================================
> --- policy/mls	(revision 2669)
> +++ policy/mls	(working copy)
> @@ -568,7 +568,19 @@
>  	 ( t1 == mlsxwinwrite ));
>  
> 
> +#
> +# MLS policy for the x_application_data class
> +#
>  
> +# the x_application_data "paste" ops (explicit single level)
> +mlsconstrain x_application_data { paste }
> +	( l1 eq l2 );
> +
> +# the x_application_data "paste_after_confirm" ops (downgrade permitted)
> +mlsconstrain x_application_data { paste_after_confirm }
> +	( l1 domby l2 );
> +
> +
>  #
>  # MLS policy for the pax class
>  #
> 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: copy/paste policy patch

[Xavier Toth]

On Tue, May 6, 2008 at 9:27 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On Wed, 2008-04-30 at 19:29 -0400, Eamon Walsh wrote:
>> Xavier Toth wrote:
>> > Seems to me that paste mlsconstrain should be (l1 eq l2) and should be
>> > a mlsconstrain for paste_after_confirm which is (l1 domby l2).
>>
>> Revised patch attached.
>
> Merged.
>
>> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
>> ---
>>
>> Index: policy/flask/security_classes
>> ===================================================================
>> --- policy/flask/security_classes     (revision 2669)
>> +++ policy/flask/security_classes     (working copy)
>> @@ -114,5 +114,6 @@
>>  class x_resource             # userspace
>>  class x_event                        # userspace
>>  class x_synthetic_event              # userspace
>> +class x_application_data     # userspace
>>
>>  # FLASK
>> Index: policy/flask/access_vectors
>> ===================================================================
>> --- policy/flask/access_vectors       (revision 2669)
>> +++ policy/flask/access_vectors       (working copy)
>> @@ -775,3 +775,10 @@
>>  {
>>       recv
>>  }
>> +
>> +class x_application_data
>> +{
>> +     paste
>> +     paste_after_confirm
>> +     copy
>> +}
>> Index: policy/mls
>> ===================================================================
>> --- policy/mls        (revision 2669)
>> +++ policy/mls        (working copy)
>> @@ -568,7 +568,19 @@
>>        ( t1 == mlsxwinwrite ));
>>
>>
>> +#
>> +# MLS policy for the x_application_data class
>> +#
>>
>> +# the x_application_data "paste" ops (explicit single level)
>> +mlsconstrain x_application_data { paste }
>> +     ( l1 eq l2 );
>> +
>> +# the x_application_data "paste_after_confirm" ops (downgrade permitted)
>> +mlsconstrain x_application_data { paste_after_confirm }
>> +     ( l1 domby l2 );
>> +
>> +
>>  #
>>  # MLS policy for the pax class
>>  #
>>
>>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>

Here's what I've actually ended up using to allow pasting equal or up
without requiring confirmation and to require confirmation when
attempting to paste down:

Index: policy/mls
===================================================================
--- policy/mls	(revision 2704)
+++ policy/mls	(working copy)
@@ -574,11 +574,11 @@

 # the x_application_data "paste" ops (explicit single level)
 mlsconstrain x_application_data { paste }
-	( l1 eq l2 );
+	(( l1 eq l2 ) or ( l1 domby l2 ));

 # the x_application_data "paste_after_confirm" ops (downgrade permitted)
 mlsconstrain x_application_data { paste_after_confirm }
-	( l1 domby l2 );
+	( l1 dom l2 );


 #

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: copy/paste policy patch

[Christopher J. PeBenito]

On Wed, 2008-05-28 at 12:18 -0500, Xavier Toth wrote:
> Here's what I've actually ended up using to allow pasting equal or up
> without requiring confirmation and to require confirmation when
> attempting to paste down:
> 
> Index: policy/mls
> ===================================================================
> --- policy/mls	(revision 2704)
> +++ policy/mls	(working copy)
> @@ -574,11 +574,11 @@
> 
>  # the x_application_data "paste" ops (explicit single level)
>  mlsconstrain x_application_data { paste }
> -	( l1 eq l2 );
> +	(( l1 eq l2 ) or ( l1 domby l2 ));

Isn't the (l1 eq l2) redundant?

>  # the x_application_data "paste_after_confirm" ops (downgrade permitted)
>  mlsconstrain x_application_data { paste_after_confirm }
> -	( l1 domby l2 );
> +	( l1 dom l2 );
> 
> 
>  #
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: copy/paste policy patch

[Eamon Walsh]

Xavier Toth wrote:
> Here's a patch I'm using with an MLS version of glipper to give the 
> capability to check for dominance between copy and paste data 
> contexts. Hopefully some version of this can be upstreamed.

Hi, why did you reverse the two paste operations?  In my suggestion I 
had the "paste" bit meaning "unconditional paste" and 
"paste_after_confirm" meaning "allow paste only after the user confirms."

Having the confirmation dialog semantics built in to the plain old 
"paste" permission seems to me like it would be more confusing, and 
difficult to change later.


>
> --- serefpolicy-3.3.1/policy/flask/access_vectors       2008-04-08 
> 13:41:18.000000000 -0500
> +++ serefpolicy-3.3.1.new//policy/flask/access_vectors  2008-04-08 
> 13:35:43.000000000 -0500
> @@ -765,3 +765,10 @@
>  {
>         recv
>  }
> +
> +class x_application_data
> +{
> +        paste
> +        paste_without_confirm
> +        copy
> +}
> --- serefpolicy-3.3.1/policy/flask/security_classes     2008-04-08 
> 13:41:18.000000000 -0500
> +++ serefpolicy-3.3.1.new//policy/flask/security_classes        
> 2008-04-08 13:34:36.000000000 -0500
> @@ -114,5 +114,6 @@
>  class x_resource               # userspace
>  class x_event                  # userspace
>  class x_synthetic_event                # userspace
> +class x_application_data        # userspace
>  
>  # FLASK
> --- serefpolicy-3.3.1/policy/mls        2008-04-08 13:41:18.000000000 
> -0500
> +++ serefpolicy-3.3.1.new/policy/mls    2008-04-08 14:20:49.000000000 
> -0500
> @@ -567,6 +567,12 @@
>          ( t1 == mlsxwinwritexinput ) or
>          ( t1 == mlsxwinwrite ));
>  
> +#
> +# MLS policy for the x_application_data class
> +#
> +mlsconstrain x_application_data { paste_without_confirm }
> +       ( l1 domby l2 );
> +
>  
>  #
>  # MLS policy for the pax class
>


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: copy/paste policy patch

[Eamon Walsh]

Xavier Toth wrote:
>
>
> On Mon, Apr 28, 2008 at 1:26 PM, Eamon Walsh <ewalsh@tycho.nsa.gov 
> <mailto:ewalsh@tycho.nsa.gov>> wrote:
>
>     Xavier Toth wrote:
>
>         Here's a patch I'm using with an MLS version of glipper to
>         give the capability to check for dominance between copy and
>         paste data contexts. Hopefully some version of this can be
>         upstreamed.
>
>
>     Hi, why did you reverse the two paste operations?  In my
>     suggestion I had the "paste" bit meaning "unconditional paste" and
>     "paste_after_confirm" meaning "allow paste only after the user
>     confirms."
>
>     Having the confirmation dialog semantics built in to the plain old
>     "paste" permission seems to me like it would be more confusing,
>     and difficult to change later.
>
>
> Well maybe I didn't understand what you were thinking. I did it the 
> way I did because I use the avc_has_perm to tell me whether I need to 
> bring up the downgrade dialog.


Here is pseudo-code for the way I'd prefer to have the check done:

if (avc_has_perm(requestor's context, selection's context, X_APPLICATION_DATA, PASTE) == 0)
    // Perform the paste without asking.
   
else if (avc_has_perm(requestor's context, selection's context, X_APPLICATION_DATA, PASTE_AFTER_CONFIRM) == 0)
    // Pop up the confirmation dialog; perform the paste if user accepts.

else
    // If you get here, the paste just isn't allowed at all.



>
>
>
>
>         --- serefpolicy-3.3.1/policy/flask/access_vectors      
>         2008-04-08 13:41:18.000000000 -0500
>         +++ serefpolicy-3.3.1.new//policy/flask/access_vectors
>          2008-04-08 13:35:43.000000000 -0500
>         @@ -765,3 +765,10 @@
>          {
>                recv
>          }
>         +
>         +class x_application_data
>         +{
>         +        paste
>         +        paste_without_confirm
>         +        copy
>         +}
>         --- serefpolicy-3.3.1/policy/flask/security_classes    
>         2008-04-08 13:41:18.000000000 -0500
>         +++ serefpolicy-3.3.1.new//policy/flask/security_classes      
>          2008-04-08 13:34:36.000000000 -0500
>         @@ -114,5 +114,6 @@
>          class x_resource               # userspace
>          class x_event                  # userspace
>          class x_synthetic_event                # userspace
>         +class x_application_data        # userspace
>           # FLASK
>         --- serefpolicy-3.3.1/policy/mls        2008-04-08
>         13:41:18.000000000 -0500
>         +++ serefpolicy-3.3.1.new/policy/mls    2008-04-08
>         14:20:49.000000000 -0500
>         @@ -567,6 +567,12 @@
>                 ( t1 == mlsxwinwritexinput ) or
>                 ( t1 == mlsxwinwrite ));
>          +#
>         +# MLS policy for the x_application_data class
>         +#
>         +mlsconstrain x_application_data { paste_without_confirm }
>         +       ( l1 domby l2 );
>         +
>           #
>          # MLS policy for the pax class
>
>
>
>     -- 
>     Eamon Walsh <ewalsh@tycho.nsa.gov <mailto:ewalsh@tycho.nsa.gov>>
>     National Security Agency
>
>


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.