[RFC] Context ordering based on MLS dominance.

[RFC] Context ordering based on MLS dominance.

[Dave Quigley]

This patch set was original made to help in providing unioned polyinstantiated
directories for MLS. The method used Unionfs to order the branches from the
highest to lowest levels so when a process at a certain level listed the
directory contents it would see all of the polyinstantiated directories as one
with duplicates exposing the document at the highest level found.

Others have expressed a need for this functionality so the patches have been
revived. The question is should this be done as a kernel interface or should
it be done on the on disk policy file using libsepol?

The kernel patch is based off of Linus' current git tree as of 6/10 while the
libselinux patch is based off of the current svn tree from sourceforge as of
the same date. The patches went through testing initially when I was working
on polyinstantiated directories but I haven't tested the new version so give
them a try and see if they meet your needs.

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

SELINUX: Add interface to compute MLS dominance relationship.

[Dave Quigley]

This patch adds a new entry into selinuxfs and the backing function to allow
userspace to request the dominance relationship of two mls labels. The new
entry uses the standard transactional interface that the other computer fields
use.

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ad30ac4..453aad5 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -133,6 +133,8 @@ int security_get_allow_unknown(void);
 int security_fs_use(const char *fstype, unsigned int *behavior,
 	u32 *sid);
 
+int selinux_context_dom(u32 ctxid1, u32 ctxid2, u32 *result);
+
 int security_genfs_sid(const char *fstype, char *name, u16 sclass,
 	u32 *sid);
 
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index ac1ccc1..bc3cb96 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -119,6 +119,7 @@ enum sel_inos {
 	SEL_COMPAT_NET,	/* whether to use old compat network packet controls */
 	SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */
 	SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */
+	SEL_CONTEXT_DOM, /* compute dominance of two contexts */
 	SEL_INO_NEXT,	/* The next inode number to use */
 };
 
@@ -509,6 +510,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
 static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
 static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
 static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_context_dom(struct file *file, char *buf, size_t size);
 
 static ssize_t (*write_op[])(struct file *, char *, size_t) = {
 	[SEL_ACCESS] = sel_write_access,
@@ -517,6 +519,7 @@ static ssize_t (*write_op[])(struct file *, char *, size_t) = {
 	[SEL_USER] = sel_write_user,
 	[SEL_MEMBER] = sel_write_member,
 	[SEL_CONTEXT] = sel_write_context,
+	[SEL_CONTEXT_DOM] = sel_write_context_dom,
 };
 
 static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
@@ -837,6 +840,45 @@ out:
 	return length;
 }
 
+static ssize_t sel_write_context_dom(struct file * file, char *buf, size_t size)
+{
+	char *scon1, *scon2;
+	u32 ssid1, ssid2, result;
+	ssize_t length;
+
+	length = task_has_security(current, SECURITY__CHECK_CONTEXT);
+	if (length)
+		return length;
+
+	length = -ENOMEM;
+	scon1 = kzalloc(size+1, GFP_KERNEL);
+	if (!scon1)
+		return length;
+
+	scon2 = kzalloc(size+1, GFP_KERNEL);
+	if (!scon2)
+		goto out;
+
+	length = -EINVAL;
+	if (sscanf(buf, "%s %s", scon1, scon2) != 2)
+		goto out2;
+	length = security_context_to_sid(scon1, strlen(scon1)+1, &ssid1);
+	if (length < 0)
+		goto out2;
+	length = security_context_to_sid(scon2, strlen(scon2)+1, &ssid2);
+	if (length < 0)
+		goto out2;
+	length = selinux_context_dom(ssid1, ssid2, &result);
+	if (length < 0)
+		goto out2;
+	length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, "%d", result);
+out2:
+	kfree(scon2);
+out:
+	kfree(scon1);
+	return length;
+}
+
 static struct inode *sel_make_inode(struct super_block *sb, int mode)
 {
 	struct inode *ret = new_inode(sb);
@@ -1666,6 +1708,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
 		[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
 		[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
 		[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
+		[SEL_CONTEXT_DOM] = {"contexT_dom", &transaction_ops, S_IRUGO|S_IWUGO},
 		/* last one */ {""}
 	};
 	ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index dcc2e1c..c6e3e45 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1752,6 +1752,55 @@ out:
 }
 
 /**
+ * selinux_context_dom - check which of two ctxids dominates another
+ * @ctxid1: first ctxid to check
+ * @ctxid2: second ctxid to check
+ * @result: result form the checl
+ *
+ * Perform a check to see which security context
+ * dominantes the two passed in. -1, 0, 1 placed in result
+ * for ctxid2 dominating ctxid1, ctxid1 and ctxid2 being equal,
+ * and ctxid1 dominating ctxid2 respectivly. The mls level checked
+ * is the lower of the two in the range.
+ */
+int selinux_context_dom(u32 ctxid1, u32 ctxid2, u32 *result)
+{
+	struct context *ctxt1, *ctxt2;
+	struct mls_level *level1, *level2;
+	int ret = 0;
+
+	//Grab contexts from sids
+	ctxt1 = sidtab_search(&sidtab, ctxid1);
+	if (!ctxt1) {
+		ret = -ENOENT;
+		goto out;
+	}
+	ctxt2 = sidtab_search(&sidtab, ctxid2);
+	if (!ctxt2) {
+		ret = -ENOENT;
+		goto out;
+	}
+	level1 = &ctxt1->range.level[0];
+	level2 = &ctxt2->range.level[0];
+
+	if(mls_level_eq(level1, level2)) {
+		*result = 0;
+		goto out;
+	}
+	if(mls_level_dom(level1, level2)) {
+		*result = 1;
+		goto out;
+	}
+	if (mls_level_dom(level2, level1)) {
+		*result = -1;
+		goto out;
+	}
+	*result = 0;
+out:
+	return ret;
+}
+
+/**
  * security_genfs_sid - Obtain a SID for a file in a filesystem
  * @fstype: filesystem type
  * @path: path from root of mount


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

libselinux: Introduce interfaces to use context_dom selinuxfs entry

[Dave Quigley]

This patch introduces libselinux interfaces to make use of the new context_dom entry in selinuxfs. It uses standard strcmp semantics for returning the ordering (-1 c1 before c2, 0 c1 == c2, 1 c1 after c2).

Index: libselinux/include/selinux/selinux.h
===================================================================
--- libselinux/include/selinux/selinux.h	(revision 2903)
+++ libselinux/include/selinux/selinux.h	(working copy)
@@ -180,6 +180,14 @@
 				   access_vector_t requested,
 				   struct av_decision *avd);
 
+/* Compute dominance of one label over another */
+extern int security_compute_dom(security_context_t scon1,
+				security_context_t scon2,
+				int *result);
+extern int security_compute_dom_raw(security_context_t scon1,
+				    security_context_t scon2,
+				    int *result);
+
 /* Compute a labeling decision and set *newcon to refer to it.
    Caller must free via freecon. */
 extern int security_compute_create(security_context_t scon,
Index: libselinux/src/compute_dom.c
===================================================================
--- libselinux/src/compute_dom.c	(revision 0)
+++ libselinux/src/compute_dom.c	(revision 0)
@@ -0,0 +1,82 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include <limits.h>
+
+int security_compute_dom_raw(security_context_t scon1,
+			     security_context_t scon2,
+			     int *result)
+{
+	char path[PATH_MAX];
+	char *buf;
+	size_t size;
+	int fd, ret;
+
+	if (!selinux_mnt) {
+		errno = ENOENT;
+		return -1;
+	}
+
+	snprintf(path, sizeof path, "%s/context_dom", selinux_mnt);
+	fd = open(path, O_RDWR);
+	if (fd < 0)
+		return -1;
+
+	size = selinux_page_size;
+	buf = malloc(size);
+	if (!buf) {
+		ret = -1;
+		goto out;
+	}
+	snprintf(buf, size, "%s %s", scon1, scon2);
+	
+	ret = write(fd, buf, strlen(buf));
+	if (ret < 0)
+		goto out2;
+
+	memset(buf, 0, size);
+	ret = read(fd, buf, size - 1);
+	if (ret < 0)
+		goto out2;
+
+	if (sscanf(buf, "%d", result) != 1) {
+		ret = -1;
+		goto out2;
+	}
+	ret = 0;
+out2:
+	free(buf);
+out:
+	close(fd);
+	return ret;
+}
+
+int security_compute_dom(security_context_t scon1,
+			security_context_t scon2,
+			int *result)
+{
+	int ret;
+	security_context_t rscon1 = scon1;
+	security_context_t rscon2 = scon2;
+
+	if (selinux_trans_to_raw_context(scon1, &rscon1))
+		return -1;
+	if (selinux_trans_to_raw_context(scon2, &rscon2)) {
+		freecon(rscon1);
+		return -1;
+	}
+
+	ret = security_compute_dom_raw(rscon1, rscon2, result);
+
+	freecon(rscon1);
+	freecon(rscon2);
+
+	return ret;
+}
+


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] Context ordering based on MLS dominance.

[Joshua Brindle]

Dave Quigley wrote:
> This patch set was original made to help in providing unioned polyinstantiated
> directories for MLS. The method used Unionfs to order the branches from the
> highest to lowest levels so when a process at a certain level listed the
> directory contents it would see all of the polyinstantiated directories as one
> with duplicates exposing the document at the highest level found.
> 
> Others have expressed a need for this functionality so the patches have been
> revived. The question is should this be done as a kernel interface or should
> it be done on the on disk policy file using libsepol?

So is this the real functionality people have a need for? My use was to take some set of contexts and order them based on dominance. This patch can be used to do that but at a possibly high cost. Is the standard use case to order some number of contexts or just 2? Is it possible to allow an arbitrary number of contexts to be passed into the kernel interface to be sorted in-kernel or would that be inappropriate?

> 
> The kernel patch is based off of Linus' current git tree as of 6/10 while the
> libselinux patch is based off of the current svn tree from sourceforge as of
> the same date. The patches went through testing initially when I was working
> on polyinstantiated directories but I haven't tested the new version so give
> them a try and see if they meet your needs.
> 
> Dave
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] Context ordering based on MLS dominance.

[Stephen Smalley]

On Wed, 2008-06-11 at 10:57 -0400, Joshua Brindle wrote:
> Dave Quigley wrote:
> > This patch set was original made to help in providing unioned polyinstantiated
> > directories for MLS. The method used Unionfs to order the branches from the
> > highest to lowest levels so when a process at a certain level listed the
> > directory contents it would see all of the polyinstantiated directories as one
> > with duplicates exposing the document at the highest level found.
> > 
> > Others have expressed a need for this functionality so the patches have been
> > revived. The question is should this be done as a kernel interface or should
> > it be done on the on disk policy file using libsepol?
> 
> So is this the real functionality people have a need for? My use was
> to take some set of contexts and order them based on dominance. This
> patch can be used to do that but at a possibly high cost. Is the
> standard use case to order some number of contexts or just 2? Is it
> possible to allow an arbitrary number of contexts to be passed into
> the kernel interface to be sorted in-kernel or would that be
> inappropriate?

Not a good idea for a kernel interface; I wouldn't want the kernel
churning away on sorting a large array provided by userspace while
holding the policy rdlock.  (we want to kill /selinux/user for similar
reasons, although there the list is internally computed).

If the conventional use is to sort a large array and the cost of making
calls to selinuxfs for each comparison is deemed too high, then I'd say
we should go with the libsepol route.  That carries a high cost for the
initial policy read (plus requires permission to read it) but then
libsepol can quickly sort the entire array entirely in userspace.

> 
> > 
> > The kernel patch is based off of Linus' current git tree as of 6/10 while the
> > libselinux patch is based off of the current svn tree from sourceforge as of
> > the same date. The patches went through testing initially when I was working
> > on polyinstantiated directories but I haven't tested the new version so give
> > them a try and see if they meet your needs.
> > 
> > Dave
> > 
> > 
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> > 
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] Context ordering based on MLS dominance.

[Casey Schaufler]

Dave Quigley wrote:
> This patch set was original made to help in providing unioned polyinstantiated
> directories for MLS. The method used Unionfs to order the branches from the
> highest to lowest levels so when a process at a certain level listed the
> directory contents it would see all of the polyinstantiated directories as one
> with duplicates exposing the document at the highest level found.
>
>   

How do you address TS/A and TS/B objects with the same name in
the presence of a TS/A,B subject? In B&L neither is "higher"
than the other, they are incomparable, and the subject should
be able to read both. I suppose you could chose and document
secondary criteria, but I shouldn't think that very satisfactory.


> Others have expressed a need for this functionality so the patches have been
> revived. The question is should this be done as a kernel interface or should
> it be done on the on disk policy file using libsepol?
>
> The kernel patch is based off of Linus' current git tree as of 6/10 while the
> libselinux patch is based off of the current svn tree from sourceforge as of
> the same date. The patches went through testing initially when I was working
> on polyinstantiated directories but I haven't tested the new version so give
> them a try and see if they meet your needs.
>
>   

Whichever way you would do it, I don't think you've
got a general solution to the problem.

> Dave
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
>
>   


-- 

----------------------

Casey Schaufler
casey@schaufler-ca.com
650.906.1780



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC] Context ordering based on MLS dominance.

[Dave Quigley]

On Wed, 2008-06-11 at 08:53 -0700, Casey Schaufler wrote:
> Dave Quigley wrote:
> > This patch set was original made to help in providing unioned polyinstantiated
> > directories for MLS. The method used Unionfs to order the branches from the
> > highest to lowest levels so when a process at a certain level listed the
> > directory contents it would see all of the polyinstantiated directories as one
> > with duplicates exposing the document at the highest level found.
> >
> >   
> 
> How do you address TS/A and TS/B objects with the same name in
> the presence of a TS/A,B subject? In B&L neither is "higher"
> than the other, they are incomparable, and the subject should
> be able to read both. I suppose you could chose and document
> secondary criteria, but I shouldn't think that very satisfactory.
> 

This work was done as a prototype when I initially interned here. There
were still many concerns left unaddressed this being one of them. One of
the ideas we had was to modify unionfs such that instead of removing
duplicates you modified the name to reflect its security level. This
would mean you would see TS/A and TS/B in the directory. The problem
with this is that you run into the names getting too long and possibly
going over the max component length for a name (this is a similar
problem to the .wh. prefix that is added to the names for whiteout
support). Another option would be to modify the readdir code such that
it would give back the name and all of the levels/categories it existed
at. Then you could have a way of opening the file at a particular
level/category 

Regardless this is just a userspace interface to expose the SELinux
computation that the kernel already has. Looking at it the current
interface doesn't seem to handle incomparable properly but we are
waiting on Josh to decide if this can be done in libsepol instead. He
seems to want to be able to sort a large number of contexts at once and
as Steve said before having the kernel sort an array of contexts of
arbitrary length isn't a good idea.

> 
> > Others have expressed a need for this functionality so the patches have been
> > revived. The question is should this be done as a kernel interface or should
> > it be done on the on disk policy file using libsepol?
> >
> > The kernel patch is based off of Linus' current git tree as of 6/10 while the
> > libselinux patch is based off of the current svn tree from sourceforge as of
> > the same date. The patches went through testing initially when I was working
> > on polyinstantiated directories but I haven't tested the new version so give
> > them a try and see if they meet your needs.
> >
> >   
> 
> Whichever way you would do it, I don't think you've
> got a general solution to the problem.

I'm not sure how much more general it can be since all it is doing is
reflecting what is in the kernel policy. We need to send non-comparable
back up from the kernel in the case you mentioned above but we will see
which direction it goes in.

> 
> > Dave
> >
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> >
> >
> >   
> 
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.