Re: [PATCH 1/3] Thread/Child-Domain Assignment

[KaiGai Kohei <kaigai@kaigai.gr.jp>]

Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Fri, 2008-07-25 at 22:03 +0900, KaiGai Kohei wrote:
>>> [1/3] thread-context-kernel.1.patch
>>>   This patch enables to assign a thread a "weaker" hierarchical
>>>   domain, only if the destinated domain is a child of the current
>>>   domain. Hierachy relationships are defined in the policy version
>>>   24. This patch also enables to read the new version of policy.
>> If you are going to take type hierarchy support into the
>> kernel, then it seems like it should be completely taken into
>> the kernel, i.e. the hierarchy checking should be applied by
>> the kernel rather than by the toolchain.  That is what the
>> Flask security server did for its extensible policy mechanism.
>>
> 
> If we are going to do this we also might as well implement the explicit
> hierarchy support and get away from name based hierarchy.
> 
>> And I think both the neverallow checking and the type
>> hierarchy checking needs to move away from needing to do a
>> full expansion in order to check; it is just too expensive these days.
>>
> 
> Do you think it will be faster to do attribute based lookups? It will
> certainly use significantly less memory.

What do you means the attribute based lookups?

In hierarchy checks, we should not expand any attribute of type without
applying them to its parent type. We can check it by comparing type_attr_map
of both types, without additional memory consumption.

In never allow checks, all we have to do is adding a "else if" block to check
in context_struct_compute_av(), like:

------------
   ebitmap_for_each_positive_bit(sattr, snode, i) {
       ebitmap_for_each_positive_bit(tattr, tnode, j) {
           avkey.source_type = i + 1;
           avkey.target_type = j + 1;
           for (node = avtab_search_node(&policydb.te_avtab, &avkey);
                node != NULL;
                node = avtab_search_node_next(node, avkey.specified)) {
               if (node->key.specified == AVTAB_ALLOWED)
                   avd->allowed |= node->datum.data;
               else if (node->key.specified == AVTAB_AUDITALLOW)
                   avd->auditallow |= node->datum.data;
               else if (node->key.specified == AVTAB_AUDITDENY)
                   avd->auditdeny &= node->datum.data;
+             else if (node->key.specified == AVTAB_NEVERALLOW)
+                  avd->allowed &= ~node->datum.data;
+                  /* TODO: print logs to notice masked perms */
           }

           /* Check conditional av table for additional permissions */
           cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
       }
   }
------------

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.