From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Eamon Walsh <ewalsh@tycho.nsa.gov>
Cc: method@manicmethod.com, jmorris@namei.org,
selinux <selinux@tycho.nsa.gov>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] Permissive domain in userspace (Re: Some ideas in SE-PostgreSQL enhancement)
Date: Tue, 31 Mar 2009 10:45:42 +0900
Message-ID: <49D175C6.2050001@ak.jp.nec.com>
In-Reply-To: <49D034B9.9080406@ak.jp.nec.com>
[-- Attachment #1: Type: text/plain, Size: 1154 bytes --]
KaiGai Kohei wrote:
> If we have an entry something like "/selinux/permissive" to return
> whether the given domain is permissive or not, I think we don't need
> to have the flags field on security_compute_av(). It can be checked
> on the creation of userspace avc entry, and checked on later access
> controls.

The attached patch exposes a new entry in selinuxfs, which enables
userspace stuff to query whether the given context is a permissive
domain or not.

If the given context is a permissive domain, userspace stuff can mark
its entry as a permissive one on creation of avc entries, to avoid
policy enforcement on permissive domains.

It now checks the security:{check_context} permission, but it should be
discussed what permission is to be checked here.

The attached check_permissive.c is an example of using the interface.
[kaigai@saba ~]$ ./check_permissive staff_u:staff_r:staff_t:s0
staff_u:staff_r:staff_t:s0 is a permissive domain
[kaigai@saba ~]$ ./check_permissive user_u:user_r:user_t:s0
user_u:user_r:user_t:s0 is NOT a permissive domain
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: kernel-interface-permissive-domain.1.patch --]
[-- Type: text/x-patch, Size: 2679 bytes --]
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
--
security/selinux/selinuxfs.c | 24 ++++++++++++++++++++++++
1 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index d3c8b98..10accc0 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -122,6 +122,7 @@ enum sel_inos {
SEL_COMPAT_NET, /* whether to use old compat network packet controls */
SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */
SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */
+ SEL_PERMISSIVE, /* check whether permissive domain or not */
SEL_INO_NEXT, /* The next inode number to use */
};
@@ -513,6 +514,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_permissive(struct file *file, char *buf, size_t size);
static ssize_t (*write_op[])(struct file *, char *, size_t) = {
[SEL_ACCESS] = sel_write_access,
@@ -521,6 +523,7 @@ static ssize_t (*write_op[])(struct file *, char *, size_t) = {
[SEL_USER] = sel_write_user,
[SEL_MEMBER] = sel_write_member,
[SEL_CONTEXT] = sel_write_context,
+ [SEL_PERMISSIVE] = sel_write_permissive,
};
static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
@@ -841,6 +844,26 @@ out:
return length;
}
+static ssize_t sel_write_permissive(struct file *file, char *buf, size_t size)
+{
+ u32 sid;
+ ssize_t rc;
+
+ /*
+ * MEMO: Is it correct to check security:{check_context} here?
+ * Or, we should add something like security:{check_permissive}?
+ */
+ rc = task_has_security(current, SECURITY__CHECK_CONTEXT);
+ if (rc)
+ return rc;
+
+ rc = security_context_to_sid(buf, size, &sid);
+ if (rc < 0)
+ return rc;
+
+ return security_permissive_sid(sid);
+}
+
static struct inode *sel_make_inode(struct super_block *sb, int mode)
{
struct inode *ret = new_inode(sb);
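Review bot: the final "return security_permissive_sid(sid);" in sel_write_permissive() hands the policy answer back as the result of write(), where the handler just above this hunk ends with "return length;". The attached check_permissive.c relies on that by treating the write() result as the boolean, so a caller cannot distinguish an answer from a byte count, and whatever security_permissive_sid() returns (it is not declared in this patch) becomes the syscall result unchecked. Consider placing the answer in buf and returning its length, and settle the MEMO about security:{check_context} versus a dedicated permission before this goes in rather than leaving it as a comment in the code.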
@@ -1668,6 +1691,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
+ [SEL_PERMISSIVE] = {"permissive", &transaction_ops, S_IRUGO|S_IWUGO},
/* last one */ {""}
};
ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
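Review bot: the new "permissive" entry is created with S_IRUGO|S_IWUGO, so any process can open and write it, and the task_has_security() call in sel_write_permissive() is the only gate on who may ask whether a context is permissive. That makes the open MEMO question (security:{check_context} or a new permission) a precondition for this line, not a follow-up. The commit message currently holds only the Signed-off-by; it should state the permission chosen and the input and return format of the node.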
[-- Attachment #3: check_permissive.c --]
[-- Type: text/plain, Size: 758 bytes --]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <selinux/selinux.h>

int main(int argc, char *argv[])
{
	const char *path = "/selinux/permissive";
	ssize_t rc;
	int fd;

	if (argc < 2) {
		fprintf(stderr, "usage: %s <context>\n", argv[0]);
		return -1;
	}

	fd = open(path, O_RDWR);
	if (fd < 0) {
		fprintf(stderr, "could not open %s (%s)\n",
			path, strerror(errno));
		return -1;
	}

	/*
	 * The kernel handler returns the permissive flag as the result
	 * of write(): non-zero for a permissive domain, 0 otherwise.
	 */
	rc = write(fd, argv[1], strlen(argv[1]));
	if (rc < 0) {
		fprintf(stderr, "error: write('%s', '%s') (%s)\n",
			path, argv[1], strerror(errno));
		close(fd);
		return -1;
	}

	printf("%s is %s permissive domain\n",
	       argv[1], rc ? "a" : "NOT a");

	close(fd);
	return 0;
}
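Added example (not part of the mail, the patch or check_permissive.c): a minimal userspace AVC entry that records the permissive flag once, when the entry is created, and on a later check audits a denial without enforcing it for a permissive domain. query_permissive() is a hypothetical stand-in for the /selinux/permissive query, and the struct, function names and permission bits are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct uavc_entry {              /* one cached decision for a source context */
    char     scontext[64];
    uint32_t allowed;            /* permission bits granted by policy */
    bool     permissive;         /* fixed when the entry is created */
};

static unsigned audited;         /* denials logged, enforced or not */

/* Hypothetical stand-in for the /selinux/permissive query (constructed data). */
static bool query_permissive(const char *scontext)
{
    return strcmp(scontext, "staff_u:staff_r:staff_t:s0") == 0;
}

/* Fill an entry; the permissive flag is looked up once, here. */
static void uavc_fill(struct uavc_entry *e, const char *scontext, uint32_t allowed)
{
    snprintf(e->scontext, sizeof(e->scontext), "%s", scontext);
    e->allowed = allowed;
    e->permissive = query_permissive(scontext);
}

/* 0 = allow, -1 = deny. A denial is audited even when it is not enforced. */
static int uavc_has_perm(const struct uavc_entry *e, uint32_t requested)
{
    if ((requested & ~e->allowed) == 0)
        return 0;
    audited++;
    return e->permissive ? 0 : -1;
}

int main(void)
{
    struct uavc_entry staff, user;
    uavc_fill(&staff, "staff_u:staff_r:staff_t:s0", 0x1);
    uavc_fill(&user, "user_u:user_r:user_t:s0", 0x1);
    int s = uavc_has_perm(&staff, 0x2);   /* denied by policy, not enforced */
    int u = uavc_has_perm(&user, 0x2);    /* denied by policy, enforced */
    printf("staff: %d, user: %d, audited: %u\n", s, u, audited);
    return 0;
}
```

Because the flag is cached with the entry, entries have to be discarded on policy reload, since a domain's permissive status can change with the policy.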