From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-"
Date: Wed, 25 Aug 2010 11:56:30 -0400 [thread overview]
Message-ID: <4C753D2E.60208@tresys.com> (raw)
In-Reply-To: <1282745971.25778.25.camel@moss-lions.epoch.ncsc.mil>
On 08/25/10 10:19, James Carter wrote:
> On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote:
>> On 08/24/10 15:50, James Carter wrote:
>>> The *_except interfaces expect the caller to call it like this:
>>> files_read_all_dirs_except(foo_t, - bar_t)
>>>
>>> This makes the call argument hard to deal with because it is neither a
>>> type nor a set. Also an argument like $2 -shadow_t could either be a
>>> set or an MLS range.
>>>
>>> The *_except interfaces are never used except for in the *_except_shadow
>>> interfaces. The calls to the *_except_shadow interfaces never specify a
>>> second argument.
>>>
>>> files_manage_all_files is called only in portage.te (with no exception)
>>> and authlogin.if.
>>
>> Theres two issues with this change:
>>
>> 1. It breaks API stability.
>
> That may be true, but the current interface makes no sense to me. If I
> use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows
> access to file_type and bar_t. It doesn't exclude anything.
>
>> 2. It doesn't work if you want to specify a set, e.g.
>>
>> files_read_all_dirs_except(foo_t, { bar_t baz_t })
>>
> Why doesn't that work? Doesn't that give
> { file_type - { bar_t baz_t } }?
I didn't think that was valid. Is it?
> Again, if you don't like the changes, that's fine. It is just something
> that will have to be worked around. Any changes that you do accept just
> makes life a easier.
I'd like to get rid of the interfaces completely. I just haven't come
up with a better way of getting { files_type -shadow_t } without
breaking encapsulation. Perhaps we just have to rethink the access or
concept.
>>> ---
>>> policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
>>> policy/modules/system/authlogin.if | 10 ++--
>>> 2 files changed, 79 insertions(+), 23 deletions(-)
>>>
>>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
>>> index 5302dac..9212dea 100644
>>> --- a/policy/modules/kernel/files.if
>>> +++ b/policy/modules/kernel/files.if
>>> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
>>> attribute file_type;
>>> ')
>>>
>>> - allow $1 { file_type $2 }:dir list_dir_perms;
>>> + allow $1 { file_type - $2 }:dir list_dir_perms;
>>> ')
>>>
>>> ########################################
>>> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
>>> attribute file_type;
>>> ')
>>>
>>> - read_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> ')
>>>
>>> ########################################
>>> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
>>> attribute file_type;
>>> ')
>>>
>>> - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> ')
>>>
>>> ########################################
>>> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
>>>
>>> ########################################
>>> ##<summary>
>>> +## Relabel all files on the filesystem
>>> +##</summary>
>>> +##<param name="domain">
>>> +##<summary>
>>> +## The type of the domain perfoming this action.
>>> +##</summary>
>>> +##</param>
>>> +##<rolecap/>
>>> +#
>>> +interface(`files_relabel_all_files',`
>>> + gen_require(`
>>> + attribute file_type;
>>> + ')
>>> +
>>> + allow $1 file_type : dir list_dir_perms;
>>> + relabel_dirs_pattern($1, file_type, file_type)
>>> + relabel_files_pattern($1, file_type, file_type)
>>> + relabel_lnk_files_pattern($1, file_type, file_type)
>>> + relabel_fifo_files_pattern($1, file_type, file_type)
>>> + relabel_sock_files_pattern($1, file_type, file_type)
>>> + relabelfrom_blk_files_pattern($1, file_type, file_type)
>>> + relabelfrom_chr_files_pattern($1, file_type, file_type)
>>> +
>>> + # satisfy the assertions:
>>> + seutil_relabelto_bin_policy($1)
>>> +')
>>> +
>>> +########################################
>>> +##<summary>
>>> ## Relabel all files on the filesystem, except
>>> ## the listed exceptions.
>>> ##</summary>
>>> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
>>> ##</param>
>>> ##<rolecap/>
>>> #
>>> -interface(`files_relabel_all_files',`
>>> +interface(`files_relabel_all_files_except',`
>>> gen_require(`
>>> attribute file_type;
>>> ')
>>>
>>> - allow $1 { file_type $2 }:dir list_dir_perms;
>>> - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + allow $1 { file_type - $2 }:dir list_dir_perms;
>>> + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> # this is only relabelfrom since there should be no
>>> # device nodes with file types.
>>> - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>>
>>> # satisfy the assertions:
>>> seutil_relabelto_bin_policy($1)
>>> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
>>>
>>> ########################################
>>> ##<summary>
>>> +## Manage all files on the filesystem.
>>> +##</summary>
>>> +##<param name="domain">
>>> +##<summary>
>>> +## The type of the domain perfoming this action.
>>> +##</summary>
>>> +##</param>
>>> +##<rolecap/>
>>> +#
>>> +interface(`files_manage_all_files',`
>>> + gen_require(`
>>> + attribute file_type;
>>> + ')
>>> +
>>> + manage_dirs_pattern($1, file_type, file_type)
>>> + manage_files_pattern($1, file_type, file_type)
>>> + manage_lnk_files_pattern($1, file_type, file_type)
>>> + manage_fifo_files_pattern($1, file_type, file_type)
>>> + manage_sock_files_pattern($1, file_type, file_type)
>>> +
>>> + # satisfy the assertions:
>>> + seutil_create_bin_policy($1)
>>> + files_manage_kernel_modules($1)
>>> +')
>>> +
>>> +########################################
>>> +##<summary>
>>> ## Manage all files on the filesystem, except
>>> ## the listed exceptions.
>>> ##</summary>
>>> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
>>> ##</param>
>>> ##<rolecap/>
>>> #
>>> -interface(`files_manage_all_files',`
>>> +interface(`files_manage_all_files_except',`
>>> gen_require(`
>>> attribute file_type;
>>> ')
>>>
>>> - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>>
>>> # satisfy the assertions:
>>> seutil_create_bin_policy($1)
>>> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
>>> index 7fddc24..c116df6 100644
>>> --- a/policy/modules/system/authlogin.if
>>> +++ b/policy/modules/system/authlogin.if
>>> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_dirs_except($1,$2 -shadow_t)
>>> + files_read_all_dirs_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_files_except($1,$2 -shadow_t)
>>> + files_read_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_symlinks_except($1,$2 -shadow_t)
>>> + files_read_all_symlinks_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_relabel_all_files($1,$2 -shadow_t)
>>> + files_relabel_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_manage_all_files($1,$2 -shadow_t)
>>> + files_manage_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>>
>>
>>
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2010-08-25 15:56 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-24 19:50 [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-" James Carter
2010-08-25 13:05 ` Christopher J. PeBenito
2010-08-25 14:19 ` James Carter
2010-08-25 15:56 ` Christopher J. PeBenito [this message]
2010-08-25 17:10 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C753D2E.60208@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.