* seandroid and policy version @ 2012-07-11 0:07 Joshua Brindle 2012-07-11 12:50 ` Stephen Smalley 0 siblings, 1 reply; 22+ messages in thread From: Joshua Brindle @ 2012-07-11 0:07 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux I was looking at this: <https://android-review.googlesource.com/#/c/36321/4/init/init.c> and remembered that years ago we had a discussion about the .policyver filename syntax. I kind of get it for SELinux machines where there is managed policy and could be multiple policies on the system but since SEAndroid is targeting non-device managed policies, it adds extra code to search for the right extension and you can tell what version the policy is as soon as you open it, why not ditch the suffix? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-07-11 0:07 seandroid and policy version Joshua Brindle @ 2012-07-11 12:50 ` Stephen Smalley 2012-07-11 19:45 ` Joshua Brindle 0 siblings, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2012-07-11 12:50 UTC (permalink / raw) To: Joshua Brindle; +Cc: selinux On Tue, 2012-07-10 at 20:07 -0400, Joshua Brindle wrote: > I was looking at this: > <https://android-review.googlesource.com/#/c/36321/4/init/init.c> > > and remembered that years ago we had a discussion about the .policyver > filename syntax. I kind of get it for SELinux machines where there is > managed policy and could be multiple policies on the system but since > SEAndroid is targeting non-device managed policies, it adds extra code > to search for the right extension and you can tell what version the > policy is as soon as you open it, why not ditch the suffix? First, that patch doesn't introduce the use of the version suffix (that's in the already merged code); it just preserves it in the new logic for reloading policy at runtime. I'm open to removing the use of the policy version suffix in a follow-on patch, although that would need to be coordinated across sepolicy and system/core. But the current code is consistent with existing practice in Linux distributions (so follows principle of least surprise) and it allows for different versions to be installed simultaneously (thereby supporting booting multiple kernels). Also, we don't have libsepol on the device so we cannot in fact determine the version when we open it there presently. So I'm not convinced we should remove the suffix. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-07-11 12:50 ` Stephen Smalley @ 2012-07-11 19:45 ` Joshua Brindle 2012-07-11 19:49 ` Stephen Smalley 0 siblings, 1 reply; 22+ messages in thread From: Joshua Brindle @ 2012-07-11 19:45 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux Stephen Smalley wrote: > On Tue, 2012-07-10 at 20:07 -0400, Joshua Brindle wrote: >> I was looking at this: >> <https://android-review.googlesource.com/#/c/36321/4/init/init.c> >> >> and remembered that years ago we had a discussion about the .policyver >> filename syntax. I kind of get it for SELinux machines where there is >> managed policy and could be multiple policies on the system but since >> SEAndroid is targeting non-device managed policies, it adds extra code >> to search for the right extension and you can tell what version the >> policy is as soon as you open it, why not ditch the suffix? > > First, that patch doesn't introduce the use of the version suffix > (that's in the already merged code); it just preserves it in the new > logic for reloading policy at runtime. I know, it just reminded me that I wanted to mention it :) > > I'm open to removing the use of the policy version suffix in a follow-on > patch, although that would need to be coordinated across sepolicy and > system/core. But the current code is consistent with existing practice > in Linux distributions (so follows principle of least surprise) and it From what I can tell most people doing anything with SEAndroid have never been exposed to SELinux so it probably is surprising to them that the file extension would change version to version. > allows for different versions to be installed simultaneously (thereby > supporting booting multiple kernels). Also, we don't have libsepol on I don't think this will ever be an issue on mobile devices (and I don't think it ever was an issue on real machines, more likely that stale policies were being enforced if there was some kernel or library change) > the device so we cannot in fact determine the version when we open it > there presently. So I'm not convinced we should remove the suffix. We don't need libsepol, just read the first few bytes, a la file. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-07-11 19:45 ` Joshua Brindle @ 2012-07-11 19:49 ` Stephen Smalley 2012-09-18 17:33 ` Stephen Smalley 0 siblings, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2012-07-11 19:49 UTC (permalink / raw) To: Joshua Brindle; +Cc: selinux On Wed, 2012-07-11 at 15:45 -0400, Joshua Brindle wrote: > Stephen Smalley wrote: > > On Tue, 2012-07-10 at 20:07 -0400, Joshua Brindle wrote: > >> I was looking at this: > >> <https://android-review.googlesource.com/#/c/36321/4/init/init.c> > >> > >> and remembered that years ago we had a discussion about the .policyver > >> filename syntax. I kind of get it for SELinux machines where there is > >> managed policy and could be multiple policies on the system but since > >> SEAndroid is targeting non-device managed policies, it adds extra code > >> to search for the right extension and you can tell what version the > >> policy is as soon as you open it, why not ditch the suffix? > > > > First, that patch doesn't introduce the use of the version suffix > > (that's in the already merged code); it just preserves it in the new > > logic for reloading policy at runtime. > > I know, it just reminded me that I wanted to mention it :) > > > > > I'm open to removing the use of the policy version suffix in a follow-on > > patch, although that would need to be coordinated across sepolicy and > > system/core. But the current code is consistent with existing practice > > in Linux distributions (so follows principle of least surprise) and it > > From what I can tell most people doing anything with SEAndroid have never been > exposed to SELinux so it probably is surprising to them that the file extension > would change version to version. > > > allows for different versions to be installed simultaneously (thereby > > supporting booting multiple kernels). Also, we don't have libsepol on > > I don't think this will ever be an issue on mobile devices (and I don't think it > ever was an issue on real machines, more likely that stale policies were being > enforced if there was some kernel or library change) > > > the device so we cannot in fact determine the version when we open it > > there presently. So I'm not convinced we should remove the suffix. > > We don't need libsepol, just read the first few bytes, a la file. We need libsepol at least if we want to support automatic downgrading of the policy to a version supported by the kernel. So unless we think we can guarantee that Android userspace + kernel are always updated in lock-step and one will never want to support multiple kernels, it seems a bit inflexible to drop the versioning. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-07-11 19:49 ` Stephen Smalley @ 2012-09-18 17:33 ` Stephen Smalley 2012-09-18 17:40 ` Joshua Brindle 2012-09-18 17:46 ` William Roberts 0 siblings, 2 replies; 22+ messages in thread From: Stephen Smalley @ 2012-09-18 17:33 UTC (permalink / raw) To: Joshua Brindle; +Cc: selinux, William Roberts, Joman Chu On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley wrote: > On Wed, 2012-07-11 at 15:45 -0400, Joshua Brindle wrote: > > Stephen Smalley wrote: > > > On Tue, 2012-07-10 at 20:07 -0400, Joshua Brindle wrote: > > >> I was looking at this: > > >> <https://android-review.googlesource.com/#/c/36321/4/init/init.c> > > >> > > >> and remembered that years ago we had a discussion about the .policyver > > >> filename syntax. I kind of get it for SELinux machines where there is > > >> managed policy and could be multiple policies on the system but since > > >> SEAndroid is targeting non-device managed policies, it adds extra code > > >> to search for the right extension and you can tell what version the > > >> policy is as soon as you open it, why not ditch the suffix? > > > > > > First, that patch doesn't introduce the use of the version suffix > > > (that's in the already merged code); it just preserves it in the new > > > logic for reloading policy at runtime. > > > > I know, it just reminded me that I wanted to mention it :) > > > > > > > > I'm open to removing the use of the policy version suffix in a follow-on > > > patch, although that would need to be coordinated across sepolicy and > > > system/core. But the current code is consistent with existing practice > > > in Linux distributions (so follows principle of least surprise) and it > > > > From what I can tell most people doing anything with SEAndroid have never been > > exposed to SELinux so it probably is surprising to them that the file extension > > would change version to version. > > > > > allows for different versions to be installed simultaneously (thereby > > > supporting booting multiple kernels). Also, we don't have libsepol on > > > > I don't think this will ever be an issue on mobile devices (and I don't think it > > ever was an issue on real machines, more likely that stale policies were being > > enforced if there was some kernel or library change) > > > > > the device so we cannot in fact determine the version when we open it > > > there presently. So I'm not convinced we should remove the suffix. > > > > We don't need libsepol, just read the first few bytes, a la file. > > We need libsepol at least if we want to support automatic downgrading of > the policy to a version supported by the kernel. So unless we think we > can guarantee that Android userspace + kernel are always updated in > lock-step and one will never want to support multiple kernels, it seems > a bit inflexible to drop the versioning. So this issue has come up again in the context of implementing device admin APIs and a sample device admin app. The device admin API implementation in the system_server needs to know how to name the file it creates under /data/system for the kernel policy, but it has no way to determine the actual policy version of the supplied policy. So it doesn't know what suffix to use. Options: - Get rid of the version suffix altogether, or at least for the sepolicy file under /data/system. - Have the system_server parse the header of the policy image to determine the policy version, and use that as the suffix. Thoughts? -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:33 ` Stephen Smalley @ 2012-09-18 17:40 ` Joshua Brindle 2012-09-18 17:43 ` Stephen Smalley 2012-09-18 17:46 ` William Roberts 1 sibling, 1 reply; 22+ messages in thread From: Joshua Brindle @ 2012-09-18 17:40 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux, William Roberts, Joman Chu Stephen Smalley wrote: > On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley wrote: <snip> > So this issue has come up again in the context of implementing device > admin APIs and a sample device admin app. The device admin API > implementation in the system_server needs to know how to name the file > it creates under /data/system for the kernel policy, but it has no way > to determine the actual policy version of the supplied policy. So it > doesn't know what suffix to use. Options: > - Get rid of the version suffix altogether, or at least for the sepolicy > file under /data/system. > - Have the system_server parse the header of the policy image to > determine the policy version, and use that as the suffix. > > Thoughts? > Can the MDM server not provide the device admin API with the correct filename to use? How are you feeding the policy to the API? I'm a fan of dropping the extension altogether but I'm just trying to understand the issue. I'd hope that the system_server wouldn't directly try to parse the image, hopefully at least a library would be used. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:40 ` Joshua Brindle @ 2012-09-18 17:43 ` Stephen Smalley 2012-09-18 17:56 ` Joshua Brindle 0 siblings, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2012-09-18 17:43 UTC (permalink / raw) To: Joshua Brindle; +Cc: selinux, William Roberts, Joman Chu On Tue, 2012-09-18 at 13:40 -0400, Joshua Brindle wrote: > Stephen Smalley wrote: > > On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley wrote: > <snip> > > So this issue has come up again in the context of implementing device > > admin APIs and a sample device admin app. The device admin API > > implementation in the system_server needs to know how to name the file > > it creates under /data/system for the kernel policy, but it has no way > > to determine the actual policy version of the supplied policy. So it > > doesn't know what suffix to use. Options: > > - Get rid of the version suffix altogether, or at least for the sepolicy > > file under /data/system. > > - Have the system_server parse the header of the policy image to > > determine the policy version, and use that as the suffix. > > > > Thoughts? > > > > Can the MDM server not provide the device admin API with the correct > filename to use? How are you feeding the policy to the API? At the moment it is being passed directly as a byte array (similar to security_load_policy). Passing by pathname would require that the system_server have read/search access to a private file created by the device admin app, and passing by open fd would require that the device admin app first write the policy image to local storage before passing it to the system_server. So passing it directly seems preferable. > I'm a fan of dropping the extension altogether but I'm just trying to > understand the issue. I'd hope that the system_server wouldn't directly > try to parse the image, hopefully at least a library would be used. I expect we'd add a function to the Android libselinux for this purpose, since libsepol isn't available on the device. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:43 ` Stephen Smalley @ 2012-09-18 17:56 ` Joshua Brindle 2012-09-18 18:21 ` Stephen Smalley 0 siblings, 1 reply; 22+ messages in thread From: Joshua Brindle @ 2012-09-18 17:56 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux, William Roberts, Joman Chu Stephen Smalley wrote: > On Tue, 2012-09-18 at 13:40 -0400, Joshua Brindle wrote: >> Stephen Smalley wrote: >>> On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley wrote: >> <snip> >>> So this issue has come up again in the context of implementing device >>> admin APIs and a sample device admin app. The device admin API >>> implementation in the system_server needs to know how to name the file >>> it creates under /data/system for the kernel policy, but it has no way >>> to determine the actual policy version of the supplied policy. So it >>> doesn't know what suffix to use. Options: >>> - Get rid of the version suffix altogether, or at least for the sepolicy >>> file under /data/system. >>> - Have the system_server parse the header of the policy image to >>> determine the policy version, and use that as the suffix. >>> >>> Thoughts? >>> >> Can the MDM server not provide the device admin API with the correct >> filename to use? How are you feeding the policy to the API? > > At the moment it is being passed directly as a byte array (similar to > security_load_policy). Passing by pathname would require that the > system_server have read/search access to a private file created by the > device admin app, and passing by open fd would require that the device > admin app first write the policy image to local storage before passing > it to the system_server. So passing it directly seems preferable. > I assumed byte array but is the API going to basically be "here's your policy blob" and the system_server has to figure out what to do with it? I strongly believe that we will outgrow an API like that very quickly. MDM vendors want to do some interesting things and always doing it on the server side isn't going to be feasible I think (holding >10k SELinux policies in order to update them when new containers/apps/features/whatever are added is not ideal). -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:56 ` Joshua Brindle @ 2012-09-18 18:21 ` Stephen Smalley 0 siblings, 0 replies; 22+ messages in thread From: Stephen Smalley @ 2012-09-18 18:21 UTC (permalink / raw) To: Joshua Brindle; +Cc: selinux, William Roberts, Joman Chu On Tue, 2012-09-18 at 13:56 -0400, Joshua Brindle wrote: > Stephen Smalley wrote: > > On Tue, 2012-09-18 at 13:40 -0400, Joshua Brindle wrote: > >> Stephen Smalley wrote: > >>> On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley wrote: > >> <snip> > >>> So this issue has come up again in the context of implementing device > >>> admin APIs and a sample device admin app. The device admin API > >>> implementation in the system_server needs to know how to name the file > >>> it creates under /data/system for the kernel policy, but it has no way > >>> to determine the actual policy version of the supplied policy. So it > >>> doesn't know what suffix to use. Options: > >>> - Get rid of the version suffix altogether, or at least for the sepolicy > >>> file under /data/system. > >>> - Have the system_server parse the header of the policy image to > >>> determine the policy version, and use that as the suffix. > >>> > >>> Thoughts? > >>> > >> Can the MDM server not provide the device admin API with the correct > >> filename to use? How are you feeding the policy to the API? > > > > At the moment it is being passed directly as a byte array (similar to > > security_load_policy). Passing by pathname would require that the > > system_server have read/search access to a private file created by the > > device admin app, and passing by open fd would require that the device > > admin app first write the policy image to local storage before passing > > it to the system_server. So passing it directly seems preferable. > > > > I assumed byte array but is the API going to basically be "here's your > policy blob" and the system_server has to figure out what to do with it? > I strongly believe that we will outgrow an API like that very quickly. > MDM vendors want to do some interesting things and always doing it on > the server side isn't going to be feasible I think (holding >10k SELinux > policies in order to update them when new > containers/apps/features/whatever are added is not ideal). Well, first, it is intended as a starting point, so it doesn't exclude providing finer-grained APIs in the future. Second, as we don't presently have any way to manipulate policy on the device in any other way than setting policy booleans or completely replacing policy, there isn't much point in providing such a finer-grained API until we have the underlying support for it. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:33 ` Stephen Smalley 2012-09-18 17:40 ` Joshua Brindle @ 2012-09-18 17:46 ` William Roberts 2012-09-18 17:50 ` Stephen Smalley 2012-09-18 17:54 ` William Roberts 1 sibling, 2 replies; 22+ messages in thread From: William Roberts @ 2012-09-18 17:46 UTC (permalink / raw) To: Stephen Smalley; +Cc: Joshua Brindle, selinux, Joman Chu [-- Attachment #1: Type: text/plain, Size: 3610 bytes --] How hard is it to parse the header, is it a simple fixed with field? I could go either way on this, I like have the version number in the file name myself. On Tue, Sep 18, 2012 at 10:33 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley wrote: > > On Wed, 2012-07-11 at 15:45 -0400, Joshua Brindle wrote: > > > Stephen Smalley wrote: > > > > On Tue, 2012-07-10 at 20:07 -0400, Joshua Brindle wrote: > > > >> I was looking at this: > > > >> <https://android-review.googlesource.com/#/c/36321/4/init/init.c> > > > >> > > > >> and remembered that years ago we had a discussion about the > .policyver > > > >> filename syntax. I kind of get it for SELinux machines where there > is > > > >> managed policy and could be multiple policies on the system but > since > > > >> SEAndroid is targeting non-device managed policies, it adds extra > code > > > >> to search for the right extension and you can tell what version the > > > >> policy is as soon as you open it, why not ditch the suffix? > > > > > > > > First, that patch doesn't introduce the use of the version suffix > > > > (that's in the already merged code); it just preserves it in the new > > > > logic for reloading policy at runtime. > > > > > > I know, it just reminded me that I wanted to mention it :) > > > > > > > > > > > I'm open to removing the use of the policy version suffix in a > follow-on > > > > patch, although that would need to be coordinated across sepolicy and > > > > system/core. But the current code is consistent with existing > practice > > > > in Linux distributions (so follows principle of least surprise) and > it > > > > > > From what I can tell most people doing anything with SEAndroid have > never been > > > exposed to SELinux so it probably is surprising to them that the file > extension > > > would change version to version. > > > > > > > allows for different versions to be installed simultaneously (thereby > > > > supporting booting multiple kernels). Also, we don't have libsepol > on > > > > > > I don't think this will ever be an issue on mobile devices (and I > don't think it > > > ever was an issue on real machines, more likely that stale policies > were being > > > enforced if there was some kernel or library change) > > > > > > > the device so we cannot in fact determine the version when we open it > > > > there presently. So I'm not convinced we should remove the suffix. > > > > > > We don't need libsepol, just read the first few bytes, a la file. > > > > We need libsepol at least if we want to support automatic downgrading of > > the policy to a version supported by the kernel. So unless we think we > > can guarantee that Android userspace + kernel are always updated in > > lock-step and one will never want to support multiple kernels, it seems > > a bit inflexible to drop the versioning. > > So this issue has come up again in the context of implementing device > admin APIs and a sample device admin app. The device admin API > implementation in the system_server needs to know how to name the file > it creates under /data/system for the kernel policy, but it has no way > to determine the actual policy version of the supplied policy. So it > doesn't know what suffix to use. Options: > - Get rid of the version suffix altogether, or at least for the sepolicy > file under /data/system. > - Have the system_server parse the header of the policy image to > determine the policy version, and use that as the suffix. > > Thoughts? > > -- > Stephen Smalley > National Security Agency > > -- Respectfully, William C Roberts [-- Attachment #2: Type: text/html, Size: 4687 bytes --] ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:46 ` William Roberts @ 2012-09-18 17:50 ` Stephen Smalley 2012-09-18 17:54 ` William Roberts 1 sibling, 0 replies; 22+ messages in thread From: Stephen Smalley @ 2012-09-18 17:50 UTC (permalink / raw) To: William Roberts; +Cc: Joshua Brindle, selinux, Joman Chu On Tue, 2012-09-18 at 10:46 -0700, William Roberts wrote: > How hard is it to parse the header, is it a simple fixed with field? > > > I could go either way on this, I like have the version number in the > file name myself. See the beginning of policydb_read() in security/selinux/ss/policydb.c. Fairly straightforward, especially as we can presume that it is a SELinux kernel policy. We would just read and check the magic number, skip the fixed string identifier, and read the version number. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:46 ` William Roberts 2012-09-18 17:50 ` Stephen Smalley @ 2012-09-18 17:54 ` William Roberts 2012-09-18 17:57 ` William Roberts 2012-09-18 18:15 ` Stephen Smalley 1 sibling, 2 replies; 22+ messages in thread From: William Roberts @ 2012-09-18 17:54 UTC (permalink / raw) To: Stephen Smalley; +Cc: Joshua Brindle, selinux, Joman Chu [-- Attachment #1: Type: text/plain, Size: 4217 bytes --] Actually on second thought, lets ditch the version. Either your have a supported version or not, and if you don't have a supported version you've done something very wrong, and can extract dmesg and use libsepol on the host to solve your problem. I would imagine dmesg would have "cannot load policy error" and libsepol on the host could tell your version number. Bill On Tue, Sep 18, 2012 at 10:46 AM, William Roberts <bill.c.roberts@gmail.com>wrote: > How hard is it to parse the header, is it a simple fixed with field? > > I could go either way on this, I like have the version number in the file > name myself. > > > On Tue, Sep 18, 2012 at 10:33 AM, Stephen Smalley <sds@tycho.nsa.gov>wrote: > >> On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley wrote: >> > On Wed, 2012-07-11 at 15:45 -0400, Joshua Brindle wrote: >> > > Stephen Smalley wrote: >> > > > On Tue, 2012-07-10 at 20:07 -0400, Joshua Brindle wrote: >> > > >> I was looking at this: >> > > >> <https://android-review.googlesource.com/#/c/36321/4/init/init.c> >> > > >> >> > > >> and remembered that years ago we had a discussion about the >> .policyver >> > > >> filename syntax. I kind of get it for SELinux machines where there >> is >> > > >> managed policy and could be multiple policies on the system but >> since >> > > >> SEAndroid is targeting non-device managed policies, it adds extra >> code >> > > >> to search for the right extension and you can tell what version the >> > > >> policy is as soon as you open it, why not ditch the suffix? >> > > > >> > > > First, that patch doesn't introduce the use of the version suffix >> > > > (that's in the already merged code); it just preserves it in the new >> > > > logic for reloading policy at runtime. >> > > >> > > I know, it just reminded me that I wanted to mention it :) >> > > >> > > > >> > > > I'm open to removing the use of the policy version suffix in a >> follow-on >> > > > patch, although that would need to be coordinated across sepolicy >> and >> > > > system/core. But the current code is consistent with existing >> practice >> > > > in Linux distributions (so follows principle of least surprise) and >> it >> > > >> > > From what I can tell most people doing anything with SEAndroid have >> never been >> > > exposed to SELinux so it probably is surprising to them that the file >> extension >> > > would change version to version. >> > > >> > > > allows for different versions to be installed simultaneously >> (thereby >> > > > supporting booting multiple kernels). Also, we don't have libsepol >> on >> > > >> > > I don't think this will ever be an issue on mobile devices (and I >> don't think it >> > > ever was an issue on real machines, more likely that stale policies >> were being >> > > enforced if there was some kernel or library change) >> > > >> > > > the device so we cannot in fact determine the version when we open >> it >> > > > there presently. So I'm not convinced we should remove the suffix. >> > > >> > > We don't need libsepol, just read the first few bytes, a la file. >> > >> > We need libsepol at least if we want to support automatic downgrading of >> > the policy to a version supported by the kernel. So unless we think we >> > can guarantee that Android userspace + kernel are always updated in >> > lock-step and one will never want to support multiple kernels, it seems >> > a bit inflexible to drop the versioning. >> >> So this issue has come up again in the context of implementing device >> admin APIs and a sample device admin app. The device admin API >> implementation in the system_server needs to know how to name the file >> it creates under /data/system for the kernel policy, but it has no way >> to determine the actual policy version of the supplied policy. So it >> doesn't know what suffix to use. Options: >> - Get rid of the version suffix altogether, or at least for the sepolicy >> file under /data/system. >> - Have the system_server parse the header of the policy image to >> determine the policy version, and use that as the suffix. >> >> Thoughts? >> >> -- >> Stephen Smalley >> National Security Agency >> >> > > > -- > Respectfully, > > William C Roberts > > > -- Respectfully, William C Roberts [-- Attachment #2: Type: text/html, Size: 5593 bytes --] ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:54 ` William Roberts @ 2012-09-18 17:57 ` William Roberts 2012-09-18 18:10 ` Stephen Smalley 2012-09-18 18:15 ` Stephen Smalley 1 sibling, 1 reply; 22+ messages in thread From: William Roberts @ 2012-09-18 17:57 UTC (permalink / raw) To: Stephen Smalley; +Cc: Joshua Brindle, selinux, Joman Chu [-- Attachment #1: Type: text/plain, Size: 4672 bytes --] I saw up above your passing the policy as a byte array.... Were on memory constrained devices, what happens if the file is to big to be resident in memory? Could we just pass a fd? On Tue, Sep 18, 2012 at 10:54 AM, William Roberts <bill.c.roberts@gmail.com>wrote: > Actually on second thought, lets ditch the version. Either your have a > supported version or not, and if you don't have a supported > version you've done something very wrong, and can extract dmesg and use > libsepol on the host to solve your problem. I would imagine dmesg would > have "cannot load policy error" and libsepol on the host could tell your > version number. > > Bill > > > On Tue, Sep 18, 2012 at 10:46 AM, William Roberts < > bill.c.roberts@gmail.com> wrote: > >> How hard is it to parse the header, is it a simple fixed with field? >> >> I could go either way on this, I like have the version number in the file >> name myself. >> >> >> On Tue, Sep 18, 2012 at 10:33 AM, Stephen Smalley <sds@tycho.nsa.gov>wrote: >> >>> On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley wrote: >>> > On Wed, 2012-07-11 at 15:45 -0400, Joshua Brindle wrote: >>> > > Stephen Smalley wrote: >>> > > > On Tue, 2012-07-10 at 20:07 -0400, Joshua Brindle wrote: >>> > > >> I was looking at this: >>> > > >> <https://android-review.googlesource.com/#/c/36321/4/init/init.c> >>> > > >> >>> > > >> and remembered that years ago we had a discussion about the >>> .policyver >>> > > >> filename syntax. I kind of get it for SELinux machines where >>> there is >>> > > >> managed policy and could be multiple policies on the system but >>> since >>> > > >> SEAndroid is targeting non-device managed policies, it adds extra >>> code >>> > > >> to search for the right extension and you can tell what version >>> the >>> > > >> policy is as soon as you open it, why not ditch the suffix? >>> > > > >>> > > > First, that patch doesn't introduce the use of the version suffix >>> > > > (that's in the already merged code); it just preserves it in the >>> new >>> > > > logic for reloading policy at runtime. >>> > > >>> > > I know, it just reminded me that I wanted to mention it :) >>> > > >>> > > > >>> > > > I'm open to removing the use of the policy version suffix in a >>> follow-on >>> > > > patch, although that would need to be coordinated across sepolicy >>> and >>> > > > system/core. But the current code is consistent with existing >>> practice >>> > > > in Linux distributions (so follows principle of least surprise) >>> and it >>> > > >>> > > From what I can tell most people doing anything with SEAndroid have >>> never been >>> > > exposed to SELinux so it probably is surprising to them that the >>> file extension >>> > > would change version to version. >>> > > >>> > > > allows for different versions to be installed simultaneously >>> (thereby >>> > > > supporting booting multiple kernels). Also, we don't have >>> libsepol on >>> > > >>> > > I don't think this will ever be an issue on mobile devices (and I >>> don't think it >>> > > ever was an issue on real machines, more likely that stale policies >>> were being >>> > > enforced if there was some kernel or library change) >>> > > >>> > > > the device so we cannot in fact determine the version when we open >>> it >>> > > > there presently. So I'm not convinced we should remove the suffix. >>> > > >>> > > We don't need libsepol, just read the first few bytes, a la file. >>> > >>> > We need libsepol at least if we want to support automatic downgrading >>> of >>> > the policy to a version supported by the kernel. So unless we think we >>> > can guarantee that Android userspace + kernel are always updated in >>> > lock-step and one will never want to support multiple kernels, it seems >>> > a bit inflexible to drop the versioning. >>> >>> So this issue has come up again in the context of implementing device >>> admin APIs and a sample device admin app. The device admin API >>> implementation in the system_server needs to know how to name the file >>> it creates under /data/system for the kernel policy, but it has no way >>> to determine the actual policy version of the supplied policy. So it >>> doesn't know what suffix to use. Options: >>> - Get rid of the version suffix altogether, or at least for the sepolicy >>> file under /data/system. >>> - Have the system_server parse the header of the policy image to >>> determine the policy version, and use that as the suffix. >>> >>> Thoughts? >>> >>> -- >>> Stephen Smalley >>> National Security Agency >>> >>> >> >> >> -- >> Respectfully, >> >> William C Roberts >> >> >> > > > -- > Respectfully, > > William C Roberts > > > -- Respectfully, William C Roberts [-- Attachment #2: Type: text/html, Size: 6240 bytes --] ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:57 ` William Roberts @ 2012-09-18 18:10 ` Stephen Smalley 0 siblings, 0 replies; 22+ messages in thread From: Stephen Smalley @ 2012-09-18 18:10 UTC (permalink / raw) To: William Roberts; +Cc: Joshua Brindle, selinux, Joman Chu On Tue, 2012-09-18 at 10:57 -0700, William Roberts wrote: > I saw up above your passing the policy as a byte array.... Were on > memory constrained devices, what happens if the file is to big to be > resident in memory? Could we just pass a fd? We're talking about kernel policy, so it has to live within kernel memory ultimately. So if it is too big to be resident in userspace memory, then I think you have other problems. Passing by fd means that the device admin app has to first write it to a private file on local storage. So then you are requiring two copies to local storage, one temporary copy written by the device admin app to a private file and one final copy written by the system_server to /data/system. Willing to consider a different API, but not clear whether it is beneficial overall to switch to passing by fd. > On Tue, Sep 18, 2012 at 10:54 AM, William Roberts > <bill.c.roberts@gmail.com> wrote: > Actually on second thought, lets ditch the version. Either > your have a supported version or not, and if you don't have a > supported version you've done something very wrong, and can > extract dmesg and use libsepol on the host to solve your > problem. I would imagine dmesg would have "cannot load policy > error" and libsepol on the host could tell your version > number. > > > Bill > > > On Tue, Sep 18, 2012 at 10:46 AM, William Roberts > <bill.c.roberts@gmail.com> wrote: > How hard is it to parse the header, is it a simple > fixed with field? > > > I could go either way on this, I like have the version > number in the file name myself. > > > On Tue, Sep 18, 2012 at 10:33 AM, Stephen Smalley > <sds@tycho.nsa.gov> wrote: > On Wed, 2012-07-11 at 15:49 -0400, Stephen > Smalley wrote: > > On Wed, 2012-07-11 at 15:45 -0400, Joshua > Brindle wrote: > > > Stephen Smalley wrote: > > > > On Tue, 2012-07-10 at 20:07 -0400, > Joshua Brindle wrote: > > > >> I was looking at this: > > > >> > <https://android-review.googlesource.com/#/c/36321/4/init/init.c> > > > >> > > > >> and remembered that years ago we had a > discussion about the .policyver > > > >> filename syntax. I kind of get it for > SELinux machines where there is > > > >> managed policy and could be multiple > policies on the system but since > > > >> SEAndroid is targeting non-device > managed policies, it adds extra code > > > >> to search for the right extension and > you can tell what version the > > > >> policy is as soon as you open it, why > not ditch the suffix? > > > > > > > > First, that patch doesn't introduce the > use of the version suffix > > > > (that's in the already merged code); it > just preserves it in the new > > > > logic for reloading policy at runtime. > > > > > > I know, it just reminded me that I wanted > to mention it :) > > > > > > > > > > > I'm open to removing the use of the > policy version suffix in a follow-on > > > > patch, although that would need to be > coordinated across sepolicy and > > > > system/core. But the current code is > consistent with existing practice > > > > in Linux distributions (so follows > principle of least surprise) and it > > > > > > From what I can tell most people doing > anything with SEAndroid have never been > > > exposed to SELinux so it probably is > surprising to them that the file extension > > > would change version to version. > > > > > > > allows for different versions to be > installed simultaneously (thereby > > > > supporting booting multiple kernels). > Also, we don't have libsepol on > > > > > > I don't think this will ever be an issue > on mobile devices (and I don't think it > > > ever was an issue on real machines, more > likely that stale policies were being > > > enforced if there was some kernel or > library change) > > > > > > > the device so we cannot in fact > determine the version when we open it > > > > there presently. So I'm not convinced > we should remove the suffix. > > > > > > We don't need libsepol, just read the > first few bytes, a la file. > > > > We need libsepol at least if we want to > support automatic downgrading of > > the policy to a version supported by the > kernel. So unless we think we > > can guarantee that Android userspace + > kernel are always updated in > > lock-step and one will never want to support > multiple kernels, it seems > > a bit inflexible to drop the versioning. > > > So this issue has come up again in the context > of implementing device > admin APIs and a sample device admin app. The > device admin API > implementation in the system_server needs to > know how to name the file > it creates under /data/system for the kernel > policy, but it has no way > to determine the actual policy version of the > supplied policy. So it > doesn't know what suffix to use. Options: > - Get rid of the version suffix altogether, or > at least for the sepolicy > file under /data/system. > - Have the system_server parse the header of > the policy image to > determine the policy version, and use that as > the suffix. > > Thoughts? > > -- > Stephen Smalley > National Security Agency > > > > > > > -- > Respectfully, > > William C Roberts > > > > > > > > -- > Respectfully, > > William C Roberts > > > > > > > > -- > Respectfully, > > William C Roberts > > > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 17:54 ` William Roberts 2012-09-18 17:57 ` William Roberts @ 2012-09-18 18:15 ` Stephen Smalley 2012-09-18 18:25 ` William Roberts 1 sibling, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2012-09-18 18:15 UTC (permalink / raw) To: William Roberts; +Cc: Joshua Brindle, selinux, Joman Chu On Tue, 2012-09-18 at 10:54 -0700, William Roberts wrote: > Actually on second thought, lets ditch the version. Either your have a > supported version or not, and if you don't have a supported version > you've done something very wrong, and can extract dmesg and use > libsepol on the host to solve your problem. I would imagine dmesg > would have "cannot load policy error" and libsepol on the host could > tell your version number. The reason for the version number suffix is so that you can have multiple versions installed simultaneously for different kernels, allowing you to install a new version for a new kernel yet still back out to the old version/old kernel if necessary. If we do drop the version suffix, do we do it only for the /data/system/sepolicy or also for /sepolicy? Requires a coordinated change across external/sepolicy and external/libselinux (and for 4.0.4, system/core since it still has the old policy loading logic directly within init). Also, do we continue to force the policy version to 24 in external/sepolicy Android.mk or let it go with whatever checkpolicy supports. We were capping it at policy.24 because that is the least common denominator for all of the AOSP kernels (going back to the emulator kernel), and because that was the latest version supported by Ubuntu 10.04 (but that doesn't matter now that there is a copy of checkpolicy in AOSP, which we might want to get updated btw). > On Tue, Sep 18, 2012 at 10:46 AM, William Roberts > <bill.c.roberts@gmail.com> wrote: > How hard is it to parse the header, is it a simple fixed with > field? > > > I could go either way on this, I like have the version number > in the file name myself. > > > On Tue, Sep 18, 2012 at 10:33 AM, Stephen Smalley > <sds@tycho.nsa.gov> wrote: > On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley > wrote: > > On Wed, 2012-07-11 at 15:45 -0400, Joshua Brindle > wrote: > > > Stephen Smalley wrote: > > > > On Tue, 2012-07-10 at 20:07 -0400, Joshua > Brindle wrote: > > > >> I was looking at this: > > > >> > <https://android-review.googlesource.com/#/c/36321/4/init/init.c> > > > >> > > > >> and remembered that years ago we had a > discussion about the .policyver > > > >> filename syntax. I kind of get it for SELinux > machines where there is > > > >> managed policy and could be multiple policies > on the system but since > > > >> SEAndroid is targeting non-device managed > policies, it adds extra code > > > >> to search for the right extension and you can > tell what version the > > > >> policy is as soon as you open it, why not ditch > the suffix? > > > > > > > > First, that patch doesn't introduce the use of > the version suffix > > > > (that's in the already merged code); it just > preserves it in the new > > > > logic for reloading policy at runtime. > > > > > > I know, it just reminded me that I wanted to > mention it :) > > > > > > > > > > > I'm open to removing the use of the policy > version suffix in a follow-on > > > > patch, although that would need to be > coordinated across sepolicy and > > > > system/core. But the current code is consistent > with existing practice > > > > in Linux distributions (so follows principle of > least surprise) and it > > > > > > From what I can tell most people doing anything > with SEAndroid have never been > > > exposed to SELinux so it probably is surprising to > them that the file extension > > > would change version to version. > > > > > > > allows for different versions to be installed > simultaneously (thereby > > > > supporting booting multiple kernels). Also, we > don't have libsepol on > > > > > > I don't think this will ever be an issue on mobile > devices (and I don't think it > > > ever was an issue on real machines, more likely > that stale policies were being > > > enforced if there was some kernel or library > change) > > > > > > > the device so we cannot in fact determine the > version when we open it > > > > there presently. So I'm not convinced we should > remove the suffix. > > > > > > We don't need libsepol, just read the first few > bytes, a la file. > > > > We need libsepol at least if we want to support > automatic downgrading of > > the policy to a version supported by the kernel. So > unless we think we > > can guarantee that Android userspace + kernel are > always updated in > > lock-step and one will never want to support > multiple kernels, it seems > > a bit inflexible to drop the versioning. > > > So this issue has come up again in the context of > implementing device > admin APIs and a sample device admin app. The device > admin API > implementation in the system_server needs to know how > to name the file > it creates under /data/system for the kernel policy, > but it has no way > to determine the actual policy version of the supplied > policy. So it > doesn't know what suffix to use. Options: > - Get rid of the version suffix altogether, or at > least for the sepolicy > file under /data/system. > - Have the system_server parse the header of the > policy image to > determine the policy version, and use that as the > suffix. > > Thoughts? > > -- > Stephen Smalley > National Security Agency > > > > > > > -- > Respectfully, > > William C Roberts > > > > > > > > -- > Respectfully, > > William C Roberts > > > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 18:15 ` Stephen Smalley @ 2012-09-18 18:25 ` William Roberts 2012-09-18 18:26 ` William Roberts 2012-09-18 18:52 ` Stephen Smalley 0 siblings, 2 replies; 22+ messages in thread From: William Roberts @ 2012-09-18 18:25 UTC (permalink / raw) To: Stephen Smalley; +Cc: Joshua Brindle, selinux, Joman Chu [-- Attachment #1: Type: text/plain, Size: 8020 bytes --] Ahh yeah you are correct, it would have to be resident in kernel memory. With that argument that api sounds sufficient. Could we configure the policy version independent of the makefile. This way oem's can control what version they want, maybe something like POLICYVERS variable could be overridden too. I think we could just drop the version suffix unless it gets us something that we may need in the future. If it might be beneficial for unforeseen future growth, then we would keep it an have system_server parse the first few bytes out for the version suffix. On Tue, Sep 18, 2012 at 11:15 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Tue, 2012-09-18 at 10:54 -0700, William Roberts wrote: > > Actually on second thought, lets ditch the version. Either your have a > > supported version or not, and if you don't have a supported version > > you've done something very wrong, and can extract dmesg and use > > libsepol on the host to solve your problem. I would imagine dmesg > > would have "cannot load policy error" and libsepol on the host could > > tell your version number. > > The reason for the version number suffix is so that you can have > multiple versions installed simultaneously for different kernels, > allowing you to install a new version for a new kernel yet still back > out to the old version/old kernel if necessary. > > If we do drop the version suffix, do we do it only for > the /data/system/sepolicy or also for /sepolicy? Requires a coordinated > change across external/sepolicy and external/libselinux (and for 4.0.4, > system/core since it still has the old policy loading logic directly > within init). > > Also, do we continue to force the policy version to 24 in > external/sepolicy Android.mk or let it go with whatever checkpolicy > supports. We were capping it at policy.24 because that is the least > common denominator for all of the AOSP kernels (going back to the > emulator kernel), and because that was the latest version supported by > Ubuntu 10.04 (but that doesn't matter now that there is a copy of > checkpolicy in AOSP, which we might want to get updated btw). > > > On Tue, Sep 18, 2012 at 10:46 AM, William Roberts > > <bill.c.roberts@gmail.com> wrote: > > How hard is it to parse the header, is it a simple fixed with > > field? > > > > > > I could go either way on this, I like have the version number > > in the file name myself. > > > > > > On Tue, Sep 18, 2012 at 10:33 AM, Stephen Smalley > > <sds@tycho.nsa.gov> wrote: > > On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley > > wrote: > > > On Wed, 2012-07-11 at 15:45 -0400, Joshua Brindle > > wrote: > > > > Stephen Smalley wrote: > > > > > On Tue, 2012-07-10 at 20:07 -0400, Joshua > > Brindle wrote: > > > > >> I was looking at this: > > > > >> > > < > https://android-review.googlesource.com/#/c/36321/4/init/init.c> > > > > >> > > > > >> and remembered that years ago we had a > > discussion about the .policyver > > > > >> filename syntax. I kind of get it for SELinux > > machines where there is > > > > >> managed policy and could be multiple policies > > on the system but since > > > > >> SEAndroid is targeting non-device managed > > policies, it adds extra code > > > > >> to search for the right extension and you can > > tell what version the > > > > >> policy is as soon as you open it, why not ditch > > the suffix? > > > > > > > > > > First, that patch doesn't introduce the use of > > the version suffix > > > > > (that's in the already merged code); it just > > preserves it in the new > > > > > logic for reloading policy at runtime. > > > > > > > > I know, it just reminded me that I wanted to > > mention it :) > > > > > > > > > > > > > > I'm open to removing the use of the policy > > version suffix in a follow-on > > > > > patch, although that would need to be > > coordinated across sepolicy and > > > > > system/core. But the current code is consistent > > with existing practice > > > > > in Linux distributions (so follows principle of > > least surprise) and it > > > > > > > > From what I can tell most people doing anything > > with SEAndroid have never been > > > > exposed to SELinux so it probably is surprising to > > them that the file extension > > > > would change version to version. > > > > > > > > > allows for different versions to be installed > > simultaneously (thereby > > > > > supporting booting multiple kernels). Also, we > > don't have libsepol on > > > > > > > > I don't think this will ever be an issue on mobile > > devices (and I don't think it > > > > ever was an issue on real machines, more likely > > that stale policies were being > > > > enforced if there was some kernel or library > > change) > > > > > > > > > the device so we cannot in fact determine the > > version when we open it > > > > > there presently. So I'm not convinced we should > > remove the suffix. > > > > > > > > We don't need libsepol, just read the first few > > bytes, a la file. > > > > > > We need libsepol at least if we want to support > > automatic downgrading of > > > the policy to a version supported by the kernel. So > > unless we think we > > > can guarantee that Android userspace + kernel are > > always updated in > > > lock-step and one will never want to support > > multiple kernels, it seems > > > a bit inflexible to drop the versioning. > > > > > > So this issue has come up again in the context of > > implementing device > > admin APIs and a sample device admin app. The device > > admin API > > implementation in the system_server needs to know how > > to name the file > > it creates under /data/system for the kernel policy, > > but it has no way > > to determine the actual policy version of the supplied > > policy. So it > > doesn't know what suffix to use. Options: > > - Get rid of the version suffix altogether, or at > > least for the sepolicy > > file under /data/system. > > - Have the system_server parse the header of the > > policy image to > > determine the policy version, and use that as the > > suffix. > > > > Thoughts? > > > > -- > > Stephen Smalley > > National Security Agency > > > > > > > > > > > > > > -- > > Respectfully, > > > > William C Roberts > > > > > > > > > > > > > > > > -- > > Respectfully, > > > > William C Roberts > > > > > > > > -- > Stephen Smalley > National Security Agency > > -- Respectfully, William C Roberts [-- Attachment #2: Type: text/html, Size: 9978 bytes --] ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 18:25 ` William Roberts @ 2012-09-18 18:26 ` William Roberts 2012-09-18 18:52 ` Stephen Smalley 1 sibling, 0 replies; 22+ messages in thread From: William Roberts @ 2012-09-18 18:26 UTC (permalink / raw) To: Stephen Smalley; +Cc: Joshua Brindle, selinux, Joman Chu [-- Attachment #1: Type: text/plain, Size: 8464 bytes --] Yes, I would imagine right now the api is pretty much reload policy, get booleans /set boolean type of api. On Tue, Sep 18, 2012 at 11:25 AM, William Roberts <bill.c.roberts@gmail.com>wrote: > Ahh yeah you are correct, it would have to be resident in kernel memory. > With that argument that api sounds sufficient. > > Could we configure the policy version independent of the makefile. This > way oem's can control what version they want, maybe something like > POLICYVERS variable could be overridden too. I think we could just drop the > version suffix unless it gets us something that we may need in the future. > If it might be beneficial for unforeseen future growth, then we would keep > it an have system_server parse the first few bytes out for the version > suffix. > > > On Tue, Sep 18, 2012 at 11:15 AM, Stephen Smalley <sds@tycho.nsa.gov>wrote: > >> On Tue, 2012-09-18 at 10:54 -0700, William Roberts wrote: >> > Actually on second thought, lets ditch the version. Either your have a >> > supported version or not, and if you don't have a supported version >> > you've done something very wrong, and can extract dmesg and use >> > libsepol on the host to solve your problem. I would imagine dmesg >> > would have "cannot load policy error" and libsepol on the host could >> > tell your version number. >> >> The reason for the version number suffix is so that you can have >> multiple versions installed simultaneously for different kernels, >> allowing you to install a new version for a new kernel yet still back >> out to the old version/old kernel if necessary. >> >> If we do drop the version suffix, do we do it only for >> the /data/system/sepolicy or also for /sepolicy? Requires a coordinated >> change across external/sepolicy and external/libselinux (and for 4.0.4, >> system/core since it still has the old policy loading logic directly >> within init). >> >> Also, do we continue to force the policy version to 24 in >> external/sepolicy Android.mk or let it go with whatever checkpolicy >> supports. We were capping it at policy.24 because that is the least >> common denominator for all of the AOSP kernels (going back to the >> emulator kernel), and because that was the latest version supported by >> Ubuntu 10.04 (but that doesn't matter now that there is a copy of >> checkpolicy in AOSP, which we might want to get updated btw). >> >> > On Tue, Sep 18, 2012 at 10:46 AM, William Roberts >> > <bill.c.roberts@gmail.com> wrote: >> > How hard is it to parse the header, is it a simple fixed with >> > field? >> > >> > >> > I could go either way on this, I like have the version number >> > in the file name myself. >> > >> > >> > On Tue, Sep 18, 2012 at 10:33 AM, Stephen Smalley >> > <sds@tycho.nsa.gov> wrote: >> > On Wed, 2012-07-11 at 15:49 -0400, Stephen Smalley >> > wrote: >> > > On Wed, 2012-07-11 at 15:45 -0400, Joshua Brindle >> > wrote: >> > > > Stephen Smalley wrote: >> > > > > On Tue, 2012-07-10 at 20:07 -0400, Joshua >> > Brindle wrote: >> > > > >> I was looking at this: >> > > > >> >> > < >> https://android-review.googlesource.com/#/c/36321/4/init/init.c> >> > > > >> >> > > > >> and remembered that years ago we had a >> > discussion about the .policyver >> > > > >> filename syntax. I kind of get it for SELinux >> > machines where there is >> > > > >> managed policy and could be multiple policies >> > on the system but since >> > > > >> SEAndroid is targeting non-device managed >> > policies, it adds extra code >> > > > >> to search for the right extension and you can >> > tell what version the >> > > > >> policy is as soon as you open it, why not ditch >> > the suffix? >> > > > > >> > > > > First, that patch doesn't introduce the use of >> > the version suffix >> > > > > (that's in the already merged code); it just >> > preserves it in the new >> > > > > logic for reloading policy at runtime. >> > > > >> > > > I know, it just reminded me that I wanted to >> > mention it :) >> > > > >> > > > > >> > > > > I'm open to removing the use of the policy >> > version suffix in a follow-on >> > > > > patch, although that would need to be >> > coordinated across sepolicy and >> > > > > system/core. But the current code is consistent >> > with existing practice >> > > > > in Linux distributions (so follows principle of >> > least surprise) and it >> > > > >> > > > From what I can tell most people doing anything >> > with SEAndroid have never been >> > > > exposed to SELinux so it probably is surprising to >> > them that the file extension >> > > > would change version to version. >> > > > >> > > > > allows for different versions to be installed >> > simultaneously (thereby >> > > > > supporting booting multiple kernels). Also, we >> > don't have libsepol on >> > > > >> > > > I don't think this will ever be an issue on mobile >> > devices (and I don't think it >> > > > ever was an issue on real machines, more likely >> > that stale policies were being >> > > > enforced if there was some kernel or library >> > change) >> > > > >> > > > > the device so we cannot in fact determine the >> > version when we open it >> > > > > there presently. So I'm not convinced we should >> > remove the suffix. >> > > > >> > > > We don't need libsepol, just read the first few >> > bytes, a la file. >> > > >> > > We need libsepol at least if we want to support >> > automatic downgrading of >> > > the policy to a version supported by the kernel. So >> > unless we think we >> > > can guarantee that Android userspace + kernel are >> > always updated in >> > > lock-step and one will never want to support >> > multiple kernels, it seems >> > > a bit inflexible to drop the versioning. >> > >> > >> > So this issue has come up again in the context of >> > implementing device >> > admin APIs and a sample device admin app. The device >> > admin API >> > implementation in the system_server needs to know how >> > to name the file >> > it creates under /data/system for the kernel policy, >> > but it has no way >> > to determine the actual policy version of the supplied >> > policy. So it >> > doesn't know what suffix to use. Options: >> > - Get rid of the version suffix altogether, or at >> > least for the sepolicy >> > file under /data/system. >> > - Have the system_server parse the header of the >> > policy image to >> > determine the policy version, and use that as the >> > suffix. >> > >> > Thoughts? >> > >> > -- >> > Stephen Smalley >> > National Security Agency >> > >> > >> > >> > >> > >> > >> > -- >> > Respectfully, >> > >> > William C Roberts >> > >> > >> > >> > >> > >> > >> > >> > -- >> > Respectfully, >> > >> > William C Roberts >> > >> > >> > >> >> -- >> Stephen Smalley >> National Security Agency >> >> > > > -- > Respectfully, > > William C Roberts > > > -- Respectfully, William C Roberts [-- Attachment #2: Type: text/html, Size: 10547 bytes --] ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 18:25 ` William Roberts 2012-09-18 18:26 ` William Roberts @ 2012-09-18 18:52 ` Stephen Smalley 2012-09-18 18:59 ` William Roberts 2012-09-18 19:04 ` Joshua Brindle 1 sibling, 2 replies; 22+ messages in thread From: Stephen Smalley @ 2012-09-18 18:52 UTC (permalink / raw) To: William Roberts; +Cc: Joshua Brindle, selinux, Joman Chu [-- Attachment #1: Type: text/plain, Size: 432 bytes --] Attached are patches for libselinux and sepolicy to drop the policy version suffix. We still force generation of a version 24 policy by default, although this can be overridden via make command-line or environment setting (e.g. export POLICYVERS=26). Does this seem sane? Note that seandroid-4.0.4 requires changes to system/core as well, so this only fixes it for master and 4.1.1. -- Stephen Smalley National Security Agency [-- Attachment #2: libselinux-dropverssuffix.diff --] [-- Type: text/x-patch, Size: 1351 bytes --] diff --git a/src/android.c b/src/android.c index ae3f624..af6c79c 100644 --- a/src/android.c +++ b/src/android.c @@ -36,7 +36,7 @@ static const struct selinux_opt seopts[] = { { SELABEL_OPT_PATH, "/file_contexts" }, { 0, NULL } }; -static const char *const sepolicy_prefix[] = { +static const char *const sepolicy_file[] = { "/data/system/sepolicy", "/sepolicy", 0 }; @@ -671,29 +671,15 @@ struct selabel_handle* selinux_android_file_context_handle(void) int selinux_android_reload_policy(void) { char path[PATH_MAX]; - int fd = -1, rc, vers; + int fd = -1, rc; struct stat sb; void *map = NULL; int i = 0; - vers = security_policyvers(); - if (vers <= 0) { - selinux_log(SELINUX_ERROR, "SELinux: Unable to read policy version\n"); - return -1; - } - selinux_log(SELINUX_INFO, "SELinux: Maximum supported policy version: %d\n", vers); - - while (fd < 0 && sepolicy_prefix[i]) { - snprintf(path, sizeof(path), "%s.%d", - sepolicy_prefix[i], vers); + while (fd < 0 && sepolicy_file[i]) { + snprintf(path, sizeof(path), "%s", + sepolicy_file[i]); fd = open(path, O_RDONLY); - - int max_vers = vers; - while (fd < 0 && errno == ENOENT && --max_vers) { - snprintf(path, sizeof(path), "%s.%d", - sepolicy_prefix[i], max_vers); - fd = open(path, O_RDONLY); - } i++; } if (fd < 0) { [-- Attachment #3: sepolicy-dropverssuffix.diff --] [-- Type: text/x-patch, Size: 1223 bytes --] diff --git a/Android.mk b/Android.mk index 194dbf7..d3b21bb 100644 --- a/Android.mk +++ b/Android.mk @@ -9,7 +9,7 @@ include $(CLEAR_VARS) # SELinux policy version. # Must be <= /selinux/policyvers reported by the Android kernel. # Must be within the compatibility range reported by checkpolicy -V. -POLICYVERS := 24 +POLICYVERS ?= 24 MLS_SENS=1 MLS_CATS=1024 @@ -31,7 +31,6 @@ include $(CLEAR_VARS) LOCAL_MODULE := sepolicy LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_SUFFIX := .$(POLICYVERS) LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) include $(BUILD_SYSTEM)/base_rules.mk @@ -79,9 +78,9 @@ $(seapp_contexts.tmp): $(LOCAL_PATH)/seapp_contexts $(LOCAL_POLICY_SC) @mkdir -p $(dir $@) $(hide) m4 -s $^ > $@ -$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(TARGET_ROOT_OUT)/sepolicy.$(POLICYVERS) $(HOST_OUT_EXECUTABLES)/checkseapp +$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(TARGET_ROOT_OUT)/sepolicy $(HOST_OUT_EXECUTABLES)/checkseapp @mkdir -p $(dir $@) - $(HOST_OUT_EXECUTABLES)/checkseapp -p $(TARGET_ROOT_OUT)/sepolicy.24 -o $@ $< + $(HOST_OUT_EXECUTABLES)/checkseapp -p $(TARGET_ROOT_OUT)/sepolicy -o $@ $< seapp_contexts.tmp := ################################## ^ permalink raw reply related [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 18:52 ` Stephen Smalley @ 2012-09-18 18:59 ` William Roberts 2012-09-18 19:04 ` Joshua Brindle 1 sibling, 0 replies; 22+ messages in thread From: William Roberts @ 2012-09-18 18:59 UTC (permalink / raw) To: Stephen Smalley; +Cc: Joshua Brindle, selinux, Joman Chu [-- Attachment #1: Type: text/plain, Size: 849 bytes --] Those look fine with me. Only a few will export the POLICYVERS, but it would be nice to override in the of chance you need to. The biggest thing will be to worry about AOSP but make it easy to support oem's so they can configure it without having to edit the base code. Bill On Tue, Sep 18, 2012 at 11:52 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > Attached are patches for libselinux and sepolicy to drop the policy > version suffix. We still force generation of a version 24 policy by > default, although this can be overridden via make command-line or > environment setting (e.g. export POLICYVERS=26). Does this seem sane? > Note that seandroid-4.0.4 requires changes to system/core as well, so > this only fixes it for master and 4.1.1. > > > -- > Stephen Smalley > National Security Agency > -- Respectfully, William C Roberts [-- Attachment #2: Type: text/html, Size: 1288 bytes --] ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 18:52 ` Stephen Smalley 2012-09-18 18:59 ` William Roberts @ 2012-09-18 19:04 ` Joshua Brindle 2012-09-18 19:07 ` William Roberts 1 sibling, 1 reply; 22+ messages in thread From: Joshua Brindle @ 2012-09-18 19:04 UTC (permalink / raw) To: Stephen Smalley; +Cc: William Roberts, selinux, Joman Chu Stephen Smalley wrote: > Attached are patches for libselinux and sepolicy to drop the policy > version suffix. We still force generation of a version 24 policy by > default, although this can be overridden via make command-line or > environment setting (e.g. export POLICYVERS=26). Does this seem sane? > Note that seandroid-4.0.4 requires changes to system/core as well, so > this only fixes it for master and 4.1.1. > Looks fine to me. Any chance that POLICYVERS could be set in a device makefile? Since you'll know what kernel you are using to build a particular device it would be nice to set it there and not have to figure out/remember what version each device uses. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 19:04 ` Joshua Brindle @ 2012-09-18 19:07 ` William Roberts 2012-09-18 19:10 ` Joshua Brindle 0 siblings, 1 reply; 22+ messages in thread From: William Roberts @ 2012-09-18 19:07 UTC (permalink / raw) To: Joshua Brindle; +Cc: Stephen Smalley, selinux, Joman Chu [-- Attachment #1: Type: text/plain, Size: 906 bytes --] Isn't that what ?= will let you do since it defers expansion? Again, I am no make guru... On Tue, Sep 18, 2012 at 12:04 PM, Joshua Brindle <jbrindle@tresys.com>wrote: > Stephen Smalley wrote: > >> Attached are patches for libselinux and sepolicy to drop the policy >> version suffix. We still force generation of a version 24 policy by >> default, although this can be overridden via make command-line or >> environment setting (e.g. export POLICYVERS=26). Does this seem sane? >> Note that seandroid-4.0.4 requires changes to system/core as well, so >> this only fixes it for master and 4.1.1. >> >> > Looks fine to me. Any chance that POLICYVERS could be set in a device > makefile? Since you'll know what kernel you are using to build a particular > device it would be nice to set it there and not have to figure out/remember > what version each device uses. > -- Respectfully, William C Roberts [-- Attachment #2: Type: text/html, Size: 1361 bytes --] ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: seandroid and policy version 2012-09-18 19:07 ` William Roberts @ 2012-09-18 19:10 ` Joshua Brindle 0 siblings, 0 replies; 22+ messages in thread From: Joshua Brindle @ 2012-09-18 19:10 UTC (permalink / raw) To: William Roberts; +Cc: Stephen Smalley, selinux, Joman Chu Oh right, the precedence in this build system gets me sometimes... William Roberts wrote: > Isn't that what ?= will let you do since it defers expansion? Again, I > am no make guru... > > On Tue, Sep 18, 2012 at 12:04 PM, Joshua Brindle <jbrindle@tresys.com > <mailto:jbrindle@tresys.com>> wrote: > > Stephen Smalley wrote: > > Attached are patches for libselinux and sepolicy to drop the policy > version suffix. We still force generation of a version 24 policy by > default, although this can be overridden via make command-line or > environment setting (e.g. export POLICYVERS=26). Does this seem > sane? > Note that seandroid-4.0.4 requires changes to system/core as > well, so > this only fixes it for master and 4.1.1. > > > Looks fine to me. Any chance that POLICYVERS could be set in a > device makefile? Since you'll know what kernel you are using to > build a particular device it would be nice to set it there and not > have to figure out/remember what version each device uses. > > > > > -- > Respectfully, > > William C Roberts > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2012-09-18 19:10 UTC | newest] Thread overview: 22+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-07-11 0:07 seandroid and policy version Joshua Brindle 2012-07-11 12:50 ` Stephen Smalley 2012-07-11 19:45 ` Joshua Brindle 2012-07-11 19:49 ` Stephen Smalley 2012-09-18 17:33 ` Stephen Smalley 2012-09-18 17:40 ` Joshua Brindle 2012-09-18 17:43 ` Stephen Smalley 2012-09-18 17:56 ` Joshua Brindle 2012-09-18 18:21 ` Stephen Smalley 2012-09-18 17:46 ` William Roberts 2012-09-18 17:50 ` Stephen Smalley 2012-09-18 17:54 ` William Roberts 2012-09-18 17:57 ` William Roberts 2012-09-18 18:10 ` Stephen Smalley 2012-09-18 18:15 ` Stephen Smalley 2012-09-18 18:25 ` William Roberts 2012-09-18 18:26 ` William Roberts 2012-09-18 18:52 ` Stephen Smalley 2012-09-18 18:59 ` William Roberts 2012-09-18 19:04 ` Joshua Brindle 2012-09-18 19:07 ` William Roberts 2012-09-18 19:10 ` Joshua Brindle
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.