* Security server responses always based on class?
@ 2014-04-11 6:45 dE
From: dE @ 2014-04-11 6:45 UTC (permalink / raw)
To: selinux
Does the object manager always query the security server based on
classes? And does the security server always respond with an access vector?
OR
Can the object manager query the security server on specific permissions
(which make up a class) without querying for a response for the whole
security class?
* Re: Security server responses always based on class?
From: Stephen Smalley @ 2014-04-11 12:17 UTC (permalink / raw)
To: dE, selinux
On 04/11/2014 02:45 AM, dE wrote:
> Does the object manager always query the security server based on
> classes? And does the security server always respond with an access vector?
>
> OR
>
> Can the object manager query the security server on specific permissions
> (which make up a class) without querying for a response for the whole
> security class?
The security server interface is security_compute_av(), which always
computes the entire access vector for the class.
Object managers however will typically call the Access Vector Cache
(AVC) interface avc_has_perm(), which checks particular permissions.
Internally, the AVC calls security_compute_av() if the access vector is
not already cached for the (source context, target context, target
class) triple and caches the result.
More recent work on userspace object managers has introduced a higher
level API, selinux_check_access(), which internally handles the mapping
of contexts to SIDs and the mapping of class and permission strings to
values and calls avc_has_perm().
All of these APIs are provided by libselinux and have corresponding man
pages.
* Re: Security server responses always based on class?
From: Stephen Smalley @ 2014-04-11 12:23 UTC (permalink / raw)
To: dE, selinux
On 04/11/2014 08:17 AM, Stephen Smalley wrote:
> On 04/11/2014 02:45 AM, dE wrote:
>> Does the object manager always query the security server based on
>> classes? And does the security server always respond with an access vector?
>>
>> OR
>>
>> Can the object manager query the security server on specific permissions
>> (which make up a class) without querying for a response for the whole
>> security class?
>
> The security server interface is security_compute_av(), which always
> computes the entire access vector for the class.
>
> Object managers however will typically call the Access Vector Cache
> (AVC) interface avc_has_perm(), which checks particular permissions.
> Internally, the AVC calls security_compute_av() if the access vector is
> not already cached for the (source context, target context, target
> class) triple and caches the result.
>
> More recent work on userspace object managers has introduced a higher
> level API, selinux_check_access(), which internally handles the mapping
> of contexts to SIDs and the mapping of class and permission strings to
> values and calls avc_has_perm().
>
> All of these APIs are provided by libselinux and have corresponding man
> pages.
I forgot to mention: the security_compute_av() API takes a requested
permission argument to indicate the permissions being checked by the
caller, and the returned av_decision structure includes a decided access
vector to indicate which permissions were actually computed in the
allowed/auditallow/auditdeny vectors. That allowed the security server
to optionally only compute the subset of permissions directly requested
by the caller and force the object manager to call again if any other
permissions are later requested. However, this was optimized away from
the kernel a while back as it was unused by our security server so the
kernel always returns a decided vector with all-bits-set now.
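An added illustration of the split described in the two replies above (not libselinux's code; the class, SIDs, permission bits and policy rule are constructed): a toy security server whose security_compute_av() always evaluates the whole vector for the (source, target, class) triple, fronted by an AVC whose avc_has_perm() answers per-permission checks from cache and goes back to the server only on a miss or when a requested bit lies outside the decided vector.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

typedef uint32_t av_t;

/* Constructed permission bits for a single hypothetical object class (class id 1). */
#define PERM_READ   0x1u
#define PERM_WRITE  0x2u
#define PERM_EXEC   0x4u

struct av_decision { av_t allowed; av_t auditallow; av_t auditdeny; av_t decided; };
struct policy_rule { uint32_t ssid, tsid; uint16_t tclass; av_t allowed; };

/* Constructed toy policy: SID 1 may read and exec class-1 objects labelled SID 2. */
static const struct policy_rule rules[] = { {1, 2, 1, PERM_READ | PERM_EXEC} };

static int compute_calls; /* number of trips to the "security server" */

/* Toy security_compute_av(): computes the entire vector for the class regardless of
 * 'requested'; like the current kernel, it reports every bit as decided. */
static void security_compute_av(uint32_t ssid, uint32_t tsid, uint16_t tclass,
                                av_t requested, struct av_decision *avd) {
    (void)requested;
    compute_calls++;
    memset(avd, 0, sizeof *avd);
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].ssid == ssid && rules[i].tsid == tsid && rules[i].tclass == tclass)
            avd->allowed |= rules[i].allowed;
    avd->auditdeny = ~avd->allowed;  /* default: audit every denial */
    avd->decided = ~0u;              /* all bits decided, so no forced re-query */
}

/* Single-entry AVC keyed on the (ssid, tsid, tclass) triple. */
static struct { bool valid; uint32_t ssid, tsid; uint16_t tclass;
                struct av_decision avd; } avc;

/* Toy avc_has_perm(): a per-permission bitmask test against the cached vector.
 * Returns 0 when all requested bits are allowed, -1 otherwise. */
static int avc_has_perm(uint32_t ssid, uint32_t tsid, uint16_t tclass, av_t requested) {
    bool hit = avc.valid && avc.ssid == ssid && avc.tsid == tsid &&
               avc.tclass == tclass && (requested & ~avc.avd.decided) == 0;
    if (!hit) {  /* miss, or a requested bit the server never decided: recompute */
        security_compute_av(ssid, tsid, tclass, requested, &avc.avd);
        avc.ssid = ssid; avc.tsid = tsid; avc.tclass = tclass; avc.valid = true;
    }
    return (requested & ~avc.avd.allowed) == 0 ? 0 : -1;
}
```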
* Re: Security server responses always based on class?
From: dE @ 2014-04-12 4:23 UTC (permalink / raw)
To: selinux
On 04/11/14 17:53, Stephen Smalley wrote:
> On 04/11/2014 08:17 AM, Stephen Smalley wrote:
>> On 04/11/2014 02:45 AM, dE wrote:
>>> Does the object manager always query the security server based on
>>> classes? And does the security server always respond with an access vector?
>>>
>>> OR
>>>
>>> Can the object manager query the security server on specific permissions
>>> (which make up a class) without querying for a response for the whole
>>> security class?
>> The security server interface is security_compute_av(), which always
>> computes the entire access vector for the class.
>>
>> Object managers however will typically call the Access Vector Cache
>> (AVC) interface avc_has_perm(), which checks particular permissions.
>> Internally, the AVC calls security_compute_av() if the access vector is
>> not already cached for the (source context, target context, target
>> class) triple and caches the result.
>>
>> More recent work on userspace object managers has introduced a higher
>> level API, selinux_check_access(), which internally handles the mapping
>> of contexts to SIDs and the mapping of class and permission strings to
>> values and calls avc_has_perm().
>>
>> All of these APIs are provided by libselinux and have corresponding man
>> pages.
> I forgot to mention: the security_compute_av() API takes a requested
> permission argument to indicate the permissions being checked by the
> caller, and the returned av_decision structure includes a decided access
> vector to indicate which permissions were actually computed in the
> allowed/auditallow/auditdeny vectors. That allowed the security server
> to optionally only compute the subset of permissions directly requested
> by the caller and force the object manager to call again if any other
> permissions are later requested. However, this was optimized away from
> the kernel a while back as it was unused by our security server so the
> kernel always returns a decided vector with all-bits-set now.
Ok, so it has the ability to decide on certain permissions.
Thanks for explaining that!