* [PATCH 1/3] selinux: convert avtab hash table to flex_array
@ 2015-03-24 20:54 Stephen Smalley
  2015-03-24 20:54 ` [PATCH 2/3] selinux: Use a better hash function for avtab Stephen Smalley
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Stephen Smalley @ 2015-03-24 20:54 UTC (permalink / raw)
  To: selinux; +Cc: Stephen Smalley

Previously we shrank the avtab max hash buckets to avoid
high order memory allocations, but this causes avtab lookups to
degenerate to very long linear searches for the Fedora policy. Convert to
using a flex_array instead so that we can increase the buckets
without such limitations.

This change does not alter the max hash buckets; that is left to a
separate follow-on change.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/ss/avtab.c | 31 +++++++++++++++++++------------
 security/selinux/ss/avtab.h |  4 +++-
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index a3dd9fa..3ea0198 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -46,8 +46,12 @@ avtab_insert_node(struct avtab *h, int hvalue,
 		newnode->next = prev->next;
 		prev->next = newnode;
 	} else {
-		newnode->next = h->htable[hvalue];
-		h->htable[hvalue] = newnode;
+		newnode->next = flex_array_get_ptr(h->htable, hvalue);
+		if (flex_array_put_ptr(h->htable, hvalue, newnode,
+				       GFP_KERNEL|__GFP_ZERO)) {
+			kmem_cache_free(avtab_node_cachep, newnode);
+			return NULL;
+		}
 	}
 
 	h->nel++;
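Review bot: The `__GFP_ZERO` on the `flex_array_put_ptr` call in the new else branch is load-bearing but undocumented: flex_array allocates its parts lazily on the first put into them, and as I read lib/flex_array.c a part allocated without `__GFP_ZERO` is filled with the FLEX_ARRAY_FREE poison byte rather than zeros, so a later `flex_array_get_ptr` on a neighbouring never-written bucket would hand the lookup loops a garbage pointer instead of NULL. Suggest a comment above the call: `/* __GFP_ZERO: a freshly allocated part must read back as NULL buckets, not FLEX_ARRAY_FREE poison */`. It is worth saying in the same place that the put can now fail with -ENOMEM mid-insert, which is why the node is freed and NULL returned. avtab_insert_node starts before this hunk.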
@@ -64,7 +68,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
 		return -EINVAL;
 
 	hvalue = avtab_hash(key, h->mask);
-	for (prev = NULL, cur = h->htable[hvalue];
+	for (prev = NULL, cur = flex_array_get_ptr(h->htable, hvalue);
 	     cur;
 	     prev = cur, cur = cur->next) {
 		if (key->source_type == cur->key.source_type &&
@@ -104,7 +108,7 @@ avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datu
 	if (!h || !h->htable)
 		return NULL;
 	hvalue = avtab_hash(key, h->mask);
-	for (prev = NULL, cur = h->htable[hvalue];
+	for (prev = NULL, cur = flex_array_get_ptr(h->htable, hvalue);
 	     cur;
 	     prev = cur, cur = cur->next) {
 		if (key->source_type == cur->key.source_type &&
@@ -135,7 +139,8 @@ struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key)
 		return NULL;
 
 	hvalue = avtab_hash(key, h->mask);
-	for (cur = h->htable[hvalue]; cur; cur = cur->next) {
+	for (cur = flex_array_get_ptr(h->htable, hvalue); cur;
+	     cur = cur->next) {
 		if (key->source_type == cur->key.source_type &&
 		    key->target_type == cur->key.target_type &&
 		    key->target_class == cur->key.target_class &&
@@ -170,7 +175,8 @@ avtab_search_node(struct avtab *h, struct avtab_key *key)
 		return NULL;
 
 	hvalue = avtab_hash(key, h->mask);
-	for (cur = h->htable[hvalue]; cur; cur = cur->next) {
+	for (cur = flex_array_get_ptr(h->htable, hvalue); cur;
+	     cur = cur->next) {
 		if (key->source_type == cur->key.source_type &&
 		    key->target_type == cur->key.target_type &&
 		    key->target_class == cur->key.target_class &&
@@ -228,15 +234,14 @@ void avtab_destroy(struct avtab *h)
 		return;
 
 	for (i = 0; i < h->nslot; i++) {
-		cur = h->htable[i];
+		cur = flex_array_get_ptr(h->htable, i);
 		while (cur) {
 			temp = cur;
 			cur = cur->next;
 			kmem_cache_free(avtab_node_cachep, temp);
 		}
-		h->htable[i] = NULL;
 	}
-	kfree(h->htable);
+	flex_array_free(h->htable);
 	h->htable = NULL;
 	h->nslot = 0;
 	h->mask = 0;
@@ -270,7 +275,8 @@ int avtab_alloc(struct avtab *h, u32 nrules)
 		nslot = MAX_AVTAB_HASH_BUCKETS;
 	mask = nslot - 1;
 
-	h->htable = kcalloc(nslot, sizeof(*(h->htable)), GFP_KERNEL);
+	h->htable = flex_array_alloc(sizeof(struct avtab_node *), nslot,
+				     GFP_KERNEL | __GFP_ZERO);
 	if (!h->htable)
 		return -ENOMEM;
 
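Review bot: Bucket storage is now allocated lazily: `flex_array_alloc` only sets up the base, and each part is allocated on the first `flex_array_put_ptr` into it, so a policy load can now hit -ENOMEM deep inside avtab_insert_node rather than here, and every insert into a fresh part carries a GFP_KERNEL allocation. If avtab_alloc is meant to stay the single point of failure, consider preallocating right after the NULL check: `if (flex_array_prealloc(h->htable, 0, nslot, GFP_KERNEL | __GFP_ZERO)) { flex_array_free(h->htable); h->htable = NULL; return -ENOMEM; }` — I have not confirmed that prealloc honours the zeroing flag on this tree, so verify that before relying on it. avtab_alloc starts before this hunk and its remaining fields are assigned after it.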
@@ -293,7 +299,7 @@ void avtab_hash_eval(struct avtab *h, char *tag)
 	max_chain_len = 0;
 	chain2_len_sum = 0;
 	for (i = 0; i < h->nslot; i++) {
-		cur = h->htable[i];
+		cur = flex_array_get_ptr(h->htable, i);
 		if (cur) {
 			slots_used++;
 			chain_len = 0;
@@ -534,7 +540,8 @@ int avtab_write(struct policydb *p, struct avtab *a, void *fp)
 		return rc;
 
 	for (i = 0; i < a->nslot; i++) {
-		for (cur = a->htable[i]; cur; cur = cur->next) {
+		for (cur = flex_array_get_ptr(a->htable, i); cur;
+		     cur = cur->next) {
 			rc = avtab_write_item(p, cur, fp);
 			if (rc)
 				return rc;
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index 63ce2f9..9318b2b 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -23,6 +23,8 @@
 #ifndef _SS_AVTAB_H_
 #define _SS_AVTAB_H_
 
+#include <linux/flex_array.h>
+
 struct avtab_key {
 	u16 source_type;	/* source type */
 	u16 target_type;	/* target type */
@@ -51,7 +53,7 @@ struct avtab_node {
 };
 
 struct avtab {
-	struct avtab_node **htable;
+	struct flex_array *htable;
 	u32 nel;	/* number of elements */
 	u32 nslot;      /* number of hash slots */
 	u16 mask;       /* mask to compute hash func */
-- 
1.9.3


* [PATCH 2/3] selinux: Use a better hash function for avtab
  2015-03-24 20:54 [PATCH 1/3] selinux: convert avtab hash table to flex_array Stephen Smalley
@ 2015-03-24 20:54 ` Stephen Smalley
  2015-03-24 20:54 ` [PATCH 3/3] selinux: increase avtab max buckets Stephen Smalley
  2015-03-30  9:38 ` [PATCH 1/3] selinux: convert avtab hash table to flex_array Paul Moore
  2 siblings, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2015-03-24 20:54 UTC (permalink / raw)
  To: selinux; +Cc: Stephen Smalley

From: John Brooks <john.brooks@jolla.com>

This function, based on murmurhash3, has much better distribution than
the original. Using the current default of 2048 buckets, there are many
fewer collisions:

Before:
101421 entries and 2048/2048 buckets used, longest chain length 374
After:
101421 entries and 2048/2048 buckets used, longest chain length 81

The difference becomes much more significant when buckets are increased.
A naive attempt to expand the current function to larger outputs doesn't
yield any significant improvement; so this function is a prerequisite
for increasing the bucket size.

sds:  Adapted from the original patches for libsepol to the kernel.

Signed-off-by: John Brooks <john.brooks@jolla.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/ss/avtab.c | 41 +++++++++++++++++++++++++++++++++++++----
 security/selinux/ss/avtab.h |  2 +-
 2 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 3ea0198..b64f277 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -25,10 +25,43 @@
 
 static struct kmem_cache *avtab_node_cachep;
 
-static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
+/* Based on MurmurHash3, written by Austin Appleby and placed in the
+ * public domain.
+ */
+static inline int avtab_hash(struct avtab_key *keyp, u32 mask)
 {
-	return ((keyp->target_class + (keyp->target_type << 2) +
-		 (keyp->source_type << 9)) & mask);
+	static const u32 c1 = 0xcc9e2d51;
+	static const u32 c2 = 0x1b873593;
+	static const u32 r1 = 15;
+	static const u32 r2 = 13;
+	static const u32 m  = 5;
+	static const u32 n  = 0xe6546b64;
+
+	u32 hash = 0;
+
+#define mix(input) { \
+	u32 v = input; \
+	v *= c1; \
+	v = (v << r1) | (v >> (32 - r1)); \
+	v *= c2; \
+	hash ^= v; \
+	hash = (hash << r2) | (hash >> (32 - r2)); \
+	hash = hash * m + n; \
+}
+
+	mix(keyp->target_class);
+	mix(keyp->target_type);
+	mix(keyp->source_type);
+
+#undef mix
+
+	hash ^= hash >> 16;
+	hash *= 0x85ebca6b;
+	hash ^= hash >> 13;
+	hash *= 0xc2b2ae35;
+	hash ^= hash >> 16;
+
+	return hash & mask;
 }
 
 static struct avtab_node*
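Review bot: `mix` is a brace-block macro invoked as `mix(x);`, so every use ends in an empty statement; the kernel idiom is `do { ... } while (0)`, or better a `static inline` helper, which also lets the two hand-rolled rotates become `rol32()` from <linux/bitops.h> (add the include if avtab.c does not already pull it in). The function still returns `int` while `hash`, `mask` and the bucket index are unsigned; returning `u32` removes the narrowing. A one-line comment that this is a distribution hash rather than a keyed one would also help: policy is loaded by a privileged caller, so chain length is a performance concern, not a hash-flooding one, and a future reader should not reach for siphash here. avtab_hash lies entirely within this hunk.
```c
/* One MurmurHash3 32-bit block step; rol32() comes from <linux/bitops.h>. */
static inline u32 avtab_mix(u32 hash, u32 input)
{
	u32 v = input * 0xcc9e2d51;

	v = rol32(v, 15);
	v *= 0x1b873593;
	hash ^= v;
	hash = rol32(hash, 13);
	return hash * 5 + 0xe6546b64;
}

/*
 * Based on MurmurHash3, written by Austin Appleby and placed in the
 * public domain.  Distribution hash only: it is not keyed and is not
 * meant to resist adversarial collisions; policy comes from a
 * privileged loader.
 */
static inline u32 avtab_hash(struct avtab_key *keyp, u32 mask)
{
	u32 hash = 0;

	hash = avtab_mix(hash, keyp->target_class);
	hash = avtab_mix(hash, keyp->target_type);
	hash = avtab_mix(hash, keyp->source_type);

	/* … unchanged: fmix32 finalizer (xorshift / multiply steps) … */
	return hash & mask;
}
```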
@@ -256,7 +289,7 @@ int avtab_init(struct avtab *h)
 
 int avtab_alloc(struct avtab *h, u32 nrules)
 {
-	u16 mask = 0;
+	u32 mask = 0;
 	u32 shift = 0;
 	u32 work = nrules;
 	u32 nslot = 0;
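Review bot: `mask` is widened to u32 here and in struct avtab, but the value it produces is still carried as `int`: avtab_hash returns `int` and avtab_insert_node takes `int hvalue` (visible in the first patch's hunk header). With MAX_AVTAB_HASH_BITS far below 31 the conversions are harmless, but the types should agree so a future bump cannot silently produce a negative index — `u32 hvalue` in avtab_insert_node and a `u32` return from avtab_hash. avtab_alloc continues outside this hunk.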
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index 9318b2b..6d794a2 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -56,7 +56,7 @@ struct avtab {
 	struct flex_array *htable;
 	u32 nel;	/* number of elements */
 	u32 nslot;      /* number of hash slots */
-	u16 mask;       /* mask to compute hash func */
+	u32 mask;       /* mask to compute hash func */
 
 };
 
-- 
1.9.3


* [PATCH 3/3] selinux: increase avtab max buckets
  2015-03-24 20:54 [PATCH 1/3] selinux: convert avtab hash table to flex_array Stephen Smalley
  2015-03-24 20:54 ` [PATCH 2/3] selinux: Use a better hash function for avtab Stephen Smalley
@ 2015-03-24 20:54 ` Stephen Smalley
  2015-03-30  9:38 ` [PATCH 1/3] selinux: convert avtab hash table to flex_array Paul Moore
  2 siblings, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2015-03-24 20:54 UTC (permalink / raw)
  To: selinux; +Cc: Stephen Smalley

Now that we can safely increase the avtab max buckets without
triggering high order allocations and have a hash function that
will make better use of the larger number of buckets, increase
the max buckets to 2^16.

Original:
101421 entries and 2048/2048 buckets used, longest chain length 374

With new hash function:
101421 entries and 2048/2048 buckets used, longest chain length 81

With increased max buckets:
101421 entries and 31078/32768 buckets used, longest chain length 12

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/ss/avtab.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index 6d794a2..adb451c 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -86,7 +86,7 @@ struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified
 void avtab_cache_init(void);
 void avtab_cache_destroy(void);
 
-#define MAX_AVTAB_HASH_BITS 11
+#define MAX_AVTAB_HASH_BITS 16
 #define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
 
 #endif	/* _SS_AVTAB_H_ */
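Review bot: The new bound deserves a comment saying what now makes 2^16 safe, since the old value was chosen to avoid high-order allocations: `/* 2^16 pointer slots: stored in a flex_array of page-sized parts, so no high-order allocation; mask is u32 */`. As I read lib/flex_array.h the capacity for pointer elements on 4K pages is on the order of 2.6e5, so 65536 fits, but that margin depends on PAGE_SIZE and sizeof(void *); flex_array_alloc rejects an oversized total at runtime, so a short note that the limit is checked there would spare the next person from re-deriving it. nslot is still sized from nrules in avtab_alloc, so small policies do not pay for the larger cap.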
-- 
1.9.3


* Re: [PATCH 1/3] selinux: convert avtab hash table to flex_array
  2015-03-24 20:54 [PATCH 1/3] selinux: convert avtab hash table to flex_array Stephen Smalley
  2015-03-24 20:54 ` [PATCH 2/3] selinux: Use a better hash function for avtab Stephen Smalley
  2015-03-24 20:54 ` [PATCH 3/3] selinux: increase avtab max buckets Stephen Smalley
@ 2015-03-30  9:38 ` Paul Moore
  2015-03-30 12:37   ` Policy Constraints Dominick Grift
  2 siblings, 1 reply; 7+ messages in thread
From: Paul Moore @ 2015-03-30  9:38 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

A nice set of patches, thank you.

All three have been merged and are currently sitting in selinux#next.

On Tue, Mar 24, 2015 at 4:54 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Previously we shrank the avtab max hash buckets to avoid
> high order memory allocations, but this causes avtab lookups to
> degenerate to very long linear searches for the Fedora policy. Convert to
> using a flex_array instead so that we can increase the buckets
> without such limitations.
>
> This change does not alter the max hash buckets; that is left to a
> separate follow-on change.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  security/selinux/ss/avtab.c | 31 +++++++++++++++++++------------
>  security/selinux/ss/avtab.h |  4 +++-
>  2 files changed, 22 insertions(+), 13 deletions(-)
>
> diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
> index a3dd9fa..3ea0198 100644
> --- a/security/selinux/ss/avtab.c
> +++ b/security/selinux/ss/avtab.c
> @@ -46,8 +46,12 @@ avtab_insert_node(struct avtab *h, int hvalue,
>                 newnode->next = prev->next;
>                 prev->next = newnode;
>         } else {
> -               newnode->next = h->htable[hvalue];
> -               h->htable[hvalue] = newnode;
> +               newnode->next = flex_array_get_ptr(h->htable, hvalue);
> +               if (flex_array_put_ptr(h->htable, hvalue, newnode,
> +                                      GFP_KERNEL|__GFP_ZERO)) {
> +                       kmem_cache_free(avtab_node_cachep, newnode);
> +                       return NULL;
> +               }
>         }
>
>         h->nel++;
> @@ -64,7 +68,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
>                 return -EINVAL;
>
>         hvalue = avtab_hash(key, h->mask);
> -       for (prev = NULL, cur = h->htable[hvalue];
> +       for (prev = NULL, cur = flex_array_get_ptr(h->htable, hvalue);
>              cur;
>              prev = cur, cur = cur->next) {
>                 if (key->source_type == cur->key.source_type &&
> @@ -104,7 +108,7 @@ avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datu
>         if (!h || !h->htable)
>                 return NULL;
>         hvalue = avtab_hash(key, h->mask);
> -       for (prev = NULL, cur = h->htable[hvalue];
> +       for (prev = NULL, cur = flex_array_get_ptr(h->htable, hvalue);
>              cur;
>              prev = cur, cur = cur->next) {
>                 if (key->source_type == cur->key.source_type &&
> @@ -135,7 +139,8 @@ struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key)
>                 return NULL;
>
>         hvalue = avtab_hash(key, h->mask);
> -       for (cur = h->htable[hvalue]; cur; cur = cur->next) {
> +       for (cur = flex_array_get_ptr(h->htable, hvalue); cur;
> +            cur = cur->next) {
>                 if (key->source_type == cur->key.source_type &&
>                     key->target_type == cur->key.target_type &&
>                     key->target_class == cur->key.target_class &&
> @@ -170,7 +175,8 @@ avtab_search_node(struct avtab *h, struct avtab_key *key)
>                 return NULL;
>
>         hvalue = avtab_hash(key, h->mask);
> -       for (cur = h->htable[hvalue]; cur; cur = cur->next) {
> +       for (cur = flex_array_get_ptr(h->htable, hvalue); cur;
> +            cur = cur->next) {
>                 if (key->source_type == cur->key.source_type &&
>                     key->target_type == cur->key.target_type &&
>                     key->target_class == cur->key.target_class &&
> @@ -228,15 +234,14 @@ void avtab_destroy(struct avtab *h)
>                 return;
>
>         for (i = 0; i < h->nslot; i++) {
> -               cur = h->htable[i];
> +               cur = flex_array_get_ptr(h->htable, i);
>                 while (cur) {
>                         temp = cur;
>                         cur = cur->next;
>                         kmem_cache_free(avtab_node_cachep, temp);
>                 }
> -               h->htable[i] = NULL;
>         }
> -       kfree(h->htable);
> +       flex_array_free(h->htable);
>         h->htable = NULL;
>         h->nslot = 0;
>         h->mask = 0;
> @@ -270,7 +275,8 @@ int avtab_alloc(struct avtab *h, u32 nrules)
>                 nslot = MAX_AVTAB_HASH_BUCKETS;
>         mask = nslot - 1;
>
> -       h->htable = kcalloc(nslot, sizeof(*(h->htable)), GFP_KERNEL);
> +       h->htable = flex_array_alloc(sizeof(struct avtab_node *), nslot,
> +                                    GFP_KERNEL | __GFP_ZERO);
>         if (!h->htable)
>                 return -ENOMEM;
>
> @@ -293,7 +299,7 @@ void avtab_hash_eval(struct avtab *h, char *tag)
>         max_chain_len = 0;
>         chain2_len_sum = 0;
>         for (i = 0; i < h->nslot; i++) {
> -               cur = h->htable[i];
> +               cur = flex_array_get_ptr(h->htable, i);
>                 if (cur) {
>                         slots_used++;
>                         chain_len = 0;
> @@ -534,7 +540,8 @@ int avtab_write(struct policydb *p, struct avtab *a, void *fp)
>                 return rc;
>
>         for (i = 0; i < a->nslot; i++) {
> -               for (cur = a->htable[i]; cur; cur = cur->next) {
> +               for (cur = flex_array_get_ptr(a->htable, i); cur;
> +                    cur = cur->next) {
>                         rc = avtab_write_item(p, cur, fp);
>                         if (rc)
>                                 return rc;
> diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
> index 63ce2f9..9318b2b 100644
> --- a/security/selinux/ss/avtab.h
> +++ b/security/selinux/ss/avtab.h
> @@ -23,6 +23,8 @@
>  #ifndef _SS_AVTAB_H_
>  #define _SS_AVTAB_H_
>
> +#include <linux/flex_array.h>
> +
>  struct avtab_key {
>         u16 source_type;        /* source type */
>         u16 target_type;        /* target type */
> @@ -51,7 +53,7 @@ struct avtab_node {
>  };
>
>  struct avtab {
> -       struct avtab_node **htable;
> +       struct flex_array *htable;
>         u32 nel;        /* number of elements */
>         u32 nslot;      /* number of hash slots */
>         u16 mask;       /* mask to compute hash func */
> --
> 1.9.3
>



-- 
paul moore
www.paul-moore.com


* Policy Constraints
  2015-03-30  9:38 ` [PATCH 1/3] selinux: convert avtab hash table to flex_array Paul Moore
@ 2015-03-30 12:37   ` Dominick Grift
  2015-03-30 13:17     ` Stephen Smalley
  2015-03-30 14:05     ` Steve Lawrence
  0 siblings, 2 replies; 7+ messages in thread
From: Dominick Grift @ 2015-03-30 12:37 UTC (permalink / raw)
  To: selinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I vaguely recall me touching on the following before. I forgot what, if any, outcome there was. Consider the following:

I have a constraint like this:

        (constrain (process (sigchld sigkill sigstop signull signal ptrace
            getsched setsched getsession getpgid setpgid getcap setcap
            share getattr setrlimit))
            (or (or (or (or (or (eq u1 u2)
                (eq u1 system_u))
                (eq u1 staff_u))
                (eq u1 sysadm_u))
                (eq u2 system_u))
                (neq t1 ubac_constrained_subject_type)))

The sysadm_u and staff_u identities are supposed to be optional and so I change the above to this:

        (constrain (process (sigchld sigkill sigstop signull signal ptrace
            getsched setsched getsession getpgid setpgid getcap setcap
            share getattr setrlimit))
            (or (or (or (eq u1 u2)
                (eq u1 system_u))
                (eq u2 system_u))
                (neq t1 ubac_constrained_subject_type)))

        (optional staff
            (constrain (process (sigchld sigkill sigstop signull signal ptrace
                getsched setsched getsession getpgid setpgid getcap setcap
                share getattr setrlimit))
                    (eq u1 staff_u)))

        (optional sysadm
            (constrain (process (sigchld sigkill sigstop signull signal ptrace
                getsched setsched getsession getpgid setpgid getcap setcap
                share getattr setrlimit))
                    (eq u1 sysadm_u)))

The above builds and seinfo shows the three blocks, but for some reason it is not honored: the first example works but the latter does not.

Is this a known issue , or known limitation? Should this work?

We have roleattributes, typeattributes but not identityattributes. Identityattributes would help with this requirement.

- -- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
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=Dfox
-----END PGP SIGNATURE-----


* Re: Policy Constraints
  2015-03-30 12:37   ` Policy Constraints Dominick Grift
@ 2015-03-30 13:17     ` Stephen Smalley
  2015-03-30 14:05     ` Steve Lawrence
  1 sibling, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2015-03-30 13:17 UTC (permalink / raw)
  To: selinux

On 03/30/2015 08:37 AM, Dominick Grift wrote:
> I vaguely recall me touching on the following before. I forgot what, if any, outcome there was. Consider the following:
> 
> I have a constraint like this:
> 
>         (constrain (process (sigchld sigkill sigstop signull signal ptrace
>             getsched setsched getsession getpgid setpgid getcap setcap
>             share getattr setrlimit))
>             (or (or (or (or (or (eq u1 u2)
>                 (eq u1 system_u))
>                 (eq u1 staff_u))
>                 (eq u1 sysadm_u))
>                 (eq u2 system_u))
>                 (neq t1 ubac_constrained_subject_type)))
> 
> The sysadm_u and staff_u identities are supposed to be optional and so I change the above to this:
> 
>         (constrain (process (sigchld sigkill sigstop signull signal ptrace
>             getsched setsched getsession getpgid setpgid getcap setcap
>             share getattr setrlimit))
>             (or (or (or (eq u1 u2)
>                 (eq u1 system_u))
>                 (eq u2 system_u))
>                 (neq t1 ubac_constrained_subject_type)))
> 
>         (optional staff
>             (constrain (process (sigchld sigkill sigstop signull signal ptrace
>                 getsched setsched getsession getpgid setpgid getcap setcap
>                 share getattr setrlimit))
>                     (eq u1 staff_u)))
> 
>         (optional sysadm
>             (constrain (process (sigchld sigkill sigstop signull signal ptrace
>                 getsched setsched getsession getpgid setpgid getcap setcap
>                 share getattr setrlimit))
>                     (eq u1 sysadm_u)))
> 
> The above builds and seinfo shows the three blocks, but for some reason it is not honored. Eg. The First example works but the latter does not.
> 
> Is this a known issue , or known limitation? Should this work?
> 
> We have roleattributes, typeattributes but not identityattributes. Identityattributes would help with this requirement.

I can't speak to the CIL aspects of this, but as far as kernel policy is
concerned, if you write multiple constraints on a single
class/permission, then each constraint must evaluate to true in order
for the permission to be allowed, i.e. they are ANDed, not ORed.


* Re: Policy Constraints
  2015-03-30 12:37   ` Policy Constraints Dominick Grift
  2015-03-30 13:17     ` Stephen Smalley
@ 2015-03-30 14:05     ` Steve Lawrence
  1 sibling, 0 replies; 7+ messages in thread
From: Steve Lawrence @ 2015-03-30 14:05 UTC (permalink / raw)
  To: selinux

On 03/30/2015 08:37 AM, Dominick Grift wrote:
> I vaguely recall me touching on the following before. I forgot what, if any, outcome there was. Consider the following:
> 
> I have a constraint like this:
> 
>         (constrain (process (sigchld sigkill sigstop signull signal ptrace
>             getsched setsched getsession getpgid setpgid getcap setcap
>             share getattr setrlimit))
>             (or (or (or (or (or (eq u1 u2)
>                 (eq u1 system_u))
>                 (eq u1 staff_u))
>                 (eq u1 sysadm_u))
>                 (eq u2 system_u))
>                 (neq t1 ubac_constrained_subject_type)))
> 
> The sysadm_u and staff_u identities are supposed to be optional and so I change the above to this:
> 
>         (constrain (process (sigchld sigkill sigstop signull signal ptrace
>             getsched setsched getsession getpgid setpgid getcap setcap
>             share getattr setrlimit))
>             (or (or (or (eq u1 u2)
>                 (eq u1 system_u))
>                 (eq u2 system_u))
>                 (neq t1 ubac_constrained_subject_type)))
> 
>         (optional staff
>             (constrain (process (sigchld sigkill sigstop signull signal ptrace
>                 getsched setsched getsession getpgid setpgid getcap setcap
>                 share getattr setrlimit))
>                     (eq u1 staff_u)))
> 
>         (optional sysadm
>             (constrain (process (sigchld sigkill sigstop signull signal ptrace
>                 getsched setsched getsession getpgid setpgid getcap setcap
>                 share getattr setrlimit))
>                     (eq u1 sysadm_u)))
> 
> The above builds and seinfo shows the three blocks, but for some reason it is not honored. Eg. The First example works but the latter does not.
> 
> Is this a known issue , or known limitation? Should this work?
> 
> We have roleattributes, typeattributes but not identityattributes. Identityattributes would help with this requirement.
> 

I agree, we would need an identityattribute (or userattribute for
consistency) rule in CIL to support this. It probably wouldn't be too
difficult to add since it would be very similar to how roleattributes work.

