| Message ID | 20230612093107.1066410-2-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to | Petr Lautrbach |
| Series | Introduce an initial SID for early boot processes |
On Mon, Jun 12, 2023 at 5:50 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > Many of the initial SIDs are no longer used by the kernel, so > translating them to the legacy names doesn't bring much value. Clear the > legacy names from the table and let the code translate them to the > fallback "unknown" names instead. > > Note that this only affects the generated text output when converting > policies from binary to text form. The text policy languages let the > policy define its own names for the initial SIDs based on the order in > which they are declared, so the table is never used to convert from name > to SID. Thus this is just a cosmetic change and has no functional > impact. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> For these two patches: Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/kernel_to_cil.c | 4 ++-- > libsepol/src/kernel_to_common.h | 36 ++++++++++++++++----------------- > libsepol/src/kernel_to_conf.c | 4 ++-- > libsepol/src/module_to_cil.c | 2 +- > 4 files changed, 23 insertions(+), 23 deletions(-) > > diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c > index e9cd89c2..bd04c087 100644 > --- a/libsepol/src/kernel_to_cil.c > +++ b/libsepol/src/kernel_to_cil.c > @@ -567,7 +567,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, > > for (isid = isids; isid != NULL; isid = isid->next) { > i = isid->sid[0]; > - if (i < num_sids) { > + if (i < num_sids && sid_to_str[i]) { > sid = (char *)sid_to_str[i]; > } else { > snprintf(unknown, 18, "%s%u", "UNKNOWN", i); > @@ -2577,7 +2577,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const > > for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { > i = isid->sid[0]; > - if (i < num_sids) { > + if (i < num_sids && sid_to_str[i]) { > sid = (char *)sid_to_str[i]; > } else { > snprintf(unknown, 18, "%s%u", "UNKNOWN", i); 
> diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h > index 159c4289..6073ff3a 100644 > --- a/libsepol/src/kernel_to_common.h > +++ b/libsepol/src/kernel_to_common.h > @@ -13,33 +13,33 @@ > // initial sid names aren't actually stored in the pp files, need to a have > // a mapping, taken from the linux kernel > static const char * const selinux_sid_to_str[] = { > - "null", > + NULL, > "kernel", > "security", > "unlabeled", > - "fs", > + NULL, > "file", > - "file_labels", > - "init", > + NULL, > + NULL, > "any_socket", > "port", > "netif", > "netmsg", > "node", > - "igmp_packet", > - "icmp_socket", > - "tcp_socket", > - "sysctl_modprobe", > - "sysctl", > - "sysctl_fs", > - "sysctl_kernel", > - "sysctl_net", > - "sysctl_net_unix", > - "sysctl_vm", > - "sysctl_dev", > - "kmod", > - "policy", > - "scmp_packet", > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > + NULL, > "devnull", > }; > > diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c > index c48a7114..3be87184 100644 > --- a/libsepol/src/kernel_to_conf.c > +++ b/libsepol/src/kernel_to_conf.c > @@ -464,7 +464,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, > > for (isid = isids; isid != NULL; isid = isid->next) { > i = isid->sid[0]; > - if (i < num_sids) { > + if (i < num_sids && sid_to_str[i]) { > sid = (char *)sid_to_str[i]; > } else { > snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i); > @@ -2445,7 +2445,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons > > for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { > i = isid->sid[0]; > - if (i < num_sids) { > + if (i < num_sids && sid_to_str[i]) { > sid = (char *)sid_to_str[i]; > } else { > snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i); 
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c > index e7bc6ee6..a46775ca 100644 > --- a/libsepol/src/module_to_cil.c > +++ b/libsepol/src/module_to_cil.c > @@ -2549,7 +2549,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_ > > for (isid = isids; isid != NULL; isid = isid->next) { > i = isid->sid[0]; > - if (i < num_sids) { > + if (i < num_sids && sid_to_string[i]) { > sid = (char*)sid_to_string[i]; > } else { > snprintf(unknown, 18, "%s%u", "UNKNOWN", i); > -- > 2.40.1 >
James Carter <jwcart2@gmail.com> writes: > On Mon, Jun 12, 2023 at 5:50 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: >> >> Many of the initial SIDs are no longer used by the kernel, so >> translating them to the legacy names doesn't bring much value. Clear the >> legacy names from the table and let the code translate them to the >> fallback "unknown" names instead. >> >> Note that this only affects the generated text output when converting >> policies from binary to text form. The text policy languages let the >> policy define its own names for the initial SIDs based on the order in >> which they are declared, so the table is never used to convert from name >> to SID. Thus this is just a cosmetic change and has no functional >> impact. >> >> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > For these two patches: > Acked-by: James Carter <jwcart2@gmail.com> Both merged. Thanks! >> --- >> libsepol/src/kernel_to_cil.c | 4 ++-- >> libsepol/src/kernel_to_common.h | 36 ++++++++++++++++----------------- >> libsepol/src/kernel_to_conf.c | 4 ++-- >> libsepol/src/module_to_cil.c | 2 +- >> 4 files changed, 23 insertions(+), 23 deletions(-) >> >> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c >> index e9cd89c2..bd04c087 100644 >> --- a/libsepol/src/kernel_to_cil.c >> +++ b/libsepol/src/kernel_to_cil.c >> @@ -567,7 +567,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, >> >> for (isid = isids; isid != NULL; isid = isid->next) { >> i = isid->sid[0]; >> - if (i < num_sids) { >> + if (i < num_sids && sid_to_str[i]) { >> sid = (char *)sid_to_str[i]; >> } else { >> snprintf(unknown, 18, "%s%u", "UNKNOWN", i); 
>> @@ -2577,7 +2577,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const >> >> for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { >> i = isid->sid[0]; >> - if (i < num_sids) { >> + if (i < num_sids && sid_to_str[i]) { >> sid = (char *)sid_to_str[i]; >> } else { >> snprintf(unknown, 18, "%s%u", "UNKNOWN", i); >> diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h >> index 159c4289..6073ff3a 100644 >> --- a/libsepol/src/kernel_to_common.h >> +++ b/libsepol/src/kernel_to_common.h >> @@ -13,33 +13,33 @@ >> // initial sid names aren't actually stored in the pp files, need to a have >> // a mapping, taken from the linux kernel >> static const char * const selinux_sid_to_str[] = { >> - "null", >> + NULL, >> "kernel", >> "security", >> "unlabeled", >> - "fs", >> + NULL, >> "file", >> - "file_labels", >> - "init", >> + NULL, >> + NULL, >> "any_socket", >> "port", >> "netif", >> "netmsg", >> "node", >> - "igmp_packet", >> - "icmp_socket", >> - "tcp_socket", >> - "sysctl_modprobe", >> - "sysctl", >> - "sysctl_fs", >> - "sysctl_kernel", >> - "sysctl_net", >> - "sysctl_net_unix", >> - "sysctl_vm", >> - "sysctl_dev", >> - "kmod", >> - "policy", >> - "scmp_packet", >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> + NULL, >> "devnull", >> }; >> >> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c >> index c48a7114..3be87184 100644 >> --- a/libsepol/src/kernel_to_conf.c >> +++ b/libsepol/src/kernel_to_conf.c >> @@ -464,7 +464,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, >> >> for (isid = isids; isid != NULL; isid = isid->next) { >> i = isid->sid[0]; >> - if (i < num_sids) { >> + if (i < num_sids && sid_to_str[i]) { >> sid = (char *)sid_to_str[i]; >> } else { >> snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i); 
>> @@ -2445,7 +2445,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons >> >> for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { >> i = isid->sid[0]; >> - if (i < num_sids) { >> + if (i < num_sids && sid_to_str[i]) { >> sid = (char *)sid_to_str[i]; >> } else { >> snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i); >> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c >> index e7bc6ee6..a46775ca 100644 >> --- a/libsepol/src/module_to_cil.c >> +++ b/libsepol/src/module_to_cil.c >> @@ -2549,7 +2549,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_ >> >> for (isid = isids; isid != NULL; isid = isid->next) { >> i = isid->sid[0]; >> - if (i < num_sids) { >> + if (i < num_sids && sid_to_string[i]) { >> sid = (char*)sid_to_string[i]; >> } else { >> snprintf(unknown, 18, "%s%u", "UNKNOWN", i); >> -- >> 2.40.1 >>
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index e9cd89c2..bd04c087 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -567,7 +567,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_str[i]) { sid = (char *)sid_to_str[i]; } else { snprintf(unknown, 18, "%s%u", "UNKNOWN", i); @@ -2577,7 +2577,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_str[i]) { sid = (char *)sid_to_str[i]; } else { snprintf(unknown, 18, "%s%u", "UNKNOWN", i); diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h index 159c4289..6073ff3a 100644 --- a/libsepol/src/kernel_to_common.h +++ b/libsepol/src/kernel_to_common.h @@ -13,33 +13,33 @@ // initial sid names aren't actually stored in the pp files, need to a have // a mapping, taken from the linux kernel static const char * const selinux_sid_to_str[] = { - "null", + NULL, "kernel", "security", "unlabeled", - "fs", + NULL, "file", - "file_labels", - "init", + NULL, + NULL, "any_socket", "port", "netif", "netmsg", "node", - "igmp_packet", - "icmp_socket", - "tcp_socket", - "sysctl_modprobe", - "sysctl", - "sysctl_fs", - "sysctl_kernel", - "sysctl_net", - "sysctl_net_unix", - "sysctl_vm", - "sysctl_dev", - "kmod", - "policy", - "scmp_packet", + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, "devnull", }; diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index c48a7114..3be87184 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c 
@@ -464,7 +464,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_str[i]) { sid = (char *)sid_to_str[i]; } else { snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i); @@ -2445,7 +2445,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_str[i]) { sid = (char *)sid_to_str[i]; } else { snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i); diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index e7bc6ee6..a46775ca 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -2549,7 +2549,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_ for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - if (i < num_sids) { + if (i < num_sids && sid_to_string[i]) { sid = (char*)sid_to_string[i]; } else { snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
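Review bot: in the two kernel_to_cil.c hunks (write_sids_to_cil and write_sid_context_rules_to_cil), the new `i < num_sids && sid_to_str[i]` test is the same three-line lookup-or-UNKNOWN sequence that also appears in the kernel_to_conf.c and module_to_cil.c hunks, five copies in total; suggest a small shared helper in kernel_to_common.h that takes the table, its length, the SID and a caller-supplied buffer and returns either the table name or the formatted `UNKNOWN%u`, so the NULL rule lives in one place. Also, both kernel_to_cil.c hunks pass the literal 18 as the snprintf size while the kernel_to_conf.c hunks use sizeof(unknown); "UNKNOWN" plus the at most 10 decimal digits of an unsigned int plus the terminator is exactly 18, so it fits today, but sizeof(unknown) is the form that stays correct if the buffer is ever resized.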
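Review bot: in the kernel_to_common.h hunk, the comment above selinux_sid_to_str still reads "need to a have a mapping" and says nothing about the new NULL entries; suggest fixing the typo and adding a line along the lines of `// index == kernel initial SID number; NULL marks a SID with no legacy name, rendered as UNKNOWN<n>` so the next reader neither "cleans up" the NULLs nor deletes a slot and shifts every later index. Replacing entries with NULL rather than removing them is the right call, since the writers index this table by SID number. Note also that after this hunk every reader of selinux_sid_to_str has to NULL-check before dereferencing; the five call sites in this patch do, so the change is complete only if those are the table's only consumers.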
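Review bot: in the module_to_cil.c hunk (ocontext_isid_to_cil), `sid = (char*)sid_to_string[i];` casts the const away from an entry of a `const char * const` table, which is a hint that `sid` should be declared `const char *` so the cast (and the matching `(char *)` casts in the kernel_to_cil.c and kernel_to_conf.c hunks) can go; the cast is pre-existing, but since the patch already touches the line above it this is a cheap cleanup to fold in. Minor style: `(char*)` here versus `(char *)` in the other files, and `sid_to_string` here versus `sid_to_str` for the same parameter elsewhere.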
Many of the initial SIDs are no longer used by the kernel, so translating them to the legacy names doesn't bring much value. Clear the legacy names from the table and let the code translate them to the fallback "unknown" names instead.

Note that this only affects the generated text output when converting policies from binary to text form. The text policy languages let the policy define its own names for the initial SIDs based on the order in which they are declared, so the table is never used to convert from name to SID. Thus this is just a cosmetic change and has no functional impact.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 libsepol/src/kernel_to_cil.c    |  4 ++--
 libsepol/src/kernel_to_common.h | 36 ++++++++++++++++-----------------
 libsepol/src/kernel_to_conf.c   |  4 ++--
 libsepol/src/module_to_cil.c    |  2 +-
 4 files changed, 23 insertions(+), 23 deletions(-)