| Message ID | 20200806183418.50128-1-stephen.smalley.work@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | scripts/selinux,selinux: update mdp to enable policy capabilities | expand |
On Thu, Aug 6, 2020 at 2:34 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > Presently mdp does not enable any SELinux policy capabilities > in the dummy policy it generates. Thus, policies derived from > it will by default lack various features commonly used in modern > policies such as open permission, extended socket classes, network > peer controls, etc. Split the policy capability definitions out into > their own headers so that we can include them into mdp without pulling in > other kernel headers and extend mdp generate policycap statements for the > policy capabilities known to the kernel. Policy authors may wish to > selectively remove some of these from the generated policy. > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > --- > scripts/selinux/mdp/mdp.c | 7 +++++++ > security/selinux/include/policycap.h | 20 ++++++++++++++++++++ > security/selinux/include/policycap_names.h | 18 ++++++++++++++++++ > security/selinux/include/security.h | 16 +--------------- > security/selinux/ss/services.c | 12 +----------- > 5 files changed, 47 insertions(+), 26 deletions(-) > create mode 100644 security/selinux/include/policycap.h > create mode 100644 security/selinux/include/policycap_names.h Seems reasonable to me, but obviously needs to wait until the merge window closes.
On Thu, Aug 6, 2020 at 11:46 PM Paul Moore <paul@paul-moore.com> wrote: > > On Thu, Aug 6, 2020 at 2:34 PM Stephen Smalley > <stephen.smalley.work@gmail.com> wrote: > > > > Presently mdp does not enable any SELinux policy capabilities > > in the dummy policy it generates. Thus, policies derived from > > it will by default lack various features commonly used in modern > > policies such as open permission, extended socket classes, network > > peer controls, etc. Split the policy capability definitions out into > > their own headers so that we can include them into mdp without pulling in > > other kernel headers and extend mdp generate policycap statements for the > > policy capabilities known to the kernel. Policy authors may wish to > > selectively remove some of these from the generated policy. > > > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > > --- > > scripts/selinux/mdp/mdp.c | 7 +++++++ > > security/selinux/include/policycap.h | 20 ++++++++++++++++++++ > > security/selinux/include/policycap_names.h | 18 ++++++++++++++++++ > > security/selinux/include/security.h | 16 +--------------- > > security/selinux/ss/services.c | 12 +----------- > > 5 files changed, 47 insertions(+), 26 deletions(-) > > create mode 100644 security/selinux/include/policycap.h > > create mode 100644 security/selinux/include/policycap_names.h > > Seems reasonable to me, but obviously needs to wait until the merge > window closes. I just merged this into selinux/next, thanks Stephen.
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 6ceb88eb9b59..105c1c31a316 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c @@ -35,6 +35,9 @@ struct security_class_mapping { #include "classmap.h" #include "initial_sid_to_string.h" +#include "policycap_names.h" + +#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0])) int main(int argc, char *argv[]) { @@ -115,6 +118,10 @@ int main(int argc, char *argv[]) } } + /* enable all policy capabilities */ + for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) + fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]); + /* types, roles, and allows */ fprintf(fout, "type base_t;\n"); fprintf(fout, "role base_r;\n"); diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h new file mode 100644 index 000000000000..2ec038efbb03 --- /dev/null +++ b/security/selinux/include/policycap.h @@ -0,0 +1,20 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _SELINUX_POLICYCAP_H_ +#define _SELINUX_POLICYCAP_H_ + +/* Policy capabilities */ +enum { + POLICYDB_CAPABILITY_NETPEER, + POLICYDB_CAPABILITY_OPENPERM, + POLICYDB_CAPABILITY_EXTSOCKCLASS, + POLICYDB_CAPABILITY_ALWAYSNETWORK, + POLICYDB_CAPABILITY_CGROUPSECLABEL, + POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, + POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, + __POLICYDB_CAPABILITY_MAX +}; +#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) + +extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX]; + +#endif /* _SELINUX_POLICYCAP_H_ */ diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h new file mode 100644 index 000000000000..b89289f092c9 --- /dev/null +++ b/security/selinux/include/policycap_names.h @@ -0,0 +1,18 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _SELINUX_POLICYCAP_NAMES_H_ +#define _SELINUX_POLICYCAP_NAMES_H_ + +#include "policycap.h" + +/* Policy capability names */ +const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { + "network_peer_controls", + "open_perms", + "extended_socket_class", + "always_check_network", + "cgroup_seclabel", + "nnp_nosuid_transition", + "genfs_seclabel_symlinks" +}; + +#endif /* _SELINUX_POLICYCAP_NAMES_H_ */ diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 7fa67bfb2f9f..c68ed2beadff 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -16,6 +16,7 @@ #include <linux/refcount.h> #include <linux/workqueue.h> #include "flask.h" +#include "policycap.h" #define SECSID_NULL 0x00000000 /* unspecified SID */ #define SECSID_WILD 0xffffffff /* wildcard SID */ @@ -72,21 +73,6 @@ struct netlbl_lsm_secattr; extern int selinux_enabled_boot; -/* Policy capabilities */ -enum { - POLICYDB_CAPABILITY_NETPEER, - POLICYDB_CAPABILITY_OPENPERM, - POLICYDB_CAPABILITY_EXTSOCKCLASS, - POLICYDB_CAPABILITY_ALWAYSNETWORK, - POLICYDB_CAPABILITY_CGROUPSECLABEL, - POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, - POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, - __POLICYDB_CAPABILITY_MAX -}; -#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) - -extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX]; - /* * type_datum properties * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 937cb0805dc6..394fda88c374 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -64,17 +64,7 @@ #include "xfrm.h" #include "ebitmap.h" #include "audit.h" - -/* Policy capability names */ -const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { - "network_peer_controls", - "open_perms", - "extended_socket_class", - "always_check_network", - "cgroup_seclabel", - "nnp_nosuid_transition", - "genfs_seclabel_symlinks" -}; +#include "policycap_names.h" static struct selinux_ss selinux_ss;
Presently mdp does not enable any SELinux policy capabilities in the dummy policy it generates. Thus, policies derived from it will by default lack various features commonly used in modern policies such as open permission, extended socket classes, network peer controls, etc. Split the policy capability definitions out into their own headers so that we can include them into mdp without pulling in other kernel headers and extend mdp generate policycap statements for the policy capabilities known to the kernel. Policy authors may wish to selectively remove some of these from the generated policy. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> --- scripts/selinux/mdp/mdp.c | 7 +++++++ security/selinux/include/policycap.h | 20 ++++++++++++++++++++ security/selinux/include/policycap_names.h | 18 ++++++++++++++++++ security/selinux/include/security.h | 16 +--------------- security/selinux/ss/services.c | 12 +----------- 5 files changed, 47 insertions(+), 26 deletions(-) create mode 100644 security/selinux/include/policycap.h create mode 100644 security/selinux/include/policycap_names.h