From patchwork Thu Aug 6 18:34:18 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11703945 X-Patchwork-Delegate: paul@paul-moore.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 29D821731 for ; Thu, 6 Aug 2020 18:35:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7E196221E3 for ; Thu, 6 Aug 2020 18:35:57 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="jjS2c5OF" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728381AbgHFSfy (ORCPT ); Thu, 6 Aug 2020 14:35:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59622 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728418AbgHFSex (ORCPT ); Thu, 6 Aug 2020 14:34:53 -0400 Received: from mail-qt1-x842.google.com (mail-qt1-x842.google.com [IPv6:2607:f8b0:4864:20::842]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 89FE6C061A13 for ; Thu, 6 Aug 2020 11:34:41 -0700 (PDT) Received: by mail-qt1-x842.google.com with SMTP id e5so23083154qth.5 for ; Thu, 06 Aug 2020 11:34:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=gOcQo9I1luiRmUv0GS/aPmFOnQlx6Ae6SiphJ0gJOMM=; b=jjS2c5OFlT97mFBUM/vrYWMSnwUEf16TxcggOr/ftn96Thz50dhCIsmdSClntlAt+B 6FrjVlXN8rz1ec9l4q9GUCP7q5VrF/6ayX7dHQEH78BZoL6f4FFRjasssCE/RXCIcD6d e0QLRRfEgXql/3aSjAhZMjBETkhyPryo/AkScoji7xHRgOSkNr6AcW84CkUpndq386Dv MJec0obXN5lBjTj4X6+KwQsN4nLlnfRUk6Q6aGc7uo9WHBaUllDRlUyPrar3fciBQ+Dz yPW/BdP3D0bceokOkDGuA9LNH5dXLWrA9n8LjPG9dSn37jGz5sDbsvEgChW4NbRt7dn6 6BAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=gOcQo9I1luiRmUv0GS/aPmFOnQlx6Ae6SiphJ0gJOMM=; b=LMEL0DfcTyDShV7EA7FL+e6x3dVoJyzqVWh/0OoPDaUs7+2Kle4ge71NvtS3XFMzCe c2S0Un9HcsOt2MsZv7m3UgObBwF1n62unUavPpLg1thjqBaiWXiBMqMe3r5eshuEklbf +7PzUO8UHn2VzBHjMu/CWSnW3HCixW9dhSoTOYvJ5T8f93TWdX/DLwt/w9dZ5VkaFD4g OyrsWKMpnFJ2Hp2gecCOyiG1CO7/rYGsIin+8kQ961Gv50fr36UMJqNtwSpMmQEvnP9Y DqOjruvb/vVyNe77bBKSVLjEbT3/g+OlGW3OkYCsurtXUl+c0XgUyWZkn0v/8vBewJWK YvXw== X-Gm-Message-State: AOAM533ZxVcsUA/XK2QZUk9NZsebztexELsSJQk47RquIGMTHSRetoQ8 1eB4Oyn1zBql42U4nsksUDs= X-Google-Smtp-Source: ABdhPJyFD7OCJYxNJbn+8RcNitEH7EAybmU7VKn5bs8h6G8A9it2kv3gz10yQ9V2xy8QNDhE4ZieUw== X-Received: by 2002:aed:36c7:: with SMTP id f65mr10582595qtb.39.1596738880691; Thu, 06 Aug 2020 11:34:40 -0700 (PDT) Received: from puritycontrol.fios-router.home (pool-68-134-6-11.bltmmd.fios.verizon.net. [68.134.6.11]) by smtp.gmail.com with ESMTPSA id q7sm4849239qkf.35.2020.08.06.11.34.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 06 Aug 2020 11:34:40 -0700 (PDT) From: Stephen Smalley To: paul@paul-moore.com Cc: omosnace@redhat.com, selinux@vger.kernel.org, Stephen Smalley Subject: [PATCH] scripts/selinux,selinux: update mdp to enable policy capabilities Date: Thu, 6 Aug 2020 14:34:18 -0400 Message-Id: <20200806183418.50128-1-stephen.smalley.work@gmail.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Presently mdp does not enable any SELinux policy capabilities in the dummy policy it generates. Thus, policies derived from it will by default lack various features commonly used in modern policies such as open permission, extended socket classes, network peer controls, etc. Split the policy capability definitions out into their own headers so that we can include them into mdp without pulling in other kernel headers and extend mdp generate policycap statements for the policy capabilities known to the kernel. Policy authors may wish to selectively remove some of these from the generated policy. Signed-off-by: Stephen Smalley --- scripts/selinux/mdp/mdp.c | 7 +++++++ security/selinux/include/policycap.h | 20 ++++++++++++++++++++ security/selinux/include/policycap_names.h | 18 ++++++++++++++++++ security/selinux/include/security.h | 16 +--------------- security/selinux/ss/services.c | 12 +----------- 5 files changed, 47 insertions(+), 26 deletions(-) create mode 100644 security/selinux/include/policycap.h create mode 100644 security/selinux/include/policycap_names.h diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 6ceb88eb9b59..105c1c31a316 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c @@ -35,6 +35,9 @@ struct security_class_mapping { #include "classmap.h" #include "initial_sid_to_string.h" +#include "policycap_names.h" + +#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0])) int main(int argc, char *argv[]) { @@ -115,6 +118,10 @@ int main(int argc, char *argv[]) } } + /* enable all policy capabilities */ + for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) + fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]); + /* types, roles, and allows */ fprintf(fout, "type base_t;\n"); fprintf(fout, "role base_r;\n"); diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h new file mode 100644 index 000000000000..2ec038efbb03 --- /dev/null +++ b/security/selinux/include/policycap.h @@ -0,0 +1,20 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _SELINUX_POLICYCAP_H_ +#define _SELINUX_POLICYCAP_H_ + +/* Policy capabilities */ +enum { + POLICYDB_CAPABILITY_NETPEER, + POLICYDB_CAPABILITY_OPENPERM, + POLICYDB_CAPABILITY_EXTSOCKCLASS, + POLICYDB_CAPABILITY_ALWAYSNETWORK, + POLICYDB_CAPABILITY_CGROUPSECLABEL, + POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, + POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, + __POLICYDB_CAPABILITY_MAX +}; +#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) + +extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX]; + +#endif /* _SELINUX_POLICYCAP_H_ */ diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h new file mode 100644 index 000000000000..b89289f092c9 --- /dev/null +++ b/security/selinux/include/policycap_names.h @@ -0,0 +1,18 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _SELINUX_POLICYCAP_NAMES_H_ +#define _SELINUX_POLICYCAP_NAMES_H_ + +#include "policycap.h" + +/* Policy capability names */ +const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { + "network_peer_controls", + "open_perms", + "extended_socket_class", + "always_check_network", + "cgroup_seclabel", + "nnp_nosuid_transition", + "genfs_seclabel_symlinks" +}; + +#endif /* _SELINUX_POLICYCAP_NAMES_H_ */ diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 7fa67bfb2f9f..c68ed2beadff 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -16,6 +16,7 @@ #include #include #include "flask.h" +#include "policycap.h" #define SECSID_NULL 0x00000000 /* unspecified SID */ #define SECSID_WILD 0xffffffff /* wildcard SID */ @@ -72,21 +73,6 @@ struct netlbl_lsm_secattr; extern int selinux_enabled_boot; -/* Policy capabilities */ -enum { - POLICYDB_CAPABILITY_NETPEER, - POLICYDB_CAPABILITY_OPENPERM, - POLICYDB_CAPABILITY_EXTSOCKCLASS, - POLICYDB_CAPABILITY_ALWAYSNETWORK, - POLICYDB_CAPABILITY_CGROUPSECLABEL, - POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, - POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, - __POLICYDB_CAPABILITY_MAX -}; -#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) - -extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX]; - /* * type_datum properties * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 937cb0805dc6..394fda88c374 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -64,17 +64,7 @@ #include "xfrm.h" #include "ebitmap.h" #include "audit.h" - -/* Policy capability names */ -const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { - "network_peer_controls", - "open_perms", - "extended_socket_class", - "always_check_network", - "cgroup_seclabel", - "nnp_nosuid_transition", - "genfs_seclabel_symlinks" -}; +#include "policycap_names.h" static struct selinux_ss selinux_ss;