| Message ID | 20241202113816.55299-1-cgoettsche@seltendoof.de (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [RFC] Introduce POLICYDB_VERSION_KERNEL_MAX | expand |
On Mon, Dec 2, 2024 at 6:38 AM Christian Göttsche <cgoettsche@seltendoof.de> wrote: > > From: Christian Göttsche <cgzones@googlemail.com> > > SELinux userspace currently (and importantly in 3.8-rc1) supports > extended permissions in conditional blocks, while the kernel does not > and support will earliest arrive in 6.14. > Introduce a new version macro defining the maximum policy the current > stable kernel (at the time of the expected next userspace release) > supports, which then all tools can use as the default output policy > version. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > This is an alternative to reverting the support. > > I bundled all changes into one patch for this draft, but I can split it > in further revisions. Apologies if you explained elsewhere, but I don't understand why this is necessary or desirable. The way things are supposed to work is that the policy compiler toolchain builds the latest version it supports, then libselinux/libsepol downgrade if necessary to the kernel-supported version at load time. At least that is how it has worked in the past. And it is already possible to select a specific target version if desired through libsemanage configuration or checkpolicy/secilc command-line options as appropriate. > --- > checkpolicy/checkpolicy.c | 8 ++++---- > checkpolicy/tests/test_roundtrip.sh | 4 ++-- > libsemanage/man/man5/semanage.conf.5 | 2 +- > libsemanage/src/semanage.conf | 2 +- > libsepol/cil/src/cil.c | 2 +- > libsepol/include/sepol/policydb/policydb.h | 3 +++ > libsepol/src/expand.c | 2 +- > libsepol/src/policydb_public.c | 4 ++-- > secilc/Makefile | 6 +++--- > secilc/secilc.c | 4 ++-- > 10 files changed, 20 insertions(+), 17 deletions(-) > > diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c > index ede2b6ad..34e51312 100644 > --- a/checkpolicy/checkpolicy.c > +++ b/checkpolicy/checkpolicy.c > @@ -514,7 +514,7 @@ int main(int argc, char **argv) > > if (show_version) { > printf("%d (compatibility range %d-%d)\n", > - policyvers ? policyvers : POLICYDB_VERSION_MAX , > + policyvers ? policyvers : POLICYDB_VERSION_KERNEL_MAX , > POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); > exit(0); > } > @@ -595,7 +595,7 @@ int main(int argc, char **argv) > policydbp->policyvers = policyvers; > } > } else { > - policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; > + policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_KERNEL_MAX; > } > } else { > if (conf) { > @@ -611,7 +611,7 @@ int main(int argc, char **argv) > /* Let sepol know if we are dealing with MLS support */ > parse_policy.mls = mlspol; > parse_policy.handle_unknown = handle_unknown; > - parse_policy.policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; > + parse_policy.policyvers = policyvers ? policyvers : POLICYDB_VERSION_KERNEL_MAX; > > policydbp = &parse_policy; > > @@ -636,7 +636,7 @@ int main(int argc, char **argv) > fprintf(stderr, "Error while expanding policy\n"); > exit(1); > } > - policydb.policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; > + policydb.policyvers = policyvers ? policyvers : POLICYDB_VERSION_KERNEL_MAX; > policydb_destroy(policydbp); > policydbp = &policydb; > } > diff --git a/checkpolicy/tests/test_roundtrip.sh b/checkpolicy/tests/test_roundtrip.sh > index d05b36bb..f2c7702f 100755 > --- a/checkpolicy/tests/test_roundtrip.sh > +++ b/checkpolicy/tests/test_roundtrip.sh > @@ -31,8 +31,8 @@ check_policy policy_minimal.conf policy_minimal.conf '-E > check_policy policy_minimal_mls.conf policy_minimal_mls.conf '-M -E' > check_policy policy_minimal_mls.conf policy_minimal_mls.conf '-M -E -S -O' > > -check_policy policy_allonce.conf policy_allonce.expected.conf '' > -check_policy policy_allonce.conf policy_allonce.expected_opt.conf '-S -O' > +check_policy policy_allonce.conf policy_allonce.expected.conf '-c 34' > +check_policy policy_allonce.conf policy_allonce.expected_opt.conf '-c 34 -S -O' > > check_policy policy_allonce_mls.conf policy_allonce_mls.expected.conf '-M' > check_policy policy_allonce_mls.conf policy_allonce_mls.expected_opt.conf '-M -S -O' > diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5 > index b22e65bd..ea2292c8 100644 > --- a/libsemanage/man/man5/semanage.conf.5 > +++ b/libsemanage/man/man5/semanage.conf.5 > @@ -48,7 +48,7 @@ If the cache is ignored, then all CIL modules are recompiled from their HLL modu > .B policy-version > When generating the policy, by default > .BR semanage > -will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different > +will set the policy version to POLICYDB_VERSION_KERNEL_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different > version needs to be set for the policy. > > .TP > diff --git a/libsemanage/src/semanage.conf b/libsemanage/src/semanage.conf > index 98d769b5..674c0550 100644 > --- a/libsemanage/src/semanage.conf > +++ b/libsemanage/src/semanage.conf > @@ -32,7 +32,7 @@ > module-store = direct > > # When generating the final linked and expanded policy, by default > -# semanage will set the policy version to POLICYDB_VERSION_MAX, as > +# semanage will set the policy version to POLICYDB_VERSION_KERNEL_MAX, as > # given in <sepol/policydb.h>. Change this setting if a different > # version is necessary. > #policy-version = 19 > diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c > index 5521c7ea..b4063515 100644 > --- a/libsepol/cil/src/cil.c > +++ b/libsepol/cil/src/cil.c > @@ -464,7 +464,7 @@ void cil_db_init(struct cil_db **db) > (*db)->multiple_decls = CIL_FALSE; > (*db)->qualified_names = CIL_FALSE; > (*db)->target_platform = SEPOL_TARGET_SELINUX; > - (*db)->policy_version = POLICYDB_VERSION_MAX; > + (*db)->policy_version = POLICYDB_VERSION_KERNEL_MAX; > } > > static void cil_declared_strings_list_destroy(struct cil_list **strings) > diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h > index f833354b..73520b61 100644 > --- a/libsepol/include/sepol/policydb/policydb.h > +++ b/libsepol/include/sepol/policydb/policydb.h > @@ -765,6 +765,9 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); > #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE > #define POLICYDB_VERSION_MAX POLICYDB_VERSION_COND_XPERMS > > +/* Policy version stable Linux kernel understands */ > +#define POLICYDB_VERSION_KERNEL_MAX POLICYDB_VERSION_COMP_FTRANS > + > /* Module versions and specific changes*/ > #define MOD_POLICYDB_VERSION_BASE 4 > #define MOD_POLICYDB_VERSION_VALIDATETRANS 5 > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > index 7032a83f..8bb9fda9 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -2993,7 +2993,7 @@ int expand_module(sepol_handle_t * handle, > } > > state.out->policy_type = POLICY_KERN; > - state.out->policyvers = POLICYDB_VERSION_MAX; > + state.out->policyvers = POLICYDB_VERSION_KERNEL_MAX; > if (state.base->name) { > state.out->name = strdup(state.base->name); > if (!state.out->name) { > diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c > index 0218c940..a102c954 100644 > --- a/libsepol/src/policydb_public.c > +++ b/libsepol/src/policydb_public.c > @@ -91,7 +91,7 @@ int sepol_policy_kern_vers_min(void) > > int sepol_policy_kern_vers_max(void) > { > - return POLICYDB_VERSION_MAX; > + return POLICYDB_VERSION_KERNEL_MAX; > } > > int sepol_policydb_set_typevers(sepol_policydb_t * sp, unsigned int type) > @@ -99,7 +99,7 @@ int sepol_policydb_set_typevers(sepol_policydb_t * sp, unsigned int type) > struct policydb *p = &sp->p; > switch (type) { > case POLICY_KERN: > - p->policyvers = POLICYDB_VERSION_MAX; > + p->policyvers = POLICYDB_VERSION_KERNEL_MAX; > break; > case POLICY_BASE: > case POLICY_MOD: > diff --git a/secilc/Makefile b/secilc/Makefile > index ef7bc8cd..78b9ad73 100644 > --- a/secilc/Makefile > +++ b/secilc/Makefile > @@ -21,7 +21,7 @@ XMLTO = xmlto > DIFF = diff > > CHECKPOLICY = checkpolicy > -POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 1 -d ' ') > +MAX_POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 4 -d ' ' | cut -f 1 -d '-') > > CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused > > @@ -34,8 +34,8 @@ $(SECILC): $(SECILC_OBJS) > $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) > > test: $(SECILC) > - ./$(SECILC) test/policy.cil > - ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil > + ./$(SECILC) -c $(MAX_POL_VERS) test/policy.cil > + ./$(SECILC) -c $(MAX_POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil > $(CHECKPOLICY) -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null > $(DIFF) test/opt-expected.cil opt-actual.cil > > diff --git a/secilc/secilc.c b/secilc/secilc.c > index f3102ca9..83639c2f 100644 > --- a/secilc/secilc.c > +++ b/secilc/secilc.c > @@ -56,7 +56,7 @@ static __attribute__((__noreturn__)) void usage(const char *prog) > printf(" This will override the (mls boolean) statement\n"); > printf(" if present in the policy\n"); > printf(" -c, --policyvers=<version> build a binary policy with a given <version>\n"); > - printf(" (default: %i)\n", POLICYDB_VERSION_MAX); > + printf(" (default: %i)\n", POLICYDB_VERSION_KERNEL_MAX); > printf(" -U, --handle-unknown=<action> how to handle unknown classes or permissions.\n"); > printf(" may be deny, allow, or reject. (default: deny)\n"); > printf(" This will override the (handleunknown action)\n"); > @@ -99,7 +99,7 @@ int main(int argc, char *argv[]) > int preserve_tunables = 0; > int qualified_names = 0; > int handle_unknown = -1; > - int policyvers = POLICYDB_VERSION_MAX; > + int policyvers = POLICYDB_VERSION_KERNEL_MAX; > int attrs_expand_generated = 0; > int attrs_expand_size = -1; > int optimize = 0; > -- > 2.45.2 > >
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c index ede2b6ad..34e51312 100644 --- a/checkpolicy/checkpolicy.c +++ b/checkpolicy/checkpolicy.c @@ -514,7 +514,7 @@ int main(int argc, char **argv) if (show_version) { printf("%d (compatibility range %d-%d)\n", - policyvers ? policyvers : POLICYDB_VERSION_MAX , + policyvers ? policyvers : POLICYDB_VERSION_KERNEL_MAX , POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); exit(0); } @@ -595,7 +595,7 @@ int main(int argc, char **argv) policydbp->policyvers = policyvers; } } else { - policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; + policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_KERNEL_MAX; } } else { if (conf) { @@ -611,7 +611,7 @@ int main(int argc, char **argv) /* Let sepol know if we are dealing with MLS support */ parse_policy.mls = mlspol; parse_policy.handle_unknown = handle_unknown; - parse_policy.policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; + parse_policy.policyvers = policyvers ? policyvers : POLICYDB_VERSION_KERNEL_MAX; policydbp = &parse_policy; @@ -636,7 +636,7 @@ int main(int argc, char **argv) fprintf(stderr, "Error while expanding policy\n"); exit(1); } - policydb.policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; + policydb.policyvers = policyvers ? policyvers : POLICYDB_VERSION_KERNEL_MAX; policydb_destroy(policydbp); policydbp = &policydb; } diff --git a/checkpolicy/tests/test_roundtrip.sh b/checkpolicy/tests/test_roundtrip.sh index d05b36bb..f2c7702f 100755 --- a/checkpolicy/tests/test_roundtrip.sh +++ b/checkpolicy/tests/test_roundtrip.sh @@ -31,8 +31,8 @@ check_policy policy_minimal.conf policy_minimal.conf '-E check_policy policy_minimal_mls.conf policy_minimal_mls.conf '-M -E' check_policy policy_minimal_mls.conf policy_minimal_mls.conf '-M -E -S -O' -check_policy policy_allonce.conf policy_allonce.expected.conf '' -check_policy policy_allonce.conf policy_allonce.expected_opt.conf '-S -O' +check_policy policy_allonce.conf policy_allonce.expected.conf '-c 34' +check_policy policy_allonce.conf policy_allonce.expected_opt.conf '-c 34 -S -O' check_policy policy_allonce_mls.conf policy_allonce_mls.expected.conf '-M' check_policy policy_allonce_mls.conf policy_allonce_mls.expected_opt.conf '-M -S -O' diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5 index b22e65bd..ea2292c8 100644 --- a/libsemanage/man/man5/semanage.conf.5 +++ b/libsemanage/man/man5/semanage.conf.5 @@ -48,7 +48,7 @@ If the cache is ignored, then all CIL modules are recompiled from their HLL modu .B policy-version When generating the policy, by default .BR semanage -will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different +will set the policy version to POLICYDB_VERSION_KERNEL_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different version needs to be set for the policy. .TP diff --git a/libsemanage/src/semanage.conf b/libsemanage/src/semanage.conf index 98d769b5..674c0550 100644 --- a/libsemanage/src/semanage.conf +++ b/libsemanage/src/semanage.conf @@ -32,7 +32,7 @@ module-store = direct # When generating the final linked and expanded policy, by default -# semanage will set the policy version to POLICYDB_VERSION_MAX, as +# semanage will set the policy version to POLICYDB_VERSION_KERNEL_MAX, as # given in <sepol/policydb.h>. Change this setting if a different # version is necessary. #policy-version = 19 diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index 5521c7ea..b4063515 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -464,7 +464,7 @@ void cil_db_init(struct cil_db **db) (*db)->multiple_decls = CIL_FALSE; (*db)->qualified_names = CIL_FALSE; (*db)->target_platform = SEPOL_TARGET_SELINUX; - (*db)->policy_version = POLICYDB_VERSION_MAX; + (*db)->policy_version = POLICYDB_VERSION_KERNEL_MAX; } static void cil_declared_strings_list_destroy(struct cil_list **strings) diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index f833354b..73520b61 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -765,6 +765,9 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE #define POLICYDB_VERSION_MAX POLICYDB_VERSION_COND_XPERMS +/* Policy version stable Linux kernel understands */ +#define POLICYDB_VERSION_KERNEL_MAX POLICYDB_VERSION_COMP_FTRANS + /* Module versions and specific changes*/ #define MOD_POLICYDB_VERSION_BASE 4 #define MOD_POLICYDB_VERSION_VALIDATETRANS 5 diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 7032a83f..8bb9fda9 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -2993,7 +2993,7 @@ int expand_module(sepol_handle_t * handle, } state.out->policy_type = POLICY_KERN; - state.out->policyvers = POLICYDB_VERSION_MAX; + state.out->policyvers = POLICYDB_VERSION_KERNEL_MAX; if (state.base->name) { state.out->name = strdup(state.base->name); if (!state.out->name) { diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c index 0218c940..a102c954 100644 --- a/libsepol/src/policydb_public.c +++ b/libsepol/src/policydb_public.c @@ -91,7 +91,7 @@ int sepol_policy_kern_vers_min(void) int sepol_policy_kern_vers_max(void) { - return POLICYDB_VERSION_MAX; + return POLICYDB_VERSION_KERNEL_MAX; } int sepol_policydb_set_typevers(sepol_policydb_t * sp, unsigned int type) @@ -99,7 +99,7 @@ int sepol_policydb_set_typevers(sepol_policydb_t * sp, unsigned int type) struct policydb *p = &sp->p; switch (type) { case POLICY_KERN: - p->policyvers = POLICYDB_VERSION_MAX; + p->policyvers = POLICYDB_VERSION_KERNEL_MAX; break; case POLICY_BASE: case POLICY_MOD: diff --git a/secilc/Makefile b/secilc/Makefile index ef7bc8cd..78b9ad73 100644 --- a/secilc/Makefile +++ b/secilc/Makefile @@ -21,7 +21,7 @@ XMLTO = xmlto DIFF = diff CHECKPOLICY = checkpolicy -POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 1 -d ' ') +MAX_POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 4 -d ' ' | cut -f 1 -d '-') CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused @@ -34,8 +34,8 @@ $(SECILC): $(SECILC_OBJS) $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) test: $(SECILC) - ./$(SECILC) test/policy.cil - ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil + ./$(SECILC) -c $(MAX_POL_VERS) test/policy.cil + ./$(SECILC) -c $(MAX_POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil $(CHECKPOLICY) -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null $(DIFF) test/opt-expected.cil opt-actual.cil diff --git a/secilc/secilc.c b/secilc/secilc.c index f3102ca9..83639c2f 100644 --- a/secilc/secilc.c +++ b/secilc/secilc.c @@ -56,7 +56,7 @@ static __attribute__((__noreturn__)) void usage(const char *prog) printf(" This will override the (mls boolean) statement\n"); printf(" if present in the policy\n"); printf(" -c, --policyvers=<version> build a binary policy with a given <version>\n"); - printf(" (default: %i)\n", POLICYDB_VERSION_MAX); + printf(" (default: %i)\n", POLICYDB_VERSION_KERNEL_MAX); printf(" -U, --handle-unknown=<action> how to handle unknown classes or permissions.\n"); printf(" may be deny, allow, or reject. (default: deny)\n"); printf(" This will override the (handleunknown action)\n"); @@ -99,7 +99,7 @@ int main(int argc, char *argv[]) int preserve_tunables = 0; int qualified_names = 0; int handle_unknown = -1; - int policyvers = POLICYDB_VERSION_MAX; + int policyvers = POLICYDB_VERSION_KERNEL_MAX; int attrs_expand_generated = 0; int attrs_expand_size = -1; int optimize = 0;