From patchwork Wed Aug 5 19:40:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dominick Grift X-Patchwork-Id: 11702433 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0F25D14B7 for ; Wed, 5 Aug 2020 19:50:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D157C206A2 for ; Wed, 5 Aug 2020 19:50:13 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=defensec.nl header.i=@defensec.nl header.b="oyKbrmX6" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728194AbgHETuJ (ORCPT ); Wed, 5 Aug 2020 15:50:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47230 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728368AbgHETuH (ORCPT ); Wed, 5 Aug 2020 15:50:07 -0400 Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 94AD4C0617A2 for ; Wed, 5 Aug 2020 12:41:06 -0700 (PDT) Received: from localhost.localdomain (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id E7A862A0EFE; Wed, 5 Aug 2020 21:41:00 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl E7A862A0EFE DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1596656461; bh=Ee81R8FFJLllU0gVDOmtDG3uifPv6wKzu801713Jm3o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oyKbrmX6qBZHd6OzolcaxowVnOjeLMmxoTglKx587pfisOpaOfHemXC94MDmmZSLc KE54rVIXhPdi4zF9ft/SjPxp+3YRy3cNLnzP3Vp9sSyDwHRh31eWpnH4uZ12kr8PAE QAaEGcEmhZuGM6SqpvZXLwawKGj3t9c9BKlF7E3E= From: Dominick Grift To: selinux@vger.kernel.org Cc: Dominick Grift Subject: [SELinux-notebook PATCH v6] type_statements: document expandattribute Date: Wed, 5 Aug 2020 21:40:48 +0200 Message-Id: <20200805194048.490708-1-dominick.grift@defensec.nl> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200804073310.195204-1-dominick.grift@defensec.nl> References: <20200804073310.195204-1-dominick.grift@defensec.nl> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This functionality was added for Androids Treble in 2017. Signed-off-by: Dominick Grift Acked-by: James Carter --- v2: change expandtypeattribute to expandattribute v3: overriden is overridden v4: convert to markdown v5: copied and pasted description from James Carter and changed default_value to expand_value v6: can be used in if conditionals and update description from James Carter src/type_statements.md | 693 ++++++++++++++++++----------------------- 1 file changed, 302 insertions(+), 391 deletions(-) diff --git a/src/type_statements.md b/src/type_statements.md index 61c7191..a20403b 100644 --- a/src/type_statements.md +++ b/src/type_statements.md @@ -1,7 +1,7 @@ # Type Statements These statements share the same namespace, therefore the general -convention is to use `_t` as the final two characters of a type +convention is to use *_t* as the final two characters of a type identifier to differentiate it from an attribute identifier as shown in the following examples: @@ -13,12 +13,10 @@ type bin_t; # A type identifier generally ends with _t attribute file_type; # An attribute identifier generally ends with _type ``` -
+## *type* -## `type` - -The `type` statement declares the type identifier and any optional -associated `alias` or `attribute` identifiers. Type identifiers are a +The *type* statement declares the type identifier and any optional +associated *alias* or *attribute* identifiers. Type identifiers are a component of the [**Security Context**](security_context.md#security-context). **The statement definition is:** @@ -27,57 +25,44 @@ component of the [**Security Context**](security_context.md#security-context). **Where:** - - - - - - - - - - - - - - - - - - - - - - - -
typeThe type keyword.
type_idThe type identifier.
aliasOptional alias keyword that signifies alternate identifiers for the type_id that are declared in the alias_id list.
alias_idOne or more alias identifiers that have been previously declared by the typealias statement. Multiple entries consist of a space separated list enclosed in braces '{}'.
attribute_idOne or more optional attribute identifiers that have been previously declared by the attribute statement. Multiple entries consist of a comma ',' separated list, also note the lead comma.
+*type* + +The *type* keyword. + +*type_id* + +The *type* identifier. + +*alias* + +Optional *alias* keyword that signifies alternate identifiers for the *type_id* +that are declared in the *alias_id* list. + +*alias_id* + +One or more *alias* identifiers that have been previously declared by the +[*typealias*](#typealias) statement. Multiple entries consist of a space +separated list enclosed in braces '{}'. + +*attribute_id* + +One or more optional *attribute* identifiers that have been previously declared +by the [*attribute*](#attribute) statement. Multiple entries consist of a comma +',' separated list, also note the lead comma. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | Yes | **Examples:** @@ -134,12 +119,10 @@ attribute server_packet_type; # declare attribute 2 type ssh_server_packet_t, packet_type, server_packet_type; ``` -
- -## `attribute` +## *attribute* -An `attribute` statement declares an identifier that can then be used to -refer to a group of `type` identifiers. +An *attribute* statement declares an identifier that can then be used to +refer to a group of *type* identifiers. **The statement definition is:** @@ -147,45 +130,27 @@ refer to a group of `type` identifiers. **Where:** - - - - - - - - - - - -
attributeThe attribute keyword.
attribute_idThe attribute identifier.
+*attribute* + +The *attribute* keyword. + +*attribute_id* + +The *attribute* identifier. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesYes
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | Yes | **Examples:** @@ -199,11 +164,68 @@ attribute file_type; attribute non_security_file_type; ``` -
+## *expandattribute* + +Overrides the compiler defaults for the expansion of one or more +previously declared [*attribute*](#attribute) identifiers. + +This rule gives more control over type attribute expansion and +removal. When the value is true, all rules involving the type +attribute will be expanded and the type attribute will be removed from +the policy. When the value is false, the type attribute will not be +removed from the policy, even if the default expand rules or "-X" +option cause the rules involving the type attribute to be expanded. + +**The statement definition is:** + +`expandattribute attribute_id expand_value;` + +**Where:** + +*expandattribute* + +The *expandattribute* keyword. + +*attribute_id* + +One or more *attribute* identifiers that have been previously declared by the +[*attribute*](#attribute) statement. Multiple entries consist of a space +separated list enclosed in braces '{}'. + +*expand_value* + +Either true or false. + +**The statement is valid in:** + +Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +**Examples:** + +``` +# Using the expandattribute statement to forcibly expand a +# previously declared domain attribute. + +# The previously declared attribute: +attribute domain; -## `typeattribute` +# The attribute stripping using the expandattribute statement: +expandattribute domain true; +``` + +## *typeattribute* -The `typeattribute` statement allows the association of previously +The *typeattribute* statement allows the association of previously declared types to one or more previously declared attributes. **The statement definition is:** @@ -212,49 +234,32 @@ declared types to one or more previously declared attributes. **Where:** - - - - - - - - - - - - - - - -
typeattributeThe typeattribute keyword.
type_idThe identifier of a previously declared type.
attribute_idOne or more previously declared attribute identifiers. Multiple entries consist of a comma ',' separated list.
+*typeattribute* + +The *typeattribute* keyword. + +*type_id* + +The identifier of a previously declared *type*. + +*attribute_id* + +One or more previously declared *attribute* identifiers. Multiple entries +consist of a comma ',' separated list. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Examples:** @@ -289,13 +294,11 @@ type setroubleshootd_exec_t; typeattribute setroubleshootd_exec_t file_type, non_security_file_type; ``` -
+## *typealias* -## `typealias` - -The `typealias` statement allows the association of a previously declared -`type` to one or more `alias` identifiers (an alternative way is to use the -`type` statement. +The *typealias* statement allows the association of a previously declared +*type* to one or more *alias* identifiers (an alternative way is to use the +*type* statement. **The statement definition is:** @@ -303,53 +306,36 @@ The `typealias` statement allows the association of a previously declared **Where:** - - - - - - - - - - - - - - - - - - - -
typealiasThe typealias keyword.
type_idThe identifier of a previously declared type.
aliasThe alias keyword.
alias_idOne or more alias identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'.
+*typealias* + +The *typealias* keyword. + +*type_id* + +The identifier of a previously declared *type*. + +*alias* + +The *alias* keyword. + +*alias_id* + +One or more *alias* identifiers. Multiple entries consist of a space separated +list enclosed in braces '{}'. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Examples:** @@ -374,14 +360,12 @@ type netif_t; typealias netif_t alias { lo_netif_t netif_lo_t }; ``` -
+## *permissive* -## `permissive` - -Policy version 23 introduced the `permissive` statement to allow the named +Policy version 23 introduced the *permissive* statement to allow the named domain to run in permissive mode instead of running all SELinux domains in permissive mode (that was the only option prior to version 23). Note -that the `permissive` statement only tests the source context for any +that the *permissive* statement only tests the source context for any policy denial. **The statement definition is:** @@ -390,45 +374,27 @@ policy denial. **Where:** - - - - - - - - - - - -
permissiveThe permissive keyword.
type_idThe type identifier of the domain that will be run in permissive mode.
+*permissive* + +The *permissive* keyword. + +*type_id* + +The *type* identifier of the domain that will be run in permissive mode. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
NoYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | Yes | No | **Examples:** @@ -463,16 +429,13 @@ require { permissive unconfined_t; ``` -
- - -## `type_transition` +## *type_transition* The type_transition rule specifies the default type to be used for domain transistion or object creation. Kernels from 2.6.39 with Policy versions from 25 also support the 'name transition rule' extension. See the [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts) -section for more details. Note than an `allow` rule must be used to authorise +section for more details. Note than an *allow* rule must be used to authorise the transition. **The statement definitions are:** @@ -486,59 +449,46 @@ however, this is only appropriate for the file classes: **Where:** - - - - - - - - - - - - - - - - - - - - - - - -
type_transitionThe type_transition rule keyword.

source_type

-

target_type

One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'.

-

Entries can be excluded from the list by using the negative operator '-'.

classOne or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.
default_typeA single type or typealias identifier that will become the default process type for a domain transition or the type for object transitions.
object_nameFor the 'name transition' rule this is matched against the objects name (i.e. the last component of a path). If object_name exactly matches the object name, then use default_type for the type.
+*type_transition* + +The *type_transition* rule keyword. + +*source_type* +*target_type* + +One or more source / target *type*, *typealias* or *attribute* identifiers. +Multiple entries consist of a space separated list enclosed in braces '{}'. +Entries can be excluded from the list by using the negative operator '-'. + +*class* + +One or more object classes. Multiple entries consist of a space separated list +enclosed in braces '{}'. + +*default_type* + +A single *type* or *typealias* identifier that will become the default process +*type* for a domain transition or the *type* for object transitions. + +*object_name* + +For the 'name transition' rule this is matched against the objects name +(i.e. the last component of a path). If *object_name* exactly matches the +object name, then use *default_type* for the *type*. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
YesYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | **Example - Domain Transition:** @@ -607,14 +557,12 @@ type_transition unconfined_t etc_t : file system_conf_t eric; # an exact strcmp) it should be labeled system_conf_t. ``` -
+## *type_change* -## `type_change` - -The `type_change` rule specifies a default `type` when relabeling an +The *type_change* rule specifies a default *type* when relabeling an existing object. For example userspace SELinux-aware applications would -use ***security_compute_relabel**(3)* and `type_change` rules in -policy to determine the new context to be applied. Note that an `allow` +use ***security_compute_relabel**(3)* and *type_change* rules in +policy to determine the new context to be applied. Note that an *allow* rule must be used to authorise access. See the [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts) section for more details. @@ -625,55 +573,38 @@ section for more details. **Where:** - - - - - - - - - - - - - - - - - - - -
type_changeThe type_change rule keyword.

source_type

-

target_type

One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'.

-

Entries can be excluded from the list by using the negative operator '-'.

classOne or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.
change_typeA single type or typealias identifier that will become the new type.
+*type_change* + +The *type_change* rule keyword. + +*source_type* +*target_type* + +One or more source / target *type*, *typealias* or *attribute* identifiers. +Multiple entries consist of a space separated list enclosed in braces '{}'. +Entries can be excluded from the list by using the negative operator '-'. + +*class* + +One or more object classes. Multiple entries consist of a space separated list +enclosed in braces '{}'. + +*change_type* +A single *type* or *typealias* identifier that will become the new *type*. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
YesYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | **Examples:** @@ -694,15 +625,13 @@ type_change auditadm_t sysadm_devpts_t:chr_file auditadm_devpts_t; type_change staff_t server_ptynode:chr_file staff_devpts_t; ``` -
+## *type_member* -## `type_member` - -The `type_member` rule specifies a default type when creating a +The *type_member* rule specifies a default type when creating a polyinstantiated object. For example a userspace SELinux-aware application would use ***avc_compute_member**(3)* or -***security_compute_member**(3)* with `type_member` rules in policy -to determine the context to be applied. Note that an `allow` rule must +***security_compute_member**(3)* with *type_member* rules in policy +to determine the context to be applied. Note that an *allow* rule must be used to authorise access. See the [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts) section for more details. @@ -713,55 +642,40 @@ section for more details. **Where:** - - - - - - - - - - - - - - - - - - - -
type_memberThe type_member rule keyword.

source_type

-

target_type

One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'.

-

Entries can be excluded from the list by using the negative operator '-'.

classOne or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.
member_typeA single type or typealias identifier that will become the polyinstantiated type.
+*type_member* + +The *type_member* rule keyword. + +*source_type* +*target_type* + +One or more source / target *type*, *typealias* or *attribute* identifiers. +Multiple entries consist of a space separated list enclosed in braces '{}'. +Entries can be excluded from the list by using the negative operator '-'. + +*class* + +One or more object classes. Multiple entries consist of a space separated list +enclosed in braces '{}'. + +*member_type* + +A single *type* or *typealias* identifier that will become the polyinstantiated +*type*. **The statement is valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
YesYesNo
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | **Example:** @@ -774,9 +688,6 @@ section for more details. type_member sysadm_t user_home_dir_t:dir user_home_dir_t; ``` - -
- ---