Commit Graph

101 Commits

Author SHA1 Message Date
Christian Göttsche
d192e4d937 libsepol: support const avtab_t pointer in avtab_map()
The access vector table itself is not modified in avtab_map() thus
support passing a const pointer.

Logically the content might be changed by the passed callback, but C
does not support transitive const-ness well, and C also does not support
function overloading, e.g. like for strchr(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:34 -04:00
Christian Göttsche
6f9e682c15 libsepol: add ebitmap_init_range
Add an initializer for ebitmaps that sets all bits in a given range to
save node traversals for each bit to set, compared to calling
ebitmap_init() followed by iterating ebitmap_set_bit().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:13 -04:00
Christian Göttsche
65b3f695be libsepol: enclose macro parameters and replacement lists in parentheses
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:06 -04:00
Christian Göttsche
85e73a22ff libsepol: include necessary headers in headers
Include policydb header file required for typedef policydb_t.

This is for example helpful when working with an IDE, which needs to
resolve those symbols.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:03 -04:00
Christian Göttsche
12beafe7ce libsepol: break circular include
Since `struct type_set` is forward declared including
policydb/policydb.h is not necessary and creates a circular include.

Also drop the unnecessary forward declaration of `struct policydb`.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:00 -04:00
Ondrej Mosnacek
9e096e6ef0 libsepol,checkpolicy: add support for self keyword in type transitions
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the TE language level and adds the support to the module policydb
format. Note that changing the kernel policydb format is not necessary
at all, as type transitions are always expanded in the kernel policydb.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:37:17 -04:00
Christian Göttsche
3ae07ec36f libsepol: introduce sepol_const_security_context_t typedef
The typedef `sepol_security_context_t` is used for contexts.  For the
read-only input parameter in `sepol_context_to_sid()`
`const sepol_security_context_t` is used as type, which does not expand
to the expected `const char*` but `char *const`.

Introduce a corresponding typedef for `const char*`.

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:13 -04:00
Christian Göttsche
f0e085f684 libsepol: add sepol_av_perm_to_string
Add a wrapper around the utility function sepol_av_to_string() on the
service internal policy.  This allows callers to convert a permission
bit set into a string representation without access to the internal
policy structure.

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:11 -04:00
Christian Göttsche
6359946633 libsepol: mark immutable mls and context parameter const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:46:10 +02:00
Richard Haines
0d84ebcbc4 libsepol: Shorten the policy capability enum names
Shorten "CAPABILITY" to "CAP" following the kernel naming convention.

The SELinux policy capability enum names should now follow the
"POLICYDB_CAP_XXX" format.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-03-11 10:16:15 -05:00
Richard Haines
71bcdcc943 libsepol: Add 'ioctl_skip_cloexec' policy capability
If 'ioctl_skip_cloexec' set, kernel will always allow FIOCLEX and FIONCLEX
ioctls.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2022-03-03 12:10:47 -05:00
Christian Göttsche
e1491388d5
libsepol: avoid implicit conversions
Avoid implicit conversions from signed to unsigned values, found by
UB sanitizers, by using unsigned values in the first place.

    expand.c:1644:18: runtime error: implicit conversion from type 'int' of value -1 (32-bit, signed) to type 'uint32_t' (aka 'unsigned int') changed the value to 4294967295 (32-bit, unsigned)

    expand.c:2892:24: runtime error: implicit conversion from type 'int' of value -2 (32-bit, signed) to type 'unsigned int' changed the value to 4294967294 (32-bit, unsigned)

    policy_define.c:2344:4: runtime error: implicit conversion from type 'int' of value -1048577 (32-bit, signed) to type 'unsigned int' changed the value to 4293918719 (32-bit, unsigned)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:01:07 +02:00
Christian Göttsche
8eec1bb502 libsepol: mark read-only parameters of type_set_ interfaces const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-06-24 09:40:24 -04:00
Christian Göttsche
390ec54d27 libsepol: mark read-only parameters of ebitmap interfaces const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-06-24 09:40:18 -04:00
James Carter
8f5409cf4c libsepol: Create function ebitmap_highest_set_bit()
Create the function ebitmap_highest_set_bit() which returns the position
of the highest bit set in the ebitmap.

The return value is valid only if the ebitmap is not empty. An empty
ebitmap will return 0.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-02-19 16:30:11 +01:00
Nicolas Iooss
72a88d753d
libsepol: remove unused files
libsepol/src/roles.c contains functions which do not match its header
file libsepol/include/sepol/roles.h:

    // In roles.c
    int sepol_role_exists(sepol_handle_t * handle __attribute__ ((unused)),
                          sepol_policydb_t * p, const char *role, int *response)
    // In roles.h
    extern int sepol_role_exists(const sepol_policydb_t * policydb,
                                 const char *role, int *response);

and:

    // In roles.c
    int sepol_role_list(sepol_handle_t * handle,
                        sepol_policydb_t * p, char ***roles, unsigned int *nroles)
    // In roles.h
    extern int sepol_role_list(const sepol_policydb_t * policydb,
                               char ***roles, unsigned int *nroles);

Instead of fixing the parameter type (using sepol_handle_t or
sepol_policydb_t but not different ones), remove these functions, as
they appear not to be used. They are not exported in libsepol.so.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2021-02-05 10:19:30 +01:00
Petr Lautrbach
506c7b95b8
libsepol: Drop deprecated functions
These functions were converted to no-op by commit
c3f9492d7f ("selinux: Remove legacy local boolean and user code") and
left in libsepol/src/deprecated_functions.c to preserve API/ABI. As we
change libsepol ABI dropping duplicate symbols it's time to drop these
functions too.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-10-19 22:11:39 +02:00
Ondrej Mosnacek
8206b8cb00 libsepol: implement POLICYDB_VERSION_COMP_FTRANS
Implement a new, more space-efficient form of storing filename
transitions in the binary policy. The internal structures have already
been converted to this new representation; this patch just implements
reading/writing an equivalent representation from/to the binary policy.

This new format reduces the size of Fedora policy from 7.6 MB to only
3.3 MB (with policy optimization enabled in both cases). With the
unconfined module disabled, the size is reduced from 3.3 MB to 2.4 MB.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-08-03 08:52:12 -04:00
Ondrej Mosnacek
42ae834a74 libsepol,checkpolicy: optimize storage of filename transitions
In preparation to support a new policy format with a more optimal
representation of filename transition rules, this patch applies an
equivalent change from kernel commit c3a276111ea2 ("selinux: optimize
storage of filename transitions").

See the kernel commit's description [1] for the rationale behind this
representation. This change doesn't bring any measurable difference of
policy build performance (semodule -B) on Fedora.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-08-03 08:52:12 -04:00
Stephen Smalley
f8c110c8a6 libsepol,checkpolicy: remove use of hardcoded security class values
libsepol carried its own (outdated) copy of flask.h with the generated
security class and initial SID values for use by the policy
compiler and the forked copy of the security server code
leveraged by tools such as audit2why.  Convert libsepol and
checkpolicy entirely to looking up class values from the policy,
remove the SECCLASS_* definitions from its flask.h header, and move
the header with its remaining initial SID definitions private to
libsepol.  While we are here, fix the sepol_compute_sid() logic to
properly support features long since added to the policy and kernel,
although there are no users of it other than checkpolicy -d (debug)
and it is not exported to users of the shared library.  There
are still some residual differences between the kernel logic and
libsepol.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2020-03-12 07:50:55 +01:00
Ondrej Mosnacek
9fe58752e8 Revert "libsepol: cache ebitmap cardinality value"
This reverts commit 542e878690.

After 6968ea9775 ("libsepol: make ebitmap_cardinality() of linear
complexity"), the caching only saves ~0.06 % of total semodule -BN
running time (on x86_64 without using the POPCNT instruction), so it's
no longer worth the added complexity.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-03-09 08:39:51 -04:00
James Carter
d1d81b6c1f libsepol: Create the macro ebitmap_is_empty() and use it where needed
Create the macro ebitmap_is_empty() to check if an ebitmap is empty.
Use ebitmap_is_empty(), instead of ebitmap_cardinality() or
ebitmap_length(), to check whether or not an ebitmap is empty.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-03-02 13:23:59 +01:00
Ondrej Mosnacek
00bdfefcce libsepol, newrole: remove unused hashtab functions
hashtab_replace() and hashtab_map_remove_on_error() aren't used
anywhere, no need to keep them around...

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-02-21 15:15:41 -05:00
Ondrej Mosnacek
542e878690 libsepol: cache ebitmap cardinality value
According to profiling of semodule -BN, ebitmap_cardinality() is called
quite often and contributes a lot to the total runtime. Cache its result
in the ebitmap struct to reduce this overhead. The cached value is
invalidated on most modifying operations, but ebitmap_cardinality() is
usually called once the ebitmap doesn't change any more.

After this patch, the time to do 'semodule -BN' on Fedora Rawhide has
decreased from ~10.9s to ~8.9s (2s saved).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
[sds@tycho.nsa.gov: correct times per follow-up on list]
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-02-18 10:36:21 -05:00
Christian Göttsche
3854698833 libsepol: add support for new polcap genfs_seclabel_symlinks
Add support for new SELinux policy capability genfs_seclabel_symlinks.
With this capability enabled symlinks on kernel filesystems will receive
contexts based on genfscon statements, like directories and files,
and not be restricted to the respective filesystem root sid.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-02-06 10:50:54 -05:00
Nicolas Iooss
b550c0e202
Fix many misspellings
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-18 22:47:35 +02:00
Joshua Brindle
9ba35fe8c2 Add default_range glblub support
Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. This can be used by MLS userspace
object managers to find the range of clearances that two contexts
have in common. An example usage is computing a transition between
the network context and the context of a user logging into an MLS
application.

For example, one can add a default with
this cil:

(defaultrange db_table glblub)

or in te (base module only):

default_range db_table glblub;

and then test using the compute_create utility:

$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20

Some example range transitions are:

User Permitted Range | Network Device Label | Computed Label
---------------------|----------------------|----------------
s0-s1:c0.c12         | s0                   | s0
s0-s1:c0.c12         | s0-s1:c0.c1023       | s0-s1:c0.c12
s0-s4:c0.c512        | s1-s1:c0.c1023       | s1-s1:c0.c512
s0-s15:c0,c2         | s4-s6:c0.c128        | s4-s6:c0,c2
s0-s4                | s2-s6                | s2-s4
s0-s4                | s5-s8                | INVALID
s5-s8                | s0-s4                | INVALID

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-09-10 12:30:29 -04:00
Richard Haines
c3f9492d7f
selinux: Remove legacy local boolean and user code
Remove legacy local boolean and user code, and to preserve API/ABI
compatibility the following functions int values should be set to '0'
as they are no longer used:
  selinux_mkload_policy(int preservebools)
  security_set_boolean_list(.... int permanent)
and the following are now no-op and return '-1':
  security_load_booleans()
  sepol_genusers()
  sepol_set_delusers()
  sepol_genbools()
  sepol_genbools_array()
and these still return their paths for compatibility, however they are
marked as deprecated:
  selinux_booleans_path()
  selinux_users_path()

These have been removed as they are local functions only:
  sepol_genusers_policydb()
  sepol_genbools_policydb()

Also "SETLOCALDEFS" removed from SELinux config file and code.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2019-07-29 23:46:24 +02:00
Ondrej Mosnacek
b8213acff8 libsepol: add a function to optimize kernel policy
Add sepol_policydb_optimize(), which checks a kernel policy for
redundant rules (i.e. those that are covered by an existing more general
rule) and removes them.

Results on Fedora 29 policy:

WITHOUT OPTIMIZATION:
    # time semodule -B
    real    0m21,280s
    user    0m18,636s
    sys     0m2,525s

    $ wc -c /sys/fs/selinux/policy
    8692158 /sys/fs/selinux/policy

    $ seinfo (edited)
      Allow:            113159
      Dontaudit:         10297
      Total:            123156

WITH OPTIMIZATION ENABLED:
    # time semodule -B
    real    0m22,825s
    user    0m20,178s
    sys     0m2,520s

    $ wc -c /sys/fs/selinux/policy
    8096158 /sys/fs/selinux/policy

    $ seinfo (edited)
      Allow:             66334
      Dontaudit:          7480
      Total:             73814

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-06-25 10:11:00 -04:00
Ondrej Mosnacek
3e506bda3b libsepol: add ebitmap_for_each_set_bit macro
Most of the users of ebitmap_for_each_bit() macro only care for the set
bits, so introduce a new ebitmap_for_each_positive_bit() macro that
skips the unset bits. Replace uses of ebitmap_for_each_bit() with the
new macro where appropriate.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-20 14:00:32 -04:00
James Carter
b816808e7f libsepol: Create policydb_sort_ocontexts()
Create the function called policydb_sort_ocontexts() that calls
the internal function sort_ocontexts() to sort the ocontexts of
a policydb.

The function sort_ocontexts() is already used by
sepol_kernel_policydb_to_conf() and sepol_kernel_policydb_to_cil()
when converting a binary policy to cil or policy.conf format.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-10-12 13:38:00 -04:00
Nick Kralevich via Selinux
0a71c5f3eb whitespace and spelling cleanup
Signed-off-by: Nick Kralevich <nnk@google.com>
2018-09-25 08:05:41 -07:00
Stephen Smalley
38e49c7187 libsepol: remove unused function and type
Fix the following build warning:
policydb.c: In function ‘get_symtab_destroy_func’:
policydb.c:1581:9: error: cast between incompatible function types from ‘int (*)(char *, void *, void *)’ to ‘void (*)(char *, void *, void *)’ [-Werror=cast-function-type]
  return (hashtab_destroy_func_t) destroy_f[sym_num];
         ^

It turns out that this function and type are long unused in libsepol
and are not exported APIs for the shared library, so just remove them.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-08 08:11:58 -04:00
Richard Haines via Selinux
cf0ab12414 selinux: Add support for the SCTP portcon keyword
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-19 12:34:29 -04:00
Marcus Folkesson
f8532f1773 libsepol: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- The pkg-config files generates odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:36 +01:00
Stephen Smalley
53bb2a11c2 checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
Update my email address since epoch.ncsc.mil no longer exists.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-17 14:17:12 -04:00
Stephen Smalley
ae1cd12076 libsepol: Define nnp_nosuid_transition policy capability
Define the nnp_nosuid_transition policy capability used to enable
SELinux domain transitions under NNP or nosuid if the
nnp_transition permission or nosuid_transition permission is
allowed between the old and new contexts. When this capability is not
enabled, such transitions remain limited to bounded transitions as they
were prior to the introduction of this capability.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:42:36 -04:00
Patrick Steinhardt
34dc7bcc31 libsepol: replace non-standard use of __BEGIN_DECLS
While most header files already use the common pattern of `extern "C"`
declarations to enable compiling in a C++ project, some header files in
libsepol instead use the macros `__BEGIN_DECLS` and `__END_DECLS`. These
macros are defined in the "sys/cdefs.h" header file, which provides
some non-standard extensions for glibc.

Convert usage of these declarations with the standard `extern "C"`
pattern. This improves compatibility with other libc implementations,
e.g. musl libc.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-06-20 11:03:12 -04:00
Daniel Jurgens
9a3d2c7a9b semanage: Update semanage to allow runtime labeling of ibendports
Update libsepol and libsemanage to work with ibendport records. Add local
storage for new and modified ibendport records in ibendports.local.
Update semanage to parse the ibendport command options to add, modify,
and delete them.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
6a7a5aafe5 semanage: Update semanage to allow runtime labeling of Infiniband Pkeys
Update libsepol and libsemanage to work with pkey records. Add local
storage for new and modified pkey records in pkeys.local. Update semanage
to parse the pkey command options to add, modify, and delete pkeys.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
118c0cd103 libsepol: Add ibendport ocontext handling
Add support for reading, writing, and copying IB end port ocontext data.
Also add support for querying a IB end port sid to checkpolicy.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
5bc05dd2a5 checkpolicy: Add support for ibendportcon labels
Add checkpolicy support for scanning and parsing ibendportcon labels.
Also create a new ocontext for IB end ports.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
9fbb311276 libsepol: Add ibpkey ocontext handling
Add support for reading, writing, and copying Infiniband Pkey ocontext
data. Also add support for querying a Pkey sid to checkpolicy.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:54 -04:00
Daniel Jurgens
5b203145fd checkpolicy: Add support for ibpkeycon labels
Add checkpolicy support for scanning and parsing ibpkeycon labels. Also
create a new ocontext for Infiniband Pkeys and define a new policydb
version for infiniband support.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:54 -04:00
Stephen Smalley
58962eb3d8 libsepol,checkpolicy: add binary module support for xperms
Presently we support xperms rules in source policy and in CIL modules.
The binary policy module format however was never extended for xperms.
This limitation inhibits use of xperms in refpolicy-based policy modules
(including the selinux-testsuite policy).  Update libsepol to support
linking, reading, and writing a new binary policy module version that
supports xperms rules.  Update dismod to display xperms rules in binary
policy modules.

Also, to support use of a non-base binary policy module with a newer
version on a system using a base policy module with an older version,
automatically upgrade the version during module linking.  This facilitates
usage of newer features in non-base modules without requiring rebuilding
the base module.

Tests:
1. Add an allowxperms rule to the selinux-testsuite policy and
confirm that it is properly written to the binary policy module
(displayed by dismod), converted to CIL (the latter was already supported),
and included in the kernel policy (via dispol and kernel test).

2. Use semodule_link and semodule_expand to manually link and expand
all of the .pp files via libsepol, and confirm that the allowxperms rule
is correctly propagated to the kernel policy.  This test is required to
exercise the legacy link/expand code path for binary modules that predated
CIL.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 09:35:52 -04:00
Jeff Vander Stoep
1089665e31 Add attribute expansion options
This commit adds attribute expansion statements to the policy
language allowing compiler defaults to be overridden.

Always expands an attribute example:
expandattribute { foo } true;
CIL example:
(expandtypeattribute (foo) true)

Never expand an attribute example:
expandattribute { bar } false;
CIL example:
(expandtypeattribute (bar) false)

Adding the annotations directly to policy was chosen over other
methods as it is consistent with how targeted runtime optimizations
are specified in other languages. For example, in C the "inline"
command.

Motivation

expandattribute true:
Android has been moving away from a monolithic policy binary to
a two part split policy representing the Android platform and the
underlying vendor-provided hardware interface. The goal is a stable
API allowing these two parts to be updated independently of each
other. Attributes provide an important mechanism for compatibility.
For example, when the vendor provides a HAL for the platform,
permissions needed by clients of the HAL can be granted to an
attribute. Clients need only be assigned the attribute and do not
need to be aware of the underlying types and permissions being
granted.

Inheriting permissions via attribute creates a convenient mechanism
for independence between vendor and platform policy, but results
in the creation of many attributes, and the potential for performance
issues when processes are clients of many HALs. [1] Annotating these
attributes for expansion at compile time allows us to retain the
compatibility benefits of using attributes without the performance
costs. [2]

expandattribute false:
Commit 0be23c3f15 added the capability to aggresively remove unused
attributes. This is generally useful as too many attributes assigned
to a type results in lengthy policy look up times when there is a
cache miss. However, removing attributes can also result in loss of
information used in external tests. On Android, we're considering
stripping neverallow rules from on-device policy. This is consistent
with the kernel policy binary which also did not contain neverallows.
Removing neverallow rules results in a 5-10% decrease in on-device
policy build and load and a policy size decrease of ~250k. Neverallow
rules are still asserted at build time and during device
certification (CTS). If neverallow rules are absent when secilc is
run, some attributes are being stripped from policy and neverallow
tests in CTS may be violated. [3] This change retains the aggressive
attribute stripping behavior but adds an override mechanism to
preserve attributes marked as necessary.

[1] https://github.com/SELinuxProject/cil/issues/9
[2] Annotating all HAL client attributes for expansion resulted in
    system_server's dropping from 19 attributes to 8. Because these
    attributes were not widely applied to other types, the final
    policy size change was negligible.
[3] data_file_type and service_manager_type are stripped from AOSP
    policy when using secilc's -G option. This impacts 11 neverallow
    tests in CTS.

Test: Build and boot Marlin with all hal_*_client attributes marked
    for expansion. Verify (using seinfo and sesearch) that permissions
    are correctly expanded from attributes to types.
Test: Mark types being stripped by secilc with "preserve" and verify
    that they are retained in policy and applied to the same types.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2017-05-09 12:09:46 -04:00
James Carter
0a08fd1e69 libsepol: Add ability to convert binary policy to policy.conf file
It would sometimes be helpful for debugging or verification purposes
to be able to convert a binary policy to a human-readable form.

Create new function, sepol_kernel_policydb_to_conf(), that takes a
policydb created from a binary policy and writes a policy.conf file
to the provided FILE pointer.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-04-05 12:23:25 -04:00
James Carter
70a480bfcd libsepol: Add ability to convert binary policy to CIL
It would sometimes be helpful for debugging or verification purposes
to be able to convert a binary policy to a human-readable form.

Create new function, sepol_kernel_policydb_to_cil(), that takes a
policydb created from a binary policy and writes CIL policy to the
provided FILE pointer.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-04-05 12:23:05 -04:00
Nicolas Iooss
b6579d262e libsepol: constify sepol_genbools()'s boolpath parameter
This allows removing an unnecessary cast to (char *) in libselinux.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-29 10:26:44 -04:00
Stephen Smalley
43b24f0132 libsepol: Define cgroup_seclabel policy capability
Define the new cgroup_seclabel policy capability used to
enable userspace setting of security labels on cgroup files
via setfscreatecon() aka /proc/self/attr/fscreate and/or
setfilecon() aka setxattr().

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-03-02 12:39:13 -05:00