Skip to content

Commit

Permalink
libsepol,checkpolicy: support omitting unused initial sid contexts
Browse files Browse the repository at this point in the history
Remove restrictions in libsepol and checkpolicy that required all
declared initial SIDs to be assigned a context.  With this patch,
it is possible to build and load a policy that drops the sid <sidname>
<context> declarations for the unused initial SIDs.  It is still
required to retain the sid <sidname> declarations (in the flask
definitions) in order to preserve the initial SID ordering/values.
The unused initial SIDs can be renamed, e.g. to add an unused_
prefix or similar, if desired, since the names used in the policy
are not stored in the kernel binary policy.

In CIL policies, the (sid ...) and (sidorder (...)) statements
must be left intact for compatibility but the (sidcontext ...)
statements for the unused initial SIDs can be omitted after this change.

With current kernels, if one removes an unused initial SID context
from policy, builds policy with this change applied and loads the
policy into the kernel, cat /sys/fs/selinux/initial_contexts/<sidname>
will show the unlabeled context.  With the kernel patch to remove unused
initial SIDs, the /sys/fs/selinux/initial_contexts/<sidname>
file will not be created for unused initial SIDs in the first place.

NB If an unused initial SID was assigned a context different from
the unlabeled context in existing policy, then it is not safe to
remove that initial SID context from policy and reload policy on
the running kernel that was booted with the original policy.  This
is because that kernel may have assigned that SID to various kernel
objects already and those objects will then be treated as having
the unlabeled context after the removal.  In refpolicy, examples
of such initial SIDs are the "fs" SID and the "sysctl" SID.  Even
though these initial SIDs are not directly used (in code) by the current
kernel, their contexts are being applied to filesystems and sysctl files by
policy and therefore the SIDs are being assigned to objects.

NB The "sysctl" SID was in use by the kernel up until
commit 8e6c96935fcc1ed3dbebc96fddfef3f2f2395afc ("security/selinux:
fix /proc/sys/ labeling) circa v2.6.39.  Removing its context from
policy will cause sysctl(2) or /proc/sys accesses to end up
performing permission checks against the unlabeled context and
likely encounter denials for kernels < 2.6.39.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  • Loading branch information
stephensmalley committed Jan 29, 2020
1 parent a551b2d commit 8677ce5
Show file tree
Hide file tree
Showing 6 changed files with 38 additions and 23 deletions.
4 changes: 2 additions & 2 deletions checkpolicy/test/dismod.c
Original file line number Diff line number Diff line change
Expand Up @@ -445,8 +445,8 @@ void display_initial_sids(policydb_t * p, FILE * fp)
user = p->p_user_val_to_name[cur->context[0].user - 1];
role = p->p_role_val_to_name[cur->context[0].role - 1];
type = p->p_type_val_to_name[cur->context[0].type - 1];
fprintf(fp, "\t%s: sid %d, context %s:%s:%s\n",
cur->u.name, cur->sid[0], user, role, type);
fprintf(fp, "\tsid %d, context %s:%s:%s\n",
cur->sid[0], user, role, type);
}
#if 0
fprintf(fp, "Policy Initial SIDs:\n");
Expand Down
4 changes: 3 additions & 1 deletion libsepol/cil/src/cil_binary.c
Original file line number Diff line number Diff line change
Expand Up @@ -3068,9 +3068,11 @@ int cil_sidorder_to_policydb(policydb_t *pdb, const struct cil_db *db)
struct cil_sid *cil_sid = (struct cil_sid*)curr->data;
struct cil_context *cil_context = cil_sid->context;

/* even if no context, we must preserve initial SID values */
count++;

if (cil_context != NULL) {
ocontext_t *new_ocon = cil_add_ocontext(&pdb->ocontexts[OCON_ISID], &tail);
count++;
new_ocon->sid[0] = count;
new_ocon->u.name = cil_strdup(cil_sid->datum.fqn);
rc = __cil_context_to_sepol_context(pdb, cil_context, &new_ocon->context[0]);
Expand Down
3 changes: 1 addition & 2 deletions libsepol/cil/src/cil_verify.c
Original file line number Diff line number Diff line change
Expand Up @@ -439,8 +439,7 @@ int __cil_verify_initsids(struct cil_list *sids)
struct cil_sid *sid = i->data;
if (sid->context == NULL) {
struct cil_tree_node *node = sid->datum.nodes->head->data;
cil_tree_log(node, CIL_ERR, "No context assigned to SID %s declared",sid->datum.name);
rc = SEPOL_ERR;
cil_tree_log(node, CIL_INFO, "No context assigned to SID %s, omitting from policy",sid->datum.name);
}
}

Expand Down
24 changes: 12 additions & 12 deletions libsepol/src/expand.c
Original file line number Diff line number Diff line change
Expand Up @@ -2093,6 +2093,12 @@ static int ocontext_copy_xen(expand_state_t *state)
for (i = 0; i < OCON_NUM; i++) {
l = NULL;
for (c = state->base->ocontexts[i]; c; c = c->next) {
if (i == OCON_XEN_ISID && !c->context[0].user) {
INFO(state->handle,
"No context assigned to SID %s, omitting from policy",
c->u.name);
continue;
}
n = malloc(sizeof(ocontext_t));
if (!n) {
ERR(state->handle, "Out of memory!");
Expand All @@ -2106,12 +2112,6 @@ static int ocontext_copy_xen(expand_state_t *state)
l = n;
switch (i) {
case OCON_XEN_ISID:
if (c->context[0].user == 0) {
ERR(state->handle,
"Missing context for %s initial sid",
c->u.name);
return -1;
}
n->sid[0] = c->sid[0];
break;
case OCON_XEN_PIRQ:
Expand Down Expand Up @@ -2159,6 +2159,12 @@ static int ocontext_copy_selinux(expand_state_t *state)
for (i = 0; i < OCON_NUM; i++) {
l = NULL;
for (c = state->base->ocontexts[i]; c; c = c->next) {
if (i == OCON_ISID && !c->context[0].user) {
INFO(state->handle,
"No context assigned to SID %s, omitting from policy",
c->u.name);
continue;
}
n = malloc(sizeof(ocontext_t));
if (!n) {
ERR(state->handle, "Out of memory!");
Expand All @@ -2172,12 +2178,6 @@ static int ocontext_copy_selinux(expand_state_t *state)
l = n;
switch (i) {
case OCON_ISID:
if (c->context[0].user == 0) {
ERR(state->handle,
"Missing context for %s initial sid",
c->u.name);
return -1;
}
n->sid[0] = c->sid[0];
break;
case OCON_FS: /* FALLTHROUGH */
Expand Down
4 changes: 0 additions & 4 deletions libsepol/src/policydb.c
Original file line number Diff line number Diff line change
Expand Up @@ -1611,10 +1611,6 @@ int policydb_load_isids(policydb_t * p, sidtab_t * s)

head = p->ocontexts[OCON_ISID];
for (c = head; c; c = c->next) {
if (!c->context[0].user) {
ERR(NULL, "SID %s was never defined", c->u.name);
return -1;
}
if (sepol_sidtab_insert(s, c->sid[0], &c->context[0])) {
ERR(NULL, "unable to load initial SID %s", c->u.name);
return -1;
Expand Down
22 changes: 20 additions & 2 deletions libsepol/src/write.c
Original file line number Diff line number Diff line change
Expand Up @@ -1294,15 +1294,24 @@ static int ocontext_write_xen(struct policydb_compat_info *info, policydb_t *p,
ocontext_t *c;
for (i = 0; i < info->ocon_num; i++) {
nel = 0;
for (c = p->ocontexts[i]; c; c = c->next)
for (c = p->ocontexts[i]; c; c = c->next) {
if (i == OCON_XEN_ISID && !c->context[0].user) {
INFO(fp->handle,
"No context assigned to SID %s, omitting from policy",
c->u.name);
continue;
}
nel++;
}
buf[0] = cpu_to_le32(nel);
items = put_entry(buf, sizeof(uint32_t), 1, fp);
if (items != 1)
return POLICYDB_ERROR;
for (c = p->ocontexts[i]; c; c = c->next) {
switch (i) {
case OCON_XEN_ISID:
if (!c->context[0].user)
break;
buf[0] = cpu_to_le32(c->sid[0]);
items = put_entry(buf, sizeof(uint32_t), 1, fp);
if (items != 1)
Expand Down Expand Up @@ -1393,15 +1402,24 @@ static int ocontext_write_selinux(struct policydb_compat_info *info,
ocontext_t *c;
for (i = 0; i < info->ocon_num; i++) {
nel = 0;
for (c = p->ocontexts[i]; c; c = c->next)
for (c = p->ocontexts[i]; c; c = c->next) {
if (i == OCON_ISID && !c->context[0].user) {
INFO(fp->handle,
"No context assigned to SID %s, omitting from policy",
c->u.name);
continue;
}
nel++;
}
buf[0] = cpu_to_le32(nel);
items = put_entry(buf, sizeof(uint32_t), 1, fp);
if (items != 1)
return POLICYDB_ERROR;
for (c = p->ocontexts[i]; c; c = c->next) {
switch (i) {
case OCON_ISID:
if (!c->context[0].user)
break;
buf[0] = cpu_to_le32(c->sid[0]);
items = put_entry(buf, sizeof(uint32_t), 1, fp);
if (items != 1)
Expand Down

0 comments on commit 8677ce5

Please sign in to comment.