From: jwcart2@tycho.nsa.gov (James Carter)
Date: Wed, 25 Aug 2010 10:19:31 -0400
Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to
not have caller supply the "-"
In-Reply-To: <4C751517.40203@tresys.com>
References: <1282679448.14992.35.camel@moss-lions.epoch.ncsc.mil>
<4C751517.40203@tresys.com>
Message-ID: <1282745971.25778.25.camel@moss-lions.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > The *_except interfaces expect the caller to call it like this:
> > files_read_all_dirs_except(foo_t, - bar_t)
> >
> > This makes the call argument hard to deal with because it is neither a
> > type nor a set. Also an argument like $2 -shadow_t could either be a
> > set or an MLS range.
> >
> > The *_except interfaces are never used except for in the *_except_shadow
> > interfaces. The calls to the *_except_shadow interfaces never specify a
> > second argument.
> >
> > files_manage_all_files is called only in portage.te (with no exception)
> > and authlogin.if.
>
> Theres two issues with this change:
>
> 1. It breaks API stability.
That may be true, but the current interface makes no sense to me. If I
use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows
access to file_type and bar_t. It doesn't exclude anything.
> 2. It doesn't work if you want to specify a set, e.g.
>
> files_read_all_dirs_except(foo_t, { bar_t baz_t })
>
Why doesn't that work? Doesn't that give
{ file_type - { bar_t baz_t } }?
Again, if you don't like the changes, that's fine. It is just something
that will have to be worked around. Any changes that you do accept just
makes life a easier.
> > ---
> > policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
> > policy/modules/system/authlogin.if | 10 ++--
> > 2 files changed, 79 insertions(+), 23 deletions(-)
> >
> > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> > index 5302dac..9212dea 100644
> > --- a/policy/modules/kernel/files.if
> > +++ b/policy/modules/kernel/files.if
> > @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
> > attribute file_type;
> > ')
> >
> > - allow $1 { file_type $2 }:dir list_dir_perms;
> > + allow $1 { file_type - $2 }:dir list_dir_perms;
> > ')
> >
> > ########################################
> > @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
> > attribute file_type;
> > ')
> >
> > - read_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > ')
> >
> > ########################################
> > @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
> > attribute file_type;
> > ')
> >
> > - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > ')
> >
> > ########################################
> > @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
> >
> > ########################################
> > ##
> > +## Relabel all files on the filesystem
> > +##
> > +##
> > +##
> > +## The type of the domain perfoming this action.
> > +##
> > +##
> > +##
> > +#
> > +interface(`files_relabel_all_files',`
> > + gen_require(`
> > + attribute file_type;
> > + ')
> > +
> > + allow $1 file_type : dir list_dir_perms;
> > + relabel_dirs_pattern($1, file_type, file_type)
> > + relabel_files_pattern($1, file_type, file_type)
> > + relabel_lnk_files_pattern($1, file_type, file_type)
> > + relabel_fifo_files_pattern($1, file_type, file_type)
> > + relabel_sock_files_pattern($1, file_type, file_type)
> > + relabelfrom_blk_files_pattern($1, file_type, file_type)
> > + relabelfrom_chr_files_pattern($1, file_type, file_type)
> > +
> > + # satisfy the assertions:
> > + seutil_relabelto_bin_policy($1)
> > +')
> > +
> > +########################################
> > +##
> > ## Relabel all files on the filesystem, except
> > ## the listed exceptions.
> > ##
> > @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
> > ##
> > ##
> > #
> > -interface(`files_relabel_all_files',`
> > +interface(`files_relabel_all_files_except',`
> > gen_require(`
> > attribute file_type;
> > ')
> >
> > - allow $1 { file_type $2 }:dir list_dir_perms;
> > - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + allow $1 { file_type - $2 }:dir list_dir_perms;
> > + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > # this is only relabelfrom since there should be no
> > # device nodes with file types.
> > - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >
> > # satisfy the assertions:
> > seutil_relabelto_bin_policy($1)
> > @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
> >
> > ########################################
> > ##
> > +## Manage all files on the filesystem.
> > +##
> > +##
> > +##
> > +## The type of the domain perfoming this action.
> > +##
> > +##
> > +##
> > +#
> > +interface(`files_manage_all_files',`
> > + gen_require(`
> > + attribute file_type;
> > + ')
> > +
> > + manage_dirs_pattern($1, file_type, file_type)
> > + manage_files_pattern($1, file_type, file_type)
> > + manage_lnk_files_pattern($1, file_type, file_type)
> > + manage_fifo_files_pattern($1, file_type, file_type)
> > + manage_sock_files_pattern($1, file_type, file_type)
> > +
> > + # satisfy the assertions:
> > + seutil_create_bin_policy($1)
> > + files_manage_kernel_modules($1)
> > +')
> > +
> > +########################################
> > +##
> > ## Manage all files on the filesystem, except
> > ## the listed exceptions.
> > ##
> > @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
> > ##
> > ##
> > #
> > -interface(`files_manage_all_files',`
> > +interface(`files_manage_all_files_except',`
> > gen_require(`
> > attribute file_type;
> > ')
> >
> > - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> > - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> > - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> > + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> > + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >
> > # satisfy the assertions:
> > seutil_create_bin_policy($1)
> > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> > index 7fddc24..c116df6 100644
> > --- a/policy/modules/system/authlogin.if
> > +++ b/policy/modules/system/authlogin.if
> > @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_read_all_dirs_except($1,$2 -shadow_t)
> > + files_read_all_dirs_except($1, shadow_t)
> > ')
> >
> > ########################################
> > @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_read_all_files_except($1,$2 -shadow_t)
> > + files_read_all_files_except($1, shadow_t)
> > ')
> >
> > ########################################
> > @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_read_all_symlinks_except($1,$2 -shadow_t)
> > + files_read_all_symlinks_except($1, shadow_t)
> > ')
> >
> > ########################################
> > @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_relabel_all_files($1,$2 -shadow_t)
> > + files_relabel_all_files_except($1, shadow_t)
> > ')
> >
> > ########################################
> > @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
> > type shadow_t;
> > ')
> >
> > - files_manage_all_files($1,$2 -shadow_t)
> > + files_manage_all_files_except($1, shadow_t)
> > ')
> >
> > ########################################
> >
>
>
--
James Carter
National Security Agency