From: jwcart2@tycho.nsa.gov (James Carter)
Date: Wed, 25 Aug 2010 10:19:31 -0400
Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-"
In-Reply-To: <4C751517.40203@tresys.com>
References: <1282679448.14992.35.camel@moss-lions.epoch.ncsc.mil> <4C751517.40203@tresys.com>
Message-ID: <1282745971.25778.25.camel@moss-lions.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > The *_except interfaces expect the caller to call it like this:
> > files_read_all_dirs_except(foo_t, - bar_t)
> >
> > This makes the call argument hard to deal with because it is neither a
> > type nor a set. Also an argument like $2 -shadow_t could either be a
> > set or an MLS range.
> >
> > The *_except interfaces are never used except for in the *_except_shadow
> > interfaces. The calls to the *_except_shadow interfaces never specify a
> > second argument.
> >
> > files_manage_all_files is called only in portage.te (with no exception)
> > and authlogin.if.
>
> There's two issues with this change:
>
> 1. It breaks API stability.

That may be true, but the current interface makes no sense to me. If I use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows access to file_type and bar_t. It doesn't exclude anything.

> 2. It doesn't work if you want to specify a set, e.g.
>
> files_read_all_dirs_except(foo_t, { bar_t baz_t })
>

Why doesn't that work? Doesn't that give { file_type - { bar_t baz_t } }?

Again, if you don't like the changes, that's fine. It is just something that will have to be worked around. Any changes that you do accept just make life easier.

> > ---
> > policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
> > policy/modules/system/authlogin.if | 10 ++--
> > 2 files changed, 79 insertions(+), 23 deletions(-)
> > > > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > > index 5302dac..9212dea 100644 > > --- a/policy/modules/kernel/files.if > > +++ b/policy/modules/kernel/files.if > > @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',` > > attribute file_type; > > ') > > > > - allow $1 { file_type $2 }:dir list_dir_perms; > > + allow $1 { file_type - $2 }:dir list_dir_perms; > > ') > > > > ######################################## > > @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',` > > attribute file_type; > > ') > > > > - read_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + read_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > ') > > > > ######################################## > > @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',` > > attribute file_type; > > ') > > > > - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > ') > > > > ######################################## 
> > @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',` > > > > ######################################## > > ## > > +## Relabel all files on the filesystem > > +## > > +## > > +## > > +## The type of the domain perfoming this action. > > +## > > +## > > +## > > +# > > +interface(`files_relabel_all_files',` > > + gen_require(` > > + attribute file_type; > > + ') > > + > > + allow $1 file_type : dir list_dir_perms; > > + relabel_dirs_pattern($1, file_type, file_type) > > + relabel_files_pattern($1, file_type, file_type) > > + relabel_lnk_files_pattern($1, file_type, file_type) > > + relabel_fifo_files_pattern($1, file_type, file_type) > > + relabel_sock_files_pattern($1, file_type, file_type) > > + relabelfrom_blk_files_pattern($1, file_type, file_type) > > + relabelfrom_chr_files_pattern($1, file_type, file_type) > > + > > + # satisfy the assertions: > > + seutil_relabelto_bin_policy($1) > > +') > > + > > +######################################## > > +## > > ## Relabel all files on the filesystem, except > > ## the listed exceptions. > > ## 
> > @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',` > > ## > > ## > > # > > -interface(`files_relabel_all_files',` > > +interface(`files_relabel_all_files_except',` > > gen_require(` > > attribute file_type; > > ') > > > > - allow $1 { file_type $2 }:dir list_dir_perms; > > - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabel_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + allow $1 { file_type - $2 }:dir list_dir_perms; > > + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > # this is only relabelfrom since there should be no > > # device nodes with file types. > > - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > > > # satisfy the assertions: > > seutil_relabelto_bin_policy($1) 
> > @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',` > > > > ######################################## > > ## > > +## Manage all files on the filesystem. > > +## > > +## > > +## > > +## The type of the domain perfoming this action. > > +## > > +## > > +## > > +# > > +interface(`files_manage_all_files',` > > + gen_require(` > > + attribute file_type; > > + ') > > + > > + manage_dirs_pattern($1, file_type, file_type) > > + manage_files_pattern($1, file_type, file_type) > > + manage_lnk_files_pattern($1, file_type, file_type) > > + manage_fifo_files_pattern($1, file_type, file_type) > > + manage_sock_files_pattern($1, file_type, file_type) > > + > > + # satisfy the assertions: > > + seutil_create_bin_policy($1) > > + files_manage_kernel_modules($1) > > +') > > + > > +######################################## > > +## > > ## Manage all files on the filesystem, except > > ## the listed exceptions. > > ## > > @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',` > > ## > > ## > > # > > -interface(`files_manage_all_files',` > > +interface(`files_manage_all_files_except',` > > gen_require(` > > attribute file_type; > > ') > > > > - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 }) > > - manage_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) > > - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) > > + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 }) > > > > # satisfy the assertions: > > seutil_create_bin_policy($1) 
> > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if > > index 7fddc24..c116df6 100644 > > --- a/policy/modules/system/authlogin.if > > +++ b/policy/modules/system/authlogin.if > > @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',` > > type shadow_t; > > ') > > > > - files_read_all_dirs_except($1,$2 -shadow_t) > > + files_read_all_dirs_except($1, shadow_t) > > ') > > > > ######################################## > > @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',` > > type shadow_t; > > ') > > > > - files_read_all_files_except($1,$2 -shadow_t) > > + files_read_all_files_except($1, shadow_t) > > ') > > > > ######################################## > > @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',` > > type shadow_t; > > ') > > > > - files_read_all_symlinks_except($1,$2 -shadow_t) > > + files_read_all_symlinks_except($1, shadow_t) > > ') > > > > ######################################## > > @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',` > > type shadow_t; > > ') > > > > - files_relabel_all_files($1,$2 -shadow_t) > > + files_relabel_all_files_except($1, shadow_t) > > ') > > > > ######################################## > > @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',` > > type shadow_t; > > ') > > > > - files_manage_all_files($1,$2 -shadow_t) > > + files_manage_all_files_except($1, shadow_t) > > ') > > > > ######################################## > > > > -- James Carter National Security Agency
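Review bot: in the @@ -689 hunk of files.if (and equally in the @@ -714 and @@ -739 hunks), `allow $1 { file_type - $2 }:dir list_dir_perms;` makes the second argument mandatory: the old `{ file_type $2 }` still expanded to a valid set when $2 was omitted, whereas `{ file_type - }` is a syntax error at policy build time. That is acceptable given that these interfaces are only called from the *_except_shadow wrappers, but the hunks touch only the interface bodies, so the `<param>` description for argument 2 above each hunk needs a matching update: it is now required and is the type or set to exclude, written without a leading "-".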
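Review bot: the @@ -1026 hunk of files.if has a typo in the new doc block, "perfoming" for "performing", and the new files_relabel_all_files body uses relabelfrom_blk_files_pattern / relabelfrom_chr_files_pattern without the explanatory comment that the renamed _except interface keeps ("this is only relabelfrom since there should be no device nodes with file types"); copy that comment into the new interface so the asymmetry with the other relabel_*_pattern calls does not look accidental.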
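Review bot: in the @@ -1042 hunk of files.if, renaming the existing body to files_relabel_all_files_except while the @@ -1026 hunk re-introduces files_relabel_all_files with no exclusion argument means a caller that was not updated, e.g. an out-of-tree `files_relabel_all_files($1, -foo_t)`, will not fail to build: m4 drops the excess argument silently and the caller ends up with relabel access to all of file_type, foo_t included. Since the thread already acknowledges the API break, consider giving the unrestricted interface a new name (or leaving the old name bound to the _except body, where the old `-foo_t` convention now produces a syntax error) so stale callers fail loudly rather than silently gaining access.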
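Review bot: the @@ -1119 hunk of files.if repeats the "perfoming" typo in the doc block of the new files_manage_all_files, and its summary ("Manage all files on the filesystem.") understates what the interface grants: to satisfy the assertions the body also calls `seutil_create_bin_policy($1)` and `files_manage_kernel_modules($1)`, so a caller implicitly gets write access to the binary policy and kernel modules. The summary should say so, as it is the kind of side effect an auditor reading the interface list will want to see without opening the body.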
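Review bot: in the @@ -1113 hunk of authlogin.if (and equally in the @@ -1139 and @@ -1164 hunks), `files_read_all_dirs_except($1, shadow_t)` drops $2 from the call, so any caller of auth_read_all_dirs_except_shadow that did pass extra exclusions now has them silently ignored and those types become readable. The cover text says no in-tree caller passes a second argument, but the `<param>` block for argument 2 (outside the hunk) still needs to be removed or marked unused. If keeping the capability is preferred, passing `{ shadow_t $2 }` instead would still exclude shadow_t when $2 is empty and exclude the caller's additional types when it is not, without reintroducing the caller-supplied "-".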