From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 25 Aug 2010 11:56:30 -0400
Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to
not have caller supply the "-"
In-Reply-To: <1282745971.25778.25.camel@moss-lions.epoch.ncsc.mil>
References: <1282679448.14992.35.camel@moss-lions.epoch.ncsc.mil>
<4C751517.40203@tresys.com>
<1282745971.25778.25.camel@moss-lions.epoch.ncsc.mil>
Message-ID: <4C753D2E.60208@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/25/10 10:19, James Carter wrote:
> On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote:
>> On 08/24/10 15:50, James Carter wrote:
>>> The *_except interfaces expect the caller to call it like this:
>>> files_read_all_dirs_except(foo_t, - bar_t)
>>>
>>> This makes the call argument hard to deal with because it is neither a
>>> type nor a set. Also an argument like $2 -shadow_t could either be a
>>> set or an MLS range.
>>>
>>> The *_except interfaces are never used except for in the *_except_shadow
>>> interfaces. The calls to the *_except_shadow interfaces never specify a
>>> second argument.
>>>
>>> files_manage_all_files is called only in portage.te (with no exception)
>>> and authlogin.if.
>>
>> There's two issues with this change:
>>
>> 1. It breaks API stability.
>
> That may be true, but the current interface makes no sense to me. If I
> use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows
> access to file_type and bar_t. It doesn't exclude anything.
>
>> 2. It doesn't work if you want to specify a set, e.g.
>>
>> files_read_all_dirs_except(foo_t, { bar_t baz_t })
>>
> Why doesn't that work? Doesn't that give
> { file_type - { bar_t baz_t } }?

I didn't think that was valid. Is it?

> Again, if you don't like the changes, that's fine. It is just something
> that will have to be worked around. Any changes that you do accept just
> make life easier.

I'd like to get rid of the interfaces completely. I just haven't come
up with a better way of getting { files_type -shadow_t } without
breaking encapsulation. Perhaps we just have to rethink the access or
concept.

>>> ---
>>> policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
>>> policy/modules/system/authlogin.if | 10 ++--
>>> 2 files changed, 79 insertions(+), 23 deletions(-)
>>>
>>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
>>> index 5302dac..9212dea 100644
>>> --- a/policy/modules/kernel/files.if
>>> +++ b/policy/modules/kernel/files.if
>>> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
>>> attribute file_type;
>>> ')
>>>
>>> - allow $1 { file_type $2 }:dir list_dir_perms;
>>> + allow $1 { file_type - $2 }:dir list_dir_perms;
>>> ')
>>>
>>> ########################################
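
Review bot: `{ file_type - $2 }` in files_read_all_dirs_except makes the second argument mandatory and narrows what it may be. An empty `$2` leaves a dangling `-` inside the set, and the thread has not settled whether a braced set such as `{ bar_t baz_t }` is accepted after the `-`. Say in the interface's parameter documentation what `$2` may be (a single type, or a set once that is confirmed to compile) and check that no caller relies on omitting it. The same point applies to the two read hunks that follow.
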
>>> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
>>> attribute file_type;
>>> ')
>>>
>>> - read_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> ')
>>>
>>> ########################################
>>> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
>>> attribute file_type;
>>> ')
>>>
>>> - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> ')
>>>
>>> ########################################
>>> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
>>>
>>> ########################################
>>> ##
>>> +## Relabel all files on the filesystem
>>> +##
>>> +##
>>> +##
>>> +## The type of the domain perfoming this action.
>>> +##
>>> +##
>>> +##
>>> +#
>>> +interface(`files_relabel_all_files',`
>>> + gen_require(`
>>> + attribute file_type;
>>> + ')
>>> +
>>> + allow $1 file_type : dir list_dir_perms;
>>> + relabel_dirs_pattern($1, file_type, file_type)
>>> + relabel_files_pattern($1, file_type, file_type)
>>> + relabel_lnk_files_pattern($1, file_type, file_type)
>>> + relabel_fifo_files_pattern($1, file_type, file_type)
>>> + relabel_sock_files_pattern($1, file_type, file_type)
>>> + relabelfrom_blk_files_pattern($1, file_type, file_type)
>>> + relabelfrom_chr_files_pattern($1, file_type, file_type)
>>> +
>>> + # satisfy the assertions:
>>> + seutil_relabelto_bin_policy($1)
>>> +')
>>> +
>>> +########################################
>>> +##
>>> ## Relabel all files on the filesystem, except
>>> ## the listed exceptions.
>>> ##
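
Review bot: the added files_relabel_all_files loses the explanation for why block and character devices get only relabelfrom; the comment `# this is only relabelfrom since there should be no device nodes with file types.` survives only in the _except variant and should be carried over above the `relabelfrom_blk_files_pattern` line. In the same hunk, `perfoming` should be `performing` in the added description, and `allow $1 file_type : dir list_dir_perms;` puts spaces around the colon where the neighbouring rules write `}:dir`.
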
>>> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
>>> ##
>>> ##
>>> #
>>> -interface(`files_relabel_all_files',`
>>> +interface(`files_relabel_all_files_except',`
>>> gen_require(`
>>> attribute file_type;
>>> ')
>>>
>>> - allow $1 { file_type $2 }:dir list_dir_perms;
>>> - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + allow $1 { file_type - $2 }:dir list_dir_perms;
>>> + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> # this is only relabelfrom since there should be no
>>> # device nodes with file types.
>>> - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>>
>>> # satisfy the assertions:
>>> seutil_relabelto_bin_policy($1)
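
Review bot: reusing the name files_relabel_all_files for the new one-argument interface while the two-argument form moves to files_relabel_all_files_except changes what an unmodified caller gets. The new files_relabel_all_files body never references `$2`, so a caller outside this patch that still writes `files_relabel_all_files(foo_t, - bar_t)` would be allowed to relabel every file_type, with its exception dropped. The commit message lists the callers of files_manage_all_files but not of this interface; confirm authlogin.if is the only one and call out the rename for out-of-tree policy.
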
>>> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
>>>
>>> ########################################
>>> ##
>>> +## Manage all files on the filesystem.
>>> +##
>>> +##
>>> +##
>>> +## The type of the domain perfoming this action.
>>> +##
>>> +##
>>> +##
>>> +#
>>> +interface(`files_manage_all_files',`
>>> + gen_require(`
>>> + attribute file_type;
>>> + ')
>>> +
>>> + manage_dirs_pattern($1, file_type, file_type)
>>> + manage_files_pattern($1, file_type, file_type)
>>> + manage_lnk_files_pattern($1, file_type, file_type)
>>> + manage_fifo_files_pattern($1, file_type, file_type)
>>> + manage_sock_files_pattern($1, file_type, file_type)
>>> +
>>> + # satisfy the assertions:
>>> + seutil_create_bin_policy($1)
>>> + files_manage_kernel_modules($1)
>>> +')
>>> +
>>> +########################################
>>> +##
>>> ## Manage all files on the filesystem, except
>>> ## the listed exceptions.
>>> ##
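
Review bot: `perfoming` in the added description of files_manage_all_files should be `performing`. The summary "Manage all files on the filesystem." also reads almost the same as the _except variant's below it; a line noting that this form takes no exceptions would make the difference between the two signatures obvious to callers.
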
>>> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
>>> ##
>>> ##
>>> #
>>> -interface(`files_manage_all_files',`
>>> +interface(`files_manage_all_files_except',`
>>> gen_require(`
>>> attribute file_type;
>>> ')
>>>
>>> - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
>>> + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>> + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>>>
>>> # satisfy the assertions:
>>> seutil_create_bin_policy($1)
>>> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
>>> index 7fddc24..c116df6 100644
>>> --- a/policy/modules/system/authlogin.if
>>> +++ b/policy/modules/system/authlogin.if
>>> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_dirs_except($1,$2 -shadow_t)
>>> + files_read_all_dirs_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
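
Review bot: `files_read_all_dirs_except($1, shadow_t)` in auth_read_all_dirs_except_shadow no longer forwards `$2`, so any additional exception a caller passes is ignored and that caller is allowed more than it asked for. The commit message says no caller passes a second argument; if the interface still documents one, remove it from the documentation so signature and behaviour agree, here and in the four hunks below.
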
>>> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_files_except($1,$2 -shadow_t)
>>> + files_read_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_read_all_symlinks_except($1,$2 -shadow_t)
>>> + files_read_all_symlinks_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_relabel_all_files($1,$2 -shadow_t)
>>> + files_relabel_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
>>> type shadow_t;
>>> ')
>>>
>>> - files_manage_all_files($1,$2 -shadow_t)
>>> + files_manage_all_files_except($1, shadow_t)
>>> ')
>>>
>>> ########################################
>>>
>>
>>
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
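
The set arithmetic discussed in this thread, as an added example that is not part of the original messages or of refpolicy: a small Python model of how the interface body resolves once `$2` is substituted. The `file_type` membership is constructed sample data, `expand` and `resolve` are hypothetical helper names, and nested sets are deliberately not modelled.

```python
# Constructed sample data: types that carry the file_type attribute.
ATTRIBUTES = {"file_type": {"etc_t", "bar_t", "baz_t", "shadow_t"}}

OLD_BODY = "{ file_type $2 }"    # files.if before the patch
NEW_BODY = "{ file_type - $2 }"  # files.if after the patch


def expand(body, arg2):
    """Substitute the caller's second argument textually, as m4 does."""
    return body.replace("$2", arg2)


def resolve(type_set):
    """Resolve a flat type set to concrete types: everything named,
    minus everything named after a '-'. Nested sets are not modelled."""
    inner = type_set.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    if "{" in inner or "}" in inner:
        raise ValueError("nested sets are not modelled in this example")
    include, exclude, negate = set(), set(), False
    for tok in inner.split():
        if tok == "-":
            negate = True
            continue
        if tok.startswith("-"):
            tok, negate = tok[1:], True
        members = ATTRIBUTES.get(tok, {tok})
        (exclude if negate else include).update(members)
        negate = False
    if negate:
        raise ValueError("'-' with no type after it")
    return include - exclude


if __name__ == "__main__":
    cases = [
        ("old, caller omits '-'", OLD_BODY, "bar_t"),
        ("old, caller supplies '-'", OLD_BODY, "- bar_t"),
        ("old, authlogin.if with empty $2", OLD_BODY, " -shadow_t"),
        ("new, caller passes a type", NEW_BODY, "bar_t"),
    ]
    for label, body, arg in cases:
        print(f"{label}: {sorted(resolve(expand(body, arg)))}")
```

In this model an empty second argument to the new body leaves a `-` with nothing after it and is rejected, which is why the patched interfaces need every caller to pass a type.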