From: jwcart2@tycho.nsa.gov (James Carter)
Date: Wed, 25 Aug 2010 13:10:43 -0400
Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not have caller supply the "-"
In-Reply-To: <4C753D2E.60208@tresys.com>
References: <1282679448.14992.35.camel@moss-lions.epoch.ncsc.mil>
<4C751517.40203@tresys.com>
<1282745971.25778.25.camel@moss-lions.epoch.ncsc.mil>
<4C753D2E.60208@tresys.com>
Message-ID: <1282756243.25778.49.camel@moss-lions.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Wed, 2010-08-25 at 11:56 -0400, Christopher J. PeBenito wrote:
> On 08/25/10 10:19, James Carter wrote:
> > On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote:
> >> On 08/24/10 15:50, James Carter wrote:
> >>> The *_except interfaces expect the caller to call it like this:
> >>> files_read_all_dirs_except(foo_t, - bar_t)
> >>>
> >>> This makes the call argument hard to deal with because it is neither a
> >>> type nor a set. Also an argument like $2 -shadow_t could either be a
> >>> set or an MLS range.
> >>>
> >>> The *_except interfaces are never used except for in the *_except_shadow
> >>> interfaces. The calls to the *_except_shadow interfaces never specify a
> >>> second argument.
> >>>
> >>> files_manage_all_files is called only in portage.te (with no exception)
> >>> and authlogin.if.
> >>
> >> There's two issues with this change:
> >>
> >> 1. It breaks API stability.
> >
> > That may be true, but the current interface makes no sense to me. If I
> > use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows
> > access to file_type and bar_t. It doesn't exclude anything.
> >
> >> 2. It doesn't work if you want to specify a set, e.g.
> >>
> >> files_read_all_dirs_except(foo_t, { bar_t baz_t })
> >>
> > Why doesn't that work? Doesn't that give
> > { file_type - { bar_t baz_t } }?
>
> I didn't think that was valid. Is it?
You're right. It's not valid. I didn't realize the set expressions
were that limited. And I went through all that trouble making sure that
my parser could handle arbitrary set expressions.
>
> > Again, if you don't like the changes, that's fine. It is just something
> > that will have to be worked around. Any changes that you do accept just
> > makes life easier.
>
> I'd like to get rid of the interfaces completely. I just haven't come
> up with a better way of getting { files_type -shadow_t } without
> breaking encapsulation. Perhaps we just have to rethink the access or
> concept.
>
The interfaces are only used in Refpolicy for shadow_t. If special
interfaces could be made for shadow_t, while retaining the old ones for
compatibility, then at least Refpolicy itself would not have "-shadow_t"
as an argument. That would help a bunch.
> >>> ---
> >>> policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
> >>> policy/modules/system/authlogin.if | 10 ++--
> >>> 2 files changed, 79 insertions(+), 23 deletions(-)
> >>>
> >>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> >>> index 5302dac..9212dea 100644
> >>> --- a/policy/modules/kernel/files.if
> >>> +++ b/policy/modules/kernel/files.if
> >>> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - allow $1 { file_type $2 }:dir list_dir_perms;
> >>> + allow $1 { file_type - $2 }:dir list_dir_perms;
> >>> ')
> >>>
> >>> ########################################
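Review bot: With the body now reading `{ file_type - $2 }`, the second argument can only be a single type or attribute, since the thread above confirms that `{ file_type - { bar_t baz_t } }` is not valid set syntax; the `<param>` description for `$2` in this interface should state that restriction. A caller still passing the old `-bar_t` form would now expand to `{ file_type - -bar_t }`, so the change in calling convention needs to be spelled out in the commit message for out-of-tree users, even though the new form is the safer one (the old `{ file_type $2 }` body called as `(foo_t, bar_t)` granted `file_type` plus `bar_t` and excluded nothing).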
> >>> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - read_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
> >>>
> >>> ########################################
> >>> ##
> >>> +## Relabel all files on the filesystem
> >>> +##
> >>> +##
> >>> +##
> >>> +## The type of the domain perfoming this action.
> >>> +##
> >>> +##
> >>> +##
> >>> +#
> >>> +interface(`files_relabel_all_files',`
> >>> + gen_require(`
> >>> + attribute file_type;
> >>> + ')
> >>> +
> >>> + allow $1 file_type : dir list_dir_perms;
> >>> + relabel_dirs_pattern($1, file_type, file_type)
> >>> + relabel_files_pattern($1, file_type, file_type)
> >>> + relabel_lnk_files_pattern($1, file_type, file_type)
> >>> + relabel_fifo_files_pattern($1, file_type, file_type)
> >>> + relabel_sock_files_pattern($1, file_type, file_type)
> >>> + relabelfrom_blk_files_pattern($1, file_type, file_type)
> >>> + relabelfrom_chr_files_pattern($1, file_type, file_type)
> >>> +
> >>> + # satisfy the assertions:
> >>> + seutil_relabelto_bin_policy($1)
> >>> +')
> >>> +
> >>> +########################################
> >>> +##
> >>> ## Relabel all files on the filesystem, except
> >>> ## the listed exceptions.
> >>> ##
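Review bot: The new `files_relabel_all_files` doc comment has a typo, `perfoming` should be `performing`. The body also drops the `# this is only relabelfrom since there should be no device nodes with file types.` comment that the `_except` variant keeps above its `relabelfrom_blk_files_pattern` and `relabelfrom_chr_files_pattern` lines; carry it over so the relabelfrom-only choice is explained in both interfaces. Minor style point: `allow $1 file_type : dir list_dir_perms;` has spaces around the colon where the rest of the file writes `file_type:dir`.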
> >>> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
> >>> ##
> >>> ##
> >>> #
> >>> -interface(`files_relabel_all_files',`
> >>> +interface(`files_relabel_all_files_except',`
> >>> gen_require(`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - allow $1 { file_type $2 }:dir list_dir_perms;
> >>> - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + allow $1 { file_type - $2 }:dir list_dir_perms;
> >>> + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> # this is only relabelfrom since there should be no
> >>> # device nodes with file types.
> >>> - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>
> >>> # satisfy the assertions:
> >>> seutil_relabelto_bin_policy($1)
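Review bot: Renaming the two-argument interface to `files_relabel_all_files_except` while reusing the plain `files_relabel_all_files` name for the new no-exception interface means an out-of-tree caller still invoking `files_relabel_all_files($1, $2 -shadow_t)` keeps building but now relabels every `file_type`, `shadow_t` included, because the new body only references `$1`. That is the API-stability point raised earlier in the thread; at minimum the rename and its effect on the old call form should be called out in the commit message so existing callers get audited, and the `<param>` text for `$2` here should say it must be a single type or attribute.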
> >>> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
> >>>
> >>> ########################################
> >>> ##
> >>> +## Manage all files on the filesystem.
> >>> +##
> >>> +##
> >>> +##
> >>> +## The type of the domain perfoming this action.
> >>> +##
> >>> +##
> >>> +##
> >>> +#
> >>> +interface(`files_manage_all_files',`
> >>> + gen_require(`
> >>> + attribute file_type;
> >>> + ')
> >>> +
> >>> + manage_dirs_pattern($1, file_type, file_type)
> >>> + manage_files_pattern($1, file_type, file_type)
> >>> + manage_lnk_files_pattern($1, file_type, file_type)
> >>> + manage_fifo_files_pattern($1, file_type, file_type)
> >>> + manage_sock_files_pattern($1, file_type, file_type)
> >>> +
> >>> + # satisfy the assertions:
> >>> + seutil_create_bin_policy($1)
> >>> + files_manage_kernel_modules($1)
> >>> +')
> >>> +
> >>> +########################################
> >>> +##
> >>> ## Manage all files on the filesystem, except
> >>> ## the listed exceptions.
> >>> ##
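Review bot: Same `perfoming` typo in the new `files_manage_all_files` summary. Under `# satisfy the assertions:` this body lists both `seutil_create_bin_policy($1)` and `files_manage_kernel_modules($1)`, while the visible part of the `_except` variant below shows only `seutil_create_bin_policy($1)`; if the two interfaces are meant to grant the same access minus the exception, the assertion-satisfying calls should match in both (the rest of the `_except` body is cut off in this hunk, so please confirm).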
> >>> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
> >>> ##
> >>> ##
> >>> #
> >>> -interface(`files_manage_all_files',`
> >>> +interface(`files_manage_all_files_except',`
> >>> gen_require(`
> >>> attribute file_type;
> >>> ')
> >>>
> >>> - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>
> >>> # satisfy the assertions:
> >>> seutil_create_bin_policy($1)
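Review bot: This rename has the same silent-widening effect as the relabel one, so the same commit-message note applies. The cover text says portage.te calls `files_manage_all_files` with no exception; with the old body an empty `$2` gave `{ file_type }`, and the new no-exception interface of the same name grants the same thing, so that caller keeps its meaning without a change to portage.te. It would help to state explicitly in the commit message that portage.te and authlogin.if were the only callers checked.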
> >>> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> >>> index 7fddc24..c116df6 100644
> >>> --- a/policy/modules/system/authlogin.if
> >>> +++ b/policy/modules/system/authlogin.if
> >>> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_read_all_dirs_except($1,$2 -shadow_t)
> >>> + files_read_all_dirs_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
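Review bot: Dropping `$2` from the call turns `auth_read_all_dirs_except_shadow` into an interface that ignores its second parameter; if the interface still carries a `<param>` block for `$2` above this hunk, it should be removed or marked unused, otherwise the documentation promises an exception list that has no effect. The cover text says no in-tree caller passes a second argument, so the change is safe here, but the doc needs to follow the code.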
> >>> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_read_all_files_except($1,$2 -shadow_t)
> >>> + files_read_all_files_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_read_all_symlinks_except($1,$2 -shadow_t)
> >>> + files_read_all_symlinks_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_relabel_all_files($1,$2 -shadow_t)
> >>> + files_relabel_all_files_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
> >>> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
> >>> type shadow_t;
> >>> ')
> >>>
> >>> - files_manage_all_files($1,$2 -shadow_t)
> >>> + files_manage_all_files_except($1, shadow_t)
> >>> ')
> >>>
> >>> ########################################
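Review bot: The remaining authlogin.if hunks are mechanical repeats of the first one, so the same `$2` documentation cleanup applies to `auth_read_all_files_except_shadow`, `auth_read_all_symlinks_except_shadow`, `auth_relabel_all_files_except_shadow` and `auth_manage_all_files_except_shadow`. Note that the last two now call the renamed `files_relabel_all_files_except` and `files_manage_all_files_except`, so these hunks and the files.if renames must land in the same commit or the build breaks in between.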
--
James Carter
National Security Agency
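An added example, not part of this thread or of refpolicy: a small Python model of the flat type-set expressions these interfaces build (union and `-` only, with constructed sample attribute members), showing why the old `{ file_type $2 }` body excludes nothing when called as `(foo_t, bar_t)` and why a nested set such as `{ file_type - { bar_t baz_t } }` is rejected, as the thread concludes.

```python
import re

# Constructed sample attribute membership standing in for a real policy's
# file_type attribute, which has thousands of members.
ATTRS = {"file_type": {"etc_t", "bin_t", "shadow_t", "bar_t", "baz_t"}}
# Tokens: braces, the negation sign, identifiers.
TOKEN = re.compile(r"\{|\}|-|[A-Za-z_][A-Za-z0-9_]*")

def expand_set(expr, attrs=ATTRS):
    """Evaluate a flat SELinux type set such as `{ file_type -shadow_t }`.
    Plain elements are unioned in, elements after `-` subtracted, an attribute
    stands for all its members. Only one level of braces is accepted, the
    limitation the thread confirms; `*` and `~` are not modelled."""
    toks = TOKEN.findall(expr)
    if len(toks) >= 2 and toks[0] == "{" and toks[-1] == "}":
        toks = toks[1:-1]
    if "{" in toks or "}" in toks:
        raise ValueError("nested set expressions are not valid: %s" % expr)
    include, exclude, negate = set(), set(), False
    for tok in toks:
        if tok == "-":
            if negate:
                raise ValueError("doubled '-' in %s" % expr)
            negate = True
            continue
        (exclude if negate else include).update(attrs.get(tok, {tok}))
        negate = False
    if negate:
        raise ValueError("dangling '-' in %s" % expr)
    return include - exclude

def is_valid_set(expr):
    """True if expand_set accepts the expression, False on a syntax error."""
    try:
        expand_set(expr)
        return True
    except ValueError:
        return False

def old_interface(arg2):
    """Pre-patch body `{ file_type $2 }`, with $2 pasted in verbatim."""
    return expand_set("{ file_type %s }" % arg2)

def new_interface(arg2):
    """Post-patch body `{ file_type - $2 }`."""
    return expand_set("{ file_type - %s }" % arg2)
```

Calling `old_interface("bar_t")` returns the whole `file_type` set, while `new_interface("bar_t")` returns it minus `bar_t`; passing the old `-bar_t` form to the new body raises on the doubled `-`.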