From: jwcart2@tycho.nsa.gov (James Carter)
Date: Wed, 25 Aug 2010 13:10:43 -0400
Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to
 not have caller supply the "-"
In-Reply-To: <4C753D2E.60208@tresys.com>
References: <1282679448.14992.35.camel@moss-lions.epoch.ncsc.mil>
	<4C751517.40203@tresys.com>
	<1282745971.25778.25.camel@moss-lions.epoch.ncsc.mil>
	<4C753D2E.60208@tresys.com>
Message-ID: <1282756243.25778.49.camel@moss-lions.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-08-25 at 11:56 -0400, Christopher J. PeBenito wrote:
> On 08/25/10 10:19, James Carter wrote:
> > On Wed, 2010-08-25 at 09:05 -0400, Christopher J. PeBenito wrote:
> >> On 08/24/10 15:50, James Carter wrote:
> >>> The *_except interfaces expect the caller to call it like this:
> >>> files_read_all_dirs_except(foo_t, - bar_t)
> >>>
> >>> This makes the call argument hard to deal with because it is neither a
> >>> type nor a set.  Also an argument like $2 -shadow_t could either be a
> >>> set or an MLS range.
> >>>
> >>> The *_except interfaces are never used except for in the *_except_shadow
> >>> interfaces.  The calls to the *_except_shadow interfaces never specify a
> >>> second argument.
> >>>
> >>> files_manage_all_files is called only in portage.te (with no exception)
> >>> and authlogin.if.
> >>
> >> Theres two issues with this change:
> >>
> >> 1. It breaks API stability.
> >
> > That may be true, but the current interface makes no sense to me.  If I
> > use files_read_all_dirs_except(foo_t, bar_t) the resulting policy allows
> > access to file_type and bar_t.  It doesn't exclude anything.
> >
> >> 2. It doesn't work if you want to specify a set, e.g.
> >>
> >> files_read_all_dirs_except(foo_t, { bar_t baz_t })
> >>
> > Why doesn't that work?  Doesn't that give
> > { file_type - { bar_t baz_t } }?
> 
> I didn't think that was valid.  Is it?

You're right.  It's not valid.  I didn't realize the set expressions
were that limited.  And I went through all that trouble making sure that
my parser could handle arbitrary set expressions.

> 
> > Again, if you don't like the changes, that's fine.  It is just something
> > that will have to be worked around.  Any changes that you do accept just
> > makes life a easier.
> 
> I'd like to get rid of the interfaces completely.  I just haven't come 
> up with a better way of getting { files_type -shadow_t } without 
> breaking encapsulation.  Perhaps we just have to rethink the access or 
> concept.
> 

The interfaces are only used in Refpolicy for shadow_t.  If special
interfaces could be made for shadow_t, while retaining the old ones for
compatibility, then at least Refpolicy itself would not have "-shadow_t"
as an argument.  That would help a bunch.

> >>> ---
> >>>    policy/modules/kernel/files.if     |   92 +++++++++++++++++++++++++++++--------
> >>>    policy/modules/system/authlogin.if |   10 ++--
> >>>    2 files changed, 79 insertions(+), 23 deletions(-)
> >>>
> >>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> >>> index 5302dac..9212dea 100644
> >>> --- a/policy/modules/kernel/files.if
> >>> +++ b/policy/modules/kernel/files.if
> >>> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
> >>>                   attribute file_type;
> >>>           ')
> >>>
> >>> -       allow $1 { file_type $2 }:dir list_dir_perms;
> >>> +       allow $1 { file_type - $2 }:dir list_dir_perms;
> >>>    ')
> >>>
> >>>    ########################################
> >>> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
> >>>                   attribute file_type;
> >>>           ')
> >>>
> >>> -       read_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> +       read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>    ')
> >>>
> >>>    ########################################
> >>> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
> >>>                   attribute file_type;
> >>>           ')
> >>>
> >>> -       read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> +       read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>    ')
> >>>
> >>>    ########################################
> >>> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
> >>>
> >>>    ########################################
> >>>    ##<summary>
> >>> +##     Relabel all files on the filesystem
> >>> +##</summary>
> >>> +##<param name="domain">
> >>> +##<summary>
> >>> +##     The type of the domain perfoming this action.
> >>> +##</summary>
> >>> +##</param>
> >>> +##<rolecap/>
> >>> +#
> >>> +interface(`files_relabel_all_files',`
> >>> +       gen_require(`
> >>> +               attribute file_type;
> >>> +       ')
> >>> +
> >>> +       allow $1 file_type : dir list_dir_perms;
> >>> +       relabel_dirs_pattern($1, file_type, file_type)
> >>> +       relabel_files_pattern($1, file_type, file_type)
> >>> +       relabel_lnk_files_pattern($1, file_type, file_type)
> >>> +       relabel_fifo_files_pattern($1, file_type, file_type)
> >>> +       relabel_sock_files_pattern($1, file_type, file_type)
> >>> +       relabelfrom_blk_files_pattern($1, file_type, file_type)
> >>> +       relabelfrom_chr_files_pattern($1, file_type, file_type)
> >>> +
> >>> +       # satisfy the assertions:
> >>> +       seutil_relabelto_bin_policy($1)
> >>> +')
> >>> +
> >>> +########################################
> >>> +##<summary>
> >>>    ##     Relabel all files on the filesystem, except
> >>>    ##     the listed exceptions.
> >>>    ##</summary>
> >>> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
> >>>    ##</param>
> >>>    ##<rolecap/>
> >>>    #
> >>> -interface(`files_relabel_all_files',`
> >>> +interface(`files_relabel_all_files_except',`
> >>>           gen_require(`
> >>>                   attribute file_type;
> >>>           ')
> >>>
> >>> -       allow $1 { file_type $2 }:dir list_dir_perms;
> >>> -       relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> >>> -       relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> -       relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> -       relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> -       relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> +       allow $1 { file_type - $2 }:dir list_dir_perms;
> >>> +       relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> +       relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> +       relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> +       relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> +       relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>           # this is only relabelfrom since there should be no
> >>>           # device nodes with file types.
> >>> -       relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> -       relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> +       relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> +       relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>
> >>>           # satisfy the assertions:
> >>>           seutil_relabelto_bin_policy($1)
> >>> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
> >>>
> >>>    ########################################
> >>>    ##<summary>
> >>> +##     Manage all files on the filesystem.
> >>> +##</summary>
> >>> +##<param name="domain">
> >>> +##<summary>
> >>> +##     The type of the domain perfoming this action.
> >>> +##</summary>
> >>> +##</param>
> >>> +##<rolecap/>
> >>> +#
> >>> +interface(`files_manage_all_files',`
> >>> +       gen_require(`
> >>> +               attribute file_type;
> >>> +       ')
> >>> +
> >>> +       manage_dirs_pattern($1, file_type, file_type)
> >>> +       manage_files_pattern($1, file_type, file_type)
> >>> +       manage_lnk_files_pattern($1, file_type, file_type)
> >>> +       manage_fifo_files_pattern($1, file_type, file_type)
> >>> +       manage_sock_files_pattern($1, file_type, file_type)
> >>> +
> >>> +       # satisfy the assertions:
> >>> +       seutil_create_bin_policy($1)
> >>> +       files_manage_kernel_modules($1)
> >>> +')
> >>> +
> >>> +########################################
> >>> +##<summary>
> >>>    ##     Manage all files on the filesystem, except
> >>>    ##     the listed exceptions.
> >>>    ##</summary>
> >>> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
> >>>    ##</param>
> >>>    ##<rolecap/>
> >>>    #
> >>> -interface(`files_manage_all_files',`
> >>> +interface(`files_manage_all_files_except',`
> >>>           gen_require(`
> >>>                   attribute file_type;
> >>>           ')
> >>>
> >>> -       manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> >>> -       manage_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> -       manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> -       manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> -       manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> >>> +       manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> +       manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> +       manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> +       manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>> +       manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> >>>
> >>>           # satisfy the assertions:
> >>>           seutil_create_bin_policy($1)
> >>> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> >>> index 7fddc24..c116df6 100644
> >>> --- a/policy/modules/system/authlogin.if
> >>> +++ b/policy/modules/system/authlogin.if
> >>> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
> >>>                   type shadow_t;
> >>>           ')
> >>>
> >>> -       files_read_all_dirs_except($1,$2 -shadow_t)
> >>> +       files_read_all_dirs_except($1, shadow_t)
> >>>    ')
> >>>
> >>>    ########################################
> >>> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
> >>>                   type shadow_t;
> >>>           ')
> >>>
> >>> -       files_read_all_files_except($1,$2 -shadow_t)
> >>> +       files_read_all_files_except($1, shadow_t)
> >>>    ')
> >>>
> >>>    ########################################
> >>> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> >>>                   type shadow_t;
> >>>           ')
> >>>
> >>> -       files_read_all_symlinks_except($1,$2 -shadow_t)
> >>> +       files_read_all_symlinks_except($1, shadow_t)
> >>>    ')
> >>>
> >>>    ########################################
> >>> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
> >>>                   type shadow_t;
> >>>           ')
> >>>
> >>> -       files_relabel_all_files($1,$2 -shadow_t)
> >>> +       files_relabel_all_files_except($1, shadow_t)
> >>>    ')
> >>>
> >>>    ########################################
> >>> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
> >>>                   type shadow_t;
> >>>           ')
> >>>
> >>> -       files_manage_all_files($1,$2 -shadow_t)
> >>> +       files_manage_all_files_except($1, shadow_t)
> >>>    ')
> >>>
> >>>    ########################################
> >>>
> >>
> >>
> >
> 
> 

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency