--- Paul Moore <[EMAIL PROTECTED]> wrote:
> On Monday, July 16 2007 10:59:41 pm Casey Schaufler wrote:
> > --- Paul Moore <[EMAIL PROTECTED]> wrote:
> > > On Saturday, July 14 2007 5:47:38 pm Casey Schaufler wrote:
> > > +#include "../../net/netlabel/netlabel_domainhash.h"
> > > +#include <net/cipso_ipv4.h>
> > > +
> > > + {snip}
> > > +
> > > +static void smk_cipso_doi(void)
> > > +{
> > > + int rc;
> > > + struct cipso_v4_doi *doip;
> > > + struct netlbl_dom_map *ndmp;
> > > + struct netlbl_audit audit_info;
> > > +
> > > + if (smk_cipso_doied != 0)
> > > + return;
> > > + smk_cipso_doied = 1;
> > > +
> > > + doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);
> > > + if (doip == NULL)
> > > + panic("smack: Failed to initialize cipso DOI.\n");
> > > + doip->map.std = NULL;
> > > +
> > > + ndmp = kmalloc(sizeof(struct netlbl_dom_map), GFP_KERNEL);
> > > + if (ndmp == NULL)
> > > + panic("smack: Failed to initialize cipso ndmp.\n");
> > > +
> > > + doip->doi = SMACK_CIPSO_DOI;
> > > + doip->type = CIPSO_V4_MAP_PASS;
> > > + doip->tags[0] = CIPSO_V4_TAG_RBITMAP;
> > > + for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
> > > + doip->tags[rc] = CIPSO_V4_TAG_INVALID;
> > > +
> > > + rc = cipso_v4_doi_add(doip);
> > > + printk("%s:%d add doi rc = %d\n", __FUNCTION__, __LINE__, rc);
> > > +
> > > + /*
> > > + rc = cipso_v4_doi_domhsh_add(doip, SMACK_CIPSO_DOMAIN_NAME);
> > > + printk("%s:%d hash doi rc = %d\n", __FUNCTION__, __LINE__, rc);
> > > + */
> > > + ndmp->domain = SMACK_CIPSO_DOMAIN_NAME;
> > > + ndmp->type = NETLBL_NLTYPE_CIPSOV4;
> > > + ndmp->type_def.cipsov4 = doip;
> > > + rc = netlbl_domhsh_add(ndmp, &audit_info);
> > > + printk("%s:%d hash doi rc = %d\n", __FUNCTION__, __LINE__, rc);
> > > +}
> > >
> > > If SMACK gets an OK for upstream we need to find a better solution than
> > > the above. The smk_cipso_doi() function pokes into too many NetLabel
> > > internals.
> > >
> > > The two obvious options are to rely on userspace (netlabel_tools) to
> > > configure NetLabel for SMACK, like SELinux, or to create a new NetLabel
> > > API for allowing LSMs to manipulate the NetLabel domain mapping.
> >
> > A userspace scheme is a non-starter, it goes against the project
> > goals of minimal dependence on helper applications. I would be happy
> > to work with you to create an appropriate API.
>
> All right, that's fair. For the time being just throw a comment in the code
> and we'll work on something.
Sounds like a plan. Thank you.
> > > Also, any reason why you don't just use the NetLabel default domain
> > > mapping?
> >
> > Uh, only that I couldn't figure out how to go about doing so. If it
> > simplifies (there's that word again) things I'm all for it. I would
> > be happy to have my ignorance dispelled.
>
> Two things:
>
> 1. change "ndmp->domain = SMACK_CIPSO_DOMAIN_NAME" to "ndmp->domain = NULL"
> 2. change "netlbl_domhsh_add()" to "netlbl_domhsh_add_default()"
>
> If you want to get really nitpicky the second step is optional, but I'd
> prefer
> you use it in case we ever need to do something radically different for the
> default NetLabel domain mapping (it's really easy as they take the same
> arguments in the same order, just change the function name).
I'll give it a try.
> > > +/*
> > > + * CIPSO domain information.
> > > + * Casey says that these may wind up being configurable
> > > + * at some point.
> > > + */
> > > +#define SMACK_CIPSO_DOMAIN_NAME "SmackCIPSO"
> > > +#define SMACK_CIPSO_DOI 3
> > > +#define SMACK_CIPSO_DIRECT 250 /* Arbitrary and bad */
> > >
> > > Yes, SMACK_CIPSO_DIRECT is bad.
> > > There has to be a cleaner solution than this,
> > > think harder ;)
> >
> > The cleanest solution is already in the code, where there's a 1:1
> > mapping of Smack labels to Cipso level/catset maintained via
> > /smack/cipso, and set administratively. A purist can always set
> > this up to be complete.
> >
> > On the other hand, it has already been acknowledged that mapping one
> > set of CIPSO tags to another is necessary in some cases, for example
> > when one machine's bit 6 represents another's bits 2 and 3.
>
> My main complaint is the "magic number" of 250. Constants that are visible
> outside a subsystem make me very nervous, especially when they are "Arbitrary
>
> and bad". I understand the desire to have a direct mapping, that isn't my
> concern, my worry is how you specify to the other end that it is a direct
> mapping.
Ah, in that case I will make the DOI and CIPSO_DIRECT configurable.
If I switch to the default domain there's no point in configuring that.
> > > +static smack_t smack_from_secattr(struct netlbl_lsm_secattr *sap)
> > > +{
> > > + struct smk_cipso_entry *scp;
> > > + smack_t smack = 0LL;
> > > + int pcat;
> > > +
> > > + if ((sap->flags & NETLBL_SECATTR_MLS_LVL) == 0) {
> > > + /*
> > > + * If there are flags but no level netlabel isn't
> > > + * behaving the way we expect it to.
> > > + *
> > > + * Without guidance regarding the smack value
> > > + * for the packet fall back on the network
> > > + * ambient value.
> > > + */
> > > + return smack_net_ambient;
> > > + }
> > > + /*
> > > + * Get the categories, if any
> > > + */
> > > + if ((sap->flags & NETLBL_SECATTR_MLS_CAT) != 0)
> > > + for (pcat = -1;;) {
> > > + pcat = netlbl_secattr_catmap_walk(sap->mls_cat, pcat+1);
> > > + if (pcat < 0)
> > > + break;
> > > + smack_catset_bit(pcat, &smack);
> > > + }
> > > + /*
> > > + * If it is CIPSO using smack direct mapping
> > > + * we are already done. WeeHee.
> > > + */
> > > + if (sap->mls_lvl == SMACK_CIPSO_DIRECT)
> > > + return smack;
> > > +
> > > + /*
> > > + * Look it up in the supplied table if it is not a direct mapping.
> > > + */
> > > + for (scp = smack_cipso; scp != NULL; scp = scp->smk_next)
> > > + if (scp->smk_level == sap->mls_lvl && scp->smk_catset == smack)
> > > + return scp->smk_smack;
> > >
> > > The NetLabel caching mechanism can help make this a lot less painful,
> > > i.e. direct return of the correct "smack" instead of traversing an
> > > unordered linked list each time.
> >
> > I got the impression that that might be the case, but as with the
> > default domain, the details of how I might do so did not seem obvious
> > to me. Again, I would welcome enlightenment.
>
> Look at security/selinux/ss/services.c, down near the bottom at the NetLabel
> glue code left there. Making use of the NetLabel cache involves the
> following things:
>
> * Define a cache data structure, in the case of SELinux this is
> "struct selinux_netlbl_cache", I imagine in your case it might just be
> a smack pointer
> * Define a callback function to free the cache structure, in SELinux this is
> "security_netlbl_cache_free()"
> * When you resolve a netlbl_lsm_secattr struct to a smack value you populate
> your cache data structure with whatever you want returned to you later and
> assign it to a new netlbl_lsm_secattr struct which you use in a call to
> netlbl_cache_add(), look at security_netlbl_cache_add() for the SELinux
> example[1].
> * When you get a new netlbl_lsm_secattr struct from NetLabel check to see if
> the cache flag is set, if so use the cached value directly, see
> security_netlbl_secattr_to_sid() for the SELinux example.
Thank you. This may take a little while, but I'll have a go at it.
> [1] I just realized that security_netlbl_cache_add() does everything but the
> final call to netlbl_cache_add(), oops. I think it was mistakenly dropped in
>
> the patchset that split most of the NetLabel code out of ss/services.c, my
> mistake.
Thanks again.
Casey Schaufler
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
