Re: [PATCH 2/9] libsepol: Add ibpkey ocontext handling

2017-05-12 Thread Daniel Jurgens
On 5/11/2017 10:18 AM, James Carter wrote:
> libsepol now has the functionality to write cil or a policy.conf from a 
> kernel 
> policy, so kernel_to_cil.c and kernel_to_conf.c need to be updated as well. 
> Doing that shouldn't be any more complicated than what was done for 
> module_to_c.
>
> Jim
Added.  Thanks for reviewing; I completely missed that those files had been added.
>
> On 05/09/2017 04:50 PM, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>> Add support for reading, writing, and copying InfiniBand Pkey ocontext
>> data. Also add support for querying a Pkey sid to checkpolicy.
>>




Re: [PATCH 2/9] libsepol: Add ibpkey ocontext handling

2017-05-11 Thread James Carter
libsepol now has the functionality to write cil or a policy.conf from a kernel 
policy, so kernel_to_cil.c and kernel_to_conf.c need to be updated as well. 
Doing that shouldn't be any more complicated than what was done for module_to_c.


Jim

On 05/09/2017 04:50 PM, Dan Jurgens wrote:

From: Daniel Jurgens 

Add support for reading, writing, and copying InfiniBand Pkey ocontext
data. Also add support for querying a Pkey sid to checkpolicy.

Signed-off-by: Daniel Jurgens 
---
  checkpolicy/checkpolicy.c  |   27 +
  libsepol/include/sepol/policydb/services.h |   11 +
  libsepol/src/expand.c  |9 
  libsepol/src/libsepol.map.in   |1 +
  libsepol/src/module_to_cil.c   |   39 ++
  libsepol/src/policydb.c|   47 ++
  libsepol/src/services.c|   59 
  libsepol/src/write.c   |   16 +++
  8 files changed, 209 insertions(+), 0 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 534fc22..0f12347 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -22,6 +22,7 @@
   *
   *Policy Module support.
   *
+ * Copyright (C) 2017 Mellanox Technologies Inc.
   * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
   * Copyright (C) 2003 - 2005 Tresys Technology, LLC
   * Copyright (C) 2003 Red Hat, Inc., James Morris 
@@ -699,6 +700,7 @@ int main(int argc, char **argv)
printf("h)  change a boolean value\n");
printf("i)  display constraint expressions\n");
printf("j)  display validatetrans expressions\n");
+   printf("k)  Call ibpkey_sid\n");
  #ifdef EQUIVTYPES
printf("z)  Show equivalent types\n");
  #endif
@@ -1220,6 +1222,31 @@ int main(int argc, char **argv)
"\nNo validatetrans expressions found.\n");
}
break;
+   case 'k':
+   {
+   char *p;
+   int len;
+   struct in6_addr addr6;
+   unsigned int pkey;
+
+   printf("subnet prefix?  ");
+   FGETS(ans, sizeof(ans), stdin);
+   ans[strlen(ans) - 1] = 0;
+   p = (char *)&addr6;
+   len = sizeof(addr6);
+
+   if (inet_pton(AF_INET6, ans, p) < 1) {
+   printf("error parsing subnet prefix\n");
+   break;
+   }
+
+   printf("pkey? ");
+   FGETS(ans, sizeof(ans), stdin);
+   pkey = atoi(ans);
+   sepol_ibpkey_sid(0, 0, p, len, pkey, &ssid);
+   printf("sid %d\n", ssid);
+   }
+   break;
  #ifdef EQUIVTYPES
case 'z':
identify_equiv_types();
diff --git a/libsepol/include/sepol/policydb/services.h 
b/libsepol/include/sepol/policydb/services.h
index 9162149..2d7aed1 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -188,6 +188,17 @@ extern int sepol_port_sid(uint16_t domain,
  uint16_t port, sepol_security_id_t * out_sid);
  
  /*

+ * Return the SID of the ibpkey specified by
+ * `domain', `type', `subnet prefix', and `pkey'.
+ */
+extern int sepol_ibpkey_sid(uint16_t domain,
+ uint16_t type,
+ void *subnet_prefix_p,
+ size_t splen,
+ uint16_t pkey,
+ sepol_security_id_t *out_sid);
+
+/*
   * Return the SIDs to use for a network interface
   * with the name `name'.  The `if_sid' SID is returned for
   * the interface and the `msg_sid' SID is returned as
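Review bot: `subnet_prefix_p` is declared `void *` although the lookup only needs to read the prefix, forcing callers that hold a `const struct in6_addr` to cast; declare it `const void *subnet_prefix_p` (and carry the `const` through to the definition in services.c, which is not in this hunk). The comment above the prototype lists the inputs but says nothing about the return convention or what `out_sid` holds on failure; since it sits beside `sepol_port_sid`, a line such as ` * Returns 0 on success and a negative value on error, as for sepol_port_sid.` would document it — assuming the implementation follows that convention, which cannot be confirmed from this hunk.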
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 54bf781..c45ecbe 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -4,6 +4,7 @@
   *
   * Copyright (C) 2004-2005 Tresys Technology, LLC
   * Copyright (C) 2007 Red Hat, Inc.
+ * Copyright (C) 2017 Mellanox Technologies, Inc.
   *
   *  This library is free software; you can redistribute it and/or
   *  modify it under the terms of the GNU Lesser General Public
@@ -2217,6 +2218,14 @@ static int ocontext_copy_selinux(expand_state_t *state)
return -1;
}
break;
+   case OCON_IBPKEY:
+   n->u.ibpkey.subnet_prefix[0] = 
c->u.ibpkey.subnet_prefix[0];
+   n->u.ibpkey.subnet

Re: [PATCH 2/9] libsepol: Add ibpkey ocontext handling

2017-05-10 Thread Daniel Jurgens
On 5/10/2017 1:51 PM, Stephen Smalley wrote:
> On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>> Add support for reading, writing, and copying Infinabinda Pkey 
> s/Infinabinda/Infiniband/
Done
>
>> --- a/libsepol/include/sepol/policydb/services.h
>> +++ b/libsepol/include/sepol/policydb/services.h
>> @@ -188,6 +188,17 @@ extern int sepol_port_sid(uint16_t domain,
>>uint16_t port, sepol_security_id_t *
>> out_sid);
>>  
>>  /*
>> + * Return the SID of the ibpkey specified by
>> + * `domain', `type', `subnet prefix', and `pkey'.
>> + */
> Can you explain why you are passing a (domain,type) pair to this
> interface and why subnet_prefix is not fixed length as it is in
> corresponding kernel interface (security_pkey_sid)?  Will these
> arguments ever be used?  Could the length change in the future?
>
> For that matter, and I guess I should have asked this on the kernel
> patches, why are you storing and passing the subnet prefix as a
> complete IPv6 address?  Is that just for the convenience of being able
> to use inet_pton() and inet_ntop()?  Is this typical for handling of IB
> subnet prefixes?  Seems a bit wasteful.
I modeled it after sepol_port_sid, which has the unused type and domain.  They 
are not needed and I've removed them.  The length was also not needed: it is 
always the same size and will never change.

Regarding using an IPv6 address for the subnet prefix, it is for convenience. 
There is already code to deal with IPv6 addresses, not just inet_pton and 
inet_ntop, but in the CIL code as well.  The subnet prefix is just the top half 
of the IPv6 address, so storing it as one allowed that code to be reused.  When 
the policy is loaded into the kernel the lower 8 bytes are not stored (the subnet 
prefix is kept as a u64), so the space is not permanently wasted.
>>
>> @@ -2583,6 +2584,7 @@ static int ocontext_selinux_isid_to_cil(struct
>> policydb *pdb, struct ocontext *i
>>  "policy",
>>  "scmp_packet",
>>  "devnull",
>> +"ibpkey",
> I thought we dropped the separate initial SID for it?
You're right.  I overlooked this when I changed that during the kernel series 
review.
>>
>> @@ -185,6 +186,21 @@ static struct policydb_compat_info
>> policydb_compat[] = {
>>   .ocon_num = OCON_NODE6 + 1,
>>   .target_platform = SEPOL_TARGET_SELINUX,
>>  },
>> +
>> +{
>> + .type = POLICY_KERN,
>> + .version = POLICYDB_VERSION_XPERMS_IOCTL,
>> + .sym_num = SYM_NUM,
>> + .ocon_num = OCON_NODE6 + 1,
>> + .target_platform = SEPOL_TARGET_SELINUX,
>> +},
> This seems duplicated?

Removed

>> @@ -2782,6 +2812,23 @@ static int ocontext_read_selinux(struct
>> policydb_compat_info *info,
>>  (&c->context[1], p, fp))
>>  return -1;
>>  break;
>> +case OCON_IBPKEY:
>> +rc = next_entry(buf, fp,
>> sizeof(uint32_t) * 6);
>> +if (rc < 0)
>> +return -1;
>> +
>> +c->u.ibpkey.subnet_prefix[0] =
>> buf[0];
>> +c->u.ibpkey.subnet_prefix[1] =
>> buf[1];
>> +c->u.ibpkey.subnet_prefix[2] =
>> buf[2];
>> +c->u.ibpkey.subnet_prefix[3] =
>> buf[3];
> Why load all the values rather than just confirming that [2] and [3]
> are zero as in the kernel?

Changed to confirm they are 0.





Re: [PATCH 2/9] libsepol: Add ibpkey ocontext handling

2017-05-10 Thread Stephen Smalley
On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> Add support for reading, writing, and copying Infinabinda Pkey 

s/Infinabinda/Infiniband/

> ocontext
> data. Also add support for querying a Pkey sid to checkpolicy.
> 
> Signed-off-by: Daniel Jurgens 
> ---
>  checkpolicy/checkpolicy.c  |   27 +
>  libsepol/include/sepol/policydb/services.h |   11 +
>  libsepol/src/expand.c  |9 
>  libsepol/src/libsepol.map.in   |1 +
>  libsepol/src/module_to_cil.c   |   39 ++
>  libsepol/src/policydb.c|   47
> ++
>  libsepol/src/services.c|   59
> 
>  libsepol/src/write.c   |   16 +++
>  8 files changed, 209 insertions(+), 0 deletions(-)
> 
> diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
> index 534fc22..0f12347 100644
> --- a/checkpolicy/checkpolicy.c
> +++ b/checkpolicy/checkpolicy.c
> @@ -22,6 +22,7 @@
>   *
>   *   Policy Module support.
>   *
> + * Copyright (C) 2017 Mellanox Technologies Inc.
>   * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
>   * Copyright (C) 2003 - 2005 Tresys Technology, LLC
>   * Copyright (C) 2003 Red Hat, Inc., James Morris  m>
> @@ -699,6 +700,7 @@ int main(int argc, char **argv)
>   printf("h)  change a boolean value\n");
>   printf("i)  display constraint expressions\n");
>   printf("j)  display validatetrans expressions\n");
> + printf("k)  Call ibpkey_sid\n");
>  #ifdef EQUIVTYPES
>   printf("z)  Show equivalent types\n");
>  #endif
> @@ -1220,6 +1222,31 @@ int main(int argc, char **argv)
>   "\nNo validatetrans expressions
> found.\n");
>   }
>   break;
> + case 'k':
> + {
> + char *p;
> + int len;
> + struct in6_addr addr6;
> + unsigned int pkey;
> +
> + printf("subnet prefix?  ");
> + FGETS(ans, sizeof(ans), stdin);
> + ans[strlen(ans) - 1] = 0;
> + p = (char *)&addr6;
> + len = sizeof(addr6);
> +
> + if (inet_pton(AF_INET6, ans, p) < 1)
> {
> + printf("error parsing subnet
> prefix\n");
> + break;
> + }
> +
> + printf("pkey? ");
> + FGETS(ans, sizeof(ans), stdin);
> + pkey = atoi(ans);
> + sepol_ibpkey_sid(0, 0, p, len, pkey,
> &ssid);
> + printf("sid %d\n", ssid);
> + }
> + break;
>  #ifdef EQUIVTYPES
>   case 'z':
>   identify_equiv_types();
> diff --git a/libsepol/include/sepol/policydb/services.h
> b/libsepol/include/sepol/policydb/services.h
> index 9162149..2d7aed1 100644
> --- a/libsepol/include/sepol/policydb/services.h
> +++ b/libsepol/include/sepol/policydb/services.h
> @@ -188,6 +188,17 @@ extern int sepol_port_sid(uint16_t domain,
>     uint16_t port, sepol_security_id_t *
> out_sid);
>  
>  /*
> + * Return the SID of the ibpkey specified by
> + * `domain', `type', `subnet prefix', and `pkey'.
> + */

Can you explain why you are passing a (domain,type) pair to this
interface and why subnet_prefix is not fixed length as it is in
corresponding kernel interface (security_pkey_sid)?  Will these
arguments ever be used?  Could the length change in the future?

For that matter, and I guess I should have asked this on the kernel
patches, why are you storing and passing the subnet prefix as a
complete IPv6 address?  Is that just for the convenience of being able
to use inet_pton() and inet_ntop()?  Is this typical for handling of IB
subnet prefixes?  Seems a bit wasteful.

> +extern int sepol_ibpkey_sid(uint16_t domain,
> +   uint16_t type,
> +   void *subnet_prefix_p,
> +   size_t splen,
> +   uint16_t pkey,
> +   sepol_security_id_t *out_sid);
> +
> +/*
>   * Return the SIDs to use for a network interface
>   * with the name `name'.  The `if_sid' SID is returned for 
>   * the interface and the `msg_sid' SID is returned as
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 54bf781..c45ecbe 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -4,6 +4,7 @@
>   *
>   * Copyright (C) 2004-2005 Tresys Technology, LLC
>   * Copyright (C) 2007 Red Hat, Inc.
> + * Copyright (C) 2017 Mellanox Technologies, Inc.
>   *
>   *  This library is free softwar

[PATCH 2/9] libsepol: Add ibpkey ocontext handling

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens 

Add support for reading, writing, and copying InfiniBand Pkey ocontext
data. Also add support for querying a Pkey sid to checkpolicy.

Signed-off-by: Daniel Jurgens 
---
 checkpolicy/checkpolicy.c  |   27 +
 libsepol/include/sepol/policydb/services.h |   11 +
 libsepol/src/expand.c  |9 
 libsepol/src/libsepol.map.in   |1 +
 libsepol/src/module_to_cil.c   |   39 ++
 libsepol/src/policydb.c|   47 ++
 libsepol/src/services.c|   59 
 libsepol/src/write.c   |   16 +++
 8 files changed, 209 insertions(+), 0 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 534fc22..0f12347 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -22,6 +22,7 @@
  *
  * Policy Module support.
  *
+ * Copyright (C) 2017 Mellanox Technologies Inc.
  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  * Copyright (C) 2003 - 2005 Tresys Technology, LLC
  * Copyright (C) 2003 Red Hat, Inc., James Morris 
@@ -699,6 +700,7 @@ int main(int argc, char **argv)
printf("h)  change a boolean value\n");
printf("i)  display constraint expressions\n");
printf("j)  display validatetrans expressions\n");
+   printf("k)  Call ibpkey_sid\n");
 #ifdef EQUIVTYPES
printf("z)  Show equivalent types\n");
 #endif
@@ -1220,6 +1222,31 @@ int main(int argc, char **argv)
"\nNo validatetrans expressions found.\n");
}
break;
+   case 'k':
+   {
+   char *p;
+   int len;
+   struct in6_addr addr6;
+   unsigned int pkey;
+
+   printf("subnet prefix?  ");
+   FGETS(ans, sizeof(ans), stdin);
+   ans[strlen(ans) - 1] = 0;
+   p = (char *)&addr6;
+   len = sizeof(addr6);
+
+   if (inet_pton(AF_INET6, ans, p) < 1) {
+   printf("error parsing subnet prefix\n");
+   break;
+   }
+
+   printf("pkey? ");
+   FGETS(ans, sizeof(ans), stdin);
+   pkey = atoi(ans);
+   sepol_ibpkey_sid(0, 0, p, len, pkey, &ssid);
+   printf("sid %d\n", ssid);
+   }
+   break;
 #ifdef EQUIVTYPES
case 'z':
identify_equiv_types();
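Review bot: The result of `sepol_ibpkey_sid()` is never checked before `printf("sid %d\n", ssid)`, so a failed lookup prints a stale `ssid` left over from a previous menu command (ssid is declared in main, outside this hunk). Assuming the function returns negative on error like sepol_port_sid, change the call to `if (sepol_ibpkey_sid(0, 0, p, len, pkey, &ssid) < 0) { printf("ibpkey_sid lookup failed\n"); break; }`. `pkey = atoi(ans)` accepts any integer and the `unsigned int` is then narrowed to the `uint16_t` parameter, so negative or >0xFFFF input is truncated without a word; `strtoul` with an explicit range check would reject it instead. `ans[strlen(ans) - 1] = 0` also indexes before the buffer on an empty line, which is only safe if the FGETS macro exits on EOF — that definition is not visible here. The enclosing main() starts and ends outside the hunk.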
diff --git a/libsepol/include/sepol/policydb/services.h 
b/libsepol/include/sepol/policydb/services.h
index 9162149..2d7aed1 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -188,6 +188,17 @@ extern int sepol_port_sid(uint16_t domain,
  uint16_t port, sepol_security_id_t * out_sid);
 
 /*
+ * Return the SID of the ibpkey specified by
+ * `domain', `type', `subnet prefix', and `pkey'.
+ */
+extern int sepol_ibpkey_sid(uint16_t domain,
+ uint16_t type,
+ void *subnet_prefix_p,
+ size_t splen,
+ uint16_t pkey,
+ sepol_security_id_t *out_sid);
+
+/*
  * Return the SIDs to use for a network interface
  * with the name `name'.  The `if_sid' SID is returned for 
  * the interface and the `msg_sid' SID is returned as
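Review bot: `void *subnet_prefix_p` should be `const void *subnet_prefix_p`, because the query only reads the prefix and callers holding a `const struct in6_addr` would otherwise have to cast away const (the matching change belongs in services.c, outside this hunk). The new comment names the inputs but not the result: it should say what the function returns and whether `*out_sid` is left untouched on error, e.g. ` * Returns 0 on success and a negative value on error, as for sepol_port_sid.` — assuming the implementation follows the neighbouring function's convention, which this hunk does not show.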
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 54bf781..c45ecbe 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -4,6 +4,7 @@
  *
  * Copyright (C) 2004-2005 Tresys Technology, LLC
  * Copyright (C) 2007 Red Hat, Inc.
+ * Copyright (C) 2017 Mellanox Technologies, Inc.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -2217,6 +2218,14 @@ static int ocontext_copy_selinux(expand_state_t *state)
return -1;
}
break;
+   case OCON_IBPKEY:
+   n->u.ibpkey.subnet_prefix[0] = 
c->u.ibpkey.subnet_prefix[0];
+   n->u.ibpkey.subnet_prefix[1] = 
c->u.ibpkey.subnet_prefix[1];
+   n->u.ibpkey.subnet_prefix[2] = 
c->u.ibpkey.subnet_prefix[2];
+   n->u.ibpkey.subnet_prefix[3] = 
c->u.ibpkey.subnet_prefix[3];
+   n->u.ibpkey.low_pkey = c->u.ibpkey.low_pkey;
+