[SEPOL][SEMANAGE] Nodecon Support: Try 1
Hi, this patch is here to gather feedback, as I wouldn't want to mess up
Joshua's pending merge - I will resync after that.
I also suspect I'll have to do some changes to the patch. Note: patch
also is based on top of the PyList swig file, since that patch hasn't
been rejected or accepted yet. If you'd like me to rebase on the
previous swig file, that's not very hard to do.
The patch implements nodecon support in libsepol and libsemanage (but
not yet in the semanage utility).
Important points:
- The record - represents a nodecon entry as (addr, addr_sz, mask,
mask_sz, proto, con), where addr and mask are byte arrays. The key is
(addr, addr_sz, mask, mask_sz, proto). This is a bit different from
other records, where we've worked with strings, but I think it's the
better approach. I provide get and set functions for both name strings
(get/set_addr, get/set_mask), and byte arrays (get/set_addr_bytes,
get/set_mask_bytes). When working with strings, pton/ntop are used to
convert to byte arrays, which are the record's internal representation -
more compact, and allows comparison of two addresses. This means the
protocol is passed into set_addr() and set_mask() to control which
function is used (see below on the protocol being made explicit).
- The sepol support - does not divide records into ipv4/6. It handles
both in the same set of functions (exists, query, modify, count,
iterate). The protocol is used to disambiguate. Count and iterate loop
over both ipv4 and 6 addresses.
- The semanage file support - I've modified the format of a nodecon
entry for the semanage internal format to this:
nodecon <proto> <addr> <mask> <con>, where proto = ipv4 or ipv6. I
prefer this approach, since I think the protocol should be explicitly
specified, instead of guessing what it is based on format. This seems
more correct to me, and makes the code easier. As with other semanage
files, arbitrary whitespace and multiple lines are allowed.
- Comparison... is kept simple, following precedent set by ports. Match
if (addr, mask) match exactly, otherwise use some sort of ordering
scheme to return either -1 or 1 consistently.
Unresolved issues:
- Joshua raised the point that set_addr and set_addr_bytes do the same
thing, so only set_addr_bytes should exist, and a converter function
should be exposed to convert string -> bytes. This is easy to do, but I
favor the current approach - exposing a converter function makes it more
difficult for the client to use the API.
- The get_bytes, and set_bytes work in byte arrays. An alternative
approach is to use integer arrays. I have no strong preference on this,
but it seems that byte arrays are more general. I'm not sure what would
be more useful to a client.
- Related to 2 is the issue of byte order. get_bytes and set_bytes
currently use network byte order. Should they be changed to use host
byte order? If so, should the byte order be changed with respect to the
whole array, or by integer (i.e. flip all 16 bytes, or flip in groups of 4).
- Ordering by netmask specificity... is not yet implemented. This
requires adding insertion sort support for arbitrary records to the list
dbase. I'd rather do it in a separate patch.
Received on Sun 5 Feb 2006 - 16:02:22 EST
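To make the record layout, the explicit-protocol line format and the comparison scheme in the message concrete, here is an added example (not code from the patch or from libsemanage) that parses a `nodecon <proto> <addr> <mask> <con>` line into a hypothetical record with network-order byte arrays, and implements the exact-match-or-consistent-ordering comparison. The struct and function names are assumptions, not the library's API.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record mirroring the layout described in the message:
 * (addr, addr_sz, mask, mask_sz, proto, con), with addr and mask kept as
 * byte arrays in network byte order. Not libsemanage's real struct. */
typedef struct {
    unsigned char addr[16];
    size_t addr_sz;
    unsigned char mask[16];
    size_t mask_sz;
    int proto;                 /* AF_INET or AF_INET6 */
    char con[128];             /* security context string */
} nodecon_rec;

/* Parse one "nodecon <proto> <addr> <mask> <con>" line, proto = ipv4|ipv6.
 * Arbitrary whitespace between fields is accepted (one record per line here).
 * Returns 0 on success, -1 on a malformed field or a protocol/address mismatch. */
int parse_nodecon(const char *line, nodecon_rec *r)
{
    char proto[8], addr[64], mask[64];
    memset(r, 0, sizeof(*r));
    if (sscanf(line, " nodecon %7s %63s %63s %127s", proto, addr, mask, r->con) != 4)
        return -1;
    if (strcmp(proto, "ipv4") == 0)
        r->proto = AF_INET;
    else if (strcmp(proto, "ipv6") == 0)
        r->proto = AF_INET6;
    else
        return -1;
    r->addr_sz = r->mask_sz = (r->proto == AF_INET) ? 4 : 16;
    /* The explicit protocol selects the pton parser, so an IPv6 literal on an
     * ipv4 line is rejected instead of guessed at from its format. */
    if (inet_pton(r->proto, addr, r->addr) != 1 ||
        inet_pton(r->proto, mask, r->mask) != 1)
        return -1;
    return 0;
}

/* Key comparison: 0 when (proto, addr, mask) match exactly; otherwise a
 * consistent -1/1 ordering (protocol first, then raw network-order bytes). */
int nodecon_compare(const nodecon_rec *a, const nodecon_rec *b)
{
    int c;
    if (a->proto != b->proto)
        return a->proto < b->proto ? -1 : 1;
    c = memcmp(a->addr, b->addr, a->addr_sz);
    if (c == 0)
        c = memcmp(a->mask, b->mask, a->mask_sz);
    return (c > 0) - (c < 0);
}
```

The sample lines in the test are constructed; the comparison is the simple scheme the message describes, not ordering by netmask specificity.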