Hi, this patch is here to gather feedback, as I wouldn't want to mess up Joshua's pending merge - I will resync after that. I also suspect I'll have to do some changes to the patch. Note: patch also is based on top of the PyList swig file, since that patch hasn't been rejected or accepted yet. If you'd like me to rebase on the previous swig file, that's not very hard to do.

The patch implements nodecon support in libsepol and libsemanage (but not yet in the semanage utility).
Important points:

1. The record - represents a nodecon entry as (addr, addr_sz, mask, mask_sz, proto, con), where addr and mask are byte arrays. The key is
   (addr, addr_sz, mask, mask_sz, proto). This is a bit different from
   other records, where we've worked with strings, but I think it's the better approach. I provide get and set functions for both name strings
   (get/set_addr, get/set_mask), and byte arrays (get/set_addr_bytes,
   get/set_mask_bytes). When working with strings, pton/ntop are used to convert to byte arrays, which are the record's internal representation - more compact, and allows comparison of two addresses. This means the protocol is passed into set_addr() and set_mask() to control which function is used (see below on the protocol being made explicit).
2. The sepol support - does not divide records into ipv4/6. It handles both in the same set of functions (exists, query, modify, count, iterate). The protocol is used to disambiguate. Count and iterate loop over both ipv4 and 6 addresses.
3. The semanage file support - I've modified the format of a nodecon entry for the semanage internal format to this: nodecon <proto> <addr> <mask> <con>, where proto = ipv4 or ipv6. I prefer this approach, since I think the protocol should be explicitly specified, instead of guessing what it is based on format. This seems more correct to me, and makes the code easier. As with other semanage files, arbitrary whitespace and multiple lines are allowed.
4. Comparison... is kept simple, following precedent set by ports. Match if (addr, mask) match exactly, otherwise use some sort of ordering scheme to return either -1 or 1 consistently.

Unresolved issues:

1. Joshua raised the point that set_addr and set_addr_bytes do the same thing, so only set_addr_bytes should exist, and a converter function should be exposed to convert string -> bytes. This is easy to do, but I favor the current approach - exposing a converter function makes it more difficult for the client to use the API.
2. The get_bytes, and set_bytes work in byte arrays. An alternative approach is to use integer arrays. I have no strong preference on this, but it seems that byte arrays are more general. I'm not sure what would be more useful to a client.
3. Related to 2 is the issue of byte order. get_bytes and set_bytes currently use network byte order. Should they be changed to use host byte order? If so, should the byte order be changed with respect to the whole array, or by integer (i.e. flip all 16 bytes, or flip in groups of 4).
4. Ordering by netmask specificity... is not yet implemented. This requires adding insertion sort support for arbitrary records to the list dbase. I'd rather do it in a separate patch.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.



application/x-bzip attachment: libsepol.semanage.nodecon.diff.bz2