SCC: recognize that SELinux levels can be logically equivalent

[php-coder]

For example: s0:c0,c6 is the same as s0:c6,c0

Fixes #15627

[adelton]

We should be able to support ranges, like s0-s0:c0.c255. Also, the categories shouldn't be sorted as strings as the numerical part can have multiple digits.

I'm also not sure that we are looking for equality here -- don't we look for dominance and superset instead?

[php-coder]

We should be able to support ranges, like s0-s0:c0.c255.

Ok, I'll add it.

Also, the categories shouldn't be sorted as strings as the numerical part can have multiple digits.

It doesn't matter how they are sorted as we're sorting both parts. In other words, the sorting logic doesn't affect the result.

[php-coder]

We should be able to support ranges, like s0-s0:c0.c255.

Added. @adelton PTAL

[php-coder]

/retest

[adelton]

It doesn't matter how they are sorted as we're sorting both parts. In other words, the sorting logic doesn't affect the result.

But are we really looking for equality? IMHO, s0:c0.c2 should admit pod which asks for s0:c1, shouldn't it?

[rhatdan]

I think we should omit single category labels altogether. People understand the uniqueness, they don't understand dominance. MCS Separation has a hidden secret, dominance. In order to stop people confusion we should stick to a single count of Categories, and guarantee uniqueness.

[php-coder]

@adelton @rhatdan I don't understand what are you talking about unfortunately :( If you want me to edit this PR somehow then could you be more specific, please?

[smarterclayton]

why isn't this

categories := strings.Split('.')
sort.Strings(categories)

? Why are you go into deeper parsing?

[smarterclayton]

Oh, I see that this is an expansion. Please add godoc to the method

[smarterclayton]

need some additional tests, test edges cases and multiple equivalences.

[php-coder]

What do you mean by "multiple equivalences"?

[Miciah]

Maybe the parseFoo functions would be better named canonicalizeFoo, assuming I correctly understand the intent.

[Miciah]

s/c3"/"c3"/

[Miciah]

This will go out of bounds if categoryRange[0] is not c0 (e.g., parseCategories("c1.c4") panics—might be a good test case). You cannot use the same variable for the index and the format, at least not without some arithmetic.

[php-coder]

@Miciah Indeed, good catch, thanks!

[php-coder]

More code and tests were added. Feedback is highly appreciated!

[php-coder]

Test flake #14085
/test extended_conformance_gce

[php-coder]

Test flake #16402
/test cmd

[php-coder]

Bug in Kubernetes: kubernetes/kubernetes#53590
/test origin-ut

[php-coder]

@openshift/sig-security PTAL

[php-coder]

Ping.

[adelton]

In general, my question is if the SCC allows c0.c4 and the pod asks for c0, should it be permitted or not?

[php-coder]

In general, my question is if the SCC allows c0.c4 and the pod asks for c0, should it be permitted or not?

<semushin> pweil, WDYT? Sounds like yes, a pod should be permitted; but it could be a case for another PR.
<pweil> semushin, yes, I think that would match, probably a lower priority follow up

@adelton Could you create an issue (or even a PR) for that?

[eparis]

What dan is saying in #16432 (comment) is that you should NOT try to determine dominance or any special relationship between category sets. That is all policy and you can't know what policy says. Some policies may have very wierd inter-relations between level and category sets. Please only account of exact equivalence.

This really needs to be a libselinux function :-(

@stephensmalley I can't find a libselinux function to really help us. We just want to know is the string s-s0:c1,c2,c3 the same as so:c1.c3. I was hoping that a combination of context_new, context_str and selinux_file_context_cmp could be used to get this answer but it doesn't look like we have anything which does some form of semantic category normalization...

So maybe this PR is the best thing we can do.

[stephensmalley]

security_canonicalize_context(3) from libselinux. Oddly, no man page.
Sample usage:

$ cat canon.c
#include <selinux/selinux.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
	const char *ctx;
	char *canoncon;
	int rc;

	ctx = argv[1];
	rc = security_canonicalize_context(ctx, &canoncon);
	if (rc < 0)
		perror(ctx);
	else {
		printf("%s\n", canoncon);
		free(canoncon);
	}
	exit(rc);
}
$ make LDLIBS+=-lselinux canon
$ $ ./canon unconfined_u:unconfined_r:unconfined_t:s0:c0,c1,c2
unconfined_u:unconfined_r:unconfined_t:s0:c0.c2

[php-coder]

The PR has been updated. In order to merge in the upstream, it was decided to make it as simple as possible and solve only the original issue with ordering. No support for ranges and expansion at this point.

@openshift/sig-security PTAL

[php-coder]

I decided to use PSP's utils instead of duplicating them. That's why this PR has vendor-update tag.

[pweil-]

@php-coder do you think there is any benefit to just using the PSP strategy that is going to merge upstream for the comparison functions? They're just taking strings so it isn't type specific. It would require a change to the upstream PR but would reduce duplication here if we went that route. WDYT?

In any case this matches upstream and is LGTM

[simo5]

@pweil- given we will eventually migrate away from SCC to PSP, I think I prefer to just copy here for now, or we'll have public functions in PSP that are used by nothing but PSP once we drop SCC. Also any change to PSP would end up with more maintenance to keep SCC working until we can drop it.
So IMO it is good as proposed.

[simo5]

Actually I would even endorse copying the psputil function as a private function for mustrunas.go and avoid the vendoring warnings.

[pweil-]

@pweil- given we will eventually migrate away from SCC to PSP, I think I prefer to just copy here for now, or we'll have public functions in PSP that are used by nothing but PSP once we drop SCC. Also any change to PSP would end up with more maintenance to keep SCC working until we can drop it.
So IMO it is good as proposed.

I'm ok with this strategy, however if the comparisons were exposed in psputil and used then any changes we do upstream to enhance it wouldn't have to be copied, we'd just get them upon rebase. It is also not something we'd need to do an in depth review on when we decide to migrate to make sure we're not missing a difference. That burden is on your team though so it's your call. 👍

[php-coder]

@pweil- @simo5 Thanks for the feedback!

I updated the PR and removed the dependency to PSP's util package.

[simo5]

/lgtm

[pweil-]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: php-coder, pweil-, simo5

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/security/OWNERS [pweil-,simo5]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[php-coder]

/test gcp

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[php-coder]

/test gcp

[openshift-merge-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[openshift-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 16432, 18308, 18311).

[openshift-ci-robot]

@php-coder: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/gcp	bcd5b33	link	/test gcp

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.