lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SELinux: Add class support to the role_trans structure

Browse Source 
If kernel policy version is >= 26, then the binary representation of
the role_trans structure supports specifying the class for the current
subject or the newly created object.

If kernel policy version is < 26, then the class field would be default
to the process class.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
Harry Ciao
2011-03-25 13:51:56 +08:00
committed by Eric Paris
parent fe3fa43039
commit 8023976cf4
3 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
security/selinux/include/security.h
View File

@@ -30,13 +30,14 @@
#define POLICYDB_VERSION_PERMISSIVE 23 #define POLICYDB_VERSION_PERMISSIVE 23
#define POLICYDB_VERSION_BOUNDARY 24 #define POLICYDB_VERSION_BOUNDARY 24
#define POLICYDB_VERSION_FILENAME_TRANS 25 #define POLICYDB_VERSION_FILENAME_TRANS 25
#define POLICYDB_VERSION_ROLETRANS 26
/* Range of policy versions we understand*/ /* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
#else #else
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS #define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
#endif #endif
/* Mask for just the mount related flags */ /* Mask for just the mount related flags */

14
security/selinux/ss/policydb.c
View File

@@ -128,6 +128,11 @@ static struct policydb_compat_info policydb_compat[] = {
.sym_num = SYM_NUM, .sym_num = SYM_NUM,
.ocon_num = OCON_NUM, .ocon_num = OCON_NUM,
}, },
{
.version = POLICYDB_VERSION_ROLETRANS,
.sym_num = SYM_NUM,
.ocon_num = OCON_NUM,
},
}; };
static struct policydb_compat_info *policydb_lookup_compat(int version) static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -2302,8 +2307,17 @@ int policydb_read(struct policydb *p, void *fp)
tr->role = le32_to_cpu(buf[0]); tr->role = le32_to_cpu(buf[0]);
tr->type = le32_to_cpu(buf[1]); tr->type = le32_to_cpu(buf[1]);
tr->new_role = le32_to_cpu(buf[2]); tr->new_role = le32_to_cpu(buf[2]);
if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
rc = next_entry(buf, fp, sizeof(u32));
if (rc)
goto bad;
tr->tclass = le32_to_cpu(buf[0]);
} else
tr->tclass = p->process_class;
if (!policydb_role_isvalid(p, tr->role) || if (!policydb_role_isvalid(p, tr->role) ||
!policydb_type_isvalid(p, tr->type) || !policydb_type_isvalid(p, tr->type) ||
!policydb_class_isvalid(p, tr->tclass) ||
!policydb_role_isvalid(p, tr->new_role)) !policydb_role_isvalid(p, tr->new_role))
goto bad; goto bad;
ltr = tr; ltr = tr;

3
security/selinux/ss/policydb.h
View File

@@ -72,7 +72,8 @@ struct role_datum {
struct role_trans { struct role_trans {
u32 role; /* current role */ u32 role; /* current role */
u32 type; /* program executable type */ u32 type; /* program executable type, or new object type */
u32 tclass; /* process class, or new object class */
u32 new_role; /* new role */ u32 new_role; /* new role */
struct role_trans *next; struct role_trans *next;
}; };