首頁 探索 說明
註冊 登入
phyus
/
linux-vybrid_public
8
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
瀏覽代碼

SELinux: Add class support to the role_trans structure

If kernel policy version is >= 26, then the binary representation of
the role_trans structure supports specifying the class for the current
subject or the newly created object.

If kernel policy version is < 26, then the class field would be default
to the process class.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Harry Ciao 14 年之前
父節點
fe3fa43039
當前提交
8023976cf4
共有 3 個文件被更改,包括 18 次插入2 次删除
分割檢視 顯示文件統計
  1. 2 1
      security/selinux/include/security.h
  2. 14 0
      security/selinux/ss/policydb.c
  3. 2 1
      security/selinux/ss/policydb.h

+ 2 - 1
security/selinux/include/security.h
查看文件 

@@ -30,13 +30,14 @@
 
 #define POLICYDB_VERSION_PERMISSIVE	23
 
 #define POLICYDB_VERSION_BOUNDARY	24
 
 #define POLICYDB_VERSION_FILENAME_TRANS	25
 
+#define POLICYDB_VERSION_ROLETRANS	26
 
 
 /* Range of policy versions we understand*/
 
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 
 #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 
 #else
 
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_FILENAME_TRANS
 
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
 
 #endif
 
 
 /* Mask for just the mount related flags */

+ 14 - 0
security/selinux/ss/policydb.c
查看文件 

@@ -128,6 +128,11 @@ static struct policydb_compat_info policydb_compat[] = {
 
 		.sym_num	= SYM_NUM,
 
 		.ocon_num	= OCON_NUM,
 
 	},
 
+	{
 
+		.version	= POLICYDB_VERSION_ROLETRANS,
 
+		.sym_num	= SYM_NUM,
 
+		.ocon_num	= OCON_NUM,
 
+	},
 
 };
 
 
 static struct policydb_compat_info *policydb_lookup_compat(int version)
 
@@ -2302,8 +2307,17 @@ int policydb_read(struct policydb *p, void *fp)
 
 		tr->role = le32_to_cpu(buf[0]);
 
 		tr->type = le32_to_cpu(buf[1]);
 
 		tr->new_role = le32_to_cpu(buf[2]);
 
+		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
 
+			rc = next_entry(buf, fp, sizeof(u32));
 
+			if (rc)
 
+				goto bad;
 
+			tr->tclass = le32_to_cpu(buf[0]);
 
+		} else
 
+			tr->tclass = p->process_class;
 
+
 
 		if (!policydb_role_isvalid(p, tr->role) ||
 
 		    !policydb_type_isvalid(p, tr->type) ||
 
+		    !policydb_class_isvalid(p, tr->tclass) ||
 
 		    !policydb_role_isvalid(p, tr->new_role))
 
 			goto bad;
 
 		ltr = tr;

+ 2 - 1
security/selinux/ss/policydb.h
查看文件 

@@ -72,7 +72,8 @@ struct role_datum {
 
 
 struct role_trans {
 
 	u32 role;		/* current role */
 
-	u32 type;		/* program executable type */
 
+	u32 type;		/* program executable type, or new object type */
 
+	u32 tclass;		/* process class, or new object class */
 
 	u32 new_role;		/* new role */
 
 	struct role_trans *next;
 
 };