1 files changed, 26 insertions, 0 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c9e92daedee..f5f3e6da5da 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -103,6 +103,8 @@ enum sel_inos {
        SEL_MEMBER,     /* compute polyinstantiation membership decision */
        SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
        SEL_COMPAT_NET, /* whether to use old compat network packet controls */
+        SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */
+        SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */
        SEL_INO_NEXT,   /* The next inode number to use */
 };
@@ -177,6 +179,23 @@ static const struct file_operations sel_enforce_ops = {
        .write          = sel_write_enforce,
 };
+static ssize_t sel_read_handle_unknown(struct file *filp, char __user *buf,
+                                        size_t count, loff_t *ppos)
+{
+        char tmpbuf[TMPBUFLEN];
+        ssize_t length;
+        ino_t ino = filp->f_path.dentry->d_inode->i_ino;
+        int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ?
+                security_get_reject_unknown() : !security_get_allow_unknown();
+        length = scnprintf(tmpbuf, TMPBUFLEN, "%d", handle_unknown);
+        return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
+}
+static const struct file_operations sel_handle_unknown_ops = {
+        .read           = sel_read_handle_unknown,
+};
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 static ssize_t sel_write_disable(struct file * file, const char __user * buf,
                                 size_t count, loff_t *ppos)
@@ -309,6 +328,11 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf,
                length = count;
 out1:
+        printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
+               (security_get_reject_unknown() ? "reject" :
+                (security_get_allow_unknown() ? "allow" : "deny")));
        audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
                "policy loaded auid=%u",
                audit_get_loginuid(current->audit_context));
@@ -1575,6 +1599,8 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
                [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
                [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
                [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
+                [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
+                [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
                /* last one */ {""}
        };
        ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index c9e92daedee..f5f3e6da5da 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c
@@ -103,6 +103,8 @@ enum sel_inos {
103	SEL_MEMBER, /* compute polyinstantiation membership decision */	103	SEL_MEMBER, /* compute polyinstantiation membership decision */
104	SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */	104	SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
105	SEL_COMPAT_NET, /* whether to use old compat network packet controls */	105	SEL_COMPAT_NET, /* whether to use old compat network packet controls */
		106	SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */
		107	SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */
106	SEL_INO_NEXT, /* The next inode number to use */	108	SEL_INO_NEXT, /* The next inode number to use */
107	};	109	};
108		110
@@ -177,6 +179,23 @@ static const struct file_operations sel_enforce_ops = {
177	.write = sel_write_enforce,	179	.write = sel_write_enforce,
178	};	180	};
179		181
		182	static ssize_t sel_read_handle_unknown(struct file filp, char __user buf,
		183	size_t count, loff_t *ppos)
		184	{
		185	char tmpbuf[TMPBUFLEN];
		186	ssize_t length;
		187	ino_t ino = filp->f_path.dentry->d_inode->i_ino;
		188	int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ?
		189	security_get_reject_unknown() : !security_get_allow_unknown();
		190
		191	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", handle_unknown);
		192	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
		193	}
		194
		195	static const struct file_operations sel_handle_unknown_ops = {
		196	.read = sel_read_handle_unknown,
		197	};
		198
180	#ifdef CONFIG_SECURITY_SELINUX_DISABLE	199	#ifdef CONFIG_SECURITY_SELINUX_DISABLE
181	static ssize_t sel_write_disable(struct file * file, const char __user * buf,	200	static ssize_t sel_write_disable(struct file * file, const char __user * buf,
182	size_t count, loff_t *ppos)	201	size_t count, loff_t *ppos)
@@ -309,6 +328,11 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf,
309	length = count;	328	length = count;
310		329
311	out1:	330	out1:
		331
		332	printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
		333	(security_get_reject_unknown() ? "reject" :
		334	(security_get_allow_unknown() ? "allow" : "deny")));
		335
312	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,	336	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
313	"policy loaded auid=%u",	337	"policy loaded auid=%u",
314	audit_get_loginuid(current->audit_context));	338	audit_get_loginuid(current->audit_context));
@@ -1575,6 +1599,8 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
1575	[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO\|S_IWUGO},	1599	[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO\|S_IWUGO},
1576	[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO\|S_IWUSR},	1600	[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO\|S_IWUSR},
1577	[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO\|S_IWUSR},	1601	[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO\|S_IWUSR},
		1602	[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
		1603	[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
1578	/* last one */ {""}	1604	/* last one */ {""}
1579	};	1605	};
1580	ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);	1606	ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);