3 files changed, 38 insertions, 0 deletions
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 325551cd7fc..6bdb0ff6a92 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -111,6 +111,11 @@ static struct policydb_compat_info policydb_compat[] = {
                .version        = POLICYDB_VERSION_POLCAP,
                .sym_num        = SYM_NUM,
                .ocon_num       = OCON_NUM,
+        },
+        {
+                .version        = POLICYDB_VERSION_PERMISSIVE,
+                .sym_num        = SYM_NUM,
+                .ocon_num       = OCON_NUM,
        }
 };
@@ -194,6 +199,7 @@ static int policydb_init(struct policydb *p)
                goto out_free_symtab;
        ebitmap_init(&p->policycaps);
+        ebitmap_init(&p->permissive_map);
 out:
        return rc;
@@ -687,6 +693,7 @@ void policydb_destroy(struct policydb *p)
        kfree(p->type_attr_map);
        kfree(p->undefined_perms);
        ebitmap_destroy(&p->policycaps);
+        ebitmap_destroy(&p->permissive_map);
        return;
 }
@@ -1570,6 +1577,10 @@ int policydb_read(struct policydb *p, void *fp)
            ebitmap_read(&p->policycaps, fp) != 0)
                goto bad;
+        if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE &&
+            ebitmap_read(&p->permissive_map, fp) != 0)
+                goto bad;
        info = policydb_lookup_compat(p->policyvers);
        if (!info) {
                printk(KERN_ERR "SELinux:  unable to find policy compat info "
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index c4ce996e202..ba593a3da87 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -243,6 +243,8 @@ struct policydb {
        struct ebitmap policycaps;
+        struct ebitmap permissive_map;
        unsigned int policyvers;
        unsigned int reject_unknown : 1;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index face5795c76..eefa89ce77a 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -417,6 +417,31 @@ inval_class:
        return -EINVAL;
 }
+/*
+ * Given a sid find if the type has the permissive flag set
+ */
+int security_permissive_sid(u32 sid)
+{
+        struct context *context;
+        u32 type;
+        int rc;
+        POLICY_RDLOCK;
+        context = sidtab_search(&sidtab, sid);
+        BUG_ON(!context);
+        type = context->type;
+        /*
+         * we are intentionally using type here, not type-1, the 0th bit may
+         * someday indicate that we are globally setting permissive in policy.
+         */
+        rc = ebitmap_get_bit(&policydb.permissive_map, type);
+        POLICY_RDUNLOCK;
+        return rc;
+}
 static int security_validtrans_handle_fail(struct context *ocontext,
                                           struct context *ncontext,
                                           struct context *tcontext,

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 325551cd7fc..6bdb0ff6a92 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c
@@ -111,6 +111,11 @@ static struct policydb_compat_info policydb_compat[] = {
111	.version = POLICYDB_VERSION_POLCAP,	111	.version = POLICYDB_VERSION_POLCAP,
112	.sym_num = SYM_NUM,	112	.sym_num = SYM_NUM,
113	.ocon_num = OCON_NUM,	113	.ocon_num = OCON_NUM,
		114	},
		115	{
		116	.version = POLICYDB_VERSION_PERMISSIVE,
		117	.sym_num = SYM_NUM,
		118	.ocon_num = OCON_NUM,
114	}	119	}
115	};	120	};
116		121
@@ -194,6 +199,7 @@ static int policydb_init(struct policydb *p)
194	goto out_free_symtab;	199	goto out_free_symtab;
195		200
196	ebitmap_init(&p->policycaps);	201	ebitmap_init(&p->policycaps);
		202	ebitmap_init(&p->permissive_map);
197		203
198	out:	204	out:
199	return rc;	205	return rc;
@@ -687,6 +693,7 @@ void policydb_destroy(struct policydb *p)
687	kfree(p->type_attr_map);	693	kfree(p->type_attr_map);
688	kfree(p->undefined_perms);	694	kfree(p->undefined_perms);
689	ebitmap_destroy(&p->policycaps);	695	ebitmap_destroy(&p->policycaps);
		696	ebitmap_destroy(&p->permissive_map);
690		697
691	return;	698	return;
692	}	699	}
@@ -1570,6 +1577,10 @@ int policydb_read(struct policydb p, void fp)
1570	ebitmap_read(&p->policycaps, fp) != 0)	1577	ebitmap_read(&p->policycaps, fp) != 0)
1571	goto bad;	1578	goto bad;
1572		1579
		1580	if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE &&
		1581	ebitmap_read(&p->permissive_map, fp) != 0)
		1582	goto bad;
		1583
1573	info = policydb_lookup_compat(p->policyvers);	1584	info = policydb_lookup_compat(p->policyvers);
1574	if (!info) {	1585	if (!info) {
1575	printk(KERN_ERR "SELinux: unable to find policy compat info "	1586	printk(KERN_ERR "SELinux: unable to find policy compat info "


diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index c4ce996e202..ba593a3da87 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h
@@ -243,6 +243,8 @@ struct policydb {
243		243
244	struct ebitmap policycaps;	244	struct ebitmap policycaps;
245		245
		246	struct ebitmap permissive_map;
		247
246	unsigned int policyvers;	248	unsigned int policyvers;
247		249
248	unsigned int reject_unknown : 1;	250	unsigned int reject_unknown : 1;


diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index face5795c76..eefa89ce77a 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -417,6 +417,31 @@ inval_class:
417	return -EINVAL;	417	return -EINVAL;
418	}	418	}
419		419
		420	/*
		421	* Given a sid find if the type has the permissive flag set
		422	*/
		423	int security_permissive_sid(u32 sid)
		424	{
		425	struct context *context;
		426	u32 type;
		427	int rc;
		428
		429	POLICY_RDLOCK;
		430
		431	context = sidtab_search(&sidtab, sid);
		432	BUG_ON(!context);
		433
		434	type = context->type;
		435	/*
		436	* we are intentionally using type here, not type-1, the 0th bit may
		437	* someday indicate that we are globally setting permissive in policy.
		438	*/
		439	rc = ebitmap_get_bit(&policydb.permissive_map, type);
		440
		441	POLICY_RDUNLOCK;
		442	return rc;
		443	}
		444
420	static int security_validtrans_handle_fail(struct context *ocontext,	445	static int security_validtrans_handle_fail(struct context *ocontext,
421	struct context *ncontext,	446	struct context *ncontext,
422	struct context *tcontext,	447	struct context *tcontext,