authorKaiGai Kohei <kaigai@ak.jp.nec.com>2009-03-31 21:07:57 -0400
committerJames Morris <jmorris@namei.org>2009-04-01 18:23:45 -0400
commit8a6f83afd0c5355db6d11394a798e94950306239 (patch)
treef7cb84de87f67eeba0dd68681907696f8a5774d1 /security/selinux/selinuxfs.c
parentc31f403de62415c738ddc9e673cf8e722c82f861 (diff)
Permissive domain in userspace object manager
This patch enables applications to handle permissive domains correctly. Since the v2.6.26 kernel, SELinux has supported the idea of a permissive domain, which allows certain processes to run as if in permissive mode even if the global setting is enforcing mode. However, we don't have an application program interface that reports which domains are permissive and which are not. This means that SELinux-aware applications (XACE/SELinux, SE-PostgreSQL and so on) cannot handle permissive domains correctly. This patch adds a sixth field (flags) to the reply of the /selinux/access interface, which is used to make an access control decision from userspace. If the first bit of the flags field is set, the requested access control decision is for a permissive domain, so the application should allow the requested actions, as the kernel does. This patch also has a side benefit. The av_decision.flags is set at context_struct_compute_av(). This makes it possible to check the required permissions without taking read_lock(&policy_rwlock). Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> -- security/selinux/avc.c | 2 +- security/selinux/include/security.h | 4 +++- security/selinux/selinuxfs.c | 4 ++-- security/selinux/ss/services.c | 30 +++++------------------------- 4 files changed, 11 insertions(+), 29 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/selinuxfs.c')
-rw-r--r--security/selinux/selinuxfs.c4
1 files changed, 2 insertions, 2 deletions
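--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -527,10 +527,10 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
 goto out2;
 
 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
-"%x %x %x %x %u",
+"%x %x %x %x %u %x",
 avd.allowed, 0xffffffff,
 avd.auditallow, avd.auditdeny,
-avd.seqno);
+avd.seqno, avd.flags);
 out2:
 kfree(tcon);
 out: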
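Review bot: The reply written by the scnprintf call in this hunk is a userspace ABI, yet nothing next to the call records the field order or how a reader should treat the new sixth value. I would add a comment above the call such as `/* reply: allowed, 0xffffffff, auditallow, auditdeny, seqno, flags (seqno decimal, others hex) */`. Kernels before this change emit only five fields, so the comment or the interface documentation should also say that a userspace object manager must treat a missing flags field as 0, so that it stays enforcing when the kernel did not report a permissive domain. sel_write_access starts and ends outside the hunk, so the request parsing that precedes this reply is not visible here.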