SELinux: allow userspace to read policy back out of the kernel

There is interest in being able to see what the actual policy is that was
loaded into the kernel.  The patch creates a new selinuxfs file
/selinux/policy which can be read by userspace.  The actual policy that is
loaded into the kernel will be written back out to userspace.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 42 insertions, 0 deletions

diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 77a917ccc045..a3dd9faa19c0 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -501,6 +501,48 @@ bad:
         goto out;
 }
 
+int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp)
+{
+        __le16 buf16[4];
+        __le32 buf32[1];
+        int rc;
+
+        buf16[0] = cpu_to_le16(cur->key.source_type);
+        buf16[1] = cpu_to_le16(cur->key.target_type);
+        buf16[2] = cpu_to_le16(cur->key.target_class);
+        buf16[3] = cpu_to_le16(cur->key.specified);
+        rc = put_entry(buf16, sizeof(u16), 4, fp);
+        if (rc)
+                return rc;
+        buf32[0] = cpu_to_le32(cur->datum.data);
+        rc = put_entry(buf32, sizeof(u32), 1, fp);
+        if (rc)
+                return rc;
+        return 0;
+}
+
+int avtab_write(struct policydb *p, struct avtab *a, void *fp)
+{
+        unsigned int i;
+        int rc = 0;
+        struct avtab_node *cur;
+        __le32 buf[1];
+
+        buf[0] = cpu_to_le32(a->nel);
+        rc = put_entry(buf, sizeof(u32), 1, fp);
+        if (rc)
+                return rc;
+
+        for (i = 0; i < a->nslot; i++) {
+                for (cur = a->htable[i]; cur; cur = cur->next) {
+                        rc = avtab_write_item(p, cur, fp);
+                        if (rc)
+                                return rc;
+                }
+        }
+
+        return rc;
+}
 void avtab_cache_init(void)
 {
         avtab_node_cachep = kmem_cache_create("avtab_node",