diff options
| author | Eric Paris <eparis@redhat.com> | 2008-03-30 21:17:33 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-04-18 06:26:11 -0400 |
| commit | 64dbf07474d011540ca479a2e87fe998f570d6e3 (patch) | |
| tree | 364ae3f3a29f06246dd2097674586fe508c4445f /security/selinux/ss/policydb.c | |
| parent | 0356357c5158c71d4cbf20196b2f784435dd916c (diff) | |
selinux: introduce permissive types
Introduce the concept of a permissive type. A new ebitmap is introduced to
the policy database which indicates if a given type has the permissive bit
set or not. This bit is tested for the scontext of any denial. The bit is
meaningless on types which only appear as the target of a decision and never
the source. A domain running with a permissive type will be allowed to
perform any action similarly to when the system is globally set permissive.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/ss/policydb.c')
| -rw-r--r-- | security/selinux/ss/policydb.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 325551cd7fc7..6bdb0ff6a927 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c | |||
| @@ -111,6 +111,11 @@ static struct policydb_compat_info policydb_compat[] = { | |||
| 111 | .version = POLICYDB_VERSION_POLCAP, | 111 | .version = POLICYDB_VERSION_POLCAP, |
| 112 | .sym_num = SYM_NUM, | 112 | .sym_num = SYM_NUM, |
| 113 | .ocon_num = OCON_NUM, | 113 | .ocon_num = OCON_NUM, |
| 114 | }, | ||
| 115 | { | ||
| 116 | .version = POLICYDB_VERSION_PERMISSIVE, | ||
| 117 | .sym_num = SYM_NUM, | ||
| 118 | .ocon_num = OCON_NUM, | ||
| 114 | } | 119 | } |
| 115 | }; | 120 | }; |
| 116 | 121 | ||
| @@ -194,6 +199,7 @@ static int policydb_init(struct policydb *p) | |||
| 194 | goto out_free_symtab; | 199 | goto out_free_symtab; |
| 195 | 200 | ||
| 196 | ebitmap_init(&p->policycaps); | 201 | ebitmap_init(&p->policycaps); |
| 202 | ebitmap_init(&p->permissive_map); | ||
| 197 | 203 | ||
| 198 | out: | 204 | out: |
| 199 | return rc; | 205 | return rc; |
| @@ -687,6 +693,7 @@ void policydb_destroy(struct policydb *p) | |||
| 687 | kfree(p->type_attr_map); | 693 | kfree(p->type_attr_map); |
| 688 | kfree(p->undefined_perms); | 694 | kfree(p->undefined_perms); |
| 689 | ebitmap_destroy(&p->policycaps); | 695 | ebitmap_destroy(&p->policycaps); |
| 696 | ebitmap_destroy(&p->permissive_map); | ||
| 690 | 697 | ||
| 691 | return; | 698 | return; |
| 692 | } | 699 | } |
| @@ -1570,6 +1577,10 @@ int policydb_read(struct policydb *p, void *fp) | |||
| 1570 | ebitmap_read(&p->policycaps, fp) != 0) | 1577 | ebitmap_read(&p->policycaps, fp) != 0) |
| 1571 | goto bad; | 1578 | goto bad; |
| 1572 | 1579 | ||
| 1580 | if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE && | ||
| 1581 | ebitmap_read(&p->permissive_map, fp) != 0) | ||
| 1582 | goto bad; | ||
| 1583 | |||
| 1573 | info = policydb_lookup_compat(p->policyvers); | 1584 | info = policydb_lookup_compat(p->policyvers); |
| 1574 | if (!info) { | 1585 | if (!info) { |
| 1575 | printk(KERN_ERR "SELinux: unable to find policy compat info " | 1586 | printk(KERN_ERR "SELinux: unable to find policy compat info " |