path: root/security/selinux/ss/policydb.c
authorEric Paris <eparis@redhat.com>2012-03-20 14:35:12 -0400
committerEric Paris <eparis@redhat.com>2012-04-09 12:22:47 -0400
commitaa893269de6277b44be88e25dcd5331c934c29c4 (patch)
treef994e023f787c1665b65725f2c009a9f5a021be7 /security/selinux/ss/policydb.c
parent6ce74ec75ca690c4fb3a3c5f8b7767d094d93215 (diff)
SELinux: allow default source/target selectors for user/role/range
When new objects are created we have great and flexible rules to determine the type of the new object. We aren't quite as flexible or mature when it comes to determining the user, role, and range. This patch adds a new ability to specify the place a new object's user, role, and range should come from. For users and roles it can come from either the source or the target of the operation. aka for files the user can either come from the source (the running process and today's default) or it can come from the target (aka the parent directory of the new file). Examples are always done with directory context: system_u:object_r:mnt_t:s0-s0:c0.c512 process context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [no rule] unconfined_u:object_r:mnt_t:s0 test_none [default user source] unconfined_u:object_r:mnt_t:s0 test_user_source [default user target] system_u:object_r:mnt_t:s0 test_user_target [default role source] unconfined_u:unconfined_r:mnt_t:s0 test_role_source [default role target] unconfined_u:object_r:mnt_t:s0 test_role_target [default range source low] unconfined_u:object_r:mnt_t:s0 test_range_source_low [default range source high] unconfined_u:object_r:mnt_t:s0:c0.c1023 test_range_source_high [default range source low-high] unconfined_u:object_r:mnt_t:s0-s0:c0.c1023 test_range_source_low-high [default range target low] unconfined_u:object_r:mnt_t:s0 test_range_target_low [default range target high] unconfined_u:object_r:mnt_t:s0:c0.c512 test_range_target_high [default range target low-high] unconfined_u:object_r:mnt_t:s0-s0:c0.c512 test_range_target_low-high Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/ss/policydb.c')
-rw-r--r--security/selinux/ss/policydb.c25
1 files changed, 25 insertions, 0 deletions
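diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index a7f61d52f05c..2bb9c2fd5f1a 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -133,6 +133,11 @@ static struct policydb_compat_info policydb_compat[] = {
 		.sym_num = SYM_NUM,
 		.ocon_num = OCON_NUM,
 	},
+	{
+		.version = POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
+		.sym_num = SYM_NUM,
+		.ocon_num = OCON_NUM,
+	},
 };
 
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -1306,6 +1311,16 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
 			goto bad;
 	}
 
+	if (p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) {
+		rc = next_entry(buf, fp, sizeof(u32) * 3);
+		if (rc)
+			goto bad;
+
+		cladatum->default_user = le32_to_cpu(buf[0]);
+		cladatum->default_role = le32_to_cpu(buf[1]);
+		cladatum->default_range = le32_to_cpu(buf[2]);
+	}
+
 	rc = hashtab_insert(h, key, cladatum);
 	if (rc)
 		goto bad;
@@ -2832,6 +2847,16 @@ static int class_write(void *vkey, void *datum, void *ptr)
 	if (rc)
 		return rc;
 
+	if (p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) {
+		buf[0] = cpu_to_le32(cladatum->default_user);
+		buf[1] = cpu_to_le32(cladatum->default_role);
+		buf[2] = cpu_to_le32(cladatum->default_range);
+
+		rc = put_entry(buf, sizeof(uint32_t), 3, fp);
+		if (rc)
+			return rc;
+	}
+
 	return 0;
 }
 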
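Review bot: The three selector values stored at new lines 1319-1321 of class_read are taken straight from the policy image with no range check, although the surrounding loader rejects other malformed input through the `goto bad` paths visible just above and below the added block. A policy carrying a value outside the selectors this commit introduces (none, source, target, and the low/high/low-high range variants listed in the description; the constants themselves are presumably in a header not shown here) is accepted as-is, and whatever later consumes `default_user`/`default_role`/`default_range` has to tolerate it; I would reject it at load time instead, setting `rc = -EINVAL;` before the existing `goto bad;`, since `rc` is 0 after a successful `next_entry`. Policy loading is a privileged operation, so this is about keeping every loaded policydb well-formed rather than about a privilege boundary. class_read begins outside the hunk, so the declaration of `buf` that the `sizeof(u32) * 3` read relies on cannot be confirmed from here and is worth checking alongside.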