diff options
| author | Eric Paris <eparis@redhat.com> | 2011-02-01 11:05:40 -0500 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2011-02-01 11:12:30 -0500 |
| commit | 652bb9b0d6ce007f37c098947b2cc0c45efa3f66 (patch) | |
| tree | 7bf76f04a1fcaa401761a9a734b94682e2ac8b8c /security/selinux/ss/policydb.h | |
| parent | 2a7dba391e5628ad665ce84ef9a6648da541ebab (diff) | |
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/ss/policydb.h')
| -rw-r--r-- | security/selinux/ss/policydb.h | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 4e3ab9d0b315..732ea4a68682 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h | |||
| @@ -77,6 +77,15 @@ struct role_trans { | |||
| 77 | struct role_trans *next; | 77 | struct role_trans *next; |
| 78 | }; | 78 | }; |
| 79 | 79 | ||
| 80 | struct filename_trans { | ||
| 81 | struct filename_trans *next; | ||
| 82 | u32 stype; /* current process */ | ||
| 83 | u32 ttype; /* parent dir context */ | ||
| 84 | u16 tclass; /* class of new object */ | ||
| 85 | const char *name; /* last path component */ | ||
| 86 | u32 otype; /* expected of new object */ | ||
| 87 | }; | ||
| 88 | |||
| 80 | struct role_allow { | 89 | struct role_allow { |
| 81 | u32 role; /* current role */ | 90 | u32 role; /* current role */ |
| 82 | u32 new_role; /* new role */ | 91 | u32 new_role; /* new role */ |
| @@ -217,6 +226,9 @@ struct policydb { | |||
| 217 | /* role transitions */ | 226 | /* role transitions */ |
| 218 | struct role_trans *role_tr; | 227 | struct role_trans *role_tr; |
| 219 | 228 | ||
| 229 | /* file transitions with the last path component */ | ||
| 230 | struct filename_trans *filename_trans; | ||
| 231 | |||
| 220 | /* bools indexed by (value - 1) */ | 232 | /* bools indexed by (value - 1) */ |
| 221 | struct cond_bool_datum **bool_val_to_struct; | 233 | struct cond_bool_datum **bool_val_to_struct; |
| 222 | /* type enforcement conditional access vectors and transitions */ | 234 | /* type enforcement conditional access vectors and transitions */ |
| @@ -302,7 +314,7 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes) | |||
| 302 | return 0; | 314 | return 0; |
| 303 | } | 315 | } |
| 304 | 316 | ||
| 305 | static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file *fp) | 317 | static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp) |
| 306 | { | 318 | { |
| 307 | size_t len = bytes * num; | 319 | size_t len = bytes * num; |
| 308 | 320 | ||