SELinux: allow userspace to read policy back out of the kernel

There is interest in being able to see what the actual policy is that was loaded into the kernel. The patch creates a new selinuxfs file /selinux/policy which can be read by userspace. The actual policy that is loaded into the kernel will be written back out to userspace. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2010-10-13 17:50:25 -0400
committer: James Morris <jmorris@namei.org> 2010-10-20 19:12:58 -0400
commit: cee74f47a6baba0ac457e87687fdcf0abd599f0a (patch)
tree: 3d9fdb073050664e62d9cdb6c28112090cd138da /security/selinux/ss/services.c
parent: 00d85c83ac52e2c1a66397f1abc589f80c543425 (diff)
1 files changed, 48 insertions, 0 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 60964d79e5eb..7565d16aac31 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1776,6 +1776,7 @@ int security_load_policy(void *data, size_t len)
                        return rc;
                }
+                policydb.len = len;
                rc = selinux_set_mapping(&policydb, secclass_map,
                                         &current_mapping,
                                         &current_mapping_size);
@@ -1812,6 +1813,7 @@ int security_load_policy(void *data, size_t len)
        if (rc)
                return rc;
+        newpolicydb.len = len;
        /* If switching between different policy types, log MLS status */
        if (policydb.mls_enabled && !newpolicydb.mls_enabled)
                printk(KERN_INFO "SELinux: Disabling MLS support...\n");
@@ -1892,6 +1894,17 @@ err:
 }
+size_t security_policydb_len(void)
+{
+        size_t len;
+        read_lock(&policy_rwlock);
+        len = policydb.len;
+        read_unlock(&policy_rwlock);
+        return len;
+}
 /**
 * security_port_sid - Obtain the SID for a port.
 * @protocol: protocol number
@@ -3139,3 +3152,38 @@ netlbl_sid_to_secattr_failure:
        return rc;
 }
 #endif /* CONFIG_NETLABEL */
+/**
+ * security_read_policy - read the policy.
+ * @data: binary policy data
+ * @len: length of data in bytes
+ *
+ */
+int security_read_policy(void **data, ssize_t *len)
+{
+        int rc;
+        struct policy_file fp;
+        if (!ss_initialized)
+                return -EINVAL;
+        *len = security_policydb_len();
+        *data = vmalloc(*len);
+        if (!*data)
+                return -ENOMEM;
+        fp.data = *data;
+        fp.len = *len;
+        read_lock(&policy_rwlock);
+        rc = policydb_write(&policydb, &fp);
+        read_unlock(&policy_rwlock);
+        if (rc)
+                return rc;
+        *len = (unsigned long)fp.data - (unsigned long)*data;
+        return 0;
+}
author	Eric Paris <eparis@redhat.com>	2010-10-13 17:50:25 -0400
committer	James Morris <jmorris@namei.org>	2010-10-20 19:12:58 -0400
commit	cee74f47a6baba0ac457e87687fdcf0abd599f0a (patch)
tree	3d9fdb073050664e62d9cdb6c28112090cd138da /security/selinux/ss/services.c
parent	00d85c83ac52e2c1a66397f1abc589f80c543425 (diff)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 60964d79e5eb..7565d16aac31 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -1776,6 +1776,7 @@ int security_load_policy(void *data, size_t len)
1776	return rc;	1776	return rc;
1777	}	1777	}
1778		1778
		1779	policydb.len = len;
1779	rc = selinux_set_mapping(&policydb, secclass_map,	1780	rc = selinux_set_mapping(&policydb, secclass_map,
1780	&current_mapping,	1781	&current_mapping,
1781	&current_mapping_size);	1782	&current_mapping_size);
@@ -1812,6 +1813,7 @@ int security_load_policy(void *data, size_t len)
1812	if (rc)	1813	if (rc)
1813	return rc;	1814	return rc;
1814		1815
		1816	newpolicydb.len = len;
1815	/* If switching between different policy types, log MLS status */	1817	/* If switching between different policy types, log MLS status */
1816	if (policydb.mls_enabled && !newpolicydb.mls_enabled)	1818	if (policydb.mls_enabled && !newpolicydb.mls_enabled)
1817	printk(KERN_INFO "SELinux: Disabling MLS support...\n");	1819	printk(KERN_INFO "SELinux: Disabling MLS support...\n");
@@ -1892,6 +1894,17 @@ err:
1892		1894
1893	}	1895	}
1894		1896
		1897	size_t security_policydb_len(void)
		1898	{
		1899	size_t len;
		1900
		1901	read_lock(&policy_rwlock);
		1902	len = policydb.len;
		1903	read_unlock(&policy_rwlock);
		1904
		1905	return len;
		1906	}
		1907
1895	/**	1908	/**
1896	* security_port_sid - Obtain the SID for a port.	1909	* security_port_sid - Obtain the SID for a port.
1897	* @protocol: protocol number	1910	* @protocol: protocol number
@@ -3139,3 +3152,38 @@ netlbl_sid_to_secattr_failure:
3139	return rc;	3152	return rc;
3140	}	3153	}
3141	#endif /* CONFIG_NETLABEL */	3154	#endif /* CONFIG_NETLABEL */
		3155
		3156	/**
		3157	* security_read_policy - read the policy.
		3158	* @data: binary policy data
		3159	* @len: length of data in bytes
		3160	*
		3161	*/
		3162	int security_read_policy(void *data, ssize_t len)
		3163	{
		3164	int rc;
		3165	struct policy_file fp;
		3166
		3167	if (!ss_initialized)
		3168	return -EINVAL;
		3169
		3170	*len = security_policydb_len();
		3171
		3172	data = vmalloc(len);
		3173	if (!*data)
		3174	return -ENOMEM;
		3175
		3176	fp.data = *data;
		3177	fp.len = *len;
		3178
		3179	read_lock(&policy_rwlock);
		3180	rc = policydb_write(&policydb, &fp);
		3181	read_unlock(&policy_rwlock);
		3182
		3183	if (rc)
		3184	return rc;
		3185
		3186	len = (unsigned long)fp.data - (unsigned long)data;
		3187	return 0;
		3188
		3189	}