Permissive domain in userspace object manager

This patch enables applications to handle permissive domain correctly. Since the v2.6.26 kernel, SELinux has supported an idea of permissive domain which allows certain processes to work as if permissive mode, even if the global setting is enforcing mode. However, we don't have an application program interface to inform what domains are permissive one, and what domains are not. It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL and so on) cannot handle permissive domain correctly. This patch add the sixth field (flags) on the reply of the /selinux/access interface which is used to make an access control decision from userspace. If the first bit of the flags field is positive, it means the required access control decision is on permissive domain, so application should allow any required actions, as the kernel doing. This patch also has a side benefit. The av_decision.flags is set at context_struct_compute_av(). It enables to check required permissions without read_lock(&policy_rwlock). Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> -- security/selinux/avc.c | 2 +- security/selinux/include/security.h | 4 +++- security/selinux/selinuxfs.c | 4 ++-- security/selinux/ss/services.c | 30 +++++------------------------- 4 files changed, 11 insertions(+), 29 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
author: KaiGai Kohei <kaigai@ak.jp.nec.com> 2009-03-31 21:07:57 -0400
committer: James Morris <jmorris@namei.org> 2009-04-01 18:23:45 -0400
commit: 8a6f83afd0c5355db6d11394a798e94950306239 (patch)
tree: f7cb84de87f67eeba0dd68681907696f8a5774d1 /security/selinux/ss
parent: c31f403de62415c738ddc9e673cf8e722c82f861 (diff)
1 files changed, 5 insertions, 25 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index deeec6c013ae..500e6f78e115 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -410,6 +410,7 @@ static int context_struct_compute_av(struct context *scontext,
        avd->auditallow = 0;
        avd->auditdeny = 0xffffffff;
        avd->seqno = latest_granting;
+        avd->flags = 0;
        /*
         * Check for all the invalid cases.
@@ -528,31 +529,6 @@ inval_class:
        return 0;
 }
-/*
- * Given a sid find if the type has the permissive flag set
- */
-int security_permissive_sid(u32 sid)
-{
-        struct context *context;
-        u32 type;
-        int rc;
-        read_lock(&policy_rwlock);
-        context = sidtab_search(&sidtab, sid);
-        BUG_ON(!context);
-        type = context->type;
-        /*
-         * we are intentionally using type here, not type-1, the 0th bit may
-         * someday indicate that we are globally setting permissive in policy.
-         */
-        rc = ebitmap_get_bit(&policydb.permissive_map, type);
-        read_unlock(&policy_rwlock);
-        return rc;
-}
 static int security_validtrans_handle_fail(struct context *ocontext,
                                           struct context *ncontext,
                                           struct context *tcontext,
@@ -767,6 +743,10 @@ int security_compute_av(u32 ssid,
        rc = context_struct_compute_av(scontext, tcontext, tclass,
                                       requested, avd);
+        /* permissive domain? */
+        if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+            avd->flags |= AVD_FLAGS_PERMISSIVE;
 out:
        read_unlock(&policy_rwlock);
        return rc;
author	KaiGai Kohei <kaigai@ak.jp.nec.com>	2009-03-31 21:07:57 -0400
committer	James Morris <jmorris@namei.org>	2009-04-01 18:23:45 -0400
commit	8a6f83afd0c5355db6d11394a798e94950306239 (patch)
tree	f7cb84de87f67eeba0dd68681907696f8a5774d1 /security/selinux/ss
parent	c31f403de62415c738ddc9e673cf8e722c82f861 (diff)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index deeec6c013ae..500e6f78e115 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -410,6 +410,7 @@ static int context_struct_compute_av(struct context *scontext,
410	avd->auditallow = 0;	410	avd->auditallow = 0;
411	avd->auditdeny = 0xffffffff;	411	avd->auditdeny = 0xffffffff;
412	avd->seqno = latest_granting;	412	avd->seqno = latest_granting;
		413	avd->flags = 0;
413		414
414	/*	415	/*
415	* Check for all the invalid cases.	416	* Check for all the invalid cases.
@@ -528,31 +529,6 @@ inval_class:
528	return 0;	529	return 0;
529	}	530	}
530		531
531	/*
532	* Given a sid find if the type has the permissive flag set
533	*/
534	int security_permissive_sid(u32 sid)
535	{
536	struct context *context;
537	u32 type;
538	int rc;
539
540	read_lock(&policy_rwlock);
541
542	context = sidtab_search(&sidtab, sid);
543	BUG_ON(!context);
544
545	type = context->type;
546	/*
547	* we are intentionally using type here, not type-1, the 0th bit may
548	* someday indicate that we are globally setting permissive in policy.
549	*/
550	rc = ebitmap_get_bit(&policydb.permissive_map, type);
551
552	read_unlock(&policy_rwlock);
553	return rc;
554	}
555
556	static int security_validtrans_handle_fail(struct context *ocontext,	532	static int security_validtrans_handle_fail(struct context *ocontext,
557	struct context *ncontext,	533	struct context *ncontext,
558	struct context *tcontext,	534	struct context *tcontext,
@@ -767,6 +743,10 @@ int security_compute_av(u32 ssid,
767		743
768	rc = context_struct_compute_av(scontext, tcontext, tclass,	744	rc = context_struct_compute_av(scontext, tcontext, tclass,
769	requested, avd);	745	requested, avd);
		746
		747	/* permissive domain? */
		748	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
		749	avd->flags \|= AVD_FLAGS_PERMISSIVE;
770	out:	750	out:
771	read_unlock(&policy_rwlock);	751	read_unlock(&policy_rwlock);
772	return rc;	752	return rc;