authorChad Sellers <csellers@tresys.com>2006-11-06 12:38:15 -0500
committerJames Morris <jmorris@namei.org>2006-11-28 12:04:35 -0500
commit5a64d4438ed1e759ccd30d9e90842bf360f19298 (patch)
treeb9165ff810788cc934778345201d442f8e869a00 /security/selinux
parent2ea5814472c3c910aed5c5b60f1f3b1000e353f1 (diff)
SELinux: remove current object class and permission validation mechanism
Removes the current SELinux object class and permission validation code, as the current code makes it impossible to change or remove object classes and permissions on a running system. Additionally, the current code does not actually validate that the classes and permissions are correct, but instead merely validates that they do not change between policy reloads. Signed-off-by: Chad Sellers <csellers@tresys.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/ss/services.c91
1 files changed, 0 insertions, 91 deletions
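diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index bfe122764c98..33ae1020091e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1018,89 +1018,6 @@ int security_change_sid(u32 ssid,
 	return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
 }
 
-/*
- * Verify that each permission that is defined under the
- * existing policy is still defined with the same value
- * in the new policy.
- */
-static int validate_perm(void *key, void *datum, void *p)
-{
-	struct hashtab *h;
-	struct perm_datum *perdatum, *perdatum2;
-	int rc = 0;
-
-
-	h = p;
-	perdatum = datum;
-
-	perdatum2 = hashtab_search(h, key);
-	if (!perdatum2) {
-		printk(KERN_ERR "security: permission %s disappeared",
-		       (char *)key);
-		rc = -ENOENT;
-		goto out;
-	}
-	if (perdatum->value != perdatum2->value) {
-		printk(KERN_ERR "security: the value of permission %s changed",
-		       (char *)key);
-		rc = -EINVAL;
-	}
-out:
-	return rc;
-}
-
-/*
- * Verify that each class that is defined under the
- * existing policy is still defined with the same
- * attributes in the new policy.
- */
-static int validate_class(void *key, void *datum, void *p)
-{
-	struct policydb *newp;
-	struct class_datum *cladatum, *cladatum2;
-	int rc;
-
-	newp = p;
-	cladatum = datum;
-
-	cladatum2 = hashtab_search(newp->p_classes.table, key);
-	if (!cladatum2) {
-		printk(KERN_ERR "security: class %s disappeared\n",
-		       (char *)key);
-		rc = -ENOENT;
-		goto out;
-	}
-	if (cladatum->value != cladatum2->value) {
-		printk(KERN_ERR "security: the value of class %s changed\n",
-		       (char *)key);
-		rc = -EINVAL;
-		goto out;
-	}
-	if ((cladatum->comdatum && !cladatum2->comdatum) ||
-	    (!cladatum->comdatum && cladatum2->comdatum)) {
-		printk(KERN_ERR "security: the inherits clause for the access "
-		       "vector definition for class %s changed\n", (char *)key);
-		rc = -EINVAL;
-		goto out;
-	}
-	if (cladatum->comdatum) {
-		rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm,
-				 cladatum2->comdatum->permissions.table);
-		if (rc) {
-			printk(" in the access vector definition for class "
-			       "%s\n", (char *)key);
-			goto out;
-		}
-	}
-	rc = hashtab_map(cladatum->permissions.table, validate_perm,
-			 cladatum2->permissions.table);
-	if (rc)
-		printk(" in access vector definition for class %s\n",
-		       (char *)key);
-out:
-	return rc;
-}
-
 /* Clone the SID into the new SID table. */
 static int clone_sid(u32 sid,
 		     struct context *context,
@@ -1265,14 +1182,6 @@ int security_load_policy(void *data, size_t len)
 
 	sidtab_init(&newsidtab);
 
-	/* Verify that the existing classes did not change. */
-	if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) {
-		printk(KERN_ERR "security: the definition of an existing "
-		       "class changed\n");
-		rc = -EINVAL;
-		goto err;
-	}
-
 	/* Clone the SID table. */
 	sidtab_shutdown(&sidtab);
 	if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {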