aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJames Carter <jwcart2@tycho.nsa.gov>2007-04-04 10:11:29 -0400
committerJames Morris <jmorris@namei.org>2007-04-26 01:36:00 -0400
commitf0ee2e467ffa68c3122128b704c1540ee294b748 (patch)
tree1fb9bf27386233b88406b50ff69b83a2c9cdbe38 /security
parenta764ae4b0781fac75f9657bc737c37ae59888389 (diff)
selinux: export initial SID contexts via selinuxfs
Make the initial SID contexts accessible to userspace via selinuxfs. An initial use of this support will be to make the unlabeled context available to libselinux for use for invalidated userspace SIDs. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/include/security.h2
-rw-r--r--security/selinux/selinuxfs.c67
-rw-r--r--security/selinux/ss/services.c7
3 files changed, 76 insertions, 0 deletions
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index bfe562c36469..b94378afea25 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -123,5 +123,7 @@ static inline int security_netlbl_sid_to_secattr(u32 sid,
123} 123}
124#endif /* CONFIG_NETLABEL */ 124#endif /* CONFIG_NETLABEL */
125 125
126const char *security_get_initial_sid_context(u32 sid);
127
126#endif /* _SELINUX_SECURITY_H_ */ 128#endif /* _SELINUX_SECURITY_H_ */
127 129
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 93b3177c7585..e24235c59ddf 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -102,6 +102,9 @@ enum sel_inos {
102 SEL_COMPAT_NET, /* whether to use old compat network packet controls */ 102 SEL_COMPAT_NET, /* whether to use old compat network packet controls */
103}; 103};
104 104
105#define SEL_INITCON_INO_OFFSET 0x01000000
106#define SEL_INO_MASK 0x00ffffff
107
105#define TMPBUFLEN 12 108#define TMPBUFLEN 12
106static ssize_t sel_read_enforce(struct file *filp, char __user *buf, 109static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
107 size_t count, loff_t *ppos) 110 size_t count, loff_t *ppos)
@@ -1240,6 +1243,55 @@ out:
1240 return ret; 1243 return ret;
1241} 1244}
1242 1245
1246static ssize_t sel_read_initcon(struct file * file, char __user *buf,
1247 size_t count, loff_t *ppos)
1248{
1249 struct inode *inode;
1250 char *con;
1251 u32 sid, len;
1252 ssize_t ret;
1253
1254 inode = file->f_path.dentry->d_inode;
1255 sid = inode->i_ino&SEL_INO_MASK;
1256 ret = security_sid_to_context(sid, &con, &len);
1257 if (ret < 0)
1258 return ret;
1259
1260 ret = simple_read_from_buffer(buf, count, ppos, con, len);
1261 kfree(con);
1262 return ret;
1263}
1264
1265static const struct file_operations sel_initcon_ops = {
1266 .read = sel_read_initcon,
1267};
1268
1269static int sel_make_initcon_files(struct dentry *dir)
1270{
1271 int i, ret = 0;
1272
1273 for (i = 1; i <= SECINITSID_NUM; i++) {
1274 struct inode *inode;
1275 struct dentry *dentry;
1276 dentry = d_alloc_name(dir, security_get_initial_sid_context(i));
1277 if (!dentry) {
1278 ret = -ENOMEM;
1279 goto out;
1280 }
1281
1282 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1283 if (!inode) {
1284 ret = -ENOMEM;
1285 goto out;
1286 }
1287 inode->i_fop = &sel_initcon_ops;
1288 inode->i_ino = i|SEL_INITCON_INO_OFFSET;
1289 d_add(dentry, inode);
1290 }
1291out:
1292 return ret;
1293}
1294
1243static int sel_make_dir(struct inode *dir, struct dentry *dentry) 1295static int sel_make_dir(struct inode *dir, struct dentry *dentry)
1244{ 1296{
1245 int ret = 0; 1297 int ret = 0;
@@ -1336,6 +1388,21 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
1336 ret = sel_make_avc_files(dentry); 1388 ret = sel_make_avc_files(dentry);
1337 if (ret) 1389 if (ret)
1338 goto err; 1390 goto err;
1391
1392 dentry = d_alloc_name(sb->s_root, "initial_contexts");
1393 if (!dentry) {
1394 ret = -ENOMEM;
1395 goto err;
1396 }
1397
1398 ret = sel_make_dir(root_inode, dentry);
1399 if (ret)
1400 goto err;
1401
1402 ret = sel_make_initcon_files(dentry);
1403 if (ret)
1404 goto err;
1405
1339out: 1406out:
1340 return ret; 1407 return ret;
1341err: 1408err:
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index d3698568a213..21b8318979e3 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -593,6 +593,13 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
593 593
594#include "initial_sid_to_string.h" 594#include "initial_sid_to_string.h"
595 595
596const char *security_get_initial_sid_context(u32 sid)
597{
598 if (unlikely(sid > SECINITSID_NUM))
599 return NULL;
600 return initial_sid_to_string[sid];
601}
602
596/** 603/**
597 * security_sid_to_context - Obtain a context for a given SID. 604 * security_sid_to_context - Obtain a context for a given SID.
598 * @sid: security identifier, SID 605 * @sid: security identifier, SID