-rw-r--r-- | security/selinux/include/security.h | 3 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 19 | ||||
-rw-r--r-- | security/selinux/ss/policydb.h | 3 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 14 |
4 files changed, 33 insertions, 6 deletions
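diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ba53400195c0..dde2005407aa 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -32,13 +32,14 @@
 #define POLICYDB_VERSION_FILENAME_TRANS 25
 #define POLICYDB_VERSION_ROLETRANS 26
 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
+#define POLICYDB_VERSION_DEFAULT_TYPE 28
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE
 #endif
 
 /* Mask for just the mount related flags */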
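diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 2bb9c2fd5f1a..9cd9b7c661ec 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -138,6 +138,11 @@ static struct policydb_compat_info policydb_compat[] = {
 .sym_num = SYM_NUM,
 .ocon_num = OCON_NUM,
 },
+{
+.version = POLICYDB_VERSION_DEFAULT_TYPE,
+.sym_num = SYM_NUM,
+.ocon_num = OCON_NUM,
+},
 };
 
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -1321,6 +1326,13 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
 cladatum->default_range = le32_to_cpu(buf[2]);
 }
 
+if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
+rc = next_entry(buf, fp, sizeof(u32) * 1);
+if (rc)
+goto bad;
+cladatum->default_type = le32_to_cpu(buf[0]);
+}
+
 rc = hashtab_insert(h, key, cladatum);
 if (rc)
 goto bad;
@@ -2857,6 +2869,13 @@ static int class_write(void *vkey, void *datum, void *ptr)
 return rc;
 }
 
+if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
+buf[0] = cpu_to_le32(cladatum->default_type);
+rc = put_entry(buf, sizeof(uint32_t), 1, fp);
+if (rc)
+return rc;
+}
+
 return 0;
 }
 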
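Review bot: In class_read the new `cladatum->default_type = le32_to_cpu(buf[0]);` stores an unchecked u32 taken from the policy image into a `char`, so a malformed or hostile policy can carry any value here and it is silently truncated rather than rejected at load time, even though the only meaningful values are 0 (unset), DEFAULT_SOURCE and DEFAULT_TARGET. I would reject anything else before the assignment, e.g. `if (le32_to_cpu(buf[0]) > DEFAULT_TARGET) { rc = -EINVAL; goto bad; }`, assuming -EINVAL is what the rest of class_read returns for malformed input; the new code in security_compute_sid treats unknown values as unset, so today the effect is a silently ignored setting rather than a crash, but a policy load should still fail loudly. The context line `cladatum->default_range = le32_to_cpu(buf[2]);` shows the same unchecked pattern for the earlier defaults, so the check probably belongs there as well, though that code is outside the hunk. On style, `sizeof(u32) * 1` on the read side and `sizeof(uint32_t)` in class_write name the same width two ways; `sizeof(u32)` in both would match. class_read and class_write both begin outside their hunks.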
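diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index a949f1ad43bb..da637471d4ce 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -60,11 +60,12 @@ struct class_datum {
 struct symtab permissions; /* class-specific permission symbol table */
 struct constraint_node *constraints; /* constraints on class permissions */
 struct constraint_node *validatetrans; /* special transition rules */
-/* Options how a new object user and role should be decided */
+/* Options how a new object user, role, and type should be decided */
 #define DEFAULT_SOURCE 1
 #define DEFAULT_TARGET 2
 char default_user;
 char default_role;
+char default_type;
 /* Options how a new object range should be decided */
 #define DEFAULT_SOURCE_LOW 1
 #define DEFAULT_SOURCE_HIGH 2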
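Review bot: The new `char default_type;` field carries no comment, and its zero value has a specific meaning in security_compute_sid: anything other than DEFAULT_SOURCE or DEFAULT_TARGET falls back to the old process/socket rule for choosing the type. I would record that on the field so a reader of the struct does not have to find it in services.c, e.g. `char default_type; /* 0 = unset: security_compute_sid() falls back to the process/socket rule */`. struct class_datum begins outside the hunk.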
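diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 2ea108c2c048..1ded0ec7e8c2 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1472,12 +1472,18 @@ static int security_compute_sid(u32 ssid,
 }
 
 /* Set the type to default values. */
-if ((tclass == policydb.process_class) || (sock == true)) {
-/* Use the type of process. */
+if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
 newcontext.type = scontext->type;
-} else {
-/* Use the type of the related object. */
+} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
 newcontext.type = tcontext->type;
+} else {
+if ((tclass == policydb.process_class) || (sock == true)) {
+/* Use the type of process. */
+newcontext.type = scontext->type;
+} else {
+/* Use the type of the related object. */
+newcontext.type = tcontext->type;
+}
 }
 
 /* Look for a type transition/member/change rule. */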
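Review bot: The new default_type branches in security_compute_sid take precedence over the process/socket rule for every class, including process_class itself, yet nothing in the hunk says so and the retained comment `/* Set the type to default values. */` no longer describes the three-way choice below it. I would replace it with `/* A class-level default_type (DEFAULT_SOURCE/DEFAULT_TARGET) overrides the process/socket rule; 0 or any other value falls through to it. */`. That fallthrough means an out-of-range default_type is silently ignored here rather than reported, which is only acceptable if policy load rejects such values. `cladatum` is assigned outside the hunk, presumably the class_datum for tclass already consulted for the user and role defaults, so its NULL check here looks consistent with that. security_compute_sid begins and ends outside the hunk.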