Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/ss/policydb.c19
-rw-r--r--security/selinux/ss/policydb.h3
-rw-r--r--security/selinux/ss/services.c14
4 files changed, 33 insertions, 6 deletions
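diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ba53400195c0..dde2005407aa 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -32,13 +32,14 @@
 #define POLICYDB_VERSION_FILENAME_TRANS 25
 #define POLICYDB_VERSION_ROLETRANS 26
 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
+#define POLICYDB_VERSION_DEFAULT_TYPE 28
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE
 #endif
 
 /* Mask for just the mount related flags */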
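diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 2bb9c2fd5f1a..9cd9b7c661ec 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -138,6 +138,11 @@ static struct policydb_compat_info policydb_compat[] = {
 	.sym_num = SYM_NUM,
 	.ocon_num = OCON_NUM,
 	},
+	{
+	.version = POLICYDB_VERSION_DEFAULT_TYPE,
+	.sym_num = SYM_NUM,
+	.ocon_num = OCON_NUM,
+	},
 };
 
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -1321,6 +1326,13 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
 	cladatum->default_range = le32_to_cpu(buf[2]);
 	}
 
+	if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
+	rc = next_entry(buf, fp, sizeof(u32) * 1);
+	if (rc)
+	goto bad;
+	cladatum->default_type = le32_to_cpu(buf[0]);
+	}
+
 	rc = hashtab_insert(h, key, cladatum);
 	if (rc)
 	goto bad;
@@ -2857,6 +2869,13 @@ static int class_write(void *vkey, void *datum, void *ptr)
 	return rc;
 	}
 
+	if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
+	buf[0] = cpu_to_le32(cladatum->default_type);
+	rc = put_entry(buf, sizeof(uint32_t), 1, fp);
+	if (rc)
+	return rc;
+	}
+
 	return 0;
 }
 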
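Review bot: In class_read the value read at new line 1333 is copied straight from a u32 into the `char default_type` member (declared in policydb.h) with no range check, so anything other than DEFAULT_SOURCE or DEFAULT_TARGET — including a value truncated on the way into `char` — is accepted silently and then handled by the fallback branch that security_compute_sid gains in this same commit. That mirrors how the default_user/default_role fields appear to be read just above the hunk, so it is not a new weakness, but a one-line note would save the next reader a trip: `/* Values other than DEFAULT_SOURCE/DEFAULT_TARGET fall back to the class-based rule in security_compute_sid(). */`. As a style point, class_write at new line 2874 spells the element size `sizeof(uint32_t)` while class_read at new line 1330 uses `sizeof(u32) * 1`; picking one form, `sizeof(u32)`, in both places would keep the read and write paths visibly symmetric. Both class_read and class_write begin and end outside their hunks.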
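diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index a949f1ad43bb..da637471d4ce 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -60,11 +60,12 @@ struct class_datum {
 	struct symtab permissions; /* class-specific permission symbol table */
 	struct constraint_node *constraints; /* constraints on class permissions */
 	struct constraint_node *validatetrans; /* special transition rules */
-	/* Options how a new object user and role should be decided */
+/* Options how a new object user, role, and type should be decided */
 #define DEFAULT_SOURCE 1
 #define DEFAULT_TARGET 2
 	char default_user;
 	char default_role;
+	char default_type;
 /* Options how a new object range should be decided */
 #define DEFAULT_SOURCE_LOW 1
 #define DEFAULT_SOURCE_HIGH 2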
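Review bot: The new `char default_type` member at new line 68 carries no comment of its own, and the shared comment above the DEFAULT_SOURCE/DEFAULT_TARGET defines does not say what a zero (unset) value means for it. Given the fallback branch added to security_compute_sid in this commit, a trailing comment such as `char default_type; /* 0: no policy default, use the process/object rule */` would state the contract where the field is declared. struct class_datum begins and ends outside the hunk.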
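diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 2ea108c2c048..1ded0ec7e8c2 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1472,12 +1472,18 @@ static int security_compute_sid(u32 ssid,
 	}
 
 	/* Set the type to default values. */
-	if ((tclass == policydb.process_class) || (sock == true)) {
-	/* Use the type of process. */
+	if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
 	newcontext.type = scontext->type;
-	} else {
-	/* Use the type of the related object. */
+	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
 	newcontext.type = tcontext->type;
+	} else {
+	if ((tclass == policydb.process_class) || (sock == true)) {
+	/* Use the type of process. */
+	newcontext.type = scontext->type;
+	} else {
+	/* Use the type of the related object. */
+	newcontext.type = tcontext->type;
+	}
 	}
 
 	/* Look for a type transition/member/change rule. */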
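Review bot: The new `else` branch at new lines 1479-1486 nests the unchanged legacy rule one level deeper than it needs to be; both of its conditions can join the `else if` chain, which also keeps the surviving "Use the type of process" / "related object" comments at the same level as the new branches. The two new DEFAULT_SOURCE/DEFAULT_TARGET branches at new lines 1475 and 1477 carry no comment at all, so a reader has to open policydb.h to learn what the policy asked for; one line each, `/* Policy selected the source (process) type. */` and `/* Policy selected the target (object) type. */`, would fix that. The `cladatum &&` guard is repeated on both branches; presumably cladatum can be NULL here, but its assignment lies outside the hunk, as does the rest of security_compute_sid.
```c
	/* Set the type to default values. */
	if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
		/* Policy selected the source (process) type. */
		newcontext.type = scontext->type;
	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
		/* Policy selected the target (object) type. */
		newcontext.type = tcontext->type;
	} else if ((tclass == policydb.process_class) || (sock == true)) {
		/* Use the type of process. */
		newcontext.type = scontext->type;
	} else {
		/* Use the type of the related object. */
		newcontext.type = tcontext->type;
	}
	/* … unchanged: type transition/member/change rule lookup … */
```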