Commit eed7795d authored by Eric Paris's avatar Eric Paris

SELinux: add default_type statements

Because Fedora shipped userspace based on my development tree we now
have policy version 27 in the wild defining only default user, role, and
range.  Thus to add default_type we need a policy.28.
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent aa893269
...@@ -32,13 +32,14 @@ ...@@ -32,13 +32,14 @@
#define POLICYDB_VERSION_FILENAME_TRANS 25 #define POLICYDB_VERSION_FILENAME_TRANS 25
#define POLICYDB_VERSION_ROLETRANS 26 #define POLICYDB_VERSION_ROLETRANS 26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
#define POLICYDB_VERSION_DEFAULT_TYPE 28
/* Range of policy versions we understand*/ /* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
#else #else
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS #define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE
#endif #endif
/* Mask for just the mount related flags */ /* Mask for just the mount related flags */
......
...@@ -138,6 +138,11 @@ static struct policydb_compat_info policydb_compat[] = { ...@@ -138,6 +138,11 @@ static struct policydb_compat_info policydb_compat[] = {
.sym_num = SYM_NUM, .sym_num = SYM_NUM,
.ocon_num = OCON_NUM, .ocon_num = OCON_NUM,
}, },
{
.version = POLICYDB_VERSION_DEFAULT_TYPE,
.sym_num = SYM_NUM,
.ocon_num = OCON_NUM,
},
}; };
static struct policydb_compat_info *policydb_lookup_compat(int version) static struct policydb_compat_info *policydb_lookup_compat(int version)
...@@ -1321,6 +1326,13 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1321,6 +1326,13 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
cladatum->default_range = le32_to_cpu(buf[2]); cladatum->default_range = le32_to_cpu(buf[2]);
} }
if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
rc = next_entry(buf, fp, sizeof(u32) * 1);
if (rc)
goto bad;
cladatum->default_type = le32_to_cpu(buf[0]);
}
rc = hashtab_insert(h, key, cladatum); rc = hashtab_insert(h, key, cladatum);
if (rc) if (rc)
goto bad; goto bad;
...@@ -2857,6 +2869,13 @@ static int class_write(void *vkey, void *datum, void *ptr) ...@@ -2857,6 +2869,13 @@ static int class_write(void *vkey, void *datum, void *ptr)
return rc; return rc;
} }
if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
buf[0] = cpu_to_le32(cladatum->default_type);
rc = put_entry(buf, sizeof(uint32_t), 1, fp);
if (rc)
return rc;
}
return 0; return 0;
} }
......
...@@ -60,11 +60,12 @@ struct class_datum { ...@@ -60,11 +60,12 @@ struct class_datum {
struct symtab permissions; /* class-specific permission symbol table */ struct symtab permissions; /* class-specific permission symbol table */
struct constraint_node *constraints; /* constraints on class permissions */ struct constraint_node *constraints; /* constraints on class permissions */
struct constraint_node *validatetrans; /* special transition rules */ struct constraint_node *validatetrans; /* special transition rules */
/* Options how a new object user and role should be decided */ /* Options how a new object user, role, and type should be decided */
#define DEFAULT_SOURCE 1 #define DEFAULT_SOURCE 1
#define DEFAULT_TARGET 2 #define DEFAULT_TARGET 2
char default_user; char default_user;
char default_role; char default_role;
char default_type;
/* Options how a new object range should be decided */ /* Options how a new object range should be decided */
#define DEFAULT_SOURCE_LOW 1 #define DEFAULT_SOURCE_LOW 1
#define DEFAULT_SOURCE_HIGH 2 #define DEFAULT_SOURCE_HIGH 2
......
...@@ -1472,6 +1472,11 @@ static int security_compute_sid(u32 ssid, ...@@ -1472,6 +1472,11 @@ static int security_compute_sid(u32 ssid,
} }
/* Set the type to default values. */ /* Set the type to default values. */
if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
newcontext.type = scontext->type;
} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
newcontext.type = tcontext->type;
} else {
if ((tclass == policydb.process_class) || (sock == true)) { if ((tclass == policydb.process_class) || (sock == true)) {
/* Use the type of process. */ /* Use the type of process. */
newcontext.type = scontext->type; newcontext.type = scontext->type;
...@@ -1479,6 +1484,7 @@ static int security_compute_sid(u32 ssid, ...@@ -1479,6 +1484,7 @@ static int security_compute_sid(u32 ssid,
/* Use the type of the related object. */ /* Use the type of the related object. */
newcontext.type = tcontext->type; newcontext.type = tcontext->type;
} }
}
/* Look for a type transition/member/change rule. */ /* Look for a type transition/member/change rule. */
avkey.source_type = scontext->type; avkey.source_type = scontext->type;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment