Re: [PATCH] libselinux: introduce enforcing mode override option

On Tue, 2007-11-06 at 16:50 -0500, Eamon Walsh wrote:
> Smalley wrote:
> > On Mon, 2007-11-05 at 15:15 -0500, Eamon Walsh wrote:
> >   
> >> Introduces an enforcing mode override option, so the object manager
> >> can bring up the AVC in permissive mode on an enforcing system, or
> >> vice versa.
> >>     
> >
> > I don't see a way for the object manager to change the enforcing status
> > after avc_open().
> >   
> 
> I didn't think to include that.  Do we want it?  If so it can be added 
> later.

Ultimately, yes - I can envision a userspace object manager exporting
its own interface for changing enforcing mode much as the kernel does,
so admins can do "setenforce [kernel|x|postgres|dbus|...] [0|1]" or the
like.

> 
> > attribute aligned diffs can be a separate patch.
> >
> >   
> 
> I committed those two lines already.  Rebased patch below.
> 
> Introduces an enforcing mode override option, so the object manager
> can bring up the AVC in permissive mode on an enforcing system, or
> vice versa.
> 
> Signed-off-by: Eamon Walsh <ewalsh@xxxxxxxxxxxxx>

Acked-by:  Stephen Smalley <sds@xxxxxxxxxxxxx>

Merge at will.

> ---
> 
>  include/selinux/avc.h |   11 ++++++++++-
>  src/avc.c             |   29 ++++++++++++++++++++---------
>  src/avc_internal.c    |    3 +++
>  src/avc_internal.h    |    1 +
>  4 files changed, 34 insertions(+), 10 deletions(-)
> 
> 
> Index: include/selinux/avc.h
> ===================================================================
> --- include/selinux/avc.h	(revision 2679)
> +++ include/selinux/avc.h	(working copy)
> @@ -157,6 +157,15 @@
>  };
>  
>  /*
> + * Available options
> + */
> +
> +/* no-op option, useful for unused slots in an array of options */
> +#define AVC_OPT_UNUSED		0
> +/* override kernel enforcing mode (boolean value) */
> +#define AVC_OPT_SETENFORCE	1
> +
> +/*
>   * AVC operations
>   */
>  
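Review bot: the comment on AVC_OPT_SETENFORCE says "boolean value" but does not say how that boolean is encoded in the option's value field; avc_open() in the src/avc.c hunk computes `avc_enforcing = !!opts[nopts].value`, so a zero/NULL value selects permissive and anything else selects enforcing. Spell that out here, e.g. `/* override kernel enforcing mode (value: 0 = permissive, non-zero = enforcing) */`, since this header comment is the only documentation a caller of avc_open() will see.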
> @@ -188,7 +197,7 @@
>   *
>   * This function is identical to avc_init(), except the message prefix
>   * is set to "avc" and any callbacks desired should be specified via
> - * selinux_set_callback().  No options are currently supported.
> + * selinux_set_callback().  Available options are listed above.
>   */
>  int avc_open(struct selinux_opt *opts, unsigned nopts);
>  
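Review bot: the avc_open() doc comment should also state that options are applied once, at open time, and that there is currently no call to change the enforcing override afterwards, which the discussion above acknowledges; otherwise a reader of avc.h will go looking for a setter that does not exist. A sentence such as "Options take effect only at open; the enforcing override cannot be changed later." after "Available options are listed above." would cover it.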
> Index: src/avc.c
> ===================================================================
> --- src/avc.c	(revision 2679)
> +++ src/avc.c	(working copy)
> @@ -157,10 +157,19 @@
>  	return rc;
>  }
>  
> -int avc_open(struct selinux_opt *opts __attribute__((unused)),
> -	     unsigned nopts __attribute__((unused)))
> +int avc_open(struct selinux_opt *opts, unsigned nopts)
>  {
> -    return avc_init("avc", NULL, NULL, NULL, NULL);
> +	avc_setenforce = 0;
> +
> +	while (nopts--)
> +		switch(opts[nopts].type) {
> +		case AVC_OPT_SETENFORCE:
> +			avc_setenforce = 1;
> +			avc_enforcing = !!opts[nopts].value;
> +			break;
> +		}
> +
> +	return avc_init("avc", NULL, NULL, NULL, NULL);
>  }
>  
>  int avc_init(const char *prefix,
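Review bot: the switch in avc_open() has no default case, so an option with an unrecognized type is silently accepted rather than rejected; since AVC_OPT_UNUSED already exists as the explicit no-op, consider `default: errno = EINVAL; return -1;` so that a caller passing a misspelled or not-yet-supported option finds out. The loop also indexes `opts[nopts]` without any check on `opts`, so the header should state that opts must be non-NULL whenever nopts is greater than zero.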
> @@ -213,13 +222,15 @@
>  		avc_node_freelist = new;
>  	}
>  
> -	rc = security_getenforce();
> -	if (rc < 0) {
> -		avc_log("%s:  could not determine enforcing mode\n",
> -			avc_prefix);
> -		goto out;
> +	if (!avc_setenforce) {
> +		rc = security_getenforce();
> +		if (rc < 0) {
> +			avc_log("%s:  could not determine enforcing mode\n",
> +				avc_prefix);
> +			goto out;
> +		}
> +		avc_enforcing = rc;
>  	}
> -	avc_enforcing = rc;
>  
>  	rc = avc_netlink_open(avc_using_threads);
>  	if (rc < 0) {
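Review bot: avc_setenforce is cleared only in avc_open(), but avc_init() is a public entry point as well (the avc.h comment describes avc_open() as identical to it apart from the prefix and callbacks); a process that calls avc_open() with AVC_OPT_SETENFORCE, tears the AVC down and later calls avc_init() directly will skip security_getenforce() in this hunk and keep the stale override. Clearing avc_setenforce in the teardown path, rather than only in avc_open(), would keep the two entry points consistent.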
> Index: src/avc_internal.c
> ===================================================================
> --- src/avc_internal.c	(revision 2679)
> +++ src/avc_internal.c	(working copy)
> @@ -46,6 +46,7 @@
>  char avc_prefix[AVC_PREFIX_SIZE] = "uavc";
>  int avc_running = 0;
>  int avc_enforcing = 1;
> +int avc_setenforce = 0;
>  int avc_netlink_trouble = 0;
>  
>  /* netlink socket code */
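Review bot: a one-line comment next to `int avc_setenforce = 0;` saying that it is set by avc_open() when AVC_OPT_SETENFORCE was given, and that it tells avc_init() and the netlink handler to leave avc_enforcing alone, would help: the flag is read in two other places and its name reads like an action rather than an override-in-effect marker.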
> @@ -151,6 +152,8 @@
>  		struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
>  		avc_log("%s:  received setenforce notice (enforcing=%d)\n",
>  			avc_prefix, msg->val);
> +		if (avc_setenforce)
> +			break;
>  		avc_enforcing = msg->val;
>  		if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
>  			avc_log("%s:  cache reset returned %d (errno %d)\n",
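Review bot: with the override in effect the handler still logs "received setenforce notice (enforcing=%d)" and only then breaks, so the log reads as if the mode changed when it did not; move the `if (avc_setenforce)` check ahead of the avc_log call and emit a distinct message such as "ignoring setenforce notice, enforcing mode overridden", so that an admin wondering why `setenforce 1` had no effect on a permissive object manager can see the reason in the log.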
> Index: src/avc_internal.h
> ===================================================================
> --- src/avc_internal.h	(revision 2679)
> +++ src/avc_internal.h	(working copy)
> @@ -74,6 +74,7 @@
>  extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
>  extern int avc_running hidden;
>  extern int avc_enforcing hidden;
> +extern int avc_setenforce hidden;
>  
>  /* user-supplied callback interface for avc */
>  static inline void *avc_malloc(size_t size)
> 
> 
> 
> -- 
> Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
> National Security Agency
-- 
Stephen Smalley
National Security Agency
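The following is an added, stand-alone model of the behaviour the patch introduces; it is not code from the patch or from libselinux. It reproduces the option loop of avc_open(), the enforcing-mode step of avc_init() and the setenforce branch of the netlink handler as small C functions so the semantics can be exercised without a kernel: a NULL option value yields permissive, a non-NULL value yields enforcing, and once the override is set a later setenforce notice from the kernel is ignored. The layout of struct selinux_opt is assumed here to be { int type; const char *value; }, which the page itself does not show, and, going beyond the patch, unknown option types are rejected with EINVAL instead of being silently skipped. The function names model_avc_open, model_getenforce and model_setenforce_notice are hypothetical.

```c
/* Added example modelling the AVC_OPT_SETENFORCE semantics of the patch.
 * Not libselinux code; struct selinux_opt's layout is an assumption. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define AVC_OPT_UNUSED     0
#define AVC_OPT_SETENFORCE 1

struct selinux_opt {
    int type;
    const char *value;  /* assumed: a pointer, so only NULL vs non-NULL matters here */
};

/* The two pieces of AVC state the patch touches. */
struct avc_state {
    int enforcing;   /* avc_enforcing */
    int setenforce;  /* avc_setenforce: 1 when the object manager overrode the kernel */
};

/* Stand-in for security_getenforce(): the kernel's mode is passed in,
 * and a negative value simulates failing to read it. */
static int model_getenforce(int kernel_mode)
{
    return kernel_mode;
}

/* Models avc_open() followed by the enforcing-mode part of avc_init().
 * Unlike the patch, an unrecognized option type is an error (EINVAL);
 * AVC_OPT_UNUSED is still a no-op. Returns 0 on success, -1 on error. */
static int model_avc_open(const struct selinux_opt *opts, unsigned nopts,
                          int kernel_mode, struct avc_state *st)
{
    st->setenforce = 0;
    st->enforcing = 1;   /* same initial value as avc_enforcing */

    while (nopts--) {
        switch (opts[nopts].type) {
        case AVC_OPT_UNUSED:
            break;
        case AVC_OPT_SETENFORCE:
            st->setenforce = 1;
            st->enforcing = !!opts[nopts].value;  /* NULL -> permissive */
            break;
        default:
            errno = EINVAL;
            return -1;
        }
    }

    if (!st->setenforce) {
        int rc = model_getenforce(kernel_mode);
        if (rc < 0) {
            fprintf(stderr, "avc:  could not determine enforcing mode\n");
            return -1;
        }
        st->enforcing = rc;
    }
    return 0;
}

/* Models the setenforce branch of the netlink handler: the kernel notice
 * changes the mode only when no override is in effect. Returns 1 if the
 * mode was taken from the notice, 0 if the notice was ignored. */
static int model_setenforce_notice(struct avc_state *st, int val)
{
    fprintf(stderr, "avc:  received setenforce notice (enforcing=%d)%s\n",
            val, st->setenforce ? " (ignored: overridden by object manager)" : "");
    if (st->setenforce)
        return 0;
    st->enforcing = val;
    return 1;
}

int main(void)
{
    struct avc_state st;
    /* Constructed input: an object manager asking for permissive mode
     * while the (simulated) kernel is enforcing. */
    struct selinux_opt opts[] = {
        { AVC_OPT_UNUSED, NULL },
        { AVC_OPT_SETENFORCE, NULL },   /* NULL value -> permissive */
    };
    if (model_avc_open(opts, 2, 1, &st) == 0)
        printf("after open: enforcing=%d override=%d\n", st.enforcing, st.setenforce);
    model_setenforce_notice(&st, 1);    /* kernel "setenforce 1" arrives */
    printf("after notice: enforcing=%d\n", st.enforcing);
    return 0;
}
```

The model makes two of the review points above concrete: the override is decided once, at open, and a process that wants a different mode afterwards has no call to make, and the log line for an ignored notice should say it was ignored, since the object manager's effective mode no longer follows the kernel's.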


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
