[PATCH 4/3] Thread/Child-Domain Assignment


 



[4/3] sample program and policy
  The attached files are a sample program and a policy.

  The policy provides definitions of unconfined_XXXX_t as child domains of
  unconfined_t. You can run this sample program on your shell (unconfined_t).

  This sample program creates four threads, each of which tries to change its
  domain. The number on the left side shows the thread id. Three of them succeed
  in changing their domain, but the rest cannot.
  unconfined_red_t and unconfined_blue_t are hierarchical child domains of
  unconfined_t, and the fourth thread (12868) does not change its domain, so they
  are allowed to have a security context different from the others.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <selinux/selinux.h>

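/*
 * Thread body: ask the kernel to move this thread into the domain named
 * by @arg and report what happened.
 *
 * @arg  NUL-terminated security context string (a char * smuggled through
 *       pthread_create's void * argument). It is owned by the caller and is
 *       never freed here; only the string returned by getcon() is freed.
 * Returns NULL in every case; success or failure is printed on stdout.
 */
static void *worker(void *arg)
{
	security_context_t context = (security_context_t) arg;
	/* syscall() returns long, so the tid is printed with %ld, not %u */
	long tid = syscall(SYS_gettid);
	int rc;
	int saved_errno;

	rc = setcon(context);
	saved_errno = errno;	/* capture before printf() can clobber it */
	printf("%ld: setcon(%s) = %d (%s)\n",
	       tid, context, rc, strerror(saved_errno));
	if (rc)
		return NULL;

	/* Re-read the context to confirm the kernel really applied the change. */
	if (getcon(&context)) {
		saved_errno = errno;
		printf("%ld: getcon() failed (%s)\n",
		       tid, strerror(saved_errno));
		return NULL;
	}

	printf("%ld: Now I'm running in %s\n", tid, context);

	freecon(context);	/* getcon() allocated this; the original arg is untouched */

	sleep(1);	/* to keep mm->mm_users > 1 for a while */

	return NULL;
}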

/*
 * Contexts handed to the workers, one thread per entry. The last entry
 * names unconfined_t itself, the domain the covering note says the sample
 * is started from, so that thread is not expected to move anywhere.
 */
static char *test_contexts[] = {
	[0] = "unconfined_u:unconfined_r:unconfined_red_t:s0",
	[1] = "unconfined_u:unconfined_r:unconfined_blue_t:s0",
	[2] = "unconfined_u:unconfined_r:unconfined_green_t:s0",
	[3] = "unconfined_u:unconfined_r:unconfined_t:s0",
};
/* Entry count; only valid because test_contexts is a real array, not a pointer. */
#define NUM_TEST (sizeof(test_contexts) / sizeof(test_contexts[0]))

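/*
 * Entry point: print the leader's own context, start one worker thread per
 * entry in test_contexts, and wait for all of them to finish.
 *
 * argc/argv are not used. Returns 0 when every thread could be created and
 * 1 otherwise; whether each thread managed to change domain is reported on
 * stdout by the worker itself.
 */
int main(int argc, char *argv[])
{
	security_context_t context;
	pthread_t thread[NUM_TEST];
	int created[NUM_TEST] = {0};	/* which slots hold a joinable thread */
	long tid = syscall(SYS_gettid);	/* syscall() returns long: print with %ld */
	int rc = 0;
	size_t i;

	(void)argc;
	(void)argv;

	if (!getcon(&context)) {
		printf("%ld: Now leader is running at %s\n", tid, context);
		freecon(context);	/* getcon() hands back an allocated string */
	} else {
		printf("%ld: getcon() failed (%s)\n", tid, strerror(errno));
	}

	for (i = 0; i < NUM_TEST; i++) {
		/* pthread_create() returns the error number instead of setting errno */
		int err = pthread_create(&thread[i], NULL, worker, test_contexts[i]);
		if (err) {
			printf("%ld: pthread_create() for %s failed (%s)\n",
			       tid, test_contexts[i], strerror(err));
			rc = 1;
			continue;
		}
		created[i] = 1;
	}

	/* Join only the threads that were actually started; the others hold garbage. */
	for (i = 0; i < NUM_TEST; i++) {
		if (created[i])
			pthread_join(thread[i], NULL);
	}

	return rc;
}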
policy_module(thread-context, 1.0)

gen_require(`
	type unconfined_t;
	type unconfined_devpts_t;

	role unconfined_r;
')

# Every colour domain carries this attribute so the allow rules below can
# be written once for the whole group instead of once per type.
attribute unconfined_colors;

#--- red ---
type unconfined_red_t, unconfined_colors;
domain_type(unconfined_red_t);
role unconfined_r types unconfined_red_t;

#--- blue ---
type unconfined_blue_t, unconfined_colors;
domain_type(unconfined_blue_t);
role unconfined_r types unconfined_blue_t;

#--- green ---
type unconfined_green_t, unconfined_colors;
domain_type(unconfined_green_t);
role unconfined_r types unconfined_green_t;

#--- hierarchy ---
# red and blue are declared hierarchical children of unconfined_t; green is
# deliberately left out (its typedominate line stays commented), so per the
# covering note the thread asking for unconfined_green_t is the one whose
# setcon() is expected to be refused even though dyntransition is allowed.
typedominate unconfined_t unconfined_red_t;
typedominate unconfined_t unconfined_blue_t;
# typedominate unconfined_t unconfined_green_t;

#--- process:dyntransition
# dyntransition is what setcon() in the sample program needs to switch a
# running thread's domain in place. The fd and chr_file rules are presumably
# there so the switched thread can keep writing to the inherited terminal --
# confirm against the sample's output.
allow unconfined_t unconfined_colors : process { dyntransition };
allow unconfined_colors unconfined_t : fd { use };
allow unconfined_colors unconfined_devpts_t : chr_file { write };

#--- /proc permissions
# Presumably needed for getcon() in the sample, which reads the thread's
# attr file under /proc -- verify against the libselinux implementation.
kernel_search_proc(unconfined_colors)
allow unconfined_colors unconfined_t : dir search_dir_perms;
allow unconfined_colors self : file read_file_perms;
