On Fri, 2011-03-25 at 13:51 +0800, Harry Ciao wrote:
> If kernel policy version is >= 26, then the binary representation of
> the role_trans structure supports specifying the class for the current
> subject or the newly created object.
>
> If kernel policy version is < 26, then the class field would be default
> to the process class.
>
> Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
> ---
> security/selinux/include/security.h | 3 ++-
> security/selinux/ss/policydb.c | 14 ++++++++++++++
> security/selinux/ss/policydb.h | 3 ++-
> 3 files changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 348eb00..bfc5218 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -30,13 +30,14 @@
> #define POLICYDB_VERSION_PERMISSIVE 23
> #define POLICYDB_VERSION_BOUNDARY 24
> #define POLICYDB_VERSION_FILENAME_TRANS 25
> +#define POLICYDB_VERSION_ROLETRANS 26
>
> /* Range of policy versions we understand*/
> #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
> #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
> #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
> #else
> -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS
> +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
> #endif
>
> /* Mask for just the mount related flags */
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index e7b850a..fd62c50 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -128,6 +128,11 @@ static struct policydb_compat_info policydb_compat[] = {
> .sym_num = SYM_NUM,
> .ocon_num = OCON_NUM,
> },
> + {
> + .version = POLICYDB_VERSION_ROLETRANS,
> + .sym_num = SYM_NUM,
> + .ocon_num = OCON_NUM,
> + },
> };
>
> static struct policydb_compat_info *policydb_lookup_compat(int version)
> @@ -2302,8 +2307,17 @@ int policydb_read(struct policydb *p, void *fp)
> tr->role = le32_to_cpu(buf[0]);
> tr->type = le32_to_cpu(buf[1]);
> tr->new_role = le32_to_cpu(buf[2]);
> + if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> + rc = next_entry(buf, fp, sizeof(u32));
> + if (rc)
> + goto bad;
> + tr->tclass = le32_to_cpu(buf[0]);
> + } else
> + tr->tclass = p->process_class;

This doesn't work as p->process_class isn't set until about 100 lines later. This means that a policy.X < 26 always fails on the next test since policydb_class_isvalid(p, 0) is going to fail. I can try to find a way to handle this tomorrow, but hopefully you will find something sooner!

Thanks!

-Eric

> +
> if (!policydb_role_isvalid(p, tr->role) ||
> !policydb_type_isvalid(p, tr->type) ||
> + !policydb_class_isvalid(p, tr->tclass) ||
> !policydb_role_isvalid(p, tr->new_role))
> goto bad;
> ltr = tr;
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index 732ea4a..801175f 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -72,7 +72,8 @@ struct role_datum {
>
> struct role_trans {
> u32 role; /* current role */
> - u32 type; /* program executable type */
> + u32 type; /* program executable type, or new object type */
> + u32 tclass; /* process class, or new object class */
> u32 new_role; /* new role */
> struct role_trans *next;
> };

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
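Review bot: The `} else` arm added after the braced `if (p->policyvers >= POLICYDB_VERSION_ROLETRANS)` block in policydb_read is left unbraced while the `if` arm carries braces; kernel style puts braces on both arms when either one needs them, so it should read `} else {` / `tr->tclass = p->process_class;` / `}`. The new tclass field is only consumed on this read path; if this file also serializes role_trans on a policy write-out path, that path would presumably need the matching version-gated write of tclass, which this patch does not touch. policydb_read begins and ends outside the hunk.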