On 04/11/14 17:53, Stephen Smalley wrote:
On 04/11/2014 08:17 AM, Stephen Smalley wrote:
On 04/11/2014 02:45 AM, dE wrote:
Does the object manager always query the security server based on
classes? And does the security server always respond with an access vector?
OR
Can the object manager query the security server on specific permissions
(which make up a class) without querying for a response for the whole
security class?
The security server interface is security_compute_av(), which always
computes the entire access vector for the class.
Object managers however will typically call the Access Vector Cache
(AVC) interface avc_has_perm(), which checks particular permissions.
Internally, the AVC calls security_compute_av() if the access vector is
not already cached for the (source context, target context, target
class) triple and caches the result.
More recent work on userspace object managers has introduced a higher
level API, selinux_check_access(), which internally handles the mapping
of contexts to SIDs and the mapping of class and permission strings to
values and calls avc_has_perm().
All of these APIs are provided by libselinux and have corresponding man
pages.
I forgot to mention: the security_compute_av() API takes a requested
permission argument to indicate the permissions being checked by the
caller, and the returned av_decision structure includes a decided access
vector to indicate which permissions were actually computed in the
allowed/auditallow/auditdeny vectors. That allowed the security server
to optionally only compute the subset of permissions directly requested
by the caller and force the object manager to call again if any other
permissions are later requested. However, this was optimized away from
the kernel a while back as it was unused by our security server so the
kernel always returns a decided vector with all-bits-set now.
Ok, so it has the ability to decide on certain permissions.
Thanks for explaining that!
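The requested/decided interaction described in Stephen's follow-up, as an added example that is not code from the thread or from libselinux: a toy security server and a one-entry Access Vector Cache in C. The SIDs, the hypothetical file class and its permission bits, the one-rule policy and the toy_* function names are all constructed for illustration. Real object managers call the libselinux functions named above (selinux_check_access(), avc_has_perm(), security_compute_av()) rather than these stand-ins; the example only models the decision logic, including the legacy case where the security server decides only the requested bits and the AVC must go back for more.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not libselinux code: SIDs, class and policy below are made up. */
typedef uint32_t u32;

/* Same shape as the kernel/libselinux av_decision structure. */
struct av_decision {
    u32 allowed;
    u32 auditallow;
    u32 auditdeny;
    u32 decided;    /* which bits of the three vectors above are valid */
};

/* Hypothetical permission bits for a hypothetical "file" class (tclass 1). */
#define FILE__READ   0x1u
#define FILE__WRITE  0x2u
#define FILE__EXEC   0x4u
#define FILE__ALL    0x7u

/* Constructed policy: one rule, allow sid 1 -> sid 2 : file { read exec }. */
static const struct { u32 ssid, tsid, tclass, allowed; } policy[] = {
    { 1, 2, 1, FILE__READ | FILE__EXEC },
};

static int  compute_calls;  /* how often the "security server" was consulted */
static bool partial_mode;   /* true: decide only the requested bits (legacy) */

/* Stand-in for security_compute_av(): computes the access vector for the
 * (ssid, tsid, tclass) triple. In partial_mode, decided == requested, as the
 * old interface permitted; otherwise decided has all bits set, as the current
 * kernel always returns. */
static void toy_compute_av(u32 ssid, u32 tsid, u32 tclass, u32 requested,
                           struct av_decision *avd)
{
    compute_calls++;
    avd->allowed = 0;
    avd->auditallow = 0;
    avd->auditdeny = FILE__ALL;       /* default: audit every denial */
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].ssid == ssid && policy[i].tsid == tsid &&
            policy[i].tclass == tclass)
            avd->allowed |= policy[i].allowed;
    avd->decided = partial_mode ? requested : FILE__ALL;
    avd->allowed &= avd->decided;     /* only decided bits are meaningful */
}

/* A one-entry AVC keyed on (ssid, tsid, tclass). */
static struct {
    bool valid;
    u32 ssid, tsid, tclass;
    struct av_decision avd;
} cache;

static void avc_reset(void)
{
    memset(&cache, 0, sizeof cache);
    compute_calls = 0;
}

/* Stand-in for avc_has_perm(): 0 if every requested permission is allowed,
 * -1 otherwise. A cached entry counts as a hit only if its decided vector
 * covers every requested bit; otherwise the security server is asked again,
 * which is exactly what the decided vector was there to force. */
static int toy_avc_has_perm(u32 ssid, u32 tsid, u32 tclass, u32 requested)
{
    bool hit = cache.valid && cache.ssid == ssid && cache.tsid == tsid &&
               cache.tclass == tclass &&
               (requested & ~cache.avd.decided) == 0;
    if (!hit) {
        toy_compute_av(ssid, tsid, tclass, requested, &cache.avd);
        cache.valid = true;
        cache.ssid = ssid;
        cache.tsid = tsid;
        cache.tclass = tclass;
    }
    u32 denied = requested & ~cache.avd.allowed;
    return denied ? -1 : 0;
}

int main(void)
{
    for (int mode = 0; mode < 2; mode++) {
        avc_reset();
        partial_mode = (mode == 1);
        int r1 = toy_avc_has_perm(1, 2, 1, FILE__READ);
        int r2 = toy_avc_has_perm(1, 2, 1, FILE__EXEC);
        int r3 = toy_avc_has_perm(1, 2, 1, FILE__WRITE);
        printf("%s mode: read=%d exec=%d write=%d, security server called %d time(s)\n",
               partial_mode ? "partial" : "full", r1, r2, r3, compute_calls);
    }
    return 0;
}
```

With full decisions (today's kernel behaviour) the second and third checks are served from the cache; with partial decisions each check for a permission the cached entry never decided costs another round trip to the security server, which is why that path was worth optimizing away once no security server used it.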