2019-05-31 16:09:32 +08:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0-only */
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* A policy database (policydb) specifies the
|
|
|
|
* configuration data for the security policy.
|
|
|
|
*
|
2017-08-18 01:32:36 +08:00
|
|
|
* Author : Stephen Smalley, <sds@tycho.nsa.gov>
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
|
|
|
|
*
|
|
|
|
* Support for enhanced MLS infrastructure.
|
|
|
|
*
|
|
|
|
* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
|
|
|
|
*
|
2008-04-23 05:46:17 +08:00
|
|
|
* Added conditional policy language extensions
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
|
|
|
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
|
|
|
|
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _SS_POLICYDB_H_
|
|
|
|
#define _SS_POLICYDB_H_
|
|
|
|
|
|
|
|
#include "symtab.h"
|
|
|
|
#include "avtab.h"
|
|
|
|
#include "sidtab.h"
|
2010-02-03 23:40:20 +08:00
|
|
|
#include "ebitmap.h"
|
|
|
|
#include "mls_types.h"
|
2005-04-17 06:20:36 +08:00
|
|
|
#include "context.h"
|
|
|
|
#include "constraint.h"
|
|
|
|
|
|
|
|
/*
|
|
|
|
* A datum type is defined for each kind of symbol
|
|
|
|
* in the configuration data: individual permissions,
|
|
|
|
* common prefixes for access vectors, classes,
|
|
|
|
* users, roles, types, sensitivities, categories, etc.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Permission attributes */
|
|
|
|
struct perm_datum {
|
|
|
|
u32 value; /* permission bit + 1 */
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Attributes of a common prefix for access vectors */
|
|
|
|
struct common_datum {
|
|
|
|
u32 value; /* internal common value */
|
|
|
|
struct symtab permissions; /* common permissions */
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Class attributes */
|
|
|
|
struct class_datum {
|
|
|
|
u32 value; /* class value */
|
|
|
|
char *comkey; /* common name */
|
|
|
|
struct common_datum *comdatum; /* common datum */
|
|
|
|
struct symtab permissions; /* class-specific permission symbol table */
|
|
|
|
struct constraint_node *constraints; /* constraints on class permissions */
|
|
|
|
struct constraint_node *validatetrans; /* special transition rules */
|
2012-03-21 02:35:12 +08:00
|
|
|
/* Options how a new object user, role, and type should be decided */
|
2012-03-21 02:35:12 +08:00
|
|
|
#define DEFAULT_SOURCE 1
|
|
|
|
#define DEFAULT_TARGET 2
|
|
|
|
char default_user;
|
|
|
|
char default_role;
|
2012-03-21 02:35:12 +08:00
|
|
|
char default_type;
|
2012-03-21 02:35:12 +08:00
|
|
|
/* Options how a new object range should be decided */
|
|
|
|
#define DEFAULT_SOURCE_LOW 1
|
|
|
|
#define DEFAULT_SOURCE_HIGH 2
|
|
|
|
#define DEFAULT_SOURCE_LOW_HIGH 3
|
|
|
|
#define DEFAULT_TARGET_LOW 4
|
|
|
|
#define DEFAULT_TARGET_HIGH 5
|
|
|
|
#define DEFAULT_TARGET_LOW_HIGH 6
|
2019-09-05 05:03:23 +08:00
|
|
|
#define DEFAULT_GLBLUB 7
|
2012-03-21 02:35:12 +08:00
|
|
|
char default_range;
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
/* Role attributes */
|
|
|
|
struct role_datum {
|
|
|
|
u32 value; /* internal role value */
|
2008-08-28 15:35:57 +08:00
|
|
|
u32 bounds; /* boundary of role */
|
2005-04-17 06:20:36 +08:00
|
|
|
struct ebitmap dominates; /* set of roles dominated by this role */
|
|
|
|
struct ebitmap types; /* set of authorized types for role */
|
|
|
|
};
|
|
|
|
|
|
|
|
struct role_trans {
|
|
|
|
u32 role; /* current role */
|
2011-03-25 13:51:56 +08:00
|
|
|
u32 type; /* program executable type, or new object type */
|
|
|
|
u32 tclass; /* process class, or new object class */
|
2005-04-17 06:20:36 +08:00
|
|
|
u32 new_role; /* new role */
|
|
|
|
struct role_trans *next;
|
|
|
|
};
|
|
|
|
|
selinux: optimize storage of filename transitions
In these rules, each rule with the same (target type, target class,
filename) values is (in practice) always mapped to the same result type.
Therefore, it is much more efficient to group the rules by (ttype,
tclass, filename).
Thus, this patch drops the stype field from the key and changes the
datum to be a linked list of one or more structures that contain a
result type and an ebitmap of source types that map the given target to
the given result type under the given filename. The size of the hash
table is also incremented to 2048 to be more optimal for Fedora policy
(which currently has ~2500 unique (ttype, tclass, filename) tuples,
regardless of whether the 'unconfined' module is enabled).
Not only does this dramtically reduce memory usage when the policy
contains a lot of unconfined domains (ergo a lot of filename based
transitions), but it also slightly reduces memory usage of strongly
confined policies (modeled on Fedora policy with 'unconfined' module
disabled) and significantly reduces lookup times of these rules on
Fedora (roughly matches the performance of the rhashtable conversion
patch [1] posted recently to selinux@vger.kernel.org).
An obvious next step is to change binary policy format to match this
layout, so that disk space is also saved. However, since that requires
more work (including matching userspace changes) and this patch is
already beneficial on its own, I'm posting it separately.
Performance/memory usage comparison:
Kernel | Policy load | Policy load | Mem usage | Mem usage | openbench
| | (-unconfined) | | (-unconfined) | (createfiles)
-----------------|-------------|---------------|-----------|---------------|--------------
reference | 1,30s | 0,91s | 90MB | 77MB | 55 us/file
rhashtable patch | 0.98s | 0,85s | 85MB | 75MB | 38 us/file
this patch | 0,95s | 0,87s | 75MB | 75MB | 40 us/file
(Memory usage is measured after boot. With SELinux disabled the memory
usage was ~60MB on the same system.)
[1] https://lore.kernel.org/selinux/20200116213937.77795-1-dev@lynxeye.de/T/
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-02-18 19:27:34 +08:00
|
|
|
struct filename_trans_key {
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
u32 ttype; /* parent dir context */
|
|
|
|
u16 tclass; /* class of new object */
|
|
|
|
const char *name; /* last path component */
|
2011-04-29 03:11:21 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
struct filename_trans_datum {
|
selinux: optimize storage of filename transitions
In these rules, each rule with the same (target type, target class,
filename) values is (in practice) always mapped to the same result type.
Therefore, it is much more efficient to group the rules by (ttype,
tclass, filename).
Thus, this patch drops the stype field from the key and changes the
datum to be a linked list of one or more structures that contain a
result type and an ebitmap of source types that map the given target to
the given result type under the given filename. The size of the hash
table is also incremented to 2048 to be more optimal for Fedora policy
(which currently has ~2500 unique (ttype, tclass, filename) tuples,
regardless of whether the 'unconfined' module is enabled).
Not only does this dramtically reduce memory usage when the policy
contains a lot of unconfined domains (ergo a lot of filename based
transitions), but it also slightly reduces memory usage of strongly
confined policies (modeled on Fedora policy with 'unconfined' module
disabled) and significantly reduces lookup times of these rules on
Fedora (roughly matches the performance of the rhashtable conversion
patch [1] posted recently to selinux@vger.kernel.org).
An obvious next step is to change binary policy format to match this
layout, so that disk space is also saved. However, since that requires
more work (including matching userspace changes) and this patch is
already beneficial on its own, I'm posting it separately.
Performance/memory usage comparison:
Kernel | Policy load | Policy load | Mem usage | Mem usage | openbench
| | (-unconfined) | | (-unconfined) | (createfiles)
-----------------|-------------|---------------|-----------|---------------|--------------
reference | 1,30s | 0,91s | 90MB | 77MB | 55 us/file
rhashtable patch | 0.98s | 0,85s | 85MB | 75MB | 38 us/file
this patch | 0,95s | 0,87s | 75MB | 75MB | 40 us/file
(Memory usage is measured after boot. With SELinux disabled the memory
usage was ~60MB on the same system.)
[1] https://lore.kernel.org/selinux/20200116213937.77795-1-dev@lynxeye.de/T/
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-02-18 19:27:34 +08:00
|
|
|
struct ebitmap stypes; /* bitmap of source types for this otype */
|
|
|
|
u32 otype; /* resulting type of new object */
|
|
|
|
struct filename_trans_datum *next; /* record for next otype*/
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
};
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
struct role_allow {
|
|
|
|
u32 role; /* current role */
|
|
|
|
u32 new_role; /* new role */
|
|
|
|
struct role_allow *next;
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Type attributes */
|
|
|
|
struct type_datum {
|
|
|
|
u32 value; /* internal type value */
|
2008-08-28 15:35:57 +08:00
|
|
|
u32 bounds; /* boundary of type */
|
2005-04-17 06:20:36 +08:00
|
|
|
unsigned char primary; /* primary name? */
|
2008-08-28 15:35:57 +08:00
|
|
|
unsigned char attribute;/* attribute ?*/
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
/* User attributes */
|
|
|
|
struct user_datum {
|
|
|
|
u32 value; /* internal user value */
|
2008-08-28 15:35:57 +08:00
|
|
|
u32 bounds; /* bounds of user */
|
2005-04-17 06:20:36 +08:00
|
|
|
struct ebitmap roles; /* set of authorized roles for user */
|
|
|
|
struct mls_range range; /* MLS range (min - max) for user */
|
|
|
|
struct mls_level dfltlevel; /* default login MLS level for user */
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/* Sensitivity attributes */
|
|
|
|
struct level_datum {
|
|
|
|
struct mls_level *level; /* sensitivity and associated categories */
|
|
|
|
unsigned char isalias; /* is this sensitivity an alias for another? */
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Category attributes */
|
|
|
|
struct cat_datum {
|
|
|
|
u32 value; /* internal category bit + 1 */
|
|
|
|
unsigned char isalias; /* is this category an alias for another? */
|
|
|
|
};
|
|
|
|
|
|
|
|
struct range_trans {
|
2006-09-26 14:31:59 +08:00
|
|
|
u32 source_type;
|
|
|
|
u32 target_type;
|
|
|
|
u32 target_class;
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
/* Boolean data type */
|
|
|
|
struct cond_bool_datum {
|
|
|
|
__u32 value; /* internal type value */
|
|
|
|
int state;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct cond_node;
|
|
|
|
|
2013-11-20 06:34:23 +08:00
|
|
|
/*
|
|
|
|
* type set preserves data needed to determine constraint info from
|
|
|
|
* policy source. This is not used by the kernel policy but allows
|
|
|
|
* utilities such as audit2allow to determine constraint denials.
|
|
|
|
*/
|
|
|
|
struct type_set {
|
|
|
|
struct ebitmap types;
|
|
|
|
struct ebitmap negset;
|
|
|
|
u32 flags;
|
|
|
|
};
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* The configuration data includes security contexts for
|
|
|
|
* initial SIDs, unlabeled file systems, TCP and UDP port numbers,
|
|
|
|
* network interfaces, and nodes. This structure stores the
|
|
|
|
* relevant data for one such entry. Entries of the same kind
|
|
|
|
* (e.g. all initial SIDs) are linked together into a list.
|
|
|
|
*/
|
|
|
|
struct ocontext {
|
|
|
|
union {
|
|
|
|
char *name; /* name of initial SID, fs, netif, fstype, path */
|
|
|
|
struct {
|
|
|
|
u8 protocol;
|
|
|
|
u16 low_port;
|
|
|
|
u16 high_port;
|
|
|
|
} port; /* TCP or UDP port information */
|
|
|
|
struct {
|
|
|
|
u32 addr;
|
|
|
|
u32 mask;
|
|
|
|
} node; /* node information */
|
|
|
|
struct {
|
|
|
|
u32 addr[4];
|
|
|
|
u32 mask[4];
|
|
|
|
} node6; /* IPv6 node information */
|
2017-05-19 20:48:55 +08:00
|
|
|
struct {
|
|
|
|
u64 subnet_prefix;
|
|
|
|
u16 low_pkey;
|
|
|
|
u16 high_pkey;
|
|
|
|
} ibpkey;
|
|
|
|
struct {
|
|
|
|
char *dev_name;
|
|
|
|
u8 port;
|
|
|
|
} ibendport;
|
2005-04-17 06:20:36 +08:00
|
|
|
} u;
|
|
|
|
union {
|
|
|
|
u32 sclass; /* security class for genfs */
|
|
|
|
u32 behavior; /* labeling behavior for fs_use */
|
|
|
|
} v;
|
|
|
|
struct context context[2]; /* security context(s) */
|
|
|
|
u32 sid[2]; /* SID(s) */
|
|
|
|
struct ocontext *next;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct genfs {
|
|
|
|
char *fstype;
|
|
|
|
struct ocontext *head;
|
|
|
|
struct genfs *next;
|
|
|
|
};
|
|
|
|
|
|
|
|
/* symbol table array indices */
|
|
|
|
#define SYM_COMMONS 0
|
|
|
|
#define SYM_CLASSES 1
|
|
|
|
#define SYM_ROLES 2
|
|
|
|
#define SYM_TYPES 3
|
|
|
|
#define SYM_USERS 4
|
|
|
|
#define SYM_BOOLS 5
|
|
|
|
#define SYM_LEVELS 6
|
|
|
|
#define SYM_CATS 7
|
|
|
|
#define SYM_NUM 8
|
|
|
|
|
|
|
|
/* object context array indices */
|
2017-05-19 20:48:55 +08:00
|
|
|
#define OCON_ISID 0 /* initial SIDs */
|
|
|
|
#define OCON_FS 1 /* unlabeled file systems */
|
|
|
|
#define OCON_PORT 2 /* TCP and UDP port numbers */
|
|
|
|
#define OCON_NETIF 3 /* network interfaces */
|
|
|
|
#define OCON_NODE 4 /* nodes */
|
|
|
|
#define OCON_FSUSE 5 /* fs_use */
|
|
|
|
#define OCON_NODE6 6 /* IPv6 nodes */
|
|
|
|
#define OCON_IBPKEY 7 /* Infiniband PKeys */
|
|
|
|
#define OCON_IBENDPORT 8 /* Infiniband end ports */
|
|
|
|
#define OCON_NUM 9
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* The policy database */
|
|
|
|
struct policydb {
|
2010-02-03 23:40:20 +08:00
|
|
|
int mls_enabled;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* symbol tables */
|
|
|
|
struct symtab symtab[SYM_NUM];
|
|
|
|
#define p_commons symtab[SYM_COMMONS]
|
|
|
|
#define p_classes symtab[SYM_CLASSES]
|
|
|
|
#define p_roles symtab[SYM_ROLES]
|
|
|
|
#define p_types symtab[SYM_TYPES]
|
|
|
|
#define p_users symtab[SYM_USERS]
|
|
|
|
#define p_bools symtab[SYM_BOOLS]
|
|
|
|
#define p_levels symtab[SYM_LEVELS]
|
|
|
|
#define p_cats symtab[SYM_CATS]
|
|
|
|
|
|
|
|
/* symbol names indexed by (value - 1) */
|
2019-03-12 14:31:10 +08:00
|
|
|
char **sym_val_to_name[SYM_NUM];
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* class, role, and user attributes indexed by (value - 1) */
|
|
|
|
struct class_datum **class_val_to_struct;
|
|
|
|
struct role_datum **role_val_to_struct;
|
|
|
|
struct user_datum **user_val_to_struct;
|
2019-07-29 16:41:17 +08:00
|
|
|
struct type_datum **type_val_to_struct;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* type enforcement access vectors and transitions */
|
|
|
|
struct avtab te_avtab;
|
|
|
|
|
|
|
|
/* role transitions */
|
|
|
|
struct role_trans *role_tr;
|
|
|
|
|
2011-04-29 03:11:21 +08:00
|
|
|
/* file transitions with the last path component */
|
2011-04-29 03:11:21 +08:00
|
|
|
/* quickly exclude lookups when parent ttype has no rules */
|
|
|
|
struct ebitmap filename_trans_ttypes;
|
2011-04-29 03:11:21 +08:00
|
|
|
/* actual set of filename_trans rules */
|
|
|
|
struct hashtab *filename_trans;
|
selinux: optimize storage of filename transitions
In these rules, each rule with the same (target type, target class,
filename) values is (in practice) always mapped to the same result type.
Therefore, it is much more efficient to group the rules by (ttype,
tclass, filename).
Thus, this patch drops the stype field from the key and changes the
datum to be a linked list of one or more structures that contain a
result type and an ebitmap of source types that map the given target to
the given result type under the given filename. The size of the hash
table is also incremented to 2048 to be more optimal for Fedora policy
(which currently has ~2500 unique (ttype, tclass, filename) tuples,
regardless of whether the 'unconfined' module is enabled).
Not only does this dramtically reduce memory usage when the policy
contains a lot of unconfined domains (ergo a lot of filename based
transitions), but it also slightly reduces memory usage of strongly
confined policies (modeled on Fedora policy with 'unconfined' module
disabled) and significantly reduces lookup times of these rules on
Fedora (roughly matches the performance of the rhashtable conversion
patch [1] posted recently to selinux@vger.kernel.org).
An obvious next step is to change binary policy format to match this
layout, so that disk space is also saved. However, since that requires
more work (including matching userspace changes) and this patch is
already beneficial on its own, I'm posting it separately.
Performance/memory usage comparison:
Kernel | Policy load | Policy load | Mem usage | Mem usage | openbench
| | (-unconfined) | | (-unconfined) | (createfiles)
-----------------|-------------|---------------|-----------|---------------|--------------
reference | 1,30s | 0,91s | 90MB | 77MB | 55 us/file
rhashtable patch | 0.98s | 0,85s | 85MB | 75MB | 38 us/file
this patch | 0,95s | 0,87s | 75MB | 75MB | 40 us/file
(Memory usage is measured after boot. With SELinux disabled the memory
usage was ~60MB on the same system.)
[1] https://lore.kernel.org/selinux/20200116213937.77795-1-dev@lynxeye.de/T/
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-02-18 19:27:34 +08:00
|
|
|
u32 filename_trans_count;
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* bools indexed by (value - 1) */
|
|
|
|
struct cond_bool_datum **bool_val_to_struct;
|
|
|
|
/* type enforcement conditional access vectors and transitions */
|
|
|
|
struct avtab te_cond_avtab;
|
2020-02-03 19:27:20 +08:00
|
|
|
/* array indexing te_cond_avtab by conditional */
|
2008-04-23 05:46:17 +08:00
|
|
|
struct cond_node *cond_list;
|
2020-02-03 19:27:20 +08:00
|
|
|
u32 cond_list_len;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* role allows */
|
|
|
|
struct role_allow *role_allow;
|
|
|
|
|
|
|
|
/* security contexts of initial SIDs, unlabeled file systems,
|
|
|
|
TCP or UDP port numbers, network interfaces and nodes */
|
|
|
|
struct ocontext *ocontexts[OCON_NUM];
|
|
|
|
|
2008-04-23 05:46:17 +08:00
|
|
|
/* security contexts for files in filesystems that cannot support
|
2005-04-17 06:20:36 +08:00
|
|
|
a persistent label mapping or use another
|
|
|
|
fixed labeling behavior. */
|
2008-04-23 05:46:17 +08:00
|
|
|
struct genfs *genfs;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-01-08 04:55:16 +08:00
|
|
|
/* range transitions table (range_trans_key -> mls_range) */
|
|
|
|
struct hashtab *range_tr;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2005-09-04 06:55:16 +08:00
|
|
|
/* type -> attribute reverse mapping */
|
2019-03-12 14:31:10 +08:00
|
|
|
struct ebitmap *type_attr_map_array;
|
2005-09-04 06:55:16 +08:00
|
|
|
|
2008-01-29 21:38:19 +08:00
|
|
|
struct ebitmap policycaps;
|
|
|
|
|
2008-03-31 09:17:33 +08:00
|
|
|
struct ebitmap permissive_map;
|
|
|
|
|
2010-10-14 05:50:25 +08:00
|
|
|
/* length of this policy when it was loaded */
|
|
|
|
size_t len;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
unsigned int policyvers;
|
2007-09-22 02:37:10 +08:00
|
|
|
|
|
|
|
unsigned int reject_unknown : 1;
|
|
|
|
unsigned int allow_unknown : 1;
|
selinux: dynamic class/perm discovery
Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux. A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.
The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC. The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.
The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed. The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers. Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values. The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.
The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping. The old kernel class validation
logic is completely replaced by the mapping logic.
The handle unknown logic is reworked. reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic. allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector. If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.
avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.
The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel. It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-10-01 01:37:50 +08:00
|
|
|
|
|
|
|
u16 process_class;
|
|
|
|
u32 process_trans_perms;
|
2019-12-14 04:28:38 +08:00
|
|
|
} __randomize_layout;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
extern void policydb_destroy(struct policydb *p);
|
|
|
|
extern int policydb_load_isids(struct policydb *p, struct sidtab *s);
|
|
|
|
extern int policydb_context_isvalid(struct policydb *p, struct context *c);
|
2007-11-07 23:08:00 +08:00
|
|
|
extern int policydb_class_isvalid(struct policydb *p, unsigned int class);
|
|
|
|
extern int policydb_type_isvalid(struct policydb *p, unsigned int type);
|
|
|
|
extern int policydb_role_isvalid(struct policydb *p, unsigned int role);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern int policydb_read(struct policydb *p, void *fp);
|
2010-10-14 05:50:25 +08:00
|
|
|
extern int policydb_write(struct policydb *p, void *fp);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
#define POLICYDB_CONFIG_MLS 1
|
|
|
|
|
2007-09-22 02:37:10 +08:00
|
|
|
/* the config flags related to unknown classes/perms are bits 2 and 3 */
|
|
|
|
#define REJECT_UNKNOWN 0x00000002
|
|
|
|
#define ALLOW_UNKNOWN 0x00000004
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#define OBJECT_R "object_r"
|
|
|
|
#define OBJECT_R_VAL 1
|
|
|
|
|
|
|
|
#define POLICYDB_MAGIC SELINUX_MAGIC
|
|
|
|
#define POLICYDB_STRING "SE Linux"
|
|
|
|
|
|
|
|
struct policy_file {
|
|
|
|
char *data;
|
|
|
|
size_t len;
|
|
|
|
};
|
|
|
|
|
2010-10-14 05:50:25 +08:00
|
|
|
struct policy_data {
|
|
|
|
struct policydb *p;
|
|
|
|
void *fp;
|
|
|
|
};
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
|
|
|
|
{
|
|
|
|
if (bytes > fp->len)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
memcpy(buf, fp->data, bytes);
|
|
|
|
fp->data += bytes;
|
|
|
|
fp->len -= bytes;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
2011-02-02 00:05:40 +08:00
|
|
|
static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp)
|
2010-10-14 05:50:25 +08:00
|
|
|
{
|
|
|
|
size_t len = bytes * num;
|
|
|
|
|
|
|
|
memcpy(fp->data, buf, len);
|
|
|
|
fp->data += len;
|
|
|
|
fp->len -= len;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-11-30 04:47:09 +08:00
|
|
|
static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr)
|
|
|
|
{
|
2019-03-12 14:31:10 +08:00
|
|
|
return p->sym_val_to_name[sym_num][element_nr];
|
2010-11-30 04:47:09 +08:00
|
|
|
}
|
|
|
|
|
selinux: dynamic class/perm discovery
Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux. A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.
The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC. The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.
The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed. The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers. Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values. The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.
The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping. The old kernel class validation
logic is completely replaced by the mapping logic.
The handle unknown logic is reworked. reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic. allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector. If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.
avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.
The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel. It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-10-01 01:37:50 +08:00
|
|
|
extern u16 string_to_security_class(struct policydb *p, const char *name);
|
|
|
|
extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#endif /* _SS_POLICYDB_H_ */
|
|
|
|
|