From: <ssm...@us...> - 2007-04-09 18:03:43
Revision: 2325
http://svn.sourceforge.net/selinux/?rev=2325&view=rev
Author: ssmalley
Date: 2007-04-09 11:02:21 -0700 (Mon, 09 Apr 2007)
Log Message:
-----------
Author: James Carter
Email: jw...@ty...
Subject: libselinux: add support for getting contexts for kernel initial SIDs from selinuxfs
Date: Fri, 06 Apr 2007 15:37:20 -0400
Adds support to libselinux to get the context for a kernel initial
security identifier specified by name from the selinuxfs interface.
Signed-off-by: James Carter <jw...@ty...>
Modified Paths:
--------------
trunk/libselinux/include/selinux/selinux.h
trunk/libselinux/man/man3/security_compute_av.3
trunk/libselinux/src/Makefile
trunk/libselinux/src/load_policy.c
trunk/libselinux/src/selinux_internal.h
trunk/libsepol/src/Makefile
Added Paths:
-----------
trunk/libselinux/man/man3/security_get_initial_context.3
Modified: trunk/libselinux/include/selinux/selinux.h
===================================================================
--- trunk/libselinux/include/selinux/selinux.h 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/include/selinux/selinux.h 2007-04-09 18:02:21 UTC (rev 2325)
@@ -189,6 +189,13 @@
/* Load a policy configuration. */
extern int security_load_policy(void *data, size_t len);
+/* Get the context of an initial kernel security identifier by name.
+ Caller must free via freecon */
+ extern int security_get_initial_context(const char * name,
+ security_context_t * con);
+ extern int security_get_initial_context_raw(const char * name,
+ security_context_t * con);
+
/*
* Make a policy image and load it.
* This function provides a higher level interface for loading policy
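Review bot: Nothing in this revision's Modified/Added Paths defines `security_get_initial_context` or `security_get_initial_context_raw`, so the declarations added here (together with the `hidden_proto` entries in selinux_internal.h) publish an API whose implementation is presumably in a separate revision — confirm it lands before this header is shipped. The comment should also state the return convention so callers know what to check, e.g. `/* Returns 0 on success, -1 with errno set on failure; *con is only valid on success and must be freed via freecon. */` — the exact convention is not visible here, so verify it against the implementation. Two smaller points: the surrounding header writes `const char *name`, not `const char * name`, and the man page synopsis in this same revision shows `security_context_t "con` without the `*` that the declaration has, so the two disagree about the out-parameter.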
Modified: trunk/libselinux/man/man3/security_compute_av.3
===================================================================
--- trunk/libselinux/man/man3/security_compute_av.3 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/man/man3/security_compute_av.3 2007-04-09 18:02:21 UTC (rev 2325)
@@ -1,6 +1,7 @@
.TH "security_compute_av" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation"
.SH "NAME"
-security_compute_av, security_compute_create, security_compute_relabel, security_compute_user \- query
+security_compute_av, security_compute_create, security_compute_relabel,
+security_compute_user, security_get_initial_context \- query
the SELinux policy database in the kernel.
.SH "SYNOPSIS"
@@ -16,6 +17,9 @@
.sp
.BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con );
.sp
+.BI "int security_get_initial_context(const char *" name ", security_context_t
+"con );
+.sp
.BI "int checkPasswdAccess(access_vector_t " requested );
.SH "DESCRIPTION"
@@ -44,6 +48,9 @@
source context. Is mainly used by
.B get_ordered_context_list.
+.B security_get_initial_context
+is used to get the context of an initial kernel security identifier by name.
+
.B checkPasswdAccess
This functions is a helper functions that allows you to check for a permission in the passwd class. checkPasswdAccess uses getprevcon() for the source and target security contexts.
Added: trunk/libselinux/man/man3/security_get_initial_context.3
===================================================================
--- trunk/libselinux/man/man3/security_get_initial_context.3 (rev 0)
+++ trunk/libselinux/man/man3/security_get_initial_context.3 2007-04-09 18:02:21 UTC (rev 2325)
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
Modified: trunk/libselinux/src/Makefile
===================================================================
--- trunk/libselinux/src/Makefile 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/src/Makefile 2007-04-09 18:02:21 UTC (rev 2325)
@@ -18,10 +18,27 @@
SWIGSO=_selinux.so
SWIGFILES=$(SWIGSO) selinux.py
LIBSO=$(TARGET).$(LIBVERSION)
-OBJS= $(patsubst %.c,%.o,$(filter-out $(SWIGCOUT),$(wildcard *.c)))
-LOBJS= $(patsubst %.c,%.lo,$(filter-out $(SWIGCOUT),$(wildcard *.c)))
+
+LSEPOL=-lsepol
+SRCS=$(filter-out $(SWIGCOUT),$(wildcard *.c))
+ifeq ($(EMBEDDED),1)
+UNUSED_SRCS=avc.c avc_internal.c avc_sidtab.c
+SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out $(SWIGCOUT),$(wildcard *.c)))
+endif
+ifeq ($(DISABLE_SEPOL),1)
+UNUSED_SRCS+=booleans.c
+LSEPOL=
+SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out $(SWIGCOUT),$(wildcard *.c)))
+endif
+
+OBJS= $(patsubst %.c,%.o,$(SRCS))
+LOBJS= $(patsubst %.c,%.lo,$(SRCS))
CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64
+ifeq ($(DISABLE_SEPOL),1)
+override CFLAGS += -DDISABLE_SEPOL
+endif
+
RANLIB=ranlib
ARCH := $(patsubst i%86,i386,$(shell uname -m))
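Review bot: `SRCS` is assigned three times in this hunk, each repeating `$(filter-out $(SWIGCOUT),$(wildcard *.c))`, and the `DISABLE_SEPOL` switch is split between the `ifeq` that clears `LSEPOL` and a second `ifeq` that adds `-DDISABLE_SEPOL` to CFLAGS. One assignment after the conditionals, `SRCS := $(filter-out $(UNUSED_SRCS) $(SWIGCOUT),$(wildcard *.c))`, with `override CFLAGS += -DDISABLE_SEPOL` moved into the first `DISABLE_SEPOL` block, says the same thing once; the libsepol Makefile hunk has the same duplicated-`SRCS` shape. Since the link line keeps `-z,defs`, any remaining reference to libsepol from a source that is not filtered out will fail the build at link time when `DISABLE_SEPOL=1`, which is the safe outcome but worth a one-time check of the remaining sources. Neither `EMBEDDED` nor `DISABLE_SEPOL` is mentioned in the log message, which describes only the initial-SID context support; these look like a separate change folded into the same revision.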
@@ -48,7 +65,7 @@
$(CC) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
$(LIBSO): $(LOBJS)
- $(CC) $(LDFLAGS) -shared -o $@ $^ -ldl -lsepol -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
+ $(CC) $(LDFLAGS) -shared -o $@ $^ -ldl $(LSEPOL) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
ln -sf $@ $(TARGET)
%.o: %.c policy.h
Modified: trunk/libselinux/src/load_policy.c
===================================================================
--- trunk/libselinux/src/load_policy.c 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/src/load_policy.c 2007-04-09 18:02:21 UTC (rev 2325)
@@ -41,7 +41,56 @@
int load_setlocaldefs hidden = 1;
-int selinux_mkload_policy(int preservebools)
+/*
+ This function is used only if DISABLE_SEPOL is defined.
+ Size of libsepol is big, so you may want to disable libsepol for embedded devices.
+ This function is selinux_mkload_policy with limitations.
+ Limitations:
+ - Binary policy file name is assumed as "policy.<value in /selinux/policyvers>".
+ - Preserve boolean is not supported, so it is recommended not to use boolean,
+ if you want to disable sepol.
+ - system.users and local.users are not supported.
+*/
+static int selinux_mkload_policy_nosepol(int preservebools) {
+ int rc = -1;
+ char path[PATH_MAX];
+ size_t size;
+ void *data;
+ int fd;
+ struct stat sb;
+
+ if (preservebools) {
+ return -1;
+ }
+
+ snprintf(path, sizeof(path), "%s", selinux_binary_policy_path());
+
+ fd = open(path, O_RDONLY);
+ if (fd < 0)
+ return -1;
+
+ if (fstat(fd, &sb) < 0)
+ goto close;
+
+ size = sb.st_size;
+ data = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (data == MAP_FAILED)
+ goto close;
+
+ rc = security_load_policy(data, size);
+
+ close:
+ close(fd);
+ return rc;
+
+}
+
+#ifndef DISABLE_SEPOL
+/*
+ selinux_mkload_policy with full features.
+ This is used usually(when DISABLE_SEPOL is not defined).
+*/
+static int selinux_mkload_policy_sepol(int preservebools)
{
int vers = sepol_policy_kern_vers_max();
int kernvers = security_policyvers();
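Review bot: `selinux_mkload_policy_nosepol` never unmaps the region it maps: after `security_load_policy(data, size)` it closes the fd and returns, leaving `size` bytes mapped for the life of the process on every call, so `munmap(data, size);` belongs before the `close:` label. The function is also defined outside any `#ifdef DISABLE_SEPOL`, so in the normal build it is an unused `static` function that the `-Wall -W` CFLAGS will warn about; wrapping it in `#ifdef DISABLE_SEPOL` mirrors the `#ifndef` that guards the sepol variant right below it. The header comment says the file name is assumed to be `policy.<policyvers>`, yet the code opens the result of `selinux_binary_policy_path()` unchanged with no version suffix appended — one of the two is wrong unless that helper already returns the versioned path, which is not visible here; confirm. As style points, the `close:` label shares its name with the `close()` call it precedes (`out_close:` reads better), and both this function and the `selinux_mkload_policy` wrapper in the next hunk put `{` on the signature line while `selinux_mkload_policy_sepol` keeps the file's own-line brace.
```c
#ifdef DISABLE_SEPOL
static int selinux_mkload_policy_nosepol(int preservebools)
{
	/* … unchanged: preservebools check, path, open(), fstat(), mmap() … */
	rc = security_load_policy(data, size);
	munmap(data, size);
close:
	close(fd);
	return rc;
}
#endif /* DISABLE_SEPOL */
```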
@@ -154,7 +203,16 @@
close(fd);
return rc;
}
+#endif /*ifndef DISABLE_SEPOL*/
+int selinux_mkload_policy(int preservebools) {
+#ifdef DISABLE_SEPOL
+ return selinux_mkload_policy_nosepol(preservebools);
+#else
+ return selinux_mkload_policy_sepol(preservebools);
+#endif
+}
+
hidden_def(selinux_mkload_policy)
/*
Modified: trunk/libselinux/src/selinux_internal.h
===================================================================
--- trunk/libselinux/src/selinux_internal.h 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/src/selinux_internal.h 2007-04-09 18:02:21 UTC (rev 2325)
@@ -76,6 +76,8 @@
hidden_proto(selinux_getpolicytype);
hidden_proto(selinux_raw_to_trans_context);
hidden_proto(selinux_trans_to_raw_context);
+hidden_proto(security_get_initial_context);
+hidden_proto(security_get_initial_context_raw);
extern int load_setlocaldefs hidden;
extern int require_seusers hidden;
Modified: trunk/libsepol/src/Makefile
===================================================================
--- trunk/libsepol/src/Makefile 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libsepol/src/Makefile 2007-04-09 18:02:21 UTC (rev 2325)
@@ -8,11 +8,18 @@
LIBA=libsepol.a
TARGET=libsepol.so
LIBSO=$(TARGET).$(LIBVERSION)
-OBJS= $(patsubst %.c,%.o,$(wildcard *.c))
-LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c))
+
+SRCS=$(wildcard *.c)
+ifeq ($(EMBEDDED),1)
+UNUSED_SRCS=link.c nodes.c roles.c iface_record.c module.c port_record.c user_record.c interfaces.c node_record.c ports.c users.c
+SRCS= $(filter-out $(UNUSED_SRCS), $(wildcard *.c))
+endif
+OBJS= $(patsubst %.c,%.o,$(SRCS))
+LOBJS= $(patsubst %.c,%.lo,$(SRCS))
CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
override CFLAGS += -I. -I../include -D_GNU_SOURCE
+
all: $(LIBA) $(LIBSO)
$(LIBA): $(OBJS)