Menu
▾
▴
[Selinux-commits] SF.net SVN: selinux: [2325] trunk
|
From: <ssm...@us...> - 2007-04-09 18:03:43
|
Revision: 2325
http://svn.sourceforge.net/selinux/?rev=2325&view=rev
Author: ssmalley
Date: 2007-04-09 11:02:21 -0700 (Mon, 09 Apr 2007)
Log Message:
-----------
Author: James Carter
Email: jw...@ty...
Subject: libselinux: add support for getting contexts for kernel initial SIDs from selinuxfs
Date: Fri, 06 Apr 2007 15:37:20 -0400
Adds support to libselinux to get the context for a kernel initial
security identifier specified by name from the selinuxfs interface.
Signed-off-by: James Carter <jw...@ty...>
Modified Paths:
--------------
trunk/libselinux/include/selinux/selinux.h
trunk/libselinux/man/man3/security_compute_av.3
trunk/libselinux/src/Makefile
trunk/libselinux/src/load_policy.c
trunk/libselinux/src/selinux_internal.h
trunk/libsepol/src/Makefile
Added Paths:
-----------
trunk/libselinux/man/man3/security_get_initial_context.3
Modified: trunk/libselinux/include/selinux/selinux.h
===================================================================
--- trunk/libselinux/include/selinux/selinux.h 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/include/selinux/selinux.h 2007-04-09 18:02:21 UTC (rev 2325)
@@ -189,6 +189,13 @@
/* Load a policy configuration. */
extern int security_load_policy(void *data, size_t len);
+/* Get the context of an initial kernel security identifier by name.
+ Caller must free via freecon */
+ extern int security_get_initial_context(const char * name,
+ security_context_t * con);
+ extern int security_get_initial_context_raw(const char * name,
+ security_context_t * con);
+
/*
* Make a policy image and load it.
* This function provides a higher level interface for loading policy
Modified: trunk/libselinux/man/man3/security_compute_av.3
===================================================================
--- trunk/libselinux/man/man3/security_compute_av.3 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/man/man3/security_compute_av.3 2007-04-09 18:02:21 UTC (rev 2325)
@@ -1,6 +1,7 @@
.TH "security_compute_av" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation"
.SH "NAME"
-security_compute_av, security_compute_create, security_compute_relabel, security_compute_user \- query
+security_compute_av, security_compute_create, security_compute_relabel,
+security_compute_user, security_get_initial_context \- query
the SELinux policy database in the kernel.
.SH "SYNOPSIS"
@@ -16,6 +17,9 @@
.sp
.BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con );
.sp
+.BI "int security_get_initial_context(const char *" name ", security_context_t
+"con );
+.sp
.BI "int checkPasswdAccess(access_vector_t " requested );
.SH "DESCRIPTION"
@@ -44,6 +48,9 @@
source context. Is mainly used by
.B get_ordered_context_list.
+.B security_get_initial_context
+is used to get the context of an initial kernel security identifier by name.
+
.B checkPasswdAccess
This functions is a helper functions that allows you to check for a permission in the passwd class. checkPasswdAccess uses getprevcon() for the source and target security contexts.
Added: trunk/libselinux/man/man3/security_get_initial_context.3
===================================================================
--- trunk/libselinux/man/man3/security_get_initial_context.3 (rev 0)
+++ trunk/libselinux/man/man3/security_get_initial_context.3 2007-04-09 18:02:21 UTC (rev 2325)
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
Modified: trunk/libselinux/src/Makefile
===================================================================
--- trunk/libselinux/src/Makefile 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/src/Makefile 2007-04-09 18:02:21 UTC (rev 2325)
@@ -18,10 +18,27 @@
SWIGSO=_selinux.so
SWIGFILES=$(SWIGSO) selinux.py
LIBSO=$(TARGET).$(LIBVERSION)
-OBJS= $(patsubst %.c,%.o,$(filter-out $(SWIGCOUT),$(wildcard *.c)))
-LOBJS= $(patsubst %.c,%.lo,$(filter-out $(SWIGCOUT),$(wildcard *.c)))
+
+LSEPOL=-lsepol
+SRCS=$(filter-out $(SWIGCOUT),$(wildcard *.c))
+ifeq ($(EMBEDDED),1)
+UNUSED_SRCS=avc.c avc_internal.c avc_sidtab.c
+SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out $(SWIGCOUT),$(wildcard *.c)))
+endif
+ifeq ($(DISABLE_SEPOL),1)
+UNUSED_SRCS+=booleans.c
+LSEPOL=
+SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out $(SWIGCOUT),$(wildcard *.c)))
+endif
+
+OBJS= $(patsubst %.c,%.o,$(SRCS))
+LOBJS= $(patsubst %.c,%.lo,$(SRCS))
CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64
+ifeq ($(DISABLE_SEPOL),1)
+override CFLAGS += -DDISABLE_SEPOL
+endif
+
RANLIB=ranlib
ARCH := $(patsubst i%86,i386,$(shell uname -m))
@@ -48,7 +65,7 @@
$(CC) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
$(LIBSO): $(LOBJS)
- $(CC) $(LDFLAGS) -shared -o $@ $^ -ldl -lsepol -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
+ $(CC) $(LDFLAGS) -shared -o $@ $^ -ldl $(LSEPOL) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
ln -sf $@ $(TARGET)
%.o: %.c policy.h
Modified: trunk/libselinux/src/load_policy.c
===================================================================
--- trunk/libselinux/src/load_policy.c 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/src/load_policy.c 2007-04-09 18:02:21 UTC (rev 2325)
@@ -41,7 +41,56 @@
int load_setlocaldefs hidden = 1;
-int selinux_mkload_policy(int preservebools)
+/*
+ This function is used only if DISABLE_SEPOL is defined.
+ Size of libsepol is big, so you may want to disable libsepol for embedded devices.
+ This function is selinux_mkload_policy with limitations.
+ Limitations:
+ - Binary policy file name is assumed as "policy.<value in /selinux/policyvers>".
+ - Preserve boolean is not supported, so it is recommended not to use boolean,
+ if you want to disable sepol.
+ - system.users and local.users are not supported.
+*/
+static int selinux_mkload_policy_nosepol(int preservebools) {
+ int rc = -1;
+ char path[PATH_MAX];
+ size_t size;
+ void *data;
+ int fd;
+ struct stat sb;
+
+ if (preservebools) {
+ return -1;
+ }
+
+ snprintf(path, sizeof(path), "%s", selinux_binary_policy_path());
+
+ fd = open(path, O_RDONLY);
+ if (fd < 0)
+ return -1;
+
+ if (fstat(fd, &sb) < 0)
+ goto close;
+
+ size = sb.st_size;
+ data = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (data == MAP_FAILED)
+ goto close;
+
+ rc = security_load_policy(data, size);
+
+ close:
+ close(fd);
+ return rc;
+
+}
+
+#ifndef DISABLE_SEPOL
+/*
+ selinux_mkload_policy with full features.
+ This is used usually(when DISABLE_SEPOL is not defined).
+*/
+static int selinux_mkload_policy_sepol(int preservebools)
{
int vers = sepol_policy_kern_vers_max();
int kernvers = security_policyvers();
@@ -154,7 +203,16 @@
close(fd);
return rc;
}
+#endif /*ifndef DISABLE_SEPOL*/
+int selinux_mkload_policy(int preservebools) {
+#ifdef DISABLE_SEPOL
+ return selinux_mkload_policy_nosepol(preservebools);
+#else
+ return selinux_mkload_policy_sepol(preservebools);
+#endif
+}
+
hidden_def(selinux_mkload_policy)
/*
Modified: trunk/libselinux/src/selinux_internal.h
===================================================================
--- trunk/libselinux/src/selinux_internal.h 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/src/selinux_internal.h 2007-04-09 18:02:21 UTC (rev 2325)
@@ -76,6 +76,8 @@
hidden_proto(selinux_getpolicytype);
hidden_proto(selinux_raw_to_trans_context);
hidden_proto(selinux_trans_to_raw_context);
+hidden_proto(security_get_initial_context);
+hidden_proto(security_get_initial_context_raw);
extern int load_setlocaldefs hidden;
extern int require_seusers hidden;
Modified: trunk/libsepol/src/Makefile
===================================================================
--- trunk/libsepol/src/Makefile 2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libsepol/src/Makefile 2007-04-09 18:02:21 UTC (rev 2325)
@@ -8,11 +8,18 @@
LIBA=libsepol.a
TARGET=libsepol.so
LIBSO=$(TARGET).$(LIBVERSION)
-OBJS= $(patsubst %.c,%.o,$(wildcard *.c))
-LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c))
+
+SRCS=$(wildcard *.c)
+ifeq ($(EMBEDDED),1)
+UNUSED_SRCS=link.c nodes.c roles.c iface_record.c module.c port_record.c user_record.c interfaces.c node_record.c ports.c users.c
+SRCS= $(filter-out $(UNUSED_SRCS), $(wildcard *.c))
+endif
+OBJS= $(patsubst %.c,%.o,$(SRCS))
+LOBJS= $(patsubst %.c,%.lo,$(SRCS))
CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
override CFLAGS += -I. -I../include -D_GNU_SOURCE
+
all: $(LIBA) $(LIBSO)
$(LIBA): $(OBJS)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
