From: <ew...@us...> - 2007-11-09 00:44:15
Revision: 2680
http://selinux.svn.sourceforge.net/selinux/?rev=2680&view=rev
Author: ewalsh
Date: 2007-11-08 16:44:11 -0800 (Thu, 08 Nov 2007)
Log Message:
-----------
Author: Eamon Walsh
Email: ew...@ty...
Subject: libselinux: introduce enforcing mode override option
Date: Tue, 06 Nov 2007 16:50:53 -0500
Introduces an enforcing mode override option, so the object manager
can bring up the AVC in permissive mode on an enforcing system, or
vice versa.
Signed-off-by: Eamon Walsh <ew...@ty...>
Acked-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/libselinux/include/selinux/avc.h
trunk/libselinux/src/avc.c
trunk/libselinux/src/avc_internal.c
trunk/libselinux/src/avc_internal.h
Modified: trunk/libselinux/include/selinux/avc.h
===================================================================
--- trunk/libselinux/include/selinux/avc.h 2007-11-06 21:35:51 UTC (rev 2679)
+++ trunk/libselinux/include/selinux/avc.h 2007-11-09 00:44:11 UTC (rev 2680)
@@ -157,6 +157,15 @@
};
/*
+ * Available options
+ */
+
+/* no-op option, useful for unused slots in an array of options */
+#define AVC_OPT_UNUSED 0
+/* override kernel enforcing mode (boolean value) */
+#define AVC_OPT_SETENFORCE 1
+
+/*
* AVC operations
*/
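Review bot: The comment on AVC_OPT_SETENFORCE says "boolean value" but does not say how the option's value field is read; avc.c reduces it with `!!opts[nopts].value`, so only a null value selects permissive and anything non-null (including a string such as "0") selects enforcing. Suggest stating the contract where callers will see it: `/* override kernel enforcing mode: a non-NULL value means enforcing, NULL means permissive */`. The type of the value field is not visible in this hunk, so confirm it against struct selinux_opt before wording the comment in terms of a pointer.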
@@ -188,7 +197,7 @@
*
* This function is identical to avc_init(), except the message prefix
* is set to "avc" and any callbacks desired should be specified via
- * selinux_set_callback(). No options are currently supported.
+ * selinux_set_callback(). Available options are listed above.
*/
int avc_open(struct selinux_opt *opts, unsigned nopts);
Modified: trunk/libselinux/src/avc.c
===================================================================
--- trunk/libselinux/src/avc.c 2007-11-06 21:35:51 UTC (rev 2679)
+++ trunk/libselinux/src/avc.c 2007-11-09 00:44:11 UTC (rev 2680)
@@ -157,10 +157,19 @@
return rc;
}
-int avc_open(struct selinux_opt *opts __attribute__((unused)),
- unsigned nopts __attribute__((unused)))
+int avc_open(struct selinux_opt *opts, unsigned nopts)
{
- return avc_init("avc", NULL, NULL, NULL, NULL);
+ avc_setenforce = 0;
+
+ while (nopts--)
+ switch(opts[nopts].type) {
+ case AVC_OPT_SETENFORCE:
+ avc_setenforce = 1;
+ avc_enforcing = !!opts[nopts].value;
+ break;
+ }
+
+ return avc_init("avc", NULL, NULL, NULL, NULL);
}
int avc_init(const char *prefix,
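Review bot: The switch in avc_open silently ignores any option type other than AVC_OPT_SETENFORCE and has no default branch, so a caller passing an unsupported or mistyped option gets a successful open with no override applied. Since the header defines AVC_OPT_UNUSED as a legitimate no-op, handle it explicitly and reject the rest: `case AVC_OPT_UNUSED: break;` followed by `default: errno = EINVAL; return -1;` (assuming <errno.h> is already included in this file, as the errno use elsewhere in the patch suggests). The `!!opts[nopts].value` test also means any non-null value is taken as enforcing, which the caller-facing documentation should spell out. avc_open is complete within this hunk.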
@@ -213,13 +222,15 @@
avc_node_freelist = new;
}
- rc = security_getenforce();
- if (rc < 0) {
- avc_log("%s: could not determine enforcing mode\n",
- avc_prefix);
- goto out;
+ if (!avc_setenforce) {
+ rc = security_getenforce();
+ if (rc < 0) {
+ avc_log("%s: could not determine enforcing mode\n",
+ avc_prefix);
+ goto out;
+ }
+ avc_enforcing = rc;
}
- avc_enforcing = rc;
rc = avc_netlink_open(avc_using_threads);
if (rc < 0) {
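Review bot: When avc_setenforce is set, the new branch skips security_getenforce() but nothing in the startup path records that the AVC is running in a caller-chosen mode that may differ from the kernel's, so an object manager brought up permissive on an enforcing system leaves no trace of why in its log. Suggest an else branch on the `if (!avc_setenforce)` block: `} else { avc_log("%s: enforcing mode overridden by caller (enforcing=%d)\n", avc_prefix, avc_enforcing); }`. The body of avc_init begins and ends outside this hunk.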
Modified: trunk/libselinux/src/avc_internal.c
===================================================================
--- trunk/libselinux/src/avc_internal.c 2007-11-06 21:35:51 UTC (rev 2679)
+++ trunk/libselinux/src/avc_internal.c 2007-11-09 00:44:11 UTC (rev 2680)
@@ -46,6 +46,7 @@
char avc_prefix[AVC_PREFIX_SIZE] = "uavc";
int avc_running = 0;
int avc_enforcing = 1;
+int avc_setenforce = 0;
int avc_netlink_trouble = 0;
/* netlink socket code */
@@ -151,6 +152,8 @@
struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
avc_log("%s: received setenforce notice (enforcing=%d)\n",
avc_prefix, msg->val);
+ if (avc_setenforce)
+ break;
avc_enforcing = msg->val;
if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
avc_log("%s: cache reset returned %d (errno %d)\n",
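Review bot: The added `if (avc_setenforce) break;` sits after the "received setenforce notice" log line, so the log records the kernel's mode change but not that this AVC ignored it, which reads as if the local mode followed the kernel. Suggest logging the decision before leaving the case: `avc_log("%s: ignoring setenforce notice, enforcing mode overridden\n", avc_prefix);` on the line before the `break`. The enclosing function starts and ends outside this hunk.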
Modified: trunk/libselinux/src/avc_internal.h
===================================================================
--- trunk/libselinux/src/avc_internal.h 2007-11-06 21:35:51 UTC (rev 2679)
+++ trunk/libselinux/src/avc_internal.h 2007-11-09 00:44:11 UTC (rev 2680)
@@ -74,6 +74,7 @@
extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
extern int avc_running hidden;
extern int avc_enforcing hidden;
+extern int avc_setenforce hidden;
/* user-supplied callback interface for avc */
static inline void *avc_malloc(size_t size)