From: <ssm...@us...> - 2007-04-09 18:22:29
Revision: 2328 http://svn.sourceforge.net/selinux/?rev=2328&view=rev Author: ssmalley Date: 2007-04-09 11:22:10 -0700 (Mon, 09 Apr 2007) Log Message: ----------- Author: James Carter Email: jw...@ty... Subject: libselinux: add support for getting contexts for kernel initial SIDs from selinuxfs Date: Fri, 06 Apr 2007 15:37:20 -0400 Adds support to libselinux to get the context for a kernel initial security identifier specified by name from the selinuxfs interface. Signed-off-by: James Carter <jw...@ty...> Modified Paths: -------------- trunk/libselinux/include/selinux/selinux.h trunk/libselinux/man/man3/security_compute_av.3 trunk/libselinux/src/selinux_internal.h Added Paths: ----------- trunk/libselinux/man/man3/security_get_initial_context.3 Modified: trunk/libselinux/include/selinux/selinux.h =================================================================== --- trunk/libselinux/include/selinux/selinux.h 2007-04-09 18:18:02 UTC (rev 2327) +++ trunk/libselinux/include/selinux/selinux.h 2007-04-09 18:22:10 UTC (rev 2328) @@ -189,6 +189,13 @@ /* Load a policy configuration. */ extern int security_load_policy(void *data, size_t len); +/* Get the context of an initial kernel security identifier by name. + Caller must free via freecon */ + extern int security_get_initial_context(const char * name, + security_context_t * con); + extern int security_get_initial_context_raw(const char * name, + security_context_t * con); + /* * Make a policy image and load it. * This function provides a higher level interface for loading policy Modified: trunk/libselinux/man/man3/security_compute_av.3 =================================================================== --- trunk/libselinux/man/man3/security_compute_av.3 2007-04-09 18:18:02 UTC (rev 2327) +++ trunk/libselinux/man/man3/security_compute_av.3 2007-04-09 18:22:10 UTC (rev 2328) 
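Review bot: The two prototypes added after `security_load_policy()` declare symbols that no file in this revision's path list defines — only the header, the man pages and selinux_internal.h are touched — so unless the implementation landed in a separate revision, the library will carry undefined references once avc.c in r2330 calls security_get_initial_context_raw(); the same applies to the hidden_proto() lines added to selinux_internal.h in the last hunk. The new declarations are indented one space and use `const char * name` spacing, unlike the surrounding column-0 `extern int security_load_policy(void *data, size_t len);` style; I would write `extern int security_get_initial_context(const char *name, security_context_t *con);` and likewise for the `_raw` variant. The header comment should also state the return convention the caller in r2330 relies on (`rc < 0` is treated as failure), e.g. `Returns 0 and sets *con on success, -1 on error; *con is only valid on success.`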
@@ -1,6 +1,7 @@ .TH "security_compute_av" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -security_compute_av, security_compute_create, security_compute_relabel, security_compute_user \- query +security_compute_av, security_compute_create, security_compute_relabel, +security_compute_user, security_get_initial_context \- query the SELinux policy database in the kernel. .SH "SYNOPSIS" @@ -16,6 +17,9 @@ .sp .BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con ); .sp +.BI "int security_get_initial_context(const char *" name ", security_context_t +"con ); +.sp .BI "int checkPasswdAccess(access_vector_t " requested ); .SH "DESCRIPTION" @@ -44,6 +48,9 @@ source context. Is mainly used by .B get_ordered_context_list. +.B security_get_initial_context +is used to get the context of an initial kernel security identifier by name. + .B checkPasswdAccess This functions is a helper functions that allows you to check for a permission in the passwd class. checkPasswdAccess uses getprevcon() for the source and target security contexts. Added: trunk/libselinux/man/man3/security_get_initial_context.3 =================================================================== --- trunk/libselinux/man/man3/security_get_initial_context.3 (rev 0) +++ trunk/libselinux/man/man3/security_get_initial_context.3 2007-04-09 18:22:10 UTC (rev 2328) @@ -0,0 +1 @@ +.so man3/security_compute_av.3 Modified: trunk/libselinux/src/selinux_internal.h =================================================================== --- trunk/libselinux/src/selinux_internal.h 2007-04-09 18:18:02 UTC (rev 2327) +++ trunk/libselinux/src/selinux_internal.h 2007-04-09 18:22:10 UTC (rev 2328) 
@@ -76,6 +76,8 @@ hidden_proto(selinux_getpolicytype); hidden_proto(selinux_raw_to_trans_context); hidden_proto(selinux_trans_to_raw_context); +hidden_proto(security_get_initial_context); +hidden_proto(security_get_initial_context_raw); extern int load_setlocaldefs hidden; extern int require_seusers hidden; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-04-09 18:34:40
Revision: 2330 http://svn.sourceforge.net/selinux/?rev=2330&view=rev Author: ssmalley Date: 2007-04-09 11:34:19 -0700 (Mon, 09 Apr 2007) Log Message: ----------- Author: James Carter Email: jw...@ty... Subject: libselinux: add support for getting contexts for kernel initial SIDs from selinuxfs (resend) Date: Mon, 09 Apr 2007 14:27:00 -0400 Add support to libselinux to get a userspace SID for a kernel initial security identifier specified by name from the selinuxfs interface. It is a convenience function that calls security_get_initial_context_raw() and avc_context_to_sid_raw(). Signed-off-by: James Carter <jw...@ty...> Modified Paths: -------------- trunk/libselinux/include/selinux/avc.h trunk/libselinux/man/man3/avc_context_to_sid.3 trunk/libselinux/src/avc.c Added Paths: ----------- trunk/libselinux/man/man3/avc_get_initial_context.3 Modified: trunk/libselinux/include/selinux/avc.h =================================================================== --- trunk/libselinux/include/selinux/avc.h 2007-04-09 18:26:02 UTC (rev 2329) +++ trunk/libselinux/include/selinux/avc.h 2007-04-09 18:34:19 UTC (rev 2330) @@ -78,6 +78,17 @@ */ int sidput(security_id_t sid); +/** + * avc_get_initial_sid - get SID for an initial kernel security identifier + * @name: input name of initial kernel security identifier + * @sid: pointer to a SID reference + * + * Get the context for an initial kernel security identifier specified by + * @name using security_get_initial_context() and then call + * avc_context_to_sid() to get the corresponding SID. + */ + int avc_get_initial_sid(const char * name, security_id_t * sid); + /* * AVC entry */ Modified: trunk/libselinux/man/man3/avc_context_to_sid.3 =================================================================== --- trunk/libselinux/man/man3/avc_context_to_sid.3 2007-04-09 18:26:02 UTC (rev 2329) +++ trunk/libselinux/man/man3/avc_context_to_sid.3 2007-04-09 18:34:19 UTC (rev 2330) 
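Review bot: The kernel-doc block on avc_get_initial_sid() says it uses security_get_initial_context() and avc_context_to_sid(), but the definition added to avc.c in this revision calls the `_raw` variants, so the comment should read `@name using security_get_initial_context_raw() and then call avc_context_to_sid_raw()`; a reader of the header would otherwise assume the translated form. The block also lacks a return description; I would add `Return: 0 on success, or the error result of whichever of the two calls failed.` As with the selinux.h change in r2328, the prototype is indented one space and uses `const char * name` spacing where the neighbouring `int sidput(security_id_t sid);` sits at column 0 — `int avc_get_initial_sid(const char *name, security_id_t *sid);` matches the file. Separately, the man page link added in this revision is named avc_get_initial_context.3 while the function it documents is avc_get_initial_sid, so `man avc_get_initial_sid` will not resolve.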
@@ -3,7 +3,7 @@ .\" Author: Eamon Walsh (ew...@ep...) 2004 .TH "avc_context_to_sid" "3" "27 May 2004" "" "SE Linux API documentation" .SH "NAME" -avc_context_to_sid, avc_sid_to_context, sidput, sidget \- obtain and manipulate SELinux security ID's. +avc_context_to_sid, avc_sid_to_context, sidput, sidget, avc_get_initial_sid \- obtain and manipulate SELinux security ID's. .SH "SYNOPSIS" .B #include <selinux/selinux.h> .br @@ -16,6 +16,8 @@ .BI "int sidget(security_id_t " sid ");" .sp .BI "int sidput(security_id_t " sid ");" +.BI "int avc_get_initial_sid(const char *" name ", security_id_t *" sid ");" +.sp .SH "DESCRIPTION" Security ID's (SID's) are reference-counted, opaque representations of security contexts. @@ -45,6 +47,9 @@ by 1. If the count ever reaches zero, the SID becomes invalid and must not be used any further. +.B avc_get_initial_sid +returns a SID for the initial kernel security identifier specified by name + .SH "RETURN VALUE" .B sidget and Added: trunk/libselinux/man/man3/avc_get_initial_context.3 =================================================================== --- trunk/libselinux/man/man3/avc_get_initial_context.3 (rev 0) +++ trunk/libselinux/man/man3/avc_get_initial_context.3 2007-04-09 18:34:19 UTC (rev 2330) @@ -0,0 +1 @@ +.so man3/avc_context_to_sid.3 Modified: trunk/libselinux/src/avc.c =================================================================== --- trunk/libselinux/src/avc.c 2007-04-09 18:26:02 UTC (rev 2329) +++ trunk/libselinux/src/avc.c 2007-04-09 18:34:19 UTC (rev 2330) 
@@ -280,6 +280,21 @@ return rc; } +int avc_get_initial_sid(const char * name, security_id_t * sid) +{ + int rc; + security_context_t con; + + rc = security_get_initial_context_raw(name, &con); + if (rc < 0) + return rc; + rc = avc_context_to_sid_raw(con, sid); + + freecon(con); + + return rc; +} + int avc_init(const char *prefix, const struct avc_memory_callback *mem_cb, const struct avc_log_callback *log_cb, This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
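Review bot: The definition uses `const char * name, security_id_t * sid` spacing while the avc_init() signature two lines below uses `const char *prefix`; `int avc_get_initial_sid(const char *name, security_id_t *sid)` keeps the file consistent. Because the header comment in avc.h names the non-raw functions, a one-line comment here would save the next reader a trip: `/* Use the raw (untranslated) variants: the context comes straight from selinuxfs. */`. The error handling itself looks right — `con` is only read after a successful lookup and is freed regardless of whether avc_context_to_sid_raw() succeeds.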
From: <ssm...@us...> - 2007-04-09 21:30:00
Revision: 2332 http://svn.sourceforge.net/selinux/?rev=2332&view=rev Author: ssmalley Date: 2007-04-09 14:29:58 -0700 (Mon, 09 Apr 2007) Log Message: ----------- Updated ChangeLog and VERSION. Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-04-09 21:28:57 UTC (rev 2331) +++ trunk/libselinux/ChangeLog 2007-04-09 21:29:58 UTC (rev 2332) @@ -1,3 +1,6 @@ +2.0.12 2007-04-09 + * Merged support for getting initial contexts from James Carter. + 2.0.11 2007-04-05 * Merged userspace AVC patch to follow kernel's behavior for permissive mode in caching previous denials from Eamon Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-04-09 21:28:57 UTC (rev 2331) +++ trunk/libselinux/VERSION 2007-04-09 21:29:58 UTC (rev 2332) @@ -1 +1 @@ -2.0.11 +2.0.12 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-04-12 18:13:18
Revision: 2340 http://svn.sourceforge.net/selinux/?rev=2340&view=rev Author: ssmalley Date: 2007-04-12 11:13:16 -0700 (Thu, 12 Apr 2007) Log Message: ----------- Author: Daniel J Walsh Email: dw...@re... Subject: libselinux patch with corrected call to get_all Date: Wed, 11 Apr 2007 14:35:57 -0400 Modified Paths: -------------- trunk/libselinux/man/man8/matchpathcon.8 trunk/libselinux/src/selinuxswig.i trunk/libselinux/src/selinuxswig_wrap.c trunk/libselinux/utils/getsebool.c Modified: trunk/libselinux/man/man8/matchpathcon.8 =================================================================== --- trunk/libselinux/man/man8/matchpathcon.8 2007-04-12 16:19:56 UTC (rev 2339) +++ trunk/libselinux/man/man8/matchpathcon.8 2007-04-12 18:13:16 UTC (rev 2340) @@ -28,4 +28,4 @@ .SH "SEE ALSO" .BR selinux "(8), " -.BR mathpathcon "(3), " +.BR matchpathcon "(3), " Modified: trunk/libselinux/src/selinuxswig.i =================================================================== --- trunk/libselinux/src/selinuxswig.i 2007-04-12 16:19:56 UTC (rev 2339) +++ trunk/libselinux/src/selinuxswig.i 2007-04-12 18:13:16 UTC (rev 2340) 
@@ -115,9 +115,38 @@ extern const char *selinux_path(void); extern int selinux_check_passwd_access(access_vector_t requested); extern int checkPasswdAccess(access_vector_t requested); + +// This tells SWIG to treat char ** as a special case +%typemap(python,in) char ** { + /* Check if is a list */ + if (PyList_Check($input)) { + int size = PyList_Size($input); + int i = 0; + $1 = (char **) malloc((size+1)*sizeof(char *)); + if ($1 == NULL) { + PyErr_SetString(PyExc_MemoryError,"Out of memory"); + return NULL; + } + for (i = 0; i < size; i++) { + PyObject *o = PyList_GetItem($input,i); + if (PyString_Check(o)) + $1[i] = PyString_AsString(PyList_GetItem($input,i)); + else { + PyErr_SetString(PyExc_TypeError,"list must contain strings"); + free($1); + return NULL; + } + } + $1[i] = 0; + } else { + PyErr_SetString(PyExc_TypeError,"not a list"); + return NULL; + } +} + extern int rpm_execcon(unsigned int verified, const char *filename, - char *const argv[], char *const envp[]); + char **, char **); extern int is_context_customizable (security_context_t scontext); Modified: trunk/libselinux/src/selinuxswig_wrap.c =================================================================== --- trunk/libselinux/src/selinuxswig_wrap.c 2007-04-12 16:19:56 UTC (rev 2339) +++ trunk/libselinux/src/selinuxswig_wrap.c 2007-04-12 18:13:16 UTC (rev 2340) @@ -4145,18 +4145,14 @@ PyObject *resultobj = 0; unsigned int arg1 ; char *arg2 = (char *) 0 ; - char **arg3 ; - char **arg4 ; + char **arg3 = (char **) 0 ; + char **arg4 = (char **) 0 ; int result; unsigned int val1 ; int ecode1 = 0 ; int res2 ; char *buf2 = 0 ; int alloc2 = 0 ; - void *argp3 = 0 ; - int res3 = 0 ; - void *argp4 = 0 ; - int res4 = 0 ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; PyObject * obj2 = 0 ; 
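Review bot: The new `char **` typemap malloc()s the argv/envp arrays but nothing ever frees them on the success path — there is no matching `%typemap(python,freearg) char ** { free($1); }` — so every rpm_execcon() call that returns (i.e. whose exec fails) leaks both arrays, and in the generated wrapper (next section) the bare `return NULL` on the arg4 error path additionally leaks arg3 and the buf2 string converted for arg2. Inside an `in` typemap the idiom is `SWIG_fail;` rather than `return NULL;`, so that SWIG's `fail:` label runs the cleanup for arguments already converted; if a freearg typemap is added, the explicit `free($1)` in the error branch must either go or be followed by `$1 = NULL;`, otherwise the fail path double-frees. `int size = PyList_Size($input);` also narrows a Py_ssize_t; `Py_ssize_t size` avoids the truncation. The stored pointers are borrowed from the list's string items via PyString_AsString(), which is acceptable here only because rpm_execcon() consumes them before the call returns — worth a comment at the typemap.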
@@ -4173,17 +4169,59 @@ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "rpm_execcon" "', argument " "2"" of type '" "char const *""'"); } arg2 = (char *)(buf2); - res3 = SWIG_ConvertPtr(obj2, &argp3,SWIGTYPE_p_p_char, 0 | 0 ); - if (!SWIG_IsOK(res3)) { - SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "rpm_execcon" "', argument " "3"" of type '" "char *const []""'"); - } - arg3 = (char **)(argp3); - res4 = SWIG_ConvertPtr(obj3, &argp4,SWIGTYPE_p_p_char, 0 | 0 ); - if (!SWIG_IsOK(res4)) { - SWIG_exception_fail(SWIG_ArgError(res4), "in method '" "rpm_execcon" "', argument " "4"" of type '" "char *const []""'"); - } - arg4 = (char **)(argp4); - result = (int)rpm_execcon(arg1,(char const *)arg2,(char *const (*))arg3,(char *const (*))arg4); + { + /* Check if is a list */ + if (PyList_Check(obj2)) { + int size = PyList_Size(obj2); + int i = 0; + arg3 = (char **) malloc((size+1)*sizeof(char *)); + if (arg3 == NULL) { + PyErr_SetString(PyExc_MemoryError,"Out of memory"); + return NULL; + } + for (i = 0; i < size; i++) { + PyObject *o = PyList_GetItem(obj2,i); + if (PyString_Check(o)) + arg3[i] = PyString_AsString(PyList_GetItem(obj2,i)); + else { + PyErr_SetString(PyExc_TypeError,"list must contain strings"); + free(arg3); + return NULL; + } + } + arg3[i] = 0; + } else { + PyErr_SetString(PyExc_TypeError,"not a list"); + return NULL; + } + } + { + /* Check if is a list */ + if (PyList_Check(obj3)) { + int size = PyList_Size(obj3); + int i = 0; + arg4 = (char **) malloc((size+1)*sizeof(char *)); + if (arg4 == NULL) { + PyErr_SetString(PyExc_MemoryError,"Out of memory"); + return NULL; + } + for (i = 0; i < size; i++) { + PyObject *o = PyList_GetItem(obj3,i); + if (PyString_Check(o)) + arg4[i] = PyString_AsString(PyList_GetItem(obj3,i)); + else { + PyErr_SetString(PyExc_TypeError,"list must contain strings"); + free(arg4); + return NULL; + } + } + arg4[i] = 0; + } else { + PyErr_SetString(PyExc_TypeError,"not a list"); + return NULL; + } + } + result = 
(int)rpm_execcon(arg1,(char const *)arg2,arg3,arg4); resultobj = SWIG_From_int((int)(result)); if (alloc2 == SWIG_NEWOBJ) free((char*)buf2); return resultobj; Modified: trunk/libselinux/utils/getsebool.c =================================================================== --- trunk/libselinux/utils/getsebool.c 2007-04-12 16:19:56 UTC (rev 2339) +++ trunk/libselinux/utils/getsebool.c 2007-04-12 18:13:16 UTC (rev 2340) @@ -14,7 +14,7 @@ int main(int argc, char **argv) { - int i, rc = 0, active, pending, len = 0, opt; + int i, get_all = 0, rc = 0, active, pending, len = 0, opt; char **names; while ((opt = getopt(argc, argv, "a")) > 0) { @@ -39,6 +39,7 @@ printf("No booleans\n"); return 0; } + get_all = 1; break; default: usage(argv[0]); @@ -72,6 +73,8 @@ for (i = 0; i < len; i++) { active = security_get_boolean_active(names[i]); if (active < 0) { + if (get_all && errno == EACCES) + continue; fprintf(stderr, "Error getting active value for %s\n", names[i]); rc = -1; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
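Review bot: The `continue` on EACCES in the active-value loop makes a `-a` listing silently omit every boolean the caller is not permitted to read, with no indication in the output; that is a deliberate choice, so the new lines deserve a comment such as `/* With -a, list what we are allowed to read instead of failing the whole run on a denied boolean. */`. The `errno == EACCES` test is only valid because it directly follows the failing security_get_boolean_active() call; if the `fprintf` is ever moved above it the check becomes meaningless. The loop body continues outside the hunk, so whether `continue` also bypasses a per-name cleanup of `names[i]` cannot be judged from here — worth confirming against the rest of the loop.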
From: <ssm...@us...> - 2007-04-12 18:30:30
Revision: 2341 http://svn.sourceforge.net/selinux/?rev=2341&view=rev Author: ssmalley Date: 2007-04-12 11:30:29 -0700 (Thu, 12 Apr 2007) Log Message: ----------- libselinux 2.0.13 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-04-12 18:13:16 UTC (rev 2340) +++ trunk/libselinux/ChangeLog 2007-04-12 18:30:29 UTC (rev 2341) @@ -1,3 +1,6 @@ +2.0.13 2007-04-12 + * Merged rpm_execcon python binding fix, matchpathcon man page fix, and getsebool -a handling for EACCES from Dan Walsh. + 2.0.12 2007-04-09 * Merged support for getting initial contexts from James Carter. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-04-12 18:13:16 UTC (rev 2340) +++ trunk/libselinux/VERSION 2007-04-12 18:30:29 UTC (rev 2341) @@ -1 +1 @@ -2.0.12 +2.0.13 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-04-24 13:47:59
Revision: 2360 http://svn.sourceforge.net/selinux/?rev=2360&view=rev Author: ssmalley Date: 2007-04-24 06:47:44 -0700 (Tue, 24 Apr 2007) Log Message: ----------- Updated ChangeLog and VERSION. Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-04-24 13:45:38 UTC (rev 2359) +++ trunk/libselinux/ChangeLog 2007-04-24 13:47:44 UTC (rev 2360) @@ -1,3 +1,6 @@ +2.0.14 2007-04-24 + * Merged build fix for avc_internal.c from Joshua Brindle. + 2.0.13 2007-04-12 * Merged rpm_execcon python binding fix, matchpathcon man page fix, and getsebool -a handling for EACCES from Dan Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-04-24 13:45:38 UTC (rev 2359) +++ trunk/libselinux/VERSION 2007-04-24 13:47:44 UTC (rev 2360) @@ -1 +1 @@ -2.0.13 +2.0.14 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-04-27 16:35:00
Revision: 2412 http://svn.sourceforge.net/selinux/?rev=2412&view=rev Author: ssmalley Date: 2007-04-27 09:34:56 -0700 (Fri, 27 Apr 2007) Log Message: ----------- updated libselinux to version 2.0.15 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-04-27 16:32:08 UTC (rev 2411) +++ trunk/libselinux/ChangeLog 2007-04-27 16:34:56 UTC (rev 2412) @@ -1,3 +1,6 @@ +2.0.15 2007-04-27 + * Merged helpful message when selinuxfs mount fails patch from Dax Kelson. + 2.0.14 2007-04-24 * Merged build fix for avc_internal.c from Joshua Brindle. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-04-27 16:32:08 UTC (rev 2411) +++ trunk/libselinux/VERSION 2007-04-27 16:34:56 UTC (rev 2412) @@ -1 +1 @@ -2.0.14 +2.0.15 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-05-09 14:54:18
Revision: 2434 http://svn.sourceforge.net/selinux/?rev=2434&view=rev Author: ssmalley Date: 2007-05-09 07:54:17 -0700 (Wed, 09 May 2007) Log Message: ----------- updated libselinux to version 2.0.16 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-05-09 14:53:30 UTC (rev 2433) +++ trunk/libselinux/ChangeLog 2007-05-09 14:54:17 UTC (rev 2434) @@ -1,3 +1,6 @@ +2.0.16 2007-05-09 + * Merged additional swig python bindings from Dan Walsh. + 2.0.15 2007-04-27 * Merged helpful message when selinuxfs mount fails patch from Dax Kelson. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-05-09 14:53:30 UTC (rev 2433) +++ trunk/libselinux/VERSION 2007-05-09 14:54:17 UTC (rev 2434) @@ -1 +1 @@ -2.0.15 +2.0.16 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ew...@us...> - 2007-05-31 20:54:23
Revision: 2453 http://svn.sourceforge.net/selinux/?rev=2453&view=rev Author: ewalsh Date: 2007-05-31 13:54:23 -0700 (Thu, 31 May 2007) Log Message: ----------- updated libselinux to version 2.0.17 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-05-31 20:44:19 UTC (rev 2452) +++ trunk/libselinux/ChangeLog 2007-05-31 20:54:23 UTC (rev 2453) @@ -1,3 +1,6 @@ +2.0.17 2007-05-31 + * Updated Lindent script and reindented two header files. + 2.0.16 2007-05-09 * Merged additional swig python bindings from Dan Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-05-31 20:44:19 UTC (rev 2452) +++ trunk/libselinux/VERSION 2007-05-31 20:54:23 UTC (rev 2453) @@ -1 +1 @@ -2.0.16 +2.0.17 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-05-31 20:57:47
Revision: 2454 http://svn.sourceforge.net/selinux/?rev=2454&view=rev Author: ssmalley Date: 2007-05-31 13:57:45 -0700 (Thu, 31 May 2007) Log Message: ----------- Author: Yuichi Nakamura Email: yn...@hi... Subject: Reducing size of libselinux/libsepol: 3rd Date: Wed, 23 May 2007 10:39:36 +0900 Hi. As discussed in previous threads, http://marc.info/?t=117609454600002&r=1&w=2 http://marc.info/?t=117886013000001&r=1&w=2 I would like to submit patch to reduce size of libselinux+libsepol, again. 1. Background Current libselinux+libsepol size is big for embedded devices. libselinux.so.1: 115348 byte libsepol.so.1:302067 Total: 417415 byte It uses more than 400kbyte. Needs for embedded device is various, because hardware resource is various. If device is rich enough, people may want full-featured SELinux. If device is not rich, people want to reduce binary size by removing some features. For example, some may not want modular policy, may not want boolean. We thought size of libselinux+libsepol can be reduced by removing libsepol and removing unnecessary functions from libselinux. 2. What this patch does 1) libsepol is separated from libselinux libsepol is not required by libselinux. So you do not have to compile libsepol, if you do not need libsepol functions. 2) Some features are disabled in libselinux By typing "make EMBEDDED=y" in libselinux dir, what happens is following. Following values are defined in Makefile. >ifeq ($(EMBEDDED),y) > override DISABLE_AVC=y > override DISABLE_SETRANS=y > override DISABLE_RPM=y > override DISABLE_BOOL=y >endif * DISABLE_AVC Disables user space avc support, avc.c avc_internal.c avc_sidtab.c are not compiled. * DISABLE_SETRANS Some functions of translations are replaced with stubs in setrans_client.c * DISABLE_RPM Disables rpm features, rpm.c are not compiled. * DISABLE_BOOL Disable boolean features, booleans.c are not compiled. 3) Fixes to libselinux/utils * -lsepol is removed * When make EMBEDDED=y, some utils are not compiled. 3. 
Size measurement Compiled libselinux/libsepol in trunk by gcc(x86). * Before libselinux.so.1: 115348 byte libsepol.so.1:302067 Total: 417415 byte * After libselinux.so.1: 77103 byte libsepol.so.1:0 byte(do not have to compile) Total: 77103 byte Please consider merging this patch. Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libselinux/Makefile trunk/libselinux/src/Makefile trunk/libselinux/src/load_policy.c trunk/libselinux/src/policy.h trunk/libselinux/src/policyvers.c trunk/libselinux/src/setrans_client.c trunk/libselinux/utils/Makefile Modified: trunk/libselinux/Makefile =================================================================== --- trunk/libselinux/Makefile 2007-05-31 20:54:23 UTC (rev 2453) +++ trunk/libselinux/Makefile 2007-05-31 20:57:45 UTC (rev 2454) @@ -1,3 +1,21 @@ +DISABLE_AVC ?= n +DISABLE_SETRANS ?= n +DISABLE_RPM ?= n +DISABLE_BOOL ?= n +ifeq ($(EMBEDDED),y) + override DISABLE_AVC=y + override DISABLE_SETRANS=y + override DISABLE_RPM=y + override DISABLE_BOOL=y +endif +ifeq ($(DISABLE_BOOL),y) + EMFLAGS+= -DDISABLE_BOOL +endif +ifeq ($(DISABLE_SETRANS),y) + EMFLAGS+= -DDISABLE_SETRANS +endif +export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS + all: $(MAKE) -C src $(MAKE) -C utils Modified: trunk/libselinux/src/Makefile =================================================================== --- trunk/libselinux/src/Makefile 2007-05-31 20:54:23 UTC (rev 2453) +++ trunk/libselinux/src/Makefile 2007-05-31 20:57:45 UTC (rev 2454) 
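Review bot: `EMFLAGS` only carries `-DDISABLE_BOOL` and `-DDISABLE_SETRANS`; `DISABLE_AVC` and `DISABLE_RPM` are handled purely by dropping source files in src/Makefile, so the public headers (selinux/avc.h, and rpm_execcon() in selinux.h) still declare functions an embedded build does not export, and consumers — including the SWIG wrapper in src, which references rpm_execcon() — will compile but fail to link with no hint why. Adding `-DDISABLE_AVC`/`-DDISABLE_RPM` to `EMFLAGS` in the same pattern as the two existing blocks would let the headers and the src/utils Makefiles guard on them. A short comment at the top of the new block stating that `EMBEDDED=y` is a shorthand that forces all four `DISABLE_*` switches would also help, since the `override` lines silently defeat any per-switch value a user passes on the same command line.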
@@ -18,10 +18,22 @@ SWIGSO=_selinux.so SWIGFILES=$(SWIGSO) selinux.py LIBSO=$(TARGET).$(LIBVERSION) -OBJS= $(patsubst %.c,%.o,$(filter-out $(SWIGCOUT),$(wildcard *.c))) -LOBJS= $(patsubst %.c,%.lo,$(filter-out $(SWIGCOUT),$(wildcard *.c))) + +ifeq ($(DISABLE_AVC),y) + UNUSED_SRCS+=avc.c avc_internal.c avc_sidtab.c +endif +ifeq ($(DISABLE_BOOL),y) + UNUSED_SRCS+=booleans.c +endif +ifeq ($(DISABLE_RPM),y) + UNUSED_SRCS+=rpm.c +endif +SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out $(SWIGCOUT),$(wildcard *.c))) + +OBJS= $(patsubst %.c,%.o,$(SRCS)) +LOBJS= $(patsubst %.c,%.lo,$(SRCS)) CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 +override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 $(EMFLAGS) RANLIB=ranlib ARCH := $(patsubst i%86,i386,$(shell uname -m)) @@ -48,7 +60,7 @@ $(CC) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@ $(LIBSO): $(LOBJS) - $(CC) $(LDFLAGS) -shared -o $@ $^ -ldl -lsepol -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro + $(CC) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ln -sf $@ $(TARGET) %.o: %.c policy.h Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2007-05-31 20:54:23 UTC (rev 2453) +++ trunk/libselinux/src/load_policy.c 2007-05-31 20:57:45 UTC (rev 2454) @@ -12,6 +12,7 @@ #include "selinux_internal.h" #include <sepol/sepol.h> #include <sepol/policydb.h> +#include <dlfcn.h> #include "policy.h" #include <limits.h> @@ -42,9 +43,9 @@ int load_setlocaldefs hidden = 1; int selinux_mkload_policy(int preservebools) -{ - int vers = sepol_policy_kern_vers_max(); +{ int kernvers = security_policyvers(); + int vers = kernvers, minvers = DEFAULT_POLICY_VERSION; char path[PATH_MAX], **names; struct stat sb; size_t size; 
@@ -52,20 +53,95 @@ int fd, rc = -1, *values, len, i, prot; sepol_policydb_t *policydb; sepol_policy_file_t *pf; + int usesepol = 0; + int (*vers_max)(void) = NULL; + int (*vers_min)(void) = NULL; + int (*policy_file_create)(sepol_policy_file_t **) = NULL; + void (*policy_file_free)(sepol_policy_file_t *) = NULL; + void (*policy_file_set_mem)(sepol_policy_file_t *, char*, size_t) = NULL; + int (*policydb_create)(sepol_policydb_t **) = NULL; + void (*policydb_free)(sepol_policydb_t *) = NULL; + int (*policydb_read)(sepol_policydb_t *, sepol_policy_file_t *) = NULL; + int (*policydb_set_vers)(sepol_policydb_t *, unsigned int) = NULL; + int (*policydb_to_image)(sepol_handle_t *, sepol_policydb_t *, void **, size_t *) = NULL; + int (*genbools_array)(void *data, size_t len, char **names, int *values, int nel) = NULL; + int (*genusers)(void *data, size_t len, const char *usersdir, void **newdata, size_t * newlen) = NULL; + int (*genbools)(void *data, size_t len, char *boolpath) = NULL; +#ifdef SHARED + char *errormsg = NULL; + void *libsepolh = NULL; + libsepolh = dlopen("libsepol.so", RTLD_NOW); + if (libsepolh) { + usesepol = 1; + dlerror(); +#define DLERR() if ((errormsg = dlerror())) goto dlclose; + vers_max = dlsym(libsepolh, "sepol_policy_kern_vers_max"); + DLERR(); + vers_min = dlsym(libsepolh, "sepol_policy_kern_vers_min"); + DLERR(); + + policy_file_create = dlsym(libsepolh, "sepol_policy_file_create"); + DLERR(); + policy_file_free = dlsym(libsepolh, "sepol_policy_file_free"); + DLERR(); + policy_file_set_mem = dlsym(libsepolh, "sepol_policy_file_set_mem"); + DLERR(); + policydb_create = dlsym(libsepolh, "sepol_policydb_create"); + DLERR(); + policydb_free = dlsym(libsepolh, "sepol_policydb_free"); + DLERR(); + policydb_read = dlsym(libsepolh, "sepol_policydb_read"); + DLERR(); + policydb_set_vers = dlsym(libsepolh, "sepol_policydb_set_vers"); + DLERR(); + policydb_to_image = dlsym(libsepolh, "sepol_policydb_to_image"); + DLERR(); + genbools_array = 
dlsym(libsepolh, "sepol_genbools_array"); + DLERR(); + genusers = dlsym(libsepolh, "sepol_genusers"); + DLERR(); + genbools = dlsym(libsepolh, "sepol_genbools"); + DLERR(); + +#undef DLERR + } +#else + usesepol = 1; + vers_max = sepol_policy_kern_vers_max; + vers_min = sepol_policy_kern_vers_min; + policy_file_create = sepol_policy_file_create; + policy_file_free = sepol_policy_file_free; + policy_file_set_mem = sepol_policy_file_set_mem; + policydb_create = sepol_policydb_create; + policydb_free = sepol_policydb_free; + policydb_read = sepol_policydb_read; + policydb_set_vers = sepol_policydb_set_vers; + policydb_to_image = sepol_policydb_to_image; + genbools_array = sepol_genbools_array; + genusers = sepol_genusers; + genbools = sepol_genbools; + +#endif + + if (usesepol) { + vers = vers_max(); + minvers = vers_min(); + } + search: snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); fd = open(path, O_RDONLY); while (fd < 0 && errno == ENOENT - && --vers >= sepol_policy_kern_vers_min()) { + && --vers >= minvers) { /* Check prior versions to see if old policy is available */ snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); fd = open(path, O_RDONLY); } if (fd < 0) - return -1; + goto dlclose; if (fstat(fd, &sb) < 0) goto close; 
@@ -79,71 +155,76 @@ if (map == MAP_FAILED) goto close; - if (vers > kernvers) { + if (vers > kernvers && usesepol) { /* Need to downgrade to kernel-supported version. */ - if (sepol_policy_file_create(&pf)) + if (policy_file_create(&pf)) goto unmap; - if (sepol_policydb_create(&policydb)) { - sepol_policy_file_free(pf); + if (policydb_create(&policydb)) { + policy_file_free(pf); goto unmap; } - sepol_policy_file_set_mem(pf, data, size); - if (sepol_policydb_read(policydb, pf)) { - sepol_policy_file_free(pf); - sepol_policydb_free(policydb); + policy_file_set_mem(pf, data, size); + if (policydb_read(policydb, pf)) { + policy_file_free(pf); + policydb_free(policydb); goto unmap; } - if (sepol_policydb_set_vers(policydb, kernvers) || - sepol_policydb_to_image(NULL, policydb, &data, &size)) { + if (policydb_set_vers(policydb, kernvers) || + policydb_to_image(NULL, policydb, &data, &size)) { /* Downgrade failed, keep searching. */ - sepol_policy_file_free(pf); - sepol_policydb_free(policydb); + policy_file_free(pf); + policydb_free(policydb); munmap(map, sb.st_size); close(fd); vers--; goto search; } - sepol_policy_file_free(pf); - sepol_policydb_free(policydb); + policy_file_free(pf); + policydb_free(policydb); } - if (load_setlocaldefs) { - void *olddata = data; - size_t oldsize = size; - rc = sepol_genusers(olddata, oldsize, selinux_users_path(), - &data, &size); - if (rc < 0) { - /* Fall back to the prior image if genusers failed. */ - data = olddata; - size = oldsize; - rc = 0; - } else { - if (olddata != map) - free(olddata); + if (usesepol) { + if (load_setlocaldefs) { + void *olddata = data; + size_t oldsize = size; + rc = genusers(olddata, oldsize, selinux_users_path(), + &data, &size); + if (rc < 0) { + /* Fall back to the prior image if genusers failed. 
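Review bot: `dlopen("libsepol.so", RTLD_NOW)` opens the unversioned development symlink, which is typically only present when the -devel package is installed, so on a runtime-only system the libsepol path would be silently disabled even though libsepol.so.1 (the object the commit message itself measures) is there; binding to the versioned name, `dlopen("libsepol.so.1", RTLD_NOW)`, would fix that and pins the ABI the function-pointer prototypes above were written against. When the dlopen fails there is no diagnostic at all and the consequences — no downgrade of a newer binary policy, and `load_setlocaldefs`/`preservebools` ignored — are not stated anywhere; a comment at `if (libsepolh) {` such as `/* Without libsepol we can only load a policy the kernel already accepts: no version downgrade, no local users/booleans. */` would make the fallback explicit. The `DLERR()` macro jumps to `dlclose:` before `fd` is opened, which is correct only because that label sits after `close:` at the end of the function; a note there would keep a later reorder from closing an unopened descriptor. The function continues past the end of this hunk.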
*/ + data = olddata; + size = oldsize; + rc = 0; + } else { + if (olddata != map) + free(olddata); + } } - } - - if (preservebools) { - rc = security_get_boolean_names(&names, &len); - if (!rc) { - values = malloc(sizeof(int) * len); - if (!values) - goto unmap; - for (i = 0; i < len; i++) - values[i] = - security_get_boolean_active(names[i]); - (void)sepol_genbools_array(data, size, names, values, - len); - free(values); - for (i = 0; i < len; i++) - free(names[i]); - free(names); + +#ifndef DISABLE_BOOL + if (preservebools) { + rc = security_get_boolean_names(&names, &len); + if (!rc) { + values = malloc(sizeof(int) * len); + if (!values) + goto unmap; + for (i = 0; i < len; i++) + values[i] = + security_get_boolean_active(names[i]); + (void)genbools_array(data, size, names, values, + len); + free(values); + for (i = 0; i < len; i++) + free(names[i]); + free(names); + } + } else if (load_setlocaldefs) { + (void)genbools(data, size, + (char *)selinux_booleans_path()); } - } else if (load_setlocaldefs) { - (void)sepol_genbools(data, size, - (char *)selinux_booleans_path()); +#endif } + rc = security_load_policy(data, size); unmap: @@ -152,6 +233,13 @@ munmap(map, sb.st_size); close: close(fd); + dlclose: +#ifdef SHARED + if (errormsg) + fprintf(stderr, "libselinux: %s\n", errormsg); + if (libsepolh) + dlclose(libsepolh); +#endif return rc; } Modified: trunk/libselinux/src/policy.h =================================================================== --- trunk/libselinux/src/policy.h 2007-05-31 20:54:23 UTC (rev 2453) +++ trunk/libselinux/src/policy.h 2007-05-31 20:57:45 UTC (rev 2454) @@ -20,4 +20,6 @@ #define FILECONTEXTS "/etc/security/selinux/file_contexts" +#define DEFAULT_POLICY_VERSION 15 + #endif Modified: trunk/libselinux/src/policyvers.c =================================================================== --- trunk/libselinux/src/policyvers.c 2007-05-31 20:54:23 UTC (rev 2453) +++ trunk/libselinux/src/policyvers.c 2007-05-31 20:57:45 UTC (rev 2454) 
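Review bot: When `usesepol` is false the whole `if (usesepol) {` block is skipped, so a caller that asked for `preservebools` gets a policy loaded with whatever boolean values the image carries, with rc still 0 and nothing logged; the fallback should at least be documented on that line, and it is worth considering whether `preservebools` without libsepol should be reported rather than silently honoured as a no-op. Under `DISABLE_BOOL` the locals `names`, `values`, `len` and `i` declared in the earlier hunk are never referenced, which will warn under the `-W` already in CFLAGS; wrapping their declarations in the same `#ifndef DISABLE_BOOL` keeps the embedded build clean. The function begins outside this hunk.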
@@ -10,8 +10,6 @@ #include "dso.h" #include <limits.h> -#define DEFAULT_POLICY_VERSION 15 - int security_policyvers(void) { int fd, ret; Modified: trunk/libselinux/src/setrans_client.c =================================================================== --- trunk/libselinux/src/setrans_client.c 2007-05-31 20:54:23 UTC (rev 2453) +++ trunk/libselinux/src/setrans_client.c 2007-05-31 20:57:45 UTC (rev 2454) @@ -1,4 +1,10 @@ -/* Copyright (c) 2006 Trusted Computer Solutions, Inc. */ +/* Copyright (c) 2006 Trusted Computer Solutions, Inc. + * + * Modified: + * Yuichi Nakamura <yn...@hi...> + - Stubs are used when DISABLE_SETRANS is defined, + it is to reduce size for such as embedded devices. +*/ #include <sys/types.h> #include <sys/socket.h> @@ -16,6 +22,7 @@ #include "selinux_internal.h" #include "setrans_internal.h" +#ifndef DISABLE_SETRANS static int mls_enabled = -1; // Simple cache @@ -290,3 +297,43 @@ } hidden_def(selinux_raw_to_trans_context) +#else /*DISABLE_SETRANS*/ + +hidden void fini_context_translations(void) +{ +} + +hidden int init_context_translations(void) +{ + return 0; +} + +int selinux_trans_to_raw_context(security_context_t trans, + security_context_t * rawp) +{ + if (!trans) { + *rawp = NULL; + return 0; + } + + *rawp = strdup(trans); + + return *rawp ? 0 : -1; +} + +hidden_def(selinux_trans_to_raw_context) + +int selinux_raw_to_trans_context(security_context_t raw, + security_context_t * transp) +{ + if (!raw) { + *transp = NULL; + return 0; + } + *transp = strdup(raw); + + return *transp ? 0 : -1; +} + +hidden_def(selinux_raw_to_trans_context) +#endif /*DISABLE_SETRANS*/ Modified: trunk/libselinux/utils/Makefile =================================================================== --- trunk/libselinux/utils/Makefile 2007-05-31 20:54:23 UTC (rev 2453) +++ trunk/libselinux/utils/Makefile 2007-05-31 20:57:45 UTC (rev 2454) 
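Review bot: The `DISABLE_SETRANS` stubs for selinux_trans_to_raw_context and selinux_raw_to_trans_context carry no comment stating their contract, and the ownership rule matters because both return a heap copy. Add above `fini_context_translations` something like `/* DISABLE_SETRANS: no translation daemon; raw and translated contexts are the same string, so each call returns a heap copy the caller must freecon() (NULL in, NULL out) */`. Both stubs call strdup(), which needs `<string.h>`; the include list at the top of the file is only partly visible in the first hunk, so confirm it is already included.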
@@ -4,10 +4,17 @@ BINDIR ?= $(PREFIX)/sbin CFLAGS ?= -Wall -override CFLAGS += -I../include -D_GNU_SOURCE -LDLIBS += -L../src -lselinux -lsepol -L$(LIBDIR) +override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS) +LDLIBS += -L../src -lselinux -L$(LIBDIR) TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +ifeq ($(DISABLE_AVC),y) + UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel +endif +ifeq ($(DISABLE_BOOL),y) + UNUSED_TARGETS+=getsebool togglesebool +endif +TARGETS:= $(filter-out $(UNUSED_TARGETS), $(TARGETS)) all: $(TARGETS) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-05-31 21:00:32

Revision: 2455 http://svn.sourceforge.net/selinux/?rev=2455&view=rev Author: ssmalley Date: 2007-05-31 14:00:31 -0700 (Thu, 31 May 2007) Log Message: ----------- updated libselinux to version 2.0.18 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-05-31 20:57:45 UTC (rev 2454) +++ trunk/libselinux/ChangeLog 2007-05-31 21:00:31 UTC (rev 2455) @@ -1,3 +1,7 @@ +2.0.18 2007-05-31 + * Merged patch to reduce size of libselinux and remove need for libsepol for embedded systems from Yuichi Nakamura. + This patch also turns the link-time dependency on libsepol into a runtime (dlopen) dependency even in the non-embedded case. + 2.0.17 2007-05-31 * Updated Lindent script and reindented two header files. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-05-31 20:57:45 UTC (rev 2454) +++ trunk/libselinux/VERSION 2007-05-31 21:00:31 UTC (rev 2455) @@ -1 +1 @@ -2.0.17 +2.0.18 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ew...@us...> - 2007-06-05 19:30:54
Revision: 2464 http://svn.sourceforge.net/selinux/?rev=2464&view=rev Author: ewalsh Date: 2007-06-05 12:30:40 -0700 (Tue, 05 Jun 2007) Log Message: ----------- updated libselinux to version 2.0.19 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-06-05 19:27:23 UTC (rev 2463) +++ trunk/libselinux/ChangeLog 2007-06-05 19:30:40 UTC (rev 2464) @@ -1,3 +1,6 @@ +2.0.19 2007-06-05 + * Refactoring and errno support in string representation code. + 2.0.18 2007-05-31 * Merged patch to reduce size of libselinux and remove need for libsepol for embedded systems from Yuichi Nakamura. This patch also turns the link-time dependency on libsepol into a runtime (dlopen) dependency even in the non-embedded case. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-06-05 19:27:23 UTC (rev 2463) +++ trunk/libselinux/VERSION 2007-06-05 19:30:40 UTC (rev 2464) @@ -1 +1 @@ -2.0.18 +2.0.19 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ew...@us...> - 2007-06-07 18:42:45
Revision: 2470 http://svn.sourceforge.net/selinux/?rev=2470&view=rev Author: ewalsh Date: 2007-06-07 11:42:44 -0700 (Thu, 07 Jun 2007) Log Message: ----------- updated libselinux to version 2.0.20 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-06-07 18:41:30 UTC (rev 2469) +++ trunk/libselinux/ChangeLog 2007-06-07 18:42:44 UTC (rev 2470) @@ -1,3 +1,6 @@ +2.0.20 2007-06-07 + * Object class discovery support patches from Chris PeBenito + 2.0.19 2007-06-05 * Refactoring and errno support in string representation code. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-06-07 18:41:30 UTC (rev 2469) +++ trunk/libselinux/VERSION 2007-06-07 18:42:44 UTC (rev 2470) @@ -1 +1 @@ -2.0.19 +2.0.20 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ew...@us...> - 2007-06-11 16:59:15
Revision: 2471 http://svn.sourceforge.net/selinux/?rev=2471&view=rev Author: ewalsh Date: 2007-06-11 09:59:08 -0700 (Mon, 11 Jun 2007) Log Message: ----------- Author: Eamon Walsh Email: ew...@ty... Subject: libselinux: class and permission mapping support (try 3) Date: Fri, 08 Jun 2007 13:26:21 -0400 Changes from the second version: rebase to object class discovery patchset; flush the AVC when setting a mapping. Changes from the first version: disallow a NULL mapping with error EINVAL; add assert statements to the map/unmap helpers to catch out-of-bounds value bugs in callers. This provides support for userspace object managers to register a mapping of class and permission values. After the mapping is registered all libselinux functions that take a security class or permission value must be provided with mapped values instead of the "real," kernel values. Changes from the original interface proposal: No selinux_init() function, just a straight set_mapping() function. Also, to simplify things the incoming mapping does not include explicit values; the classes and permissions are numbered implicitly by their ordering. NULL strings are used to terminate the lists. Tested with X server, no problems encountered. This patch includes the interface and implementation of the mapping set function. Signed-off-by: Eamon Walsh <ew...@ty...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libselinux/include/selinux/selinux.h Added Paths: ----------- trunk/libselinux/src/mapping.c Modified: trunk/libselinux/include/selinux/selinux.h =================================================================== --- trunk/libselinux/include/selinux/selinux.h 2007-06-07 18:42:44 UTC (rev 2470) +++ trunk/libselinux/include/selinux/selinux.h 2007-06-11 16:59:08 UTC (rev 2471) 
@@ -280,6 +280,14 @@ /* Commit the pending values for the booleans */ extern int security_commit_booleans(void); +/* Userspace class mapping support */ +struct security_class_mapping { + const char *name; + const char *perms[sizeof(access_vector_t) * 8 + 1]; +}; + +int selinux_set_mapping(struct security_class_mapping *map); + /* Common helpers */ /* Convert between security class values and string names */ Added: trunk/libselinux/src/mapping.c =================================================================== --- trunk/libselinux/src/mapping.c (rev 0) +++ trunk/libselinux/src/mapping.c 2007-06-11 16:59:08 UTC (rev 2471) 
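Review bot: The header does not state the termination rules the implementation in mapping.c depends on: the `map` array ends with an entry whose `name` is NULL, and each `perms` list ends with a NULL string, which is why `perms` has `sizeof(access_vector_t) * 8 + 1` slots. Put that next to the struct, e.g. `/* A mapping is an array terminated by an entry with name == NULL; each perms list is terminated by a NULL entry and holds at most sizeof(access_vector_t) * 8 permissions, numbered by position. */`. Unlike the neighbouring `security_commit_booleans` declaration, `selinux_set_mapping` lacks `extern`, and since the implementation only reads through `map`, `const struct security_class_mapping *map` would let callers pass a static const table.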
@@ -0,0 +1,189 @@ +/* + * Class and permission mappings. + */ + +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <stdarg.h> +#include <assert.h> +#include <selinux/selinux.h> +#include <selinux/avc.h> +#include "mapping.h" + +/* + * Class and permission mappings + */ + +struct selinux_mapping { + security_class_t value; /* real, kernel value */ + unsigned num_perms; + access_vector_t perms[sizeof(access_vector_t) * 8]; +}; + +static struct selinux_mapping *current_mapping = NULL; +static security_class_t current_mapping_size = 0; + +/* + * Mapping setting function + */ + +int +selinux_set_mapping(struct security_class_mapping *map) +{ + size_t size = sizeof(struct selinux_mapping); + security_class_t i, j; + unsigned k; + + free(current_mapping); + current_mapping = NULL; + current_mapping_size = 0; + + if (avc_reset() < 0) + goto err; + + /* Find number of classes in the input mapping */ + if (!map) { + errno = EINVAL; + goto err; + } + i = 0; + while (map[i].name) + i++; + + /* Allocate space for the class records, plus one for class zero */ + current_mapping = (struct selinux_mapping *)calloc(++i, size); + if (!current_mapping) + goto err; + + /* Store the raw class and permission values */ + j = 0; + while (map[j].name) { + struct security_class_mapping *p_in = map + (j++); + struct selinux_mapping *p_out = current_mapping + j; + + p_out->value = string_to_security_class(p_in->name); + if (!p_out->value) + goto err2; + + k = 0; + while (p_in->perms && p_in->perms[k]) { + p_out->perms[k] = string_to_av_perm(p_out->value, + p_in->perms[k]); + if (!p_out->perms[k]) + goto err2; + k++; + } + p_out->num_perms = k; + } + + /* Set the mapping size here so the above lookups are "raw" */ + current_mapping_size = i; + return 0; +err2: + free(current_mapping); + current_mapping = NULL; + current_mapping_size = 0; +err: + return -1; +} + +/* + * Get real, kernel values from mapped values + */ + +security_class_t +unmap_class(security_class_t tclass) 
+{ + if (tclass < current_mapping_size) + return current_mapping[tclass].value; + + assert(current_mapping_size == 0); + return tclass; +} + +access_vector_t +unmap_perm(security_class_t tclass, access_vector_t tperm) +{ + if (tclass < current_mapping_size) { + unsigned i; + access_vector_t kperm = 0; + + for (i=0; i<current_mapping[tclass].num_perms; i++) + if (tperm & (1<<i)) { + kperm |= current_mapping[tclass].perms[i]; + tperm &= ~(1<<i); + } + assert(tperm == 0); + return kperm; + } + + assert(current_mapping_size == 0); + return tperm; +} + +/* + * Get mapped values from real, kernel values + */ + +security_class_t +map_class(security_class_t kclass) +{ + security_class_t i; + + for (i=0; i<current_mapping_size; i++) + if (current_mapping[i].value == kclass) + return i; + + assert(current_mapping_size == 0); + return kclass; +} + +access_vector_t +map_perm(security_class_t tclass, access_vector_t kperm) +{ + if (tclass < current_mapping_size) { + unsigned i; + access_vector_t tperm = 0; + + for (i=0; i<current_mapping[tclass].num_perms; i++) + if (kperm & current_mapping[tclass].perms[i]) { + tperm |= 1<<i; + kperm &= ~current_mapping[tclass].perms[i]; + } + assert(kperm == 0); + return tperm; + } + + assert(current_mapping_size == 0); + return kperm; +} + +void +map_decision(security_class_t tclass, struct av_decision *avd) +{ + if (tclass < current_mapping_size) { + unsigned i; + access_vector_t result; + + for (i=0, result=0; i<current_mapping[tclass].num_perms; i++) + if (avd->allowed & current_mapping[tclass].perms[i]) + result |= 1<<i; + avd->allowed = result; + + for (i=0, result=0; i<current_mapping[tclass].num_perms; i++) + if (avd->decided & current_mapping[tclass].perms[i]) + result |= 1<<i; + avd->decided = result; + + for (i=0, result=0; i<current_mapping[tclass].num_perms; i++) + if (avd->auditallow & current_mapping[tclass].perms[i]) + result |= 1<<i; + avd->auditallow = result; + + for (i=0, result=0; i<current_mapping[tclass].num_perms; i++) 
+ if (avd->auditdeny & current_mapping[tclass].perms[i]) + result |= 1<<i; + avd->auditdeny = result; + } +} This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
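Review bot: In selinux_set_mapping the permission loop is bounded only by the NULL terminator, so an input whose `perms` list has no NULL within its first 32 slots makes the loop write `p_out->perms[32]`, one past the 32-entry array in `struct selinux_mapping`; bound it as well, `while (p_in->perms && k < sizeof p_out->perms / sizeof p_out->perms[0] && p_in->perms[k]) {`, and fail with EINVAL when the terminator is missing. The bit tests in unmap_perm, map_perm and map_decision use `1<<i` with a signed int constant; for i == 31 the shift overflows a signed int, which is undefined behaviour in C, so use `((access_vector_t)1 << i)` throughout. Because `free(current_mapping)` happens before the new mapping is validated, any later failure leaves the library with no mapping at all (raw kernel values); a comment near the top of the function saying that a rejected mapping also discards the previous one would spare callers a surprise.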
From: <ew...@us...> - 2007-06-11 17:01:48
Revision: 2474 http://svn.sourceforge.net/selinux/?rev=2474&view=rev Author: ewalsh Date: 2007-06-11 10:01:45 -0700 (Mon, 11 Jun 2007) Log Message: ----------- updated libselinux to version 2.0.21 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-06-11 17:00:58 UTC (rev 2473) +++ trunk/libselinux/ChangeLog 2007-06-11 17:01:45 UTC (rev 2474) @@ -1,5 +1,8 @@ +2.0.21 2007-06-11 + * Class and permission mapping support patches from Eamon Walsh. + 2.0.20 2007-06-07 - * Object class discovery support patches from Chris PeBenito + * Object class discovery support patches from Chris PeBenito. 2.0.19 2007-06-05 * Refactoring and errno support in string representation code. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-06-11 17:00:58 UTC (rev 2473) +++ trunk/libselinux/VERSION 2007-06-11 17:01:45 UTC (rev 2474) @@ -1 +1 @@ -2.0.20 +2.0.21 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ew...@us...> - 2007-06-20 18:31:19
Revision: 2479 http://svn.sourceforge.net/selinux/?rev=2479&view=rev Author: ewalsh Date: 2007-06-20 11:31:12 -0700 (Wed, 20 Jun 2007) Log Message: ----------- This is a labeling API that provides a common way to map from various string namespaces into security contexts. Changes from the third version: remove handle typedef, includes patch for setfiles, rebases matchpathcon code to use new interface, includes X backend, fixes setfiles -c, rolls in callback interface patch. This version of the patchset simplifies the lookup model down to (string,number) to context. There are no void pointers or variadic functions which was one of the objections to the previous patchsets. A lot of the file contexts stuff such as the inode tracking support has also been dropped with the understanding that this stuff should be in the setfiles code, not libselinux. This is a pure lookup interface only. This patchset includes 3 backends, for file contexts, media contexts and X. Future work would include libsemanage interfaces for managing the data the way the file contexts data is currently done. This patch includes the new callback interface. Signed-off-by: Eamon Walsh <ew...@ty...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libselinux/include/selinux/selinux.h Added Paths: ----------- trunk/libselinux/src/callbacks.c trunk/libselinux/src/callbacks.h Modified: trunk/libselinux/include/selinux/selinux.h =================================================================== --- trunk/libselinux/include/selinux/selinux.h 2007-06-20 16:57:15 UTC (rev 2478) +++ trunk/libselinux/include/selinux/selinux.h 2007-06-20 18:31:12 UTC (rev 2479) 
@@ -132,6 +132,37 @@ unsigned int seqno; }; +/* Structure for passing options, used by AVC and label subsystems */ +struct selinux_opt { + int type; + const char *value; +}; + +/* Callback facilities */ +union selinux_callback { + /* log the printf-style format and arguments, + with the type code indicating the type of message */ + int (*func_log) (int type, const char *fmt, ...); + /* store a string representation of auditdata (corresponding + to the given security class) into msgbuf. */ + int (*func_audit) (void *auditdata, security_class_t cls, + char *msgbuf, size_t msgbufsize); + /* validate the supplied context, modifying if necessary */ + int (*func_validate) (security_context_t *ctx); +}; + +#define SELINUX_CB_LOG 0 +#define SELINUX_CB_AUDIT 1 +#define SELINUX_CB_VALIDATE 2 + +extern void selinux_set_callback(int type, union selinux_callback cb); + + /* Logging type codes, passed to the logging callback */ +#define SELINUX_ERROR 0 +#define SELINUX_WARNING 1 +#define SELINUX_INFO 2 +#define SELINUX_AVC 3 + /* Compute an access decision. */ extern int security_compute_av(security_context_t scon, security_context_t tcon, Added: trunk/libselinux/src/callbacks.c =================================================================== --- trunk/libselinux/src/callbacks.c (rev 0) +++ trunk/libselinux/src/callbacks.c 2007-06-20 18:31:12 UTC (rev 2479) 
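Review bot: `selinux_set_callback` is declared without saying which union member is read for each type code or what happens to the previously installed callback; a comment such as `/* Install a process-wide callback: cb.func_log, cb.func_audit or cb.func_validate is read according to type (SELINUX_CB_*); the replaced callback is not returned */` would close that gap. Whether the library default can be reinstalled afterwards is inferred from callbacks.c in the next file section, where the defaults are file-static, rather than from this header, so confirm before documenting it.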
@@ -0,0 +1,67 @@ +/* + * User-supplied callbacks and default implementations. + * Class and permission mappings. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <stdarg.h> +#include <selinux/selinux.h> +#include "callbacks.h" + +/* default implementations */ +static int __attribute__ ((format(printf, 2, 3))) +default_selinux_log(int type __attribute__((unused)), const char *fmt, ...) +{ + int rc; + va_list ap; + va_start(ap, fmt); + rc = vfprintf(stderr, fmt, ap); + va_end(ap); + return rc; +} + +static int +default_selinux_audit(void *ptr __attribute__((unused)), + security_class_t cls __attribute__((unused)), + char *buf __attribute__((unused)), + size_t len __attribute__((unused))) +{ + return 0; +} + +static int +default_selinux_validate(security_context_t *ctx) +{ + return security_check_context(*ctx); +} + +/* callback pointers */ +int __attribute__ ((format(printf, 2, 3))) +(*selinux_log)(int, const char *, ...) = + default_selinux_log; + +int +(*selinux_audit) (void *, security_class_t, char *, size_t) = + default_selinux_audit; + +int +(*selinux_validate)(security_context_t *ctx) = + default_selinux_validate; + +/* callback setting function */ +void +selinux_set_callback(int type, union selinux_callback cb) +{ + switch (type) { + case SELINUX_CB_LOG: + selinux_log = cb.func_log; + break; + case SELINUX_CB_AUDIT: + selinux_audit = cb.func_audit; + break; + case SELINUX_CB_VALIDATE: + selinux_validate = cb.func_validate; + break; + } +} Added: trunk/libselinux/src/callbacks.h =================================================================== --- trunk/libselinux/src/callbacks.h (rev 0) +++ trunk/libselinux/src/callbacks.h 2007-06-20 18:31:12 UTC (rev 2479) 
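Review bot: `selinux_set_callback` stores `cb.func_log` and the other members without checking for NULL, and the pointers are called directly elsewhere (the `COMPAT_LOG` macro in label_internal.h calls `selinux_log` unconditionally), so a caller passing a zeroed union turns every log call into a NULL dereference; reject NULL, or reinstall the matching default in that case. The switch also has no `default:` arm, so an unknown type code is silently ignored; `default: break;` with a comment, or a message through selinux_log, would make that deliberate. The assignments are plain stores to global function pointers with no synchronization, which is fine if callers install callbacks before starting threads, and a one-line comment stating that expectation would save a reader from guessing.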
@@ -0,0 +1,24 @@ +/* + * This file describes the callbacks passed to selinux_init() and available + * for use from the library code. They all have default implementations. + */ +#ifndef _SELINUX_CALLBACKS_H_ +#define _SELINUX_CALLBACKS_H_ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <selinux/selinux.h> +#include "dso.h" + +/* callback pointers */ +extern int __attribute__ ((format(printf, 2, 3))) +(*selinux_log) (int type, const char *, ...) hidden; + +extern int +(*selinux_audit) (void *, security_class_t, char *, size_t) hidden; + +extern int +(*selinux_validate)(security_context_t *ctx) hidden; + +#endif /* _SELINUX_CALLBACKS_H_ */ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
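Review bot: The file comment says the callbacks are passed to `selinux_init()`, but the commit message states there is no such function and the header in the same commit declares `selinux_set_callback` instead; change it to `* This file declares the callback pointers installed through selinux_set_callback() and used from the library code. They all have default implementations.` Leaving the stale name in place sends the next reader looking for an API that does not exist.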
From: <ew...@us...> - 2007-06-20 18:32:12
Revision: 2480 http://svn.sourceforge.net/selinux/?rev=2480&view=rev Author: ewalsh Date: 2007-06-20 11:32:04 -0700 (Wed, 20 Jun 2007) Log Message: ----------- This patch includes the interface and generic handle code. Tested with some sample input values, worked OK. Signed-off-by: Eamon Walsh <ew...@ty...> Acked-by: Stephen Smalley <sd...@ty...> Added Paths: ----------- trunk/libselinux/include/selinux/label.h trunk/libselinux/src/label.c trunk/libselinux/src/label_internal.h Added: trunk/libselinux/include/selinux/label.h =================================================================== --- trunk/libselinux/include/selinux/label.h (rev 0) +++ trunk/libselinux/include/selinux/label.h 2007-06-20 18:32:04 UTC (rev 2480) 
@@ -0,0 +1,119 @@ +/* + * Labeling interface for userspace object managers and others. + * + * Author : Eamon Walsh <ew...@ty...> + */ +#ifndef _SELABEL_H_ +#define _SELABEL_H_ + +#include <sys/types.h> +#include <selinux/selinux.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * Opaque type used for all label handles. + */ + +struct selabel_handle; + +/* + * Available backends. + */ + +/* file contexts */ +#define SELABEL_CTX_FILE 0 +/* media contexts */ +#define SELABEL_CTX_MEDIA 1 +/* x contexts */ +#define SELABEL_CTX_X 2 + +/* + * Available options + */ + +/* no-op option, useful for unused slots in an array of options */ +#define SELABEL_OPT_UNUSED 0 +/* validate contexts before returning them (boolean value) */ +#define SELABEL_OPT_VALIDATE 1 +/* don't use local customizations to backend data (boolean value) */ +#define SELABEL_OPT_BASEONLY 2 +/* specify an alternate path to use when loading backend data */ +#define SELABEL_OPT_PATH 3 +/* select a subset of the search space as an optimization (file backend) */ +#define SELABEL_OPT_SUBSET 4 +/* total number of options */ +#define SELABEL_NOPT 5 + +/* + * Label operations + */ + +/** + * selabel_open - Create a labeling handle. + * @backend: one of the constants specifying a supported labeling backend. + * @opts: array of selabel_opt structures specifying label options or NULL. + * @nopts: number of elements in opts array or zero for no options. + * + * Open a labeling backend for use. The available backend identifiers are + * listed above. Options may be provided via the opts parameter; available + * options are listed above. Not all options may be supported by every + * backend. Return value is the created handle on success or NULL with + * @errno set on failure. + */ +struct selabel_handle *selabel_open(unsigned int backend, + struct selinux_opt *opts, unsigned nopts); + +/** + * selabel_close - Close a labeling handle. 
+ * @handle: specifies handle to close + * + * Destroy the specified handle, closing files, freeing allocated memory, + * etc. The handle may not be further used after it has been closed. + */ +void selabel_close(struct selabel_handle *handle); + +/** + * selabel_lookup - Perform labeling lookup operation. + * @handle: specifies backend instance to query + * @con: returns the appropriate context with which to label the object + * @key: string input to lookup operation + * @type: numeric input to the lookup operation + * + * Perform a labeling lookup operation. Return %0 on success, -%1 with + * @errno set on failure. The key and type arguments are the inputs to the + * lookup operation; appropriate values are dictated by the backend in use. + * The result is returned in the memory pointed to by @con and must be freed + * by the user with freecon(). + */ +int selabel_lookup(struct selabel_handle *handle, security_context_t *con, + const char *key, int type); +int selabel_lookup_raw(struct selabel_handle *handle, security_context_t *con, + const char *key, int type); + +/** + * selabel_stats - log labeling operation statistics. + * @handle: specifies backend instance to query + * + * Log a message with information about the number of queries performed, + * number of unused matching entries, or other operational statistics. + * Message is backend-specific, some backends may not output a message. + */ +void selabel_stats(struct selabel_handle *handle); + +/* + * Type codes used by specific backends + */ + +/* X backend */ +#define SELABEL_X_PROP 1 +#define SELABEL_X_EXT 2 +#define SELABEL_X_CLIENT 3 + + +#ifdef __cplusplus +} +#endif +#endif /* _SELABEL_H_ */ Added: trunk/libselinux/src/label.c =================================================================== --- trunk/libselinux/src/label.c (rev 0) +++ trunk/libselinux/src/label.c 2007-06-20 18:32:04 UTC (rev 2480) 
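Review bot: `selabel_lookup_raw` is declared but not documented; the `selabel_lookup` block should say `selabel_lookup_raw behaves the same but returns the raw (untranslated) context`, and it should state what `*con` holds on failure, since label.c in this commit leaves it untouched when the lookup fails and sets it to NULL when the copy fails. The return text `-%1` is a kernel-doc typo for `-1`. `selabel_open` only reads through `opts` in label.c, so `const struct selinux_opt *opts` would document that callers may pass a static table, unless a backend init function writes through it, which cannot be seen here.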
@@ -0,0 +1,140 @@ +/* + * Generalized labeling frontend for userspace object managers. + * + * Author : Eamon Walsh <ew...@ep...> + */ + +#include <sys/types.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include "callbacks.h" +#include "label_internal.h" + +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +typedef int (*selabel_initfunc)(struct selabel_handle *rec, + struct selinux_opt *opts, unsigned nopts); + +static selabel_initfunc initfuncs[] = { + &selabel_file_init, + &selabel_media_init, + &selabel_x_init +}; + +/* + * Validation functions + */ + +static inline int selabel_is_validate_set(struct selinux_opt *opts, unsigned n) +{ + while (n--) + if (opts[n].type == SELABEL_OPT_VALIDATE) + return !!opts[n].value; + + return 0; +} + +int selabel_validate(struct selabel_handle *rec, + struct selabel_lookup_rec *contexts) +{ + int rc = 0; + + if (!rec->validating || contexts->validated) + goto out; + + rc = selinux_validate(&contexts->ctx_raw); + if (rc < 0) + goto out; + + contexts->validated = 1; +out: + return rc; +} + +/* + * Public API + */ + +struct selabel_handle *selabel_open(unsigned int backend, + struct selinux_opt *opts, unsigned nopts) +{ + struct selabel_handle *rec = NULL; + + if (backend >= ARRAY_SIZE(initfuncs)) { + errno = EINVAL; + goto out; + } + + rec = (struct selabel_handle *)malloc(sizeof(*rec)); + if (!rec) + goto out; + + memset(rec, 0, sizeof(*rec)); + rec->backend = backend; + rec->validating = selabel_is_validate_set(opts, nopts); + + if ((*initfuncs[backend])(rec, opts, nopts)) { + free(rec); + rec = NULL; + } + +out: + return rec; +} + +static struct selabel_lookup_rec * +selabel_lookup_common(struct selabel_handle *rec, int translating, + const char *key, int type) +{ + struct selabel_lookup_rec *lr = rec->func_lookup(rec, key, type); + if (!lr) + return NULL; + + if (compat_validate(rec, lr, "file_contexts", 0)) + return NULL; + + if (translating && + 
selinux_raw_to_trans_context(lr->ctx_raw, &lr->ctx_trans)) + return NULL; + + return lr; +} + +int selabel_lookup(struct selabel_handle *rec, security_context_t *con, + const char *key, int type) +{ + struct selabel_lookup_rec *lr; + + lr = selabel_lookup_common(rec, 1, key, type); + if (!lr) + return -1; + + *con = strdup(lr->ctx_trans); + return *con ? 0 : -1; +} + +int selabel_lookup_raw(struct selabel_handle *rec, security_context_t *con, + const char *key, int type) +{ + struct selabel_lookup_rec *lr; + + lr = selabel_lookup_common(rec, 0, key, type); + if (!lr) + return -1; + + *con = strdup(lr->ctx_raw); + return *con ? 0 : -1; +} + +void selabel_close(struct selabel_handle *rec) +{ + rec->func_close(rec); + free(rec); +} + +void selabel_stats(struct selabel_handle *rec) +{ + rec->func_stats(rec); +} Added: trunk/libselinux/src/label_internal.h =================================================================== --- trunk/libselinux/src/label_internal.h (rev 0) +++ trunk/libselinux/src/label_internal.h 2007-06-20 18:32:04 UTC (rev 2480) 
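Review bot: `selabel_lookup_common` passes the literal `"file_contexts"` to compat_validate for every backend, although the handle may have been opened with the media or X backend, so any message compat_validate builds from that argument will presumably name the wrong source; pass a backend-specific name or a path the backend recorded in `rec->data`. In `selabel_open`, `selabel_is_validate_set(opts, nopts)` dereferences `opts` whenever nopts is non-zero, so the documented NULL-with-zero case is fine but NULL with a stray count is not; `if (!opts) nopts = 0;` keeps it honest. The `(struct selabel_handle *)malloc` cast followed by memset can be `calloc(1, sizeof(*rec))`. Each translating lookup overwrites `lr->ctx_trans`; if the backend hands back a cached record, the previous translation leaks, which cannot be seen from here — confirm against the backend code.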
@@ -0,0 +1,74 @@ +/* + * This file describes the internal interface used by the labeler + * for calling the user-supplied memory allocation, validation, + * and locking routine. + * + * Author : Eamon Walsh <ew...@ep...> + */ +#ifndef _SELABEL_INTERNAL_H_ +#define _SELABEL_INTERNAL_H_ + +#include <stdlib.h> +#include <stdarg.h> +#include <selinux/selinux.h> +#include <selinux/label.h> +#include "dso.h" + +/* + * Installed backends + */ +int selabel_file_init(struct selabel_handle *rec, struct selinux_opt *opts, + unsigned nopts) hidden; +int selabel_media_init(struct selabel_handle *rec, struct selinux_opt *opts, + unsigned nopts) hidden; +int selabel_x_init(struct selabel_handle *rec, struct selinux_opt *opts, + unsigned nopts) hidden; + +/* + * Labeling internal structures + */ +struct selabel_lookup_rec { + security_context_t ctx_raw; + security_context_t ctx_trans; + int validated; +}; + +struct selabel_handle { + /* arguments that were passed to selabel_open */ + unsigned int backend; + int validating; + + /* labeling operations */ + struct selabel_lookup_rec *(*func_lookup) (struct selabel_handle *h, + const char *key, int type); + void (*func_close) (struct selabel_handle *h); + void (*func_stats) (struct selabel_handle *h); + + /* supports backend-specific state information */ + void *data; +}; + +/* + * Validation function + */ +extern int +selabel_validate(struct selabel_handle *rec, + struct selabel_lookup_rec *contexts) hidden; + +/* + * Compatibility support + */ +extern void __attribute__ ((format(printf, 1, 2))) +(*myprintf) (const char *fmt,...); + +#define COMPAT_LOG(type, fmt...) if (myprintf) \ + myprintf(fmt); \ + else \ + selinux_log(type, fmt); + +extern int +compat_validate(struct selabel_handle *rec, + struct selabel_lookup_rec *contexts, + const char *path, unsigned lineno) hidden; + +#endif /* _SELABEL_INTERNAL_H_ */ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
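Review bot: `COMPAT_LOG` expands to a bare `if/else`, the classic dangling-else hazard: a caller's own `else` after an unbraced `if (cond) COMPAT_LOG(...);` fails to compile because of the `;` that precedes it; wrap it as `#define COMPAT_LOG(type, fmt...) do { if (myprintf) myprintf(fmt); else selinux_log(type, fmt); } while (0)`. The file comment mentions memory allocation and locking routines, but only the validation callback is declared here; trim it to what the header actually declares.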
From: <ssm...@us...> - 2007-06-22 19:38:16
Revision: 2490 http://svn.sourceforge.net/selinux/?rev=2490&view=rev Author: ssmalley Date: 2007-06-22 12:38:14 -0700 (Fri, 22 Jun 2007) Log Message: ----------- updated libselinux to version 2.0.23 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-06-22 19:36:04 UTC (rev 2489) +++ trunk/libselinux/ChangeLog 2007-06-22 19:38:14 UTC (rev 2490) @@ -1,3 +1,6 @@ +2.0.23 2007-06-22 + * Refactored SWIG bindings from James Athey. + 2.0.22 2007-06-20 * Labeling and callback interface patches from Eamon Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-06-22 19:36:04 UTC (rev 2489) +++ trunk/libselinux/VERSION 2007-06-22 19:38:14 UTC (rev 2490) @@ -1 +1 @@ -2.0.22 +2.0.23 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2007-07-09 17:38:22
Revision: 2492 http://svn.sourceforge.net/selinux/?rev=2492&view=rev Author: madmethod Date: 2007-07-09 10:38:19 -0700 (Mon, 09 Jul 2007) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: fix getfilecon handling of zero-length context Date: Mon, 09 Jul 2007 12:45:53 -0400 As observed by John Ramsdell, *getfilecon() on a /proc/sys inode on returns garbage and can lead to memory corruption upon later freecon. This happens on 2.6.21 and later due to the proc sysctl rewrite in the kernel. The *getfilecon_raw() functions correctly return zero in this case, but the non-raw functions are not handling that result properly. Initialize *context on entry to *getfilecon() so that it has a well-defined value even if *getfilecon_raw() returns zero. Signed-off-by: Stephen Smalley <sd...@ty...> Acked-By: Joshua Brindle <me...@ma...> Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/libselinux/src/fgetfilecon.c trunk/libselinux/src/getfilecon.c trunk/libselinux/src/lgetfilecon.c Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-07-09 17:35:49 UTC (rev 2491) +++ trunk/libselinux/ChangeLog 2007-07-09 17:38:19 UTC (rev 2492) @@ -1,3 +1,6 @@ +2.0.24 2007-09-07 + * Fix for getfilecon() for zero-length contexts from Stephen Smalley. + 2.0.23 2007-06-22 * Refactored SWIG bindings from James Athey. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-07-09 17:35:49 UTC (rev 2491) +++ trunk/libselinux/VERSION 2007-07-09 17:38:19 UTC (rev 2492) @@ -1 +1 @@ -2.0.23 +2.0.24 Modified: trunk/libselinux/src/fgetfilecon.c =================================================================== --- trunk/libselinux/src/fgetfilecon.c 2007-07-09 17:35:49 UTC (rev 2491) +++ trunk/libselinux/src/fgetfilecon.c 2007-07-09 17:38:19 UTC (rev 2492) 
@@ -51,6 +51,8 @@
security_context_t rcontext;
int ret;
+ *context = NULL;
+
ret = fgetfilecon_raw(fd, &rcontext);
if (ret > 0) {
Modified: trunk/libselinux/src/getfilecon.c
===================================================================
--- trunk/libselinux/src/getfilecon.c 2007-07-09 17:35:49 UTC (rev 2491)
+++ trunk/libselinux/src/getfilecon.c 2007-07-09 17:38:19 UTC (rev 2492)
@@ -51,6 +51,8 @@
int ret;
security_context_t rcontext;
+ *context = NULL;
+
ret = getfilecon_raw(path, &rcontext);
if (ret > 0) {
Modified: trunk/libselinux/src/lgetfilecon.c
===================================================================
--- trunk/libselinux/src/lgetfilecon.c 2007-07-09 17:35:49 UTC (rev 2491)
+++ trunk/libselinux/src/lgetfilecon.c 2007-07-09 17:38:19 UTC (rev 2492)
@@ -51,6 +51,8 @@
int ret;
security_context_t rcontext;
+ *context = NULL;
+
ret = lgetfilecon_raw(path, &rcontext);
if (ret > 0) {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
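Review bot: The new `*context = NULL;` line in fgetfilecon.c carries no comment, and the reason matters to callers: after it, a zero return from `fgetfilecon_raw()` (the zero-length /proc/sys case from the description) leaves `*context` NULL instead of indeterminate, so a later `freecon()` is harmless but a dereference is not. A comment such as `/* Initialize so a zero-length context (ret == 0) leaves *context NULL rather than garbage; callers must check ret before using it. */` would record that contract. The identical change in the getfilecon.c and lgetfilecon.c hunks below deserves the same comment. Each enclosing function continues past its hunk, so how a zero result is returned to the caller is not visible here.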
From: <mad...@us...> - 2007-07-23 15:53:30
Revision: 2497 http://svn.sourceforge.net/selinux/?rev=2497&view=rev Author: madmethod Date: 2007-07-23 08:53:27 -0700 (Mon, 23 Jul 2007) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: fix type mismatch in string_to_security_class Date: Mon, 23 Jul 2007 10:21:57 -0400 Fix type mismatch in string_to_security_class, produces seg fault on x86_64. For https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249038 Signed-off-by: Stephen Smalley <sd...@ty...> Acked-By: Joshua Brindle <me...@ma...> Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/libselinux/src/stringrep.c Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-07-18 15:10:34 UTC (rev 2496) +++ trunk/libselinux/ChangeLog 2007-07-23 15:53:27 UTC (rev 2497) @@ -1,3 +1,7 @@ +2.0.25 2007-07-23 + * Fix for string_to_security_class segfault on x86_64 from Stephen + Smalley. + 2.0.24 2007-09-07 * Fix for getfilecon() for zero-length contexts from Stephen Smalley. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-07-18 15:10:34 UTC (rev 2496) +++ trunk/libselinux/VERSION 2007-07-23 15:53:27 UTC (rev 2497) @@ -1 +1 @@ -2.0.24 +2.0.25 Modified: trunk/libselinux/src/stringrep.c =================================================================== --- trunk/libselinux/src/stringrep.c 2007-07-18 15:10:34 UTC (rev 2496) +++ trunk/libselinux/src/stringrep.c 2007-07-23 15:53:27 UTC (rev 2497) @@ -236,7 +236,7 @@ dentry = readdir(dir); while (dentry != NULL) { - size_t value; + unsigned int value; struct stat m; snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name); 
@@ -258,7 +258,7 @@
if (ret < 0) goto err4;
- if (sscanf(buf, "%u", (unsigned int *)&value) != 1)
+ if (sscanf(buf, "%u", &value) != 1)
goto err4;
node->perms[value-1] = strdup(dentry->d_name);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
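Review bot: `value` is parsed from the perms file with `%u` and then used unchecked as the index in `node->perms[value-1]` on the next line; a parsed 0 wraps to an out-of-range index and a value larger than the `perms` array writes past its end, and the type fix does not address either. The contents come from selinuxfs under `selinux_mnt`, so a bounds check before the store is cheap: `if (sscanf(buf, "%u", &value) != 1 || value == 0 || value > PERMS_ARRAY_LEN /* placeholder: number of entries in node->perms */) goto err4;`. The `strdup()` result stored into `perms[]` is also never checked for NULL, though that line predates this change. The enclosing `readdir` loop begins in the previous hunk and its end lies outside this one.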
From: <ssm...@us...> - 2007-07-23 17:04:04
Revision: 2500 http://svn.sourceforge.net/selinux/?rev=2500&view=rev Author: ssmalley Date: 2007-07-23 10:04:00 -0700 (Mon, 23 Jul 2007) Log Message: ----------- updated libselinux to version 2.0.26 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-07-23 16:14:23 UTC (rev 2499) +++ trunk/libselinux/ChangeLog 2007-07-23 17:04:00 UTC (rev 2500) @@ -1,3 +1,7 @@ +2.0.26 2007-07-23 + * Updated av_permissions.h and flask.h to include new nscd permissions from Dan Walsh. + * Added swigify to top-level Makefile from Dan Walsh. + 2.0.25 2007-07-23 * Fix for string_to_security_class segfault on x86_64 from Stephen Smalley. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-07-23 16:14:23 UTC (rev 2499) +++ trunk/libselinux/VERSION 2007-07-23 17:04:00 UTC (rev 2500) @@ -1 +1 @@ -2.0.25 +2.0.26 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-07-25 14:25:45
Revision: 2502 http://selinux.svn.sourceforge.net/selinux/?rev=2502&view=rev Author: ssmalley Date: 2007-07-25 07:25:44 -0700 (Wed, 25 Jul 2007) Log Message: ----------- updated libselinux to version 2.0.27 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-07-25 14:20:41 UTC (rev 2501) +++ trunk/libselinux/ChangeLog 2007-07-25 14:25:44 UTC (rev 2502) @@ -1,3 +1,6 @@ +2.0.27 2007-07-25 + * Fix markup problems in selinux man pages from Dan Walsh. + 2.0.26 2007-07-23 * Updated av_permissions.h and flask.h to include new nscd permissions from Dan Walsh. * Added swigify to top-level Makefile from Dan Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-07-25 14:20:41 UTC (rev 2501) +++ trunk/libselinux/VERSION 2007-07-25 14:25:44 UTC (rev 2502) @@ -1 +1 @@ -2.0.26 +2.0.27 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-08-01 18:49:37
Revision: 2503 http://selinux.svn.sourceforge.net/selinux/?rev=2503&view=rev Author: ssmalley Date: 2007-08-01 11:49:34 -0700 (Wed, 01 Aug 2007) Log Message: ----------- Author: Yuichi Nakamura Email: yn...@hi... Subject: Update for libselinux embedded build support Date: Mon, 30 Jul 2007 10:22:54 +0900 On Wed, 25 Jul 2007 08:47:40 -0400 Stephen Smalley wrote: > On Wed, 2007-07-25 at 12:10 +0900, Yuichi Nakamura wrote: ... > > Index: libselinux/src/compute_create.c > > =================================================================== > > --- libselinux/src/compute_create.c (revision 2500) > > +++ libselinux/src/compute_create.c (working copy) > > @@ -36,7 +36,12 @@ > > ret = -1; > > goto out; > > } > > + > > +#ifdef DISABLE_AVC > > + snprintf(buf, size, "%s %s %hu", scon, tcon, tclass); > > +#else > > snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); > > +#endif > > As with the kernel, we don't want #ifdef's sprinkled through the code. > Instead, just #define unmap_class(x) x and #define unmap_perm(x,y) y in > mapping.h #ifdef DISABLE_AVC. Fixed, below is updated patch. Acked-by: Stephen Smalley <sd...@ty...> Revision Links: -------------- http://selinux.svn.sourceforge.net/selinux/?rev=2500&view=rev Modified Paths: -------------- trunk/libselinux/Makefile trunk/libselinux/src/Makefile trunk/libselinux/src/mapping.h Modified: trunk/libselinux/Makefile =================================================================== --- trunk/libselinux/Makefile 2007-07-25 14:25:44 UTC (rev 2502) +++ trunk/libselinux/Makefile 2007-08-01 18:49:34 UTC (rev 2503) 
@@ -8,6 +8,9 @@
override DISABLE_RPM=y
override DISABLE_BOOL=y
endif
+ifeq ($(DISABLE_AVC),y)
+ EMFLAGS+= -DDISABLE_AVC
+endif
ifeq ($(DISABLE_BOOL),y)
EMFLAGS+= -DDISABLE_BOOL
endif
Modified: trunk/libselinux/src/Makefile
===================================================================
--- trunk/libselinux/src/Makefile 2007-07-25 14:25:44 UTC (rev 2502)
+++ trunk/libselinux/src/Makefile 2007-08-01 18:49:34 UTC (rev 2503)
@@ -20,7 +20,7 @@
LIBSO=$(TARGET).$(LIBVERSION)
ifeq ($(DISABLE_AVC),y)
- UNUSED_SRCS+=avc.c avc_internal.c avc_sidtab.c
+ UNUSED_SRCS+=avc.c avc_internal.c avc_sidtab.c mapping.c stringrep.c checkAccess.c
endif
ifeq ($(DISABLE_BOOL),y)
UNUSED_SRCS+=booleans.c
Modified: trunk/libselinux/src/mapping.h
===================================================================
--- trunk/libselinux/src/mapping.h 2007-07-25 14:25:44 UTC (rev 2502)
+++ trunk/libselinux/src/mapping.h 2007-08-01 18:49:34 UTC (rev 2503)
@@ -31,4 +31,11 @@
extern void map_decision(security_class_t tclass, struct av_decision *avd);
+/*mapping is not used for embedded build*/
+#ifdef DISABLE_AVC
+#define unmap_perm(x,y) y
+#define unmap_class(x) x
+#define map_decision(x,y)
+#endif
+
#endif /* _SELINUX_MAPPING_H_ */
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
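Review bot: The stub macros in the mapping.h hunk leave the kept argument unparenthesized and silently drop the other: `unmap_perm(x,y)` expands to a bare `y` and `unmap_class(x)` to a bare `x`, so a compound argument can change precedence and an argument with side effects is never evaluated in the DISABLE_AVC build, unlike with the real functions. `#define unmap_perm(x,y) (y)` and `#define unmap_class(x) (x)` fix the precedence half; `((void)(x), (y))` would also keep the evaluation. The comment would be more useful as `/* DISABLE_AVC: mapping.c is not built (see src/Makefile), so classes and permissions are used unmapped and decisions are left untouched. */`, which says why the stubs are safe rather than just that mapping is unused.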
From: <ssm...@us...> - 2007-08-01 18:51:59
Revision: 2504 http://selinux.svn.sourceforge.net/selinux/?rev=2504&view=rev Author: ssmalley Date: 2007-08-01 11:51:58 -0700 (Wed, 01 Aug 2007) Log Message: ----------- updated libselinux to version 2.0.28 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-08-01 18:49:34 UTC (rev 2503) +++ trunk/libselinux/ChangeLog 2007-08-01 18:51:58 UTC (rev 2504) @@ -1,3 +1,6 @@ +2.0.28 2007-08-01 + * Fix build for EMBEDDED=y from Yuichi Nakamura. + 2.0.27 2007-07-25 * Fix markup problems in selinux man pages from Dan Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-08-01 18:49:34 UTC (rev 2503) +++ trunk/libselinux/VERSION 2007-08-01 18:51:58 UTC (rev 2504) @@ -1 +1 @@ -2.0.27 +2.0.28 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ew...@us...> - 2007-08-02 19:30:41
Revision: 2508 http://selinux.svn.sourceforge.net/selinux/?rev=2508&view=rev Author: ewalsh Date: 2007-08-02 12:29:50 -0700 (Thu, 02 Aug 2007) Log Message: ----------- Author: Eamon Walsh Email: ew...@ty... Subject: libselinux: add x_contexts path lookup function Date: Wed, 20 Jun 2007 16:10:53 -0400 This patch adds a selinux_x_context_path() function identical to selinux_media_context_path(), fixing a hardcoded path in the X label backend. I'm bothered that some of these pathnames are exposed in the interface. I assume that this is done so libsemanage knows where to look. But having them in the interface could encourage users to depend on them instead of libsemanage. There are also a lot of these functions, maybe we should just expose the internal function that takes a type code. Signed-off-by: Eamon Walsh <ew...@ty...> Acked-by: Joshua Brindle <me...@ma...> Modified Paths: -------------- trunk/libselinux/include/selinux/selinux.h trunk/libselinux/src/file_path_suffixes.h trunk/libselinux/src/label_x.c trunk/libselinux/src/selinux_config.c trunk/libselinux/src/selinux_internal.h Modified: trunk/libselinux/include/selinux/selinux.h =================================================================== --- trunk/libselinux/include/selinux/selinux.h 2007-08-01 19:38:34 UTC (rev 2507) +++ trunk/libselinux/include/selinux/selinux.h 2007-08-02 19:29:50 UTC (rev 2508) 
@@ -454,6 +454,7 @@
extern const char *selinux_file_context_local_path(void);
extern const char *selinux_homedir_context_path(void);
extern const char *selinux_media_context_path(void);
+extern const char *selinux_x_context_path(void);
extern const char *selinux_contexts_path(void);
extern const char *selinux_securetty_types_path(void);
extern const char *selinux_booleans_path(void);
Modified: trunk/libselinux/src/file_path_suffixes.h
===================================================================
--- trunk/libselinux/src/file_path_suffixes.h 2007-08-01 19:38:34 UTC (rev 2507)
+++ trunk/libselinux/src/file_path_suffixes.h 2007-08-02 19:29:50 UTC (rev 2508)
@@ -18,3 +18,4 @@
S_(NETFILTER_CONTEXTS, "/contexts/netfilter_contexts")
S_(FILE_CONTEXTS_HOMEDIR, "/contexts/files/file_contexts.homedir")
S_(FILE_CONTEXTS_LOCAL, "/contexts/files/file_contexts.local")
+ S_(X_CONTEXTS, "/contexts/x_contexts")
Modified: trunk/libselinux/src/label_x.c
===================================================================
--- trunk/libselinux/src/label_x.c 2007-08-01 19:38:34 UTC (rev 2507)
+++ trunk/libselinux/src/label_x.c 2007-08-02 19:29:50 UTC (rev 2508)
@@ -107,7 +107,7 @@
/* Open the specification file. */
if (!path)
- path = "/etc/selinux/refpolicy/contexts/x_contexts";
+ path = selinux_x_context_path();
if ((fp = fopen(path, "r")) == NULL) return -1;
__fsetlocking(fp, FSETLOCKING_BYCALLER);
Modified: trunk/libselinux/src/selinux_config.c
===================================================================
--- trunk/libselinux/src/selinux_config.c 2007-08-01 19:38:34 UTC (rev 2507)
+++ trunk/libselinux/src/selinux_config.c 2007-08-02 19:29:50 UTC (rev 2508)
@@ -38,7 +38,8 @@
#define FILE_CONTEXTS_HOMEDIR 16
#define FILE_CONTEXTS_LOCAL 17
#define SECURETTY_TYPES 18
-#define NEL 19
+#define X_CONTEXTS 19
+#define NEL 20
/* New layout is relative to SELINUXDIR/policytype. */
static char *file_paths[NEL];
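Review bot: In the label_x.c hunk, `path = selinux_x_context_path();` is handed straight to `fopen()` on the next line, and unlike the string literal it replaces the lookup can presumably fail; `get_path()` is not visible here, but if it can return NULL, `fopen(NULL, "r")` is undefined behaviour rather than the clean `-1` the old code guaranteed. A guard `if (!path) return -1;` right after the assignment preserves the previous failure mode and is cheap. The enclosing function starts and ends outside the hunk, so whether errno is set on that path cannot be checked from here.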
@@ -369,3 +370,10 @@
}
hidden_def(selinux_file_context_local_path)
+
+const char *selinux_x_context_path()
+{
+ return get_path(X_CONTEXTS);
+}
+
+hidden_def(selinux_x_context_path)
Modified: trunk/libselinux/src/selinux_internal.h
===================================================================
--- trunk/libselinux/src/selinux_internal.h 2007-08-01 19:38:34 UTC (rev 2507)
+++ trunk/libselinux/src/selinux_internal.h 2007-08-02 19:29:50 UTC (rev 2508)
@@ -65,6 +65,7 @@
hidden_proto(selinux_booleans_path)
hidden_proto(selinux_customizable_types_path)
hidden_proto(selinux_media_context_path)
+ hidden_proto(selinux_x_context_path)
hidden_proto(selinux_path)
hidden_proto(selinux_check_passwd_access)
hidden_proto(selinux_check_securetty_context)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
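Review bot: The new definition `const char *selinux_x_context_path()` in the selinux_config.c hunk uses an empty parameter list, which in C is an unprototyped declaration, while the selinux.h hunk declares the same function as `selinux_x_context_path(void)`; write the definition as `const char *selinux_x_context_path(void)` so it matches the header and calls are checked against a real prototype. A one-line comment on the function, `/* Path of the x_contexts file for the active policy; see X_CONTEXTS in file_path_suffixes.h. */`, would tell a reader what the index stands for without opening the suffix table.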