Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next
@@ -143,6 +143,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
}
#define AVC_STRICT 1 /* Ignore permissive mode. */
#define AVC_EXTENDED_PERMS 2 /* update extended permissions */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
unsigned flags,
@@ -156,6 +157,10 @@ int avc_has_perm_flags(u32 ssid, u32 tsid,
struct common_audit_data *auditdata,
int flags);
int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
u8 driver, u8 perm, struct common_audit_data *ad);
u32 avc_policy_seqno(void);
#define AVC_CALLBACK_GRANT 1
@@ -166,6 +171,7 @@ u32 avc_policy_seqno(void);
#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
#define AVC_CALLBACK_AUDITDENY_ENABLE 64
#define AVC_CALLBACK_AUDITDENY_DISABLE 128
#define AVC_CALLBACK_ADD_XPERMS 256
int avc_add_callback(int (*callback)(u32 event), u32 events);
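Review bot: The new `avc_has_extended_perms()` prototype carries no comment on its contract, so a reader of this header cannot tell how the `u8 driver, u8 perm` selectors relate to `requested` or what the function returns; the neighbouring `avc_has_perm_noaudit`/`avc_has_perm_flags` declarations have the same gap, but this one adds two opaque byte-sized selectors. I would put a comment above the declaration along the lines of `/* Check @requested on (@ssid, @tsid, @tclass) and then the extended permission @perm under @driver; returns 0 when both are allowed, otherwise a negative errno -- TODO confirm against the avc.c definition. */`. The driver/perm pair presumably carries the two bytes of an ioctl command number, given the POLICYDB_VERSION_XPERMS_IOCTL name added elsewhere in this commit, but that is inferred rather than visible here and should be stated by whoever knows. The flag comment on `AVC_EXTENDED_PERMS`, `update extended permissions`, is also terse for a flag other code will test; saying which xperms state it asks the AVC to look up or fill would help.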
@@ -35,13 +35,14 @@
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
#define POLICYDB_VERSION_DEFAULT_TYPE 28
#define POLICYDB_VERSION_CONSTRAINT_NAMES 29
#define POLICYDB_VERSION_XPERMS_IOCTL 30
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
#else
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_CONSTRAINT_NAMES
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_XPERMS_IOCTL
#endif
/* Mask for just the mount related flags */
@@ -109,11 +110,38 @@ struct av_decision {
u32 flags;
};
#define XPERMS_ALLOWED 1
#define XPERMS_AUDITALLOW 2
#define XPERMS_DONTAUDIT 4
#define security_xperm_set(perms, x) (perms[x >> 5] |= 1 << (x & 0x1f))
#define security_xperm_test(perms, x) (1 & (perms[x >> 5] >> (x & 0x1f)))
struct extended_perms_data {
u32 p[8];
};
struct extended_perms_decision {
u8 used;
u8 driver;
struct extended_perms_data *allowed;
struct extended_perms_data *auditallow;
struct extended_perms_data *dontaudit;
};
struct extended_perms {
u16 len; /* length associated decision chain */
struct extended_perms_data drivers; /* flag drivers that are used */
};
/* definitions of av_decision.flags */
#define AVD_FLAGS_PERMISSIVE 0x0001
void security_compute_av(u32 ssid, u32 tsid,
u16 tclass, struct av_decision *avd);
u16 tclass, struct av_decision *avd,
struct extended_perms *xperms);
void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 tclass,
u8 driver, struct extended_perms_decision *xpermd);
void security_compute_av_user(u32 ssid, u32 tsid,
u16 tclass, struct av_decision *avd);
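Review bot: The new `security_xperm_set` and `security_xperm_test` macros use their arguments unparenthesized, so an expression passed as `x` (e.g. `a | b`) binds wrongly inside `x & 0x1f`, and `1 << (x & 0x1f)` shifts a signed `int` into the sign bit when the low five bits are all set, which is undefined in standard C even though the kernel's build flags tolerate it. I would write them as `#define security_xperm_set(perms, x) ((perms)[(x) >> 5] |= 1u << ((x) & 0x1f))` and `#define security_xperm_test(perms, x) (1 & ((perms)[(x) >> 5] >> ((x) & 0x1f)))`. Both index `perms[x >> 5]` with no bound; that is only safe while `x` is a `u8` (0..255 maps exactly onto `u32 p[8]`), which the `u8 driver, u8 perm` parameters elsewhere in this commit suggest but nothing in this header enforces, so a one-line comment above the macros stating that precondition is worth adding. The field comment on `extended_perms.len`, `length associated decision chain`, is also missing a word; `length of the associated decision chain` reads correctly.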