summaryrefslogtreecommitdiffstats
path: root/security/selinux/ss/policydb.h
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2011-02-01 11:05:40 -0500
committerEric Paris <eparis@redhat.com>2011-02-01 11:12:30 -0500
commit652bb9b0d6ce007f37c098947b2cc0c45efa3f66 (patch)
tree7bf76f04a1fcaa401761a9a734b94682e2ac8b8c /security/selinux/ss/policydb.h
parent2a7dba391e5628ad665ce84ef9a6648da541ebab (diff)
downloadlinux-652bb9b0d6ce007f37c098947b2cc0c45efa3f66.tar.gz
linux-652bb9b0d6ce007f37c098947b2cc0c45efa3f66.tar.bz2
linux-652bb9b0d6ce007f37c098947b2cc0c45efa3f66.zip
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria. The label of the process creating the object, the label of the parent directory, and the type of object (reg, dir, char, block, etc.) This patch adds a 4th criteria, the dentry name, thus we can distinguish between creating a file in an etc_t directory called shadow and one called motd. There is no file globbing, regex parsing, or anything mystical. Either the policy exactly (strcmp) matches the dentry name of the object or it doesn't. This patch has no changes from today if policy does not implement the new rules. Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/ss/policydb.h')
-rw-r--r--security/selinux/ss/policydb.h14
1 files changed, 13 insertions, 1 deletions
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 4e3ab9d0b315..732ea4a68682 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -77,6 +77,15 @@ struct role_trans {
struct role_trans *next;
};
+struct filename_trans {
+ struct filename_trans *next;
+ u32 stype; /* current process */
+ u32 ttype; /* parent dir context */
+ u16 tclass; /* class of new object */
+ const char *name; /* last path component */
+ u32 otype; /* expected of new object */
+};
+
struct role_allow {
u32 role; /* current role */
u32 new_role; /* new role */
@@ -217,6 +226,9 @@ struct policydb {
/* role transitions */
struct role_trans *role_tr;
+ /* file transitions with the last path component */
+ struct filename_trans *filename_trans;
+
/* bools indexed by (value - 1) */
struct cond_bool_datum **bool_val_to_struct;
/* type enforcement conditional access vectors and transitions */
@@ -302,7 +314,7 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
return 0;
}
-static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file *fp)
+static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp)
{
size_t len = bytes * num;