SELinux Mailing List
Re: [RFC] Ability to allow unknown class and permissions -v4
From: Eric Paris <eparis_at_redhat.com>
Date: Wed, 02 May 2007 17:11:33 -0400
> > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c

It does get rid of the special casing but it isn't much less complex. Anyone see a way to make this bit better?

-Eric

@@ -322,6 +316,38 @@ static int context_struct_compute_av(struct context *scontext, avd->seqno = latest_granting; /* + * Check for all the invalid cases. + * - tclass 0 + * - tclass > policy and > kernel + * - tclass > policy but is a userspace class + * - tclass > policy but we do not allow unknowns + */ + if (unlikely(!tclass)) + goto inval_class; + if (unlikely(tclass > policydb.p_class.nprim)) + if (tclass > kdefs->cts_len || + !kdefs->class_to_string[tclass - 1] || + policydb.handle_unknown != ALLOW_UNKOWN) + goto inval_class; + + /* + * Kernel class and we ALLOW_UNKNOWN so pad the allow decision + * the pad will be all 1 for unknown classes. + */ + if (tclass <= kdefs->cts_len && (policydb.handle_unknown == ALLOW_UNKNOWN)) + avd->allowed = policydb.undefined_perms[tclass - 1]; + + /* + * Kernel class not in policy and we ALLOW_UNKNOWN. Since decision is + * completed return. + */ + if (unlikely(tclass > policydb.p_class.nprim && + tclass <= kdefs->cts_len)) + return 0; + + tclass_datum = policydb.class_val_to_struct[tclass - 1]; + + /* * If a specific type enforcement rule was defined for * this permission check, then use it. */

Received on Wed 2 May 2007 - 17:11:38 EDT
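Review bot: the first validity check compares `policydb.handle_unknown != ALLOW_UNKOWN` while the two later checks in the same hunk use `ALLOW_UNKNOWN`; unless a macro with the misspelled name exists this will not compile, and if one did exist the invalid-class path would disagree with the pad and early-return logic below it, so the spelling should be fixed. On the question of making the block simpler, the nested `if (unlikely(tclass > policydb.p_class.nprim))` followed by an unbraced inner `if (...)` could be folded into one condition joined with `&&` (or at least given braces on the outer `if`) so the `goto inval_class` target is unambiguous; the order inside the inner condition is right as written, since `tclass > kdefs->cts_len` is tested before `kdefs->class_to_string[tclass - 1]` is indexed. The `return 0` for a kernel class not in policy also comes before `policydb.class_val_to_struct[tclass - 1]` is read, so the out-of-range index is never dereferenced; that is worth saying in the comment above the return, since the correctness of the lookup depends on that ordering.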
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |