SELinux Mailing List

RE: object class discovery userland

From: Joshua Brindle <jbrindle_at_tresys.com>
Date: Fri, 25 May 2007 18:36:53 -0400


Eamon Walsh wrote:
> Here's a first go at an interface. It's an init function
> that is a replacement for avc_init(). It takes flags, the
> class/permission mapping to use, and callback functions.
>
> This is trying to solve a few other problems at the same time, namely:
>
> - selinux prefix on the function name

So the client call sites will have to change then. Oh well, we wanted to do this anyway...

> - drops support for memory, threading, and locking callbacks
> (would just always use malloc and pthread)

Were these ever used or were they a remnant of the early implementations?

> - adds type code to logging callback
>
> ---
>
> selinux.h | 37 +++++++++++++++++++++++++++++++++++++
> 1 file changed, 37 insertions(+)
>
>
> Index: libselinux/include/selinux/selinux.h
> ===================================================================
> --- libselinux/include/selinux/selinux.h (revision 2445)
> +++ libselinux/include/selinux/selinux.h (working copy) @@ -132,6
> +132,43 @@ unsigned int seqno;
> };
>
> + struct av_mapping {
> + const char *name;
> + const access_vector_t value;
> + };
> +

Should this be a linked list?

> + struct security_class_mapping {
> + const char *name;
> + const security_class_t value;
> + const struct av_mapping *perms;
> + };
> +
> +/* Initialization routine for caching functions offered by
> the library
> +*/
> +
> + struct selinux_callbacks {
> + /* log the printf-style format and arguments,
> + with the type code indicating the type of message */
> + int (*func_log) (int type, const char *fmt, ...);
> + /* store a string representation of auditdata
> (corresponding
> + to the given security class) into msgbuf. */
> + void (*func_audit) (void *auditdata,
> security_class_t cls,
> + char *msgbuf, size_t msgbufsize);
> + };
> +
> + extern int selinux_init(int flags,
> + const struct
> security_class_mapping *map,
> + const struct selinux_callbacks
> *callbacks);
> +

Shouldn't the security_class_mapping either be an array here or be a linked list above?

> + /* Available flags */
> +#define SELINUX_THREAD 1
> +#define SELINUX_AVC 2
> +
> + /* Logging type codes, passed to the logging callback */
> +#define SELINUX_ERROR 0
> +#define SELINUX_WARNING 1
> +#define SELINUX_INFO 2
> +#define SELINUX_AVC_DENIAL 3
> +
> /* Compute an access decision. */
> extern int security_compute_av(security_context_t scon,
> security_context_t tcon,
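Review bot: selinux_init takes `const struct security_class_mapping *map` with no element count, and neither `security_class_mapping` nor its `perms` array documents a terminating entry, so the callee has no way to find the end of either table; either state the convention in a comment (for example, a final entry whose `name` is NULL) or pass explicit lengths. The `const` on the `value` members makes a `struct av_mapping` or `struct security_class_mapping` non-assignable in C, which gets in the way of building tables at runtime; since the `map` parameter is already a pointer to const, the member qualifiers can be dropped. The comment "Initialization routine for caching functions offered by the library" sits above `struct selinux_callbacks` rather than above `selinux_init`, and `SELINUX_THREAD` and `SELINUX_AVC` carry no description of what each flag enables; a one-line comment per flag would help callers. Consider also marking `func_log` with a printf-style format attribute where the compiler supports it, so mismatched format arguments in callers are diagnosed at compile time.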

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Fri 25 May 2007 - 18:38:13 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service