From: Eamon Walsh <ewalsh@tycho.nsa.gov>
To: SELinux@tycho.nsa.gov
Cc: Joshua Brindle <jbrindle@tresys.com>,
	Stephen Smalley <sds@tycho.nsa.gov>
Subject: [PATCH] libselinux: raw string_to_class/string_to_av_perm variants
Date: Wed, 07 Oct 2009 15:12:32 -0400
Message-ID: <4ACCE820.4080007@tycho.nsa.gov>

This is the first patch in a series to add dynamic class and permission 
remapping support.  The kernel has recently gained support for such 
remapping, where the class and permission values exposed in 
/selinux/class may change on policy reload.  Hence libselinux must do 
its own remapping in response to policy reloads.

This patch adds internal "raw" variants of string_to_security_class() 
and string_to_av_perm().  These are used by the mapping code when 
setting up a new mapping.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
---

  mapping.h   |   11 +++++++++++
  stringrep.c |   21 +++++++++++++++------
  2 files changed, 26 insertions(+), 6 deletions(-)


diff --git a/libselinux/src/mapping.h b/libselinux/src/mapping.h
index b96756b..b9e9c44 100644
--- a/libselinux/src/mapping.h
+++ b/libselinux/src/mapping.h
@@ -7,6 +7,17 @@
  #define _SELINUX_MAPPING_H_

  #include<selinux/selinux.h>
+#include "dso.h"
+
+/*
+ * Raw stringrep functions
+ */
+
+extern security_class_t
+string_to_security_class_raw(const char *s) hidden;
+
+extern access_vector_t
+string_to_av_perm_raw(security_class_t kclass, const char *s) hidden;

  /*
   * Get real, kernel values from mapped values
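Review bot: the "Raw stringrep functions" comment above the two prototypes should state what "raw" means for callers: string_to_security_class_raw() returns the unmapped kernel class value, and string_to_av_perm_raw() expects an unmapped kernel class in `kclass` and returns the unmapped permission bit. Handing a mapped class to a raw variant (or a raw value to a mapped consumer) silently yields a wrong lookup, and the `kclass` parameter name alone is a thin hint; a one-line note per function is cheaper than having every future caller trace it through stringrep.c. The added `#include "dso.h"` is needed for the `hidden` attribute and is the right call here, since these helpers exist for the mapping code only and must not become part of the exported ABI.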
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index b19bce7..c82d07a 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -434,7 +434,7 @@ static const char *security_av_perm_to_string_compat(security_class_t tclass,
  	return NULL;
  }

-security_class_t string_to_security_class(const char *s)
+security_class_t string_to_security_class_raw(const char *s)
  {
  	struct discover_class_node *node;

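Review bot: the renamed definition carries no `hidden` attribute of its own, so keeping string_to_security_class_raw() out of the exported symbol table depends entirely on the prototype from mapping.h being in scope earlier in stringrep.c. That is most likely already the case, because mapping.h is what provides map_class()/map_perm(), but it is worth confirming, since otherwise the rename would quietly add a new public symbol to the library. A short comment at the definition saying that it returns the kernel value rather than the mapped one would also help, now that the public function of the original name becomes a thin wrapper further down the file.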
@@ -453,31 +453,40 @@ security_class_t string_to_security_class(const char *s)
  		}
  	}

-	return map_class(node->value);
+	return node->value;
  }

-access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
+security_class_t string_to_security_class(const char *s)
+{
+	return map_class(string_to_security_class_raw(s));
+}
+
+access_vector_t string_to_av_perm_raw(security_class_t kclass, const char *s)
  {
  	struct discover_class_node *node;
-	security_class_t kclass = unmap_class(tclass);

  	__selinux_once(once, init_obj_class_compat);

  	if (obj_class_compat)
-		return map_perm(tclass, string_to_av_perm_compat(kclass, s));
+		return string_to_av_perm_compat(kclass, s);

  	node = get_class_cache_entry_value(kclass);
  	if (node != NULL) {
  		size_t i;
  		for (i=0; i<MAXVECTORS&&  node->perms[i] != NULL; i++)
  			if (strcmp(node->perms[i],s) == 0)
-				return map_perm(tclass, 1<<i);
+				return 1<<i;
  	}

  	errno = EINVAL;
  	return 0;
  }

+access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
+{
+	return map_perm(tclass, string_to_av_perm_raw(map_class(tclass), s));
+}
+
  const char *security_class_to_string(security_class_t tclass)
  {
  	struct discover_class_node *node;

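Review bot: the new string_to_av_perm() wrapper converts the caller's class in the wrong direction. It passes `map_class(tclass)` to string_to_av_perm_raw(), but the line this hunk removes, `security_class_t kclass = unmap_class(tclass);`, shows that the raw lookup keys on the kernel (unmapped) class, and `tclass` is the mapped value the caller supplies. It should read `return map_perm(tclass, string_to_av_perm_raw(unmap_class(tclass), s));`; as written, whenever a mapping is in effect the permission string is looked up under the wrong class node and either fails with EINVAL or matches another class's permission bit. The string_to_security_class() wrapper is fine, since map_class() is the correct direction there. Both wrappers keep the raw functions' 0/EINVAL failure path only if map_class() and map_perm() pass a 0 value through unchanged, which is worth a glance while fixing the above.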

-- 
Eamon Walsh<ewalsh@tycho.nsa.gov>
National Security Agency


