]>
Commit | Line | Data |
---|---|---|
cc0a4653 SS |
1 | diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h |
2 | index 1848a7b..f53a499 100644 | |
3 | --- a/libsepol/include/sepol/policydb/policydb.h | |
4 | +++ b/libsepol/include/sepol/policydb/policydb.h | |
5 | @@ -111,6 +111,19 @@ typedef struct class_datum { | |
6 | symtab_t permissions; /* class-specific permission symbol table */ | |
7 | constraint_node_t *constraints; /* constraints on class permissions */ | |
8 | constraint_node_t *validatetrans; /* special transition rules */ | |
9 | +/* Options how a new object user and role should be decided */ | |
10 | +#define DEFAULT_SOURCE 1 | |
11 | +#define DEFAULT_TARGET 2 | |
12 | + char default_user; | |
13 | + char default_role; | |
14 | +/* Options how a new object range should be decided */ | |
15 | +#define DEFAULT_SOURCE_LOW 1 | |
16 | +#define DEFAULT_SOURCE_HIGH 2 | |
17 | +#define DEFAULT_SOURCE_LOW_HIGH 3 | |
18 | +#define DEFAULT_TARGET_LOW 4 | |
19 | +#define DEFAULT_TARGET_HIGH 5 | |
20 | +#define DEFAULT_TARGET_LOW_HIGH 6 | |
21 | + char default_range; | |
22 | } class_datum_t; | |
23 | ||
24 | /* Role attributes */ | |
25 | @@ -667,10 +680,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); | |
26 | #define POLICYDB_VERSION_BOUNDARY 24 | |
27 | #define POLICYDB_VERSION_FILENAME_TRANS 25 | |
28 | #define POLICYDB_VERSION_ROLETRANS 26 | |
29 | +#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 | |
30 | ||
31 | /* Range of policy versions we understand*/ | |
32 | #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE | |
33 | -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS | |
34 | +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS | |
35 | ||
36 | /* Module versions and specific changes*/ | |
37 | #define MOD_POLICYDB_VERSION_BASE 4 | |
38 | @@ -686,9 +700,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); | |
39 | #define MOD_POLICYDB_VERSION_ROLETRANS 12 | |
40 | #define MOD_POLICYDB_VERSION_ROLEATTRIB 13 | |
41 | #define MOD_POLICYDB_VERSION_TUNABLE_SEP 14 | |
42 | +#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15 | |
43 | ||
44 | #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE | |
45 | -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_TUNABLE_SEP | |
46 | +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS | |
47 | ||
48 | #define POLICYDB_CONFIG_MLS 1 | |
49 | ||
50 | diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c | |
51 | index 493e478..73b9107 100644 | |
52 | --- a/libsepol/src/expand.c | |
53 | +++ b/libsepol/src/expand.c | |
54 | @@ -358,6 +358,35 @@ static int constraint_node_clone(constraint_node_t ** dst, | |
55 | return -1; | |
56 | } | |
57 | ||
58 | +static int class_copy_default_new_object(expand_state_t *state, | |
59 | + class_datum_t *olddatum, | |
60 | + class_datum_t *newdatum) | |
61 | +{ | |
62 | + if (olddatum->default_user) { | |
63 | + if (newdatum->default_user && olddatum->default_user != newdatum->default_user) { | |
64 | + ERR(state->handle, "Found conflicting default user definitions"); | |
65 | + return SEPOL_ENOTSUP; | |
66 | + } | |
67 | + newdatum->default_user = olddatum->default_user; | |
68 | + | |
69 | + } | |
70 | + if (olddatum->default_role) { | |
71 | + if (newdatum->default_role && olddatum->default_role != newdatum->default_role) { | |
72 | + ERR(state->handle, "Found conflicting default role definitions"); | |
73 | + return SEPOL_ENOTSUP; | |
74 | + } | |
75 | + newdatum->default_role = olddatum->default_role; | |
76 | + } | |
77 | + if (olddatum->default_range) { | |
78 | + if (newdatum->default_range && olddatum->default_range != newdatum->default_range) { | |
79 | + ERR(state->handle, "Found conflicting default range definitions"); | |
80 | + return SEPOL_ENOTSUP; | |
81 | + } | |
82 | + newdatum->default_range = olddatum->default_range; | |
83 | + } | |
84 | + return 0; | |
85 | +} | |
86 | + | |
87 | static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum, | |
88 | void *data) | |
89 | { | |
90 | @@ -393,6 +422,12 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum, | |
91 | new_class->s.value = class->s.value; | |
92 | state->out->p_classes.nprim++; | |
93 | ||
94 | + ret = class_copy_default_new_object(state, class, new_class); | |
95 | + if (ret) { | |
96 | + free(new_class); | |
97 | + return ret; | |
98 | + } | |
99 | + | |
100 | new_id = strdup(id); | |
101 | if (!new_id) { | |
102 | ERR(state->handle, "Out of memory!"); | |
103 | diff --git a/libsepol/src/link.c b/libsepol/src/link.c | |
104 | index ee9675b..01d3231 100644 | |
105 | --- a/libsepol/src/link.c | |
106 | +++ b/libsepol/src/link.c | |
107 | @@ -205,6 +205,34 @@ static int permission_copy_callback(hashtab_key_t key, hashtab_datum_t datum, | |
108 | return ret; | |
109 | } | |
110 | ||
111 | +static int class_copy_default_new_object(link_state_t *state, | |
112 | + class_datum_t *olddatum, | |
113 | + class_datum_t *newdatum) | |
114 | +{ | |
115 | + if (olddatum->default_user) { | |
116 | + if (newdatum->default_user && olddatum->default_user != newdatum->default_user) { | |
117 | + ERR(state->handle, "Found conflicting default user definitions"); | |
118 | + return SEPOL_ENOTSUP; | |
119 | + } | |
120 | + newdatum->default_user = olddatum->default_user; | |
121 | + } | |
122 | + if (olddatum->default_role) { | |
123 | + if (newdatum->default_role && olddatum->default_role != newdatum->default_role) { | |
124 | + ERR(state->handle, "Found conflicting default role definitions"); | |
125 | + return SEPOL_ENOTSUP; | |
126 | + } | |
127 | + newdatum->default_role = olddatum->default_role; | |
128 | + } | |
129 | + if (olddatum->default_range) { | |
130 | + if (newdatum->default_range && olddatum->default_range != newdatum->default_range) { | |
131 | + ERR(state->handle, "Found conflicting default range definitions"); | |
132 | + return SEPOL_ENOTSUP; | |
133 | + } | |
134 | + newdatum->default_range = olddatum->default_range; | |
135 | + } | |
136 | + return 0; | |
137 | +} | |
138 | + | |
139 | static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum, | |
140 | void *data) | |
141 | { | |
142 | @@ -287,6 +315,11 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum, | |
143 | state->dest_class = new_class; | |
144 | state->dest_class_name = (char *)key; | |
145 | ||
146 | + /* copy default new object rules */ | |
147 | + ret = class_copy_default_new_object(state, cladatum, new_class); | |
148 | + if (ret) | |
149 | + return ret; | |
150 | + | |
151 | ret = | |
152 | hashtab_map(cladatum->permissions.table, permission_copy_callback, | |
153 | state); | |
154 | diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c | |
155 | index 136b450..a84de2f 100644 | |
156 | --- a/libsepol/src/policydb.c | |
157 | +++ b/libsepol/src/policydb.c | |
158 | @@ -151,6 +151,13 @@ static struct policydb_compat_info policydb_compat[] = { | |
159 | .target_platform = SEPOL_TARGET_SELINUX, | |
160 | }, | |
161 | { | |
162 | + .type = POLICY_KERN, | |
163 | + .version = POLICYDB_VERSION_NEW_OBJECT_DEFAULTS, | |
164 | + .sym_num = SYM_NUM, | |
165 | + .ocon_num = OCON_NODE6 + 1, | |
166 | + .target_platform = SEPOL_TARGET_SELINUX, | |
167 | + }, | |
168 | + { | |
169 | .type = POLICY_BASE, | |
170 | .version = MOD_POLICYDB_VERSION_BASE, | |
171 | .sym_num = SYM_NUM, | |
172 | @@ -228,6 +235,13 @@ static struct policydb_compat_info policydb_compat[] = { | |
173 | .target_platform = SEPOL_TARGET_SELINUX, | |
174 | }, | |
175 | { | |
176 | + .type = POLICY_BASE, | |
177 | + .version = MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS, | |
178 | + .sym_num = SYM_NUM, | |
179 | + .ocon_num = OCON_NODE6 + 1, | |
180 | + .target_platform = SEPOL_TARGET_SELINUX, | |
181 | + }, | |
182 | + { | |
183 | .type = POLICY_MOD, | |
184 | .version = MOD_POLICYDB_VERSION_BASE, | |
185 | .sym_num = SYM_NUM, | |
186 | @@ -304,6 +318,13 @@ static struct policydb_compat_info policydb_compat[] = { | |
187 | .ocon_num = 0, | |
188 | .target_platform = SEPOL_TARGET_SELINUX, | |
189 | }, | |
190 | + { | |
191 | + .type = POLICY_MOD, | |
192 | + .version = MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS, | |
193 | + .sym_num = SYM_NUM, | |
194 | + .ocon_num = 0, | |
195 | + .target_platform = SEPOL_TARGET_SELINUX, | |
196 | + }, | |
197 | }; | |
198 | ||
199 | #if 0 | |
200 | @@ -2064,6 +2085,18 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) | |
201 | goto bad; | |
202 | } | |
203 | ||
204 | + if ((p->policy_type == POLICY_KERN && | |
205 | + p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) || | |
206 | + (p->policy_type == POLICY_BASE && | |
207 | + p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) { | |
208 | + rc = next_entry(buf, fp, sizeof(uint32_t) * 3); | |
209 | + if (rc < 0) | |
210 | + goto bad; | |
211 | + cladatum->default_user = le32_to_cpu(buf[0]); | |
212 | + cladatum->default_role = le32_to_cpu(buf[1]); | |
213 | + cladatum->default_range = le32_to_cpu(buf[2]); | |
214 | + } | |
215 | + | |
216 | if (hashtab_insert(h, key, cladatum)) | |
217 | goto bad; | |
218 | ||
219 | diff --git a/libsepol/src/write.c b/libsepol/src/write.c | |
220 | index e34ab52..22e6143 100644 | |
221 | --- a/libsepol/src/write.c | |
222 | +++ b/libsepol/src/write.c | |
223 | @@ -976,6 +976,18 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) | |
224 | return POLICYDB_ERROR; | |
225 | } | |
226 | ||
227 | + if ((p->policy_type == POLICY_KERN && | |
228 | + p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) || | |
229 | + (p->policy_type == POLICY_BASE && | |
230 | + p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) { | |
231 | + buf[0] = cpu_to_le32(cladatum->default_user); | |
232 | + buf[1] = cpu_to_le32(cladatum->default_role); | |
233 | + buf[2] = cpu_to_le32(cladatum->default_range); | |
234 | + items = put_entry(buf, sizeof(uint32_t), 3, fp); | |
235 | + if (items != 3) | |
236 | + return POLICYDB_ERROR; | |
237 | + } | |
238 | + | |
239 | return POLICYDB_SUCCESS; | |
240 | } | |
241 |