From 64dbf07474d011540ca479a2e87fe998f570d6e3 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 31 Mar 2008 12:17:33 +1100 Subject: selinux: introduce permissive types Introduce the concept of a permissive type. A new ebitmap is introduced to the policy database which indicates if a given type has the permissive bit set or not. This bit is tested for the scontext of any denial. The bit is meaningless on types which only appear as the target of a decision and never the source. A domain running with a permissive type will be allowed to perform any action similarly to when the system is globally set permissive. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/ss/services.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index face5795c760..eefa89ce77a7 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -417,6 +417,31 @@ inval_class: return -EINVAL; } +/* + * Given a sid find if the type has the permissive flag set + */ +int security_permissive_sid(u32 sid) +{ + struct context *context; + u32 type; + int rc; + + POLICY_RDLOCK; + + context = sidtab_search(&sidtab, sid); + BUG_ON(!context); + + type = context->type; + /* + * we are intentionally using type here, not type-1, the 0th bit may + * someday indicate that we are globally setting permissive in policy. + */ + rc = ebitmap_get_bit(&policydb.permissive_map, type); + + POLICY_RDUNLOCK; + return rc; +} + static int security_validtrans_handle_fail(struct context *ocontext, struct context *ncontext, struct context *tcontext, -- cgit v1.2.3