author | Eric Paris <eparis@redhat.com> | 2007-09-21 14:37:10 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2007-10-17 08:59:33 +1000 |
commit | 3f12070e27b4a213d62607d2bff139793089a77d | |
tree | b6b614737f916c7c3102f66e6ad9e682b9c9bf04 /security/selinux/ss/policydb.h | |
parent | 788e7dd4c22e6f41b3a118fd8c291f831f6fddbb | |
SELinux: policy selectable handling of unknown classes and perms
Allow policy to select, in much the same way as it selects MLS support, how
the kernel should handle access decisions which contain either unknown
classes or unknown permissions in known classes. The three choices for the
policy flags are
0 - Deny unknown security access. (default)
2 - reject loading policy if it does not contain all definitions
4 - allow unknown security access
The policy's choice is exported through 2 booleans in
selinuxfs: /selinux/deny_unknown and /selinux/reject_unknown.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/ss/policydb.h')
-rw-r--r-- | security/selinux/ss/policydb.h | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 8319d5f..844d310 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h @@ -242,6 +242,10 @@ struct policydb { struct ebitmap *type_attr_map; unsigned int policyvers; + + unsigned int reject_unknown : 1; + unsigned int allow_unknown : 1; + u32 *undefined_perms; }; extern void policydb_destroy(struct policydb *p); @@ -253,6 +257,10 @@ extern int policydb_read(struct policydb *p, void *fp); #define POLICYDB_CONFIG_MLS 1 +/* the config flags related to unknown classes/perms are bits 2 and 3 */ +#define REJECT_UNKNOWN 0x00000002 +#define ALLOW_UNKNOWN 0x00000004 + #define OBJECT_R "object_r" #define OBJECT_R_VAL 1 |
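Review bot: In the first hunk (struct policydb), `reject_unknown` and `allow_unknown` are two independent one-bit fields, so nothing in the structure itself rules out a policy that has both set, even though the commit message describes the options as three mutually exclusive choices (0, 2, 4); the policy loader should either reject such a policy or the header should document which bit takes precedence. The new `u32 *undefined_perms` pointer also lacks a comment saying what it indexes (one entry per class?) and who allocates and frees it; since `policydb_destroy(struct policydb *p)` is declared right below, a one-line comment stating that `policydb_destroy` must free it would help the next reader, and that free should be checked for in the corresponding policydb.c change.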
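Review bot: In the second hunk, the comment "the config flags related to unknown classes/perms are bits 2 and 3" does not match the values: `REJECT_UNKNOWN 0x00000002` and `ALLOW_UNKNOWN 0x00000004` are bits 1 and 2 in the usual zero-based numbering, with `POLICYDB_CONFIG_MLS 1` occupying bit 0. Reword the comment to avoid the ambiguity, e.g. "bits 1 and 2 (zero-based), next to POLICYDB_CONFIG_MLS in bit 0". For consistency with the existing `POLICYDB_CONFIG_MLS` name, these would also read better as `POLICYDB_CONFIG_REJECT_UNKNOWN` and `POLICYDB_CONFIG_ALLOW_UNKNOWN`, which makes it obvious they are bits of the same policy config word rather than unrelated constants.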