ddd80eeb74
- Eliminate use of security_compute_user()
125 lines
4.3 KiB
Diff
125 lines
4.3 KiB
Diff
From 48de56d96b15a6879f653d8dad57f6862a3cbaa0 Mon Sep 17 00:00:00 2001
|
|
From: Stephen Smalley <sds@tycho.nsa.gov>
|
|
Date: Tue, 21 Jan 2020 11:18:22 -0500
|
|
Subject: [PATCH] libselinux: export flush_class_cache(), call it on policyload
|
|
|
|
Rename flush_class_cache() to selinux_flush_class_cache(), export it
|
|
for direct use by userspace policy enforcers, and call it on all policy
|
|
load notifications rather than only when using selinux_check_access().
|
|
This ensures that policy reloads that change a userspace class or
|
|
permission value will be reflected by subsequent string_to_security_class()
|
|
or string_to_av_perm() calls.
|
|
|
|
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
---
|
|
libselinux/include/selinux/selinux.h | 3 +++
|
|
libselinux/src/avc_internal.c | 2 ++
|
|
libselinux/src/checkAccess.c | 13 -------------
|
|
libselinux/src/selinux_internal.h | 3 +--
|
|
libselinux/src/stringrep.c | 4 +++-
|
|
5 files changed, 9 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
|
|
index fe46e681488d..7922d96b70c7 100644
|
|
--- a/libselinux/include/selinux/selinux.h
|
|
+++ b/libselinux/include/selinux/selinux.h
|
|
@@ -418,6 +418,9 @@ extern int security_av_string(security_class_t tclass,
|
|
/* Display an access vector in a string representation. */
|
|
extern void print_access_vector(security_class_t tclass, access_vector_t av);
|
|
|
|
+/* Flush the SELinux class cache, e.g. upon a policy reload. */
|
|
+extern void selinux_flush_class_cache(void);
|
|
+
|
|
/* Set the function used by matchpathcon_init when displaying
|
|
errors about the file_contexts configuration. If not set,
|
|
then this defaults to fprintf(stderr, fmt, ...). */
|
|
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
|
|
index 49cecc96daee..568a3d928ac1 100644
|
|
--- a/libselinux/src/avc_internal.c
|
|
+++ b/libselinux/src/avc_internal.c
|
|
@@ -23,6 +23,7 @@
|
|
#include "callbacks.h"
|
|
#include "selinux_netlink.h"
|
|
#include "avc_internal.h"
|
|
+#include "selinux_internal.h"
|
|
|
|
#ifndef NETLINK_SELINUX
|
|
#define NETLINK_SELINUX 7
|
|
@@ -207,6 +208,7 @@ static int avc_netlink_process(void *buf)
|
|
avc_prefix, rc, errno);
|
|
return rc;
|
|
}
|
|
+ selinux_flush_class_cache();
|
|
rc = selinux_netlink_policyload(msg->seqno);
|
|
if (rc < 0)
|
|
return rc;
|
|
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
|
|
index 16bfcfb63f85..7227ffe51eac 100644
|
|
--- a/libselinux/src/checkAccess.c
|
|
+++ b/libselinux/src/checkAccess.c
|
|
@@ -10,25 +10,12 @@
|
|
static pthread_once_t once = PTHREAD_ONCE_INIT;
|
|
static int selinux_enabled;
|
|
|
|
-static int avc_reset_callback(uint32_t event __attribute__((unused)),
|
|
- security_id_t ssid __attribute__((unused)),
|
|
- security_id_t tsid __attribute__((unused)),
|
|
- security_class_t tclass __attribute__((unused)),
|
|
- access_vector_t perms __attribute__((unused)),
|
|
- access_vector_t *out_retained __attribute__((unused)))
|
|
-{
|
|
- flush_class_cache();
|
|
- return 0;
|
|
-}
|
|
-
|
|
static void avc_init_once(void)
|
|
{
|
|
selinux_enabled = is_selinux_enabled();
|
|
if (selinux_enabled == 1) {
|
|
if (avc_open(NULL, 0))
|
|
return;
|
|
- avc_add_callback(avc_reset_callback, AVC_CALLBACK_RESET,
|
|
- 0, 0, 0, 0);
|
|
}
|
|
}
|
|
|
|
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
|
|
index 8b4bed2fd0d1..61b78aaa7c10 100644
|
|
--- a/libselinux/src/selinux_internal.h
|
|
+++ b/libselinux/src/selinux_internal.h
|
|
@@ -107,8 +107,7 @@ hidden_proto(selinux_trans_to_raw_context);
|
|
hidden_proto(security_get_initial_context);
|
|
hidden_proto(security_get_initial_context_raw);
|
|
hidden_proto(selinux_reset_config);
|
|
-
|
|
-hidden void flush_class_cache(void);
|
|
+hidden_proto(selinux_flush_class_cache);
|
|
|
|
extern int require_seusers hidden;
|
|
extern int selinux_page_size hidden;
|
|
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
|
|
index 4db95398e138..29757b750878 100644
|
|
--- a/libselinux/src/stringrep.c
|
|
+++ b/libselinux/src/stringrep.c
|
|
@@ -158,7 +158,7 @@ err1:
|
|
return NULL;
|
|
}
|
|
|
|
-hidden void flush_class_cache(void)
|
|
+void selinux_flush_class_cache(void)
|
|
{
|
|
struct discover_class_node *cur = discover_class_cache, *prev = NULL;
|
|
size_t i;
|
|
@@ -180,6 +180,8 @@ hidden void flush_class_cache(void)
|
|
discover_class_cache = NULL;
|
|
}
|
|
|
|
+hidden_def(selinux_flush_class_cache)
|
|
+
|
|
security_class_t string_to_security_class(const char *s)
|
|
{
|
|
struct discover_class_node *node;
|
|
--
|
|
2.25.1
|
|
|