History log of /external/selinux/libselinux/src/selinux_internal.h
Revision Date Author Comments
09d99e8bec6e112598518c08a90d9423e61c8540 22-Sep-2016 Jason Zaman <jason@perfinion.com> libselinux: Add openrc_contexts functions

The file will initially contain:
run_init=run_init_t
There cannot be any spaces around the = since OpenRC's existing config
files and the methods it uses require it.

Signed-off-by: Jason Zaman <jason@perfinion.com>
/external/selinux/libselinux/src/selinux_internal.h
b2c1b0baaf52d79f8050fc1e3c146c698ef0ad7a 20-Jun-2016 Petr Lautrbach <plautrba@redhat.com> libselinux: add selinux_snapperd_contexts_path()

Snapper needs a way to set a proper SELinux context on btrfs
subvolumes originating in the snapshot create command. The fs can't handle it on
its own, so snapper will enforce .snapshots subvolume relabeling
according to a file returned by selinux_snapperd_contexts_path().

The format of the file will be similar to other contexts files:

snapperd_data = system_u:object_r:snapperd_data_t:s0

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1247530
https://bugzilla.redhat.com/show_bug.cgi?id=1247532

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
b408d72ca9104cb0c1bc4e154d8732cc7c0a9190 18-Sep-2015 Stephen Smalley <sds@tycho.nsa.gov> libselinux: flush the class/perm string mapping cache on policy reload

This improves the robustness of programs using selinux_check_access()
in the face of policy updates that alter the values of the class or
permissions that they are checking. Otherwise, a policy update can
trigger false permission denials, as in
https://bugzilla.redhat.com/show_bug.cgi?id=1264051

Changes to the userspace class/permission definitions should still be
handled with care, as not all userspace object managers have been converted
to use selinux_check_access() and even those that do use it are still not
entirely safe against an interleaving of a policy reload and a call to
selinux_check_access(). The change does however address the issue in
the above bug and avoids the need to restart systemd.

This change restores the flush_class_cache() function that was removed in
commit 435fae64a931 ("libselinux: Remove unused flush_class_cache method")
because it had no users at the time, but makes it hidden to avoid exposing
it as part of the libselinux ABI.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
8d7c2854c579a2bc85b49b62ccbf38a98fbdd475 21-May-2015 Petr Lautrbach <plautrba@redhat.com> libselinux: add selinux_openssh_contexts_path()

openssh in Fedora uses the "sshd_net_t" type for privilege separated
processes in the preauthentication phase. Similarly, openssh portable uses
"sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal.
Therefore selinux_openssh_contexts_path() was created to get a path where sshd
can get the correct types prepared by a distribution or an administrator.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
c08c4eacab8d55598b9e5caaef8a871a7a476cab 11-May-2015 Stephen Smalley <sds@tycho.nsa.gov> libselinux: is_selinux_enabled: Add /etc/selinux/config test.

To avoid regressions such as the one reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1219045
add a test for /etc/selinux/config to is_selinux_enabled().

This ensures that systems that do not install selinux-policy
will continue to return 0 from is_selinux_enabled().

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
7eec00a5be8b5cebcbbc9a30b42b34f4a623c587 09-Oct-2013 Dan Walsh <dwalsh@redhat.com> Add selinux_current_policy_path, which returns a pointer to the loaded policy

Also change audit2why to look at the loaded policy rather than searching on disk for
the policy file. It is more likely that you are examining the running policy.
/external/selinux/libselinux/src/selinux_internal.h
ce2a8848ad45e375cfdb58cebe28bc12431bb3db 09-Oct-2013 Dan Walsh <dwalsh@redhat.com> Add selinux_systemd_contexts_path

systemd has some internal contexts like generated systemd unit files
that we want to allow it to check against processes trying to manage them.
/external/selinux/libselinux/src/selinux_internal.h
ee6901618c9da360515474145504c7b58258441f 11-Jun-2012 Dan Walsh <dwalsh@redhat.com> libselinux: expose selinux_boolean_sub

Make selinux_boolean_sub a public method so getsebool can use it, as well as
potentially being used within libsemanage.

Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
88c35241535803247bd3044187c6c3b3c7f02c79 18-Apr-2012 Eric Paris <eparis@redhat.com> libselinux: boolean name equivalency

Add support for booleans.subs file. Basically this allows us to finally change
badly named booleans to some standard name.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
c802d4a6d53120a7c067c29625a17b09f922f4d3 18-Apr-2012 Dan Walsh <dwalsh@redhat.com> libselinux: Add support for lxc_contexts_path

In order for lxc to look up its process and file labels we add new
libselinux support. This is what we do for everything else, like
libvirt, sepostgresql, etc.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
2b5a0530e7c06150c84fc233fbfab40c57130f84 25-Mar-2012 Kohei KaiGai <kaigai@kaigai.gr.jp> libselinux: security_compute_create_name(3)

I'd like to use this interface to implement special case handling
for the default labeling behavior on temporary database objects. Allow
userspace to use the filename_trans rules added to policy.

Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
b3b19fdce58ff6ddfa6dfb8e5576c922c96e1e45 22-Sep-2011 Eric Paris <eparis@redhat.com> libselinux: load_policy: handle selinux=0 and /sys/fs/selinux not exist

Handle the situation where selinux=0 is passed to the kernel and both /selinux and
/sys/fs/selinux directories do not exist. We used to handle selinux=0
(or kernel compile without selinux) by getting ENODEV when we tried to
mount selinuxfs on /selinux. Now selinux=0 means that /sys/fs/selinux
won't exist and we never create the real directory /selinux at all. So
we get ENOENT instead of ENODEV. The solution is to check to see if the
mount failure was for ENODEV and if not to check if selinuxfs exists in
/proc/filesystems at all. If it doesn't exist, that's equivalent to
ENODEV.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
20b43b3fd3d392c4f12a963a4e46c264e7ed5163 06-Apr-2011 Daniel J Walsh <dwalsh@redhat.com> This patch adds a new subs_dist file.

The idea is to allow distributions to ship a subs file as well as let
the user modify subs.

In F16 we are looking at shipping a

file_contexts.subs_dist file like this

cat file_contexts.subs_dist
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
/lib64 /lib
/usr/lib64 /usr/lib

Then we will remove all (64)? from policy.

This will allow us to make sure all /usr/lib/libBLAH is labeled the same
as /usr/lib64/libBLAH

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libselinux/src/selinux_internal.h
1629d2f89a8c5f758413b87b94740aaaa5f21144 06-Apr-2011 Daniel J Walsh <dwalsh@redhat.com> This patch cleans up a couple of crashes caused by libselinux

If you fail to load_policy in the init or SELinux is disabled, you need
to free the selinux_mnt variable and clear the memory.

systemd was calling load_policy on a DISABLED system then later on it
would call is_selinux_enabled() and get an incorrect response, since
selinux_mnt still had valid data.

The second bug in libselinux revolves around calling
selinux_key_delete(destructor_key) if the selinux_key_create call had
never been called. This was causing data to be freed in other
applications that loaded and unloaded the libselinux library but never
set up setrans or matchpathcon.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libselinux/src/selinux_internal.h
f0b3127ca3c99ae218dba43a6e3f7430081c412b 09-Mar-2011 Eamon Walsh <ewalsh@tycho.nsa.gov> Use library destructors to destroy per-thread keys.

This prevents the key destructors, intended to free per-thread
heap storage, from being called after libselinux has been unloaded.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=680887

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
a29ff33baf366825c0fbe721d30b12b5b96a64e1 02-Dec-2010 Eamon Walsh <ewalsh@tycho.nsa.gov> Implement destructors for thread-local heap data.

Description of problem:
Use of __thread variables is great for creating a thread-safe variable, but
only insofar as the contents of that variable can safely be abandoned on
pthread_exit(). The moment you store malloc()d data into a __thread void*
variable, you have leaked memory when the thread exits, since there is no way
to associate a destructor with __thread variables.

The _only_ safe way to use thread-local caching of malloc()d data is to use
pthread_key_create, and associate a destructor that will call free() on the
resulting data when the thread exits.

libselinux is guilty of abusing __thread variables to store malloc()d data as a
form of a cache, to minimize computation by reusing earlier results from the
same thread. As a result of this memory leak, repeated starting and stopping
of domains via libvirt can result in the OOM killer triggering, since libvirt
fires up a thread per domain, and each thread uses selinux calls such as
fgetfilecon.

Version-Release number of selected component (if applicable):
libselinux-2.0.94-2.el6.x86_64
libvirt-0.8.1-27.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
0. These steps are run as root, assuming hardware kvm support and existence of
a VM named fedora (adjust the steps below as appropriate); if desired, I can
reduce this to a simpler test case that does not rely on libvirt, by using a
single .c file that links against libselinux and repeatedly spawns threads.
1. service libvirtd stop
2. valgrind --quiet --leak-check=full /usr/sbin/libvirtd& pid=$!
3. virsh start fedora
4. kill $pid

Actual results:
The biggest leak reported is due to libselinux' abuse of __thread:

==26696== 829,730 (40 direct, 829,690 indirect) bytes in 1 blocks are
definitely lost in loss record 500 of 500
==26696== at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==26696== by 0x3022E0D48C: selabel_open (label.c:165)
==26696== by 0x3022E11646: matchpathcon_init_prefix (matchpathcon.c:296)
==26696== by 0x3022E1190D: matchpathcon (matchpathcon.c:317)
==26696== by 0x3033ED7FB5: SELinuxRestoreSecurityFileLabel (security_selinux.c:381)
==26696== by 0x3033ED8539: SELinuxRestoreSecurityAllLabel (security_selinux.c:749)
==26696== by 0x459153: qemuSecurityStackedRestoreSecurityAllLabel (qemu_security_stacked.c:257)
==26696== by 0x43F0C5: qemudShutdownVMDaemon (qemu_driver.c:4311)
==26696== by 0x4555C9: qemudStartVMDaemon (qemu_driver.c:4234)
==26696== by 0x458416: qemudDomainObjStart (qemu_driver.c:7268)
==26696== by 0x45896F: qemudDomainStart (qemu_driver.c:7308)
==26696== by 0x3033E75412: virDomainCreate (libvirt.c:4881)
==26696==

Basically, libvirt created a thread that used matchpathcon during 'virsh start
fedora', and matchpathcon stuffed over 800k of malloc'd data into:

static __thread char **con_array;

which are then inaccessible when libvirt exits the thread as part of shutting
down on SIGTERM.

Expected results:
valgrind should not report any memory leaks related to libselinux.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Reported-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
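The leak and its fix described in the commit above, as an added C example (not libselinux's own code): a hypothetical per-thread cache that uses pthread_key_create with a destructor instead of a __thread pointer, plus a counter that confirms the destructor fires once per exiting thread. The cache contents are a constructed stand-in for what matchpathcon would store.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-thread cache standing in for libselinux's con_array.
 * As "static __thread char *cache;" the malloc'd block would be abandoned
 * at pthread_exit(); a pthread key with a destructor frees it instead. */
static pthread_key_t cache_key;
static pthread_once_t cache_once = PTHREAD_ONCE_INIT;
static atomic_int destructor_runs;    /* instrumentation for the check */

/* Key destructor: called once for each exiting thread that set the key. */
static void cache_destroy(void *p)
{
    free(p);
    atomic_fetch_add(&destructor_runs, 1);
}

static void cache_key_init(void)
{
    pthread_key_create(&cache_key, cache_destroy);
}

/* Return this thread's cache, allocating it on first use. */
static char *cache_get(void)
{
    pthread_once(&cache_once, cache_key_init);
    char *buf = pthread_getspecific(cache_key);
    if (!buf) {
        buf = malloc(4096);               /* constructed stand-in payload */
        if (!buf)
            return NULL;
        snprintf(buf, 4096, "system_u:object_r:etc_t:s0");
        pthread_setspecific(cache_key, buf);
    }
    return buf;
}

static void *worker(void *unused)
{
    (void)unused;
    cache_get();   /* first call allocates the per-thread block */
    cache_get();   /* later calls reuse it: no growth per call */
    return NULL;   /* thread exit: cache_destroy() frees the block */
}
/* Run n short-lived threads and report how many caches were freed. */
int run_threads(int n)
{
    pthread_t *t = calloc((size_t)n, sizeof *t);
    if (!t)
        return -1;
    atomic_store(&destructor_runs, 0);
    for (int i = 0; i < n; i++)
        pthread_create(&t[i], NULL, worker, NULL);
    for (int i = 0; i < n; i++)
        pthread_join(t[i], NULL);
    free(t);
    return atomic_load(&destructor_runs);
}
```

With a plain __thread pointer the same loop would report zero frees and valgrind would show one lost block per thread, which is the pattern in the report above.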
70aeeb918aa721ad90ed8e1b433a55c8ecf2cb83 15-Mar-2010 Eamon Walsh <ewalsh@tycho.nsa.gov> This patch allows selabel_*() interfaces to provide an expected security context
for the given database object identified by its name and object class.
It is necessary to implement a feature something like the restorecon on databases.

The specfile shall be described as follows:
------------------------
#
# The specfile for database objects
# (for SE-PostgreSQL)
#
# <object class> <object name> <security context>
#
db_database * system_u:object_r:sepgsql_db_t:s0

db_schema *.pg_catalog system_u:object_r:sepgsql_sys_schema_t:s0
db_schema *.* system_u:object_r:sepgsql_schema_t:s0

db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
db_table *.*.* system_u:object_r:sepgsql_table_t:s0
------------------------

- All the characters after the '#' are ignored.
- Wildcards ('*' and '?') are available.
- It returns the first matching security context.

Note that the hierarchy of the namespace of database objects depends on the RDBMS.
So the author of the specfile needs to write correct patterns which are suitable
for the target RDBMS. The patched selabel_*() interfaces don't have any
heuristics for the namespace hierarchy to be suitable for widespread RDBMSs.
In the case of SE-PgSQL, when we look up an expected security context for the
'my_table' table in the 'public' schema and 'postgres' database, the caller
shall provide 'postgres.public.my_table' as a key.

By default, it tries to read a specfile which maps database objects to security
contexts from /etc/selinux/$POLICYTYPE/contexts/sepgsql_contexts.
Note that when another RDBMS uses this interface, it needs to give an explicit
SELABEL_OPT_PATH option on the selabel_open().

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
7d19f9df510daef5dc929df5854c2dda2a64f475 20-Oct-2009 Chad Sellers <csellers@tresys.com> libselinux: Export reset_selinux_config()

In integrating SELinux policy into rpm, we have a need to be
able to reset the configuration data (e.g. policy type) loaded
into libselinux. These values are currently loaded lazily by a
number of different functions (e.g. matchpathcon_init()).
Since we are changing rpm to install policy, including initial
base policy, we need to be able to reload these configuration
items after the policy has been installed.

reset_selinux_config() already exists and is used by
selinux_init_load_policy() for a similar reason, but it is not
exported. This was probably intentional since it is not thread
safe at all. That said, rpm needs to do the same thing. This
patch makes the function public, and places a warning in the
header comment that it is not thread safe.

Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/libselinux/src/selinux_internal.h
8c372f665db44cf753bb299e2ee7dcf6143b9e9e 01-Jul-2009 Stephen Smalley <sds@tycho.nsa.gov> libselinux: lazy init

Revive Steve Grubb's patch for libselinux lazy init and extend it to
address not only the reading of /etc/selinux/config but also probing
for /selinux/class and reading of /selinux/mls. This should reduce the
need for dontaudit rules for programs that link with libselinux and it
should reduce unnecessary overhead.

I did not convert init_selinuxmnt over to lazy init since the functions
that use selinux_mnt are not localized, and it only requires stat'ing
of /selinux in the common case.

I couldn't see a valid reason why we needed fini_obj_class_compat(), as
the existence of /selinux/class will only change across a reboot with
different kernel versions. fini_context_translations() already had a
comment saying that it was unnecessary as well.

Before:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY) = 3
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3

After:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY) = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0

Original-patch-by: Steve Grubb <linux_4ever@yahoo.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
20271d94ed2b26b94b052ba6ed90b63566cecbb7 04-Jun-2009 Daniel J Walsh <dwalsh@redhat.com> Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: SELinux context patch
Date: Mon, 18 May 2009 14:16:12 -0400

This patch adds context files for virtual_domain and virtual_image;
these are both being used to locate the default context to be executed by
svirt.

I also included the subs patch which I submitted before. This patch
allows us to substitute prefixes to matchpathcon.

So we can say /export/home == /home

and

/web == /var/www

Author: Chad Sellers
Email: csellers@tresys.com

Flipped free()'s in the original patch, when strdup fails, to the proper order.

Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/libselinux/src/selinux_internal.h
433a99d4032706af724ff779d8d9d539f20793f8 08-Apr-2009 KaiGai Kohei <kaigai@ak.jp.nec.com> It is useful for a userspace object manager if libselinux has an
interface something like: int security_deny_unknown(void);

This interface can suggest to applications the preferable behavior when
string_to_security_class() or string_to_av_perm() returns an invalid
value, which means the security policy does not define the required
ones.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
/external/selinux/libselinux/src/selinux_internal.h
55ed6e7fa6b7d55c628fa04508521920e60a43f7 08-Apr-2009 KaiGai Kohei <kaigai@ak.jp.nec.com> This patch enables applications to handle permissive domain correctly.

Since the v2.6.26 kernel, SELinux has supported the idea of a permissive
domain, which allows certain processes to work as if in permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application programming interface to inform
what domains are permissive ones and what domains are not.
It means applications focused on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domains correctly.

This patch adds the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on a permissive domain, so the application should
allow any required actions, as the kernel does.

This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables checking required permissions
without read_lock(&policy_rwlock).

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
/external/selinux/libselinux/src/selinux_internal.h
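How a userspace object manager should consume the sixth field described in the commit above, as an added C example (not libselinux's compute_av code). It assumes the reply layout "allowed decided auditallow auditdeny seqno flags" with the first five fields as before the patch and tolerates an older five-field reply; the replies below are constructed, not captured from a kernel.

```c
#include <stdio.h>
#include <string.h>

/* Bit 0 of the flags field marks a decision made for a permissive domain
 * (value taken from the commit text: "the first bit of the flags field"). */
#define AVD_FLAG_PERMISSIVE 0x1u

struct avd {
    unsigned int allowed, decided, auditallow, auditdeny, seqno, flags;
};

/* Parse one /selinux/access reply line. Assumed layout (see lead-in):
 * hex allowed, hex decided, hex auditallow, hex auditdeny, dec seqno, hex flags.
 * A five-field reply from a kernel without the patch yields flags = 0.
 * Returns 0 on success, -1 on a malformed reply. */
int parse_avd(const char *reply, struct avd *out)
{
    memset(out, 0, sizeof *out);
    int n = sscanf(reply, "%x %x %x %x %u %x", &out->allowed, &out->decided,
                   &out->auditallow, &out->auditdeny, &out->seqno, &out->flags);
    return (n == 5 || n == 6) ? 0 : -1;
}

/* Decision as the kernel would make it: grant when every requested
 * permission bit is allowed, or when the domain is permissive. A malformed
 * reply is reported as -1 rather than treated as a grant. */
int check_access(const char *reply, unsigned int requested)
{
    struct avd a;
    if (parse_avd(reply, &a) < 0)
        return -1;
    if ((a.allowed & requested) == requested)
        return 1;
    if (a.flags & AVD_FLAG_PERMISSIVE)
        return 1;   /* permissive domain: allow, as the kernel does */
    return 0;
}
```

Whether a permissive grant should additionally be audited is left to the caller; the point of the flags bit is that the allow/deny outcome matches what the kernel itself would enforce.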
f9b1f1a2a17298b60a94780ab5899a8d91cbf100 01-Jan-2009 Eamon Walsh <ewalsh@tycho.nsa.gov> Add config path function for secolor.conf file.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
cfa3cb6fa5d0cc00fde75ee74ec2da577f62e141 26-Nov-2008 Eamon Walsh <ewalsh@tycho.nsa.gov> Add client routines for translating raw security contexts into colors.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
13cd4c8960688af11ad23b4c946149015c80d549 19-Aug-2008 Joshua Brindle <method@manicmethod.com> initial import from svn trunk revision 2950
/external/selinux/libselinux/src/selinux_internal.h