Ticket #21 (closed Feature: fixed)

Opened 2 years ago

Last modified 2 years ago

flask header updates

Reported by: pebenito Assigned to: ccase
Priority: Normal Component: Infrastructure
Version: SVN HEAD Keywords:
Cc: sds@tycho.nsa.gov

Description (Last modified by pebenito)

Change the flask header generation scripts to create two sets of headers, one for libselinux which has all definitions, and one for the kernel, which does not include userland object classes.

> > Given the class/permission validation patches by Chad, we should modify
> > the policy scripts that generate the Flask headers to use the existing #
> > userspace annotations in security_classes to generate two sets of
> > headers, one for the kernel that only includes the kernel definitions
> > and one for libselinux that has them all.
> 
> Let me just clarify this:
> 
> > The values will stay the same, but the kernel doesn't need the
> > userspace definitions and we don't want the kernel imposing
> > restrictions on the ability to modify those userspace definitions
> > later.
> 
> So basically you're just suggesting we drop out the userspace permission
> definitions in av_permissions.h and in av_perm_to_string.h for the
> kernel?  All the class definitions will still have to stick around so
> the offsets for the classes remain correct.

We have to keep the kernel class values the same, but I don't see why we
need to emit the #define's for the userspace classes in the kernel's
flask.h.  We would need a way of marking holes in the class_to_string.h
table for the kernel to tell the validation code to skip them, e.g. we
could use S_("null") for userspace classes, and have the validation code
skip all such entries.  The kernel policy loading validation code
shouldn't check userspace classes or permissions at all.
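The two-header-set scheme sketched above, as an added example for this ticket (it is not refpolicy's or the kernel's own mkflask.sh/mkaccess_vector.sh output): the trailing "# userspace" annotation in security_classes decides what the kernel set omits, class values come from file position and so stay identical in both sets, and the kernel class_to_string.h gets an S_("null") hole where a userspace class sits. The sample security_classes/access_vectors content is a constructed subset, the S_("null") marker and the function names are assumptions, and "common" blocks in access_vectors are not handled.

```python
"""Generate kernel and libselinux Flask headers from one policy source.

Added example for this ticket, not refpolicy's mkflask.sh/mkaccess_vector.sh.
Classes marked "# userspace" keep their value in both sets but are left out
of the kernel headers, with an S_("null") hole that validation can skip.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in security_classes syntax (subset of real classes).
SECURITY_CLASSES = """\
class security
class passwd # userspace
class dir
"""

# Constructed sample in access_vectors syntax (subset of real permissions).
ACCESS_VECTORS = """\
class security
{
    compute_av
    load_policy
}
class passwd
{
    passwd
    chfn
}
class dir
{
    search
    add_name
}
"""

CLASS_RE = re.compile(r'^\s*class\s+(\w+)(.*)$')


def parse_security_classes(text: str) -> List[Tuple[str, bool]]:
    """Return [(name, is_userspace)] in file order; the 1-based position is
    the class value and must come out identical in both header sets."""
    classes = []
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes.append((m.group(1), 'userspace' in m.group(2)))
    return classes


def parse_access_vectors(text: str) -> Dict[str, List[str]]:
    """Return {class: [perm, ...]} in declaration order (no 'common' support)."""
    avs: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop trailing comments
        if not line or line in ('{', '}'):
            continue
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            avs[current] = []
        elif current is not None:
            avs[current].append(line)
    return avs


def gen_headers(classes, avs, kernel: bool) -> Dict[str, str]:
    """Emit the four headers. With kernel=True a userspace class still
    occupies its value but gets no SECCLASS_ define, no permissions and an
    S_("null") entry in class_to_string.h (assumed hole marker)."""
    flask, c2s, avperm, avp2s = [], [], [], []
    for value, (name, userspace) in enumerate(classes, start=1):
        if kernel and userspace:
            c2s.append('    S_("null")')   # hole keeps later values aligned
            continue
        uname = name.upper()
        flask.append('#define SECCLASS_%s %d' % (uname, value))
        c2s.append('    S_("%s")' % name)
        for bit, perm in enumerate(avs.get(name, [])):
            avperm.append('#define %s__%s 0x%08xUL' % (uname, perm.upper(), 1 << bit))
            avp2s.append('    S_(SECCLASS_%s, %s__%s, "%s")'
                         % (uname, uname, perm.upper(), perm))
    return {'flask.h': '\n'.join(flask) + '\n',
            'class_to_string.h': '\n'.join(c2s) + '\n',
            'av_permissions.h': '\n'.join(avperm) + '\n',
            'av_perm_to_string.h': '\n'.join(avp2s) + '\n'}


def generate(kernel: bool) -> Dict[str, str]:
    """Build one header set from the constructed samples above."""
    return gen_headers(parse_security_classes(SECURITY_CLASSES),
                       parse_access_vectors(ACCESS_VECTORS), kernel)


if __name__ == '__main__':
    for target in ('kernel', 'libselinux'):
        for fname, body in generate(kernel=(target == 'kernel')).items():
            print('==== %s/%s ====\n%s' % (target, fname, body), end='')
```

Running it prints both sets side by side: SECCLASS_DIR is 3 in both, the kernel flask.h has no SECCLASS_PASSWD and no PASSWD__* bits, and the second class_to_string.h slot reads S_("null") for the kernel but S_("passwd") for libselinux. Kernel-side validation that walks class_to_string.h then only has to skip the "null" entries rather than knowing anything about userspace classes.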

Change History

11/14/06 08:15:17 changed by pebenito

  • description changed.

12/12/06 13:18:58 changed by ccase

  • status changed from new to assigned.

02/06/07 10:13:38 changed by ccase

The new header generation is complete. Please review.

Caleb

04/02/07 08:07:57 changed by pebenito

  • status changed from assigned to closed.
  • resolution set to fixed.