Lines Matching defs:policy
15 * Added conditional policy language extensions
20 * Added support for the policy capability bitmap
32 * Added support for runtime switching of the policy type
129 pr_info("SELinux: Class %s not defined in policy.\n",
148 pr_info("SELinux: Permission %s in class %s not defined in policy.\n",
173 * Get real, policy values from mapped values
185 * Get kernel value for class from its policy value
241 struct selinux_policy *policy;
247 policy = rcu_dereference(selinux_state.policy);
248 mls_enabled = policy->policydb.mls_enabled;
678 * the MLS policy).
716 static int security_validtrans_handle_fail(struct selinux_policy *policy,
722 struct policydb *p = &policy->policydb;
723 struct sidtab *sidtab = policy->sidtab;
750 struct selinux_policy *policy;
767 policy = rcu_dereference(selinux_state.policy);
768 policydb = &policy->policydb;
769 sidtab = policy->sidtab;
772 tclass = unmap_class(&policy->map, orig_tclass);
814 rc = security_validtrans_handle_fail(policy,
854 struct selinux_policy *policy;
866 policy = rcu_dereference(selinux_state.policy);
867 policydb = &policy->policydb;
868 sidtab = policy->sidtab;
934 static void avd_init(struct selinux_policy *policy, struct av_decision *avd)
939 if (policy)
940 avd->seqno = policy->latest_granting;
1006 struct selinux_policy *policy;
1027 policy = rcu_dereference(selinux_state.policy);
1028 policydb = &policy->policydb;
1029 sidtab = policy->sidtab;
1045 tclass = unmap_class(&policy->map, orig_tclass);
1101 struct selinux_policy *policy;
1108 policy = rcu_dereference(selinux_state.policy);
1109 avd_init(policy, avd);
1114 policydb = &policy->policydb;
1115 sidtab = policy->sidtab;
1135 tclass = unmap_class(&policy->map, orig_tclass);
1143 map_decision(&policy->map, orig_tclass, avd,
1158 struct selinux_policy *policy;
1164 policy = rcu_dereference(selinux_state.policy);
1165 avd_init(policy, avd);
1169 policydb = &policy->policydb;
1170 sidtab = policy->sidtab;
1284 struct selinux_policy *policy;
1294 policy = rcu_dereference(selinux_state.policy);
1295 rc = sidtab_hash_stats(policy->sidtab, page);
1312 struct selinux_policy *policy;
1343 policy = rcu_dereference(selinux_state.policy);
1344 policydb = &policy->policydb;
1345 sidtab = policy->sidtab;
1401 * context is invalid in the current policy. Set @scontext to point to
1497 struct selinux_policy *policy;
1538 policy = rcu_dereference(selinux_state.policy);
1539 policydb = &policy->policydb;
1540 sidtab = policy->sidtab;
1627 struct selinux_policy *policy,
1633 struct policydb *policydb = &policy->policydb;
1634 struct sidtab *sidtab = policy->sidtab;
1702 struct selinux_policy *policy;
1732 policy = rcu_dereference(selinux_state.policy);
1735 tclass = unmap_class(&policy->map, orig_tclass);
1739 sock = security_is_socket_class(map_class(&policy->map,
1743 policydb = &policy->policydb;
1744 sidtab = policy->sidtab;
1864 rc = compute_sid_handle_invalid_context(policy, sentry,
1985 * specified in the policy @args->oldp to the values specified in the policy
1987 * context is valid under the new policy.
2063 * Switching between non-MLS and MLS policy:
2103 static void security_load_policycaps(struct selinux_policy *policy)
2109 p = &policy->policydb;
2116 pr_info("SELinux: policy capability %s=%d\n",
2122 pr_info("SELinux: unknown policy capability %u\n",
2130 static void selinux_policy_free(struct selinux_policy *policy)
2132 if (!policy)
2135 sidtab_destroy(policy->sidtab);
2136 kfree(policy->map.mapping);
2137 policydb_destroy(&policy->policydb);
2138 kfree(policy->sidtab);
2139 kfree(policy);
2142 static void selinux_policy_cond_free(struct selinux_policy *policy)
2144 cond_policydb_destroy_dup(&policy->policydb);
2145 kfree(policy);
2153 oldpolicy = rcu_dereference_protected(state->policy,
2157 selinux_policy_free(load_state->policy);
2163 /* Flush external caches and notify userspace of policy load */
2175 struct selinux_policy *oldpolicy, *newpolicy = load_state->policy;
2179 oldpolicy = rcu_dereference_protected(state->policy,
2182 /* If switching between different policy types, log MLS status */
2190 /* Set latest granting seqno for new policy. */
2197 /* Install the new policy. */
2200 rcu_assign_pointer(state->policy, newpolicy);
2203 rcu_assign_pointer(state->policy, newpolicy);
2206 /* Load the policycaps from the new policy */
2211 * After first policy load, the security server is
2213 * any objects created prior to policy load are then labeled.
2219 /* Free the old policy */
2224 /* Notify others of the policy change */
2229 * security_load_policy - Load a security policy configuration.
2230 * @data: binary policy data
2232 * @load_state: policy load state
2234 * Load a new set of security policy configuration data,
2237 * loading the new policy.
2275 /* First policy load, so no need to preserve state from old policy */
2276 load_state->policy = newpolicy;
2281 oldpolicy = rcu_dereference_protected(state->policy,
2284 /* Preserve active boolean values from the old policy */
2316 load_state->policy = newpolicy;
2348 * must retry the operation after re-acquiring the policy pointer!
2381 struct selinux_policy *policy;
2395 policy = rcu_dereference(selinux_state.policy);
2396 policydb = &policy->policydb;
2397 sidtab = policy->sidtab;
2433 struct selinux_policy *policy;
2447 policy = rcu_dereference(selinux_state.policy);
2448 policydb = &policy->policydb;
2449 sidtab = policy->sidtab;
2485 struct selinux_policy *policy;
2499 policy = rcu_dereference(selinux_state.policy);
2500 policydb = &policy->policydb;
2501 sidtab = policy->sidtab;
2537 struct selinux_policy *policy;
2551 policy = rcu_dereference(selinux_state.policy);
2552 policydb = &policy->policydb;
2553 sidtab = policy->sidtab;
2603 struct selinux_policy *policy;
2616 policy = rcu_dereference(selinux_state.policy);
2617 policydb = &policy->policydb;
2618 sidtab = policy->sidtab;
2697 struct selinux_policy *policy;
2721 policy = rcu_dereference(selinux_state.policy);
2722 policydb = &policy->policydb;
2723 sidtab = policy->sidtab;
2803 * @policy: policy
2814 * must retry the operation after re-acquiring the policy pointer!
2816 static inline int __security_genfs_sid(struct selinux_policy *policy,
2822 struct policydb *policydb = &policy->policydb;
2823 struct sidtab *sidtab = policy->sidtab;
2832 sclass = unmap_class(&policy->map, orig_sclass);
2872 struct selinux_policy *policy;
2882 policy = rcu_dereference(selinux_state.policy);
2883 retval = __security_genfs_sid(policy, fstype, path,
2890 int selinux_policy_genfs_sid(struct selinux_policy *policy,
2896 /* no lock required, policy is not yet accessible by other threads */
2897 return __security_genfs_sid(policy, fstype, path, orig_sclass, sid);
2906 struct selinux_policy *policy;
2922 policy = rcu_dereference(selinux_state.policy);
2923 policydb = &policy->policydb;
2924 sidtab = policy->sidtab;
2943 rc = __security_genfs_sid(policy, fstype, "/",
2962 int security_get_bools(struct selinux_policy *policy,
2969 policydb = &policy->policydb;
3025 oldpolicy = rcu_dereference_protected(state->policy,
3067 /* Set latest granting seqno for new policy */
3071 /* Install the new policy */
3072 rcu_assign_pointer(state->policy, newpolicy);
3076 * that were copied for the new policy, and the oldpolicy
3082 /* Notify others of the policy change */
3089 struct selinux_policy *policy;
3098 policy = rcu_dereference(selinux_state.policy);
3099 policydb = &policy->policydb;
3147 struct selinux_policy *policy;
3167 policy = rcu_dereference(selinux_state.policy);
3168 policydb = &policy->policydb;
3169 sidtab = policy->sidtab;
3258 struct selinux_policy *policy;
3286 policy = rcu_dereference(selinux_state.policy);
3287 policydb = &policy->policydb;
3288 sidtab = policy->sidtab;
3342 int security_get_classes(struct selinux_policy *policy,
3348 policydb = &policy->policydb;
3383 int security_get_permissions(struct selinux_policy *policy,
3391 policydb = &policy->policydb;
3431 struct selinux_policy *policy;
3438 policy = rcu_dereference(selinux_state.policy);
3439 value = policy->policydb.reject_unknown;
3446 struct selinux_policy *policy;
3453 policy = rcu_dereference(selinux_state.policy);
3454 value = policy->policydb.allow_unknown;
3460 * security_policycap_supported - Check for a specific policy capability
3464 * This function queries the currently loaded policy to see if it supports the
3471 struct selinux_policy *policy;
3478 policy = rcu_dereference(selinux_state.policy);
3479 rc = ebitmap_get_bit(&policy->policydb.policycaps, req_cap);
3504 struct selinux_policy *policy;
3548 policy = rcu_dereference(state->policy);
3549 policydb = &policy->policydb;
3550 tmprule->au_seqno = policy->latest_granting;
3629 struct selinux_policy *policy;
3645 policy = rcu_dereference(state->policy);
3647 if (rule->au_seqno < policy->latest_granting) {
3652 ctxt = sidtab_search(policy->sidtab, sid);
3809 struct selinux_policy *policy;
3824 policy = rcu_dereference(selinux_state.policy);
3825 policydb = &policy->policydb;
3826 sidtab = policy->sidtab;
3884 struct selinux_policy *policy;
3893 policy = rcu_dereference(selinux_state.policy);
3894 policydb = &policy->policydb;
3897 ctx = sidtab_search(policy->sidtab, sid);
3918 * __security_read_policy - read the policy.
3919 * @policy: SELinux policy
3920 * @data: binary policy data
3924 static int __security_read_policy(struct selinux_policy *policy,
3933 rc = policydb_write(&policy->policydb, &fp);
3942 * security_read_policy - read the policy.
3943 * @data: binary policy data
3950 struct selinux_policy *policy;
3952 policy = rcu_dereference_protected(
3953 state->policy, lockdep_is_held(&state->policy_mutex));
3954 if (!policy)
3957 *len = policy->policydb.len;
3962 return __security_read_policy(policy, *data, len);
3966 * security_read_state_kernel - read the policy.
3967 * @data: binary policy data
3970 * Allocates kernel memory for reading SELinux policy.
3980 struct selinux_policy *policy;
3982 policy = rcu_dereference_protected(
3983 state->policy, lockdep_is_held(&state->policy_mutex));
3984 if (!policy)
3987 *len = policy->policydb.len;
3992 err = __security_read_policy(policy, *data, len);