[PATCH] SELINUX: add policyvers to selinuxfs

From: James Morris <jmorris@redhat.com>

This patch adds a file to the root selinuxfs directory which returns the
security policy version associated with the currently running kernel.  Its
purpose is to allow scripts to determine which version of policy to load.

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 15b92012851e9a01ccf384f041e4957f14f068af..3d595091dba0bfba1e7f6667e18bab09f077238c 100644 (file)
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -13,6 +13,7 @@
 #define SECCLASS_NULL                  0x0000 /* no class */
 
 #define SELINUX_MAGIC 0xf97cff8c
+#define POLICYDB_VERSION 15
 
 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 extern int selinux_enabled;

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 0c0ea83d04568f8241e40a87f54a1581d6351e6b..482513614d975abcbf75708ff233df9fe481897c 100644 (file)
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -37,7 +37,8 @@ enum sel_inos {
        SEL_ACCESS,     /* compute access decision */
        SEL_CREATE,     /* compute create labeling decision */
        SEL_RELABEL,    /* compute relabeling decision */
-       SEL_USER        /* compute reachable user contexts */
+       SEL_USER,       /* compute reachable user contexts */
+       SEL_POLICYVERS  /* return policy version for this kernel */
 };
 
 static ssize_t sel_read_enforce(struct file *filp, char *buf,
@@ -125,6 +126,46 @@ static struct file_operations sel_enforce_ops = {
        .write          = sel_write_enforce,
 };
 
+static ssize_t sel_read_policyvers(struct file *filp, char *buf,
+                                   size_t count, loff_t *ppos)
+{
+       char *page;
+       ssize_t length;
+       ssize_t end;
+
+       if (count < 0 || count > PAGE_SIZE)
+               return -EINVAL;
+       if (!(page = (char*)__get_free_page(GFP_KERNEL)))
+               return -ENOMEM;
+       memset(page, 0, PAGE_SIZE);
+
+       length = snprintf(page, PAGE_SIZE, "%u", POLICYDB_VERSION);
+       if (length < 0) {
+               free_page((unsigned long)page);
+               return length;
+       }
+
+       if (*ppos >= length) {
+               free_page((unsigned long)page);
+               return 0;
+       }
+       if (count + *ppos > length)
+               count = length - *ppos;
+       end = count + *ppos;
+       if (copy_to_user(buf, (char *) page + *ppos, count)) {
+               count = -EFAULT;
+               goto out;
+       }
+       *ppos = end;
+out:
+       free_page((unsigned long)page);
+       return count;
+}
+
+static struct file_operations sel_policyvers_ops = {
+       .read           = sel_read_policyvers,
+};
+
 static ssize_t sel_write_load(struct file * file, const char * buf,
                              size_t count, loff_t *ppos)
 
@@ -568,6 +609,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
                [SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO},
                [SEL_RELABEL] = {"relabel", &transaction_ops, S_IRUGO|S_IWUGO},
                [SEL_USER] = {"user", &transaction_ops, S_IRUGO|S_IWUGO},
+               [SEL_POLICYVERS] = {"policyvers", &sel_policyvers_ops, S_IRUGO},
                /* last one */ {""}
        };
        return simple_fill_super(sb, SELINUX_MAGIC, selinux_files);

diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index b6c2a4ea9e82bb9a9379581cc652eacd22276b38..9e4394b1332fe26e727091cc3d595bd2f319654e 100644 (file)
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -225,7 +225,6 @@ extern int policydb_read(struct policydb *p, void *fp);
 
 #define PERM_SYMTAB_SIZE 32
 
-#define POLICYDB_VERSION 15
 #define POLICYDB_CONFIG_MLS    1
 
 #define OBJECT_R "object_r"