mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-23 14:32:08 +00:00
01723ac2ce
Currently the packet class in SELinux is not checked if there are no SECMARK rules in the security or mangle netfilter tables. Similarly, the peer class is not checked if there is no NetLabel or labeled IPSEC. Some systems prefer that these classes are always checked, for example, to protect the system should the netfilter rules fail to load or if the nefilter rules were maliciously flushed. Add the always_check_network policy capability which, when enabled, treats these mechanisms as enabled, even if there are no labeling rules. Signed-off-by: Chris PeBenito <cpebenito@tresys.com> Signed-off-by: Eric Paris <eparis@redhat.com>
36 lines
789 B
C
36 lines
789 B
C
/*
|
|
* Policy capability support functions
|
|
*/
|
|
|
|
#include <string.h>
|
|
#include <sepol/policydb/polcaps.h>
|
|
|
|
static const char *polcap_names[] = {
|
|
"network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */
|
|
"open_perms", /* POLICYDB_CAPABILITY_OPENPERM */
|
|
"redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
|
|
"always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */
|
|
NULL
|
|
};
|
|
|
|
int sepol_polcap_getnum(const char *name)
|
|
{
|
|
int capnum;
|
|
|
|
for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) {
|
|
if (polcap_names[capnum] == NULL)
|
|
continue;
|
|
if (strcasecmp(polcap_names[capnum], name) == 0)
|
|
return capnum;
|
|
}
|
|
return -1;
|
|
}
|
|
|
|
const char *sepol_polcap_getname(int capnum)
|
|
{
|
|
if (capnum > POLICYDB_CAPABILITY_MAX)
|
|
return NULL;
|
|
|
|
return polcap_names[capnum];
|
|
}
|