pub struct PermissionCheck<'a> { /* private fields */ }
Expand description
Implements the has_permission()
API, based on supplied SecurityServer
and
AccessVectorCache
implementations.
Implementations§
Source§impl<'a> PermissionCheck<'a>
impl<'a> PermissionCheck<'a>
Sourcepub fn has_permission<P: ClassPermission + Into<KernelPermission> + Clone + 'static>(
&self,
source_sid: SecurityId,
target_sid: SecurityId,
permission: P,
) -> PermissionCheckResult
pub fn has_permission<P: ClassPermission + Into<KernelPermission> + Clone + 'static>( &self, source_sid: SecurityId, target_sid: SecurityId, permission: P, ) -> PermissionCheckResult
Returns whether the source_sid
has the specified permission
on target_sid
.
The result indicates both whether permission
is permit
ted, and whether the caller
should audit
log the query.
Sourcepub fn has_extended_permission<P: ClassPermission + Into<KernelPermission> + Clone + 'static>(
&self,
xperms_kind: XpermsKind,
source_sid: SecurityId,
target_sid: SecurityId,
permission: P,
xperm: u16,
) -> PermissionCheckResult
pub fn has_extended_permission<P: ClassPermission + Into<KernelPermission> + Clone + 'static>( &self, xperms_kind: XpermsKind, source_sid: SecurityId, target_sid: SecurityId, permission: P, xperm: u16, ) -> PermissionCheckResult
Returns whether the source_sid
has both a base permission (i.e. ioctl
or nlmsg
) and
the specified extended permission on target_sid
, and whether the decision should be
audited.
A request is allowed if the base permission is allow
ed and either the numeric extended
permission of this xperms_kind
is included in an allowxperm
statement, or extended
permissions of this kind are not filtered for this domain.
A granted request is audited if the base permission is auditallow
and the extended
permission is auditallowxperm
.
A denied request is audited if the base permission is dontaudit
or the extended
permission is dontauditxperm
.
pub fn security_server(&self) -> &SecurityServer
Sourcepub fn compute_new_fs_node_sid(
&self,
source_sid: SecurityId,
target_sid: SecurityId,
fs_node_class: FsNodeClass,
fs_node_name: NullessByteStr<'_>,
) -> Result<SecurityId, Error>
pub fn compute_new_fs_node_sid( &self, source_sid: SecurityId, target_sid: SecurityId, fs_node_class: FsNodeClass, fs_node_name: NullessByteStr<'_>, ) -> Result<SecurityId, Error>
Returns the SID with which to label a new file_class
instance created by subject_sid
, with target_sid
as its parent, taking into account role & type transition rules, and filename-transition rules.
If a filename-transition rule matches the fs_node_name
then that will be used, otherwise the
filename-independent computation will be applied.
Sourcepub fn compute_access_decision(
&self,
source_sid: SecurityId,
target_sid: SecurityId,
target_class: ObjectClass,
) -> AccessDecision
pub fn compute_access_decision( &self, source_sid: SecurityId, target_sid: SecurityId, target_class: ObjectClass, ) -> AccessDecision
Returns the raw AccessDecision
for a specified source, target and class.
Auto Trait Implementations§
impl<'a> Freeze for PermissionCheck<'a>
impl<'a> !RefUnwindSafe for PermissionCheck<'a>
impl<'a> Send for PermissionCheck<'a>
impl<'a> Sync for PermissionCheck<'a>
impl<'a> Unpin for PermissionCheck<'a>
impl<'a> !UnwindSafe for PermissionCheck<'a>
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
§impl<T, D> Encode<Ambiguous1, D> for Twhere
D: ResourceDialect,
impl<T, D> Encode<Ambiguous1, D> for Twhere
D: ResourceDialect,
§impl<T, D> Encode<Ambiguous2, D> for Twhere
D: ResourceDialect,
impl<T, D> Encode<Ambiguous2, D> for Twhere
D: ResourceDialect,
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
self
into a Left
variant of Either<Self, Self>
if into_left
is true
.
Converts self
into a Right
variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
self
into a Left
variant of Either<Self, Self>
if into_left(&self)
returns true
.
Converts self
into a Right
variant of Either<Self, Self>
otherwise. Read more