selinux::policy

Struct Policy

Source 
pub struct Policy<PS: ParseStrategy>(/* private fields */);

Implementations§

Source§

impl<PS: ParseStrategy> Policy<PS>

Source

pub fn policy_version(&self) -> u32

The policy version stored in the underlying binary policy.

Source

pub fn handle_unknown(&self) -> HandleUnknown

The way “unknown” policy decisions should be handed according to the underlying binary policy.

Source

pub fn conditional_booleans<'a>(&'a self) -> Vec<(&'a [u8], bool)>

Source

pub fn classes<'a>(&'a self) -> Vec<ClassInfo<'a>>

The set of class names and their respective class identifiers.

Source

pub fn find_class_permissions_by_name( &self, class_name: &str, ) -> Result<Vec<(ClassPermissionId, Vec<u8>)>, ()>

Returns the set of permissions for the given class, including both the explicitly owned permissions and the inherited ones from common symbols. Each permission is a tuple of the permission identifier (in the scope of the given class) and the permission name.

Source

pub fn fs_use_label_and_type( &self, fs_type: NullessByteStr<'_>, ) -> Option<FsUseLabelAndType>

If there is an fs_use statement for the given filesystem type, returns the associated SecurityContext and FsUseType.

Source

pub fn genfscon_label_for_fs_and_path( &self, fs_type: NullessByteStr<'_>, node_path: NullessByteStr<'_>, class_id: Option<ClassId>, ) -> Option<SecurityContext>

If there is a genfscon statement for the given filesystem type, returns the associated SecurityContext.

Source

pub fn initial_context(&self, id: InitialSid) -> SecurityContext

Returns the SecurityContext defined by this policy for the specified well-known (or “initial”) Id.

Source

pub fn parse_security_context( &self, security_context: NullessByteStr<'_>, ) -> Result<SecurityContext, SecurityContextError>

Returns a SecurityContext with fields parsed from the supplied Security Context string.

Source

pub fn validate_security_context( &self, security_context: &SecurityContext, ) -> Result<(), SecurityContextError>

Validates a SecurityContext against this policy’s constraints.

Source

pub fn serialize_security_context( &self, security_context: &SecurityContext, ) -> Vec<u8>

Returns a byte string describing the supplied SecurityContext.

Source

pub fn new_file_security_context( &self, source: &SecurityContext, target: &SecurityContext, class: &FsNodeClass, ) -> SecurityContext

Returns the security context that should be applied to a newly created file-like SELinux object according to source and target security contexts, as well as the new object’s class. This context should be used only if no filename-transition match is found, via [new_file_security_context_by_name()].

Source

pub fn new_file_security_context_by_name( &self, source: &SecurityContext, target: &SecurityContext, class: &FsNodeClass, name: NullessByteStr<'_>, ) -> Option<SecurityContext>

Returns the security context that should be applied to a newly created file-like SELinux object according to source and target security contexts, as well as the new object’s class and name. If no filename-transition rule matches the supplied arguments then None is returned, and the caller should fall-back to filename-independent labeling via [new_file_security_context()]

Source

pub fn new_security_context( &self, source: &SecurityContext, target: &SecurityContext, class: &KernelClass, ) -> SecurityContext

Returns the security context that should be applied to a newly created SELinux object according to source and target security contexts, as well as the new object’s class. Defaults to the source security context if the policy does not specify transitions or defaults for the source, target or class components.

Returns an error if the security context for such an object is not well-defined by this Policy.

Source

pub fn compute_access_decision( &self, source_context: &SecurityContext, target_context: &SecurityContext, object_class: &KernelClass, ) -> AccessDecision

Computes the access vector that associates type source_type_name and target_type_name via an explicit allow [...]; statement in the binary policy, subject to any matching constraint statements. Computes AccessVector::NONE if no such statement exists.

Access decisions are currently based on explicit “allow” rules and “constrain” or “mlsconstrain” statements. A permission is allowed if it is allowed by an explicit “allow”, and if in addition, all matching constraints are satisfied.

Source

pub fn compute_access_decision_custom( &self, source_context: &SecurityContext, target_context: &SecurityContext, target_class_name: &str, ) -> AccessDecision

Computes the access vector that associates type source_type_name and target_type_name via an explicit allow [...]; statement in the binary policy, subject to any matching constraint statements. Computes AccessVector::NONE if no such statement exists. This is the “custom” form of this API because target_class_name is associated with a crate::ObjectClass::Custom value.

Source

pub fn compute_ioctl_access_decision( &self, source_context: &SecurityContext, target_context: &SecurityContext, object_class: &KernelClass, ioctl_prefix: u8, ) -> IoctlAccessDecision

Computes the ioctl extended permissions that should be allowed, audited when allowed, and audited when denied, for a given source context, target context, target class, and ioctl prefix byte.

Source

pub fn compute_ioctl_access_decision_custom( &self, source_context: &SecurityContext, target_context: &SecurityContext, target_class_name: &str, ioctl_prefix: u8, ) -> IoctlAccessDecision

Computes the ioctl extended permissions that should be allowed, audited when allowed, and audited when denied, for a given source context, target context, target_class, and ioctl prefix byte. This is the “custom” form of this API because target_class_name is associated with a crate::ObjectClass::Custom value.

Source

pub fn is_bounded_by(&self, bounded_type: TypeId, parent_type: TypeId) -> bool

Source

pub fn is_permissive(&self, type_: TypeId) -> bool

Returns true if the policy has the marked the type/domain for permissive checks.

Trait Implementations§

Source§

impl<PS: ParseStrategy> AccessVectorComputer for Policy<PS>

Source§

fn access_vector_from_permissions<P: ClassPermission + Into<KernelPermission> + Clone + 'static>( &self, permissions: &[P], ) -> Option<AccessVector>

Returns an AccessVector containing the supplied kernel permissions. Read more
Source§

impl<PS: Debug + ParseStrategy> Debug for Policy<PS>

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

§

impl<PS> Freeze for Policy<PS>
where <PS as ParseStrategy>::Output<Magic>: Freeze, <PS as ParseStrategy>::Output<PolicyVersion>: Freeze, <PS as ParseStrategy>::Output<Counts>: Freeze, <PS as ParseStrategy>::Output<U32<LittleEndian>>: Freeze, <PS as ParseStrategy>::Output<SignatureMetadata>: Freeze, <PS as ParseStrategy>::Slice<u8>: Freeze, <PS as ParseStrategy>::Output<Metadata>: Freeze, <PS as ParseStrategy>::Slice<MapItem>: Freeze, <PS as ParseStrategy>::Output<Metadata>: Freeze, <PS as ParseStrategy>::Slice<RoleTransition>: Freeze, <PS as ParseStrategy>::Slice<RoleAllow>: Freeze,

§

impl<PS> RefUnwindSafe for Policy<PS>
where <PS as ParseStrategy>::Output<Magic>: RefUnwindSafe, <PS as ParseStrategy>::Output<PolicyVersion>: RefUnwindSafe, <PS as ParseStrategy>::Output<Counts>: RefUnwindSafe, <PS as ParseStrategy>::Output<U32<LittleEndian>>: RefUnwindSafe, <PS as ParseStrategy>::Output<SignatureMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Slice<u8>: RefUnwindSafe, <PS as ParseStrategy>::Output<Metadata>: RefUnwindSafe, <PS as ParseStrategy>::Slice<MapItem>: RefUnwindSafe, <PS as ParseStrategy>::Output<Metadata>: RefUnwindSafe, PS: RefUnwindSafe, <PS as ParseStrategy>::Slice<RoleTransition>: RefUnwindSafe, <PS as ParseStrategy>::Slice<RoleAllow>: RefUnwindSafe, <PS as ParseStrategy>::Output<AccessVectorRuleMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<PortMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<[U32<LittleEndian>; 4]>: RefUnwindSafe, <PS as ParseStrategy>::Output<RangeTransitionMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<ClassDefaults>: RefUnwindSafe, <PS as ParseStrategy>::Output<DeprecatedFilenameTransitionMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<ContextMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<FsUseMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<TypeMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<ConditionalBooleanMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<CategoryMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<ConditionalNodeMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Slice<ConditionalNodeDatum>: RefUnwindSafe, <PS as ParseStrategy>::Output<InfinitiBandEndPortMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<ClassValidateTransitionsCount>: RefUnwindSafe, <PS as ParseStrategy>::Output<RoleStaticMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<UserMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<SensitivityStaticMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<CommonSymbolStaticMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<PermissionMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<ConstraintTermMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<ClassMetadata>: RefUnwindSafe, <PS as ParseStrategy>::Output<ConstraintTermCount>: RefUnwindSafe,

§

impl<PS> Send for Policy<PS>
where <PS as ParseStrategy>::Output<Magic>: Send, <PS as ParseStrategy>::Output<PolicyVersion>: Send, <PS as ParseStrategy>::Output<Counts>: Send, <PS as ParseStrategy>::Output<U32<LittleEndian>>: Send, <PS as ParseStrategy>::Output<SignatureMetadata>: Send, <PS as ParseStrategy>::Slice<u8>: Send, <PS as ParseStrategy>::Output<Metadata>: Send, <PS as ParseStrategy>::Slice<MapItem>: Send, <PS as ParseStrategy>::Output<Metadata>: Send, PS: Send, <PS as ParseStrategy>::Slice<RoleTransition>: Send, <PS as ParseStrategy>::Slice<RoleAllow>: Send, <PS as ParseStrategy>::Output<AccessVectorRuleMetadata>: Send, <PS as ParseStrategy>::Output<PortMetadata>: Send, <PS as ParseStrategy>::Output<[U32<LittleEndian>; 4]>: Send, <PS as ParseStrategy>::Output<RangeTransitionMetadata>: Send, <PS as ParseStrategy>::Output<ClassDefaults>: Send, <PS as ParseStrategy>::Output<DeprecatedFilenameTransitionMetadata>: Send, <PS as ParseStrategy>::Output<ContextMetadata>: Send, <PS as ParseStrategy>::Output<FsUseMetadata>: Send, <PS as ParseStrategy>::Output<TypeMetadata>: Send, <PS as ParseStrategy>::Output<ConditionalBooleanMetadata>: Send, <PS as ParseStrategy>::Output<CategoryMetadata>: Send, <PS as ParseStrategy>::Output<ConditionalNodeMetadata>: Send, <PS as ParseStrategy>::Slice<ConditionalNodeDatum>: Send, <PS as ParseStrategy>::Output<InfinitiBandEndPortMetadata>: Send, <PS as ParseStrategy>::Output<ClassValidateTransitionsCount>: Send, <PS as ParseStrategy>::Output<RoleStaticMetadata>: Send, <PS as ParseStrategy>::Output<UserMetadata>: Send, <PS as ParseStrategy>::Output<SensitivityStaticMetadata>: Send, <PS as ParseStrategy>::Output<CommonSymbolStaticMetadata>: Send, <PS as ParseStrategy>::Output<PermissionMetadata>: Send, <PS as ParseStrategy>::Output<ConstraintTermMetadata>: Send, <PS as ParseStrategy>::Output<ClassMetadata>: Send, <PS as ParseStrategy>::Output<ConstraintTermCount>: Send,

§

impl<PS> Sync for Policy<PS>
where <PS as ParseStrategy>::Output<Magic>: Sync, <PS as ParseStrategy>::Output<PolicyVersion>: Sync, <PS as ParseStrategy>::Output<Counts>: Sync, <PS as ParseStrategy>::Output<U32<LittleEndian>>: Sync, <PS as ParseStrategy>::Output<SignatureMetadata>: Sync, <PS as ParseStrategy>::Slice<u8>: Sync, <PS as ParseStrategy>::Output<Metadata>: Sync, <PS as ParseStrategy>::Slice<MapItem>: Sync, <PS as ParseStrategy>::Output<Metadata>: Sync, PS: Sync, <PS as ParseStrategy>::Slice<RoleTransition>: Sync, <PS as ParseStrategy>::Slice<RoleAllow>: Sync, <PS as ParseStrategy>::Output<AccessVectorRuleMetadata>: Sync, <PS as ParseStrategy>::Output<PortMetadata>: Sync, <PS as ParseStrategy>::Output<[U32<LittleEndian>; 4]>: Sync, <PS as ParseStrategy>::Output<RangeTransitionMetadata>: Sync, <PS as ParseStrategy>::Output<ClassDefaults>: Sync, <PS as ParseStrategy>::Output<DeprecatedFilenameTransitionMetadata>: Sync, <PS as ParseStrategy>::Output<ContextMetadata>: Sync, <PS as ParseStrategy>::Output<FsUseMetadata>: Sync, <PS as ParseStrategy>::Output<TypeMetadata>: Sync, <PS as ParseStrategy>::Output<ConditionalBooleanMetadata>: Sync, <PS as ParseStrategy>::Output<CategoryMetadata>: Sync, <PS as ParseStrategy>::Output<ConditionalNodeMetadata>: Sync, <PS as ParseStrategy>::Slice<ConditionalNodeDatum>: Sync, <PS as ParseStrategy>::Output<InfinitiBandEndPortMetadata>: Sync, <PS as ParseStrategy>::Output<ClassValidateTransitionsCount>: Sync, <PS as ParseStrategy>::Output<RoleStaticMetadata>: Sync, <PS as ParseStrategy>::Output<UserMetadata>: Sync, <PS as ParseStrategy>::Output<SensitivityStaticMetadata>: Sync, <PS as ParseStrategy>::Output<CommonSymbolStaticMetadata>: Sync, <PS as ParseStrategy>::Output<PermissionMetadata>: Sync, <PS as ParseStrategy>::Output<ConstraintTermMetadata>: Sync, <PS as ParseStrategy>::Output<ClassMetadata>: Sync, <PS as ParseStrategy>::Output<ConstraintTermCount>: Sync,

§

impl<PS> Unpin for Policy<PS>
where <PS as ParseStrategy>::Output<Magic>: Unpin, <PS as ParseStrategy>::Output<PolicyVersion>: Unpin, <PS as ParseStrategy>::Output<Counts>: Unpin, <PS as ParseStrategy>::Output<U32<LittleEndian>>: Unpin, <PS as ParseStrategy>::Output<SignatureMetadata>: Unpin, <PS as ParseStrategy>::Slice<u8>: Unpin, <PS as ParseStrategy>::Output<Metadata>: Unpin, <PS as ParseStrategy>::Slice<MapItem>: Unpin, <PS as ParseStrategy>::Output<Metadata>: Unpin, PS: Unpin, <PS as ParseStrategy>::Slice<RoleTransition>: Unpin, <PS as ParseStrategy>::Slice<RoleAllow>: Unpin, <PS as ParseStrategy>::Output<AccessVectorRuleMetadata>: Unpin, <PS as ParseStrategy>::Output<PortMetadata>: Unpin, <PS as ParseStrategy>::Output<[U32<LittleEndian>; 4]>: Unpin, <PS as ParseStrategy>::Output<RangeTransitionMetadata>: Unpin, <PS as ParseStrategy>::Output<ClassDefaults>: Unpin, <PS as ParseStrategy>::Output<DeprecatedFilenameTransitionMetadata>: Unpin, <PS as ParseStrategy>::Output<ContextMetadata>: Unpin, <PS as ParseStrategy>::Output<FsUseMetadata>: Unpin, <PS as ParseStrategy>::Output<TypeMetadata>: Unpin, <PS as ParseStrategy>::Output<ConditionalBooleanMetadata>: Unpin, <PS as ParseStrategy>::Output<CategoryMetadata>: Unpin, <PS as ParseStrategy>::Output<ConditionalNodeMetadata>: Unpin, <PS as ParseStrategy>::Slice<ConditionalNodeDatum>: Unpin, <PS as ParseStrategy>::Output<InfinitiBandEndPortMetadata>: Unpin, <PS as ParseStrategy>::Output<ClassValidateTransitionsCount>: Unpin, <PS as ParseStrategy>::Output<RoleStaticMetadata>: Unpin, <PS as ParseStrategy>::Output<UserMetadata>: Unpin, <PS as ParseStrategy>::Output<SensitivityStaticMetadata>: Unpin, <PS as ParseStrategy>::Output<CommonSymbolStaticMetadata>: Unpin, <PS as ParseStrategy>::Output<PermissionMetadata>: Unpin, <PS as ParseStrategy>::Output<ConstraintTermMetadata>: Unpin, <PS as ParseStrategy>::Output<ClassMetadata>: Unpin, <PS as ParseStrategy>::Output<ConstraintTermCount>: Unpin,

§

impl<PS> UnwindSafe for Policy<PS>
where <PS as ParseStrategy>::Output<Magic>: UnwindSafe, <PS as ParseStrategy>::Output<PolicyVersion>: UnwindSafe, <PS as ParseStrategy>::Output<Counts>: UnwindSafe, <PS as ParseStrategy>::Output<U32<LittleEndian>>: UnwindSafe, <PS as ParseStrategy>::Output<SignatureMetadata>: UnwindSafe, <PS as ParseStrategy>::Slice<u8>: UnwindSafe, <PS as ParseStrategy>::Output<Metadata>: UnwindSafe, <PS as ParseStrategy>::Slice<MapItem>: UnwindSafe, <PS as ParseStrategy>::Output<Metadata>: UnwindSafe, PS: UnwindSafe, <PS as ParseStrategy>::Slice<RoleTransition>: UnwindSafe, <PS as ParseStrategy>::Slice<RoleAllow>: UnwindSafe, <PS as ParseStrategy>::Output<AccessVectorRuleMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<PortMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<[U32<LittleEndian>; 4]>: UnwindSafe, <PS as ParseStrategy>::Output<RangeTransitionMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<ClassDefaults>: UnwindSafe, <PS as ParseStrategy>::Output<DeprecatedFilenameTransitionMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<ContextMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<FsUseMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<TypeMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<ConditionalBooleanMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<CategoryMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<ConditionalNodeMetadata>: UnwindSafe, <PS as ParseStrategy>::Slice<ConditionalNodeDatum>: UnwindSafe, <PS as ParseStrategy>::Output<InfinitiBandEndPortMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<ClassValidateTransitionsCount>: UnwindSafe, <PS as ParseStrategy>::Output<RoleStaticMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<UserMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<SensitivityStaticMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<CommonSymbolStaticMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<PermissionMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<ConstraintTermMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<ClassMetadata>: UnwindSafe, <PS as ParseStrategy>::Output<ConstraintTermCount>: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T, D> Encode<Ambiguous1, D> for T
where D: ResourceDialect,

Source§

unsafe fn encode( self, _encoder: &mut Encoder<'_, D>, _offset: usize, _depth: Depth, ) -> Result<(), Error>

Encodes the object into the encoder’s buffers. Any handles stored in the object are swapped for Handle::INVALID. Read more
Source§

impl<T, D> Encode<Ambiguous2, D> for T
where D: ResourceDialect,

Source§

unsafe fn encode( self, _encoder: &mut Encoder<'_, D>, _offset: usize, _depth: Depth, ) -> Result<(), Error>

Encodes the object into the encoder’s buffers. Any handles stored in the object are swapped for Handle::INVALID. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
§

impl<T> Pointable for T

§

const ALIGN: usize

The alignment of pointer.
§

type Init = T

The type for initializers.
§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<B, A> LockBefore<B> for A
where B: LockAfter<A>,

§

impl<B, A> LockEqualOrBefore<B> for A
where A: LockBefore<B>,