Struct selinux::security_server::SecurityServer
source · pub struct SecurityServer { /* private fields */ }
Implementations§
source§impl SecurityServer
impl SecurityServer
pub fn new(mode: Mode) -> Arc<Self>
sourcepub fn as_permission_check<'a>(self: &'a Arc<Self>) -> impl PermissionCheck + 'a
pub fn as_permission_check<'a>(self: &'a Arc<Self>) -> impl PermissionCheck + 'a
Converts a shared pointer to SecurityServer
to a PermissionCheck
without consuming
the pointer.
sourcepub fn security_context_to_sid(
&self,
security_context: &[u8]
) -> Result<SecurityId, Error>
pub fn security_context_to_sid( &self, security_context: &[u8] ) -> Result<SecurityId, Error>
Returns the security ID mapped to security_context
, creating it if it does not exist.
All objects with the same security context will have the same SID associated.
sourcepub fn sid_to_security_context(&self, sid: SecurityId) -> Option<Vec<u8>>
pub fn sid_to_security_context(&self, sid: SecurityId) -> Option<Vec<u8>>
Returns the Security Context string for the requested sid
.
This is used only where Contexts need to be stringified to expose to userspace, as
is the case for e.g. the /proc/*/attr/
filesystem.
sourcepub fn load_policy(&self, binary_policy: Vec<u8>) -> Result<(), Error>
pub fn load_policy(&self, binary_policy: Vec<u8>) -> Result<(), Error>
Applies the supplied policy to the security server.
sourcepub fn get_binary_policy(&self) -> Vec<u8> ⓘ
pub fn get_binary_policy(&self) -> Vec<u8> ⓘ
Returns the active policy in binary form.
sourcepub fn has_policy(&self) -> bool
pub fn has_policy(&self) -> bool
Returns true if a policy has been loaded.
sourcepub fn set_enforcing(&self, enforcing: bool)
pub fn set_enforcing(&self, enforcing: bool)
Set to enforcing mode if enforce
is true, permissive mode otherwise.
pub fn is_enforcing(&self) -> bool
sourcepub fn deny_unknown(&self) -> bool
pub fn deny_unknown(&self) -> bool
Returns true if the policy requires unknown class / permissions to be denied. Defaults to true until a policy is loaded.
sourcepub fn reject_unknown(&self) -> bool
pub fn reject_unknown(&self) -> bool
Returns true if the policy requires unknown class / permissions to be rejected. Defaults to false until a policy is loaded.
sourcepub fn conditional_booleans(&self) -> Vec<String>
pub fn conditional_booleans(&self) -> Vec<String>
Returns the list of names of boolean conditionals defined by the loaded policy.
sourcepub fn get_boolean(&self, name: &str) -> Result<(bool, bool), ()>
pub fn get_boolean(&self, name: &str) -> Result<(bool, bool), ()>
Returns the active and pending values of a policy boolean, if it exists.
sourcepub fn set_pending_boolean(&self, name: &str, value: bool) -> Result<(), ()>
pub fn set_pending_boolean(&self, name: &str, value: bool) -> Result<(), ()>
Sets the pending value of a boolean, if it is defined in the policy.
sourcepub fn commit_pending_booleans(&self)
pub fn commit_pending_booleans(&self)
Commits all pending changes to conditional booleans.
sourcepub fn compute_access_vector(
&self,
source_sid: SecurityId,
target_sid: SecurityId,
target_class: AbstractObjectClass
) -> AccessVector
pub fn compute_access_vector( &self, source_sid: SecurityId, target_sid: SecurityId, target_class: AbstractObjectClass ) -> AccessVector
Computes the precise access vector for source_sid
targeting target_sid
as class
target_class
.
TODO(http://b/305722921): Implement complete access decision logic. For now, the security
server abides by explicit allow [source] [target]:[class] [permissions..];
statements.
sourcepub fn compute_new_file_sid(
&self,
source_sid: SecurityId,
target_sid: SecurityId,
file_class: FileClass
) -> Result<SecurityId, Error>
pub fn compute_new_file_sid( &self, source_sid: SecurityId, target_sid: SecurityId, file_class: FileClass ) -> Result<SecurityId, Error>
Computes the appropriate security identifier (SID) for the security context of a file-like
object of class file_class
created by source_sid
targeting target_sid
.
pub fn compute_new_sid( &self, source_sid: SecurityId, target_sid: SecurityId, target_class: ObjectClass ) -> Result<SecurityId, Error>
sourcepub fn get_status_vmo(&self) -> Arc<Vmo>
pub fn get_status_vmo(&self) -> Arc<Vmo>
Returns a read-only VMO containing the SELinux “status” structure.
Returns a reference to the shared access vector cache that delebates cache misses to self
.
sourcepub fn new_thread_local_avc(&self) -> impl QueryMut
pub fn new_thread_local_avc(&self) -> impl QueryMut
Returns a newly constructed thread-local access vector cache that delegates cache misses to
any shared caches owned by self.avc_manager
, which ultimately delegate to self
. The
returned cache will be reset when this security server’s policy is reset.
pub fn is_fake(&self) -> bool
Trait Implementations§
source§impl AccessVectorComputer for SecurityServer
impl AccessVectorComputer for SecurityServer
source§fn access_vector_from_permission<P: ClassPermission + Into<Permission> + 'static>(
&self,
permission: P
) -> AccessVector
fn access_vector_from_permission<P: ClassPermission + Into<Permission> + 'static>( &self, permission: P ) -> AccessVector
AccessVector
] with a single bit set that corresponds to permission
.source§fn access_vector_from_permissions<P: ClassPermission + Into<Permission> + 'static, PI: IntoIterator<Item = P>>(
&self,
permissions: PI
) -> AccessVector
fn access_vector_from_permissions<P: ClassPermission + Into<Permission> + 'static, PI: IntoIterator<Item = P>>( &self, permissions: PI ) -> AccessVector
AccessVector
] where the only bits set are those that correspond to
all permissions
. This operation fails if permissions
contain permissions that refer to
different object classes because an access vector specifies permission bits associated with
one specific object class.source§impl Query for SecurityServer
impl Query for SecurityServer
source§fn query(
&self,
source_sid: SecurityId,
target_sid: SecurityId,
target_class: AbstractObjectClass
) -> AccessVector
fn query( &self, source_sid: SecurityId, target_sid: SecurityId, target_class: AbstractObjectClass ) -> AccessVector
AccessVector
] permitted to source_sid
for accessing target_sid
, an
object of of type target_class
.Auto Trait Implementations§
impl !Freeze for SecurityServer
impl !RefUnwindSafe for SecurityServer
impl Send for SecurityServer
impl Sync for SecurityServer
impl Unpin for SecurityServer
impl !UnwindSafe for SecurityServer
Blanket Implementations§
source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
source§impl<Q> PermissionCheck for Qwhere
Q: AccessVectorComputer + Query,
impl<Q> PermissionCheck for Qwhere
Q: AccessVectorComputer + Query,
source§fn has_permission<P: ClassPermission + Into<Permission> + 'static>(
&self,
source_sid: SecurityId,
target_sid: SecurityId,
permission: P
) -> bool
fn has_permission<P: ClassPermission + Into<Permission> + 'static>( &self, source_sid: SecurityId, target_sid: SecurityId, permission: P ) -> bool
permissions
are granted to source_sid
acting on
target_sid
as a target_class
. Read morefn has_permissions<P: ClassPermission + Into<Permission> + 'static, PI: IntoIterator<Item = P>>( &self, source_sid: SecurityId, target_sid: SecurityId, permissions: PI ) -> bool
source§impl<QM> PermissionCheckMut for QMwhere
QM: AccessVectorComputer + QueryMut,
impl<QM> PermissionCheckMut for QMwhere
QM: AccessVectorComputer + QueryMut,
source§fn has_permission<P: ClassPermission + Into<Permission> + 'static>(
&mut self,
source_sid: SecurityId,
target_sid: SecurityId,
permission: P
) -> bool
fn has_permission<P: ClassPermission + Into<Permission> + 'static>( &mut self, source_sid: SecurityId, target_sid: SecurityId, permission: P ) -> bool
permissions
are granted to source_sid
acting on
target_sid
as a target_class
. Read morefn has_permissions<P: ClassPermission + Into<Permission> + 'static, PI: IntoIterator<Item = P>>( &mut self, source_sid: SecurityId, target_sid: SecurityId, permissions: PI ) -> bool
source§impl<Q> QueryMut for Qwhere
Q: Query,
impl<Q> QueryMut for Qwhere
Q: Query,
source§fn query(
&mut self,
source_sid: SecurityId,
target_sid: SecurityId,
target_class: AbstractObjectClass
) -> AccessVector
fn query( &mut self, source_sid: SecurityId, target_sid: SecurityId, target_class: AbstractObjectClass ) -> AccessVector
AccessVector
] permitted to source_sid
for accessing target_sid
, an
object of type target_class
.