selinux::security_server

Struct SecurityServer

Source 
pub struct SecurityServer { /* private fields */ }

Implementations§

Source§

impl SecurityServer

Source

pub fn new() -> Arc<Self>

Source

pub fn as_permission_check<'a>(&'a self) -> PermissionCheck<'a>

Converts a shared pointer to SecurityServer to a PermissionCheck without consuming the pointer.

Source

pub fn security_context_to_sid( &self, security_context: NullessByteStr<'_>, ) -> Result<SecurityId, Error>

Returns the security ID mapped to security_context, creating it if it does not exist.

All objects with the same security context will have the same SID associated.

Source

pub fn sid_to_security_context(&self, sid: SecurityId) -> Option<Vec<u8>>

Returns the Security Context string for the requested sid. This is used only where Contexts need to be stringified to expose to userspace, as is the case for e.g. the /proc/*/attr/ filesystem and security.selinux extended attribute values.

Source

pub fn load_policy(&self, binary_policy: Vec<u8>) -> Result<(), Error>

Applies the supplied policy to the security server.

Source

pub fn get_binary_policy(&self) -> Vec<u8>

Returns the active policy in binary form.

Source

pub fn has_policy(&self) -> bool

Returns true if a policy has been loaded.

Source

pub fn set_enforcing(&self, enforcing: bool)

Set to enforcing mode if enforce is true, permissive mode otherwise.

Source

pub fn is_enforcing(&self) -> bool

Source

pub fn deny_unknown(&self) -> bool

Returns true if the policy requires unknown class / permissions to be denied. Defaults to true until a policy is loaded.

Source

pub fn reject_unknown(&self) -> bool

Returns true if the policy requires unknown class / permissions to be rejected. Defaults to false until a policy is loaded.

Source

pub fn conditional_booleans(&self) -> Vec<String>

Returns the list of names of boolean conditionals defined by the loaded policy.

Source

pub fn get_boolean(&self, name: &str) -> Result<(bool, bool), ()>

Returns the active and pending values of a policy boolean, if it exists.

Source

pub fn set_pending_boolean(&self, name: &str, value: bool) -> Result<(), ()>

Sets the pending value of a boolean, if it is defined in the policy.

Source

pub fn commit_pending_booleans(&self)

Commits all pending changes to conditional booleans.

Source

pub fn avc_cache_stats(&self) -> CacheStats

Returns a snapshot of the AVC usage statistics.

Source

pub fn class_names(&self) -> Result<Vec<Vec<u8>>, ()>

Returns the list of all class names.

Source

pub fn class_id_by_name(&self, name: &str) -> Result<ClassId, ()>

Returns the class identifier of a class, if it exists.

Source

pub fn class_permissions_by_name( &self, name: &str, ) -> Result<Vec<(u32, Vec<u8>)>, ()>

Returns the class identifier of a class, if it exists.

Source

pub fn resolve_fs_label( &self, fs_type: NullessByteStr<'_>, mount_options: &FileSystemMountOptions, ) -> FileSystemLabel

Determines the appropriate FileSystemLabel for a mounted filesystem given this security server’s loaded policy, the name of the filesystem type (“ext4” or “tmpfs”, for example), and the security-relevant mount options passed for the mount operation.

Source

pub fn genfscon_label_for_fs_and_path( &self, fs_type: NullessByteStr<'_>, node_path: NullessByteStr<'_>, class_id: Option<ClassId>, ) -> Option<SecurityId>

If there is a genfscon statement for the given filesystem type, returns the [SecurityContext] that should be used for a node in path node_path. When node_path is the root path (“/”) the label additionally corresponds to the FileSystem label.

Source

pub fn compute_new_sid( &self, source_sid: SecurityId, target_sid: SecurityId, target_class: ObjectClass, ) -> Result<SecurityId, Error>

Source

pub fn is_bounded_by( &self, bounded_sid: SecurityId, parent_sid: SecurityId, ) -> bool

Returns true if the bounded_sid is bounded by the parent_sid. Bounds relationships are mostly enforced by policy tooling, so this only requires validating that the policy entry for the TypeId of bounded_sid has the TypeId of parent_sid specified in its bounds.

Source

pub fn set_status_publisher( &self, status_holder: Box<dyn SeLinuxStatusPublisher>, )

Assign a SeLinuxStatusPublisher to be used for pushing updates to the security server’s policy status. This should be invoked exactly once when selinuxfs is initialized.

§Panics

This will panic on debug builds if it is invoked multiple times.

Source

pub fn get_shared_avc(&self) -> &impl Query

Returns a reference to the shared access vector cache that delebates cache misses to self.

Source

pub fn new_thread_local_avc(&self) -> impl QueryMut

Returns a newly constructed thread-local access vector cache that delegates cache misses to any shared caches owned by self.avc_manager, which ultimately delegate to self. The returned cache will be reset when this security server’s policy is reset.

Trait Implementations§

Source§

impl AccessVectorComputer for SecurityServer

Source§

fn access_vector_from_permissions<P: ClassPermission + Into<Permission> + Clone + 'static>( &self, permissions: &[P], ) -> Option<AccessVector>

Returns an AccessVector containing the supplied kernel permissions. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T, D> Encode<Ambiguous1, D> for T
where D: ResourceDialect,

Source§

unsafe fn encode( self, _encoder: &mut Encoder<'_, D>, _offset: usize, _depth: Depth, ) -> Result<(), Error>

Encodes the object into the encoder’s buffers. Any handles stored in the object are swapped for Handle::INVALID. Read more
Source§

impl<T, D> Encode<Ambiguous2, D> for T
where D: ResourceDialect,

Source§

unsafe fn encode( self, _encoder: &mut Encoder<'_, D>, _offset: usize, _depth: Depth, ) -> Result<(), Error>

Encodes the object into the encoder’s buffers. Any handles stored in the object are swapped for Handle::INVALID. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T> Pointable for T

§

const ALIGN: usize = _

The alignment of pointer.
§

type Init = T

The type for initializers.
§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<B, A> LockBefore<B> for A
where B: LockAfter<A>,

§

impl<B, A> LockEqualOrBefore<B> for A
where A: LockBefore<B>,