Struct selinux::security_server::SecurityServer

source · 
pub struct SecurityServer { /* private fields */ }

Implementations§

source§

impl SecurityServer

source

pub fn new(mode: Mode) -> Arc<Self>

source

pub fn as_permission_check<'a>(self: &'a Arc<Self>) -> impl PermissionCheck + 'a

Converts a shared pointer to SecurityServer to a PermissionCheck without consuming the pointer.

source

pub fn security_context_to_sid( &self, security_context: &[u8] ) -> Result<SecurityId, Error>

Returns the security ID mapped to security_context, creating it if it does not exist.

All objects with the same security context will have the same SID associated.

source

pub fn sid_to_security_context(&self, sid: SecurityId) -> Option<Vec<u8>>

Returns the Security Context string for the requested sid. This is used only where Contexts need to be stringified to expose to userspace, as is the case for e.g. the /proc/*/attr/ filesystem.

source

pub fn load_policy(&self, binary_policy: Vec<u8>) -> Result<(), Error>

Applies the supplied policy to the security server.

source

pub fn get_binary_policy(&self) -> Vec<u8>

Returns the active policy in binary form.

source

pub fn has_policy(&self) -> bool

Returns true if a policy has been loaded.

source

pub fn set_enforcing(&self, enforcing: bool)

Set to enforcing mode if enforce is true, permissive mode otherwise.

source

pub fn is_enforcing(&self) -> bool

source

pub fn deny_unknown(&self) -> bool

Returns true if the policy requires unknown class / permissions to be denied. Defaults to true until a policy is loaded.

source

pub fn reject_unknown(&self) -> bool

Returns true if the policy requires unknown class / permissions to be rejected. Defaults to false until a policy is loaded.

source

pub fn conditional_booleans(&self) -> Vec<String>

Returns the list of names of boolean conditionals defined by the loaded policy.

source

pub fn get_boolean(&self, name: &str) -> Result<(bool, bool), ()>

Returns the active and pending values of a policy boolean, if it exists.

source

pub fn set_pending_boolean(&self, name: &str, value: bool) -> Result<(), ()>

Sets the pending value of a boolean, if it is defined in the policy.

source

pub fn commit_pending_booleans(&self)

Commits all pending changes to conditional booleans.

source

pub fn compute_access_vector( &self, source_sid: SecurityId, target_sid: SecurityId, target_class: AbstractObjectClass ) -> AccessVector

Computes the precise access vector for source_sid targeting target_sid as class target_class.

TODO(http://b/305722921): Implement complete access decision logic. For now, the security server abides by explicit allow [source] [target]:[class] [permissions..]; statements.

source

pub fn compute_new_file_sid( &self, source_sid: SecurityId, target_sid: SecurityId, file_class: FileClass ) -> Result<SecurityId, Error>

Computes the appropriate security identifier (SID) for the security context of a file-like object of class file_class created by source_sid targeting target_sid.

source

pub fn compute_new_sid( &self, source_sid: SecurityId, target_sid: SecurityId, target_class: ObjectClass ) -> Result<SecurityId, Error>

source

pub fn get_status_vmo(&self) -> Arc<Vmo>

Returns a read-only VMO containing the SELinux “status” structure.

source

pub fn get_shared_avc(&self) -> &impl Query

Returns a reference to the shared access vector cache that delebates cache misses to self.

source

pub fn new_thread_local_avc(&self) -> impl QueryMut

Returns a newly constructed thread-local access vector cache that delegates cache misses to any shared caches owned by self.avc_manager, which ultimately delegate to self. The returned cache will be reset when this security server’s policy is reset.

source

pub fn is_fake(&self) -> bool

Trait Implementations§

source§

impl AccessVectorComputer for SecurityServer

source§

fn access_vector_from_permission<P: ClassPermission + Into<Permission> + 'static>( &self, permission: P ) -> AccessVector

Returns an [AccessVector] with a single bit set that corresponds to permission.
source§

fn access_vector_from_permissions<P: ClassPermission + Into<Permission> + 'static, PI: IntoIterator<Item = P>>( &self, permissions: PI ) -> AccessVector

Computes an [AccessVector] where the only bits set are those that correspond to all permissions. This operation fails if permissions contain permissions that refer to different object classes because an access vector specifies permission bits associated with one specific object class.
source§

impl Query for SecurityServer

source§

fn query( &self, source_sid: SecurityId, target_sid: SecurityId, target_class: AbstractObjectClass ) -> AccessVector

Computes the [AccessVector] permitted to source_sid for accessing target_sid, an object of of type target_class.

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<Q> PermissionCheck for Q
where Q: AccessVectorComputer + Query,

source§

fn has_permission<P: ClassPermission + Into<Permission> + 'static>( &self, source_sid: SecurityId, target_sid: SecurityId, permission: P ) -> bool

Returns true if and only if all permissions are granted to source_sid acting on target_sid as a target_class. Read more
source§

fn has_permissions<P: ClassPermission + Into<Permission> + 'static, PI: IntoIterator<Item = P>>( &self, source_sid: SecurityId, target_sid: SecurityId, permissions: PI ) -> bool

source§

impl<QM> PermissionCheckMut for QM
where QM: AccessVectorComputer + QueryMut,

source§

fn has_permission<P: ClassPermission + Into<Permission> + 'static>( &mut self, source_sid: SecurityId, target_sid: SecurityId, permission: P ) -> bool

Returns true if and only if all permissions are granted to source_sid acting on target_sid as a target_class. Read more
source§

fn has_permissions<P: ClassPermission + Into<Permission> + 'static, PI: IntoIterator<Item = P>>( &mut self, source_sid: SecurityId, target_sid: SecurityId, permissions: PI ) -> bool

source§

impl<Q> QueryMut for Q
where Q: Query,

source§

fn query( &mut self, source_sid: SecurityId, target_sid: SecurityId, target_class: AbstractObjectClass ) -> AccessVector

Computes the [AccessVector] permitted to source_sid for accessing target_sid, an object of type target_class.
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
source§

impl<B, A> LockBefore<B> for A
where B: LockAfter<A>,

source§

impl<B, A> LockEqualOrBefore<B> for A
where A: LockBefore<B>,