Struct selinux_policy::Policy
source · pub struct Policy<PS: ParseStrategy>(/* private fields */);
Implementations§
source§impl<PS: ParseStrategy> Policy<PS>
impl<PS: ParseStrategy> Policy<PS>
sourcepub fn policy_version(&self) -> u32
pub fn policy_version(&self) -> u32
The policy version stored in the underlying binary policy.
sourcepub fn handle_unknown(&self) -> &HandleUnknown
pub fn handle_unknown(&self) -> &HandleUnknown
The way “unknown” policy decisions should be handed according to the underlying binary policy.
pub fn conditional_booleans<'a>(&'a self) -> Vec<(&'a [u8], bool)>
sourcepub fn initial_context(&self, id: InitialSid) -> SecurityContext
pub fn initial_context(&self, id: InitialSid) -> SecurityContext
Returns the SecurityContext
defined by this policy for the specified
well-known (or “initial”) Id.
sourcepub fn parse_security_context(
&self,
security_context: &[u8]
) -> Result<SecurityContext, SecurityContextError>
pub fn parse_security_context( &self, security_context: &[u8] ) -> Result<SecurityContext, SecurityContextError>
Returns a SecurityContext
with fields parsed from the supplied Security Context string.
sourcepub fn serialize_security_context(
&self,
security_context: &SecurityContext
) -> Vec<u8> ⓘ
pub fn serialize_security_context( &self, security_context: &SecurityContext ) -> Vec<u8> ⓘ
Returns a byte string describing the supplied SecurityContext
.
sourcepub fn new_file_security_context(
&self,
source: &SecurityContext,
target: &SecurityContext,
class: &FileClass
) -> Result<SecurityContext, NewSecurityContextError>
pub fn new_file_security_context( &self, source: &SecurityContext, target: &SecurityContext, class: &FileClass ) -> Result<SecurityContext, NewSecurityContextError>
Returns the security context that should be applied to a newly created file-like SELinux
object according to source
and target
security contexts, as well as the new object’s
class
. Returns an error if the security context for such an object is not well-defined
by this Policy
.
sourcepub fn new_security_context(
&self,
source: &SecurityContext,
target: &SecurityContext,
class: &ObjectClass
) -> Result<SecurityContext, NewSecurityContextError>
pub fn new_security_context( &self, source: &SecurityContext, target: &SecurityContext, class: &ObjectClass ) -> Result<SecurityContext, NewSecurityContextError>
Returns the security context that should be applied to a newly created SELinux
object according to source
and target
security contexts, as well as the new object’s
class
.
Defaults to the source
security context if the policy does not specify transitions or
defaults for the source
, target
or class
components.
Returns an error if the security context for such an object is not well-defined
by this Policy
.
sourcepub fn is_explicitly_allowed(
&self,
source_type: TypeId,
target_type: TypeId,
permission: Permission
) -> Result<bool, QueryError>
pub fn is_explicitly_allowed( &self, source_type: TypeId, target_type: TypeId, permission: Permission ) -> Result<bool, QueryError>
Returns whether the input types are explicitly granted permission
via an allow [...];
policy statement.
§Panics
If supplied with type Ids not previously obtained from the Policy
itself; validation
ensures that all such Ids have corresponding definitions.
sourcepub fn is_explicitly_allowed_custom(
&self,
source_type: TypeId,
target_type: TypeId,
target_class_name: &str,
permission_name: &str
) -> Result<bool, QueryError>
pub fn is_explicitly_allowed_custom( &self, source_type: TypeId, target_type: TypeId, target_class_name: &str, permission_name: &str ) -> Result<bool, QueryError>
Returns whether the input types are explicitly granted the permission named
permission_name
via an allow [...];
policy statement, or an error if looking up the
input types fails. This is the “custom” form of this API because permission_name
is
associated with a selinux_common::AbstractPermission::Custom::permission
value.
§Panics
If supplied with type Ids not previously obtained from the Policy
itself; validation
ensures that all such Ids have corresponding definitions.
sourcepub fn compute_explicitly_allowed(
&self,
source_type: TypeId,
target_type: TypeId,
object_class: ObjectClass
) -> Result<AccessVector, QueryError>
pub fn compute_explicitly_allowed( &self, source_type: TypeId, target_type: TypeId, object_class: ObjectClass ) -> Result<AccessVector, QueryError>
Computes the access vector that associates type source_type_name
and target_type_name
via an explicit allow [...];
statement in the binary policy. Computes AccessVector::NONE
if no such statement exists.
sourcepub fn compute_explicitly_allowed_custom(
&self,
source_type: TypeId,
target_type: TypeId,
target_class_name: &str
) -> Result<AccessVector, QueryError>
pub fn compute_explicitly_allowed_custom( &self, source_type: TypeId, target_type: TypeId, target_class_name: &str ) -> Result<AccessVector, QueryError>
Computes the access vector that associates type source_type_name
and target_type_name
via an explicit allow [...];
statement in the binary policy. Computes AccessVector::NONE
if no such statement exists. This is the “custom” form of this API because
target_class_name
is associated with a selinux_common::AbstractObjectClass::Custom
value.
Trait Implementations§
source§impl<PS: ParseStrategy> AccessVectorComputer for Policy<PS>
impl<PS: ParseStrategy> AccessVectorComputer for Policy<PS>
source§fn access_vector_from_permission<P: ClassPermission + Into<Permission> + 'static>(
&self,
permission: P
) -> AccessVector
fn access_vector_from_permission<P: ClassPermission + Into<Permission> + 'static>( &self, permission: P ) -> AccessVector
AccessVector
with a single bit set that corresponds to permission
.source§fn access_vector_from_permissions<'a, P: ClassPermission + Into<Permission> + 'static, PI: IntoIterator<Item = P>>(
&self,
permissions: PI
) -> AccessVector
fn access_vector_from_permissions<'a, P: ClassPermission + Into<Permission> + 'static, PI: IntoIterator<Item = P>>( &self, permissions: PI ) -> AccessVector
AccessVector
where the only bits set are those that correspond to
all permissions
. This operation fails if permissions
contain permissions that refer to
different object classes because an access vector specifies permission bits associated with
one specific object class.