)]}'
{
  "commit": "c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c",
  "tree": "1a5475b4370655a22670fd6eb35e54d8b131b362",
  "parents": [
    "23acb98de5a4109a60b5fe3f0439389218b039d7"
  ],
  "author": {
    "name": "Stephen Smalley",
    "email": "sds@tycho.nsa.gov",
    "time": "Wed Sep 30 13:37:50 2009 -0400"
  },
  "committer": {
    "name": "James Morris",
    "email": "jmorris@namei.org",
    "time": "Wed Oct 07 21:56:42 2009 +1100"
  },
  "message": "selinux: dynamic class/perm discovery\n\nModify SELinux to dynamically discover class and permission values\nupon policy load, based on the dynamic object class/perm discovery\nlogic from libselinux.  A mapping is created between kernel-private\nclass and permission indices used outside the security server and the\npolicy values used within the security server.\n\nThe mappings are only applied upon kernel-internal computations;\nsimilar mappings for the private indices of userspace object managers\nis handled on a per-object manager basis by the userspace AVC.  The\ninterfaces for compute_av and transition_sid are split for kernel\nvs. userspace; the userspace functions are distinguished by a _user\nsuffix.\n\nThe kernel-private class indices are no longer tied to the policy\nvalues and thus do not need to skip indices for userspace classes;\nthus the kernel class index values are compressed.  The flask.h\ndefinitions were regenerated by deleting the userspace classes from\nrefpolicy\u0027s definitions and then regenerating the headers.  Going\nforward, we can just maintain the flask.h, av_permissions.h, and\nclassmap.h definitions separately from policy as they are no longer\ntied to the policy values.  The next patch introduces a utility to\nautomate generation of flask.h and av_permissions.h from the\nclassmap.h definitions.\n\nThe older kernel class and permission string tables are removed and\nreplaced by a single security class mapping table that is walked at\npolicy load to generate the mapping.  The old kernel class validation\nlogic is completely replaced by the mapping logic.\n\nThe handle unknown logic is reworked.  reject_unknown\u003d1 is handled\nwhen the mappings are computed at policy load time, similar to the old\nhandling by the class validation logic.  allow_unknown\u003d1 is handled\nwhen computing and mapping decisions - if the permission was not able\nto be mapped (i.e. undefined, mapped to zero), then it is\nautomatically added to the allowed vector.  If the class was not able\nto be mapped (i.e. undefined, mapped to zero), then all permissions\nare allowed for it if allow_unknown\u003d1.\n\navc_audit leverages the new security class mapping table to lookup the\nclass and permission names from the kernel-private indices.\n\nThe mdp program is updated to use the new table when generating the\nclass definitions and allow rules for a minimal boot policy for the\nkernel.  It should be noted that this policy will not include any\nuserspace classes, nor will its policy index values for the kernel\nclasses correspond with the ones in refpolicy (they will instead match\nthe kernel-private indices).\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "b4ced8562587b088f698058fb0fa185410f9987d",
      "old_mode": 33188,
      "old_path": "scripts/selinux/mdp/mdp.c",
      "new_id": "62b34ce1f50dd16a0aed513ad40a31baead586ac",
      "new_mode": 33188,
      "new_path": "scripts/selinux/mdp/mdp.c"
    },
    {
      "type": "modify",
      "old_id": "b4b5da1c0a421ff69a12b80312d65c456148a47d",
      "old_mode": 33188,
      "old_path": "security/selinux/avc.c",
      "new_id": "18f4103e02b798937f5594c845f6c200f18b363e",
      "new_mode": 33188,
      "new_path": "security/selinux/avc.c"
    },
    {
      "type": "delete",
      "old_id": "abedcd704daef7c47ef2f392799dc80024fd7b4e",
      "old_mode": 33188,
      "old_path": "security/selinux/include/av_inherit.h",
      "new_id": "0000000000000000000000000000000000000000",
      "new_mode": 0,
      "new_path": "/dev/null"
    },
    {
      "type": "delete",
      "old_id": "2b683ad83d21ceb42b8d16fe48f9f610398d30e2",
      "old_mode": 33188,
      "old_path": "security/selinux/include/av_perm_to_string.h",
      "new_id": "0000000000000000000000000000000000000000",
      "new_mode": 0,
      "new_path": "/dev/null"
    },
    {
      "type": "modify",
      "old_id": "0546d616ccacc2fae2fd8b5ca003d6cdc091a54f",
      "old_mode": 33188,
      "old_path": "security/selinux/include/av_permissions.h",
      "new_id": "fef2582b734d180115aacb54da2c25112e121458",
      "new_mode": 33188,
      "new_path": "security/selinux/include/av_permissions.h"
    },
    {
      "type": "modify",
      "old_id": "bb1ec801bdfe1dda2984b27da8ecef52c2715755",
      "old_mode": 33188,
      "old_path": "security/selinux/include/avc_ss.h",
      "new_id": "4677aa519b0471b2f4dd7bad0cf79c737f93bd8d",
      "new_mode": 33188,
      "new_path": "security/selinux/include/avc_ss.h"
    },
    {
      "type": "delete",
      "old_id": "7ab9299bfb6bb3b18c6d941effcd88e6a0d5524d",
      "old_mode": 33188,
      "old_path": "security/selinux/include/class_to_string.h",
      "new_id": "0000000000000000000000000000000000000000",
      "new_mode": 0,
      "new_path": "/dev/null"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "8b32e959bb2e47cc559e29aaf7468576d63974a5",
      "new_mode": 33188,
      "new_path": "security/selinux/include/classmap.h"
    },
    {
      "type": "delete",
      "old_id": "ce5b6e2fe9dd10e4944378cea07f65acbb2c23a8",
      "old_mode": 33188,
      "old_path": "security/selinux/include/common_perm_to_string.h",
      "new_id": "0000000000000000000000000000000000000000",
      "new_mode": 0,
      "new_path": "/dev/null"
    },
    {
      "type": "modify",
      "old_id": "f248500a1e3c3c197efa6eb5dfa6e6b0567f7960",
      "old_mode": 33188,
      "old_path": "security/selinux/include/flask.h",
      "new_id": "5359ca2abf21ad4f7b54c34c099a7552c3db0817",
      "new_mode": 33188,
      "new_path": "security/selinux/include/flask.h"
    },
    {
      "type": "modify",
      "old_id": "ca835795a8b322e7e4398d065d2eb0976741e2ad",
      "old_mode": 33188,
      "old_path": "security/selinux/include/security.h",
      "new_id": "2553266ad793ff76c6cf30d4a4383f285e66a2e4",
      "new_mode": 33188,
      "new_path": "security/selinux/include/security.h"
    },
    {
      "type": "modify",
      "old_id": "b4fc506e7a87c8aa69a71ccc1a9c1b6c55c00ce8",
      "old_mode": 33188,
      "old_path": "security/selinux/selinuxfs.c",
      "new_id": "fab36fdf2769f0e0bce984bb0f40f84c63fff144",
      "new_mode": 33188,
      "new_path": "security/selinux/selinuxfs.c"
    },
    {
      "type": "modify",
      "old_id": "b5407f16c2a4e71b06550beb671ddb9de14591b3",
      "old_mode": 33188,
      "old_path": "security/selinux/ss/mls.c",
      "new_id": "3f2b2706b5bbc9226b9e211c9fd46191c5856e23",
      "new_mode": 33188,
      "new_path": "security/selinux/ss/mls.c"
    },
    {
      "type": "modify",
      "old_id": "72e4a54973aae503c9c9378aa392750f7f4adb20",
      "old_mode": 33188,
      "old_path": "security/selinux/ss/policydb.c",
      "new_id": "f03667213ea8d4c1d0cb94ed270c4da8e8752dea",
      "new_mode": 33188,
      "new_path": "security/selinux/ss/policydb.c"
    },
    {
      "type": "modify",
      "old_id": "55152d498b5342aba65d04c0a6be1b79f784a9f5",
      "old_mode": 33188,
      "old_path": "security/selinux/ss/policydb.h",
      "new_id": "cdcc5700946f7f850dfb251f8c8ccb0596ac3c74",
      "new_mode": 33188,
      "new_path": "security/selinux/ss/policydb.h"
    },
    {
      "type": "modify",
      "old_id": "ff17820d35ec73bedfab174d3adfb7c87b762420",
      "old_mode": 33188,
      "old_path": "security/selinux/ss/services.c",
      "new_id": "e19baa81fdec4e372b1d38ba1be9effd6e1fef3a",
      "new_mode": 33188,
      "new_path": "security/selinux/ss/services.c"
    }
  ]
}