On 05/22/2013 11:00 PM, William Roberts wrote:
> Is there a struct or docs somewhere that defines the format of the SELinux
> binary policy? A cursory 2 minute glance at the kernel and checkpolicy
> didn't reveal much.
It is just a simple serialized representation of the policy data
structures; there is no struct or document that describes it beyond the
code.
policydb_read() is the function that parses a binary policy file into an
in-core policydb data structure, and policydb_write() is the function
that takes an in-core policydb data structure and writes out the binary
policy file. You can find copies of those functions in both the kernel
(both in security/selinux/ss/policydb.c) and in libsepol (in
src/policydb.c and src/write.c). The kernel code is a bit simpler to
follow as it only deals with the kernel's format, whereas the libsepol
code has to handle both the kernel and binary policy module formats.
And policydb_write() code flow is simpler than policydb_read().
The header of the policy file consists of:
32-bit magic number to identify the file as a SELinux policy file.
32-bit string length followed by variable-length string, originally also
as an alternative form of identification of the file as a SELinux policy
file and now also used to identify a target platform (e.g. Linux vs Xen).
32-bit policy version number to identify the policy format version.
32-bit config flags field. 1 bit used to identify whether the policy is
MLS or non-MLS, 2 bits used to identify how to handle unknown
permissions, other bits presently unused.
32-bit number of symbol tables
32-bit number of object context tables
Then the rest of the policy content follows, interpreted based on the
policy format version number.
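As an added illustration (not code from the mail, the kernel or libsepol), a small Python parser for just the six header fields listed above. The magic value, the "SE Linux"/"XenFlask" identifier strings, the 32-byte identifier limit, the config flag bit positions and the little-endian byte order are not stated in the mail; they are taken from the kernel's security/selinux/ss/policydb.h and the le32_to_cpu() reads in policydb_read().

```python
import struct
# Constants from the kernel's security/selinux/ss/policydb.h (not listed in the
# mail); every header field is a 32-bit little-endian value (le32_to_cpu).
POLICYDB_MAGIC = 0xF97CFF8C                    # SELINUX_MAGIC
POLICYDB_STRINGS = {b"SE Linux", b"XenFlask"}  # target platform: Linux vs. Xen
POLICYDB_STRING_MAX_LENGTH = 32
POLICYDB_CONFIG_MLS = 0x1                      # bit 0: MLS policy
REJECT_UNKNOWN = 0x2                           # bits 1-2: unknown-permission
ALLOW_UNKNOWN = 0x4                            #          handling

class PolicyHeaderError(ValueError):
    pass

def _u32(buf, off):
    """Read one little-endian u32 at off, refusing to read past the buffer."""
    if off + 4 > len(buf):
        raise PolicyHeaderError("truncated header at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4

def parse_policy_header(buf):
    """Parse the six header fields of a SELinux binary policy file."""
    magic, off = _u32(buf, 0)
    if magic != POLICYDB_MAGIC:
        raise PolicyHeaderError("bad magic 0x%08x" % magic)
    slen, off = _u32(buf, off)
    if slen == 0 or slen > POLICYDB_STRING_MAX_LENGTH:
        raise PolicyHeaderError("implausible identifier length %d" % slen)
    if off + slen > len(buf):
        raise PolicyHeaderError("truncated identifier string")
    ident, off = bytes(buf[off:off + slen]), off + slen
    if ident not in POLICYDB_STRINGS:
        raise PolicyHeaderError("unknown target platform string %r" % ident)
    version, off = _u32(buf, off)
    config, off = _u32(buf, off)
    sym_num, off = _u32(buf, off)
    ocon_num, off = _u32(buf, off)
    return {"platform": ident.decode("ascii"), "version": version,
            "mls": bool(config & POLICYDB_CONFIG_MLS),
            "reject_unknown": bool(config & REJECT_UNKNOWN),
            "allow_unknown": bool(config & ALLOW_UNKNOWN),
            "sym_num": sym_num, "ocon_num": ocon_num, "body_offset": off}

# Constructed sample header (not from a real policy file): version 26, MLS,
# unknown permissions denied, 8 symbol tables and 7 object context tables.
SAMPLE_HEADER = (struct.pack("<II", POLICYDB_MAGIC, 8) + b"SE Linux"
                 + struct.pack("<IIII", 26, POLICYDB_CONFIG_MLS, 8, 7))

if __name__ == "__main__":
    print(parse_policy_header(SAMPLE_HEADER))
```

The returned body_offset is where the version-dependent policy content begins, which is the point at which policydb_read() starts branching on the format version.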
--
This message was distributed to subscribers of the seandroid-list mailing list.