diff options
| author | Paul Moore <paul.moore@hp.com> | 2008-01-29 08:37:59 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-01-29 16:17:19 -0500 |
| commit | 16efd45435fa695b501b7f73c3259bd7c77cc12c (patch) | |
| tree | f26eb84f65192eb0a17aca399fd405100e4be974 | |
| parent | 1c3fad936acaf87b75055b95be781437e97d787f (diff) | |
NetLabel: Add secid token support to the NetLabel secattr struct
This patch adds support to the NetLabel LSM secattr struct for a secid token
and a type field, paving the way for full LSM/SELinux context support and
"static" or "fallback" labels. In addition, this patch adds a fair amount
of documentation to the core NetLabel structures used as part of the
NetLabel kernel API.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
| -rw-r--r-- | include/net/netlabel.h | 91 | ||||
| -rw-r--r-- | net/ipv4/cipso_ipv4.c | 59 | ||||
| -rw-r--r-- | net/netlabel/netlabel_unlabeled.c | 1 | ||||
| -rw-r--r-- | security/selinux/ss/mls.c | 10 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 5 |
5 files changed, 120 insertions, 46 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 2e5b2f6f9fa0..18b73cf507df 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h | |||
| @@ -105,17 +105,49 @@ struct netlbl_dom_map; | |||
| 105 | /* Domain mapping operations */ | 105 | /* Domain mapping operations */ |
| 106 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info); | 106 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info); |
| 107 | 107 | ||
| 108 | /* LSM security attributes */ | 108 | /* |
| 109 | * LSM security attributes | ||
| 110 | */ | ||
| 111 | |||
| 112 | /** | ||
| 113 | * struct netlbl_lsm_cache - NetLabel LSM security attribute cache | ||
| 114 | * @refcount: atomic reference counter | ||
| 115 | * @free: LSM supplied function to free the cache data | ||
| 116 | * @data: LSM supplied cache data | ||
| 117 | * | ||
| 118 | * Description: | ||
| 119 | * This structure is provided for LSMs which wish to make use of the NetLabel | ||
| 120 | * caching mechanism to store LSM specific data/attributes in the NetLabel | ||
| 121 | * cache. If the LSM has to perform a lot of translation from the NetLabel | ||
| 122 | * security attributes into it's own internal representation then the cache | ||
| 123 | * mechanism can provide a way to eliminate some or all of that translation | ||
| 124 | * overhead on a cache hit. | ||
| 125 | * | ||
| 126 | */ | ||
| 109 | struct netlbl_lsm_cache { | 127 | struct netlbl_lsm_cache { |
| 110 | atomic_t refcount; | 128 | atomic_t refcount; |
| 111 | void (*free) (const void *data); | 129 | void (*free) (const void *data); |
| 112 | void *data; | 130 | void *data; |
| 113 | }; | 131 | }; |
| 114 | /* The catmap bitmap field MUST be a power of two in length and large | 132 | |
| 133 | /** | ||
| 134 | * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap | ||
| 135 | * @startbit: the value of the lowest order bit in the bitmap | ||
| 136 | * @bitmap: the category bitmap | ||
| 137 | * @next: pointer to the next bitmap "node" or NULL | ||
| 138 | * | ||
| 139 | * Description: | ||
| 140 | * This structure is used to represent category bitmaps. Due to the large | ||
| 141 | * number of categories supported by most labeling protocols it is not | ||
| 142 | * practical to transfer a full bitmap internally so NetLabel adopts a sparse | ||
| 143 | * bitmap structure modeled after SELinux's ebitmap structure. | ||
| 144 | * The catmap bitmap field MUST be a power of two in length and large | ||
| 115 | * enough to hold at least 240 bits. Special care (i.e. check the code!) | 145 | * enough to hold at least 240 bits. Special care (i.e. check the code!) |
| 116 | * should be used when changing these values as the LSM implementation | 146 | * should be used when changing these values as the LSM implementation |
| 117 | * probably has functions which rely on the sizes of these types to speed | 147 | * probably has functions which rely on the sizes of these types to speed |
| 118 | * processing. */ | 148 | * processing. |
| 149 | * | ||
| 150 | */ | ||
| 119 | #define NETLBL_CATMAP_MAPTYPE u64 | 151 | #define NETLBL_CATMAP_MAPTYPE u64 |
| 120 | #define NETLBL_CATMAP_MAPCNT 4 | 152 | #define NETLBL_CATMAP_MAPCNT 4 |
| 121 | #define NETLBL_CATMAP_MAPSIZE (sizeof(NETLBL_CATMAP_MAPTYPE) * 8) | 153 | #define NETLBL_CATMAP_MAPSIZE (sizeof(NETLBL_CATMAP_MAPTYPE) * 8) |
| @@ -127,22 +159,48 @@ struct netlbl_lsm_secattr_catmap { | |||
| 127 | NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT]; | 159 | NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT]; |
| 128 | struct netlbl_lsm_secattr_catmap *next; | 160 | struct netlbl_lsm_secattr_catmap *next; |
| 129 | }; | 161 | }; |
| 162 | |||
| 163 | /** | ||
| 164 | * struct netlbl_lsm_secattr - NetLabel LSM security attributes | ||
| 165 | * @flags: indicate which attributes are contained in this structure | ||
| 166 | * @type: indicate the NLTYPE of the attributes | ||
| 167 | * @domain: the NetLabel LSM domain | ||
| 168 | * @cache: NetLabel LSM specific cache | ||
| 169 | * @attr.mls: MLS sensitivity label | ||
| 170 | * @attr.mls.cat: MLS category bitmap | ||
| 171 | * @attr.mls.lvl: MLS sensitivity level | ||
| 172 | * @attr.secid: LSM specific secid token | ||
| 173 | * | ||
| 174 | * Description: | ||
| 175 | * This structure is used to pass security attributes between NetLabel and the | ||
| 176 | * LSM modules. The flags field is used to specify which fields within the | ||
| 177 | * struct are valid and valid values can be created by bitwise OR'ing the | ||
| 178 | * NETLBL_SECATTR_* defines. The domain field is typically set by the LSM to | ||
| 179 | * specify domain specific configuration settings and is not usually used by | ||
| 180 | * NetLabel itself when returning security attributes to the LSM. | ||
| 181 | * | ||
| 182 | */ | ||
| 130 | #define NETLBL_SECATTR_NONE 0x00000000 | 183 | #define NETLBL_SECATTR_NONE 0x00000000 |
| 131 | #define NETLBL_SECATTR_DOMAIN 0x00000001 | 184 | #define NETLBL_SECATTR_DOMAIN 0x00000001 |
| 132 | #define NETLBL_SECATTR_CACHE 0x00000002 | 185 | #define NETLBL_SECATTR_CACHE 0x00000002 |
| 133 | #define NETLBL_SECATTR_MLS_LVL 0x00000004 | 186 | #define NETLBL_SECATTR_MLS_LVL 0x00000004 |
| 134 | #define NETLBL_SECATTR_MLS_CAT 0x00000008 | 187 | #define NETLBL_SECATTR_MLS_CAT 0x00000008 |
| 188 | #define NETLBL_SECATTR_SECID 0x00000010 | ||
| 135 | #define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \ | 189 | #define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \ |
| 136 | NETLBL_SECATTR_MLS_CAT) | 190 | NETLBL_SECATTR_MLS_CAT | \ |
| 191 | NETLBL_SECATTR_SECID) | ||
| 137 | struct netlbl_lsm_secattr { | 192 | struct netlbl_lsm_secattr { |
| 138 | u32 flags; | 193 | u32 flags; |
| 139 | 194 | u32 type; | |
| 140 | char *domain; | 195 | char *domain; |
| 141 | |||
| 142 | u32 mls_lvl; | ||
| 143 | struct netlbl_lsm_secattr_catmap *mls_cat; | ||
| 144 | |||
| 145 | struct netlbl_lsm_cache *cache; | 196 | struct netlbl_lsm_cache *cache; |
| 197 | union { | ||
| 198 | struct { | ||
| 199 | struct netlbl_lsm_secattr_catmap *cat; | ||
| 200 | u32 lvl; | ||
| 201 | } mls; | ||
| 202 | u32 secid; | ||
| 203 | } attr; | ||
| 146 | }; | 204 | }; |
| 147 | 205 | ||
| 148 | /* | 206 | /* |
| @@ -231,10 +289,7 @@ static inline void netlbl_secattr_catmap_free( | |||
| 231 | */ | 289 | */ |
| 232 | static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr) | 290 | static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr) |
| 233 | { | 291 | { |
| 234 | secattr->flags = 0; | 292 | memset(secattr, 0, sizeof(*secattr)); |
| 235 | secattr->domain = NULL; | ||
| 236 | secattr->mls_cat = NULL; | ||
| 237 | secattr->cache = NULL; | ||
| 238 | } | 293 | } |
| 239 | 294 | ||
| 240 | /** | 295 | /** |
| @@ -248,11 +303,11 @@ static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr) | |||
| 248 | */ | 303 | */ |
| 249 | static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr) | 304 | static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr) |
| 250 | { | 305 | { |
| 251 | if (secattr->cache) | ||
| 252 | netlbl_secattr_cache_free(secattr->cache); | ||
| 253 | kfree(secattr->domain); | 306 | kfree(secattr->domain); |
| 254 | if (secattr->mls_cat) | 307 | if (secattr->flags & NETLBL_SECATTR_CACHE) |
| 255 | netlbl_secattr_catmap_free(secattr->mls_cat); | 308 | netlbl_secattr_cache_free(secattr->cache); |
| 309 | if (secattr->flags & NETLBL_SECATTR_MLS_CAT) | ||
| 310 | netlbl_secattr_catmap_free(secattr->attr.mls.cat); | ||
| 256 | } | 311 | } |
| 257 | 312 | ||
| 258 | /** | 313 | /** |
| @@ -300,7 +355,7 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap, | |||
| 300 | gfp_t flags); | 355 | gfp_t flags); |
| 301 | 356 | ||
| 302 | /* | 357 | /* |
| 303 | * LSM protocol operations | 358 | * LSM protocol operations (NetLabel LSM/kernel API) |
| 304 | */ | 359 | */ |
| 305 | int netlbl_enabled(void); | 360 | int netlbl_enabled(void); |
| 306 | int netlbl_sock_setattr(struct sock *sk, | 361 | int netlbl_sock_setattr(struct sock *sk, |
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index d4dc4eb48d95..a2241060113b 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c | |||
| @@ -348,6 +348,7 @@ static int cipso_v4_cache_check(const unsigned char *key, | |||
| 348 | atomic_inc(&entry->lsm_data->refcount); | 348 | atomic_inc(&entry->lsm_data->refcount); |
| 349 | secattr->cache = entry->lsm_data; | 349 | secattr->cache = entry->lsm_data; |
| 350 | secattr->flags |= NETLBL_SECATTR_CACHE; | 350 | secattr->flags |= NETLBL_SECATTR_CACHE; |
| 351 | secattr->type = NETLBL_NLTYPE_CIPSOV4; | ||
| 351 | if (prev_entry == NULL) { | 352 | if (prev_entry == NULL) { |
| 352 | spin_unlock_bh(&cipso_v4_cache[bkt].lock); | 353 | spin_unlock_bh(&cipso_v4_cache[bkt].lock); |
| 353 | return 0; | 354 | return 0; |
| @@ -865,7 +866,7 @@ static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def, | |||
| 865 | } | 866 | } |
| 866 | 867 | ||
| 867 | for (;;) { | 868 | for (;;) { |
| 868 | host_spot = netlbl_secattr_catmap_walk(secattr->mls_cat, | 869 | host_spot = netlbl_secattr_catmap_walk(secattr->attr.mls.cat, |
| 869 | host_spot + 1); | 870 | host_spot + 1); |
| 870 | if (host_spot < 0) | 871 | if (host_spot < 0) |
| 871 | break; | 872 | break; |
| @@ -948,7 +949,7 @@ static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def, | |||
| 948 | return -EPERM; | 949 | return -EPERM; |
| 949 | break; | 950 | break; |
| 950 | } | 951 | } |
| 951 | ret_val = netlbl_secattr_catmap_setbit(secattr->mls_cat, | 952 | ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat, |
| 952 | host_spot, | 953 | host_spot, |
| 953 | GFP_ATOMIC); | 954 | GFP_ATOMIC); |
| 954 | if (ret_val != 0) | 955 | if (ret_val != 0) |
| @@ -1014,7 +1015,8 @@ static int cipso_v4_map_cat_enum_hton(const struct cipso_v4_doi *doi_def, | |||
| 1014 | u32 cat_iter = 0; | 1015 | u32 cat_iter = 0; |
| 1015 | 1016 | ||
| 1016 | for (;;) { | 1017 | for (;;) { |
| 1017 | cat = netlbl_secattr_catmap_walk(secattr->mls_cat, cat + 1); | 1018 | cat = netlbl_secattr_catmap_walk(secattr->attr.mls.cat, |
| 1019 | cat + 1); | ||
| 1018 | if (cat < 0) | 1020 | if (cat < 0) |
| 1019 | break; | 1021 | break; |
| 1020 | if ((cat_iter + 2) > net_cat_len) | 1022 | if ((cat_iter + 2) > net_cat_len) |
| @@ -1049,7 +1051,7 @@ static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def, | |||
| 1049 | u32 iter; | 1051 | u32 iter; |
| 1050 | 1052 | ||
| 1051 | for (iter = 0; iter < net_cat_len; iter += 2) { | 1053 | for (iter = 0; iter < net_cat_len; iter += 2) { |
| 1052 | ret_val = netlbl_secattr_catmap_setbit(secattr->mls_cat, | 1054 | ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat, |
| 1053 | ntohs(get_unaligned((__be16 *)&net_cat[iter])), | 1055 | ntohs(get_unaligned((__be16 *)&net_cat[iter])), |
| 1054 | GFP_ATOMIC); | 1056 | GFP_ATOMIC); |
| 1055 | if (ret_val != 0) | 1057 | if (ret_val != 0) |
| @@ -1130,7 +1132,8 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def, | |||
| 1130 | return -ENOSPC; | 1132 | return -ENOSPC; |
| 1131 | 1133 | ||
| 1132 | for (;;) { | 1134 | for (;;) { |
| 1133 | iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1); | 1135 | iter = netlbl_secattr_catmap_walk(secattr->attr.mls.cat, |
| 1136 | iter + 1); | ||
| 1134 | if (iter < 0) | 1137 | if (iter < 0) |
| 1135 | break; | 1138 | break; |
| 1136 | cat_size += (iter == 0 ? 0 : sizeof(u16)); | 1139 | cat_size += (iter == 0 ? 0 : sizeof(u16)); |
| @@ -1138,7 +1141,8 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def, | |||
| 1138 | return -ENOSPC; | 1141 | return -ENOSPC; |
| 1139 | array[array_cnt++] = iter; | 1142 | array[array_cnt++] = iter; |
| 1140 | 1143 | ||
| 1141 | iter = netlbl_secattr_catmap_walk_rng(secattr->mls_cat, iter); | 1144 | iter = netlbl_secattr_catmap_walk_rng(secattr->attr.mls.cat, |
| 1145 | iter); | ||
| 1142 | if (iter < 0) | 1146 | if (iter < 0) |
| 1143 | return -EFAULT; | 1147 | return -EFAULT; |
| 1144 | cat_size += sizeof(u16); | 1148 | cat_size += sizeof(u16); |
| @@ -1191,7 +1195,7 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def, | |||
| 1191 | else | 1195 | else |
| 1192 | cat_low = 0; | 1196 | cat_low = 0; |
| 1193 | 1197 | ||
| 1194 | ret_val = netlbl_secattr_catmap_setrng(secattr->mls_cat, | 1198 | ret_val = netlbl_secattr_catmap_setrng(secattr->attr.mls.cat, |
| 1195 | cat_low, | 1199 | cat_low, |
| 1196 | cat_high, | 1200 | cat_high, |
| 1197 | GFP_ATOMIC); | 1201 | GFP_ATOMIC); |
| @@ -1251,7 +1255,9 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def, | |||
| 1251 | if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0) | 1255 | if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0) |
| 1252 | return -EPERM; | 1256 | return -EPERM; |
| 1253 | 1257 | ||
| 1254 | ret_val = cipso_v4_map_lvl_hton(doi_def, secattr->mls_lvl, &level); | 1258 | ret_val = cipso_v4_map_lvl_hton(doi_def, |
| 1259 | secattr->attr.mls.lvl, | ||
| 1260 | &level); | ||
| 1255 | if (ret_val != 0) | 1261 | if (ret_val != 0) |
| 1256 | return ret_val; | 1262 | return ret_val; |
| 1257 | 1263 | ||
| @@ -1303,12 +1309,13 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def, | |||
| 1303 | ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level); | 1309 | ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level); |
| 1304 | if (ret_val != 0) | 1310 | if (ret_val != 0) |
| 1305 | return ret_val; | 1311 | return ret_val; |
| 1306 | secattr->mls_lvl = level; | 1312 | secattr->attr.mls.lvl = level; |
| 1307 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; | 1313 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; |
| 1308 | 1314 | ||
| 1309 | if (tag_len > 4) { | 1315 | if (tag_len > 4) { |
| 1310 | secattr->mls_cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); | 1316 | secattr->attr.mls.cat = |
| 1311 | if (secattr->mls_cat == NULL) | 1317 | netlbl_secattr_catmap_alloc(GFP_ATOMIC); |
| 1318 | if (secattr->attr.mls.cat == NULL) | ||
| 1312 | return -ENOMEM; | 1319 | return -ENOMEM; |
| 1313 | 1320 | ||
| 1314 | ret_val = cipso_v4_map_cat_rbm_ntoh(doi_def, | 1321 | ret_val = cipso_v4_map_cat_rbm_ntoh(doi_def, |
| @@ -1316,7 +1323,7 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def, | |||
| 1316 | tag_len - 4, | 1323 | tag_len - 4, |
| 1317 | secattr); | 1324 | secattr); |
| 1318 | if (ret_val != 0) { | 1325 | if (ret_val != 0) { |
| 1319 | netlbl_secattr_catmap_free(secattr->mls_cat); | 1326 | netlbl_secattr_catmap_free(secattr->attr.mls.cat); |
| 1320 | return ret_val; | 1327 | return ret_val; |
| 1321 | } | 1328 | } |
| 1322 | 1329 | ||
| @@ -1350,7 +1357,9 @@ static int cipso_v4_gentag_enum(const struct cipso_v4_doi *doi_def, | |||
| 1350 | if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL)) | 1357 | if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL)) |
| 1351 | return -EPERM; | 1358 | return -EPERM; |
| 1352 | 1359 | ||
| 1353 | ret_val = cipso_v4_map_lvl_hton(doi_def, secattr->mls_lvl, &level); | 1360 | ret_val = cipso_v4_map_lvl_hton(doi_def, |
| 1361 | secattr->attr.mls.lvl, | ||
| 1362 | &level); | ||
| 1354 | if (ret_val != 0) | 1363 | if (ret_val != 0) |
| 1355 | return ret_val; | 1364 | return ret_val; |
| 1356 | 1365 | ||
| @@ -1396,12 +1405,13 @@ static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def, | |||
| 1396 | ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level); | 1405 | ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level); |
| 1397 | if (ret_val != 0) | 1406 | if (ret_val != 0) |
| 1398 | return ret_val; | 1407 | return ret_val; |
| 1399 | secattr->mls_lvl = level; | 1408 | secattr->attr.mls.lvl = level; |
| 1400 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; | 1409 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; |
| 1401 | 1410 | ||
| 1402 | if (tag_len > 4) { | 1411 | if (tag_len > 4) { |
| 1403 | secattr->mls_cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); | 1412 | secattr->attr.mls.cat = |
| 1404 | if (secattr->mls_cat == NULL) | 1413 | netlbl_secattr_catmap_alloc(GFP_ATOMIC); |
| 1414 | if (secattr->attr.mls.cat == NULL) | ||
| 1405 | return -ENOMEM; | 1415 | return -ENOMEM; |
| 1406 | 1416 | ||
| 1407 | ret_val = cipso_v4_map_cat_enum_ntoh(doi_def, | 1417 | ret_val = cipso_v4_map_cat_enum_ntoh(doi_def, |
| @@ -1409,7 +1419,7 @@ static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def, | |||
| 1409 | tag_len - 4, | 1419 | tag_len - 4, |
| 1410 | secattr); | 1420 | secattr); |
| 1411 | if (ret_val != 0) { | 1421 | if (ret_val != 0) { |
| 1412 | netlbl_secattr_catmap_free(secattr->mls_cat); | 1422 | netlbl_secattr_catmap_free(secattr->attr.mls.cat); |
| 1413 | return ret_val; | 1423 | return ret_val; |
| 1414 | } | 1424 | } |
| 1415 | 1425 | ||
| @@ -1443,7 +1453,9 @@ static int cipso_v4_gentag_rng(const struct cipso_v4_doi *doi_def, | |||
| 1443 | if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL)) | 1453 | if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL)) |
| 1444 | return -EPERM; | 1454 | return -EPERM; |
| 1445 | 1455 | ||
| 1446 | ret_val = cipso_v4_map_lvl_hton(doi_def, secattr->mls_lvl, &level); | 1456 | ret_val = cipso_v4_map_lvl_hton(doi_def, |
| 1457 | secattr->attr.mls.lvl, | ||
| 1458 | &level); | ||
| 1447 | if (ret_val != 0) | 1459 | if (ret_val != 0) |
| 1448 | return ret_val; | 1460 | return ret_val; |
| 1449 | 1461 | ||
| @@ -1488,12 +1500,13 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def, | |||
| 1488 | ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level); | 1500 | ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level); |
| 1489 | if (ret_val != 0) | 1501 | if (ret_val != 0) |
| 1490 | return ret_val; | 1502 | return ret_val; |
| 1491 | secattr->mls_lvl = level; | 1503 | secattr->attr.mls.lvl = level; |
| 1492 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; | 1504 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; |
| 1493 | 1505 | ||
| 1494 | if (tag_len > 4) { | 1506 | if (tag_len > 4) { |
| 1495 | secattr->mls_cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); | 1507 | secattr->attr.mls.cat = |
| 1496 | if (secattr->mls_cat == NULL) | 1508 | netlbl_secattr_catmap_alloc(GFP_ATOMIC); |
| 1509 | if (secattr->attr.mls.cat == NULL) | ||
| 1497 | return -ENOMEM; | 1510 | return -ENOMEM; |
| 1498 | 1511 | ||
| 1499 | ret_val = cipso_v4_map_cat_rng_ntoh(doi_def, | 1512 | ret_val = cipso_v4_map_cat_rng_ntoh(doi_def, |
| @@ -1501,7 +1514,7 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def, | |||
| 1501 | tag_len - 4, | 1514 | tag_len - 4, |
| 1502 | secattr); | 1515 | secattr); |
| 1503 | if (ret_val != 0) { | 1516 | if (ret_val != 0) { |
| 1504 | netlbl_secattr_catmap_free(secattr->mls_cat); | 1517 | netlbl_secattr_catmap_free(secattr->attr.mls.cat); |
| 1505 | return ret_val; | 1518 | return ret_val; |
| 1506 | } | 1519 | } |
| 1507 | 1520 | ||
| @@ -1850,6 +1863,8 @@ static int cipso_v4_getattr(const unsigned char *cipso, | |||
| 1850 | ret_val = cipso_v4_parsetag_rng(doi_def, &cipso[6], secattr); | 1863 | ret_val = cipso_v4_parsetag_rng(doi_def, &cipso[6], secattr); |
| 1851 | break; | 1864 | break; |
| 1852 | } | 1865 | } |
| 1866 | if (ret_val == 0) | ||
| 1867 | secattr->type = NETLBL_NLTYPE_CIPSOV4; | ||
| 1853 | 1868 | ||
| 1854 | getattr_return: | 1869 | getattr_return: |
| 1855 | rcu_read_unlock(); | 1870 | rcu_read_unlock(); |
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index fd53c7ae2977..7f5df0cbc63f 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c | |||
| @@ -241,6 +241,7 @@ int netlbl_unlabel_getattr(struct netlbl_lsm_secattr *secattr) | |||
| 241 | if (netlabel_unlabel_acceptflg == 0) | 241 | if (netlabel_unlabel_acceptflg == 0) |
| 242 | return -ENOMSG; | 242 | return -ENOMSG; |
| 243 | netlbl_secattr_init(secattr); | 243 | netlbl_secattr_init(secattr); |
| 244 | secattr->type = NETLBL_NLTYPE_UNLABELED; | ||
| 244 | return 0; | 245 | return 0; |
| 245 | } | 246 | } |
| 246 | 247 | ||
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 3bbcb5369af9..feaf0a5b828f 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
| @@ -562,7 +562,7 @@ void mls_export_netlbl_lvl(struct context *context, | |||
| 562 | if (!selinux_mls_enabled) | 562 | if (!selinux_mls_enabled) |
| 563 | return; | 563 | return; |
| 564 | 564 | ||
| 565 | secattr->mls_lvl = context->range.level[0].sens - 1; | 565 | secattr->attr.mls.lvl = context->range.level[0].sens - 1; |
| 566 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; | 566 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; |
| 567 | } | 567 | } |
| 568 | 568 | ||
| @@ -582,7 +582,7 @@ void mls_import_netlbl_lvl(struct context *context, | |||
| 582 | if (!selinux_mls_enabled) | 582 | if (!selinux_mls_enabled) |
| 583 | return; | 583 | return; |
| 584 | 584 | ||
| 585 | context->range.level[0].sens = secattr->mls_lvl + 1; | 585 | context->range.level[0].sens = secattr->attr.mls.lvl + 1; |
| 586 | context->range.level[1].sens = context->range.level[0].sens; | 586 | context->range.level[1].sens = context->range.level[0].sens; |
| 587 | } | 587 | } |
| 588 | 588 | ||
| @@ -605,8 +605,8 @@ int mls_export_netlbl_cat(struct context *context, | |||
| 605 | return 0; | 605 | return 0; |
| 606 | 606 | ||
| 607 | rc = ebitmap_netlbl_export(&context->range.level[0].cat, | 607 | rc = ebitmap_netlbl_export(&context->range.level[0].cat, |
| 608 | &secattr->mls_cat); | 608 | &secattr->attr.mls.cat); |
| 609 | if (rc == 0 && secattr->mls_cat != NULL) | 609 | if (rc == 0 && secattr->attr.mls.cat != NULL) |
| 610 | secattr->flags |= NETLBL_SECATTR_MLS_CAT; | 610 | secattr->flags |= NETLBL_SECATTR_MLS_CAT; |
| 611 | 611 | ||
| 612 | return rc; | 612 | return rc; |
| @@ -633,7 +633,7 @@ int mls_import_netlbl_cat(struct context *context, | |||
| 633 | return 0; | 633 | return 0; |
| 634 | 634 | ||
| 635 | rc = ebitmap_netlbl_import(&context->range.level[0].cat, | 635 | rc = ebitmap_netlbl_import(&context->range.level[0].cat, |
| 636 | secattr->mls_cat); | 636 | secattr->attr.mls.cat); |
| 637 | if (rc != 0) | 637 | if (rc != 0) |
| 638 | goto import_netlbl_cat_failure; | 638 | goto import_netlbl_cat_failure; |
| 639 | 639 | ||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 4bf715d4cf29..0f97ef578370 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -2550,6 +2550,9 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, | |||
| 2550 | default: | 2550 | default: |
| 2551 | goto netlbl_secattr_to_sid_return; | 2551 | goto netlbl_secattr_to_sid_return; |
| 2552 | } | 2552 | } |
| 2553 | } else if (secattr->flags & NETLBL_SECATTR_SECID) { | ||
| 2554 | *sid = secattr->attr.secid; | ||
| 2555 | rc = 0; | ||
| 2553 | } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { | 2556 | } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { |
| 2554 | ctx = sidtab_search(&sidtab, base_sid); | 2557 | ctx = sidtab_search(&sidtab, base_sid); |
| 2555 | if (ctx == NULL) | 2558 | if (ctx == NULL) |
| @@ -2561,7 +2564,7 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, | |||
| 2561 | mls_import_netlbl_lvl(&ctx_new, secattr); | 2564 | mls_import_netlbl_lvl(&ctx_new, secattr); |
| 2562 | if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { | 2565 | if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { |
| 2563 | if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, | 2566 | if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, |
| 2564 | secattr->mls_cat) != 0) | 2567 | secattr->attr.mls.cat) != 0) |
| 2565 | goto netlbl_secattr_to_sid_return; | 2568 | goto netlbl_secattr_to_sid_return; |
| 2566 | ctx_new.range.level[1].cat.highbit = | 2569 | ctx_new.range.level[1].cat.highbit = |
| 2567 | ctx_new.range.level[0].cat.highbit; | 2570 | ctx_new.range.level[0].cat.highbit; |