aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-07-25 02:27:16 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:21 -0400
commit08554d6b33e60aa8ee40bbef94505941c0eefef2 (patch)
tree1610750ccd13872a33fffffcce057e10aa785d2e /security
parent51bd39860ff829475aef611a3234309e37e090d9 (diff)
[MLSXFRM]: Define new SELinux service routine
This defines a routine that combines the Type Enforcement portion of one sid with the MLS portion from the other sid to arrive at a new sid. This would be used to define a sid for a security association that is to be negotiated by IKE as well as for determing the sid for open requests and connection-oriented child sockets. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/include/security.h2
-rw-r--r--security/selinux/ss/mls.c20
-rw-r--r--security/selinux/ss/mls.h20
-rw-r--r--security/selinux/ss/services.c69
4 files changed, 91 insertions, 20 deletions
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 063af47bb231..911954a692fa 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -78,6 +78,8 @@ int security_node_sid(u16 domain, void *addr, u32 addrlen,
78int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 78int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
79 u16 tclass); 79 u16 tclass);
80 80
81int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
82
81#define SECURITY_FS_USE_XATTR 1 /* use xattr */ 83#define SECURITY_FS_USE_XATTR 1 /* use xattr */
82#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */ 84#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
83#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */ 85#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 7bc5b6440f70..e15f7e0399b8 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -212,26 +212,6 @@ int mls_context_isvalid(struct policydb *p, struct context *c)
212} 212}
213 213
214/* 214/*
215 * Copies the MLS range from `src' into `dst'.
216 */
217static inline int mls_copy_context(struct context *dst,
218 struct context *src)
219{
220 int l, rc = 0;
221
222 /* Copy the MLS range from the source context */
223 for (l = 0; l < 2; l++) {
224 dst->range.level[l].sens = src->range.level[l].sens;
225 rc = ebitmap_cpy(&dst->range.level[l].cat,
226 &src->range.level[l].cat);
227 if (rc)
228 break;
229 }
230
231 return rc;
232}
233
234/*
235 * Set the MLS fields in the security context structure 215 * Set the MLS fields in the security context structure
236 * `context' based on the string representation in 216 * `context' based on the string representation in
237 * the string `*scontext'. Update `*scontext' to 217 * the string `*scontext'. Update `*scontext' to
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index fbb42f07dd7c..90c5e88987fa 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -17,6 +17,26 @@
17#include "context.h" 17#include "context.h"
18#include "policydb.h" 18#include "policydb.h"
19 19
20/*
21 * Copies the MLS range from `src' into `dst'.
22 */
23static inline int mls_copy_context(struct context *dst,
24 struct context *src)
25{
26 int l, rc = 0;
27
28 /* Copy the MLS range from the source context */
29 for (l = 0; l < 2; l++) {
30 dst->range.level[l].sens = src->range.level[l].sens;
31 rc = ebitmap_cpy(&dst->range.level[l].cat,
32 &src->range.level[l].cat);
33 if (rc)
34 break;
35 }
36
37 return rc;
38}
39
20int mls_compute_context_len(struct context *context); 40int mls_compute_context_len(struct context *context);
21void mls_sid_to_context(struct context *context, char **scontext); 41void mls_sid_to_context(struct context *context, char **scontext);
22int mls_context_isvalid(struct policydb *p, struct context *c); 42int mls_context_isvalid(struct policydb *p, struct context *c);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 85e429884393..b00ec69f0ffd 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1817,6 +1817,75 @@ out:
1817 return rc; 1817 return rc;
1818} 1818}
1819 1819
1820/*
1821 * security_sid_mls_copy() - computes a new sid based on the given
1822 * sid and the mls portion of mls_sid.
1823 */
1824int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
1825{
1826 struct context *context1;
1827 struct context *context2;
1828 struct context newcon;
1829 char *s;
1830 u32 len;
1831 int rc = 0;
1832
1833 if (!ss_initialized) {
1834 *new_sid = sid;
1835 goto out;
1836 }
1837
1838 context_init(&newcon);
1839
1840 POLICY_RDLOCK;
1841 context1 = sidtab_search(&sidtab, sid);
1842 if (!context1) {
1843 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID "
1844 "%d\n", sid);
1845 rc = -EINVAL;
1846 goto out_unlock;
1847 }
1848
1849 context2 = sidtab_search(&sidtab, mls_sid);
1850 if (!context2) {
1851 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID "
1852 "%d\n", mls_sid);
1853 rc = -EINVAL;
1854 goto out_unlock;
1855 }
1856
1857 newcon.user = context1->user;
1858 newcon.role = context1->role;
1859 newcon.type = context1->type;
1860 rc = mls_copy_context(&newcon, context2);
1861 if (rc)
1862 goto out_unlock;
1863
1864
1865 /* Check the validity of the new context. */
1866 if (!policydb_context_isvalid(&policydb, &newcon)) {
1867 rc = convert_context_handle_invalid_context(&newcon);
1868 if (rc)
1869 goto bad;
1870 }
1871
1872 rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
1873 goto out_unlock;
1874
1875bad:
1876 if (!context_struct_to_string(&newcon, &s, &len)) {
1877 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1878 "security_sid_mls_copy: invalid context %s", s);
1879 kfree(s);
1880 }
1881
1882out_unlock:
1883 POLICY_RDUNLOCK;
1884 context_destroy(&newcon);
1885out:
1886 return rc;
1887}
1888
1820struct selinux_audit_rule { 1889struct selinux_audit_rule {
1821 u32 au_seqno; 1890 u32 au_seqno;
1822 struct context au_ctxt; 1891 struct context au_ctxt;