diff options
author | Paul Moore <paul.moore@hp.com> | 2006-11-17 17:38:46 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-03 00:24:07 -0500 |
commit | 701a90bad99b8081a824cca52c178c8fc8f46bb2 (patch) | |
tree | 5fed88e6707e9122d7f16e4c5d8fea7c69e090ac /security | |
parent | c6fa82a9dd6160e0bc980cb0401c16bf62f2fe66 (diff) |
NetLabel: make netlbl_lsm_secattr struct easier/quicker to understand
The existing netlbl_lsm_secattr struct required the LSM to check all of the
fields to determine if any security attributes were present resulting in a lot
of work in the common case of no attributes. This patch adds a 'flags' field
which is used to indicate which attributes are present in the structure; this
should allow the LSM to do a quick comparison to determine if the structure
holds any security attributes.
Example:
if (netlbl_lsm_secattr->flags)
/* security attributes present */
else
/* NO security attributes present */
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/ss/services.c | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 408820486af0..1f5bbb246d28 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -2254,8 +2254,6 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx) | |||
2254 | cache = kzalloc(sizeof(*cache), GFP_ATOMIC); | 2254 | cache = kzalloc(sizeof(*cache), GFP_ATOMIC); |
2255 | if (cache == NULL) | 2255 | if (cache == NULL) |
2256 | goto netlbl_cache_add_return; | 2256 | goto netlbl_cache_add_return; |
2257 | secattr.cache->free = selinux_netlbl_cache_free; | ||
2258 | secattr.cache->data = (void *)cache; | ||
2259 | 2257 | ||
2260 | cache->type = NETLBL_CACHE_T_MLS; | 2258 | cache->type = NETLBL_CACHE_T_MLS; |
2261 | if (ebitmap_cpy(&cache->data.mls_label.level[0].cat, | 2259 | if (ebitmap_cpy(&cache->data.mls_label.level[0].cat, |
@@ -2268,6 +2266,10 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx) | |||
2268 | cache->data.mls_label.level[0].sens = ctx->range.level[0].sens; | 2266 | cache->data.mls_label.level[0].sens = ctx->range.level[0].sens; |
2269 | cache->data.mls_label.level[1].sens = ctx->range.level[0].sens; | 2267 | cache->data.mls_label.level[1].sens = ctx->range.level[0].sens; |
2270 | 2268 | ||
2269 | secattr.cache->free = selinux_netlbl_cache_free; | ||
2270 | secattr.cache->data = (void *)cache; | ||
2271 | secattr.flags = NETLBL_SECATTR_CACHE; | ||
2272 | |||
2271 | netlbl_cache_add(skb, &secattr); | 2273 | netlbl_cache_add(skb, &secattr); |
2272 | 2274 | ||
2273 | netlbl_cache_add_return: | 2275 | netlbl_cache_add_return: |
@@ -2313,7 +2315,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, | |||
2313 | 2315 | ||
2314 | POLICY_RDLOCK; | 2316 | POLICY_RDLOCK; |
2315 | 2317 | ||
2316 | if (secattr->cache) { | 2318 | if (secattr->flags & NETLBL_SECATTR_CACHE) { |
2317 | cache = NETLBL_CACHE(secattr->cache->data); | 2319 | cache = NETLBL_CACHE(secattr->cache->data); |
2318 | switch (cache->type) { | 2320 | switch (cache->type) { |
2319 | case NETLBL_CACHE_T_SID: | 2321 | case NETLBL_CACHE_T_SID: |
@@ -2346,7 +2348,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, | |||
2346 | default: | 2348 | default: |
2347 | goto netlbl_secattr_to_sid_return; | 2349 | goto netlbl_secattr_to_sid_return; |
2348 | } | 2350 | } |
2349 | } else if (secattr->mls_lvl_vld) { | 2351 | } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { |
2350 | ctx = sidtab_search(&sidtab, base_sid); | 2352 | ctx = sidtab_search(&sidtab, base_sid); |
2351 | if (ctx == NULL) | 2353 | if (ctx == NULL) |
2352 | goto netlbl_secattr_to_sid_return; | 2354 | goto netlbl_secattr_to_sid_return; |
@@ -2355,7 +2357,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, | |||
2355 | ctx_new.role = ctx->role; | 2357 | ctx_new.role = ctx->role; |
2356 | ctx_new.type = ctx->type; | 2358 | ctx_new.type = ctx->type; |
2357 | mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl); | 2359 | mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl); |
2358 | if (secattr->mls_cat) { | 2360 | if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { |
2359 | if (mls_import_cat(&ctx_new, | 2361 | if (mls_import_cat(&ctx_new, |
2360 | secattr->mls_cat, | 2362 | secattr->mls_cat, |
2361 | secattr->mls_cat_len, | 2363 | secattr->mls_cat_len, |
@@ -2414,11 +2416,13 @@ static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, | |||
2414 | 2416 | ||
2415 | netlbl_secattr_init(&secattr); | 2417 | netlbl_secattr_init(&secattr); |
2416 | rc = netlbl_skbuff_getattr(skb, &secattr); | 2418 | rc = netlbl_skbuff_getattr(skb, &secattr); |
2417 | if (rc == 0) | 2419 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
2418 | rc = selinux_netlbl_secattr_to_sid(skb, | 2420 | rc = selinux_netlbl_secattr_to_sid(skb, |
2419 | &secattr, | 2421 | &secattr, |
2420 | base_sid, | 2422 | base_sid, |
2421 | sid); | 2423 | sid); |
2424 | else | ||
2425 | *sid = SECSID_NULL; | ||
2422 | netlbl_secattr_destroy(&secattr); | 2426 | netlbl_secattr_destroy(&secattr); |
2423 | 2427 | ||
2424 | return rc; | 2428 | return rc; |
@@ -2455,7 +2459,6 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) | |||
2455 | secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], | 2459 | secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], |
2456 | GFP_ATOMIC); | 2460 | GFP_ATOMIC); |
2457 | mls_export_lvl(ctx, &secattr.mls_lvl, NULL); | 2461 | mls_export_lvl(ctx, &secattr.mls_lvl, NULL); |
2458 | secattr.mls_lvl_vld = 1; | ||
2459 | rc = mls_export_cat(ctx, | 2462 | rc = mls_export_cat(ctx, |
2460 | &secattr.mls_cat, | 2463 | &secattr.mls_cat, |
2461 | &secattr.mls_cat_len, | 2464 | &secattr.mls_cat_len, |
@@ -2464,6 +2467,10 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) | |||
2464 | if (rc != 0) | 2467 | if (rc != 0) |
2465 | goto netlbl_socket_setsid_return; | 2468 | goto netlbl_socket_setsid_return; |
2466 | 2469 | ||
2470 | secattr.flags |= NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; | ||
2471 | if (secattr.mls_cat) | ||
2472 | secattr.flags |= NETLBL_SECATTR_MLS_CAT; | ||
2473 | |||
2467 | rc = netlbl_socket_setattr(sock, &secattr); | 2474 | rc = netlbl_socket_setattr(sock, &secattr); |
2468 | if (rc == 0) | 2475 | if (rc == 0) |
2469 | sksec->nlbl_state = NLBL_LABELED; | 2476 | sksec->nlbl_state = NLBL_LABELED; |
@@ -2564,6 +2571,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) | |||
2564 | 2571 | ||
2565 | netlbl_secattr_init(&secattr); | 2572 | netlbl_secattr_init(&secattr); |
2566 | if (netlbl_sock_getattr(sk, &secattr) == 0 && | 2573 | if (netlbl_sock_getattr(sk, &secattr) == 0 && |
2574 | secattr.flags != NETLBL_SECATTR_NONE && | ||
2567 | selinux_netlbl_secattr_to_sid(NULL, | 2575 | selinux_netlbl_secattr_to_sid(NULL, |
2568 | &secattr, | 2576 | &secattr, |
2569 | SECINITSID_UNLABELED, | 2577 | SECINITSID_UNLABELED, |
@@ -2756,7 +2764,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, | |||
2756 | sksec->nlbl_state == NLBL_LABELED) { | 2764 | sksec->nlbl_state == NLBL_LABELED) { |
2757 | netlbl_secattr_init(&secattr); | 2765 | netlbl_secattr_init(&secattr); |
2758 | rc = netlbl_socket_getattr(sock, &secattr); | 2766 | rc = netlbl_socket_getattr(sock, &secattr); |
2759 | if (rc == 0 && (secattr.cache || secattr.mls_lvl_vld)) | 2767 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
2760 | rc = -EACCES; | 2768 | rc = -EACCES; |
2761 | netlbl_secattr_destroy(&secattr); | 2769 | netlbl_secattr_destroy(&secattr); |
2762 | } | 2770 | } |