aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2006-11-17 17:38:46 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-03 00:24:07 -0500
commit701a90bad99b8081a824cca52c178c8fc8f46bb2 (patch)
tree5fed88e6707e9122d7f16e4c5d8fea7c69e090ac /security
parentc6fa82a9dd6160e0bc980cb0401c16bf62f2fe66 (diff)
NetLabel: make netlbl_lsm_secattr struct easier/quicker to understand
The existing netlbl_lsm_secattr struct required the LSM to check all of the fields to determine if any security attributes were present resulting in a lot of work in the common case of no attributes. This patch adds a 'flags' field which is used to indicate which attributes are present in the structure; this should allow the LSM to do a quick comparison to determine if the structure holds any security attributes. Example: if (netlbl_lsm_secattr->flags) /* security attributes present */ else /* NO security attributes present */ Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/services.c24
1 files changed, 16 insertions, 8 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 408820486af0..1f5bbb246d28 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2254,8 +2254,6 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
2254 cache = kzalloc(sizeof(*cache), GFP_ATOMIC); 2254 cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
2255 if (cache == NULL) 2255 if (cache == NULL)
2256 goto netlbl_cache_add_return; 2256 goto netlbl_cache_add_return;
2257 secattr.cache->free = selinux_netlbl_cache_free;
2258 secattr.cache->data = (void *)cache;
2259 2257
2260 cache->type = NETLBL_CACHE_T_MLS; 2258 cache->type = NETLBL_CACHE_T_MLS;
2261 if (ebitmap_cpy(&cache->data.mls_label.level[0].cat, 2259 if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
@@ -2268,6 +2266,10 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
2268 cache->data.mls_label.level[0].sens = ctx->range.level[0].sens; 2266 cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
2269 cache->data.mls_label.level[1].sens = ctx->range.level[0].sens; 2267 cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
2270 2268
2269 secattr.cache->free = selinux_netlbl_cache_free;
2270 secattr.cache->data = (void *)cache;
2271 secattr.flags = NETLBL_SECATTR_CACHE;
2272
2271 netlbl_cache_add(skb, &secattr); 2273 netlbl_cache_add(skb, &secattr);
2272 2274
2273netlbl_cache_add_return: 2275netlbl_cache_add_return:
@@ -2313,7 +2315,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2313 2315
2314 POLICY_RDLOCK; 2316 POLICY_RDLOCK;
2315 2317
2316 if (secattr->cache) { 2318 if (secattr->flags & NETLBL_SECATTR_CACHE) {
2317 cache = NETLBL_CACHE(secattr->cache->data); 2319 cache = NETLBL_CACHE(secattr->cache->data);
2318 switch (cache->type) { 2320 switch (cache->type) {
2319 case NETLBL_CACHE_T_SID: 2321 case NETLBL_CACHE_T_SID:
@@ -2346,7 +2348,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2346 default: 2348 default:
2347 goto netlbl_secattr_to_sid_return; 2349 goto netlbl_secattr_to_sid_return;
2348 } 2350 }
2349 } else if (secattr->mls_lvl_vld) { 2351 } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
2350 ctx = sidtab_search(&sidtab, base_sid); 2352 ctx = sidtab_search(&sidtab, base_sid);
2351 if (ctx == NULL) 2353 if (ctx == NULL)
2352 goto netlbl_secattr_to_sid_return; 2354 goto netlbl_secattr_to_sid_return;
@@ -2355,7 +2357,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2355 ctx_new.role = ctx->role; 2357 ctx_new.role = ctx->role;
2356 ctx_new.type = ctx->type; 2358 ctx_new.type = ctx->type;
2357 mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl); 2359 mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl);
2358 if (secattr->mls_cat) { 2360 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
2359 if (mls_import_cat(&ctx_new, 2361 if (mls_import_cat(&ctx_new,
2360 secattr->mls_cat, 2362 secattr->mls_cat,
2361 secattr->mls_cat_len, 2363 secattr->mls_cat_len,
@@ -2414,11 +2416,13 @@ static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
2414 2416
2415 netlbl_secattr_init(&secattr); 2417 netlbl_secattr_init(&secattr);
2416 rc = netlbl_skbuff_getattr(skb, &secattr); 2418 rc = netlbl_skbuff_getattr(skb, &secattr);
2417 if (rc == 0) 2419 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
2418 rc = selinux_netlbl_secattr_to_sid(skb, 2420 rc = selinux_netlbl_secattr_to_sid(skb,
2419 &secattr, 2421 &secattr,
2420 base_sid, 2422 base_sid,
2421 sid); 2423 sid);
2424 else
2425 *sid = SECSID_NULL;
2422 netlbl_secattr_destroy(&secattr); 2426 netlbl_secattr_destroy(&secattr);
2423 2427
2424 return rc; 2428 return rc;
@@ -2455,7 +2459,6 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
2455 secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 2459 secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
2456 GFP_ATOMIC); 2460 GFP_ATOMIC);
2457 mls_export_lvl(ctx, &secattr.mls_lvl, NULL); 2461 mls_export_lvl(ctx, &secattr.mls_lvl, NULL);
2458 secattr.mls_lvl_vld = 1;
2459 rc = mls_export_cat(ctx, 2462 rc = mls_export_cat(ctx,
2460 &secattr.mls_cat, 2463 &secattr.mls_cat,
2461 &secattr.mls_cat_len, 2464 &secattr.mls_cat_len,
@@ -2464,6 +2467,10 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
2464 if (rc != 0) 2467 if (rc != 0)
2465 goto netlbl_socket_setsid_return; 2468 goto netlbl_socket_setsid_return;
2466 2469
2470 secattr.flags |= NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
2471 if (secattr.mls_cat)
2472 secattr.flags |= NETLBL_SECATTR_MLS_CAT;
2473
2467 rc = netlbl_socket_setattr(sock, &secattr); 2474 rc = netlbl_socket_setattr(sock, &secattr);
2468 if (rc == 0) 2475 if (rc == 0)
2469 sksec->nlbl_state = NLBL_LABELED; 2476 sksec->nlbl_state = NLBL_LABELED;
@@ -2564,6 +2571,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
2564 2571
2565 netlbl_secattr_init(&secattr); 2572 netlbl_secattr_init(&secattr);
2566 if (netlbl_sock_getattr(sk, &secattr) == 0 && 2573 if (netlbl_sock_getattr(sk, &secattr) == 0 &&
2574 secattr.flags != NETLBL_SECATTR_NONE &&
2567 selinux_netlbl_secattr_to_sid(NULL, 2575 selinux_netlbl_secattr_to_sid(NULL,
2568 &secattr, 2576 &secattr,
2569 SECINITSID_UNLABELED, 2577 SECINITSID_UNLABELED,
@@ -2756,7 +2764,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
2756 sksec->nlbl_state == NLBL_LABELED) { 2764 sksec->nlbl_state == NLBL_LABELED) {
2757 netlbl_secattr_init(&secattr); 2765 netlbl_secattr_init(&secattr);
2758 rc = netlbl_socket_getattr(sock, &secattr); 2766 rc = netlbl_socket_getattr(sock, &secattr);
2759 if (rc == 0 && (secattr.cache || secattr.mls_lvl_vld)) 2767 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
2760 rc = -EACCES; 2768 rc = -EACCES;
2761 netlbl_secattr_destroy(&secattr); 2769 netlbl_secattr_destroy(&secattr);
2762 } 2770 }