| author | Paul Moore <paul.moore@hp.com> | 2006-11-17 17:38:46 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-03 00:24:07 -0500 |
| commit | 701a90bad99b8081a824cca52c178c8fc8f46bb2 (patch) | |
| tree | 5fed88e6707e9122d7f16e4c5d8fea7c69e090ac /security | |
| parent | c6fa82a9dd6160e0bc980cb0401c16bf62f2fe66 (diff) | |
NetLabel: make netlbl_lsm_secattr struct easier/quicker to understand
The existing netlbl_lsm_secattr struct required the LSM to check all of the
fields to determine whether any security attributes were present, resulting in a lot
of work in the common case of no attributes. This patch adds a 'flags' field
which is used to indicate which attributes are present in the structure; this
should allow the LSM to do a quick comparison to determine whether the structure
holds any security attributes.
Example:
if (netlbl_lsm_secattr->flags)
/* security attributes present */
else
/* NO security attributes present */
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/ss/services.c | 24 |
1 files changed, 16 insertions, 8 deletions
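--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2254,8 +2254,6 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
 	cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
 	if (cache == NULL)
 		goto netlbl_cache_add_return;
-	secattr.cache->free = selinux_netlbl_cache_free;
-	secattr.cache->data = (void *)cache;
 
 	cache->type = NETLBL_CACHE_T_MLS;
 	if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
@@ -2268,6 +2266,10 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
 	cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
 	cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
 
+	secattr.cache->free = selinux_netlbl_cache_free;
+	secattr.cache->data = (void *)cache;
+	secattr.flags = NETLBL_SECATTR_CACHE;
+
 	netlbl_cache_add(skb, &secattr);
 
 netlbl_cache_add_return:
@@ -2313,7 +2315,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
 
 	POLICY_RDLOCK;
 
-	if (secattr->cache) {
+	if (secattr->flags & NETLBL_SECATTR_CACHE) {
 		cache = NETLBL_CACHE(secattr->cache->data);
 		switch (cache->type) {
 		case NETLBL_CACHE_T_SID:
@@ -2346,7 +2348,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
 		default:
 			goto netlbl_secattr_to_sid_return;
 		}
-	} else if (secattr->mls_lvl_vld) {
+	} else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
 		ctx = sidtab_search(&sidtab, base_sid);
 		if (ctx == NULL)
 			goto netlbl_secattr_to_sid_return;
@@ -2355,7 +2357,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
 		ctx_new.role = ctx->role;
 		ctx_new.type = ctx->type;
 		mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl);
-		if (secattr->mls_cat) {
+		if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
 			if (mls_import_cat(&ctx_new,
 					   secattr->mls_cat,
 					   secattr->mls_cat_len,
@@ -2414,11 +2416,13 @@ static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 
 	netlbl_secattr_init(&secattr);
 	rc = netlbl_skbuff_getattr(skb, &secattr);
-	if (rc == 0)
+	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
 		rc = selinux_netlbl_secattr_to_sid(skb,
 						   &secattr,
 						   base_sid,
 						   sid);
+	else
+		*sid = SECSID_NULL;
 	netlbl_secattr_destroy(&secattr);
 
 	return rc;
@@ -2455,7 +2459,6 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
 	secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
 				 GFP_ATOMIC);
 	mls_export_lvl(ctx, &secattr.mls_lvl, NULL);
-	secattr.mls_lvl_vld = 1;
 	rc = mls_export_cat(ctx,
 			    &secattr.mls_cat,
 			    &secattr.mls_cat_len,
@@ -2464,6 +2467,10 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
 	if (rc != 0)
 		goto netlbl_socket_setsid_return;
 
+	secattr.flags |= NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
+	if (secattr.mls_cat)
+		secattr.flags |= NETLBL_SECATTR_MLS_CAT;
+
 	rc = netlbl_socket_setattr(sock, &secattr);
 	if (rc == 0)
 		sksec->nlbl_state = NLBL_LABELED;
@@ -2564,6 +2571,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
 
 	netlbl_secattr_init(&secattr);
 	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
+	    secattr.flags != NETLBL_SECATTR_NONE &&
 	    selinux_netlbl_secattr_to_sid(NULL,
 					  &secattr,
 					  SECINITSID_UNLABELED,
@@ -2756,7 +2764,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
 	    sksec->nlbl_state == NLBL_LABELED) {
 		netlbl_secattr_init(&secattr);
 		rc = netlbl_socket_getattr(sock, &secattr);
-		if (rc == 0 && (secattr.cache || secattr.mls_lvl_vld))
+		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
 			rc = -EACCES;
 		netlbl_secattr_destroy(&secattr);
 	}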
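Review bot: In the selinux_netlbl_socket_setsid hunk (`@@ -2464,6 +2467,10`), NETLBL_SECATTR_DOMAIN is set unconditionally even though secattr.domain comes from an unchecked `kstrdup(..., GFP_ATOMIC)` in the preceding hunk, so an allocation failure leaves the flag asserting a domain string that is actually NULL. Any consumer that trusts the flag and dereferences secattr.domain would then fault, whereas the category flag two lines later is correctly guarded by `if (secattr.mls_cat)`. Either guard the domain flag the same way, `secattr.flags |= NETLBL_SECATTR_MLS_LVL;` followed by `if (secattr.domain) secattr.flags |= NETLBL_SECATTR_DOMAIN;`, or fail early right after the kstrdup with `if (secattr.domain == NULL) { rc = -ENOMEM; goto netlbl_socket_setsid_return; }`. selinux_netlbl_socket_setsid begins and ends outside these hunks, so whether its existing error path already frees secattr.domain cannot be confirmed from here. Separately, in the setsockopt hunk the new `secattr.flags != NETLBL_SECATTR_NONE` test is broader than the old `cache || mls_lvl_vld` test (a domain-only attribute set now yields -EACCES); if that widening is intended, a one-line comment saying so would help the next reader.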
