| -rw-r--r-- | security/selinux/ss/context.h | 23 | ||||
| -rw-r--r-- | security/selinux/ss/mls.c | 30 | ||||
| -rw-r--r-- | security/selinux/ss/mls.h | 20 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 3 |
4 files changed, 29 insertions, 47 deletions
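--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -55,6 +55,29 @@ out:
 	return rc;
 }
 
+/*
+ * Sets both levels in the MLS range of 'dst' to the low level of 'src'.
+ */
+static inline int mls_context_cpy_low(struct context *dst, struct context *src)
+{
+	int rc;
+
+	if (!selinux_mls_enabled)
+		return 0;
+
+	dst->range.level[0].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
+	if (rc)
+		goto out;
+
+	dst->range.level[1].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
+	if (rc)
+		ebitmap_destroy(&dst->range.level[0].cat);
+out:
+	return rc;
+}
+
 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
 	if (!selinux_mls_enabled)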
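Review bot: The asymmetric cleanup in mls_context_cpy_low() is not self-explanatory: on the second ebitmap_cpy() failure only level[0].cat is destroyed, which presumably relies on ebitmap_cpy() tearing down its own partially built destination before returning an error, and on the first failure nothing in dst is undone for the same reason. That dependency deserves a comment at the destroy call, e.g. `/* ebitmap_cpy() frees the partial level[1].cat itself; undo level[0] here. */`, so a later change to ebitmap_cpy()'s failure contract is caught in review rather than turning into a leak or double free. As a point of style, the `out:` label exists only to reach a bare `return rc;`; `if (rc)` / `return rc;` after the first copy would read the same and drop the label. The hunk opens on the tail of a preceding function whose body is outside it.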
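--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -270,7 +270,7 @@ int mls_context_to_sid(char oldc,
 		if (!defcon)
 			goto out;
 
-		rc = mls_copy_context(context, defcon);
+		rc = mls_context_cpy(context, defcon);
 		goto out;
 	}
 
@@ -401,26 +401,6 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
 }
 
 /*
- * Copies the effective MLS range from `src' into `dst'.
- */
-static inline int mls_scopy_context(struct context *dst,
-				    struct context *src)
-{
-	int l, rc = 0;
-
-	/* Copy the MLS range from the source context */
-	for (l = 0; l < 2; l++) {
-		dst->range.level[l].sens = src->range.level[0].sens;
-		rc = ebitmap_cpy(&dst->range.level[l].cat,
-				 &src->range.level[0].cat);
-		if (rc)
-			break;
-	}
-
-	return rc;
-}
-
-/*
  * Copies the MLS range `range' into `context'.
  */
 static inline int mls_range_set(struct context *context,
@@ -552,19 +532,19 @@ int mls_compute_sid(struct context *scontext,
 	case AVTAB_CHANGE:
 		if (tclass == SECCLASS_PROCESS)
 			/* Use the process MLS attributes. */
-			return mls_copy_context(newcontext, scontext);
+			return mls_context_cpy(newcontext, scontext);
 		else
 			/* Use the process effective MLS attributes. */
-			return mls_scopy_context(newcontext, scontext);
+			return mls_context_cpy_low(newcontext, scontext);
 	case AVTAB_MEMBER:
 		/* Only polyinstantiate the MLS attributes if
 		   the type is being polyinstantiated */
 		if (newcontext->type != tcontext->type) {
 			/* Use the process effective MLS attributes. */
-			return mls_context_cpy_low(newcontext, scontext);
+			return mls_context_cpy_low(newcontext, scontext);
 		} else {
 			/* Use the related object MLS attributes. */
-			return mls_copy_context(newcontext, tcontext);
+			return mls_context_cpy(newcontext, tcontext);
 		}
 	default:
 		return -EINVAL;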
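Review bot: The two call-site comments "Use the process effective MLS attributes." in mls_compute_sid() now lean on a word the file no longer defines, since the deleted mls_scopy_context() carried the only explanation of "effective", and the new helper lives in another header. Spelling the meaning out where the policy decision is made keeps the MLS semantics auditable from this switch alone: `/* Use the process effective MLS attributes: the low level of the subject range for both levels of the new context. */` at both mls_context_cpy_low() calls. The same wording applies to the AVTAB_CHANGE and AVTAB_MEMBER branches; mls_compute_sid() begins outside the hunk.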
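--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -24,26 +24,6 @@
 #include "context.h"
 #include "policydb.h"
 
-/*
- * Copies the MLS range from `src' into `dst'.
- */
-static inline int mls_copy_context(struct context *dst,
-				   struct context *src)
-{
-	int l, rc = 0;
-
-	/* Copy the MLS range from the source context */
-	for (l = 0; l < 2; l++) {
-		dst->range.level[l].sens = src->range.level[l].sens;
-		rc = ebitmap_cpy(&dst->range.level[l].cat,
-				 &src->range.level[l].cat);
-		if (rc)
-			break;
-	}
-
-	return rc;
-}
-
 int mls_compute_context_len(struct context *context);
 void mls_sid_to_context(struct context *context, char **scontext);
 int mls_context_isvalid(struct policydb *p, struct context *c);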
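--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1916,11 +1916,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
 	newcon.user = context1->user;
 	newcon.role = context1->role;
 	newcon.type = context1->type;
-	rc = mls_copy_context(&newcon, context2);
+	rc = mls_context_cpy(&newcon, context2);
 	if (rc)
 		goto out_unlock;
 
-
 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(&policydb, &newcon)) {
 		rc = convert_context_handle_invalid_context(&newcon);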
