1 files changed, 51 insertions, 105 deletions
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 2cca8e251624..b4f682dc13ff 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -13,7 +13,7 @@
 /*
 * Updated: Hewlett-Packard <paul.moore@hp.com>
 *
- *      Added support to import/export the MLS label
+ *      Added support to import/export the MLS label from NetLabel
 *
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 */
@@ -22,6 +22,7 @@
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/errno.h>
+#include <net/netlabel.h>
 #include "sidtab.h"
 #include "mls.h"
 #include "policydb.h"
@@ -571,163 +572,108 @@ int mls_compute_sid(struct context *scontext,
        return -EINVAL;
 }
+#ifdef CONFIG_NETLABEL
 /**
- * mls_export_lvl - Export the MLS sensitivity levels
+ * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
 * @context: the security context
- * @low: the low sensitivity level
+ * @secattr: the NetLabel security attributes
- * @high: the high sensitivity level
 *
 * Description:
- * Given the security context copy the low MLS sensitivity level into lvl_low
+ * Given the security context copy the low MLS sensitivity level into the
- * and the high sensitivity level in lvl_high.  The MLS levels are only
+ * NetLabel MLS sensitivity level field.
- * exported if the pointers are not NULL, if they are NULL then that level is
- * not exported.
 *
 */
-void mls_export_lvl(const struct context *context, u32 *low, u32 *high)
+void mls_export_netlbl_lvl(struct context *context,
+                           struct netlbl_lsm_secattr *secattr)
 {
        if (!selinux_mls_enabled)
                return;
-        if (low != NULL)
+        secattr->mls_lvl = context->range.level[0].sens - 1;
-                *low = context->range.level[0].sens - 1;
+        secattr->flags |= NETLBL_SECATTR_MLS_LVL;
-        if (high != NULL)
-                *high = context->range.level[1].sens - 1;
 }
 /**
- * mls_import_lvl - Import the MLS sensitivity levels
+ * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
 * @context: the security context
- * @low: the low sensitivity level
+ * @secattr: the NetLabel security attributes
- * @high: the high sensitivity level
 *
 * Description:
- * Given the security context and the two sensitivty levels, set the MLS levels
+ * Given the security context and the NetLabel security attributes, copy the
- * in the context according the two given as parameters.  Returns zero on
+ * NetLabel MLS sensitivity level into the context.
- * success, negative values on failure.
 *
 */
-void mls_import_lvl(struct context *context, u32 low, u32 high)
+void mls_import_netlbl_lvl(struct context *context,
+                           struct netlbl_lsm_secattr *secattr)
 {
        if (!selinux_mls_enabled)
                return;
-        context->range.level[0].sens = low + 1;
+        context->range.level[0].sens = secattr->mls_lvl + 1;
-        context->range.level[1].sens = high + 1;
+        context->range.level[1].sens = context->range.level[0].sens;
 }
 /**
- * mls_export_cat - Export the MLS categories
+ * mls_export_netlbl_cat - Export the MLS categories to NetLabel
 * @context: the security context
- * @low: the low category
+ * @secattr: the NetLabel security attributes
- * @low_len: length of the cat_low bitmap in bytes
- * @high: the high category
- * @high_len: length of the cat_high bitmap in bytes
 *
 * Description:
- * Given the security context export the low MLS category bitmap into cat_low
+ * Given the security context copy the low MLS categories into the NetLabel
- * and the high category bitmap into cat_high.  The MLS categories are only
+ * MLS category field.  Returns zero on success, negative values on failure.
- * exported if the pointers are not NULL, if they are NULL then that level is
- * not exported.  The caller is responsibile for freeing the memory when
- * finished.  Returns zero on success, negative values on failure.
 *
 */
-int mls_export_cat(const struct context *context,
+int mls_export_netlbl_cat(struct context *context,
-                   unsigned char **low,
+                          struct netlbl_lsm_secattr *secattr)
-                   size_t *low_len,
-                   unsigned char **high,
-                   size_t *high_len)
 {
-        int rc = -EPERM;
+        int rc;
-        if (!selinux_mls_enabled) {
+        if (!selinux_mls_enabled)
-                *low = NULL;
-                *low_len = 0;
-                *high = NULL;
-                *high_len = 0;
                return 0;
-        }
-        if (low != NULL) {
+        rc = ebitmap_netlbl_export(&context->range.level[0].cat,
-                rc = ebitmap_export(&context->range.level[0].cat,
+                                   &secattr->mls_cat);
-                                    low,
+        if (rc == 0 && secattr->mls_cat != NULL)
-                                    low_len);
+                secattr->flags |= NETLBL_SECATTR_MLS_CAT;
-                if (rc != 0)
-                        goto export_cat_failure;
-        }
-        if (high != NULL) {
-                rc = ebitmap_export(&context->range.level[1].cat,
-                                    high,
-                                    high_len);
-                if (rc != 0)
-                        goto export_cat_failure;
-        }
-        return 0;
-export_cat_failure:
-        if (low != NULL) {
-                kfree(*low);
-                *low = NULL;
-                *low_len = 0;
-        }
-        if (high != NULL) {
-                kfree(*high);
-                *high = NULL;
-                *high_len = 0;
-        }
        return rc;
 }
 /**
- * mls_import_cat - Import the MLS categories
+ * mls_import_netlbl_cat - Import the MLS categories from NetLabel
 * @context: the security context
- * @low: the low category
+ * @secattr: the NetLabel security attributes
- * @low_len: length of the cat_low bitmap in bytes
- * @high: the high category
- * @high_len: length of the cat_high bitmap in bytes
 *
 * Description:
- * Given the security context and the two category bitmap strings import the
+ * Copy the NetLabel security attributes into the SELinux context; since the
- * categories into the security context.  The MLS categories are only imported
+ * NetLabel security attribute only contains a single MLS category use it for
- * if the pointers are not NULL, if they are NULL they are skipped.  Returns
+ * both the low and high categories of the context.  Returns zero on success,
- * zero on success, negative values on failure.
+ * negative values on failure.
 *
 */
-int mls_import_cat(struct context *context,
+int mls_import_netlbl_cat(struct context *context,
-                   const unsigned char *low,
+                          struct netlbl_lsm_secattr *secattr)
-                   size_t low_len,
-                   const unsigned char *high,
-                   size_t high_len)
 {
-        int rc = -EPERM;
+        int rc;
        if (!selinux_mls_enabled)
                return 0;
-        if (low != NULL) {
+        rc = ebitmap_netlbl_import(&context->range.level[0].cat,
-                rc = ebitmap_import(low,
+                                   secattr->mls_cat);
-                                    low_len,
+        if (rc != 0)
-                                    &context->range.level[0].cat);
+                goto import_netlbl_cat_failure;
-                if (rc != 0)
-                        goto import_cat_failure;
+        rc = ebitmap_cpy(&context->range.level[1].cat,
-        }
+                         &context->range.level[0].cat);
-        if (high != NULL) {
+        if (rc != 0)
-                if (high == low)
+                goto import_netlbl_cat_failure;
-                        rc = ebitmap_cpy(&context->range.level[1].cat,
-                                         &context->range.level[0].cat);
-                else
-                        rc = ebitmap_import(high,
-                                            high_len,
-                                            &context->range.level[1].cat);
-                if (rc != 0)
-                        goto import_cat_failure;
-        }
        return 0;
-import_cat_failure:
+import_netlbl_cat_failure:
        ebitmap_destroy(&context->range.level[0].cat);
        ebitmap_destroy(&context->range.level[1].cat);
        return rc;
 }
+#endif /* CONFIG_NETLABEL */

diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 2cca8e251624..b4f682dc13ff 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c
@@ -13,7 +13,7 @@
13	/*	13	/*
14	* Updated: Hewlett-Packard <paul.moore@hp.com>	14	* Updated: Hewlett-Packard <paul.moore@hp.com>
15	*	15	*
16	* Added support to import/export the MLS label	16	* Added support to import/export the MLS label from NetLabel
17	*	17	*
18	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006	18	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
19	*/	19	*/
@@ -22,6 +22,7 @@
22	#include <linux/slab.h>	22	#include <linux/slab.h>
23	#include <linux/string.h>	23	#include <linux/string.h>
24	#include <linux/errno.h>	24	#include <linux/errno.h>
		25	#include <net/netlabel.h>
25	#include "sidtab.h"	26	#include "sidtab.h"
26	#include "mls.h"	27	#include "mls.h"
27	#include "policydb.h"	28	#include "policydb.h"
@@ -571,163 +572,108 @@ int mls_compute_sid(struct context *scontext,
571	return -EINVAL;	572	return -EINVAL;
572	}	573	}
573		574
		575	#ifdef CONFIG_NETLABEL
574	/**	576	/**
575	* mls_export_lvl - Export the MLS sensitivity levels	577	* mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
576	* @context: the security context	578	* @context: the security context
577	* @low: the low sensitivity level	579	* @secattr: the NetLabel security attributes
578	* @high: the high sensitivity level
579	*	580	*
580	* Description:	581	* Description:
581	* Given the security context copy the low MLS sensitivity level into lvl_low	582	* Given the security context copy the low MLS sensitivity level into the
582	* and the high sensitivity level in lvl_high. The MLS levels are only	583	* NetLabel MLS sensitivity level field.
583	* exported if the pointers are not NULL, if they are NULL then that level is
584	* not exported.
585	*	584	*
586	*/	585	*/
587	void mls_export_lvl(const struct context context, u32 low, u32 *high)	586	void mls_export_netlbl_lvl(struct context *context,
		587	struct netlbl_lsm_secattr *secattr)
588	{	588	{
589	if (!selinux_mls_enabled)	589	if (!selinux_mls_enabled)
590	return;	590	return;
591		591
592	if (low != NULL)	592	secattr->mls_lvl = context->range.level[0].sens - 1;
593	*low = context->range.level[0].sens - 1;	593	secattr->flags \|= NETLBL_SECATTR_MLS_LVL;
594	if (high != NULL)
595	*high = context->range.level[1].sens - 1;
596	}	594	}
597		595
598	/**	596	/**
599	* mls_import_lvl - Import the MLS sensitivity levels	597	* mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
600	* @context: the security context	598	* @context: the security context
601	* @low: the low sensitivity level	599	* @secattr: the NetLabel security attributes
602	* @high: the high sensitivity level
603	*	600	*
604	* Description:	601	* Description:
605	* Given the security context and the two sensitivty levels, set the MLS levels	602	* Given the security context and the NetLabel security attributes, copy the
606	* in the context according the two given as parameters. Returns zero on	603	* NetLabel MLS sensitivity level into the context.
607	* success, negative values on failure.
608	*	604	*
609	*/	605	*/
610	void mls_import_lvl(struct context *context, u32 low, u32 high)	606	void mls_import_netlbl_lvl(struct context *context,
		607	struct netlbl_lsm_secattr *secattr)
611	{	608	{
612	if (!selinux_mls_enabled)	609	if (!selinux_mls_enabled)
613	return;	610	return;
614		611
615	context->range.level[0].sens = low + 1;	612	context->range.level[0].sens = secattr->mls_lvl + 1;
616	context->range.level[1].sens = high + 1;	613	context->range.level[1].sens = context->range.level[0].sens;
617	}	614	}
618		615
619	/**	616	/**
620	* mls_export_cat - Export the MLS categories	617	* mls_export_netlbl_cat - Export the MLS categories to NetLabel
621	* @context: the security context	618	* @context: the security context
622	* @low: the low category	619	* @secattr: the NetLabel security attributes
623	* @low_len: length of the cat_low bitmap in bytes
624	* @high: the high category
625	* @high_len: length of the cat_high bitmap in bytes
626	*	620	*
627	* Description:	621	* Description:
628	* Given the security context export the low MLS category bitmap into cat_low	622	* Given the security context copy the low MLS categories into the NetLabel
629	* and the high category bitmap into cat_high. The MLS categories are only	623	* MLS category field. Returns zero on success, negative values on failure.
630	* exported if the pointers are not NULL, if they are NULL then that level is
631	* not exported. The caller is responsibile for freeing the memory when
632	* finished. Returns zero on success, negative values on failure.
633	*	624	*
634	*/	625	*/
635	int mls_export_cat(const struct context *context,	626	int mls_export_netlbl_cat(struct context *context,
636	unsigned char **low,	627	struct netlbl_lsm_secattr *secattr)
637	size_t *low_len,
638	unsigned char **high,
639	size_t *high_len)
640	{	628	{
641	int rc = -EPERM;	629	int rc;
642		630
643	if (!selinux_mls_enabled) {	631	if (!selinux_mls_enabled)
644	*low = NULL;
645	*low_len = 0;
646	*high = NULL;
647	*high_len = 0;
648	return 0;	632	return 0;
649	}
650		633
651	if (low != NULL) {	634	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
652	rc = ebitmap_export(&context->range.level[0].cat,	635	&secattr->mls_cat);
653	low,	636	if (rc == 0 && secattr->mls_cat != NULL)
654	low_len);	637	secattr->flags \|= NETLBL_SECATTR_MLS_CAT;
655	if (rc != 0)
656	goto export_cat_failure;
657	}
658	if (high != NULL) {
659	rc = ebitmap_export(&context->range.level[1].cat,
660	high,
661	high_len);
662	if (rc != 0)
663	goto export_cat_failure;
664	}
665
666	return 0;
667		638
668	export_cat_failure:
669	if (low != NULL) {
670	kfree(*low);
671	*low = NULL;
672	*low_len = 0;
673	}
674	if (high != NULL) {
675	kfree(*high);
676	*high = NULL;
677	*high_len = 0;
678	}
679	return rc;	639	return rc;
680	}	640	}
681		641
682	/**	642	/**
683	* mls_import_cat - Import the MLS categories	643	* mls_import_netlbl_cat - Import the MLS categories from NetLabel
684	* @context: the security context	644	* @context: the security context
685	* @low: the low category	645	* @secattr: the NetLabel security attributes
686	* @low_len: length of the cat_low bitmap in bytes
687	* @high: the high category
688	* @high_len: length of the cat_high bitmap in bytes
689	*	646	*
690	* Description:	647	* Description:
691	* Given the security context and the two category bitmap strings import the	648	* Copy the NetLabel security attributes into the SELinux context; since the
692	* categories into the security context. The MLS categories are only imported	649	* NetLabel security attribute only contains a single MLS category use it for
693	* if the pointers are not NULL, if they are NULL they are skipped. Returns	650	* both the low and high categories of the context. Returns zero on success,
694	* zero on success, negative values on failure.	651	* negative values on failure.
695	*	652	*
696	*/	653	*/
697	int mls_import_cat(struct context *context,	654	int mls_import_netlbl_cat(struct context *context,
698	const unsigned char *low,	655	struct netlbl_lsm_secattr *secattr)
699	size_t low_len,
700	const unsigned char *high,
701	size_t high_len)
702	{	656	{
703	int rc = -EPERM;	657	int rc;
704		658
705	if (!selinux_mls_enabled)	659	if (!selinux_mls_enabled)
706	return 0;	660	return 0;
707		661
708	if (low != NULL) {	662	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
709	rc = ebitmap_import(low,	663	secattr->mls_cat);
710	low_len,	664	if (rc != 0)
711	&context->range.level[0].cat);	665	goto import_netlbl_cat_failure;
712	if (rc != 0)	666
713	goto import_cat_failure;	667	rc = ebitmap_cpy(&context->range.level[1].cat,
714	}	668	&context->range.level[0].cat);
715	if (high != NULL) {	669	if (rc != 0)
716	if (high == low)	670	goto import_netlbl_cat_failure;
717	rc = ebitmap_cpy(&context->range.level[1].cat,
718	&context->range.level[0].cat);
719	else
720	rc = ebitmap_import(high,
721	high_len,
722	&context->range.level[1].cat);
723	if (rc != 0)
724	goto import_cat_failure;
725	}
726		671
727	return 0;	672	return 0;
728		673
729	import_cat_failure:	674	import_netlbl_cat_failure:
730	ebitmap_destroy(&context->range.level[0].cat);	675	ebitmap_destroy(&context->range.level[0].cat);
731	ebitmap_destroy(&context->range.level[1].cat);	676	ebitmap_destroy(&context->range.level[1].cat);
732	return rc;	677	return rc;
733	}	678	}
		679	#endif /* CONFIG_NETLABEL */