diff options
Diffstat (limited to 'security/selinux/ss/mls.c')
| -rw-r--r-- | security/selinux/ss/mls.c | 42 |
1 files changed, 23 insertions, 19 deletions
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index d4c32c39ccc9..aaefac2921f1 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
| @@ -27,6 +27,7 @@ | |||
| 27 | int mls_compute_context_len(struct context * context) | 27 | int mls_compute_context_len(struct context * context) |
| 28 | { | 28 | { |
| 29 | int i, l, len, range; | 29 | int i, l, len, range; |
| 30 | struct ebitmap_node *node; | ||
| 30 | 31 | ||
| 31 | if (!selinux_mls_enabled) | 32 | if (!selinux_mls_enabled) |
| 32 | return 0; | 33 | return 0; |
| @@ -36,24 +37,24 @@ int mls_compute_context_len(struct context * context) | |||
| 36 | range = 0; | 37 | range = 0; |
| 37 | len += strlen(policydb.p_sens_val_to_name[context->range.level[l].sens - 1]); | 38 | len += strlen(policydb.p_sens_val_to_name[context->range.level[l].sens - 1]); |
| 38 | 39 | ||
| 39 | for (i = 1; i <= ebitmap_length(&context->range.level[l].cat); i++) { | 40 | ebitmap_for_each_bit(&context->range.level[l].cat, node, i) { |
| 40 | if (ebitmap_get_bit(&context->range.level[l].cat, i - 1)) { | 41 | if (ebitmap_node_get_bit(node, i)) { |
| 41 | if (range) { | 42 | if (range) { |
| 42 | range++; | 43 | range++; |
| 43 | continue; | 44 | continue; |
| 44 | } | 45 | } |
| 45 | 46 | ||
| 46 | len += strlen(policydb.p_cat_val_to_name[i - 1]) + 1; | 47 | len += strlen(policydb.p_cat_val_to_name[i]) + 1; |
| 47 | range++; | 48 | range++; |
| 48 | } else { | 49 | } else { |
| 49 | if (range > 1) | 50 | if (range > 1) |
| 50 | len += strlen(policydb.p_cat_val_to_name[i - 2]) + 1; | 51 | len += strlen(policydb.p_cat_val_to_name[i - 1]) + 1; |
| 51 | range = 0; | 52 | range = 0; |
| 52 | } | 53 | } |
| 53 | } | 54 | } |
| 54 | /* Handle case where last category is the end of range */ | 55 | /* Handle case where last category is the end of range */ |
| 55 | if (range > 1) | 56 | if (range > 1) |
| 56 | len += strlen(policydb.p_cat_val_to_name[i - 2]) + 1; | 57 | len += strlen(policydb.p_cat_val_to_name[i - 1]) + 1; |
| 57 | 58 | ||
| 58 | if (l == 0) { | 59 | if (l == 0) { |
| 59 | if (mls_level_eq(&context->range.level[0], | 60 | if (mls_level_eq(&context->range.level[0], |
| @@ -77,6 +78,7 @@ void mls_sid_to_context(struct context *context, | |||
| 77 | { | 78 | { |
| 78 | char *scontextp; | 79 | char *scontextp; |
| 79 | int i, l, range, wrote_sep; | 80 | int i, l, range, wrote_sep; |
| 81 | struct ebitmap_node *node; | ||
| 80 | 82 | ||
| 81 | if (!selinux_mls_enabled) | 83 | if (!selinux_mls_enabled) |
| 82 | return; | 84 | return; |
| @@ -94,8 +96,8 @@ void mls_sid_to_context(struct context *context, | |||
| 94 | scontextp += strlen(policydb.p_sens_val_to_name[context->range.level[l].sens - 1]); | 96 | scontextp += strlen(policydb.p_sens_val_to_name[context->range.level[l].sens - 1]); |
| 95 | 97 | ||
| 96 | /* categories */ | 98 | /* categories */ |
| 97 | for (i = 1; i <= ebitmap_length(&context->range.level[l].cat); i++) { | 99 | ebitmap_for_each_bit(&context->range.level[l].cat, node, i) { |
| 98 | if (ebitmap_get_bit(&context->range.level[l].cat, i - 1)) { | 100 | if (ebitmap_node_get_bit(node, i)) { |
| 99 | if (range) { | 101 | if (range) { |
| 100 | range++; | 102 | range++; |
| 101 | continue; | 103 | continue; |
| @@ -106,8 +108,8 @@ void mls_sid_to_context(struct context *context, | |||
| 106 | wrote_sep = 1; | 108 | wrote_sep = 1; |
| 107 | } else | 109 | } else |
| 108 | *scontextp++ = ','; | 110 | *scontextp++ = ','; |
| 109 | strcpy(scontextp, policydb.p_cat_val_to_name[i - 1]); | 111 | strcpy(scontextp, policydb.p_cat_val_to_name[i]); |
| 110 | scontextp += strlen(policydb.p_cat_val_to_name[i - 1]); | 112 | scontextp += strlen(policydb.p_cat_val_to_name[i]); |
| 111 | range++; | 113 | range++; |
| 112 | } else { | 114 | } else { |
| 113 | if (range > 1) { | 115 | if (range > 1) { |
| @@ -116,8 +118,8 @@ void mls_sid_to_context(struct context *context, | |||
| 116 | else | 118 | else |
| 117 | *scontextp++ = ','; | 119 | *scontextp++ = ','; |
| 118 | 120 | ||
| 119 | strcpy(scontextp, policydb.p_cat_val_to_name[i - 2]); | 121 | strcpy(scontextp, policydb.p_cat_val_to_name[i - 1]); |
| 120 | scontextp += strlen(policydb.p_cat_val_to_name[i - 2]); | 122 | scontextp += strlen(policydb.p_cat_val_to_name[i - 1]); |
| 121 | } | 123 | } |
| 122 | range = 0; | 124 | range = 0; |
| 123 | } | 125 | } |
| @@ -130,8 +132,8 @@ void mls_sid_to_context(struct context *context, | |||
| 130 | else | 132 | else |
| 131 | *scontextp++ = ','; | 133 | *scontextp++ = ','; |
| 132 | 134 | ||
| 133 | strcpy(scontextp, policydb.p_cat_val_to_name[i - 2]); | 135 | strcpy(scontextp, policydb.p_cat_val_to_name[i - 1]); |
| 134 | scontextp += strlen(policydb.p_cat_val_to_name[i - 2]); | 136 | scontextp += strlen(policydb.p_cat_val_to_name[i - 1]); |
| 135 | } | 137 | } |
| 136 | 138 | ||
| 137 | if (l == 0) { | 139 | if (l == 0) { |
| @@ -157,6 +159,7 @@ int mls_context_isvalid(struct policydb *p, struct context *c) | |||
| 157 | { | 159 | { |
| 158 | struct level_datum *levdatum; | 160 | struct level_datum *levdatum; |
| 159 | struct user_datum *usrdatum; | 161 | struct user_datum *usrdatum; |
| 162 | struct ebitmap_node *node; | ||
| 160 | int i, l; | 163 | int i, l; |
| 161 | 164 | ||
| 162 | if (!selinux_mls_enabled) | 165 | if (!selinux_mls_enabled) |
| @@ -179,11 +182,11 @@ int mls_context_isvalid(struct policydb *p, struct context *c) | |||
| 179 | if (!levdatum) | 182 | if (!levdatum) |
| 180 | return 0; | 183 | return 0; |
| 181 | 184 | ||
| 182 | for (i = 1; i <= ebitmap_length(&c->range.level[l].cat); i++) { | 185 | ebitmap_for_each_bit(&c->range.level[l].cat, node, i) { |
| 183 | if (ebitmap_get_bit(&c->range.level[l].cat, i - 1)) { | 186 | if (ebitmap_node_get_bit(node, i)) { |
| 184 | if (i > p->p_cats.nprim) | 187 | if (i > p->p_cats.nprim) |
| 185 | return 0; | 188 | return 0; |
| 186 | if (!ebitmap_get_bit(&levdatum->level->cat, i - 1)) | 189 | if (!ebitmap_get_bit(&levdatum->level->cat, i)) |
| 187 | /* | 190 | /* |
| 188 | * Category may not be associated with | 191 | * Category may not be associated with |
| 189 | * sensitivity in low level. | 192 | * sensitivity in low level. |
| @@ -468,6 +471,7 @@ int mls_convert_context(struct policydb *oldp, | |||
| 468 | struct level_datum *levdatum; | 471 | struct level_datum *levdatum; |
| 469 | struct cat_datum *catdatum; | 472 | struct cat_datum *catdatum; |
| 470 | struct ebitmap bitmap; | 473 | struct ebitmap bitmap; |
| 474 | struct ebitmap_node *node; | ||
| 471 | int l, i; | 475 | int l, i; |
| 472 | 476 | ||
| 473 | if (!selinux_mls_enabled) | 477 | if (!selinux_mls_enabled) |
| @@ -482,12 +486,12 @@ int mls_convert_context(struct policydb *oldp, | |||
| 482 | c->range.level[l].sens = levdatum->level->sens; | 486 | c->range.level[l].sens = levdatum->level->sens; |
| 483 | 487 | ||
| 484 | ebitmap_init(&bitmap); | 488 | ebitmap_init(&bitmap); |
| 485 | for (i = 1; i <= ebitmap_length(&c->range.level[l].cat); i++) { | 489 | ebitmap_for_each_bit(&c->range.level[l].cat, node, i) { |
| 486 | if (ebitmap_get_bit(&c->range.level[l].cat, i - 1)) { | 490 | if (ebitmap_node_get_bit(node, i)) { |
| 487 | int rc; | 491 | int rc; |
| 488 | 492 | ||
| 489 | catdatum = hashtab_search(newp->p_cats.table, | 493 | catdatum = hashtab_search(newp->p_cats.table, |
| 490 | oldp->p_cat_val_to_name[i - 1]); | 494 | oldp->p_cat_val_to_name[i]); |
| 491 | if (!catdatum) | 495 | if (!catdatum) |
| 492 | return -EINVAL; | 496 | return -EINVAL; |
| 493 | rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1); | 497 | rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1); |