diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/ss/ebitmap.c | 198 | ||||
-rw-r--r-- | security/selinux/ss/ebitmap.h | 26 | ||||
-rw-r--r-- | security/selinux/ss/mls.c | 156 | ||||
-rw-r--r-- | security/selinux/ss/mls.h | 46 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 23 |
5 files changed, 199 insertions, 250 deletions
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c index d539346ab3a2..ce492a6b38ed 100644 --- a/security/selinux/ss/ebitmap.c +++ b/security/selinux/ss/ebitmap.c | |||
@@ -6,7 +6,7 @@ | |||
6 | /* | 6 | /* |
7 | * Updated: Hewlett-Packard <paul.moore@hp.com> | 7 | * Updated: Hewlett-Packard <paul.moore@hp.com> |
8 | * | 8 | * |
9 | * Added ebitmap_export() and ebitmap_import() | 9 | * Added support to import/export the NetLabel category bitmap |
10 | * | 10 | * |
11 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 | 11 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 |
12 | */ | 12 | */ |
@@ -14,6 +14,7 @@ | |||
14 | #include <linux/kernel.h> | 14 | #include <linux/kernel.h> |
15 | #include <linux/slab.h> | 15 | #include <linux/slab.h> |
16 | #include <linux/errno.h> | 16 | #include <linux/errno.h> |
17 | #include <net/netlabel.h> | ||
17 | #include "ebitmap.h" | 18 | #include "ebitmap.h" |
18 | #include "policydb.h" | 19 | #include "policydb.h" |
19 | 20 | ||
@@ -67,141 +68,120 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src) | |||
67 | return 0; | 68 | return 0; |
68 | } | 69 | } |
69 | 70 | ||
71 | #ifdef CONFIG_NETLABEL | ||
70 | /** | 72 | /** |
71 | * ebitmap_export - Export an ebitmap to a unsigned char bitmap string | 73 | * ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap |
72 | * @src: the ebitmap to export | 74 | * @ebmap: the ebitmap to export |
73 | * @dst: the resulting bitmap string | 75 | * @catmap: the NetLabel category bitmap |
74 | * @dst_len: length of dst in bytes | ||
75 | * | 76 | * |
76 | * Description: | 77 | * Description: |
77 | * Allocate a buffer at least src->highbit bits long and export the extensible | 78 | * Export a SELinux extensibile bitmap into a NetLabel category bitmap. |
78 | * bitmap into the buffer. The bitmap string will be in little endian format, | 79 | * Returns zero on success, negative values on error. |
79 | * i.e. LSB first. The value returned in dst_len may not the true size of the | ||
80 | * buffer as the length of the buffer is rounded up to a multiple of MAPTYPE. | ||
81 | * The caller must free the buffer when finished. Returns zero on success, | ||
82 | * negative values on failure. | ||
83 | * | 80 | * |
84 | */ | 81 | */ |
85 | int ebitmap_export(const struct ebitmap *src, | 82 | int ebitmap_netlbl_export(struct ebitmap *ebmap, |
86 | unsigned char **dst, | 83 | struct netlbl_lsm_secattr_catmap **catmap) |
87 | size_t *dst_len) | ||
88 | { | 84 | { |
89 | size_t bitmap_len; | 85 | struct ebitmap_node *e_iter = ebmap->node; |
90 | unsigned char *bitmap; | 86 | struct netlbl_lsm_secattr_catmap *c_iter; |
91 | struct ebitmap_node *iter_node; | 87 | u32 cmap_idx; |
92 | MAPTYPE node_val; | 88 | |
93 | size_t bitmap_byte; | 89 | /* This function is a much simpler because SELinux's MAPTYPE happens |
94 | unsigned char bitmask; | 90 | * to be the same as NetLabel's NETLBL_CATMAP_MAPTYPE, if MAPTYPE is |
95 | 91 | * changed from a u64 this function will most likely need to be changed | |
96 | if (src->highbit == 0) { | 92 | * as well. It's not ideal but I think the tradeoff in terms of |
97 | *dst = NULL; | 93 | * neatness and speed is worth it. */ |
98 | *dst_len = 0; | 94 | |
95 | if (e_iter == NULL) { | ||
96 | *catmap = NULL; | ||
99 | return 0; | 97 | return 0; |
100 | } | 98 | } |
101 | 99 | ||
102 | bitmap_len = src->highbit / 8; | 100 | c_iter = netlbl_secattr_catmap_alloc(GFP_ATOMIC); |
103 | if (src->highbit % 7) | 101 | if (c_iter == NULL) |
104 | bitmap_len += 1; | ||
105 | |||
106 | bitmap = kzalloc((bitmap_len & ~(sizeof(MAPTYPE) - 1)) + | ||
107 | sizeof(MAPTYPE), | ||
108 | GFP_ATOMIC); | ||
109 | if (bitmap == NULL) | ||
110 | return -ENOMEM; | 102 | return -ENOMEM; |
103 | *catmap = c_iter; | ||
104 | c_iter->startbit = e_iter->startbit & ~(NETLBL_CATMAP_SIZE - 1); | ||
105 | |||
106 | while (e_iter != NULL) { | ||
107 | if (e_iter->startbit >= | ||
108 | (c_iter->startbit + NETLBL_CATMAP_SIZE)) { | ||
109 | c_iter->next = netlbl_secattr_catmap_alloc(GFP_ATOMIC); | ||
110 | if (c_iter->next == NULL) | ||
111 | goto netlbl_export_failure; | ||
112 | c_iter = c_iter->next; | ||
113 | c_iter->startbit = e_iter->startbit & | ||
114 | ~(NETLBL_CATMAP_SIZE - 1); | ||
115 | } | ||
116 | cmap_idx = (e_iter->startbit - c_iter->startbit) / | ||
117 | NETLBL_CATMAP_MAPSIZE; | ||
118 | c_iter->bitmap[cmap_idx] = e_iter->map; | ||
119 | e_iter = e_iter->next; | ||
120 | } | ||
111 | 121 | ||
112 | iter_node = src->node; | ||
113 | do { | ||
114 | bitmap_byte = iter_node->startbit / 8; | ||
115 | bitmask = 0x80; | ||
116 | node_val = iter_node->map; | ||
117 | do { | ||
118 | if (bitmask == 0) { | ||
119 | bitmap_byte++; | ||
120 | bitmask = 0x80; | ||
121 | } | ||
122 | if (node_val & (MAPTYPE)0x01) | ||
123 | bitmap[bitmap_byte] |= bitmask; | ||
124 | node_val >>= 1; | ||
125 | bitmask >>= 1; | ||
126 | } while (node_val > 0); | ||
127 | iter_node = iter_node->next; | ||
128 | } while (iter_node); | ||
129 | |||
130 | *dst = bitmap; | ||
131 | *dst_len = bitmap_len; | ||
132 | return 0; | 122 | return 0; |
123 | |||
124 | netlbl_export_failure: | ||
125 | netlbl_secattr_catmap_free(*catmap); | ||
126 | return -ENOMEM; | ||
133 | } | 127 | } |
134 | 128 | ||
135 | /** | 129 | /** |
136 | * ebitmap_import - Import an unsigned char bitmap string into an ebitmap | 130 | * ebitmap_netlbl_import - Import a NetLabel category bitmap into an ebitmap |
137 | * @src: the bitmap string | 131 | * @ebmap: the ebitmap to export |
138 | * @src_len: the bitmap length in bytes | 132 | * @catmap: the NetLabel category bitmap |
139 | * @dst: the empty ebitmap | ||
140 | * | 133 | * |
141 | * Description: | 134 | * Description: |
142 | * This function takes a little endian bitmap string in src and imports it into | 135 | * Import a NetLabel category bitmap into a SELinux extensibile bitmap. |
143 | * the ebitmap pointed to by dst. Returns zero on success, negative values on | 136 | * Returns zero on success, negative values on error. |
144 | * failure. | ||
145 | * | 137 | * |
146 | */ | 138 | */ |
147 | int ebitmap_import(const unsigned char *src, | 139 | int ebitmap_netlbl_import(struct ebitmap *ebmap, |
148 | size_t src_len, | 140 | struct netlbl_lsm_secattr_catmap *catmap) |
149 | struct ebitmap *dst) | ||
150 | { | 141 | { |
151 | size_t src_off = 0; | 142 | struct ebitmap_node *e_iter = NULL; |
152 | size_t node_limit; | 143 | struct ebitmap_node *emap_prev = NULL; |
153 | struct ebitmap_node *node_new; | 144 | struct netlbl_lsm_secattr_catmap *c_iter = catmap; |
154 | struct ebitmap_node *node_last = NULL; | 145 | u32 c_idx; |
155 | u32 i_byte; | ||
156 | u32 i_bit; | ||
157 | unsigned char src_byte; | ||
158 | |||
159 | while (src_off < src_len) { | ||
160 | if (src_len - src_off >= sizeof(MAPTYPE)) { | ||
161 | if (*(MAPTYPE *)&src[src_off] == 0) { | ||
162 | src_off += sizeof(MAPTYPE); | ||
163 | continue; | ||
164 | } | ||
165 | node_limit = sizeof(MAPTYPE); | ||
166 | } else { | ||
167 | for (src_byte = 0, i_byte = src_off; | ||
168 | i_byte < src_len && src_byte == 0; | ||
169 | i_byte++) | ||
170 | src_byte |= src[i_byte]; | ||
171 | if (src_byte == 0) | ||
172 | break; | ||
173 | node_limit = src_len - src_off; | ||
174 | } | ||
175 | 146 | ||
176 | node_new = kzalloc(sizeof(*node_new), GFP_ATOMIC); | 147 | /* This function is a much simpler because SELinux's MAPTYPE happens |
177 | if (unlikely(node_new == NULL)) { | 148 | * to be the same as NetLabel's NETLBL_CATMAP_MAPTYPE, if MAPTYPE is |
178 | ebitmap_destroy(dst); | 149 | * changed from a u64 this function will most likely need to be changed |
179 | return -ENOMEM; | 150 | * as well. It's not ideal but I think the tradeoff in terms of |
180 | } | 151 | * neatness and speed is worth it. */ |
181 | node_new->startbit = src_off * 8; | ||
182 | for (i_byte = 0; i_byte < node_limit; i_byte++) { | ||
183 | src_byte = src[src_off++]; | ||
184 | for (i_bit = i_byte * 8; src_byte != 0; i_bit++) { | ||
185 | if (src_byte & 0x80) | ||
186 | node_new->map |= MAPBIT << i_bit; | ||
187 | src_byte <<= 1; | ||
188 | } | ||
189 | } | ||
190 | 152 | ||
191 | if (node_last != NULL) | 153 | do { |
192 | node_last->next = node_new; | 154 | for (c_idx = 0; c_idx < NETLBL_CATMAP_MAPCNT; c_idx++) { |
193 | else | 155 | if (c_iter->bitmap[c_idx] == 0) |
194 | dst->node = node_new; | 156 | continue; |
195 | node_last = node_new; | 157 | |
196 | } | 158 | e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC); |
159 | if (e_iter == NULL) | ||
160 | goto netlbl_import_failure; | ||
161 | if (emap_prev == NULL) | ||
162 | ebmap->node = e_iter; | ||
163 | else | ||
164 | emap_prev->next = e_iter; | ||
165 | emap_prev = e_iter; | ||
197 | 166 | ||
198 | if (likely(node_last != NULL)) | 167 | e_iter->startbit = c_iter->startbit + |
199 | dst->highbit = node_last->startbit + MAPSIZE; | 168 | NETLBL_CATMAP_MAPSIZE * c_idx; |
169 | e_iter->map = c_iter->bitmap[c_idx]; | ||
170 | } | ||
171 | c_iter = c_iter->next; | ||
172 | } while (c_iter != NULL); | ||
173 | if (e_iter != NULL) | ||
174 | ebmap->highbit = e_iter->startbit + MAPSIZE; | ||
200 | else | 175 | else |
201 | ebitmap_init(dst); | 176 | ebitmap_destroy(ebmap); |
202 | 177 | ||
203 | return 0; | 178 | return 0; |
179 | |||
180 | netlbl_import_failure: | ||
181 | ebitmap_destroy(ebmap); | ||
182 | return -ENOMEM; | ||
204 | } | 183 | } |
184 | #endif /* CONFIG_NETLABEL */ | ||
205 | 185 | ||
206 | int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2) | 186 | int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2) |
207 | { | 187 | { |
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h index da2d4651b10d..1270e34b61c1 100644 --- a/security/selinux/ss/ebitmap.h +++ b/security/selinux/ss/ebitmap.h | |||
@@ -14,6 +14,8 @@ | |||
14 | #ifndef _SS_EBITMAP_H_ | 14 | #ifndef _SS_EBITMAP_H_ |
15 | #define _SS_EBITMAP_H_ | 15 | #define _SS_EBITMAP_H_ |
16 | 16 | ||
17 | #include <net/netlabel.h> | ||
18 | |||
17 | #define MAPTYPE u64 /* portion of bitmap in each node */ | 19 | #define MAPTYPE u64 /* portion of bitmap in each node */ |
18 | #define MAPSIZE (sizeof(MAPTYPE) * 8) /* number of bits in node bitmap */ | 20 | #define MAPSIZE (sizeof(MAPTYPE) * 8) /* number of bits in node bitmap */ |
19 | #define MAPBIT 1ULL /* a bit in the node bitmap */ | 21 | #define MAPBIT 1ULL /* a bit in the node bitmap */ |
@@ -69,16 +71,28 @@ static inline int ebitmap_node_get_bit(struct ebitmap_node * n, | |||
69 | 71 | ||
70 | int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2); | 72 | int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2); |
71 | int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src); | 73 | int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src); |
72 | int ebitmap_export(const struct ebitmap *src, | ||
73 | unsigned char **dst, | ||
74 | size_t *dst_len); | ||
75 | int ebitmap_import(const unsigned char *src, | ||
76 | size_t src_len, | ||
77 | struct ebitmap *dst); | ||
78 | int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2); | 74 | int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2); |
79 | int ebitmap_get_bit(struct ebitmap *e, unsigned long bit); | 75 | int ebitmap_get_bit(struct ebitmap *e, unsigned long bit); |
80 | int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value); | 76 | int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value); |
81 | void ebitmap_destroy(struct ebitmap *e); | 77 | void ebitmap_destroy(struct ebitmap *e); |
82 | int ebitmap_read(struct ebitmap *e, void *fp); | 78 | int ebitmap_read(struct ebitmap *e, void *fp); |
83 | 79 | ||
80 | #ifdef CONFIG_NETLABEL | ||
81 | int ebitmap_netlbl_export(struct ebitmap *ebmap, | ||
82 | struct netlbl_lsm_secattr_catmap **catmap); | ||
83 | int ebitmap_netlbl_import(struct ebitmap *ebmap, | ||
84 | struct netlbl_lsm_secattr_catmap *catmap); | ||
85 | #else | ||
86 | static inline int ebitmap_netlbl_export(struct ebitmap *ebmap, | ||
87 | struct netlbl_lsm_secattr_catmap **catmap) | ||
88 | { | ||
89 | return -ENOMEM; | ||
90 | } | ||
91 | static inline int ebitmap_netlbl_import(struct ebitmap *ebmap, | ||
92 | struct netlbl_lsm_secattr_catmap *catmap) | ||
93 | { | ||
94 | return -ENOMEM; | ||
95 | } | ||
96 | #endif | ||
97 | |||
84 | #endif /* _SS_EBITMAP_H_ */ | 98 | #endif /* _SS_EBITMAP_H_ */ |
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 2cca8e251624..b4f682dc13ff 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
@@ -13,7 +13,7 @@ | |||
13 | /* | 13 | /* |
14 | * Updated: Hewlett-Packard <paul.moore@hp.com> | 14 | * Updated: Hewlett-Packard <paul.moore@hp.com> |
15 | * | 15 | * |
16 | * Added support to import/export the MLS label | 16 | * Added support to import/export the MLS label from NetLabel |
17 | * | 17 | * |
18 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 | 18 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 |
19 | */ | 19 | */ |
@@ -22,6 +22,7 @@ | |||
22 | #include <linux/slab.h> | 22 | #include <linux/slab.h> |
23 | #include <linux/string.h> | 23 | #include <linux/string.h> |
24 | #include <linux/errno.h> | 24 | #include <linux/errno.h> |
25 | #include <net/netlabel.h> | ||
25 | #include "sidtab.h" | 26 | #include "sidtab.h" |
26 | #include "mls.h" | 27 | #include "mls.h" |
27 | #include "policydb.h" | 28 | #include "policydb.h" |
@@ -571,163 +572,108 @@ int mls_compute_sid(struct context *scontext, | |||
571 | return -EINVAL; | 572 | return -EINVAL; |
572 | } | 573 | } |
573 | 574 | ||
575 | #ifdef CONFIG_NETLABEL | ||
574 | /** | 576 | /** |
575 | * mls_export_lvl - Export the MLS sensitivity levels | 577 | * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel |
576 | * @context: the security context | 578 | * @context: the security context |
577 | * @low: the low sensitivity level | 579 | * @secattr: the NetLabel security attributes |
578 | * @high: the high sensitivity level | ||
579 | * | 580 | * |
580 | * Description: | 581 | * Description: |
581 | * Given the security context copy the low MLS sensitivity level into lvl_low | 582 | * Given the security context copy the low MLS sensitivity level into the |
582 | * and the high sensitivity level in lvl_high. The MLS levels are only | 583 | * NetLabel MLS sensitivity level field. |
583 | * exported if the pointers are not NULL, if they are NULL then that level is | ||
584 | * not exported. | ||
585 | * | 584 | * |
586 | */ | 585 | */ |
587 | void mls_export_lvl(const struct context *context, u32 *low, u32 *high) | 586 | void mls_export_netlbl_lvl(struct context *context, |
587 | struct netlbl_lsm_secattr *secattr) | ||
588 | { | 588 | { |
589 | if (!selinux_mls_enabled) | 589 | if (!selinux_mls_enabled) |
590 | return; | 590 | return; |
591 | 591 | ||
592 | if (low != NULL) | 592 | secattr->mls_lvl = context->range.level[0].sens - 1; |
593 | *low = context->range.level[0].sens - 1; | 593 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; |
594 | if (high != NULL) | ||
595 | *high = context->range.level[1].sens - 1; | ||
596 | } | 594 | } |
597 | 595 | ||
598 | /** | 596 | /** |
599 | * mls_import_lvl - Import the MLS sensitivity levels | 597 | * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels |
600 | * @context: the security context | 598 | * @context: the security context |
601 | * @low: the low sensitivity level | 599 | * @secattr: the NetLabel security attributes |
602 | * @high: the high sensitivity level | ||
603 | * | 600 | * |
604 | * Description: | 601 | * Description: |
605 | * Given the security context and the two sensitivty levels, set the MLS levels | 602 | * Given the security context and the NetLabel security attributes, copy the |
606 | * in the context according the two given as parameters. Returns zero on | 603 | * NetLabel MLS sensitivity level into the context. |
607 | * success, negative values on failure. | ||
608 | * | 604 | * |
609 | */ | 605 | */ |
610 | void mls_import_lvl(struct context *context, u32 low, u32 high) | 606 | void mls_import_netlbl_lvl(struct context *context, |
607 | struct netlbl_lsm_secattr *secattr) | ||
611 | { | 608 | { |
612 | if (!selinux_mls_enabled) | 609 | if (!selinux_mls_enabled) |
613 | return; | 610 | return; |
614 | 611 | ||
615 | context->range.level[0].sens = low + 1; | 612 | context->range.level[0].sens = secattr->mls_lvl + 1; |
616 | context->range.level[1].sens = high + 1; | 613 | context->range.level[1].sens = context->range.level[0].sens; |
617 | } | 614 | } |
618 | 615 | ||
619 | /** | 616 | /** |
620 | * mls_export_cat - Export the MLS categories | 617 | * mls_export_netlbl_cat - Export the MLS categories to NetLabel |
621 | * @context: the security context | 618 | * @context: the security context |
622 | * @low: the low category | 619 | * @secattr: the NetLabel security attributes |
623 | * @low_len: length of the cat_low bitmap in bytes | ||
624 | * @high: the high category | ||
625 | * @high_len: length of the cat_high bitmap in bytes | ||
626 | * | 620 | * |
627 | * Description: | 621 | * Description: |
628 | * Given the security context export the low MLS category bitmap into cat_low | 622 | * Given the security context copy the low MLS categories into the NetLabel |
629 | * and the high category bitmap into cat_high. The MLS categories are only | 623 | * MLS category field. Returns zero on success, negative values on failure. |
630 | * exported if the pointers are not NULL, if they are NULL then that level is | ||
631 | * not exported. The caller is responsibile for freeing the memory when | ||
632 | * finished. Returns zero on success, negative values on failure. | ||
633 | * | 624 | * |
634 | */ | 625 | */ |
635 | int mls_export_cat(const struct context *context, | 626 | int mls_export_netlbl_cat(struct context *context, |
636 | unsigned char **low, | 627 | struct netlbl_lsm_secattr *secattr) |
637 | size_t *low_len, | ||
638 | unsigned char **high, | ||
639 | size_t *high_len) | ||
640 | { | 628 | { |
641 | int rc = -EPERM; | 629 | int rc; |
642 | 630 | ||
643 | if (!selinux_mls_enabled) { | 631 | if (!selinux_mls_enabled) |
644 | *low = NULL; | ||
645 | *low_len = 0; | ||
646 | *high = NULL; | ||
647 | *high_len = 0; | ||
648 | return 0; | 632 | return 0; |
649 | } | ||
650 | 633 | ||
651 | if (low != NULL) { | 634 | rc = ebitmap_netlbl_export(&context->range.level[0].cat, |
652 | rc = ebitmap_export(&context->range.level[0].cat, | 635 | &secattr->mls_cat); |
653 | low, | 636 | if (rc == 0 && secattr->mls_cat != NULL) |
654 | low_len); | 637 | secattr->flags |= NETLBL_SECATTR_MLS_CAT; |
655 | if (rc != 0) | ||
656 | goto export_cat_failure; | ||
657 | } | ||
658 | if (high != NULL) { | ||
659 | rc = ebitmap_export(&context->range.level[1].cat, | ||
660 | high, | ||
661 | high_len); | ||
662 | if (rc != 0) | ||
663 | goto export_cat_failure; | ||
664 | } | ||
665 | |||
666 | return 0; | ||
667 | 638 | ||
668 | export_cat_failure: | ||
669 | if (low != NULL) { | ||
670 | kfree(*low); | ||
671 | *low = NULL; | ||
672 | *low_len = 0; | ||
673 | } | ||
674 | if (high != NULL) { | ||
675 | kfree(*high); | ||
676 | *high = NULL; | ||
677 | *high_len = 0; | ||
678 | } | ||
679 | return rc; | 639 | return rc; |
680 | } | 640 | } |
681 | 641 | ||
682 | /** | 642 | /** |
683 | * mls_import_cat - Import the MLS categories | 643 | * mls_import_netlbl_cat - Import the MLS categories from NetLabel |
684 | * @context: the security context | 644 | * @context: the security context |
685 | * @low: the low category | 645 | * @secattr: the NetLabel security attributes |
686 | * @low_len: length of the cat_low bitmap in bytes | ||
687 | * @high: the high category | ||
688 | * @high_len: length of the cat_high bitmap in bytes | ||
689 | * | 646 | * |
690 | * Description: | 647 | * Description: |
691 | * Given the security context and the two category bitmap strings import the | 648 | * Copy the NetLabel security attributes into the SELinux context; since the |
692 | * categories into the security context. The MLS categories are only imported | 649 | * NetLabel security attribute only contains a single MLS category use it for |
693 | * if the pointers are not NULL, if they are NULL they are skipped. Returns | 650 | * both the low and high categories of the context. Returns zero on success, |
694 | * zero on success, negative values on failure. | 651 | * negative values on failure. |
695 | * | 652 | * |
696 | */ | 653 | */ |
697 | int mls_import_cat(struct context *context, | 654 | int mls_import_netlbl_cat(struct context *context, |
698 | const unsigned char *low, | 655 | struct netlbl_lsm_secattr *secattr) |
699 | size_t low_len, | ||
700 | const unsigned char *high, | ||
701 | size_t high_len) | ||
702 | { | 656 | { |
703 | int rc = -EPERM; | 657 | int rc; |
704 | 658 | ||
705 | if (!selinux_mls_enabled) | 659 | if (!selinux_mls_enabled) |
706 | return 0; | 660 | return 0; |
707 | 661 | ||
708 | if (low != NULL) { | 662 | rc = ebitmap_netlbl_import(&context->range.level[0].cat, |
709 | rc = ebitmap_import(low, | 663 | secattr->mls_cat); |
710 | low_len, | 664 | if (rc != 0) |
711 | &context->range.level[0].cat); | 665 | goto import_netlbl_cat_failure; |
712 | if (rc != 0) | 666 | |
713 | goto import_cat_failure; | 667 | rc = ebitmap_cpy(&context->range.level[1].cat, |
714 | } | 668 | &context->range.level[0].cat); |
715 | if (high != NULL) { | 669 | if (rc != 0) |
716 | if (high == low) | 670 | goto import_netlbl_cat_failure; |
717 | rc = ebitmap_cpy(&context->range.level[1].cat, | ||
718 | &context->range.level[0].cat); | ||
719 | else | ||
720 | rc = ebitmap_import(high, | ||
721 | high_len, | ||
722 | &context->range.level[1].cat); | ||
723 | if (rc != 0) | ||
724 | goto import_cat_failure; | ||
725 | } | ||
726 | 671 | ||
727 | return 0; | 672 | return 0; |
728 | 673 | ||
729 | import_cat_failure: | 674 | import_netlbl_cat_failure: |
730 | ebitmap_destroy(&context->range.level[0].cat); | 675 | ebitmap_destroy(&context->range.level[0].cat); |
731 | ebitmap_destroy(&context->range.level[1].cat); | 676 | ebitmap_destroy(&context->range.level[1].cat); |
732 | return rc; | 677 | return rc; |
733 | } | 678 | } |
679 | #endif /* CONFIG_NETLABEL */ | ||
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h index df6032c6d492..661d6fc76966 100644 --- a/security/selinux/ss/mls.h +++ b/security/selinux/ss/mls.h | |||
@@ -13,7 +13,7 @@ | |||
13 | /* | 13 | /* |
14 | * Updated: Hewlett-Packard <paul.moore@hp.com> | 14 | * Updated: Hewlett-Packard <paul.moore@hp.com> |
15 | * | 15 | * |
16 | * Added support to import/export the MLS label | 16 | * Added support to import/export the MLS label from NetLabel |
17 | * | 17 | * |
18 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 | 18 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 |
19 | */ | 19 | */ |
@@ -69,19 +69,37 @@ int mls_compute_sid(struct context *scontext, | |||
69 | int mls_setup_user_range(struct context *fromcon, struct user_datum *user, | 69 | int mls_setup_user_range(struct context *fromcon, struct user_datum *user, |
70 | struct context *usercon); | 70 | struct context *usercon); |
71 | 71 | ||
72 | void mls_export_lvl(const struct context *context, u32 *low, u32 *high); | 72 | #ifdef CONFIG_NETLABEL |
73 | void mls_import_lvl(struct context *context, u32 low, u32 high); | 73 | void mls_export_netlbl_lvl(struct context *context, |
74 | 74 | struct netlbl_lsm_secattr *secattr); | |
75 | int mls_export_cat(const struct context *context, | 75 | void mls_import_netlbl_lvl(struct context *context, |
76 | unsigned char **low, | 76 | struct netlbl_lsm_secattr *secattr); |
77 | size_t *low_len, | 77 | int mls_export_netlbl_cat(struct context *context, |
78 | unsigned char **high, | 78 | struct netlbl_lsm_secattr *secattr); |
79 | size_t *high_len); | 79 | int mls_import_netlbl_cat(struct context *context, |
80 | int mls_import_cat(struct context *context, | 80 | struct netlbl_lsm_secattr *secattr); |
81 | const unsigned char *low, | 81 | #else |
82 | size_t low_len, | 82 | static inline void mls_export_netlbl_lvl(struct context *context, |
83 | const unsigned char *high, | 83 | struct netlbl_lsm_secattr *secattr) |
84 | size_t high_len); | 84 | { |
85 | return; | ||
86 | } | ||
87 | static inline void mls_import_netlbl_lvl(struct context *context, | ||
88 | struct netlbl_lsm_secattr *secattr) | ||
89 | { | ||
90 | return; | ||
91 | } | ||
92 | static inline int mls_export_netlbl_cat(struct context *context, | ||
93 | struct netlbl_lsm_secattr *secattr) | ||
94 | { | ||
95 | return -ENOMEM; | ||
96 | } | ||
97 | static inline int mls_import_netlbl_cat(struct context *context, | ||
98 | struct netlbl_lsm_secattr *secattr) | ||
99 | { | ||
100 | return -ENOMEM; | ||
101 | } | ||
102 | #endif | ||
85 | 103 | ||
86 | #endif /* _SS_MLS_H */ | 104 | #endif /* _SS_MLS_H */ |
87 | 105 | ||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index b43dd803fd5e..bdb7070dd3dc 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -55,6 +55,7 @@ | |||
55 | #include "objsec.h" | 55 | #include "objsec.h" |
56 | #include "selinux_netlabel.h" | 56 | #include "selinux_netlabel.h" |
57 | #include "xfrm.h" | 57 | #include "xfrm.h" |
58 | #include "ebitmap.h" | ||
58 | 59 | ||
59 | extern void selnl_notify_policyload(u32 seqno); | 60 | extern void selnl_notify_policyload(u32 seqno); |
60 | unsigned int policydb_loaded_version; | 61 | unsigned int policydb_loaded_version; |
@@ -2384,13 +2385,10 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, | |||
2384 | ctx_new.user = ctx->user; | 2385 | ctx_new.user = ctx->user; |
2385 | ctx_new.role = ctx->role; | 2386 | ctx_new.role = ctx->role; |
2386 | ctx_new.type = ctx->type; | 2387 | ctx_new.type = ctx->type; |
2387 | mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl); | 2388 | mls_import_netlbl_lvl(&ctx_new, secattr); |
2388 | if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { | 2389 | if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { |
2389 | if (mls_import_cat(&ctx_new, | 2390 | if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, |
2390 | secattr->mls_cat, | 2391 | secattr->mls_cat) != 0) |
2391 | secattr->mls_cat_len, | ||
2392 | NULL, | ||
2393 | 0) != 0) | ||
2394 | goto netlbl_secattr_to_sid_return; | 2392 | goto netlbl_secattr_to_sid_return; |
2395 | ctx_new.range.level[1].cat.highbit = | 2393 | ctx_new.range.level[1].cat.highbit = |
2396 | ctx_new.range.level[0].cat.highbit; | 2394 | ctx_new.range.level[0].cat.highbit; |
@@ -2486,19 +2484,12 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) | |||
2486 | 2484 | ||
2487 | secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], | 2485 | secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], |
2488 | GFP_ATOMIC); | 2486 | GFP_ATOMIC); |
2489 | mls_export_lvl(ctx, &secattr.mls_lvl, NULL); | 2487 | secattr.flags |= NETLBL_SECATTR_DOMAIN; |
2490 | rc = mls_export_cat(ctx, | 2488 | mls_export_netlbl_lvl(ctx, &secattr); |
2491 | &secattr.mls_cat, | 2489 | rc = mls_export_netlbl_cat(ctx, &secattr); |
2492 | &secattr.mls_cat_len, | ||
2493 | NULL, | ||
2494 | NULL); | ||
2495 | if (rc != 0) | 2490 | if (rc != 0) |
2496 | goto netlbl_socket_setsid_return; | 2491 | goto netlbl_socket_setsid_return; |
2497 | 2492 | ||
2498 | secattr.flags |= NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; | ||
2499 | if (secattr.mls_cat) | ||
2500 | secattr.flags |= NETLBL_SECATTR_MLS_CAT; | ||
2501 | |||
2502 | rc = netlbl_socket_setattr(sock, &secattr); | 2493 | rc = netlbl_socket_setattr(sock, &secattr); |
2503 | if (rc == 0) { | 2494 | if (rc == 0) { |
2504 | spin_lock(&sksec->nlbl_lock); | 2495 | spin_lock(&sksec->nlbl_lock); |