aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/ss/ebitmap.c198
-rw-r--r--security/selinux/ss/ebitmap.h26
-rw-r--r--security/selinux/ss/mls.c156
-rw-r--r--security/selinux/ss/mls.h46
-rw-r--r--security/selinux/ss/services.c23
5 files changed, 199 insertions, 250 deletions
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index d539346ab3a2..ce492a6b38ed 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -6,7 +6,7 @@
6/* 6/*
7 * Updated: Hewlett-Packard <paul.moore@hp.com> 7 * Updated: Hewlett-Packard <paul.moore@hp.com>
8 * 8 *
9 * Added ebitmap_export() and ebitmap_import() 9 * Added support to import/export the NetLabel category bitmap
10 * 10 *
11 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 11 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
12 */ 12 */
@@ -14,6 +14,7 @@
14#include <linux/kernel.h> 14#include <linux/kernel.h>
15#include <linux/slab.h> 15#include <linux/slab.h>
16#include <linux/errno.h> 16#include <linux/errno.h>
17#include <net/netlabel.h>
17#include "ebitmap.h" 18#include "ebitmap.h"
18#include "policydb.h" 19#include "policydb.h"
19 20
@@ -67,141 +68,120 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)
67 return 0; 68 return 0;
68} 69}
69 70
71#ifdef CONFIG_NETLABEL
70/** 72/**
71 * ebitmap_export - Export an ebitmap to a unsigned char bitmap string 73 * ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap
72 * @src: the ebitmap to export 74 * @ebmap: the ebitmap to export
73 * @dst: the resulting bitmap string 75 * @catmap: the NetLabel category bitmap
74 * @dst_len: length of dst in bytes
75 * 76 *
76 * Description: 77 * Description:
77 * Allocate a buffer at least src->highbit bits long and export the extensible 78 * Export a SELinux extensibile bitmap into a NetLabel category bitmap.
78 * bitmap into the buffer. The bitmap string will be in little endian format, 79 * Returns zero on success, negative values on error.
79 * i.e. LSB first. The value returned in dst_len may not the true size of the
80 * buffer as the length of the buffer is rounded up to a multiple of MAPTYPE.
81 * The caller must free the buffer when finished. Returns zero on success,
82 * negative values on failure.
83 * 80 *
84 */ 81 */
85int ebitmap_export(const struct ebitmap *src, 82int ebitmap_netlbl_export(struct ebitmap *ebmap,
86 unsigned char **dst, 83 struct netlbl_lsm_secattr_catmap **catmap)
87 size_t *dst_len)
88{ 84{
89 size_t bitmap_len; 85 struct ebitmap_node *e_iter = ebmap->node;
90 unsigned char *bitmap; 86 struct netlbl_lsm_secattr_catmap *c_iter;
91 struct ebitmap_node *iter_node; 87 u32 cmap_idx;
92 MAPTYPE node_val; 88
93 size_t bitmap_byte; 89 /* This function is a much simpler because SELinux's MAPTYPE happens
94 unsigned char bitmask; 90 * to be the same as NetLabel's NETLBL_CATMAP_MAPTYPE, if MAPTYPE is
95 91 * changed from a u64 this function will most likely need to be changed
96 if (src->highbit == 0) { 92 * as well. It's not ideal but I think the tradeoff in terms of
97 *dst = NULL; 93 * neatness and speed is worth it. */
98 *dst_len = 0; 94
95 if (e_iter == NULL) {
96 *catmap = NULL;
99 return 0; 97 return 0;
100 } 98 }
101 99
102 bitmap_len = src->highbit / 8; 100 c_iter = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
103 if (src->highbit % 7) 101 if (c_iter == NULL)
104 bitmap_len += 1;
105
106 bitmap = kzalloc((bitmap_len & ~(sizeof(MAPTYPE) - 1)) +
107 sizeof(MAPTYPE),
108 GFP_ATOMIC);
109 if (bitmap == NULL)
110 return -ENOMEM; 102 return -ENOMEM;
103 *catmap = c_iter;
104 c_iter->startbit = e_iter->startbit & ~(NETLBL_CATMAP_SIZE - 1);
105
106 while (e_iter != NULL) {
107 if (e_iter->startbit >=
108 (c_iter->startbit + NETLBL_CATMAP_SIZE)) {
109 c_iter->next = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
110 if (c_iter->next == NULL)
111 goto netlbl_export_failure;
112 c_iter = c_iter->next;
113 c_iter->startbit = e_iter->startbit &
114 ~(NETLBL_CATMAP_SIZE - 1);
115 }
116 cmap_idx = (e_iter->startbit - c_iter->startbit) /
117 NETLBL_CATMAP_MAPSIZE;
118 c_iter->bitmap[cmap_idx] = e_iter->map;
119 e_iter = e_iter->next;
120 }
111 121
112 iter_node = src->node;
113 do {
114 bitmap_byte = iter_node->startbit / 8;
115 bitmask = 0x80;
116 node_val = iter_node->map;
117 do {
118 if (bitmask == 0) {
119 bitmap_byte++;
120 bitmask = 0x80;
121 }
122 if (node_val & (MAPTYPE)0x01)
123 bitmap[bitmap_byte] |= bitmask;
124 node_val >>= 1;
125 bitmask >>= 1;
126 } while (node_val > 0);
127 iter_node = iter_node->next;
128 } while (iter_node);
129
130 *dst = bitmap;
131 *dst_len = bitmap_len;
132 return 0; 122 return 0;
123
124netlbl_export_failure:
125 netlbl_secattr_catmap_free(*catmap);
126 return -ENOMEM;
133} 127}
134 128
135/** 129/**
136 * ebitmap_import - Import an unsigned char bitmap string into an ebitmap 130 * ebitmap_netlbl_import - Import a NetLabel category bitmap into an ebitmap
137 * @src: the bitmap string 131 * @ebmap: the ebitmap to export
138 * @src_len: the bitmap length in bytes 132 * @catmap: the NetLabel category bitmap
139 * @dst: the empty ebitmap
140 * 133 *
141 * Description: 134 * Description:
142 * This function takes a little endian bitmap string in src and imports it into 135 * Import a NetLabel category bitmap into a SELinux extensibile bitmap.
143 * the ebitmap pointed to by dst. Returns zero on success, negative values on 136 * Returns zero on success, negative values on error.
144 * failure.
145 * 137 *
146 */ 138 */
147int ebitmap_import(const unsigned char *src, 139int ebitmap_netlbl_import(struct ebitmap *ebmap,
148 size_t src_len, 140 struct netlbl_lsm_secattr_catmap *catmap)
149 struct ebitmap *dst)
150{ 141{
151 size_t src_off = 0; 142 struct ebitmap_node *e_iter = NULL;
152 size_t node_limit; 143 struct ebitmap_node *emap_prev = NULL;
153 struct ebitmap_node *node_new; 144 struct netlbl_lsm_secattr_catmap *c_iter = catmap;
154 struct ebitmap_node *node_last = NULL; 145 u32 c_idx;
155 u32 i_byte;
156 u32 i_bit;
157 unsigned char src_byte;
158
159 while (src_off < src_len) {
160 if (src_len - src_off >= sizeof(MAPTYPE)) {
161 if (*(MAPTYPE *)&src[src_off] == 0) {
162 src_off += sizeof(MAPTYPE);
163 continue;
164 }
165 node_limit = sizeof(MAPTYPE);
166 } else {
167 for (src_byte = 0, i_byte = src_off;
168 i_byte < src_len && src_byte == 0;
169 i_byte++)
170 src_byte |= src[i_byte];
171 if (src_byte == 0)
172 break;
173 node_limit = src_len - src_off;
174 }
175 146
176 node_new = kzalloc(sizeof(*node_new), GFP_ATOMIC); 147 /* This function is a much simpler because SELinux's MAPTYPE happens
177 if (unlikely(node_new == NULL)) { 148 * to be the same as NetLabel's NETLBL_CATMAP_MAPTYPE, if MAPTYPE is
178 ebitmap_destroy(dst); 149 * changed from a u64 this function will most likely need to be changed
179 return -ENOMEM; 150 * as well. It's not ideal but I think the tradeoff in terms of
180 } 151 * neatness and speed is worth it. */
181 node_new->startbit = src_off * 8;
182 for (i_byte = 0; i_byte < node_limit; i_byte++) {
183 src_byte = src[src_off++];
184 for (i_bit = i_byte * 8; src_byte != 0; i_bit++) {
185 if (src_byte & 0x80)
186 node_new->map |= MAPBIT << i_bit;
187 src_byte <<= 1;
188 }
189 }
190 152
191 if (node_last != NULL) 153 do {
192 node_last->next = node_new; 154 for (c_idx = 0; c_idx < NETLBL_CATMAP_MAPCNT; c_idx++) {
193 else 155 if (c_iter->bitmap[c_idx] == 0)
194 dst->node = node_new; 156 continue;
195 node_last = node_new; 157
196 } 158 e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
159 if (e_iter == NULL)
160 goto netlbl_import_failure;
161 if (emap_prev == NULL)
162 ebmap->node = e_iter;
163 else
164 emap_prev->next = e_iter;
165 emap_prev = e_iter;
197 166
198 if (likely(node_last != NULL)) 167 e_iter->startbit = c_iter->startbit +
199 dst->highbit = node_last->startbit + MAPSIZE; 168 NETLBL_CATMAP_MAPSIZE * c_idx;
169 e_iter->map = c_iter->bitmap[c_idx];
170 }
171 c_iter = c_iter->next;
172 } while (c_iter != NULL);
173 if (e_iter != NULL)
174 ebmap->highbit = e_iter->startbit + MAPSIZE;
200 else 175 else
201 ebitmap_init(dst); 176 ebitmap_destroy(ebmap);
202 177
203 return 0; 178 return 0;
179
180netlbl_import_failure:
181 ebitmap_destroy(ebmap);
182 return -ENOMEM;
204} 183}
184#endif /* CONFIG_NETLABEL */
205 185
206int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2) 186int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2)
207{ 187{
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index da2d4651b10d..1270e34b61c1 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -14,6 +14,8 @@
14#ifndef _SS_EBITMAP_H_ 14#ifndef _SS_EBITMAP_H_
15#define _SS_EBITMAP_H_ 15#define _SS_EBITMAP_H_
16 16
17#include <net/netlabel.h>
18
17#define MAPTYPE u64 /* portion of bitmap in each node */ 19#define MAPTYPE u64 /* portion of bitmap in each node */
18#define MAPSIZE (sizeof(MAPTYPE) * 8) /* number of bits in node bitmap */ 20#define MAPSIZE (sizeof(MAPTYPE) * 8) /* number of bits in node bitmap */
19#define MAPBIT 1ULL /* a bit in the node bitmap */ 21#define MAPBIT 1ULL /* a bit in the node bitmap */
@@ -69,16 +71,28 @@ static inline int ebitmap_node_get_bit(struct ebitmap_node * n,
69 71
70int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2); 72int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
71int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src); 73int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
72int ebitmap_export(const struct ebitmap *src,
73 unsigned char **dst,
74 size_t *dst_len);
75int ebitmap_import(const unsigned char *src,
76 size_t src_len,
77 struct ebitmap *dst);
78int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2); 74int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2);
79int ebitmap_get_bit(struct ebitmap *e, unsigned long bit); 75int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
80int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value); 76int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
81void ebitmap_destroy(struct ebitmap *e); 77void ebitmap_destroy(struct ebitmap *e);
82int ebitmap_read(struct ebitmap *e, void *fp); 78int ebitmap_read(struct ebitmap *e, void *fp);
83 79
80#ifdef CONFIG_NETLABEL
81int ebitmap_netlbl_export(struct ebitmap *ebmap,
82 struct netlbl_lsm_secattr_catmap **catmap);
83int ebitmap_netlbl_import(struct ebitmap *ebmap,
84 struct netlbl_lsm_secattr_catmap *catmap);
85#else
86static inline int ebitmap_netlbl_export(struct ebitmap *ebmap,
87 struct netlbl_lsm_secattr_catmap **catmap)
88{
89 return -ENOMEM;
90}
91static inline int ebitmap_netlbl_import(struct ebitmap *ebmap,
92 struct netlbl_lsm_secattr_catmap *catmap)
93{
94 return -ENOMEM;
95}
96#endif
97
84#endif /* _SS_EBITMAP_H_ */ 98#endif /* _SS_EBITMAP_H_ */
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 2cca8e251624..b4f682dc13ff 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -13,7 +13,7 @@
13/* 13/*
14 * Updated: Hewlett-Packard <paul.moore@hp.com> 14 * Updated: Hewlett-Packard <paul.moore@hp.com>
15 * 15 *
16 * Added support to import/export the MLS label 16 * Added support to import/export the MLS label from NetLabel
17 * 17 *
18 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 18 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
19 */ 19 */
@@ -22,6 +22,7 @@
22#include <linux/slab.h> 22#include <linux/slab.h>
23#include <linux/string.h> 23#include <linux/string.h>
24#include <linux/errno.h> 24#include <linux/errno.h>
25#include <net/netlabel.h>
25#include "sidtab.h" 26#include "sidtab.h"
26#include "mls.h" 27#include "mls.h"
27#include "policydb.h" 28#include "policydb.h"
@@ -571,163 +572,108 @@ int mls_compute_sid(struct context *scontext,
571 return -EINVAL; 572 return -EINVAL;
572} 573}
573 574
575#ifdef CONFIG_NETLABEL
574/** 576/**
575 * mls_export_lvl - Export the MLS sensitivity levels 577 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
576 * @context: the security context 578 * @context: the security context
577 * @low: the low sensitivity level 579 * @secattr: the NetLabel security attributes
578 * @high: the high sensitivity level
579 * 580 *
580 * Description: 581 * Description:
581 * Given the security context copy the low MLS sensitivity level into lvl_low 582 * Given the security context copy the low MLS sensitivity level into the
582 * and the high sensitivity level in lvl_high. The MLS levels are only 583 * NetLabel MLS sensitivity level field.
583 * exported if the pointers are not NULL, if they are NULL then that level is
584 * not exported.
585 * 584 *
586 */ 585 */
587void mls_export_lvl(const struct context *context, u32 *low, u32 *high) 586void mls_export_netlbl_lvl(struct context *context,
587 struct netlbl_lsm_secattr *secattr)
588{ 588{
589 if (!selinux_mls_enabled) 589 if (!selinux_mls_enabled)
590 return; 590 return;
591 591
592 if (low != NULL) 592 secattr->mls_lvl = context->range.level[0].sens - 1;
593 *low = context->range.level[0].sens - 1; 593 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
594 if (high != NULL)
595 *high = context->range.level[1].sens - 1;
596} 594}
597 595
598/** 596/**
599 * mls_import_lvl - Import the MLS sensitivity levels 597 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
600 * @context: the security context 598 * @context: the security context
601 * @low: the low sensitivity level 599 * @secattr: the NetLabel security attributes
602 * @high: the high sensitivity level
603 * 600 *
604 * Description: 601 * Description:
605 * Given the security context and the two sensitivty levels, set the MLS levels 602 * Given the security context and the NetLabel security attributes, copy the
606 * in the context according the two given as parameters. Returns zero on 603 * NetLabel MLS sensitivity level into the context.
607 * success, negative values on failure.
608 * 604 *
609 */ 605 */
610void mls_import_lvl(struct context *context, u32 low, u32 high) 606void mls_import_netlbl_lvl(struct context *context,
607 struct netlbl_lsm_secattr *secattr)
611{ 608{
612 if (!selinux_mls_enabled) 609 if (!selinux_mls_enabled)
613 return; 610 return;
614 611
615 context->range.level[0].sens = low + 1; 612 context->range.level[0].sens = secattr->mls_lvl + 1;
616 context->range.level[1].sens = high + 1; 613 context->range.level[1].sens = context->range.level[0].sens;
617} 614}
618 615
619/** 616/**
620 * mls_export_cat - Export the MLS categories 617 * mls_export_netlbl_cat - Export the MLS categories to NetLabel
621 * @context: the security context 618 * @context: the security context
622 * @low: the low category 619 * @secattr: the NetLabel security attributes
623 * @low_len: length of the cat_low bitmap in bytes
624 * @high: the high category
625 * @high_len: length of the cat_high bitmap in bytes
626 * 620 *
627 * Description: 621 * Description:
628 * Given the security context export the low MLS category bitmap into cat_low 622 * Given the security context copy the low MLS categories into the NetLabel
629 * and the high category bitmap into cat_high. The MLS categories are only 623 * MLS category field. Returns zero on success, negative values on failure.
630 * exported if the pointers are not NULL, if they are NULL then that level is
631 * not exported. The caller is responsibile for freeing the memory when
632 * finished. Returns zero on success, negative values on failure.
633 * 624 *
634 */ 625 */
635int mls_export_cat(const struct context *context, 626int mls_export_netlbl_cat(struct context *context,
636 unsigned char **low, 627 struct netlbl_lsm_secattr *secattr)
637 size_t *low_len,
638 unsigned char **high,
639 size_t *high_len)
640{ 628{
641 int rc = -EPERM; 629 int rc;
642 630
643 if (!selinux_mls_enabled) { 631 if (!selinux_mls_enabled)
644 *low = NULL;
645 *low_len = 0;
646 *high = NULL;
647 *high_len = 0;
648 return 0; 632 return 0;
649 }
650 633
651 if (low != NULL) { 634 rc = ebitmap_netlbl_export(&context->range.level[0].cat,
652 rc = ebitmap_export(&context->range.level[0].cat, 635 &secattr->mls_cat);
653 low, 636 if (rc == 0 && secattr->mls_cat != NULL)
654 low_len); 637 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
655 if (rc != 0)
656 goto export_cat_failure;
657 }
658 if (high != NULL) {
659 rc = ebitmap_export(&context->range.level[1].cat,
660 high,
661 high_len);
662 if (rc != 0)
663 goto export_cat_failure;
664 }
665
666 return 0;
667 638
668export_cat_failure:
669 if (low != NULL) {
670 kfree(*low);
671 *low = NULL;
672 *low_len = 0;
673 }
674 if (high != NULL) {
675 kfree(*high);
676 *high = NULL;
677 *high_len = 0;
678 }
679 return rc; 639 return rc;
680} 640}
681 641
682/** 642/**
683 * mls_import_cat - Import the MLS categories 643 * mls_import_netlbl_cat - Import the MLS categories from NetLabel
684 * @context: the security context 644 * @context: the security context
685 * @low: the low category 645 * @secattr: the NetLabel security attributes
686 * @low_len: length of the cat_low bitmap in bytes
687 * @high: the high category
688 * @high_len: length of the cat_high bitmap in bytes
689 * 646 *
690 * Description: 647 * Description:
691 * Given the security context and the two category bitmap strings import the 648 * Copy the NetLabel security attributes into the SELinux context; since the
692 * categories into the security context. The MLS categories are only imported 649 * NetLabel security attribute only contains a single MLS category use it for
693 * if the pointers are not NULL, if they are NULL they are skipped. Returns 650 * both the low and high categories of the context. Returns zero on success,
694 * zero on success, negative values on failure. 651 * negative values on failure.
695 * 652 *
696 */ 653 */
697int mls_import_cat(struct context *context, 654int mls_import_netlbl_cat(struct context *context,
698 const unsigned char *low, 655 struct netlbl_lsm_secattr *secattr)
699 size_t low_len,
700 const unsigned char *high,
701 size_t high_len)
702{ 656{
703 int rc = -EPERM; 657 int rc;
704 658
705 if (!selinux_mls_enabled) 659 if (!selinux_mls_enabled)
706 return 0; 660 return 0;
707 661
708 if (low != NULL) { 662 rc = ebitmap_netlbl_import(&context->range.level[0].cat,
709 rc = ebitmap_import(low, 663 secattr->mls_cat);
710 low_len, 664 if (rc != 0)
711 &context->range.level[0].cat); 665 goto import_netlbl_cat_failure;
712 if (rc != 0) 666
713 goto import_cat_failure; 667 rc = ebitmap_cpy(&context->range.level[1].cat,
714 } 668 &context->range.level[0].cat);
715 if (high != NULL) { 669 if (rc != 0)
716 if (high == low) 670 goto import_netlbl_cat_failure;
717 rc = ebitmap_cpy(&context->range.level[1].cat,
718 &context->range.level[0].cat);
719 else
720 rc = ebitmap_import(high,
721 high_len,
722 &context->range.level[1].cat);
723 if (rc != 0)
724 goto import_cat_failure;
725 }
726 671
727 return 0; 672 return 0;
728 673
729import_cat_failure: 674import_netlbl_cat_failure:
730 ebitmap_destroy(&context->range.level[0].cat); 675 ebitmap_destroy(&context->range.level[0].cat);
731 ebitmap_destroy(&context->range.level[1].cat); 676 ebitmap_destroy(&context->range.level[1].cat);
732 return rc; 677 return rc;
733} 678}
679#endif /* CONFIG_NETLABEL */
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index df6032c6d492..661d6fc76966 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -13,7 +13,7 @@
13/* 13/*
14 * Updated: Hewlett-Packard <paul.moore@hp.com> 14 * Updated: Hewlett-Packard <paul.moore@hp.com>
15 * 15 *
16 * Added support to import/export the MLS label 16 * Added support to import/export the MLS label from NetLabel
17 * 17 *
18 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 18 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
19 */ 19 */
@@ -69,19 +69,37 @@ int mls_compute_sid(struct context *scontext,
69int mls_setup_user_range(struct context *fromcon, struct user_datum *user, 69int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
70 struct context *usercon); 70 struct context *usercon);
71 71
72void mls_export_lvl(const struct context *context, u32 *low, u32 *high); 72#ifdef CONFIG_NETLABEL
73void mls_import_lvl(struct context *context, u32 low, u32 high); 73void mls_export_netlbl_lvl(struct context *context,
74 74 struct netlbl_lsm_secattr *secattr);
75int mls_export_cat(const struct context *context, 75void mls_import_netlbl_lvl(struct context *context,
76 unsigned char **low, 76 struct netlbl_lsm_secattr *secattr);
77 size_t *low_len, 77int mls_export_netlbl_cat(struct context *context,
78 unsigned char **high, 78 struct netlbl_lsm_secattr *secattr);
79 size_t *high_len); 79int mls_import_netlbl_cat(struct context *context,
80int mls_import_cat(struct context *context, 80 struct netlbl_lsm_secattr *secattr);
81 const unsigned char *low, 81#else
82 size_t low_len, 82static inline void mls_export_netlbl_lvl(struct context *context,
83 const unsigned char *high, 83 struct netlbl_lsm_secattr *secattr)
84 size_t high_len); 84{
85 return;
86}
87static inline void mls_import_netlbl_lvl(struct context *context,
88 struct netlbl_lsm_secattr *secattr)
89{
90 return;
91}
92static inline int mls_export_netlbl_cat(struct context *context,
93 struct netlbl_lsm_secattr *secattr)
94{
95 return -ENOMEM;
96}
97static inline int mls_import_netlbl_cat(struct context *context,
98 struct netlbl_lsm_secattr *secattr)
99{
100 return -ENOMEM;
101}
102#endif
85 103
86#endif /* _SS_MLS_H */ 104#endif /* _SS_MLS_H */
87 105
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b43dd803fd5e..bdb7070dd3dc 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -55,6 +55,7 @@
55#include "objsec.h" 55#include "objsec.h"
56#include "selinux_netlabel.h" 56#include "selinux_netlabel.h"
57#include "xfrm.h" 57#include "xfrm.h"
58#include "ebitmap.h"
58 59
59extern void selnl_notify_policyload(u32 seqno); 60extern void selnl_notify_policyload(u32 seqno);
60unsigned int policydb_loaded_version; 61unsigned int policydb_loaded_version;
@@ -2384,13 +2385,10 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2384 ctx_new.user = ctx->user; 2385 ctx_new.user = ctx->user;
2385 ctx_new.role = ctx->role; 2386 ctx_new.role = ctx->role;
2386 ctx_new.type = ctx->type; 2387 ctx_new.type = ctx->type;
2387 mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl); 2388 mls_import_netlbl_lvl(&ctx_new, secattr);
2388 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 2389 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
2389 if (mls_import_cat(&ctx_new, 2390 if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
2390 secattr->mls_cat, 2391 secattr->mls_cat) != 0)
2391 secattr->mls_cat_len,
2392 NULL,
2393 0) != 0)
2394 goto netlbl_secattr_to_sid_return; 2392 goto netlbl_secattr_to_sid_return;
2395 ctx_new.range.level[1].cat.highbit = 2393 ctx_new.range.level[1].cat.highbit =
2396 ctx_new.range.level[0].cat.highbit; 2394 ctx_new.range.level[0].cat.highbit;
@@ -2486,19 +2484,12 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
2486 2484
2487 secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 2485 secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
2488 GFP_ATOMIC); 2486 GFP_ATOMIC);
2489 mls_export_lvl(ctx, &secattr.mls_lvl, NULL); 2487 secattr.flags |= NETLBL_SECATTR_DOMAIN;
2490 rc = mls_export_cat(ctx, 2488 mls_export_netlbl_lvl(ctx, &secattr);
2491 &secattr.mls_cat, 2489 rc = mls_export_netlbl_cat(ctx, &secattr);
2492 &secattr.mls_cat_len,
2493 NULL,
2494 NULL);
2495 if (rc != 0) 2490 if (rc != 0)
2496 goto netlbl_socket_setsid_return; 2491 goto netlbl_socket_setsid_return;
2497 2492
2498 secattr.flags |= NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
2499 if (secattr.mls_cat)
2500 secattr.flags |= NETLBL_SECATTR_MLS_CAT;
2501
2502 rc = netlbl_socket_setattr(sock, &secattr); 2493 rc = netlbl_socket_setattr(sock, &secattr);
2503 if (rc == 0) { 2494 if (rc == 0) {
2504 spin_lock(&sksec->nlbl_lock); 2495 spin_lock(&sksec->nlbl_lock);