Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/context.h23
-rw-r--r--security/selinux/ss/mls.c30
-rw-r--r--security/selinux/ss/mls.h20
-rw-r--r--security/selinux/ss/services.c3
4 files changed, 29 insertions, 47 deletions
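--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -55,6 +55,29 @@ out:
 	return rc;
 }
 
+/*
+ * Sets both levels in the MLS range of 'dst' to the low level of 'src'.
+ */
+static inline int mls_context_cpy_low(struct context *dst, struct context *src)
+{
+	int rc;
+
+	if (!selinux_mls_enabled)
+		return 0;
+
+	dst->range.level[0].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
+	if (rc)
+		goto out;
+
+	dst->range.level[1].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
+	if (rc)
+		ebitmap_destroy(&dst->range.level[0].cat);
+out:
+	return rc;
+}
+
 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
 	if (!selinux_mls_enabled)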
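Review bot: The header comment on the new mls_context_cpy_low does not state its return value or what 'dst' looks like on failure, although the body fixes both: it returns 0 without touching 'dst' when selinux_mls_enabled is clear, and when the second ebitmap_cpy fails it releases the level[0] category bitmap it had already copied while both sens fields stay written. I would extend the comment with: `Returns 0 on success, or 0 without modifying 'dst' when MLS is disabled; if an ebitmap_cpy fails, the level[0] categories already copied into 'dst' are released but the sens fields remain set.` What ebitmap_cpy leaves in level[1].cat on its own failure is not visible here, so callers presumably still have to destroy 'dst' as a whole — worth confirming against ebitmap_cpy. mls_context_cpy, which the other call sites in this commit now use, is outside the hunk, so parity of its MLS-disabled behaviour cannot be checked from this page.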
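--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -270,7 +270,7 @@ int mls_context_to_sid(char oldc,
 		if (!defcon)
 			goto out;
 
-		rc = mls_copy_context(context, defcon);
+		rc = mls_context_cpy(context, defcon);
 		goto out;
 	}
 
@@ -401,26 +401,6 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
 }
 
 /*
- * Copies the effective MLS range from `src' into `dst'.
- */
-static inline int mls_scopy_context(struct context *dst,
-				    struct context *src)
-{
-	int l, rc = 0;
-
-	/* Copy the MLS range from the source context */
-	for (l = 0; l < 2; l++) {
-		dst->range.level[l].sens = src->range.level[0].sens;
-		rc = ebitmap_cpy(&dst->range.level[l].cat,
-				 &src->range.level[0].cat);
-		if (rc)
-			break;
-	}
-
-	return rc;
-}
-
-/*
  * Copies the MLS range `range' into `context'.
  */
 static inline int mls_range_set(struct context *context,
@@ -552,19 +532,19 @@ int mls_compute_sid(struct context *scontext,
 	case AVTAB_CHANGE:
 		if (tclass == SECCLASS_PROCESS)
 			/* Use the process MLS attributes. */
-			return mls_copy_context(newcontext, scontext);
+			return mls_context_cpy(newcontext, scontext);
 		else
 			/* Use the process effective MLS attributes. */
-			return mls_scopy_context(newcontext, scontext);
+			return mls_context_cpy_low(newcontext, scontext);
 	case AVTAB_MEMBER:
 		/* Only polyinstantiate the MLS attributes if
 		   the type is being polyinstantiated */
 		if (newcontext->type != tcontext->type) {
 			/* Use the process effective MLS attributes. */
-			return mls_scopy_context(newcontext, scontext);
+			return mls_context_cpy_low(newcontext, scontext);
 		} else {
 			/* Use the related object MLS attributes. */
-			return mls_copy_context(newcontext, tcontext);
+			return mls_context_cpy(newcontext, tcontext);
 		}
 	default:
 		return -EINVAL;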
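Review bot: The AVTAB_CHANGE and AVTAB_MEMBER branches now return the status of mls_context_cpy_low directly, and on failure that callee leaves newcontext->range partially set (sens fields written, the level[0] categories released), which is a different error state from the removed mls_scopy_context, whose loop stopped at the failing level without releasing anything. Whether the cleanup in mls_compute_sid's caller tolerates a half-initialised range cannot be checked here, since the function starts and ends outside the hunk. A short comment at `case AVTAB_CHANGE:` would record the expectation, e.g. `/* NOTE: on failure the callee may leave newcontext->range partially set; confirm the caller destroys newcontext. */`.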
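--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -24,26 +24,6 @@
 #include "context.h"
 #include "policydb.h"
 
-/*
- * Copies the MLS range from `src' into `dst'.
- */
-static inline int mls_copy_context(struct context *dst,
-				   struct context *src)
-{
-	int l, rc = 0;
-
-	/* Copy the MLS range from the source context */
-	for (l = 0; l < 2; l++) {
-		dst->range.level[l].sens = src->range.level[l].sens;
-		rc = ebitmap_cpy(&dst->range.level[l].cat,
-				 &src->range.level[l].cat);
-		if (rc)
-			break;
-	}
-
-	return rc;
-}
-
 int mls_compute_context_len(struct context *context);
 void mls_sid_to_context(struct context *context, char **scontext);
 int mls_context_isvalid(struct policydb *p, struct context *c);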
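--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1916,11 +1916,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
 	newcon.user = context1->user;
 	newcon.role = context1->role;
 	newcon.type = context1->type;
-	rc = mls_copy_context(&newcon, context2);
+	rc = mls_context_cpy(&newcon, context2);
 	if (rc)
 		goto out_unlock;
 
-
 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(&policydb, &newcon)) {
 		rc = convert_context_handle_invalid_context(&newcon);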