From 02752760359db6b00a3ffb1acfc13ef8d9eb1e3f Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 29 Nov 2006 13:18:18 -0500 Subject: NetLabel: convert to an extensibile/sparse category bitmap The original NetLabel category bitmap was a straight char bitmap which worked fine for the initial release as it only supported 240 bits due to limitations in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that straight char bitmap into an extensibile/sparse bitmap in order to lay the foundation for other CIPSO tag types and protocols. This patch also has a nice side effect in that all of the security attributes passed by NetLabel into the LSM are now in a format which is in the host's native byte/bit ordering which makes the LSM specific code much simpler; look at the changes in security/selinux/ss/ebitmap.c as an example. Signed-off-by: Paul Moore Signed-off-by: James Morris --- security/selinux/ss/services.c | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) (limited to 'security/selinux/ss/services.c') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index b43dd803fd5e..bdb7070dd3dc 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -55,6 +55,7 @@ #include "objsec.h" #include "selinux_netlabel.h" #include "xfrm.h" +#include "ebitmap.h" extern void selnl_notify_policyload(u32 seqno); unsigned int policydb_loaded_version; @@ -2384,13 +2385,10 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, ctx_new.user = ctx->user; ctx_new.role = ctx->role; ctx_new.type = ctx->type; - mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl); + mls_import_netlbl_lvl(&ctx_new, secattr); if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { - if (mls_import_cat(&ctx_new, - secattr->mls_cat, - secattr->mls_cat_len, - NULL, - 0) != 0) + if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, + secattr->mls_cat) != 0) goto netlbl_secattr_to_sid_return; ctx_new.range.level[1].cat.highbit = ctx_new.range.level[0].cat.highbit; @@ -2486,19 +2484,12 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], GFP_ATOMIC); - mls_export_lvl(ctx, &secattr.mls_lvl, NULL); - rc = mls_export_cat(ctx, - &secattr.mls_cat, - &secattr.mls_cat_len, - NULL, - NULL); + secattr.flags |= NETLBL_SECATTR_DOMAIN; + mls_export_netlbl_lvl(ctx, &secattr); + rc = mls_export_netlbl_cat(ctx, &secattr); if (rc != 0) goto netlbl_socket_setsid_return; - secattr.flags |= NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; - if (secattr.mls_cat) - secattr.flags |= NETLBL_SECATTR_MLS_CAT; - rc = netlbl_socket_setattr(sock, &secattr); if (rc == 0) { spin_lock(&sksec->nlbl_lock); -- cgit v1.2.2