mls.c (0bd2af46839ad6262d25714a6ec0365db9d6b98f) | mls.c (02752760359db6b00a3ffb1acfc13ef8d9eb1e3f) |
---|---|
1/* 2 * Implementation of the multi-level security (MLS) policy. 3 * 4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 5 */ 6/* 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * 11 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 12 */ 13/* 14 * Updated: Hewlett-Packard <paul.moore@hp.com> 15 * | 1/* 2 * Implementation of the multi-level security (MLS) policy. 3 * 4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 5 */ 6/* 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * 11 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 12 */ 13/* 14 * Updated: Hewlett-Packard <paul.moore@hp.com> 15 * |
16 * Added support to import/export the MLS label | 16 * Added support to import/export the MLS label from NetLabel |
17 * 18 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 19 */ 20 21#include <linux/kernel.h> 22#include <linux/slab.h> 23#include <linux/string.h> 24#include <linux/errno.h> | 17 * 18 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 19 */ 20 21#include <linux/kernel.h> 22#include <linux/slab.h> 23#include <linux/string.h> 24#include <linux/errno.h> |
25#include <net/netlabel.h> |
|
25#include "sidtab.h" 26#include "mls.h" 27#include "policydb.h" 28#include "services.h" 29 30/* 31 * Return the length in bytes for the MLS fields of the 32 * security context string representation of `context'. --- 533 unchanged lines hidden (view full) --- 566 return mls_copy_context(newcontext, tcontext); 567 } 568 default: 569 return -EINVAL; 570 } 571 return -EINVAL; 572} 573 | 26#include "sidtab.h" 27#include "mls.h" 28#include "policydb.h" 29#include "services.h" 30 31/* 32 * Return the length in bytes for the MLS fields of the 33 * security context string representation of `context'. --- 533 unchanged lines hidden (view full) --- 567 return mls_copy_context(newcontext, tcontext); 568 } 569 default: 570 return -EINVAL; 571 } 572 return -EINVAL; 573} 574 |
575#ifdef CONFIG_NETLABEL |
|
574/** | 576/** |
575 * mls_export_lvl - Export the MLS sensitivity levels | 577 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel |
576 * @context: the security context | 578 * @context: the security context |
577 * @low: the low sensitivity level 578 * @high: the high sensitivity level | 579 * @secattr: the NetLabel security attributes |
579 * 580 * Description: | 580 * 581 * Description: |
581 * Given the security context copy the low MLS sensitivity level into lvl_low 582 * and the high sensitivity level in lvl_high. The MLS levels are only 583 * exported if the pointers are not NULL, if they are NULL then that level is 584 * not exported. | 582 * Given the security context copy the low MLS sensitivity level into the 583 * NetLabel MLS sensitivity level field. |
585 * 586 */ | 584 * 585 */ |
587void mls_export_lvl(const struct context *context, u32 *low, u32 *high) | 586void mls_export_netlbl_lvl(struct context *context, 587 struct netlbl_lsm_secattr *secattr) |
588{ 589 if (!selinux_mls_enabled) 590 return; 591 | 588{ 589 if (!selinux_mls_enabled) 590 return; 591 |
592 if (low != NULL) 593 *low = context->range.level[0].sens - 1; 594 if (high != NULL) 595 *high = context->range.level[1].sens - 1; | 592 secattr->mls_lvl = context->range.level[0].sens - 1; 593 secattr->flags |= NETLBL_SECATTR_MLS_LVL; |
596} 597 598/** | 594} 595 596/** |
599 * mls_import_lvl - Import the MLS sensitivity levels | 597 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels |
600 * @context: the security context | 598 * @context: the security context |
601 * @low: the low sensitivity level 602 * @high: the high sensitivity level | 599 * @secattr: the NetLabel security attributes |
603 * 604 * Description: | 600 * 601 * Description: |
605 * Given the security context and the two sensitivty levels, set the MLS levels 606 * in the context according the two given as parameters. Returns zero on 607 * success, negative values on failure. | 602 * Given the security context and the NetLabel security attributes, copy the 603 * NetLabel MLS sensitivity level into the context. |
608 * 609 */ | 604 * 605 */ |
610void mls_import_lvl(struct context *context, u32 low, u32 high) | 606void mls_import_netlbl_lvl(struct context *context, 607 struct netlbl_lsm_secattr *secattr) |
611{ 612 if (!selinux_mls_enabled) 613 return; 614 | 608{ 609 if (!selinux_mls_enabled) 610 return; 611 |
615 context->range.level[0].sens = low + 1; 616 context->range.level[1].sens = high + 1; | 612 context->range.level[0].sens = secattr->mls_lvl + 1; 613 context->range.level[1].sens = context->range.level[0].sens; |
617} 618 619/** | 614} 615 616/** |
620 * mls_export_cat - Export the MLS categories | 617 * mls_export_netlbl_cat - Export the MLS categories to NetLabel |
621 * @context: the security context | 618 * @context: the security context |
622 * @low: the low category 623 * @low_len: length of the cat_low bitmap in bytes 624 * @high: the high category 625 * @high_len: length of the cat_high bitmap in bytes | 619 * @secattr: the NetLabel security attributes |
626 * 627 * Description: | 620 * 621 * Description: |
628 * Given the security context export the low MLS category bitmap into cat_low 629 * and the high category bitmap into cat_high. The MLS categories are only 630 * exported if the pointers are not NULL, if they are NULL then that level is 631 * not exported. The caller is responsibile for freeing the memory when 632 * finished. Returns zero on success, negative values on failure. | 622 * Given the security context copy the low MLS categories into the NetLabel 623 * MLS category field. Returns zero on success, negative values on failure. |
633 * 634 */ | 624 * 625 */ |
635int mls_export_cat(const struct context *context, 636 unsigned char **low, 637 size_t *low_len, 638 unsigned char **high, 639 size_t *high_len) | 626int mls_export_netlbl_cat(struct context *context, 627 struct netlbl_lsm_secattr *secattr) |
640{ | 628{ |
641 int rc = -EPERM; | 629 int rc; |
642 | 630 |
643 if (!selinux_mls_enabled) { 644 *low = NULL; 645 *low_len = 0; 646 *high = NULL; 647 *high_len = 0; | 631 if (!selinux_mls_enabled) |
648 return 0; | 632 return 0; |
649 } | |
650 | 633 |
651 if (low != NULL) { 652 rc = ebitmap_export(&context->range.level[0].cat, 653 low, 654 low_len); 655 if (rc != 0) 656 goto export_cat_failure; 657 } 658 if (high != NULL) { 659 rc = ebitmap_export(&context->range.level[1].cat, 660 high, 661 high_len); 662 if (rc != 0) 663 goto export_cat_failure; 664 } | 634 rc = ebitmap_netlbl_export(&context->range.level[0].cat, 635 &secattr->mls_cat); 636 if (rc == 0 && secattr->mls_cat != NULL) 637 secattr->flags |= NETLBL_SECATTR_MLS_CAT; |
665 | 638 |
666 return 0; 667 668export_cat_failure: 669 if (low != NULL) { 670 kfree(*low); 671 *low = NULL; 672 *low_len = 0; 673 } 674 if (high != NULL) { 675 kfree(*high); 676 *high = NULL; 677 *high_len = 0; 678 } | |
679 return rc; 680} 681 682/** | 639 return rc; 640} 641 642/** |
683 * mls_import_cat - Import the MLS categories | 643 * mls_import_netlbl_cat - Import the MLS categories from NetLabel |
684 * @context: the security context | 644 * @context: the security context |
685 * @low: the low category 686 * @low_len: length of the cat_low bitmap in bytes 687 * @high: the high category 688 * @high_len: length of the cat_high bitmap in bytes | 645 * @secattr: the NetLabel security attributes |
689 * 690 * Description: | 646 * 647 * Description: |
691 * Given the security context and the two category bitmap strings import the 692 * categories into the security context. The MLS categories are only imported 693 * if the pointers are not NULL, if they are NULL they are skipped. Returns 694 * zero on success, negative values on failure. | 648 * Copy the NetLabel security attributes into the SELinux context; since the 649 * NetLabel security attribute only contains a single MLS category use it for 650 * both the low and high categories of the context. Returns zero on success, 651 * negative values on failure. |
695 * 696 */ | 652 * 653 */ |
697int mls_import_cat(struct context *context, 698 const unsigned char *low, 699 size_t low_len, 700 const unsigned char *high, 701 size_t high_len) | 654int mls_import_netlbl_cat(struct context *context, 655 struct netlbl_lsm_secattr *secattr) |
702{ | 656{ |
703 int rc = -EPERM; | 657 int rc; |
704 705 if (!selinux_mls_enabled) 706 return 0; 707 | 658 659 if (!selinux_mls_enabled) 660 return 0; 661 |
708 if (low != NULL) { 709 rc = ebitmap_import(low, 710 low_len, 711 &context->range.level[0].cat); 712 if (rc != 0) 713 goto import_cat_failure; 714 } 715 if (high != NULL) { 716 if (high == low) 717 rc = ebitmap_cpy(&context->range.level[1].cat, 718 &context->range.level[0].cat); 719 else 720 rc = ebitmap_import(high, 721 high_len, 722 &context->range.level[1].cat); 723 if (rc != 0) 724 goto import_cat_failure; 725 } | 662 rc = ebitmap_netlbl_import(&context->range.level[0].cat, 663 secattr->mls_cat); 664 if (rc != 0) 665 goto import_netlbl_cat_failure; |
726 | 666 |
667 rc = ebitmap_cpy(&context->range.level[1].cat, 668 &context->range.level[0].cat); 669 if (rc != 0) 670 goto import_netlbl_cat_failure; 671 |
|
727 return 0; 728 | 672 return 0; 673 |
729import_cat_failure: | 674import_netlbl_cat_failure: |
730 ebitmap_destroy(&context->range.level[0].cat); 731 ebitmap_destroy(&context->range.level[1].cat); 732 return rc; 733} | 675 ebitmap_destroy(&context->range.level[0].cat); 676 ebitmap_destroy(&context->range.level[1].cat); 677 return rc; 678} |
679#endif /* CONFIG_NETLABEL */ |
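Review bot: mls_import_netlbl_lvl writes `secattr->mls_lvl + 1` straight into `range.level[0].sens` (and mirrors it into level[1]) without bounding it against the policy's defined sensitivities, so a level received from the network that exceeds the policy yields a context with a non-existent sensitivity; whether that is caught depends on the caller running mls_context_isvalid() on the result, which is not visible in this hunk. Since the function returns void and cannot report the problem itself, the kernel-doc for both import functions should state the contract, e.g. `* The caller must validate the resulting context (mls_context_isvalid()) before use; no range check is performed here.` Relatedly, mls_import_netlbl_cat passes `secattr->mls_cat` to ebitmap_netlbl_import without checking `NETLBL_SECATTR_MLS_CAT` in `secattr->flags`, while the export side only sets that flag when `mls_cat != NULL`; if ebitmap_netlbl_import does not tolerate a NULL bitmap, the import should mirror that check or the doc comment should say the caller is expected to test the flag first. Also, the two export functions dropped the `const` qualifier on `context` that the replaced mls_export_lvl/mls_export_cat carried even though they only read from it; `const struct context *context` should be restored unless ebitmap_netlbl_export requires a mutable bitmap.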
|