services.c (8e4e4c2f53ffcb0ef746dc3b87ce1a57c5c94c7d) | services.c (048be156491ff1aeb0fe5ff0862644d38cd39015) |
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Implementation of the security services. 4 * 5 * Authors : Stephen Smalley, <sds@tycho.nsa.gov> 6 * James Morris <jmorris@redhat.com> 7 * 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> --- 54 unchanged lines hidden (view full) --- 63#include "objsec.h" 64#include "netlabel.h" 65#include "xfrm.h" 66#include "ebitmap.h" 67#include "audit.h" 68#include "policycap_names.h" 69#include "ima.h" 70 | 1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Implementation of the security services. 4 * 5 * Authors : Stephen Smalley, <sds@tycho.nsa.gov> 6 * James Morris <jmorris@redhat.com> 7 * 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> --- 54 unchanged lines hidden (view full) --- 63#include "objsec.h" 64#include "netlabel.h" 65#include "xfrm.h" 66#include "ebitmap.h" 67#include "audit.h" 68#include "policycap_names.h" 69#include "ima.h" 70 |
71struct convert_context_args { 72 struct selinux_state *state; 73 struct policydb *oldp; 74 struct policydb *newp; 75}; 76 | |
77struct selinux_policy_convert_data { 78 struct convert_context_args args; 79 struct sidtab_convert_params sidtab_params; 80}; 81 82/* Forward declaration. */ 83static int context_struct_to_string(struct policydb *policydb, 84 struct context *context, --- 1924 unchanged lines hidden (view full) --- 2009 if (!context_struct_to_string(policydb, context, &s, &len)) { 2010 pr_warn("SELinux: Context %s would be invalid if enforcing\n", 2011 s); 2012 kfree(s); 2013 } 2014 return 0; 2015} 2016 | 71struct selinux_policy_convert_data { 72 struct convert_context_args args; 73 struct sidtab_convert_params sidtab_params; 74}; 75 76/* Forward declaration. */ 77static int context_struct_to_string(struct policydb *policydb, 78 struct context *context, --- 1924 unchanged lines hidden (view full) --- 2003 if (!context_struct_to_string(policydb, context, &s, &len)) { 2004 pr_warn("SELinux: Context %s would be invalid if enforcing\n", 2005 s); 2006 kfree(s); 2007 } 2008 return 0; 2009} 2010 |
2017/* 2018 * Convert the values in the security context 2019 * structure `oldc' from the values specified 2020 * in the policy `p->oldp' to the values specified 2021 * in the policy `p->newp', storing the new context 2022 * in `newc'. Verify that the context is valid 2023 * under the new policy. | 2011/** 2012 * services_convert_context - Convert a security context across policies. 2013 * @args: populated convert_context_args struct 2014 * @oldc: original context 2015 * @newc: converted context 2016 * 2017 * Convert the values in the security context structure @oldc from the values 2018 * specified in the policy @args->oldp to the values specified in the policy 2019 * @args->newp, storing the new context in @newc, and verifying that the 2020 * context is valid under the new policy. |
2024 */ | 2021 */ |
2025static int convert_context(struct context *oldc, struct context *newc, void *p, 2026 gfp_t gfp_flags) | 2022int services_convert_context(struct convert_context_args *args, 2023 struct context *oldc, struct context *newc) |
2027{ | 2024{ |
2028 struct convert_context_args *args; | |
2029 struct ocontext *oc; 2030 struct role_datum *role; 2031 struct type_datum *typdatum; 2032 struct user_datum *usrdatum; 2033 char *s; 2034 u32 len; 2035 int rc; 2036 | 2025 struct ocontext *oc; 2026 struct role_datum *role; 2027 struct type_datum *typdatum; 2028 struct user_datum *usrdatum; 2029 char *s; 2030 u32 len; 2031 int rc; 2032 |
2037 args = p; 2038 | |
2039 if (oldc->str) { | 2033 if (oldc->str) { |
2040 s = kstrdup(oldc->str, gfp_flags); | 2034 s = kstrdup(oldc->str, GFP_KERNEL); |
2041 if (!s) 2042 return -ENOMEM; 2043 | 2035 if (!s) 2036 return -ENOMEM; 2037 |
2044 rc = string_to_context_struct(args->newp, NULL, s, 2045 newc, SECSID_NULL); | 2038 rc = string_to_context_struct(args->newp, NULL, s, newc, SECSID_NULL); |
2046 if (rc == -EINVAL) { 2047 /* 2048 * Retain string representation for later mapping. 2049 * 2050 * IMPORTANT: We need to copy the contents of oldc->str 2051 * back into s again because string_to_context_struct() 2052 * may have garbled it. 2053 */ --- 14 unchanged lines hidden (view full) --- 2068 oldc->str); 2069 return 0; 2070 } 2071 2072 context_init(newc); 2073 2074 /* Convert the user. */ 2075 usrdatum = symtab_search(&args->newp->p_users, | 2039 if (rc == -EINVAL) { 2040 /* 2041 * Retain string representation for later mapping. 2042 * 2043 * IMPORTANT: We need to copy the contents of oldc->str 2044 * back into s again because string_to_context_struct() 2045 * may have garbled it. 2046 */ --- 14 unchanged lines hidden (view full) --- 2061 oldc->str); 2062 return 0; 2063 } 2064 2065 context_init(newc); 2066 2067 /* Convert the user. */ 2068 usrdatum = symtab_search(&args->newp->p_users, |
2076 sym_name(args->oldp, 2077 SYM_USERS, oldc->user - 1)); | 2069 sym_name(args->oldp, SYM_USERS, oldc->user - 1)); |
2078 if (!usrdatum) 2079 goto bad; 2080 newc->user = usrdatum->value; 2081 2082 /* Convert the role. */ 2083 role = symtab_search(&args->newp->p_roles, 2084 sym_name(args->oldp, SYM_ROLES, oldc->role - 1)); 2085 if (!role) 2086 goto bad; 2087 newc->role = role->value; 2088 2089 /* Convert the type. */ 2090 typdatum = symtab_search(&args->newp->p_types, | 2070 if (!usrdatum) 2071 goto bad; 2072 newc->user = usrdatum->value; 2073 2074 /* Convert the role. */ 2075 role = symtab_search(&args->newp->p_roles, 2076 sym_name(args->oldp, SYM_ROLES, oldc->role - 1)); 2077 if (!role) 2078 goto bad; 2079 newc->role = role->value; 2080 2081 /* Convert the type. */ 2082 typdatum = symtab_search(&args->newp->p_types, |
2091 sym_name(args->oldp, 2092 SYM_TYPES, oldc->type - 1)); | 2083 sym_name(args->oldp, SYM_TYPES, oldc->type - 1)); |
2093 if (!typdatum) 2094 goto bad; 2095 newc->type = typdatum->value; 2096 2097 /* Convert the MLS fields if dealing with MLS policies */ 2098 if (args->oldp->mls_enabled && args->newp->mls_enabled) { 2099 rc = mls_convert_context(args->oldp, args->newp, oldc, newc); 2100 if (rc) --- 17 unchanged lines hidden (view full) --- 2118 rc = mls_range_set(newc, &oc->context[0].range); 2119 if (rc) 2120 goto bad; 2121 } 2122 2123 /* Check the validity of the new context. */ 2124 if (!policydb_context_isvalid(args->newp, newc)) { 2125 rc = convert_context_handle_invalid_context(args->state, | 2084 if (!typdatum) 2085 goto bad; 2086 newc->type = typdatum->value; 2087 2088 /* Convert the MLS fields if dealing with MLS policies */ 2089 if (args->oldp->mls_enabled && args->newp->mls_enabled) { 2090 rc = mls_convert_context(args->oldp, args->newp, oldc, newc); 2091 if (rc) --- 17 unchanged lines hidden (view full) --- 2109 rc = mls_range_set(newc, &oc->context[0].range); 2110 if (rc) 2111 goto bad; 2112 } 2113 2114 /* Check the validity of the new context. */ 2115 if (!policydb_context_isvalid(args->newp, newc)) { 2116 rc = convert_context_handle_invalid_context(args->state, |
2126 args->oldp, 2127 oldc); | 2117 args->oldp, oldc); |
2128 if (rc) 2129 goto bad; 2130 } 2131 2132 return 0; 2133bad: 2134 /* Map old representation to string and save it. */ 2135 rc = context_struct_to_string(args->oldp, oldc, &s, &len); --- 192 unchanged lines hidden (view full) --- 2328 2329 /* Preserve active boolean values from the old policy */ 2330 rc = security_preserve_bools(oldpolicy, newpolicy); 2331 if (rc) { 2332 pr_err("SELinux: unable to preserve booleans\n"); 2333 goto err_free_isids; 2334 } 2335 | 2118 if (rc) 2119 goto bad; 2120 } 2121 2122 return 0; 2123bad: 2124 /* Map old representation to string and save it. */ 2125 rc = context_struct_to_string(args->oldp, oldc, &s, &len); --- 192 unchanged lines hidden (view full) --- 2318 2319 /* Preserve active boolean values from the old policy */ 2320 rc = security_preserve_bools(oldpolicy, newpolicy); 2321 if (rc) { 2322 pr_err("SELinux: unable to preserve booleans\n"); 2323 goto err_free_isids; 2324 } 2325 |
2326 /* 2327 * Convert the internal representations of contexts 2328 * in the new SID table. 2329 */ 2330 |
2336 convert_data = kmalloc(sizeof(*convert_data), GFP_KERNEL); 2337 if (!convert_data) { 2338 rc = -ENOMEM; 2339 goto err_free_isids; 2340 } 2341 | 2331 convert_data = kmalloc(sizeof(*convert_data), GFP_KERNEL); 2332 if (!convert_data) { 2333 rc = -ENOMEM; 2334 goto err_free_isids; 2335 } 2336 |
2342 /* 2343 * Convert the internal representations of contexts 2344 * in the new SID table. 2345 */ | |
2346 convert_data->args.state = state; 2347 convert_data->args.oldp = &oldpolicy->policydb; 2348 convert_data->args.newp = &newpolicy->policydb; 2349 | 2337 convert_data->args.state = state; 2338 convert_data->args.oldp = &oldpolicy->policydb; 2339 convert_data->args.newp = &newpolicy->policydb; 2340 |
2350 convert_data->sidtab_params.func = convert_context; | |
2351 convert_data->sidtab_params.args = &convert_data->args; 2352 convert_data->sidtab_params.target = newpolicy->sidtab; 2353 2354 rc = sidtab_convert(oldpolicy->sidtab, &convert_data->sidtab_params); 2355 if (rc) { 2356 pr_err("SELinux: unable to convert the internal" 2357 " representation of contexts in the new SID" 2358 " table\n"); --- 1714 unchanged lines hidden --- | 2341 convert_data->sidtab_params.args = &convert_data->args; 2342 convert_data->sidtab_params.target = newpolicy->sidtab; 2343 2344 rc = sidtab_convert(oldpolicy->sidtab, &convert_data->sidtab_params); 2345 if (rc) { 2346 pr_err("SELinux: unable to convert the internal" 2347 " representation of contexts in the new SID" 2348 " table\n"); --- 1714 unchanged lines hidden --- |
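Review bot: The new signature at 2022-2023 drops the gfp_t parameter and kstrdup() at 2034 now hardcodes GFP_KERNEL, which is a behaviour change for any caller that previously passed GFP_ATOMIC through the removed sidtab_params.func indirection. The sidtab conversion path (sidtab_context_to_sid in sidtab.c, not shown here) invoked the converter under the sidtab spinlock with GFP_ATOMIC in the pre-patch code, so if that call site now reaches services_convert_context directly, the GFP_KERNEL allocation may sleep in atomic context. Unless the direct call in sidtab.c has been verified to run only in sleepable context, keep the flags as a parameter: `int services_convert_context(struct convert_context_args *args, struct context *oldc, struct context *newc, gfp_t gfp_flags)` with `s = kstrdup(oldc->str, gfp_flags);`. The kernel-doc block at 2011-2021 should also gain a `Return: 0 on success, negative errno on failure` line now that the function is visible outside this file; the body of services_convert_context continues past the hidden region, and the enclosing function around 2331-2348 starts and ends outside the shown hunks.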