xref: /openbmc/linux/security/selinux/ss/context.h (revision 22246614)
1 /*
2  * A security context is a set of security attributes
3  * associated with each subject and object controlled
4  * by the security policy.  Security contexts are
5   * externally represented as variable-length strings
6  * that can be interpreted by a user or application
7  * with an understanding of the security policy.
8  * Internally, the security server uses a simple
9  * structure.  This structure is private to the
10  * security server and can be changed without affecting
11  * clients of the security server.
12  *
13  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
14  */
15 #ifndef _SS_CONTEXT_H_
16 #define _SS_CONTEXT_H_
17 
18 #include "ebitmap.h"
19 #include "mls_types.h"
20 #include "security.h"
21 
22 /*
23  * A security context consists of an authenticated user
24  * identity, a role, a type and a MLS range.
25  */
26 struct context {
27 	u32 user;
28 	u32 role;
29 	u32 type;
30 	struct mls_range range;
31 };
32 
33 static inline void mls_context_init(struct context *c)
34 {
35 	memset(&c->range, 0, sizeof(c->range));
36 }
37 
38 static inline int mls_context_cpy(struct context *dst, struct context *src)
39 {
40 	int rc;
41 
42 	if (!selinux_mls_enabled)
43 		return 0;
44 
45 	dst->range.level[0].sens = src->range.level[0].sens;
46 	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
47 	if (rc)
48 		goto out;
49 
50 	dst->range.level[1].sens = src->range.level[1].sens;
51 	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat);
52 	if (rc)
53 		ebitmap_destroy(&dst->range.level[0].cat);
54 out:
55 	return rc;
56 }
57 
58 /*
59  * Sets both levels in the MLS range of 'dst' to the low level of 'src'.
60  */
61 static inline int mls_context_cpy_low(struct context *dst, struct context *src)
62 {
63 	int rc;
64 
65 	if (!selinux_mls_enabled)
66 		return 0;
67 
68 	dst->range.level[0].sens = src->range.level[0].sens;
69 	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
70 	if (rc)
71 		goto out;
72 
73 	dst->range.level[1].sens = src->range.level[0].sens;
74 	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
75 	if (rc)
76 		ebitmap_destroy(&dst->range.level[0].cat);
77 out:
78 	return rc;
79 }
80 
81 static inline int mls_context_cmp(struct context *c1, struct context *c2)
82 {
83 	if (!selinux_mls_enabled)
84 		return 1;
85 
86 	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
87 		ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
88 		(c1->range.level[1].sens == c2->range.level[1].sens) &&
89 		ebitmap_cmp(&c1->range.level[1].cat, &c2->range.level[1].cat));
90 }
91 
92 static inline void mls_context_destroy(struct context *c)
93 {
94 	if (!selinux_mls_enabled)
95 		return;
96 
97 	ebitmap_destroy(&c->range.level[0].cat);
98 	ebitmap_destroy(&c->range.level[1].cat);
99 	mls_context_init(c);
100 }
101 
102 static inline void context_init(struct context *c)
103 {
104 	memset(c, 0, sizeof(*c));
105 }
106 
107 static inline int context_cpy(struct context *dst, struct context *src)
108 {
109 	dst->user = src->user;
110 	dst->role = src->role;
111 	dst->type = src->type;
112 	return mls_context_cpy(dst, src);
113 }
114 
115 static inline void context_destroy(struct context *c)
116 {
117 	c->user = c->role = c->type = 0;
118 	mls_context_destroy(c);
119 }
120 
121 static inline int context_cmp(struct context *c1, struct context *c2)
122 {
123 	return ((c1->user == c2->user) &&
124 		(c1->role == c2->role) &&
125 		(c1->type == c2->type) &&
126 		mls_context_cmp(c1, c2));
127 }
128 
129 #endif	/* _SS_CONTEXT_H_ */
130 
131