						rc = -EINVAL;
						goto out;
					}
					/* A category range must run from a lower to a higher value. */
					if (catdatum->value >= rngdatum->value) {
						rc = -EINVAL;
						goto out;
					}
					for (i = catdatum->value; i < rngdatum->value; i++) {
						rc = ebitmap_set_bit(&context->range.level[l].cat, i, 1);
						if (rc)
							goto out;
					}
				}
				if (delim != ',')
					break;
			}
		}
		if (delim == '-') {
			/* Extract high sensitivity: the text up to the next ':' (or end). */
			scontextp = p;
			while (*p && *p != ':')
				p++;
			delim = *p;
			if (delim != 0)
				*p++ = 0;
		} else
			break;
	}
	if (l == 0) {
		/* Only a single level was given: the high level is a copy of the low. */
		context->range.level[1].sens = context->range.level[0].sens;
		rc = ebitmap_cpy(&context->range.level[1].cat,
				 &context->range.level[0].cat);
		if (rc)
			goto out;
	}
	/* Hand the caller the position just past the consumed MLS fields. */
	*scontext = ++p;
	rc = 0;
out:
	return rc;
}

/*
 * Set the MLS fields in the security context structure
 * `context' based on the string representation in
 * the string `str'.  This function will allocate temporary memory with the
 * given constraints of gfp_mask.
 *
 * Returns 0 on success, -EINVAL when MLS is disabled (the parser's own
 * error code is passed through otherwise), and -ENOMEM when the working
 * copy of `str' cannot be allocated.  `str' itself is never modified.
 */
int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
{
	char *tmpstr, *freestr;
	int rc;

	if (!selinux_mls_enabled)
		return -EINVAL;

	/*
	 * The parser writes NUL terminators into the buffer and advances
	 * tmpstr, so it works on a private copy; freestr keeps the original
	 * start of that copy so it can be released afterwards.
	 */
	tmpstr = freestr = kstrdup(str, gfp_mask);
	if (!tmpstr) {
		rc = -ENOMEM;
	} else {
		rc = mls_context_to_sid(':', &tmpstr, context,
					NULL, SECSID_NULL);
		kfree(freestr);
	}
	return rc;
}

/*
 * Copies the MLS range `range' into `context'.
 */
static inline int mls_range_set(struct context *context,
				struct mls_range *range)
{
	int l;

	/*
	 * Copy sensitivity and category set of both the low (0) and the
	 * high (1) level; stop at the first failed category copy and hand
	 * its error code back to the caller.
	 */
	for (l = 0; l < 2; l++) {
		int rc;

		context->range.level[l].sens = range->level[l].sens;
		rc = ebitmap_cpy(&context->range.level[l].cat,
				 &range->level[l].cat);
		if (rc)
			return rc;
	}
	return 0;
}

/*
 * Derive the MLS range of `usercon' for user `user' from the range of
 * `fromcon'.  The sensitivity is the user's default level when that lies
 * within fromcon's range; otherwise fromcon's low level or the user's low
 * level, whichever the level checks below accept.  The clearance is then
 * taken from whichever of fromcon and the user has the lower one.
 * Returns 0 on success (and immediately, with nothing written, when MLS is
 * disabled), -EINVAL when neither sensitivity nor clearance can be settled.
 */
int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
			 struct context *usercon)
{
	struct mls_level *from_low, *from_high;
	struct mls_level *usr_low, *usr_high, *usr_dflt;
	struct mls_level *out_low, *out_high;

	if (!selinux_mls_enabled)
		return 0;

	from_low = &fromcon->range.level[0];
	from_high = &fromcon->range.level[1];
	usr_low = &user->range.level[0];
	usr_high = &user->range.level[1];
	usr_dflt = &user->dfltlevel;
	out_low = &usercon->range.level[0];
	out_high = &usercon->range.level[1];

	/* Honor the user's default level if we can. */
	if (mls_level_between(usr_dflt, from_low, from_high))
		*out_low = *usr_dflt;
	else if (mls_level_between(from_low, usr_dflt, usr_high))
		*out_low = *from_low;
	else if (mls_level_between(from_high, usr_low, usr_dflt))
		*out_low = *usr_low;
	else
		return -EINVAL;

	/*
	 * Lower the clearance of available contexts if the clearance of
	 * "fromcon" is lower than that of the user's default clearance
	 * (but only if the "fromcon" clearance dominates the user's
	 * computed sensitivity level).
	 */
	if (mls_level_dom(usr_high, from_high))
		*out_high = *from_high;
	else if (mls_level_dom(from_high, usr_high))
		*out_high = *usr_high;
	else
		return -EINVAL;

	return 0;
}

/*
 * Convert the MLS fields in the security context
 * structure `c' from the values specified in the
 * policy `oldp' to the values specified in the policy `newp'.
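 */
int mls_convert_context(struct policydb *oldp,
			struct policydb *newp,
			struct context *c)
{
	struct level_datum *levdatum;
	struct cat_datum *catdatum;
	struct ebitmap bitmap;
	struct ebitmap_node *node;
	int l, i, rc;

	if (!selinux_mls_enabled)
		return 0;

	for (l = 0; l < 2; l++) {
		/*
		 * Map the sensitivity by name: old value -> name via the old
		 * policy's table (values are 1-based, hence the -1), then
		 * name -> new level datum.  Relies on the context having been
		 * validated against `oldp' so the index is in range.
		 */
		levdatum = hashtab_search(newp->p_levels.table,
			oldp->p_sens_val_to_name[c->range.level[l].sens - 1]);
		if (!levdatum)
			return -EINVAL;
		c->range.level[l].sens = levdatum->level->sens;

		/* Rebuild the category set with the new policy's values. */
		ebitmap_init(&bitmap);
		ebitmap_for_each_positive_bit(&c->range.level[l].cat, node, i) {
			catdatum = hashtab_search(newp->p_cats.table,
						  oldp->p_cat_val_to_name[i]);
			if (!catdatum) {
				rc = -EINVAL;
				goto out_bitmap;
			}
			rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1);
			if (rc)
				goto out_bitmap;
		}
		ebitmap_destroy(&c->range.level[l].cat);
		c->range.level[l].cat = bitmap;
	}
	return 0;

out_bitmap:
	/*
	 * The partially built bitmap is a local; the nodes ebitmap_set_bit
	 * already allocated for it would otherwise be leaked on this path.
	 */
	ebitmap_destroy(&bitmap);
	return rc;
}

/*
 * Fill in the MLS fields of `newcontext' for a transition, change or member
 * decision (`specified') on a `tclass' object, given the source context
 * `scontext' and target context `tcontext'.  Returns 0 on success, a
 * negative error from the range/context copy helpers, or -EINVAL for an
 * unknown `specified' value.  Does nothing and returns 0 with MLS disabled.
 */
int mls_compute_sid(struct context *scontext,
		    struct context *tcontext,
		    u16 tclass,
		    u32 specified,
		    struct context *newcontext)
{
	struct range_trans *rtr;

	if (!selinux_mls_enabled)
		return 0;

	switch (specified) {
	case AVTAB_TRANSITION:
		/* Look for a range transition rule matching source, target and class. */
		for (rtr = policydb.range_tr; rtr; rtr = rtr->next) {
			if (rtr->source_type == scontext->type &&
			    rtr->target_type == tcontext->type &&
			    rtr->target_class == tclass) {
				/* Set the range from the rule. */
				return mls_range_set(newcontext,
						     &rtr->target_range);
			}
		}
		/* Fallthrough: no rule matched, behave like a change. */
	case AVTAB_CHANGE:
		if (tclass == SECCLASS_PROCESS)
			/* Use the process MLS attributes. */
			return mls_context_cpy(newcontext, scontext);
		else
			/* Use the process effective MLS attributes. */
			return mls_context_cpy_low(newcontext, scontext);
	case AVTAB_MEMBER:
		/*
		 * Only polyinstantiate the MLS attributes if the type is
		 * being polyinstantiated.
		 */
		if (newcontext->type != tcontext->type) {
			/* Use the process effective MLS attributes. */
			return mls_context_cpy_low(newcontext, scontext);
		} else {
			/* Use the related object MLS attributes. */
			return mls_context_cpy(newcontext, tcontext);
		}
	default:
		return -EINVAL;
	}
}

#ifdef CONFIG_NETLABEL
/**
 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
 * @context: the security context
 * @secattr: the NetLabel security attributes
 *
 * Description:
 * Given the security context copy the low MLS sensitivity level into the
 * NetLabel MLS sensitivity level field.  The on-the-wire level is zero-based
 * while SELinux sensitivities are one-based, hence the -1.
 *
 */
void mls_export_netlbl_lvl(struct context *context,
			   struct netlbl_lsm_secattr *secattr)
{
	if (!selinux_mls_enabled)
		return;

	secattr->mls_lvl = context->range.level[0].sens - 1;
	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
}

/**
 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
 * @context: the security context
 * @secattr: the NetLabel security attributes
 *
 * Description:
 * Given the security context and the NetLabel security attributes, copy the
 * NetLabel MLS sensitivity level into the context.  Both the low and the
 * high level receive the same value.
 *
 */
void mls_import_netlbl_lvl(struct context *context,
			   struct netlbl_lsm_secattr *secattr)
{
	if (!selinux_mls_enabled)
		return;

	/*
	 * NOTE(review): mls_lvl originates from the network label and is not
	 * range-checked here; the resulting context is presumably validated
	 * against the policy by the caller before use -- confirm.
	 */
	context->range.level[0].sens = secattr->mls_lvl + 1;
	context->range.level[1].sens = context->range.level[0].sens;
}

/**
 * mls_export_netlbl_cat - Export the MLS categories to NetLabel
 * @context: the security context
 * @secattr: the NetLabel security attributes
 *
 * Description:
 * Given the security context copy the low MLS categories into the NetLabel
 * MLS category field.  Returns zero on success, negative values on failure.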
 *
 */
int mls_export_netlbl_cat(struct context *context,
			  struct netlbl_lsm_secattr *secattr)
{
	int rc = 0;

	if (selinux_mls_enabled) {
		rc = ebitmap_netlbl_export(&context->range.level[0].cat,
					   &secattr->mls_cat);
		/* Only advertise a category field when one was actually produced. */
		if (rc == 0 && secattr->mls_cat != NULL)
			secattr->flags |= NETLBL_SECATTR_MLS_CAT;
	}
	return rc;
}

/**
 * mls_import_netlbl_cat - Import the MLS categories from NetLabel
 * @context: the security context
 * @secattr: the NetLabel security attributes
 *
 * Description:
 * Copy the NetLabel security attributes into the SELinux context; since the
 * NetLabel security attribute only contains a single MLS category use it for
 * both the low and high categories of the context.  Returns zero on success,
 * negative values on failure; on failure neither level keeps a partially
 * imported category set.
 *
 */
int mls_import_netlbl_cat(struct context *context,
			  struct netlbl_lsm_secattr *secattr)
{
	int rc;

	if (!selinux_mls_enabled)
		return 0;

	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
				   secattr->mls_cat);
	if (rc == 0)
		rc = ebitmap_cpy(&context->range.level[1].cat,
				 &context->range.level[0].cat);
	if (rc != 0) {
		/* Release whatever was imported or copied before the failure. */
		ebitmap_destroy(&context->range.level[0].cat);
		ebitmap_destroy(&context->range.level[1].cat);
	}
	return rc;
}
#endif /* CONFIG_NETLABEL */
