7420ed23a4
Add NetLabel support to the SELinux LSM and modify the socket_post_create() LSM hook to return an error code. The most significant part of this patch is the addition of NetLabel hooks into the following SELinux LSM hooks: * selinux_file_permission() * selinux_socket_sendmsg() * selinux_socket_post_create() * selinux_socket_sock_rcv_skb() * selinux_socket_getpeersec_stream() * selinux_socket_getpeersec_dgram() * selinux_sock_graft() * selinux_inet_conn_request() The basic reasoning behind this patch is that outgoing packets are "NetLabel'd" by labeling their socket and the NetLabel security attributes are checked via the additional hook in selinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling mechanism, similar to filesystem extended attributes, it is up to the SELinux enforcement mechanism to perform the actual access checks. In addition to the changes outlined above this patch also includes some changes to the extended bitmap (ebitmap) and multi-level security (mls) code to import and export SELinux TE/MLS attributes into and out of NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
/*
* Multi-level security (MLS) policy operations.
*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*/
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
*
* Support for enhanced MLS infrastructure.
*
* Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
*/
/*
* Updated: Hewlett-Packard <paul.moore@hp.com>
*
* Added support to import/export the MLS label
*
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
*/
#ifndef _SS_MLS_H_
#define _SS_MLS_H_
#include "context.h"
#include "policydb.h"
/*
 * Copies the MLS range from `src' into `dst': for each of the two levels
 * of the range the sensitivity is assigned and the category bitmap is
 * duplicated with ebitmap_cpy().  Returns 0 on success, otherwise the
 * non-zero value that ebitmap_cpy() returned.  The copy stops at the
 * first level that fails, so on error `dst' may be left partially updated.
 */
static inline int mls_copy_context(struct context *dst,
				   struct context *src)
{
	int rc = 0;
	int lvl = 0;

	/* Walk both levels of the range; bail out on the first failure. */
	while (lvl < 2) {
		dst->range.level[lvl].sens = src->range.level[lvl].sens;
		rc = ebitmap_cpy(&dst->range.level[lvl].cat,
				 &src->range.level[lvl].cat);
		if (rc != 0)
			break;
		lvl++;
	}

	return rc;
}
/*
 * String form of the MLS range.  mls_compute_context_len() presumably
 * reports how many bytes mls_sid_to_context() will emit for `context';
 * mls_sid_to_context() takes the output pointer by reference, which
 * suggests it advances *scontext past the text it writes -- confirm
 * both against the implementation.
 */
int mls_compute_context_len(struct context *context);
void mls_sid_to_context(struct context *context, char **scontext);
/*
 * Validates the MLS range of `c' under policy `p'.  The return
 * convention (non-zero for valid vs. 0 for error) is not visible in this
 * header -- check the implementation before testing the result.
 */
int mls_context_isvalid(struct policydb *p, struct context *c);

/*
 * Parses the MLS portion of a context string into `context'.  The roles
 * of `oldc' (presumably the separator character consumed by the caller)
 * and `def_sid' (presumably a fallback SID) are defined by the
 * implementation, not by this header -- verify before relying on them.
 */
int mls_context_to_sid(char oldc,
		       char **scontext,
		       struct context *context,
		       struct sidtab *s,
		       u32 def_sid);

/*
 * Fills the MLS range of `context' from the string `str'.  `gfp_mask'
 * is an allocation-flags argument, implying the parse may allocate.
 */
int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);

/*
 * Rewrites the MLS range of `context' from the `oldp' policy's terms
 * into `newp''s -- presumably used when a new policy is loaded.
 */
int mls_convert_context(struct policydb *oldp,
			struct policydb *newp,
			struct context *context);

/*
 * Derives the MLS range of `newcontext' for a transition from
 * `scontext' to `tcontext' on class `tclass'; `specified' selects the
 * kind of computation (see the implementation for the accepted values).
 */
int mls_compute_sid(struct context *scontext,
		    struct context *tcontext,
		    u16 tclass,
		    u32 specified,
		    struct context *newcontext);

/*
 * Sets the MLS range of `usercon' for `user', using `fromcon' as the
 * reference range -- exact rules live in the implementation.
 */
int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
			 struct context *usercon);

/*
 * MLS label import/export helpers (added with the NetLabel integration,
 * see the Hewlett-Packard update note in the file header).
 *
 * The *_export_* functions read the low/high sensitivity levels and
 * category bitmaps out of `context'; the *_import_* functions write them
 * back.  Ownership of the buffers returned through *low/*high by
 * mls_export_cat() (allocated vs. borrowed) is not visible here --
 * confirm who frees them.  The category bytes given to mls_import_cat()
 * may originate from the network via NetLabel, so the implementation
 * must treat `low'/`high' as untrusted and honour `low_len'/`high_len'
 * rather than assuming any fixed size.
 */
void mls_export_lvl(const struct context *context, u32 *low, u32 *high);
void mls_import_lvl(struct context *context, u32 low, u32 high);

int mls_export_cat(const struct context *context,
		   unsigned char **low,
		   size_t *low_len,
		   unsigned char **high,
		   size_t *high_len);
int mls_import_cat(struct context *context,
		   const unsigned char *low,
		   size_t low_len,
		   const unsigned char *high,
		   size_t high_len);

#endif /* _SS_MLS_H_ */