[MLSXFRM]: Define new SELinux service routine

This defines a routine that combines the Type Enforcement portion of
one sid with the MLS portion from the other sid to arrive at a new
sid. This would be used to define a sid for a security association
that is to be negotiated by IKE as well as for determing the sid for
open requests and connection-oriented child sockets.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 063af47bb23175b4887fd634ea541fd2ae6eef05..911954a692fac20e8f00cce1ae8741ed7aaa1b96 100644 (file)
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -78,6 +78,8 @@ int security_node_sid(u16 domain, void *addr, u32 addrlen,
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
                                  u16 tclass);
 
+int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
+
 #define SECURITY_FS_USE_XATTR          1 /* use xattr */
 #define SECURITY_FS_USE_TRANS          2 /* use transition SIDs, e.g. devpts/tmpfs */
 #define SECURITY_FS_USE_TASK           3 /* use task SIDs, e.g. pipefs/sockfs */

diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 7bc5b6440f70ba1ab45a66d0a7b3152d394096af..e15f7e0399b8e07b9481eb1362c219db55597633 100644 (file)
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -211,26 +211,6 @@ int mls_context_isvalid(struct policydb *p, struct context *c)
        return 1;
 }
 
-/*
- * Copies the MLS range from `src' into `dst'.
- */
-static inline int mls_copy_context(struct context *dst,
-                                  struct context *src)
-{
-       int l, rc = 0;
-
-       /* Copy the MLS range from the source context */
-       for (l = 0; l < 2; l++) {
-               dst->range.level[l].sens = src->range.level[l].sens;
-               rc = ebitmap_cpy(&dst->range.level[l].cat,
-                                &src->range.level[l].cat);
-               if (rc)
-                       break;
-       }
-
-       return rc;
-}
-
 /*
  * Set the MLS fields in the security context structure
  * `context' based on the string representation in

diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index fbb42f07dd7c04f390ecb7c07d5872514ed8a4df..90c5e88987fa8ac8039c5c47c972449ffc5cc60d 100644 (file)
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -17,6 +17,26 @@
 #include "context.h"
 #include "policydb.h"
 
+/*
+ * Copies the MLS range from `src' into `dst'.
+ */
+static inline int mls_copy_context(struct context *dst,
+                                  struct context *src)
+{
+       int l, rc = 0;
+
+       /* Copy the MLS range from the source context */
+       for (l = 0; l < 2; l++) {
+               dst->range.level[l].sens = src->range.level[l].sens;
+               rc = ebitmap_cpy(&dst->range.level[l].cat,
+                                &src->range.level[l].cat);
+               if (rc)
+                       break;
+       }
+
+       return rc;
+}
+
 int mls_compute_context_len(struct context *context);
 void mls_sid_to_context(struct context *context, char **scontext);
 int mls_context_isvalid(struct policydb *p, struct context *c);

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 85e4298843936fb920533ee9007f706774a240c9..b00ec69f0ffd5a6d219fc554fc7cb3fb79213a19 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1817,6 +1817,75 @@ out:
        return rc;
 }
 
+/*
+ * security_sid_mls_copy() - computes a new sid based on the given
+ * sid and the mls portion of mls_sid.
+ */
+int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
+{
+       struct context *context1;
+       struct context *context2;
+       struct context newcon;
+       char *s;
+       u32 len;
+       int rc = 0;
+
+       if (!ss_initialized) {
+               *new_sid = sid;
+               goto out;
+       }
+
+       context_init(&newcon);
+
+       POLICY_RDLOCK;
+       context1 = sidtab_search(&sidtab, sid);
+       if (!context1) {
+               printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
+                      "%d\n", sid);
+               rc = -EINVAL;
+               goto out_unlock;
+       }
+
+       context2 = sidtab_search(&sidtab, mls_sid);
+       if (!context2) {
+               printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
+                      "%d\n", mls_sid);
+               rc = -EINVAL;
+               goto out_unlock;
+       }
+
+       newcon.user = context1->user;
+       newcon.role = context1->role;
+       newcon.type = context1->type;
+       rc = mls_copy_context(&newcon, context2);
+       if (rc)
+               goto out_unlock;
+
+
+       /* Check the validity of the new context. */
+       if (!policydb_context_isvalid(&policydb, &newcon)) {
+               rc = convert_context_handle_invalid_context(&newcon);
+               if (rc)
+                       goto bad;
+       }
+
+       rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
+       goto out_unlock;
+
+bad:
+       if (!context_struct_to_string(&newcon, &s, &len)) {
+               audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
+                         "security_sid_mls_copy: invalid context %s", s);
+               kfree(s);
+       }
+
+out_unlock:
+       POLICY_RDUNLOCK;
+       context_destroy(&newcon);
+out:
+       return rc;
+}
+
 struct selinux_audit_rule {
        u32 au_seqno;
        struct context au_ctxt;