Commit 00447872 authored by Paul Moore's avatar Paul Moore Committed by David S. Miller

NetLabel: Allow passing the LSM domain as a shared pointer

Smack doesn't have the need to create a private copy of the LSM "domain" when
setting NetLabel security attributes like SELinux, however, the current
NetLabel code requires a private copy of the LSM "domain".  This patch fixes
that by letting the LSM determine how it wants to pass the domain value.

 * NETLBL_SECATTR_DOMAIN_CPY
   The current behavior, NetLabel assumes that the domain value is a copy and
   frees it when done

 * NETLBL_SECATTR_DOMAIN
   New, Smack-friendly behavior, NetLabel assumes that the domain value is a
   reference to a string managed by the LSM and does not free it when done
Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Acked-by: default avatarJames Morris <jmorris@namei.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b9f3124f
...@@ -162,7 +162,7 @@ struct netlbl_lsm_secattr_catmap { ...@@ -162,7 +162,7 @@ struct netlbl_lsm_secattr_catmap {
/** /**
* struct netlbl_lsm_secattr - NetLabel LSM security attributes * struct netlbl_lsm_secattr - NetLabel LSM security attributes
* @flags: indicate which attributes are contained in this structure * @flags: indicate structure attributes, see NETLBL_SECATTR_*
* @type: indicate the NLTYPE of the attributes * @type: indicate the NLTYPE of the attributes
* @domain: the NetLabel LSM domain * @domain: the NetLabel LSM domain
* @cache: NetLabel LSM specific cache * @cache: NetLabel LSM specific cache
...@@ -180,17 +180,22 @@ struct netlbl_lsm_secattr_catmap { ...@@ -180,17 +180,22 @@ struct netlbl_lsm_secattr_catmap {
* NetLabel itself when returning security attributes to the LSM. * NetLabel itself when returning security attributes to the LSM.
* *
*/ */
struct netlbl_lsm_secattr {
u32 flags;
/* bitmap values for 'flags' */
#define NETLBL_SECATTR_NONE 0x00000000 #define NETLBL_SECATTR_NONE 0x00000000
#define NETLBL_SECATTR_DOMAIN 0x00000001 #define NETLBL_SECATTR_DOMAIN 0x00000001
#define NETLBL_SECATTR_DOMAIN_CPY (NETLBL_SECATTR_DOMAIN | \
NETLBL_SECATTR_FREE_DOMAIN)
#define NETLBL_SECATTR_CACHE 0x00000002 #define NETLBL_SECATTR_CACHE 0x00000002
#define NETLBL_SECATTR_MLS_LVL 0x00000004 #define NETLBL_SECATTR_MLS_LVL 0x00000004
#define NETLBL_SECATTR_MLS_CAT 0x00000008 #define NETLBL_SECATTR_MLS_CAT 0x00000008
#define NETLBL_SECATTR_SECID 0x00000010 #define NETLBL_SECATTR_SECID 0x00000010
/* bitmap meta-values for 'flags' */
#define NETLBL_SECATTR_FREE_DOMAIN 0x01000000
#define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \ #define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \
NETLBL_SECATTR_MLS_CAT | \ NETLBL_SECATTR_MLS_CAT | \
NETLBL_SECATTR_SECID) NETLBL_SECATTR_SECID)
struct netlbl_lsm_secattr {
u32 flags;
u32 type; u32 type;
char *domain; char *domain;
struct netlbl_lsm_cache *cache; struct netlbl_lsm_cache *cache;
...@@ -303,6 +308,7 @@ static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr) ...@@ -303,6 +308,7 @@ static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
*/ */
static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr) static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
{ {
if (secattr->flags & NETLBL_SECATTR_FREE_DOMAIN)
kfree(secattr->domain); kfree(secattr->domain);
if (secattr->flags & NETLBL_SECATTR_CACHE) if (secattr->flags & NETLBL_SECATTR_CACHE)
netlbl_secattr_cache_free(secattr->cache); netlbl_secattr_cache_free(secattr->cache);
......
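Review bot: The `@domain` kernel-doc line at the top of the first hunk still reads "the NetLabel LSM domain" although this change makes its ownership conditional, so a reader of the struct cannot tell who frees the pointer without finding netlbl_secattr_destroy(). Suggest `* @domain: the NetLabel LSM domain; kfree()d by netlbl_secattr_destroy() only when NETLBL_SECATTR_FREE_DOMAIN is set, otherwise a string owned by the LSM that must outlive this struct`. NETLBL_SECATTR_DOMAIN_CPY expands to NETLBL_SECATTR_FREE_DOMAIN several lines before that macro is defined, which the preprocessor accepts, but a short comment such as `/* see NETLBL_SECATTR_FREE_DOMAIN below */` would save a lookup. Since NETLBL_SECATTR_DOMAIN_CPY includes NETLBL_SECATTR_DOMAIN, existing `flags & NETLBL_SECATTR_DOMAIN` tests keep working, but any caller comparing flags for equality would need checking, which is not visible from here. netlbl_secattr_destroy() continues past the end of the hunk.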
...@@ -2649,7 +2649,7 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) ...@@ -2649,7 +2649,7 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
goto netlbl_sid_to_secattr_failure; goto netlbl_sid_to_secattr_failure;
secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
GFP_ATOMIC); GFP_ATOMIC);
secattr->flags |= NETLBL_SECATTR_DOMAIN; secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY;
mls_export_netlbl_lvl(ctx, secattr); mls_export_netlbl_lvl(ctx, secattr);
rc = mls_export_netlbl_cat(ctx, secattr); rc = mls_export_netlbl_cat(ctx, secattr);
if (rc != 0) if (rc != 0)
......
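Review bot: `secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY;` is executed even when the preceding kstrdup(..., GFP_ATOMIC) returns NULL, so a consumer that trusts NETLBL_SECATTR_DOMAIN can dereference a NULL domain; kfree(NULL) in netlbl_secattr_destroy() is harmless, but the flag then misdescribes the struct. The condition predates this commit, yet the line is being rewritten and a guard fits naturally here: `if (secattr->domain == NULL) { rc = -ENOMEM; goto netlbl_sid_to_secattr_failure; }` placed before the flag is set, assuming the failure label and `rc` (both used in this hunk) carry a negative errno as the other failures of this function presumably do. security_netlbl_sid_to_secattr() starts and ends outside the hunk.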
...@@ -1275,7 +1275,7 @@ static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp) ...@@ -1275,7 +1275,7 @@ static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp)
switch (smack_net_nltype) { switch (smack_net_nltype) {
case NETLBL_NLTYPE_CIPSOV4: case NETLBL_NLTYPE_CIPSOV4:
nlsp->domain = kstrdup(smack, GFP_ATOMIC); nlsp->domain = smack;
nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
rc = smack_to_cipso(smack, &cipso); rc = smack_to_cipso(smack, &cipso);
......
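Review bot: With `nlsp->domain = smack;` the secattr now aliases the label string passed to smack_to_secattr() and NetLabel no longer frees it, so the secattr must not outlive the label; nothing in the hunk records that contract. Suggest a comment above the assignment: `/* domain aliases the Smack label (NETLBL_SECATTR_DOMAIN, not _CPY); the label must outlive this secattr, which never frees it */`. Because the following line assigns `nlsp->flags` with `=` rather than `|=`, any stale NETLBL_SECATTR_FREE_DOMAIN bit is cleared and netlbl_secattr_destroy() will not kfree() the borrowed pointer, which is the right outcome; whether a Smack label can be released while a secattr still references it cannot be judged from this hunk. smack_to_secattr() continues outside the hunk.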