]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * A security context is a set of security attributes | |
3 | * associated with each subject and object controlled | |
4 | * by the security policy. Security contexts are | |
5 | * externally represented as variable-length strings | |
6 | * that can be interpreted by a user or application | |
7 | * with an understanding of the security policy. | |
8 | * Internally, the security server uses a simple | |
9 | * structure. This structure is private to the | |
10 | * security server and can be changed without affecting | |
11 | * clients of the security server. | |
12 | * | |
13 | * Author : Stephen Smalley, <sds@epoch.ncsc.mil> | |
14 | */ | |
15 | #ifndef _SS_CONTEXT_H_ | |
16 | #define _SS_CONTEXT_H_ | |
17 | ||
18 | #include "ebitmap.h" | |
19 | #include "mls_types.h" | |
20 | #include "security.h" | |
21 | ||
22 | /* | |
23 | * A security context consists of an authenticated user | |
24 | * identity, a role, a type and a MLS range. | |
25 | */ | |
26 | struct context { | |
27 | u32 user; | |
28 | u32 role; | |
29 | u32 type; | |
76f7ba35 | 30 | u32 len; /* length of string in bytes */ |
1da177e4 | 31 | struct mls_range range; |
12b29f34 | 32 | char *str; /* string representation if context cannot be mapped. */ |
1da177e4 LT |
33 | }; |
34 | ||
35 | static inline void mls_context_init(struct context *c) | |
36 | { | |
37 | memset(&c->range, 0, sizeof(c->range)); | |
38 | } | |
39 | ||
40 | static inline int mls_context_cpy(struct context *dst, struct context *src) | |
41 | { | |
42 | int rc; | |
43 | ||
1da177e4 LT |
44 | dst->range.level[0].sens = src->range.level[0].sens; |
45 | rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); | |
46 | if (rc) | |
47 | goto out; | |
48 | ||
49 | dst->range.level[1].sens = src->range.level[1].sens; | |
50 | rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat); | |
51 | if (rc) | |
52 | ebitmap_destroy(&dst->range.level[0].cat); | |
53 | out: | |
54 | return rc; | |
55 | } | |
56 | ||
0efc61ea VY |
57 | /* |
58 | * Sets both levels in the MLS range of 'dst' to the low level of 'src'. | |
59 | */ | |
60 | static inline int mls_context_cpy_low(struct context *dst, struct context *src) | |
61 | { | |
62 | int rc; | |
63 | ||
0efc61ea VY |
64 | dst->range.level[0].sens = src->range.level[0].sens; |
65 | rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); | |
66 | if (rc) | |
67 | goto out; | |
68 | ||
69 | dst->range.level[1].sens = src->range.level[0].sens; | |
70 | rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat); | |
71 | if (rc) | |
72 | ebitmap_destroy(&dst->range.level[0].cat); | |
73 | out: | |
74 | return rc; | |
75 | } | |
76 | ||
aa893269 EP |
77 | /* |
78 | * Sets both levels in the MLS range of 'dst' to the high level of 'src'. | |
79 | */ | |
80 | static inline int mls_context_cpy_high(struct context *dst, struct context *src) | |
81 | { | |
82 | int rc; | |
83 | ||
84 | dst->range.level[0].sens = src->range.level[1].sens; | |
85 | rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[1].cat); | |
86 | if (rc) | |
87 | goto out; | |
88 | ||
89 | dst->range.level[1].sens = src->range.level[1].sens; | |
90 | rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat); | |
91 | if (rc) | |
92 | ebitmap_destroy(&dst->range.level[0].cat); | |
93 | out: | |
94 | return rc; | |
95 | } | |
96 | ||
1da177e4 LT |
97 | static inline int mls_context_cmp(struct context *c1, struct context *c2) |
98 | { | |
1da177e4 | 99 | return ((c1->range.level[0].sens == c2->range.level[0].sens) && |
81fa42df | 100 | ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) && |
1da177e4 | 101 | (c1->range.level[1].sens == c2->range.level[1].sens) && |
81fa42df | 102 | ebitmap_cmp(&c1->range.level[1].cat, &c2->range.level[1].cat)); |
1da177e4 LT |
103 | } |
104 | ||
105 | static inline void mls_context_destroy(struct context *c) | |
106 | { | |
1da177e4 LT |
107 | ebitmap_destroy(&c->range.level[0].cat); |
108 | ebitmap_destroy(&c->range.level[1].cat); | |
109 | mls_context_init(c); | |
110 | } | |
111 | ||
112 | static inline void context_init(struct context *c) | |
113 | { | |
114 | memset(c, 0, sizeof(*c)); | |
115 | } | |
116 | ||
117 | static inline int context_cpy(struct context *dst, struct context *src) | |
118 | { | |
12b29f34 SS |
119 | int rc; |
120 | ||
1da177e4 LT |
121 | dst->user = src->user; |
122 | dst->role = src->role; | |
123 | dst->type = src->type; | |
12b29f34 SS |
124 | if (src->str) { |
125 | dst->str = kstrdup(src->str, GFP_ATOMIC); | |
126 | if (!dst->str) | |
127 | return -ENOMEM; | |
128 | dst->len = src->len; | |
129 | } else { | |
130 | dst->str = NULL; | |
131 | dst->len = 0; | |
132 | } | |
133 | rc = mls_context_cpy(dst, src); | |
134 | if (rc) { | |
135 | kfree(dst->str); | |
136 | return rc; | |
137 | } | |
138 | return 0; | |
1da177e4 LT |
139 | } |
140 | ||
141 | static inline void context_destroy(struct context *c) | |
142 | { | |
143 | c->user = c->role = c->type = 0; | |
12b29f34 SS |
144 | kfree(c->str); |
145 | c->str = NULL; | |
146 | c->len = 0; | |
1da177e4 LT |
147 | mls_context_destroy(c); |
148 | } | |
149 | ||
150 | static inline int context_cmp(struct context *c1, struct context *c2) | |
151 | { | |
12b29f34 SS |
152 | if (c1->len && c2->len) |
153 | return (c1->len == c2->len && !strcmp(c1->str, c2->str)); | |
154 | if (c1->len || c2->len) | |
155 | return 0; | |
1da177e4 LT |
156 | return ((c1->user == c2->user) && |
157 | (c1->role == c2->role) && | |
158 | (c1->type == c2->type) && | |
159 | mls_context_cmp(c1, c2)); | |
160 | } | |
161 | ||
162 | #endif /* _SS_CONTEXT_H_ */ | |
163 |