]>
Commit | Line | Data |
---|---|---|
b2441318 | 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
1da177e4 LT |
2 | /* |
3 | * A security context is a set of security attributes | |
4 | * associated with each subject and object controlled | |
5 | * by the security policy. Security contexts are | |
6 | * externally represented as variable-length strings | |
7 | * that can be interpreted by a user or application | |
8 | * with an understanding of the security policy. | |
9 | * Internally, the security server uses a simple | |
10 | * structure. This structure is private to the | |
11 | * security server and can be changed without affecting | |
12 | * clients of the security server. | |
13 | * | |
7efbb60b | 14 | * Author : Stephen Smalley, <sds@tycho.nsa.gov> |
1da177e4 LT |
15 | */ |
16 | #ifndef _SS_CONTEXT_H_ | |
17 | #define _SS_CONTEXT_H_ | |
18 | ||
19 | #include "ebitmap.h" | |
20 | #include "mls_types.h" | |
21 | #include "security.h" | |
22 | ||
23 | /* | |
24 | * A security context consists of an authenticated user | |
25 | * identity, a role, a type and a MLS range. | |
26 | */ | |
27 | struct context { | |
28 | u32 user; | |
29 | u32 role; | |
30 | u32 type; | |
76f7ba35 | 31 | u32 len; /* length of string in bytes */ |
1da177e4 | 32 | struct mls_range range; |
12b29f34 | 33 | char *str; /* string representation if context cannot be mapped. */ |
1da177e4 LT |
34 | }; |
35 | ||
36 | static inline void mls_context_init(struct context *c) | |
37 | { | |
38 | memset(&c->range, 0, sizeof(c->range)); | |
39 | } | |
40 | ||
41 | static inline int mls_context_cpy(struct context *dst, struct context *src) | |
42 | { | |
43 | int rc; | |
44 | ||
1da177e4 LT |
45 | dst->range.level[0].sens = src->range.level[0].sens; |
46 | rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); | |
47 | if (rc) | |
48 | goto out; | |
49 | ||
50 | dst->range.level[1].sens = src->range.level[1].sens; | |
51 | rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat); | |
52 | if (rc) | |
53 | ebitmap_destroy(&dst->range.level[0].cat); | |
54 | out: | |
55 | return rc; | |
56 | } | |
57 | ||
0efc61ea VY |
58 | /* |
59 | * Sets both levels in the MLS range of 'dst' to the low level of 'src'. | |
60 | */ | |
61 | static inline int mls_context_cpy_low(struct context *dst, struct context *src) | |
62 | { | |
63 | int rc; | |
64 | ||
0efc61ea VY |
65 | dst->range.level[0].sens = src->range.level[0].sens; |
66 | rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); | |
67 | if (rc) | |
68 | goto out; | |
69 | ||
70 | dst->range.level[1].sens = src->range.level[0].sens; | |
71 | rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat); | |
72 | if (rc) | |
73 | ebitmap_destroy(&dst->range.level[0].cat); | |
74 | out: | |
75 | return rc; | |
76 | } | |
77 | ||
aa893269 EP |
78 | /* |
79 | * Sets both levels in the MLS range of 'dst' to the high level of 'src'. | |
80 | */ | |
81 | static inline int mls_context_cpy_high(struct context *dst, struct context *src) | |
82 | { | |
83 | int rc; | |
84 | ||
85 | dst->range.level[0].sens = src->range.level[1].sens; | |
86 | rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[1].cat); | |
87 | if (rc) | |
88 | goto out; | |
89 | ||
90 | dst->range.level[1].sens = src->range.level[1].sens; | |
91 | rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat); | |
92 | if (rc) | |
93 | ebitmap_destroy(&dst->range.level[0].cat); | |
94 | out: | |
95 | return rc; | |
96 | } | |
97 | ||
1da177e4 LT |
98 | static inline int mls_context_cmp(struct context *c1, struct context *c2) |
99 | { | |
1da177e4 | 100 | return ((c1->range.level[0].sens == c2->range.level[0].sens) && |
81fa42df | 101 | ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) && |
1da177e4 | 102 | (c1->range.level[1].sens == c2->range.level[1].sens) && |
81fa42df | 103 | ebitmap_cmp(&c1->range.level[1].cat, &c2->range.level[1].cat)); |
1da177e4 LT |
104 | } |
105 | ||
106 | static inline void mls_context_destroy(struct context *c) | |
107 | { | |
1da177e4 LT |
108 | ebitmap_destroy(&c->range.level[0].cat); |
109 | ebitmap_destroy(&c->range.level[1].cat); | |
110 | mls_context_init(c); | |
111 | } | |
112 | ||
113 | static inline void context_init(struct context *c) | |
114 | { | |
115 | memset(c, 0, sizeof(*c)); | |
116 | } | |
117 | ||
118 | static inline int context_cpy(struct context *dst, struct context *src) | |
119 | { | |
12b29f34 SS |
120 | int rc; |
121 | ||
1da177e4 LT |
122 | dst->user = src->user; |
123 | dst->role = src->role; | |
124 | dst->type = src->type; | |
12b29f34 SS |
125 | if (src->str) { |
126 | dst->str = kstrdup(src->str, GFP_ATOMIC); | |
127 | if (!dst->str) | |
128 | return -ENOMEM; | |
129 | dst->len = src->len; | |
130 | } else { | |
131 | dst->str = NULL; | |
132 | dst->len = 0; | |
133 | } | |
134 | rc = mls_context_cpy(dst, src); | |
135 | if (rc) { | |
136 | kfree(dst->str); | |
137 | return rc; | |
138 | } | |
139 | return 0; | |
1da177e4 LT |
140 | } |
141 | ||
142 | static inline void context_destroy(struct context *c) | |
143 | { | |
144 | c->user = c->role = c->type = 0; | |
12b29f34 SS |
145 | kfree(c->str); |
146 | c->str = NULL; | |
147 | c->len = 0; | |
1da177e4 LT |
148 | mls_context_destroy(c); |
149 | } | |
150 | ||
151 | static inline int context_cmp(struct context *c1, struct context *c2) | |
152 | { | |
12b29f34 SS |
153 | if (c1->len && c2->len) |
154 | return (c1->len == c2->len && !strcmp(c1->str, c2->str)); | |
155 | if (c1->len || c2->len) | |
156 | return 0; | |
1da177e4 LT |
157 | return ((c1->user == c2->user) && |
158 | (c1->role == c2->role) && | |
159 | (c1->type == c2->type) && | |
160 | mls_context_cmp(c1, c2)); | |
161 | } | |
162 | ||
163 | #endif /* _SS_CONTEXT_H_ */ | |
164 |