7420ed23a4
Add NetLabel support to the SELinux LSM and modify the socket_post_create() LSM hook to return an error code. The most significant part of this patch is the addition of NetLabel hooks into the following SELinux LSM hooks: * selinux_file_permission() * selinux_socket_sendmsg() * selinux_socket_post_create() * selinux_socket_sock_rcv_skb() * selinux_socket_getpeersec_stream() * selinux_socket_getpeersec_dgram() * selinux_sock_graft() * selinux_inet_conn_request() The basic reasoning behind this patch is that outgoing packets are "NetLabel'd" by labeling their socket and the NetLabel security attributes are checked via the additional hook in selinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling mechanism, similar to filesystem extended attributes, it is up to the SELinux enforcement mechanism to perform the actual access checks. In addition to the changes outlined above this patch also includes some changes to the extended bitmap (ebitmap) and multi-level security (mls) code to import and export SELinux TE/MLS attributes into and out of NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
/*
 * An extensible bitmap is a bitmap that supports an
 * arbitrary number of bits. Extensible bitmaps are
 * used to represent sets of values, such as types,
 * roles, categories, and classes.
 *
 * Each extensible bitmap is implemented as a linked
 * list of bitmap nodes, where each bitmap node has
 * an explicitly specified starting bit position within
 * the total bitmap.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */
#ifndef _SS_EBITMAP_H_
#define _SS_EBITMAP_H_

/*
 * Node geometry.  Every node carries one MAPTYPE word, so a node covers
 * MAPSIZE consecutive bit positions starting at its startbit.  MAPSIZE is
 * derived from sizeof so it tracks MAPTYPE automatically; MAPBIT is the
 * unit used to build shift masks (it must be as wide as MAPTYPE, hence ULL).
 */
#define MAPTYPE u64 /* portion of bitmap in each node */
#define MAPSIZE (sizeof(MAPTYPE) * 8) /* number of bits in node bitmap */
#define MAPBIT 1ULL /* a bit in the node bitmap */
/*
 * One link of an extensible bitmap.  A node stores MAPSIZE bits of the
 * overall bitmap, beginning at @startbit; positions not covered by any
 * node are implicitly clear.  Nodes are chained through @next.
 */
struct ebitmap_node {
	u32 startbit; /* starting position in the total bitmap */
	MAPTYPE map; /* this node's portion of the bitmap */
	struct ebitmap_node *next; /* next node in the list, or NULL */
};
/*
 * An extensible bitmap: a singly linked list of nodes plus the bound used
 * by ebitmap_length() to stop iteration.  An empty bitmap has @node == NULL
 * and @highbit == 0 (see ebitmap_init()).
 */
struct ebitmap {
	struct ebitmap_node *node; /* first node in the bitmap */
	u32 highbit; /* highest position in the total bitmap */
};
/* Upper bound for bit positions; ebitmap_for_each_bit() iterates while bit < this. */
#define ebitmap_length(e) ((e)->highbit)
/* Starting bit of the first node, or 0 for an empty bitmap. */
#define ebitmap_startbit(e) ((e)->node ? (e)->node->startbit : 0)
/*
 * ebitmap_start - begin an iteration over @e
 * @e: the bitmap to walk
 * @n: receives the first node (NULL when @e is empty)
 *
 * Returns the starting bit position of the first node, or 0 when the
 * bitmap has no nodes.  Used by ebitmap_for_each_bit().
 */
static inline unsigned int ebitmap_start(struct ebitmap *e,
					 struct ebitmap_node **n)
{
	struct ebitmap_node *first = e->node;

	*n = first;
	return first ? first->startbit : 0;
}
/*
 * ebitmap_init - reset @e to the empty bitmap
 * @e: the bitmap to initialise
 *
 * Leaves @e with no nodes and a highbit of 0.  Does not free anything;
 * use ebitmap_destroy() on a bitmap that already owns nodes.
 */
static inline void ebitmap_init(struct ebitmap *e)
{
	e->node = NULL;
	e->highbit = 0;
}
/*
 * ebitmap_next - advance an iteration by one bit position
 * @n: cursor node; updated in place when the walk moves to the next node
 * @bit: the position most recently visited
 *
 * Returns the next position to examine.  When @bit is the last bit of
 * the current node and another node follows, the cursor jumps to that
 * node's startbit, skipping the gap of implicitly-clear bits between
 * nodes.  Otherwise the result is simply @bit + 1; if that runs past the
 * final node, the caller's bound check against ebitmap_length() ends the
 * walk.
 */
static inline unsigned int ebitmap_next(struct ebitmap_node **n,
					unsigned int bit)
{
	struct ebitmap_node *cur = *n;

	/* Still inside this node, or nothing follows it. */
	if (bit != (cur->startbit + MAPSIZE - 1) || !cur->next)
		return bit + 1;

	*n = cur->next;
	return cur->next->startbit;
}
/*
 * ebitmap_node_get_bit - test one bit within a single node
 * @n: the node holding the bit
 * @bit: absolute bit position in the total bitmap
 *
 * Returns 1 if the bit is set, 0 otherwise.  @bit must lie within
 * [n->startbit, n->startbit + MAPSIZE): the shift below is undefined
 * for a position outside the node, so callers (ebitmap_for_each_bit()
 * users) are responsible for pairing @bit with the right node.
 */
static inline int ebitmap_node_get_bit(struct ebitmap_node * n,
				       unsigned int bit)
{
	MAPTYPE mask = MAPBIT << (bit - n->startbit);

	return (n->map & mask) ? 1 : 0;
}
/*
 * Walk every bit position of @e from the first node's startbit up to
 * ebitmap_length(e), keeping @n pointed at the node that covers @bit so
 * the body can call ebitmap_node_get_bit(n, bit).  Positions between
 * nodes are skipped by ebitmap_next().  @n and @bit are lvalues supplied
 * by the caller.
 */
#define ebitmap_for_each_bit(e, n, bit) \
	for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \

/* Compare two bitmaps; see ebitmap.c for the exact return convention. */
int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
/* Copy @src into @dst; returns 0 on success, negative on failure (allocates nodes). */
int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
/*
 * Serialise @src into a byte buffer at *@dst of *@dst_len bytes.
 * NOTE(review): the buffer appears to be allocated here and handed to the
 * caller (dst is a double pointer) — confirm against ebitmap.c who frees it.
 */
int ebitmap_export(const struct ebitmap *src,
		   unsigned char **dst,
		   size_t *dst_len);
/*
 * Rebuild @dst from @src_len bytes at @src (the inverse of ebitmap_export()).
 * NOTE(review): per the commit message this path carries NetLabel security
 * attributes, so @src/@src_len may be derived from untrusted network data;
 * the implementation must bound every read by @src_len.  Verify in ebitmap.c.
 */
int ebitmap_import(const unsigned char *src,
		   size_t src_len,
		   struct ebitmap *dst);
/* Whether every bit set in @e2 is also set in @e1. */
int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2);
/* Read bit @bit of @e; returns 1 if set, 0 if clear or beyond the bitmap. */
int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
/* Set bit @bit of @e to @value (non-zero = set); may allocate a node. */
int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
/* Free all nodes of @e and reset it to empty. */
void ebitmap_destroy(struct ebitmap *e);
/* Populate @e from the policy stream @fp; returns 0 on success, negative on error. */
int ebitmap_read(struct ebitmap *e, void *fp);
#endif /* _SS_EBITMAP_H_ */