?? services.c
字號:
1 + strlen(policydb.p_type_val_to_name[context->type - 1]); mls_sid_to_context(context, &scontextp); *scontextp = 0; return 0;}#include "initial_sid_to_string.h"/** * security_sid_to_context - Obtain a context for a given SID. * @sid: security identifier, SID * @scontext: security context * @scontext_len: length in bytes * * Write the string representation of the context associated with @sid * into a dynamically allocated string of the correct size. Set @scontext * to point to this string and set @scontext_len to the length of the string. */int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len){ struct context *context; int rc = 0; if ( !ss_initialized ) { if ( sid <= SECINITSID_NUM ) { char *scontextp; *scontext_len = strlen(initial_sid_to_string[sid]) + 1; scontextp = xmalloc_array(char, *scontext_len); strlcpy(scontextp, initial_sid_to_string[sid], *scontext_len); *scontext = scontextp; goto out; } printk(KERN_ERR "security_sid_to_context: called before initial " "load_policy on unknown SID %d\n", sid); rc = -EINVAL; goto out; } POLICY_RDLOCK; context = sidtab_search(&sidtab, sid); if ( !context ) { printk(KERN_ERR "security_sid_to_context: unrecognized SID " "%d\n", sid); rc = -EINVAL; goto out_unlock; } rc = context_struct_to_string(context, scontext, scontext_len);out_unlock: POLICY_RDUNLOCK;out: return rc;}static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid){ char *scontext2; struct context context; struct role_datum *role; struct type_datum *typdatum; struct user_datum *usrdatum; char *scontextp, *p, oldc; int rc = 0; if ( !ss_initialized ) { int i; for ( i = 1; i < SECINITSID_NUM; i++ ) { if ( !strcmp(initial_sid_to_string[i], scontext) ) { *sid = i; goto out; } } *sid = SECINITSID_XEN; goto out; } *sid = SECSID_NULL; /* Copy the string so that we can modify the copy as we parse it. The string should already by null terminated, but we append a null suffix to the copy to avoid problems with the existing attr package, which doesn't view the null terminator as part of the attribute value. */ scontext2 = xmalloc_array(char, scontext_len+1); if ( !scontext2 ) { rc = -ENOMEM; goto out; } memcpy(scontext2, scontext, scontext_len); scontext2[scontext_len] = 0; context_init(&context); *sid = SECSID_NULL; POLICY_RDLOCK; /* Parse the security context. */ rc = -EINVAL; scontextp = (char *) scontext2; /* Extract the user. */ p = scontextp; while ( *p && *p != ':' ) p++; if (*p == 0) goto out_unlock; *p++ = 0; usrdatum = hashtab_search(policydb.p_users.table, scontextp); if ( !usrdatum ) goto out_unlock; context.user = usrdatum->value; /* Extract role. */ scontextp = p; while ( *p && *p != ':' ) p++; if ( *p == 0 ) goto out_unlock; *p++ = 0; role = hashtab_search(policydb.p_roles.table, scontextp); if ( !role ) goto out_unlock; context.role = role->value; /* Extract type. */ scontextp = p; while ( *p && *p != ':' ) p++; oldc = *p; *p++ = 0; typdatum = hashtab_search(policydb.p_types.table, scontextp); if ( !typdatum ) goto out_unlock; context.type = typdatum->value; rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid); if ( rc ) goto out_unlock; if ( (p - scontext2) < scontext_len ) { rc = -EINVAL; goto out_unlock; } /* Check the validity of the new context. */ if ( !policydb_context_isvalid(&policydb, &context) ) { rc = -EINVAL; goto out_unlock; } /* Obtain the new sid. */ rc = sidtab_context_to_sid(&sidtab, &context, sid);out_unlock: POLICY_RDUNLOCK; context_destroy(&context); xfree(scontext2);out: return rc;}/** * security_context_to_sid - Obtain a SID for a given security context. * @scontext: security context * @scontext_len: length in bytes * @sid: security identifier, SID * * Obtains a SID associated with the security context that * has the string representation specified by @scontext. * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient * memory is available, or 0 on success. */int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid){ return security_context_to_sid_core(scontext, scontext_len, sid, SECSID_NULL);}/** * security_context_to_sid_default - Obtain a SID for a given security context, * falling back to specified default if needed. * * @scontext: security context * @scontext_len: length in bytes * @sid: security identifier, SID * @def_sid: default SID to assign on errror * * Obtains a SID associated with the security context that * has the string representation specified by @scontext. * The default SID is passed to the MLS layer to be used to allow * kernel labeling of the MLS field if the MLS field is not present * (for upgrading to MLS without full relabel). * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient * memory is available, or 0 on success. */int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid){ return security_context_to_sid_core(scontext, scontext_len, sid, def_sid);}static int compute_sid_handle_invalid_context( struct context *scontext, struct context *tcontext, u16 tclass, struct context *newcontext){ char *s = NULL, *t = NULL, *n = NULL; u32 slen, tlen, nlen; if ( context_struct_to_string(scontext, &s, &slen) < 0 ) goto out; if ( context_struct_to_string(tcontext, &t, &tlen) < 0 ) goto out; if ( context_struct_to_string(newcontext, &n, &nlen) < 0 ) goto out; printk("security_compute_sid: invalid context %s" " for scontext=%s" " tcontext=%s" " tclass=%s", n, s, t, policydb.p_class_val_to_name[tclass-1]);out: xfree(s); xfree(t); xfree(n); if ( !flask_enforcing ) return 0; return -EACCES;}static int security_compute_sid(u32 ssid, u32 tsid, u16 tclass, u32 specified, u32 *out_sid){ struct context *scontext = NULL, *tcontext = NULL, newcontext; struct role_trans *roletr = NULL; struct avtab_key avkey; struct avtab_datum *avdatum; struct avtab_node *node; int rc = 0; if ( !ss_initialized ) { switch ( tclass ) { case SECCLASS_DOMAIN: *out_sid = ssid; break; default: *out_sid = tsid; break; } goto out; } POLICY_RDLOCK; scontext = sidtab_search(&sidtab, ssid); if ( !scontext ) { printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", ssid); rc = -EINVAL; goto out_unlock; } tcontext = sidtab_search(&sidtab, tsid); if ( !tcontext ) { printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", tsid); rc = -EINVAL; goto out_unlock; } context_init(&newcontext); /* Set the user identity. */ switch ( specified ) { case AVTAB_TRANSITION: case AVTAB_CHANGE: /* Use the process user identity. */ newcontext.user = scontext->user; break; case AVTAB_MEMBER: /* Use the related object owner. */ newcontext.user = tcontext->user; break; } /* Set the role and type to default values. */ switch ( tclass ) { case SECCLASS_DOMAIN: /* Use the current role and type of process. */ newcontext.role = scontext->role; newcontext.type = scontext->type; break; default: /* Use the well-defined object role. */ newcontext.role = OBJECT_R_VAL; /* Use the type of the related object. */ newcontext.type = tcontext->type; } /* Look for a type transition/member/change rule. */ avkey.source_type = scontext->type; avkey.target_type = tcontext->type; avkey.target_class = tclass; avkey.specified = specified; avdatum = avtab_search(&policydb.te_avtab, &avkey); /* If no permanent rule, also check for enabled conditional rules */ if ( !avdatum ) { node = avtab_search_node(&policydb.te_cond_avtab, &avkey); for ( ; node != NULL; node = avtab_search_node_next(node, specified) ) { if ( node->key.specified & AVTAB_ENABLED ) { avdatum = &node->datum; break; } } } if ( avdatum ) { /* Use the type from the type transition/member/change rule. */ newcontext.type = avdatum->data; } /* Check for class-specific changes. */ switch ( tclass ) { case SECCLASS_DOMAIN: if ( specified & AVTAB_TRANSITION ) { /* Look for a role transition rule. */ for ( roletr = policydb.role_tr; roletr; roletr = roletr->next ) { if ( roletr->role == scontext->role && roletr->type == tcontext->type ) { /* Use the role transition rule. */ newcontext.role = roletr->new_role; break; } } } break; default: break; } /* Set the MLS attributes. This is done last because it may allocate memory. */ rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext); if ( rc ) goto out_unlock; /* Check the validity of the context. */ if ( !policydb_context_isvalid(&policydb, &newcontext) ) { rc = compute_sid_handle_invalid_context(scontext, tcontext, tclass, &newcontext); if ( rc ) goto out_unlock; } /* Obtain the sid for the context. */ rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);out_unlock: POLICY_RDUNLOCK; context_destroy(&newcontext);out: return rc;}/** * security_transition_sid - Compute the SID for a new subject/object. * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class * @out_sid: security identifier for new subject/object * * Compute a SID to use for labeling a new subject or object in the * class @tclass based on a SID pair (@ssid, @tsid). * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM * if insufficient memory is available, or %0 if the new SID was * computed successfully. */int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid){ return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);}/** * security_member_sid - Compute the SID for member selection. * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class * @out_sid: security identifier for selected member * * Compute a SID to use when selecting a member of a polyinstantiated * object of class @tclass based on a SID pair (@ssid, @tsid). * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM * if insufficient memory is available, or %0 if the SID was * computed successfully. */int security_member_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid){ return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);}/** * security_change_sid - Compute the SID for object relabeling. * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class * @out_sid: security identifier for selected member * * Compute a SID to use for relabeling an object of class @tclass * based on a SID pair (@ssid, @tsid). * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM * if insufficient memory is available, or %0 if the SID was * computed successfully. */int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid){ return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);}/* * Verify that each permission that is defined under the * existing policy is still defined with the same value * in the new policy. */static int validate_perm(void *key, void *datum, void *p){ struct hashtab *h; struct perm_datum *perdatum, *perdatum2; int rc = 0; h = p; perdatum = datum; perdatum2 = hashtab_search(h, key); if ( !perdatum2 ) { printk(KERN_ERR "security: permission %s disappeared", (char *)key); rc = -ENOENT; goto out; } if ( perdatum->value != perdatum2->value ) { printk(KERN_ERR "security: the value of permission %s changed", (char *)key); rc = -EINVAL; }out: return rc;}/* * Verify that each class that is defined under the * existing policy is still defined with the same * attributes in the new policy. */static int validate_class(void *key, void *datum, void *p){ struct policydb *newp; struct class_datum *cladatum, *cladatum2; int rc; newp = p; cladatum = datum; cladatum2 = hashtab_search(newp->p_classes.table, key); if ( !cladatum2 ) { printk(KERN_ERR "security: class %s disappeared\n", (char *)key); rc = -ENOENT; goto out; } if (cladatum->value != cladatum2->value) { printk(KERN_ERR "security: the value of class %s changed\n", (char *)key); rc = -EINVAL; goto out; } if ( (cladatum->comdatum && !cladatum2->comdatum) || (!cladatum->comdatum && cladatum2->comdatum) ) { printk(KERN_ERR "security: the inherits clause for the access " "vector definition for class %s changed\n", (char *)key); rc = -EINVAL; goto out; } if ( cladatum->comdatum ) { rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm, cladatum2->comdatum->permissions.table); if ( rc ) { printk(" in the access vector definition for class %s\n", (char *)key); goto out; } } rc = hashtab_map(cladatum->permissions.table, validate_perm, cladatum2->permissions.table); if ( rc ) printk(" in access vector definition for class %s\n", (char *)key);out: return rc;}/* Clone the SID into the new SID table. */static int clone_sid(u32 sid, struct context *context, void *arg){ struct sidtab *s = arg; return sidtab_insert(s, sid, context);}static inline int convert_context_handle_invalid_context(struct context *context){ int rc = 0; if ( flask_enforcing ) rc = -EINVAL; else { char *s; u32 len;?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -