
Commit 0719aaf5 authored by Guido Trentalancia's avatar Guido Trentalancia Committed by James Morris

selinux: allow MLS->non-MLS and vice versa upon policy reload



Allow runtime switching between different policy types (e.g. from an MLS/MCS
policy to a non-MLS/non-MCS policy or vice versa).

Signed-off-by: default avatarGuido Trentalancia <guido@trentalancia.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 42596eaf
+2 −1
@@ -57,7 +57,6 @@
struct netlbl_lsm_secattr;

extern int selinux_enabled;
extern int selinux_mls_enabled;

/* Policy capabilities */
enum {
@@ -80,6 +79,8 @@ extern int selinux_policycap_openperm;
/* limitation of boundary depth  */
#define POLICYDB_BOUNDS_MAXDEPTH	4

int security_mls_enabled(void);

int security_load_policy(void *data, size_t len);

int security_policycap_supported(unsigned int req_cap);
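Review bot: The new prototype `int security_mls_enabled(void);` in the second hunk has no comment saying that it replaces the removed `selinux_mls_enabled` global and now answers for the currently loaded policy, whose MLS status can change across a reload. Since the whole point of the commit is that the answer may flip at runtime, callers must not cache the result in a static or hold it across a policy reload; a one-line comment above the prototype would make that explicit: `/* Whether the currently loaded policy is MLS/MCS; may change on policy reload, do not cache. */`. Whether the accessor takes the policy read lock internally is not visible from this header, so that should be stated wherever it is defined.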
+2 −1
@@ -282,7 +282,8 @@ static ssize_t sel_read_mls(struct file *filp, char __user *buf,
	char tmpbuf[TMPBUFLEN];
	ssize_t length;

	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
			   security_mls_enabled());
	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}

+0 −12
@@ -41,9 +41,6 @@ static inline int mls_context_cpy(struct context *dst, struct context *src)
{
	int rc;

	if (!selinux_mls_enabled)
		return 0;

	dst->range.level[0].sens = src->range.level[0].sens;
	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
	if (rc)
@@ -64,9 +61,6 @@ static inline int mls_context_cpy_low(struct context *dst, struct context *src)
{
	int rc;

	if (!selinux_mls_enabled)
		return 0;

	dst->range.level[0].sens = src->range.level[0].sens;
	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
	if (rc)
@@ -82,9 +76,6 @@ static inline int mls_context_cpy_low(struct context *dst, struct context *src)

static inline int mls_context_cmp(struct context *c1, struct context *c2)
{
	if (!selinux_mls_enabled)
		return 1;

	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
		ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
		(c1->range.level[1].sens == c2->range.level[1].sens) &&
@@ -93,9 +84,6 @@ static inline int mls_context_cmp(struct context *c1, struct context *c2)

static inline void mls_context_destroy(struct context *c)
{
	if (!selinux_mls_enabled)
		return;

	ebitmap_destroy(&c->range.level[0].cat);
	ebitmap_destroy(&c->range.level[1].cat);
	mls_context_init(c);
+13 −13
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct context *context)
	struct ebitmap *e;
	struct ebitmap_node *node;

	if (!selinux_mls_enabled)
	if (!policydb.mls_enabled)
		return 0;

	len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *context,
	struct ebitmap *e;
	struct ebitmap_node *node;

	if (!selinux_mls_enabled)
	if (!policydb.mls_enabled)
		return;

	scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb *p, struct context *c)
{
	struct user_datum *usrdatum;

	if (!selinux_mls_enabled)
	if (!p->mls_enabled)
		return 1;

	if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *pol,
	struct cat_datum *catdatum, *rngdatum;
	int l, rc = -EINVAL;

	if (!selinux_mls_enabled) {
	if (!pol->mls_enabled) {
		if (def_sid != SECSID_NULL && oldc)
			*scontext += strlen(*scontext)+1;
		return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
	char *tmpstr, *freestr;
	int rc;

	if (!selinux_mls_enabled)
	if (!policydb.mls_enabled)
		return -EINVAL;

	/* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
/*
 * Copies the MLS range `range' into `context'.
 */
static inline int mls_range_set(struct context *context,
int mls_range_set(struct context *context,
				struct mls_range *range)
{
	int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct context *context,
int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
			 struct context *usercon)
{
	if (selinux_mls_enabled) {
	if (policydb.mls_enabled) {
		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
		struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb *oldp,
	struct ebitmap_node *node;
	int l, i;

	if (!selinux_mls_enabled)
	if (!policydb.mls_enabled)
		return 0;

	for (l = 0; l < 2; l++) {
@@ -516,7 +516,7 @@ int mls_compute_sid(struct context *scontext,
	struct range_trans rtr;
	struct mls_range *r;

	if (!selinux_mls_enabled)
	if (!policydb.mls_enabled)
		return 0;

	switch (specified) {
@@ -559,7 +559,7 @@ int mls_compute_sid(struct context *scontext,
void mls_export_netlbl_lvl(struct context *context,
			   struct netlbl_lsm_secattr *secattr)
{
	if (!selinux_mls_enabled)
	if (!policydb.mls_enabled)
		return;

	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -579,7 +579,7 @@ void mls_export_netlbl_lvl(struct context *context,
void mls_import_netlbl_lvl(struct context *context,
			   struct netlbl_lsm_secattr *secattr)
{
	if (!selinux_mls_enabled)
	if (!policydb.mls_enabled)
		return;

	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -601,7 +601,7 @@ int mls_export_netlbl_cat(struct context *context,
{
	int rc;

	if (!selinux_mls_enabled)
	if (!policydb.mls_enabled)
		return 0;

	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -629,7 +629,7 @@ int mls_import_netlbl_cat(struct context *context,
{
	int rc;

	if (!selinux_mls_enabled)
	if (!policydb.mls_enabled)
		return 0;

	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
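Review bot: In the `@@ -477` hunk, `mls_convert_context()` receives `oldp` and `newp` but still decides on the global `policydb.mls_enabled`; for the MLS-to-non-MLS and non-MLS-to-MLS reloads this commit enables, the global reflects only one side of the conversion, so the early return can be taken for the wrong policy. The guard should be based on the two policies the function was handed: `if (!oldp->mls_enabled || !newp->mls_enabled) return 0;`, presumably leaving the caller in services.c (not on this page) to supply a default range when the new policy is MLS and the old one was not. The other hunks in this file (`mls_compute_context_len`, `mls_sid_to_context`, `mls_from_string`, `mls_setup_user_range`, `mls_compute_sid` and the netlbl import/export helpers) switch to the global consistently, and `mls_context_isvalid`/`mls_context_to_sid` correctly use the policydb they are passed. The body of `mls_convert_context` continues outside the hunk.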
+2 −0
@@ -39,6 +39,8 @@ int mls_context_to_sid(struct policydb *p,

int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);

int mls_range_set(struct context *context, struct mls_range *range);

int mls_convert_context(struct policydb *oldp,
			struct policydb *newp,
			struct context *context);