diff options
author | Paul Moore <paul.moore@hp.com> | 2008-04-12 19:06:42 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-04-12 19:06:42 -0700 |
commit | 00447872a643787411c2c0cb1df6169dda8b0c47 (patch) | |
tree | ea4215f6f3040507b46bf90fe133ca73a59c9c0e | |
parent | b9f3124f08fffe2ad706fd164f6702fdca409a91 (diff) | |
download | linux-00447872a643787411c2c0cb1df6169dda8b0c47.tar.gz linux-00447872a643787411c2c0cb1df6169dda8b0c47.tar.bz2 linux-00447872a643787411c2c0cb1df6169dda8b0c47.zip |
NetLabel: Allow passing the LSM domain as a shared pointer
Smack doesn't have the need to create a private copy of the LSM "domain" when
setting NetLabel security attributes like SELinux, however, the current
NetLabel code requires a private copy of the LSM "domain". This patches fixes
that by letting the LSM determine how it wants to pass the domain value.
* NETLBL_SECATTR_DOMAIN_CPY
The current behavior, NetLabel assumes that the domain value is a copy and
frees it when done
* NETLBL_SECATTR_DOMAIN
New, Smack-friendly behavior, NetLabel assumes that the domain value is a
reference to a string managed by the LSM and does not free it when done
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/netlabel.h | 14 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 2 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 2 |
3 files changed, 12 insertions, 6 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 0ca67d73c7ad..5e53a85b5ca1 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -162,7 +162,7 @@ struct netlbl_lsm_secattr_catmap { /** * struct netlbl_lsm_secattr - NetLabel LSM security attributes - * @flags: indicate which attributes are contained in this structure + * @flags: indicate structure attributes, see NETLBL_SECATTR_* * @type: indicate the NLTYPE of the attributes * @domain: the NetLabel LSM domain * @cache: NetLabel LSM specific cache @@ -180,17 +180,22 @@ struct netlbl_lsm_secattr_catmap { * NetLabel itself when returning security attributes to the LSM. * */ +struct netlbl_lsm_secattr { + u32 flags; + /* bitmap values for 'flags' */ #define NETLBL_SECATTR_NONE 0x00000000 #define NETLBL_SECATTR_DOMAIN 0x00000001 +#define NETLBL_SECATTR_DOMAIN_CPY (NETLBL_SECATTR_DOMAIN | \ + NETLBL_SECATTR_FREE_DOMAIN) #define NETLBL_SECATTR_CACHE 0x00000002 #define NETLBL_SECATTR_MLS_LVL 0x00000004 #define NETLBL_SECATTR_MLS_CAT 0x00000008 #define NETLBL_SECATTR_SECID 0x00000010 + /* bitmap meta-values for 'flags' */ +#define NETLBL_SECATTR_FREE_DOMAIN 0x01000000 #define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \ NETLBL_SECATTR_MLS_CAT | \ NETLBL_SECATTR_SECID) -struct netlbl_lsm_secattr { - u32 flags; u32 type; char *domain; struct netlbl_lsm_cache *cache; @@ -303,7 +308,8 @@ static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr) */ static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr) { - kfree(secattr->domain); + if (secattr->flags & NETLBL_SECATTR_FREE_DOMAIN) + kfree(secattr->domain); if (secattr->flags & NETLBL_SECATTR_CACHE) netlbl_secattr_cache_free(secattr->cache); if (secattr->flags & NETLBL_SECATTR_MLS_CAT) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f37418601215..47295acd09c9 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2649,7 +2649,7 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) goto netlbl_sid_to_secattr_failure; secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], GFP_ATOMIC); - secattr->flags |= NETLBL_SECATTR_DOMAIN; + secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY; mls_export_netlbl_lvl(ctx, secattr); rc = mls_export_netlbl_cat(ctx, secattr); if (rc != 0) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 732ba27923c4..e2d6f7cd9254 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1275,7 +1275,7 @@ static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp) switch (smack_net_nltype) { case NETLBL_NLTYPE_CIPSOV4: - nlsp->domain = kstrdup(smack, GFP_ATOMIC); + nlsp->domain = smack; nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; rc = smack_to_cipso(smack, &cipso); |