* [PATCH 1/1] selinux: Delete mls_copy_context
From: Venkat Yekkirala @ 2006-12-12 15:21 UTC (permalink / raw)
To: selinux; +Cc: sds
This deletes mls_copy_context() in favor of mls_context_cpy() and
replaces mls_scopy_context() with mls_context_scpy().
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---
security/selinux/ss/context.h | 23 +++++++++++++++++++++++
security/selinux/ss/mls.c | 30 +++++-------------------------
security/selinux/ss/mls.h | 20 --------------------
security/selinux/ss/services.c | 3 +--
4 files changed, 29 insertions(+), 47 deletions(-)
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
index 0562bac..3f57585 100644
--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -55,6 +55,29 @@ out:
return rc;
}
+/*
+ * Copies the effective MLS range from `src' into `dst'.
+ */
+static inline int mls_context_scpy(struct context *dst, struct context *src)
+{
+ int rc;
+
+ if (!selinux_mls_enabled)
+ return 0;
+
+ dst->range.level[0].sens = src->range.level[0].sens;
+ rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
+ if (rc)
+ goto out;
+
+ dst->range.level[1].sens = src->range.level[0].sens;
+ rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
+ if (rc)
+ ebitmap_destroy(&dst->range.level[0].cat);
+out:
+ return rc;
+}
+
static inline int mls_context_cmp(struct context *c1, struct context *c2)
{
if (!selinux_mls_enabled)
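Review bot: The failure path of mls_context_scpy() leaves `dst` half-written, and the header comment does not say so. When the second ebitmap_cpy() fails, `dst->range.level[0].cat` is destroyed, but both `sens` fields have already been overwritten with the source's low sensitivity. Because this function fills in the MLS portion of a label that later feeds access decisions, I would state the contract in the comment, e.g. `Returns 0 on success or the ebitmap_cpy() error; on error the range in dst must not be used.` The added `if (!selinux_mls_enabled) return 0;` is also new relative to the removed mls_scopy_context(): it returns success without touching `dst->range`, which presumably relies on callers having initialised `dst` beforehand, so that is worth a line in the comment as well.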
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index b4f682d..6437fcf 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -270,7 +270,7 @@ int mls_context_to_sid(char oldc,
if (!defcon)
goto out;
- rc = mls_copy_context(context, defcon);
+ rc = mls_context_cpy(context, defcon);
goto out;
}
@@ -401,26 +401,6 @@ int mls_from_string(char *str, struct co
}
/*
- * Copies the effective MLS range from `src' into `dst'.
- */
-static inline int mls_scopy_context(struct context *dst,
- struct context *src)
-{
- int l, rc = 0;
-
- /* Copy the MLS range from the source context */
- for (l = 0; l < 2; l++) {
- dst->range.level[l].sens = src->range.level[0].sens;
- rc = ebitmap_cpy(&dst->range.level[l].cat,
- &src->range.level[0].cat);
- if (rc)
- break;
- }
-
- return rc;
-}
-
-/*
* Copies the MLS range `range' into `context'.
*/
static inline int mls_range_set(struct context *context,
@@ -552,19 +532,19 @@ int mls_compute_sid(struct context *scon
case AVTAB_CHANGE:
if (tclass == SECCLASS_PROCESS)
/* Use the process MLS attributes. */
- return mls_copy_context(newcontext, scontext);
+ return mls_context_cpy(newcontext, scontext);
else
/* Use the process effective MLS attributes. */
- return mls_scopy_context(newcontext, scontext);
+ return mls_context_scpy(newcontext, scontext);
case AVTAB_MEMBER:
/* Only polyinstantiate the MLS attributes if
the type is being polyinstantiated */
if (newcontext->type != tcontext->type) {
/* Use the process effective MLS attributes. */
- return mls_scopy_context(newcontext, scontext);
+ return mls_context_scpy(newcontext, scontext);
} else {
/* Use the related object MLS attributes. */
- return mls_copy_context(newcontext, tcontext);
+ return mls_context_cpy(newcontext, tcontext);
}
default:
return -EINVAL;
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index 661d6fc..096d1b4 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -24,26 +24,6 @@ #define _SS_MLS_H_
#include "context.h"
#include "policydb.h"
-/*
- * Copies the MLS range from `src' into `dst'.
- */
-static inline int mls_copy_context(struct context *dst,
- struct context *src)
-{
- int l, rc = 0;
-
- /* Copy the MLS range from the source context */
- for (l = 0; l < 2; l++) {
- dst->range.level[l].sens = src->range.level[l].sens;
- rc = ebitmap_cpy(&dst->range.level[l].cat,
- &src->range.level[l].cat);
- if (rc)
- break;
- }
-
- return rc;
-}
-
int mls_compute_context_len(struct context *context);
void mls_sid_to_context(struct context *context, char **scontext);
int mls_context_isvalid(struct policydb *p, struct context *c);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index bdb7070..668bc37 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1916,11 +1916,10 @@ int security_sid_mls_copy(u32 sid, u32 m
newcon.user = context1->user;
newcon.role = context1->role;
newcon.type = context1->type;
- rc = mls_copy_context(&newcon, context2);
+ rc = mls_context_cpy(&newcon, context2);
if (rc)
goto out_unlock;
-
/* Check the validity of the new context. */
if (!policydb_context_isvalid(&policydb, &newcon)) {
rc = convert_context_handle_invalid_context(&newcon);
* Re: [PATCH 1/1] selinux: Delete mls_copy_context
From: Paul Moore @ 2006-12-12 16:13 UTC (permalink / raw)
To: Venkat Yekkirala; +Cc: selinux, sds
Venkat Yekkirala wrote:
> diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
> index 0562bac..3f57585 100644
> --- a/security/selinux/ss/context.h
> +++ b/security/selinux/ss/context.h
> @@ -55,6 +55,29 @@ out:
> return rc;
> }
>
> +/*
> + * Copies the effective MLS range from `src' into `dst'.
> + */
This isn't your fault, the old code used the same comment, but I wonder if it is
better to say:
"Copies the low MLS range from 'src' into 'dst'."
As the concepts of "effective" and "clearance" are policy constructs and not
hardcoded into the kernel.
> +static inline int mls_context_scpy(struct context *dst, struct context *src)
> +{
> + int rc;
> +
> + if (!selinux_mls_enabled)
> + return 0;
> +
> + dst->range.level[0].sens = src->range.level[0].sens;
> + rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
> + if (rc)
> + goto out;
> +
> + dst->range.level[1].sens = src->range.level[0].sens;
> + rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
> + if (rc)
> + ebitmap_destroy(&dst->range.level[0].cat);
> +out:
> + return rc;
> +}
--
paul moore
linux security @ hp
* Re: [PATCH 1/1] selinux: Delete mls_copy_context
From: Stephen Smalley @ 2006-12-12 18:31 UTC (permalink / raw)
To: Paul Moore; +Cc: Venkat Yekkirala, selinux
On Tue, 2006-12-12 at 11:13 -0500, Paul Moore wrote:
> Venkat Yekkirala wrote:
> > diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
> > index 0562bac..3f57585 100644
> > --- a/security/selinux/ss/context.h
> > +++ b/security/selinux/ss/context.h
> > @@ -55,6 +55,29 @@ out:
> > return rc;
> > }
> >
> > +/*
> > + * Copies the effective MLS range from `src' into `dst'.
> > + */
>
> This isn't your fault, the old code used the same comment, but I wonder if it is
> better to say:
>
> "Copies the low MLS range from 'src' into 'dst'."
>
> As the concept of "effective" and "clearance" are policy constructs and not
> hardcoded into the kernel.
Possibly "Sets both levels in the MLS range of 'dst' to the low level of
'src'." And renaming the function to something that more clearly
indicates that purpose (neither the old name nor the new one is very
obvious in their meaning).
>
> > +static inline int mls_context_scpy(struct context *dst, struct context *src)
> > +{
> > + int rc;
> > +
> > + if (!selinux_mls_enabled)
> > + return 0;
> > +
> > + dst->range.level[0].sens = src->range.level[0].sens;
> > + rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
> > + if (rc)
> > + goto out;
> > +
> > + dst->range.level[1].sens = src->range.level[0].sens;
> > + rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
> > + if (rc)
> > + ebitmap_destroy(&dst->range.level[0].cat);
> > +out:
> > + return rc;
> > +}
--
Stephen Smalley
National Security Agency