Lines Matching +full:sens +full:-

1 // SPDX-License-Identifier: GPL-2.0
3 * Implementation of the multi-level security (MLS) policy.
11 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
13 * Updated: Hewlett-Packard <paul@paul-moore.com>
15 * Copyright (C) Hewlett-Packard Development Company, L.P., 2006
39 if (!p->mls_enabled) in mls_compute_context_len()
44 u32 index_sens = context->range.level[l].sens; in mls_compute_context_len()
45 len += strlen(sym_name(p, SYM_LEVELS, index_sens - 1)); in mls_compute_context_len()
48 head = -2; in mls_compute_context_len()
49 prev = -2; in mls_compute_context_len()
50 e = &context->range.level[l].cat; in mls_compute_context_len()
53 if (i - prev > 1) { in mls_compute_context_len()
70 if (mls_level_eq(&context->range.level[0], in mls_compute_context_len()
71 &context->range.level[1])) in mls_compute_context_len()
94 if (!p->mls_enabled) in mls_sid_to_context()
104 context->range.level[l].sens - 1)); in mls_sid_to_context()
108 head = -2; in mls_sid_to_context()
109 prev = -2; in mls_sid_to_context()
110 e = &context->range.level[l].cat; in mls_sid_to_context()
113 if (i - prev > 1) { in mls_sid_to_context()
116 if (prev - head > 1) in mls_sid_to_context()
137 if (prev - head > 1) in mls_sid_to_context()
147 if (mls_level_eq(&context->range.level[0], in mls_sid_to_context()
148 &context->range.level[1])) in mls_sid_to_context()
151 *scontextp++ = '-'; in mls_sid_to_context()
162 if (!l->sens || l->sens > p->p_levels.nprim) in mls_level_isvalid()
164 levdatum = symtab_search(&p->p_levels, in mls_level_isvalid()
165 sym_name(p, SYM_LEVELS, l->sens - 1)); in mls_level_isvalid()
170 * Return 1 iff all the bits set in l->cat are also set in in mls_level_isvalid()
171 * levdatum->level->cat and no bit in l->cat is larger than in mls_level_isvalid()
172 * p->p_cats.nprim. in mls_level_isvalid()
174 return ebitmap_contains(&levdatum->level->cat, &l->cat, in mls_level_isvalid()
175 p->p_cats.nprim); in mls_level_isvalid()
180 return (mls_level_isvalid(p, &r->level[0]) && in mls_range_isvalid()
181 mls_level_isvalid(p, &r->level[1]) && in mls_range_isvalid()
182 mls_level_dom(&r->level[1], &r->level[0])); in mls_range_isvalid()
193 if (!p->mls_enabled) in mls_context_isvalid()
196 if (!mls_range_isvalid(p, &c->range)) in mls_context_isvalid()
199 if (c->role == OBJECT_R_VAL) in mls_context_isvalid()
205 if (!c->user || c->user > p->p_users.nprim) in mls_context_isvalid()
207 usrdatum = p->user_val_to_struct[c->user - 1]; in mls_context_isvalid()
208 if (!mls_range_contains(usrdatum->range, c->range)) in mls_context_isvalid()
227 * Policy read-lock must be held for sidtab lookup.
240 if (!pol->mls_enabled) { in mls_context_to_sid()
242 * With no MLS, only return -EINVAL if there is an MLS field in mls_context_to_sid()
246 return -EINVAL; in mls_context_to_sid()
258 return -EINVAL; in mls_context_to_sid()
262 return -EINVAL; in mls_context_to_sid()
272 rangep[1] = strchr(scontext, '-'); in mls_context_to_sid()
289 levdatum = symtab_search(&pol->p_levels, sensitivity); in mls_context_to_sid()
291 return -EINVAL; in mls_context_to_sid()
292 context->range.level[l].sens = levdatum->level->sens; in mls_context_to_sid()
308 catdatum = symtab_search(&pol->p_cats, cur_cat); in mls_context_to_sid()
310 return -EINVAL; in mls_context_to_sid()
312 rc = ebitmap_set_bit(&context->range.level[l].cat, in mls_context_to_sid()
313 catdatum->value - 1, 1); in mls_context_to_sid()
321 rngdatum = symtab_search(&pol->p_cats, rngptr); in mls_context_to_sid()
323 return -EINVAL; in mls_context_to_sid()
325 if (catdatum->value >= rngdatum->value) in mls_context_to_sid()
326 return -EINVAL; in mls_context_to_sid()
328 for (i = catdatum->value; i < rngdatum->value; i++) { in mls_context_to_sid()
330 &context->range.level[l].cat, i, 1); in mls_context_to_sid()
337 /* If we didn't see a '-', the range start is also the range end. */ in mls_context_to_sid()
339 context->range.level[1].sens = context->range.level[0].sens; in mls_context_to_sid()
340 rc = ebitmap_cpy(&context->range.level[1].cat, in mls_context_to_sid()
341 &context->range.level[0].cat); in mls_context_to_sid()
361 if (!p->mls_enabled) in mls_from_string()
362 return -EINVAL; in mls_from_string()
366 rc = -ENOMEM; in mls_from_string()
385 context->range.level[l].sens = range->level[l].sens; in mls_range_set()
386 rc = ebitmap_cpy(&context->range.level[l].cat, in mls_range_set()
387 &range->level[l].cat); in mls_range_set()
398 if (p->mls_enabled) { in mls_setup_user_range()
399 struct mls_level *fromcon_sen = &(fromcon->range.level[0]); in mls_setup_user_range()
400 struct mls_level *fromcon_clr = &(fromcon->range.level[1]); in mls_setup_user_range()
401 struct mls_level *user_low = &(user->range.level[0]); in mls_setup_user_range()
402 struct mls_level *user_clr = &(user->range.level[1]); in mls_setup_user_range()
403 struct mls_level *user_def = &(user->dfltlevel); in mls_setup_user_range()
404 struct mls_level *usercon_sen = &(usercon->range.level[0]); in mls_setup_user_range()
405 struct mls_level *usercon_clr = &(usercon->range.level[1]); in mls_setup_user_range()
415 return -EINVAL; in mls_setup_user_range()
427 return -EINVAL; in mls_setup_user_range()
448 if (!oldp->mls_enabled || !newp->mls_enabled) in mls_convert_context()
453 oldc->range.level[l].sens - 1); in mls_convert_context()
455 levdatum = symtab_search(&newp->p_levels, name); in mls_convert_context()
458 return -EINVAL; in mls_convert_context()
459 newc->range.level[l].sens = levdatum->level->sens; in mls_convert_context()
461 ebitmap_for_each_positive_bit(&oldc->range.level[l].cat, node, in mls_convert_context()
466 catdatum = symtab_search(&newp->p_cats, in mls_convert_context()
469 return -EINVAL; in mls_convert_context()
470 rc = ebitmap_set_bit(&newc->range.level[l].cat, in mls_convert_context()
471 catdatum->value - 1, 1); in mls_convert_context()
489 if (!p->mls_enabled) in mls_compute_sid()
495 rtr.source_type = scontext->type; in mls_compute_sid()
496 rtr.target_type = tcontext->type; in mls_compute_sid()
502 if (tclass && tclass <= p->p_classes.nprim) { in mls_compute_sid()
503 cladatum = p->class_val_to_struct[tclass - 1]; in mls_compute_sid()
505 default_range = cladatum->default_range; in mls_compute_sid()
528 if ((tclass == p->process_class) || sock) in mls_compute_sid()
538 return -EINVAL; in mls_compute_sid()
543 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
556 if (!p->mls_enabled) in mls_export_netlbl_lvl()
559 secattr->attr.mls.lvl = context->range.level[0].sens - 1; in mls_export_netlbl_lvl()
560 secattr->flags |= NETLBL_SECATTR_MLS_LVL; in mls_export_netlbl_lvl()
564 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
577 if (!p->mls_enabled) in mls_import_netlbl_lvl()
580 context->range.level[0].sens = secattr->attr.mls.lvl + 1; in mls_import_netlbl_lvl()
581 context->range.level[1].sens = context->range.level[0].sens; in mls_import_netlbl_lvl()
585 * mls_export_netlbl_cat - Export the MLS categories to NetLabel
600 if (!p->mls_enabled) in mls_export_netlbl_cat()
603 rc = ebitmap_netlbl_export(&context->range.level[0].cat, in mls_export_netlbl_cat()
604 &secattr->attr.mls.cat); in mls_export_netlbl_cat()
605 if (rc == 0 && secattr->attr.mls.cat != NULL) in mls_export_netlbl_cat()
606 secattr->flags |= NETLBL_SECATTR_MLS_CAT; in mls_export_netlbl_cat()
612 * mls_import_netlbl_cat - Import the MLS categories from NetLabel
629 if (!p->mls_enabled) in mls_import_netlbl_cat()
632 rc = ebitmap_netlbl_import(&context->range.level[0].cat, in mls_import_netlbl_cat()
633 secattr->attr.mls.cat); in mls_import_netlbl_cat()
636 memcpy(&context->range.level[1].cat, &context->range.level[0].cat, in mls_import_netlbl_cat()
637 sizeof(context->range.level[0].cat)); in mls_import_netlbl_cat()
642 ebitmap_destroy(&context->range.level[0].cat); in mls_import_netlbl_cat()