static int flask_relabel_domain(struct xen_flask_relabel *arg) { int rc; struct domain *d; struct domain_security_struct *csec = current->domain->ssid; struct domain_security_struct *dsec; struct avc_audit_data ad; AVC_AUDIT_DATA_INIT(&ad, NONE); d = rcu_lock_domain_by_any_id(arg->domid); if ( d == NULL ) return -ESRCH; ad.sdom = current->domain; ad.tdom = d; dsec = d->ssid; if ( arg->domid == DOMID_SELF ) { rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, &ad); if ( rc ) goto out; } else { rc = avc_has_perm(csec->sid, dsec->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, &ad); if ( rc ) goto out; rc = avc_has_perm(csec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, &ad); if ( rc ) goto out; } rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN, DOMAIN__TRANSITION, &ad); if ( rc ) goto out; dsec->sid = arg->sid; dsec->self_sid = arg->sid; security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN, &dsec->self_sid); if ( d->target ) { struct domain_security_struct *tsec = d->target->ssid; security_transition_sid(tsec->sid, dsec->sid, SECCLASS_DOMAIN, &dsec->target_sid); } out: rcu_unlock_domain(d); return rc; }
static ssize_t sel_write_create(struct file *file, char *buf, size_t size) { char *scon, *tcon; u32 ssid, tsid, newsid; u16 tclass; ssize_t length; char *newcon; u32 len; length = task_has_security(current, SECURITY__COMPUTE_CREATE); if (length) return length; length = -ENOMEM; scon = kzalloc(size+1, GFP_KERNEL); if (!scon) return length; tcon = kzalloc(size+1, GFP_KERNEL); if (!tcon) goto out; length = -EINVAL; if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out2; length = security_context_to_sid(scon, strlen(scon)+1, &ssid); if (length < 0) goto out2; length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid); if (length < 0) goto out2; length = security_transition_sid(ssid, tsid, tclass, &newsid); if (length < 0) goto out2; length = security_sid_to_context(newsid, &newcon, &len); if (length < 0) goto out2; if (len > SIMPLE_TRANSACTION_LIMIT) { printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " "payload max\n", __func__, len); length = -ERANGE; goto out3; } memcpy(buf, newcon, len); length = len; out3: kfree(newcon); out2: kfree(tcon); out: kfree(scon); return length; }
static int flask_security_create(struct xen_flask_transition *arg) { int rv; rv = domain_has_security(current->domain, SECURITY__COMPUTE_CREATE); if ( rv ) return rv; rv = security_transition_sid(arg->ssid, arg->tsid, arg->tclass, &arg->newsid); return rv; }