Пример #1
0
static int flask_relabel_domain(struct xen_flask_relabel *arg)
{
    int rc;
    struct domain *d;
    struct domain_security_struct *csec = current->domain->ssid;
    struct domain_security_struct *dsec;
    struct avc_audit_data ad;
    AVC_AUDIT_DATA_INIT(&ad, NONE);

    d = rcu_lock_domain_by_any_id(arg->domid);
    if ( d == NULL )
        return -ESRCH;

    ad.sdom = current->domain;
    ad.tdom = d;
    dsec = d->ssid;

    if ( arg->domid == DOMID_SELF )
    {
        rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, &ad);
        if ( rc )
            goto out;
    }
    else
    {
        rc = avc_has_perm(csec->sid, dsec->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, &ad);
        if ( rc )
            goto out;

        rc = avc_has_perm(csec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, &ad);
        if ( rc )
            goto out;
    }

    rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN, DOMAIN__TRANSITION, &ad);
    if ( rc )
        goto out;

    dsec->sid = arg->sid;
    dsec->self_sid = arg->sid;
    security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN,
                            &dsec->self_sid);
    if ( d->target )
    {
        struct domain_security_struct *tsec = d->target->ssid;
        security_transition_sid(tsec->sid, dsec->sid, SECCLASS_DOMAIN,
                                &dsec->target_sid);
    }

 out:
    rcu_unlock_domain(d);
    return rc;
}
Пример #2
0
static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
{
	char *scon, *tcon;
	u32 ssid, tsid, newsid;
	u16 tclass;
	ssize_t length;
	char *newcon;
	u32 len;

	length = task_has_security(current, SECURITY__COMPUTE_CREATE);
	if (length)
		return length;

	length = -ENOMEM;
	scon = kzalloc(size+1, GFP_KERNEL);
	if (!scon)
		return length;

	tcon = kzalloc(size+1, GFP_KERNEL);
	if (!tcon)
		goto out;

	length = -EINVAL;
	if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
		goto out2;

	length = security_context_to_sid(scon, strlen(scon)+1, &ssid);
	if (length < 0)
		goto out2;
	length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid);
	if (length < 0)
		goto out2;

	length = security_transition_sid(ssid, tsid, tclass, &newsid);
	if (length < 0)
		goto out2;

	length = security_sid_to_context(newsid, &newcon, &len);
	if (length < 0)
		goto out2;

	if (len > SIMPLE_TRANSACTION_LIMIT) {
		printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
			"payload max\n", __func__, len);
		length = -ERANGE;
		goto out3;
	}

	memcpy(buf, newcon, len);
	length = len;
out3:
	kfree(newcon);
out2:
	kfree(tcon);
out:
	kfree(scon);
	return length;
}
Пример #3
0
static int flask_security_create(struct xen_flask_transition *arg)
{
    int rv;

    rv = domain_has_security(current->domain, SECURITY__COMPUTE_CREATE);
    if ( rv )
        return rv;

    rv = security_transition_sid(arg->ssid, arg->tsid, arg->tclass, &arg->newsid);

    return rv;
}