/*
 * A security context is a set of security attributes
 * associated with each subject and object controlled
 * by the security policy.  Security contexts are
 * externally represented as variable-length strings
 * that can be interpreted by a user or application
 * with an understanding of the security policy.
 * Internally, the security server uses a simple
 * structure.  This structure is private to the
 * security server and can be changed without affecting
 * clients of the security server.
 *
 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
 */
#ifndef _SS_CONTEXT_H_
#define _SS_CONTEXT_H_

#include "ebitmap.h"
#include "mls_types.h"
#include "security.h"

/*
 * A security context consists of an authenticated user
 * identity, a role, a type and a MLS range.
 *
 * The range only takes part in copy/compare/destroy when
 * selinux_mls_enabled is set; the mls_* helpers below are
 * no-ops (or report "equal") otherwise, so in non-MLS mode
 * two contexts are considered identical by user/role/type alone.
 */
struct context {
	u32 user;
	u32 role;
	u32 type;
	struct mls_range range;	/* level[0] = low, level[1] = high */
};

/* Number of MLS levels held in a range (low and high). */
#define MLS_RANGE_LEVELS 2

/* Reset the MLS range of @c to the all-zero state. */
static inline void mls_context_init(struct context *c)
{
	memset(&c->range, 0, sizeof(c->range));
}

/*
 * Copy the MLS range of @src into @dst.
 *
 * Returns 0 on success, or the error from ebitmap_cpy().  Does nothing
 * and returns 0 while MLS is disabled.
 *
 * On failure the category set already copied into the lower level is
 * released again, but the sensitivity values copied before the failure
 * are left in @dst.  @dst is therefore not a usable context after an
 * error; callers are expected to discard or re-initialise it (the
 * failing ebitmap_cpy() is assumed to leave its own destination clean —
 * confirm against ebitmap.c).
 */
static inline int mls_context_cpy(struct context *dst, struct context *src)
{
	int level;

	if (!selinux_mls_enabled)
		return 0;

	/* Low level first, then high; unwind what was copied on failure. */
	for (level = 0; level < MLS_RANGE_LEVELS; level++) {
		int err;

		dst->range.level[level].sens = src->range.level[level].sens;
		err = ebitmap_cpy(&dst->range.level[level].cat,
				  &src->range.level[level].cat);
		if (err) {
			while (level-- > 0)
				ebitmap_destroy(&dst->range.level[level].cat);
			return err;
		}
	}

	return 0;
}

/*
 * Compare the MLS ranges of @c1 and @c2.
 *
 * Returns 1 when both levels agree in sensitivity and category set,
 * 0 otherwise.  While MLS is disabled the ranges are ignored and the
 * result is always 1 ("equal").
 */
static inline int mls_context_cmp(struct context *c1, struct context *c2)
{
	int level;

	if (!selinux_mls_enabled)
		return 1;

	for (level = 0; level < MLS_RANGE_LEVELS; level++) {
		if (c1->range.level[level].sens != c2->range.level[level].sens)
			return 0;
		if (!ebitmap_cmp(&c1->range.level[level].cat,
				 &c2->range.level[level].cat))
			return 0;
	}

	return 1;
}

/*
 * Release the category bitmaps held by the MLS range of @c and reset
 * the range to its initial state.  No-op while MLS is disabled.
 */
static inline void mls_context_destroy(struct context *c)
{
	int level;

	if (!selinux_mls_enabled)
		return;

	for (level = 0; level < MLS_RANGE_LEVELS; level++)
		ebitmap_destroy(&c->range.level[level].cat);
	mls_context_init(c);
}

/* Zero the whole context, including its MLS range. */
static inline void context_init(struct context *c)
{
	memset(c, 0, sizeof(struct context));
}

/*
 * Copy @src into @dst.
 *
 * The user, role and type identifiers are copied unconditionally; the
 * MLS range is copied by mls_context_cpy().  Returns 0 on success or the
 * error from mls_context_cpy(), in which case @dst already carries the
 * copied user/role/type but an incomplete range and must not be used as
 * a context.
 */
static inline int context_cpy(struct context *dst, struct context *src)
{
	dst->type = src->type;
	dst->role = src->role;
	dst->user = src->user;

	return mls_context_cpy(dst, src);
}

/* Clear @c, releasing any MLS category bitmaps it owns. */
static inline void context_destroy(struct context *c)
{
	c->user = 0;
	c->role = 0;
	c->type = 0;
	mls_context_destroy(c);
}

/*
 * Return 1 if @c1 and @c2 denote the same security context, 0 otherwise.
 *
 * The identifiers are compared first; the MLS range is consulted only
 * when they match, and only while MLS is enabled (see mls_context_cmp()).
 */
static inline int context_cmp(struct context *c1, struct context *c2)
{
	if (c1->user != c2->user)
		return 0;
	if (c1->role != c2->role)
		return 0;
	if (c1->type != c2->type)
		return 0;

	return mls_context_cmp(c1, c2);
}

#endif	/* _SS_CONTEXT_H_ */