1/* 2 * A security context is a set of security attributes 3 * associated with each subject and object controlled 4 * by the security policy. Security contexts are 5 * externally represented as variable-length strings 6 * that can be interpreted by a user or application 7 * with an understanding of the security policy. 8 * Internally, the security server uses a simple 9 * structure. This structure is private to the 10 * security server and can be changed without affecting 11 * clients of the security server. 12 * 13 * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 14 */ 15#ifndef _SS_CONTEXT_H_ 16#define _SS_CONTEXT_H_ 17 18#include "ebitmap.h" 19#include "mls_types.h" 20#include "security.h" 21 22/* 23 * A security context consists of an authenticated user 24 * identity, a role, a type and a MLS range. 25 */ 26struct context { 27 u32 user; 28 u32 role; 29 u32 type; 30 struct mls_range range; 31}; 32 33static inline void mls_context_init(struct context *c) 34{ 35 memset(&c->range, 0, sizeof(c->range)); 36} 37 38static inline int mls_context_cpy(struct context *dst, struct context *src) 39{ 40 int rc; 41 42 if (!selinux_mls_enabled) 43 return 0; 44 45 dst->range.level[0].sens = src->range.level[0].sens; 46 rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); 47 if (rc) 48 goto out; 49 50 dst->range.level[1].sens = src->range.level[1].sens; 51 rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat); 52 if (rc) 53 ebitmap_destroy(&dst->range.level[0].cat); 54out: 55 return rc; 56} 57 58/* 59 * Sets both levels in the MLS range of 'dst' to the low level of 'src'. 60 */ 61static inline int mls_context_cpy_low(struct context *dst, struct context *src) 62{ 63 int rc; 64 65 if (!selinux_mls_enabled) 66 return 0; 67 68 dst->range.level[0].sens = src->range.level[0].sens; 69 rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); 70 if (rc) 71 goto out; 72 73 dst->range.level[1].sens = src->range.level[0].sens; 74 rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat); 75 if (rc) 76 ebitmap_destroy(&dst->range.level[0].cat); 77out: 78 return rc; 79} 80 81static inline int mls_context_cmp(struct context *c1, struct context *c2) 82{ 83 if (!selinux_mls_enabled) 84 return 1; 85 86 return ((c1->range.level[0].sens == c2->range.level[0].sens) && 87 ebitmap_cmp(&c1->range.level[0].cat,&c2->range.level[0].cat) && 88 (c1->range.level[1].sens == c2->range.level[1].sens) && 89 ebitmap_cmp(&c1->range.level[1].cat,&c2->range.level[1].cat)); 90} 91 92static inline void mls_context_destroy(struct context *c) 93{ 94 if (!selinux_mls_enabled) 95 return; 96 97 ebitmap_destroy(&c->range.level[0].cat); 98 ebitmap_destroy(&c->range.level[1].cat); 99 mls_context_init(c); 100} 101 102static inline void context_init(struct context *c) 103{ 104 memset(c, 0, sizeof(*c)); 105} 106 107static inline int context_cpy(struct context *dst, struct context *src) 108{ 109 dst->user = src->user; 110 dst->role = src->role; 111 dst->type = src->type; 112 return mls_context_cpy(dst, src); 113} 114 115static inline void context_destroy(struct context *c) 116{ 117 c->user = c->role = c->type = 0; 118 mls_context_destroy(c); 119} 120 121static inline int context_cmp(struct context *c1, struct context *c2) 122{ 123 return ((c1->user == c2->user) && 124 (c1->role == c2->role) && 125 (c1->type == c2->type) && 126 mls_context_cmp(c1, c2)); 127} 128 129#endif /* _SS_CONTEXT_H_ */ 130