#include "ebitmap.h"
#include "mls_types.h"
+#include "security.h"
/*
* A security context consists of an authenticated user
u32 user;
u32 role;
u32 type;
-#ifdef CONFIG_SECURITY_SELINUX_MLS
struct mls_range range;
-#endif
};
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-
static inline void mls_context_init(struct context *c)
{
memset(&c->range, 0, sizeof(c->range));
{
int rc;
+ if (!selinux_mls_enabled)
+ return 0;
+
dst->range.level[0].sens = src->range.level[0].sens;
rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
if (rc)
return rc;
}
+/*
+ * Sets both levels in the MLS range of 'dst' to the low level of 'src'.
+ */
+static inline int mls_context_cpy_low(struct context *dst, struct context *src)
+{
+ int rc;
+
+ if (!selinux_mls_enabled)
+ return 0;
+
+ dst->range.level[0].sens = src->range.level[0].sens;
+ rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
+ if (rc)
+ goto out;
+
+ dst->range.level[1].sens = src->range.level[0].sens;
+ rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
+ if (rc)
+ ebitmap_destroy(&dst->range.level[0].cat);
+out:
+ return rc;
+}
+
static inline int mls_context_cmp(struct context *c1, struct context *c2)
{
+ if (!selinux_mls_enabled)
+ return 1;
+
return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
ebitmap_cmp(&c1->range.level[0].cat,&c2->range.level[0].cat) &&
(c1->range.level[1].sens == c2->range.level[1].sens) &&
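Review bot: The comment above mls_context_cpy_low does not say what state `dst` is in when the function fails, and the error path leaves it half-written. When the second ebitmap_cpy() fails, `ebitmap_destroy(&dst->range.level[0].cat)` releases the low categories but both `sens` fields stay assigned, so `dst` carries a sensitivity with no category set; a caller that ignored `rc` would be making label decisions on that range. I would extend the comment with `Returns 0 or the ebitmap_cpy() error; on error 'dst' is not a valid range and must be re-initialised before use.` Whether `dst` must be empty on entry depends on ebitmap_cpy(), which is not shown here, so that precondition is worth stating as well once confirmed.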
static inline void mls_context_destroy(struct context *c)
{
+ if (!selinux_mls_enabled)
+ return;
+
ebitmap_destroy(&c->range.level[0].cat);
ebitmap_destroy(&c->range.level[1].cat);
mls_context_init(c);
}
-#else
-
-static inline void mls_context_init(struct context *c)
-{ }
-
-static inline int mls_context_cpy(struct context *dst, struct context *src)
-{ return 0; }
-
-static inline int mls_context_cmp(struct context *c1, struct context *c2)
-{ return 1; }
-
-static inline void mls_context_destroy(struct context *c)
-{ }
-
-#endif
-
static inline void context_init(struct context *c)
{
memset(c, 0, sizeof(*c));
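Review bot: The early return added to mls_context_destroy skips both ebitmap_destroy() calls and the mls_context_init() reset whenever `selinux_mls_enabled` is 0, which is only safe if the flag can never be cleared while contexts with populated ranges exist. The diff does not show where the flag is written; if a policy reload can change it, contexts built under MLS would leak their category bitmaps here, and mls_context_cmp would report contexts with different ranges as equal through its own `return 1`. Assuming ebitmap_destroy() tolerates a zeroed bitmap (the memset in mls_context_init suggests it does), I would drop the guard in destroy, or at least add a comment such as `/* selinux_mls_enabled is fixed before any context is created */` stating the invariant these guards rely on.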