On Thu, 2008-02-07 at 17:42 -0500, Eamon Walsh wrote: > avc_compute_member function, same as security_compute_member but takes > userspace AVC SID's. Includes man page. > > Signed-off-by: Eamon Walsh <ewalsh@xxxxxxxxxxxxx> Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx> > --- > > include/selinux/avc.h | 18 ++++++++++++++++++ > man/man3/avc_compute_create.3 | 16 +++++++++++++--- > man/man3/avc_compute_member.3 | 1 + > src/avc.c | 25 +++++++++++++++++++++++++ > 4 files changed, 57 insertions(+), 3 deletions(-) > > > Index: libselinux/include/selinux/avc.h > =================================================================== > --- libselinux/include/selinux/avc.h (revision 2793) > +++ libselinux/include/selinux/avc.h (working copy) > @@ -322,6 +322,24 @@ > security_id_t tsid, > security_class_t tclass, security_id_t * newsid); > > +/** > + * avc_compute_member - Compute SID for polyinstantation. > + * @ssid: source security identifier > + * @tsid: target security identifier > + * @tclass: target security class > + * @newsid: pointer to SID reference > + * > + * Call the security server to obtain a context for labeling an > + * object instance. Look up the context in the SID table, making > + * a new entry if not found. Increment the reference counter > + * for the SID. Store a pointer to the SID structure into the > + * memory referenced by @newsid, returning %0 on success or -%1 on > + * error with @errno set. > + */ > +int avc_compute_member(security_id_t ssid, > + security_id_t tsid, > + security_class_t tclass, security_id_t * newsid); > + > /* > * security event callback facility > */ > Index: libselinux/src/avc.c > =================================================================== > --- libselinux/src/avc.c (revision 2793) > +++ libselinux/src/avc.c (working copy) 
> @@ -906,6 +906,31 @@ > return rc; > } > > +int avc_compute_member(security_id_t ssid, security_id_t tsid, > + security_class_t tclass, security_id_t *newsid) > +{ > + int rc; > + *newsid = NULL; > + avc_get_lock(avc_lock); > + if (ssid->refcnt > 0 && tsid->refcnt > 0) { > + security_context_t ctx = NULL; > + rc = security_compute_member_raw(ssid->ctx, tsid->ctx, tclass, > + &ctx); > + if (rc) > + goto out; > + rc = sidtab_context_to_sid(&avc_sidtab, ctx, newsid); > + if (!rc) > + (*newsid)->refcnt++; > + freecon(ctx); > + } else { > + errno = EINVAL; /* bad reference count */ > + rc = -1; > + } > +out: > + avc_release_lock(avc_lock); > + return rc; > +} > + > int avc_add_callback(int (*callback) (uint32_t event, security_id_t ssid, > security_id_t tsid, > security_class_t tclass, > Index: libselinux/man/man3/avc_compute_create.3 > =================================================================== > --- libselinux/man/man3/avc_compute_create.3 (revision 2793) > +++ libselinux/man/man3/avc_compute_create.3 (working copy) > @@ -3,7 +3,7 @@ > .\" Author: Eamon Walsh (ewalsh@xxxxxxxxxxxxx) 2007 > .TH "avc_compute_create" "3" "30 Mar 2007" "" "SELinux API documentation" > .SH "NAME" > -avc_compute_create \- obtain SELinux label for new object. > +avc_compute_create, avc_compute_member \- obtain SELinux label for new object. > .SH "SYNOPSIS" > .B #include <selinux/selinux.h> 
> > @@ -12,15 +12,25 @@ > .BI "int avc_compute_create(security_id_t " ssid ", security_id_t " tsid , > .in +\w'int avc_compute_create('u > .BI "security_class_t " tclass ", security_id_t *" newsid ");" > +.sp > .in > +.BI "int avc_compute_member(security_id_t " ssid ", security_id_t " tsid , > +.in +\w'int avc_compute_member('u > +.BI "security_class_t " tclass ", security_id_t *" newsid ");" > +.in > .SH "DESCRIPTION" > .B avc_compute_create > is used to compute a SID to use for labeling a new object in a particular class based on a SID pair. This call is identical to > .BR security_compute_create , > but does not require converting from userspace SID's to contexts and back again. > > -.B avc_compute_create > -returns a SID for the computed context in the memory referenced by > +.B avc_compute_member > +is used to compute a SID to use for labeling a polyinstantiated object instance of a particular class based on a SID pair. This call is identical to > +.BR security_compute_member , > +but does not require converting from userspace SID's to contexts and back again. > + > +These functions > +return a SID for the computed context in the memory referenced by > .IR sid , > incrementing its reference count by 1. > > Index: libselinux/man/man3/avc_compute_member.3 > =================================================================== > --- libselinux/man/man3/avc_compute_member.3 (revision 0) > +++ libselinux/man/man3/avc_compute_member.3 (revision 0) > @@ -0,0 +1 @@ > +.so man3/avc_compute_create.3 > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
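Review bot: the new kernel-doc block in include/selinux/avc.h misspells the summary as "Compute SID for polyinstantation."; suggest `* avc_compute_member - Compute SID for polyinstantiation.` so the header comment matches the spelling used in the man page hunk ("polyinstantiated object instance").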
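Review bot: in the src/avc.c hunk, security_compute_member_raw() is called with avc_lock held, so the round trip to the security server (which the header comment says this function performs) stalls every other AVC caller for its duration; if avc_compute_create() already does the same this is at least consistent, but a one-line comment at the avc_get_lock(avc_lock) call saying the lock is deliberately held across the policy query would save the next reader the question. The rest of the body (refcount check on both SIDs, sidtab_context_to_sid(), refcnt++ on success, freecon(ctx), the EINVAL path) looks like it can only differ from avc_compute_create() in the *_raw function it calls, so a static helper taking that function pointer would leave one copy of the error handling instead of two.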
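Review bot: the first man/man3/avc_compute_create.3 hunk extends the NAME line to cover avc_compute_member but leaves the .TH date at "30 Mar 2007"; since the page now documents a second function, bump the date in the same hunk.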
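Review bot: in the second avc_compute_create.3 hunk the rewritten sentence "These functions return a SID for the computed context in the memory referenced by" is still followed by the unchanged context line `.IR sid ,`, but both synopses in this hunk name the output parameter `newsid`; since the sentence is being rewritten anyway, change the context line to `.IR newsid ,` so the DESCRIPTION refers to the parameter the SYNOPSIS actually declares.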