Split ObjectSIDByLabel into two functions since property labeling now
involves an additional compute_create lookup.
parent
700fccf863
commit
2fb8b7f819
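--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -314,36 +314,75 @@ IDPerm(ClientPtr sclient,
 }
 
 /*
-* ObjectSIDByLabel - get SID for an extension or property.
+* GetPropertySID - compute SID for a property object.
 *
 * Arguments:
-* class: should be SECCLASS_XEXTENSION or SECCLASS_PROPERTY.
-* name: name of the extension or property.
+* basecontext: context of client owning the property.
+* name: name of the property.
 *
 * Returns: proper SID for the object or NULL on error.
 */
 static security_id_t
-ObjectSIDByLabel(security_context_t basecontext, security_class_t class,
-const char *name)
+GetPropertySID(security_context_t base, const char *name)
+{
+security_context_t new, result;
+context_t con;
+security_id_t sid = NULL;
+char **ptr, *type = NULL;
+
+/* make a new context-manipulation object */
+con = context_new(base);
+if (!con)
+goto out;
+
+/* look in the mappings of names to types */
+for (ptr = propertyTypes; *ptr; ptr+=2)
+if (!strcmp(*ptr, name))
+break;
+type = ptr[1];
+
+/* set the role and type in the context (user unchanged) */
+if (context_type_set(con, type) ||
+context_role_set(con, "object_r"))
+goto out2;
+
+/* get a context string from the context-manipulation object */
+new = context_str(con);
+if (!new)
+goto out2;
+
+/* perform a transition to obtain the final context */
+if (security_compute_create(base, new, SECCLASS_PROPERTY, &result) < 0)
+goto out2;
+
+/* get a SID for the context */
+avc_context_to_sid(result, &sid);
+freecon(result);
+out2:
+context_free(con);
+out:
+return sid;
+}
+
+/*
+* GetExtensionSID - compute SID for an extension object.
+*
+* Arguments:
+* name: name of the extension.
+*
+* Returns: proper SID for the object or NULL on error.
+*/
+static security_id_t
+GetExtensionSID(const char *name)
 {
 security_context_t base, new;
 context_t con;
 security_id_t sid = NULL;
 char **ptr, *type = NULL;
 
-if (basecontext != NULL)
-{
-/* use the supplied context */
-base = strdup(basecontext);
-if (base == NULL)
-goto out;
-}
-else
-{
 /* get server context */
 if (getcon(&base) < 0)
 goto out;
-}
 
 /* make a new context-manipulation object */
 con = context_new(base);
@@ -351,8 +390,7 @@ ObjectSIDByLabel(security_context_t basecontext, security_class_t class,
 goto out2;
 
 /* look in the mappings of names to types */
-ptr = (class == SECCLASS_PROPERTY) ? propertyTypes : extensionTypes;
-for (; *ptr; ptr+=2)
+for (ptr = extensionTypes; *ptr; ptr+=2)
 if (!strcmp(*ptr, name))
 break;
 type = ptr[1];
@@ -368,8 +406,7 @@ ObjectSIDByLabel(security_context_t basecontext, security_class_t class,
 goto out3;
 
 /* get a SID for the context */
-if (avc_context_to_sid(new, &sid) < 0)
-goto out3;
+avc_context_to_sid(new, &sid);
 
 out3:
 context_free(con);
@@ -1028,7 +1065,7 @@ CALLBACK(XSELinuxExtDispatch)
 /* XXX there should be a separate callback for this */
 if (!EXTENSIONSID(ext))
 {
-extsid = ObjectSIDByLabel(NULL, SECCLASS_XEXTENSION, ext->name);
+extsid = GetExtensionSID(ext->name);
 if (!extsid)
 return;
 EXTENSIONSID(ext) = extsid;
@@ -1071,7 +1108,7 @@ CALLBACK(XSELinuxProperty)
 if (!tclient || !HAVESTATE(tclient))
 return;
 
-propsid = ObjectSIDByLabel(SID(tclient)->ctx, SECCLASS_PROPERTY, propname);
+propsid = GetPropertySID(SID(tclient)->ctx, propname);
 if (!propsid)
 return;
 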
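Review bot: GetPropertySID discards the return value of `avc_context_to_sid(result, &sid);` and falls straight through to `freecon(result)` and `return sid;`, so success is reported only through whatever `sid` holds after a failed call; the same `< 0` check that the old code had is also dropped in the GetExtensionSID hunk (`@ -368,8 +406,7`), where `avc_context_to_sid(new, &sid);` now stands alone. Unless libselinux guarantees that `*sid` is left untouched on failure, a caller can receive an indeterminate SID and apply it as a valid label, which is a mislabeling risk rather than a clean denial. Suggest `if (avc_context_to_sid(result, &sid) < 0) sid = NULL;` in GetPropertySID and the same form for `new` in GetExtensionSID so the documented "NULL on error" contract holds on every path. The lookup loop followed by `type = ptr[1];` also reads past the NULL terminator of `propertyTypes` when `name` matches nothing unless the table ends with a catch-all pair; this is carried over from ObjectSIDByLabel, but a comment such as `/* propertyTypes must end with a default name/type pair */` above the loop would make that invariant explicit. The body of GetExtensionSID continues outside the first hunk.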