selinux: export validatetrans decisions
[karo-tx-linux.git] / security / selinux / ss / services.c
index ebb5eb3c318c789922da4851b1b0507f28e7f831..ebda97333f1b707c9e05cba9278c1c9693492d0d 100644 (file)
@@ -778,8 +778,8 @@ out:
        return -EPERM;
 }
 
-int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
-                                u16 orig_tclass)
+static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid,
+                                         u16 orig_tclass, bool user)
 {
        struct context *ocontext;
        struct context *ncontext;
@@ -794,11 +794,12 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 
        read_lock(&policy_rwlock);
 
-       tclass = unmap_class(orig_tclass);
+       if (!user)
+               tclass = unmap_class(orig_tclass);
+       else
+               tclass = orig_tclass;
 
        if (!tclass || tclass > policydb.p_classes.nprim) {
-               printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
-                       __func__, tclass);
                rc = -EINVAL;
                goto out;
        }
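Review bot: Deleting the printk removes the "unrecognized class" diagnostic for the kernel-internal path as well as for the new `user` path. If the aim is to keep caller-supplied class values from filling the log, the message can be kept for in-kernel callers only: `if (!user) printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n", __func__, tclass);`. With `user` set the value is taken unmapped, so `!tclass || tclass > policydb.p_classes.nprim` is the only validation of that u16 visible here and has to stay ahead of any use of `tclass` as an index. The function body starts and ends outside this hunk.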
@@ -832,8 +833,13 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
        while (constraint) {
                if (!constraint_expr_eval(ocontext, ncontext, tcontext,
                                          constraint->expr)) {
-                       rc = security_validtrans_handle_fail(ocontext, ncontext,
-                                                            tcontext, tclass);
+                       if (user)
+                               rc = -EPERM;
+                       else
+                               rc = security_validtrans_handle_fail(ocontext,
+                                                                    ncontext,
+                                                                    tcontext,
+                                                                    tclass);
                        goto out;
                }
                constraint = constraint->next;
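Review bot: The `if (user)` branch sets `rc = -EPERM` directly and never calls security_validtrans_handle_fail(), so whatever that helper does on a denial is skipped for userspace queries. Its body is not in this hunk; presumably it audits the denial and checks enforcing mode. That looks intentional for a query-only interface, but nothing in the code says so, and a later reader could "fix" the asymmetry. If that is the intent, a comment on the branch would record it, e.g. `/* userspace query: return the raw policy decision; no audit record, no permissive override */`. The enclosing function starts and ends outside this hunk.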
@@ -844,6 +850,20 @@ out:
        return rc;
 }
 
+int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,
+                                       u16 tclass)
+{
+       return security_compute_validatetrans(oldsid, newsid, tasksid,
+                                               tclass, true);
+}
+
+int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
+                                u16 orig_tclass)
+{
+       return security_compute_validatetrans(oldsid, newsid, tasksid,
+                                               orig_tclass, false);
+}
+
 /*
  * security_bounded_transition - check whether the given
  * transition is directed to bounded, or not.
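Review bot: security_validate_transition_user() is a new non-static entry point with no comment, and its `tclass` argument does not mean the same thing as `orig_tclass` in security_validate_transition(). With `user == true` the helper skips unmap_class() and uses the value as a policy class number, and a failed constraint returns -EPERM without going through security_validtrans_handle_fail(). I would add a short comment above the function along the lines of `/* tclass is a policy class value supplied by the caller, not a kernel class index; returns -EINVAL for an out-of-range class and -EPERM when a validatetrans constraint fails */`. It would also help to document the bare `true`/`false` flag once at security_compute_validatetrans(), since it switches two separate behaviours.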