Diffstat (limited to 'security')
-rw-r--r--security/Kconfig3
-rw-r--r--security/apparmor/lsm.c4
-rw-r--r--security/integrity/ima/ima.h6
-rw-r--r--security/integrity/ima/ima_appraise.c4
-rw-r--r--security/integrity/ima/ima_crypto.c4
-rw-r--r--security/integrity/ima/ima_init.c16
-rw-r--r--security/integrity/ima/ima_main.c16
-rw-r--r--security/integrity/ima/ima_queue.c4
-rw-r--r--security/keys/dh.c8
-rw-r--r--security/security.c4
-rw-r--r--security/selinux/avc.c2
-rw-r--r--security/selinux/hooks.c72
-rw-r--r--security/selinux/netif.c11
-rw-r--r--security/selinux/netlink.c2
-rw-r--r--security/selinux/netnode.c5
-rw-r--r--security/selinux/netport.c5
-rw-r--r--security/selinux/nlmsgtab.c2
-rw-r--r--security/selinux/selinuxfs.c123
-rw-r--r--security/selinux/ss/avtab.c51
-rw-r--r--security/selinux/ss/conditional.c16
-rw-r--r--security/selinux/ss/ebitmap.c15
-rw-r--r--security/selinux/ss/policydb.c91
-rw-r--r--security/selinux/ss/services.c71
-rw-r--r--security/selinux/ss/sidtab.c5
-rw-r--r--security/smack/smack_lsm.c29
-rw-r--r--security/tomoyo/Makefile2
-rw-r--r--security/tomoyo/tomoyo.c2
27 files changed, 288 insertions, 285 deletions
diff --git a/security/Kconfig b/security/Kconfig
index c4302067a3ad..27d8b2688f75 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -57,7 +57,7 @@ config SECURITY_NETWORK
57config PAGE_TABLE_ISOLATION 57config PAGE_TABLE_ISOLATION
58 bool "Remove the kernel mapping in user mode" 58 bool "Remove the kernel mapping in user mode"
59 default y 59 default y
60 depends on X86_64 && !UML 60 depends on X86 && !UML
61 help 61 help
62 This feature reduces the number of hardware side channels by 62 This feature reduces the number of hardware side channels by
63 ensuring that the majority of kernel addresses are not mapped 63 ensuring that the majority of kernel addresses are not mapped
@@ -153,7 +153,6 @@ config HAVE_HARDENED_USERCOPY_ALLOCATOR
153config HARDENED_USERCOPY 153config HARDENED_USERCOPY
154 bool "Harden memory copies between kernel and userspace" 154 bool "Harden memory copies between kernel and userspace"
155 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 155 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
156 select BUG
157 imply STRICT_DEVMEM 156 imply STRICT_DEVMEM
158 help 157 help
159 This option checks for obviously wrong memory regions when 158 This option checks for obviously wrong memory regions when
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 74f17376202b..8b8b70620bbe 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -395,7 +395,7 @@ static int apparmor_inode_getattr(const struct path *path)
395 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 395 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
396} 396}
397 397
398static int apparmor_file_open(struct file *file, const struct cred *cred) 398static int apparmor_file_open(struct file *file)
399{ 399{
400 struct aa_file_ctx *fctx = file_ctx(file); 400 struct aa_file_ctx *fctx = file_ctx(file);
401 struct aa_label *label; 401 struct aa_label *label;
@@ -414,7 +414,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
414 return 0; 414 return 0;
415 } 415 }
416 416
417 label = aa_get_newest_cred_label(cred); 417 label = aa_get_newest_cred_label(file->f_cred);
418 if (!unconfined(label)) { 418 if (!unconfined(label)) {
419 struct inode *inode = file_inode(file); 419 struct inode *inode = file_inode(file);
420 struct path_cond cond = { inode->i_uid, inode->i_mode }; 420 struct path_cond cond = { inode->i_uid, inode->i_mode };
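Review bot: The switch to `aa_get_newest_cred_label(file->f_cred)` at line 417 changes which credentials are consulted from "whatever the caller passed" to "the credentials the file was opened with", and nothing in the hunk says why that is the right choice; a one-line comment would stop a later reader from "fixing" it back to `current_cred()`, e.g. `/* check against the cred the file was opened with, not the caller's */`. The `get` in the helper's name suggests a reference-counted label whose matching put lies in the part of apparmor_file_open() that continues outside the hunk; that is presumably unchanged but worth confirming since the source of the label changed.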
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 78c15264b17b..67db9d9454ca 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -53,9 +53,9 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
53extern int ima_policy_flag; 53extern int ima_policy_flag;
54 54
55/* set during initialization */ 55/* set during initialization */
56extern int ima_used_chip;
57extern int ima_hash_algo; 56extern int ima_hash_algo;
58extern int ima_appraise; 57extern int ima_appraise;
58extern struct tpm_chip *ima_tpm_chip;
59 59
60/* IMA event related data */ 60/* IMA event related data */
61struct ima_event_data { 61struct ima_event_data {
@@ -239,7 +239,7 @@ int ima_appraise_measurement(enum ima_hooks func,
239 struct integrity_iint_cache *iint, 239 struct integrity_iint_cache *iint,
240 struct file *file, const unsigned char *filename, 240 struct file *file, const unsigned char *filename,
241 struct evm_ima_xattr_data *xattr_value, 241 struct evm_ima_xattr_data *xattr_value,
242 int xattr_len, int opened); 242 int xattr_len);
243int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); 243int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
244void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); 244void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
245enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 245enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
@@ -255,7 +255,7 @@ static inline int ima_appraise_measurement(enum ima_hooks func,
255 struct file *file, 255 struct file *file,
256 const unsigned char *filename, 256 const unsigned char *filename,
257 struct evm_ima_xattr_data *xattr_value, 257 struct evm_ima_xattr_data *xattr_value,
258 int xattr_len, int opened) 258 int xattr_len)
259{ 259{
260 return INTEGRITY_UNKNOWN; 260 return INTEGRITY_UNKNOWN;
261} 261}
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 8bd7a0733e51..deec1804a00a 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -212,7 +212,7 @@ int ima_appraise_measurement(enum ima_hooks func,
212 struct integrity_iint_cache *iint, 212 struct integrity_iint_cache *iint,
213 struct file *file, const unsigned char *filename, 213 struct file *file, const unsigned char *filename,
214 struct evm_ima_xattr_data *xattr_value, 214 struct evm_ima_xattr_data *xattr_value,
215 int xattr_len, int opened) 215 int xattr_len)
216{ 216{
217 static const char op[] = "appraise_data"; 217 static const char op[] = "appraise_data";
218 const char *cause = "unknown"; 218 const char *cause = "unknown";
@@ -231,7 +231,7 @@ int ima_appraise_measurement(enum ima_hooks func,
231 cause = iint->flags & IMA_DIGSIG_REQUIRED ? 231 cause = iint->flags & IMA_DIGSIG_REQUIRED ?
232 "IMA-signature-required" : "missing-hash"; 232 "IMA-signature-required" : "missing-hash";
233 status = INTEGRITY_NOLABEL; 233 status = INTEGRITY_NOLABEL;
234 if (opened & FILE_CREATED) 234 if (file->f_mode & FMODE_CREATED)
235 iint->flags |= IMA_NEW_FILE; 235 iint->flags |= IMA_NEW_FILE;
236 if ((iint->flags & IMA_NEW_FILE) && 236 if ((iint->flags & IMA_NEW_FILE) &&
237 (!(iint->flags & IMA_DIGSIG_REQUIRED) || 237 (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
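Review bot: The `file->f_mode & FMODE_CREATED` test at line 234 replaces a flag the caller passed explicitly with one read from the file object, so correctness now depends on the open path having set `FMODE_CREATED` before the IMA hook runs rather than on the call site; a short comment on that line, `/* FMODE_CREATED is set by the open path before this hook is reached */`, records the new dependency. If the kerneldoc block above ima_appraise_measurement() (outside the hunk) still lists an `@opened` parameter, it needs the same removal as the signature at line 215.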
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 4e085a17124f..7e7e7e7c250a 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -631,10 +631,10 @@ int ima_calc_buffer_hash(const void *buf, loff_t len,
631 631
632static void __init ima_pcrread(int idx, u8 *pcr) 632static void __init ima_pcrread(int idx, u8 *pcr)
633{ 633{
634 if (!ima_used_chip) 634 if (!ima_tpm_chip)
635 return; 635 return;
636 636
637 if (tpm_pcr_read(NULL, idx, pcr) != 0) 637 if (tpm_pcr_read(ima_tpm_chip, idx, pcr) != 0)
638 pr_err("Error Communicating to TPM chip\n"); 638 pr_err("Error Communicating to TPM chip\n");
639} 639}
640 640
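Review bot: The return value of `tpm_pcr_read()` at line 637 is still discarded and ima_pcrread() stays void, so a failed PCR read leaves the caller's `pcr` buffer untouched and the caller cannot tell that the boot aggregate is being computed over stale bytes; the sibling ima_pcr_extend() in ima_queue.c on this page at least logs the result code. Bring this call into line with it: `int rc = tpm_pcr_read(ima_tpm_chip, idx, pcr);` / `if (rc != 0)` / `pr_err("Error Communicating to TPM chip, result: %d\n", rc);`. Propagating the failure to the caller (outside the hunk) would be the fuller fix, since it decides what the aggregate entry is built from.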
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 29b72cd2502e..faac9ecaa0ae 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -26,7 +26,7 @@
26 26
27/* name for boot aggregate entry */ 27/* name for boot aggregate entry */
28static const char *boot_aggregate_name = "boot_aggregate"; 28static const char *boot_aggregate_name = "boot_aggregate";
29int ima_used_chip; 29struct tpm_chip *ima_tpm_chip;
30 30
31/* Add the boot aggregate to the IMA measurement list and extend 31/* Add the boot aggregate to the IMA measurement list and extend
32 * the PCR register. 32 * the PCR register.
@@ -64,7 +64,7 @@ static int __init ima_add_boot_aggregate(void)
64 iint->ima_hash->algo = HASH_ALGO_SHA1; 64 iint->ima_hash->algo = HASH_ALGO_SHA1;
65 iint->ima_hash->length = SHA1_DIGEST_SIZE; 65 iint->ima_hash->length = SHA1_DIGEST_SIZE;
66 66
67 if (ima_used_chip) { 67 if (ima_tpm_chip) {
68 result = ima_calc_boot_aggregate(&hash.hdr); 68 result = ima_calc_boot_aggregate(&hash.hdr);
69 if (result < 0) { 69 if (result < 0) {
70 audit_cause = "hashing_error"; 70 audit_cause = "hashing_error";
@@ -106,17 +106,11 @@ void __init ima_load_x509(void)
106 106
107int __init ima_init(void) 107int __init ima_init(void)
108{ 108{
109 u8 pcr_i[TPM_DIGEST_SIZE];
110 int rc; 109 int rc;
111 110
112 ima_used_chip = 0; 111 ima_tpm_chip = tpm_default_chip();
113 rc = tpm_pcr_read(NULL, 0, pcr_i); 112 if (!ima_tpm_chip)
114 if (rc == 0) 113 pr_info("No TPM chip found, activating TPM-bypass!\n");
115 ima_used_chip = 1;
116
117 if (!ima_used_chip)
118 pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n",
119 rc);
120 114
121 rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA); 115 rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
122 if (rc) 116 if (rc)
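Review bot: `ima_tpm_chip = tpm_default_chip()` at line 111 stores the chip for the whole lifetime of the kernel with no release anywhere on this page; if tpm_default_chip() hands back a device reference (it looks like a lookup that returns an object rather than an index, so presumably it does), that is an intentional permanent hold and should be stated where the global is defined at line 29, e.g. `/* reference taken at init and held for the kernel's lifetime; never released */`. Dropping the `rc=%d` from the bypass message at line 113 also removes the only diagnostic that distinguished "no chip" from "chip present but PCR 0 unreadable"; with the probe read gone that is consistent, but the first read failure will now surface only in ima_pcrread(), so the "TPM-bypass" wording is the only hint an operator gets here.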
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index dce0a8a217bb..2d31921fbda4 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -168,7 +168,7 @@ void ima_file_free(struct file *file)
168 168
169static int process_measurement(struct file *file, const struct cred *cred, 169static int process_measurement(struct file *file, const struct cred *cred,
170 u32 secid, char *buf, loff_t size, int mask, 170 u32 secid, char *buf, loff_t size, int mask,
171 enum ima_hooks func, int opened) 171 enum ima_hooks func)
172{ 172{
173 struct inode *inode = file_inode(file); 173 struct inode *inode = file_inode(file);
174 struct integrity_iint_cache *iint = NULL; 174 struct integrity_iint_cache *iint = NULL;
@@ -294,7 +294,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
294 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { 294 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
295 inode_lock(inode); 295 inode_lock(inode);
296 rc = ima_appraise_measurement(func, iint, file, pathname, 296 rc = ima_appraise_measurement(func, iint, file, pathname,
297 xattr_value, xattr_len, opened); 297 xattr_value, xattr_len);
298 inode_unlock(inode); 298 inode_unlock(inode);
299 } 299 }
300 if (action & IMA_AUDIT) 300 if (action & IMA_AUDIT)
@@ -338,7 +338,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
338 if (file && (prot & PROT_EXEC)) { 338 if (file && (prot & PROT_EXEC)) {
339 security_task_getsecid(current, &secid); 339 security_task_getsecid(current, &secid);
340 return process_measurement(file, current_cred(), secid, NULL, 340 return process_measurement(file, current_cred(), secid, NULL,
341 0, MAY_EXEC, MMAP_CHECK, 0); 341 0, MAY_EXEC, MMAP_CHECK);
342 } 342 }
343 343
344 return 0; 344 return 0;
@@ -364,13 +364,13 @@ int ima_bprm_check(struct linux_binprm *bprm)
364 364
365 security_task_getsecid(current, &secid); 365 security_task_getsecid(current, &secid);
366 ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, 366 ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
367 MAY_EXEC, BPRM_CHECK, 0); 367 MAY_EXEC, BPRM_CHECK);
368 if (ret) 368 if (ret)
369 return ret; 369 return ret;
370 370
371 security_cred_getsecid(bprm->cred, &secid); 371 security_cred_getsecid(bprm->cred, &secid);
372 return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, 372 return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
373 MAY_EXEC, CREDS_CHECK, 0); 373 MAY_EXEC, CREDS_CHECK);
374} 374}
375 375
376/** 376/**
@@ -383,14 +383,14 @@ int ima_bprm_check(struct linux_binprm *bprm)
383 * On success return 0. On integrity appraisal error, assuming the file 383 * On success return 0. On integrity appraisal error, assuming the file
384 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. 384 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
385 */ 385 */
386int ima_file_check(struct file *file, int mask, int opened) 386int ima_file_check(struct file *file, int mask)
387{ 387{
388 u32 secid; 388 u32 secid;
389 389
390 security_task_getsecid(current, &secid); 390 security_task_getsecid(current, &secid);
391 return process_measurement(file, current_cred(), secid, NULL, 0, 391 return process_measurement(file, current_cred(), secid, NULL, 0,
392 mask & (MAY_READ | MAY_WRITE | MAY_EXEC | 392 mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
393 MAY_APPEND), FILE_CHECK, opened); 393 MAY_APPEND), FILE_CHECK);
394} 394}
395EXPORT_SYMBOL_GPL(ima_file_check); 395EXPORT_SYMBOL_GPL(ima_file_check);
396 396
@@ -490,7 +490,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
490 func = read_idmap[read_id] ?: FILE_CHECK; 490 func = read_idmap[read_id] ?: FILE_CHECK;
491 security_task_getsecid(current, &secid); 491 security_task_getsecid(current, &secid);
492 return process_measurement(file, current_cred(), secid, buf, size, 492 return process_measurement(file, current_cred(), secid, buf, size,
493 MAY_READ, func, 0); 493 MAY_READ, func);
494} 494}
495 495
496/** 496/**
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index 418f35e38015..b186819bd5aa 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -142,10 +142,10 @@ static int ima_pcr_extend(const u8 *hash, int pcr)
142{ 142{
143 int result = 0; 143 int result = 0;
144 144
145 if (!ima_used_chip) 145 if (!ima_tpm_chip)
146 return result; 146 return result;
147 147
148 result = tpm_pcr_extend(NULL, pcr, hash); 148 result = tpm_pcr_extend(ima_tpm_chip, pcr, hash);
149 if (result != 0) 149 if (result != 0)
150 pr_err("Error Communicating to TPM chip, result: %d\n", result); 150 pr_err("Error Communicating to TPM chip, result: %d\n", result);
151 return result; 151 return result;
diff --git a/security/keys/dh.c b/security/keys/dh.c
index f7403821db7f..711e89d8c415 100644
--- a/security/keys/dh.c
+++ b/security/keys/dh.c
@@ -142,6 +142,8 @@ static void kdf_dealloc(struct kdf_sdesc *sdesc)
142 * The src pointer is defined as Z || other info where Z is the shared secret 142 * The src pointer is defined as Z || other info where Z is the shared secret
143 * from DH and other info is an arbitrary string (see SP800-56A section 143 * from DH and other info is an arbitrary string (see SP800-56A section
144 * 5.8.1.2). 144 * 5.8.1.2).
145 *
146 * 'dlen' must be a multiple of the digest size.
145 */ 147 */
146static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen, 148static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
147 u8 *dst, unsigned int dlen, unsigned int zlen) 149 u8 *dst, unsigned int dlen, unsigned int zlen)
@@ -205,8 +207,8 @@ static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
205{ 207{
206 uint8_t *outbuf = NULL; 208 uint8_t *outbuf = NULL;
207 int ret; 209 int ret;
208 size_t outbuf_len = round_up(buflen, 210 size_t outbuf_len = roundup(buflen,
209 crypto_shash_digestsize(sdesc->shash.tfm)); 211 crypto_shash_digestsize(sdesc->shash.tfm));
210 212
211 outbuf = kmalloc(outbuf_len, GFP_KERNEL); 213 outbuf = kmalloc(outbuf_len, GFP_KERNEL);
212 if (!outbuf) { 214 if (!outbuf) {
@@ -315,7 +317,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
315 if (ret) 317 if (ret)
316 goto out3; 318 goto out3;
317 319
318 tfm = crypto_alloc_kpp("dh", CRYPTO_ALG_TYPE_KPP, 0); 320 tfm = crypto_alloc_kpp("dh", 0, 0);
319 if (IS_ERR(tfm)) { 321 if (IS_ERR(tfm)) {
320 ret = PTR_ERR(tfm); 322 ret = PTR_ERR(tfm);
321 goto out3; 323 goto out3;
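Review bot: The new comment at line 146 states a precondition, 'dlen' must be a multiple of the digest size, that the visible code does not enforce inside kdf_ctr(); only the caller's `roundup()` at line 210 guarantees it, and kdf_ctr()'s body is outside the hunk. Unless that body already rejects a misaligned length, a cheap check after the digest size is known, `if (dlen % crypto_shash_digestsize(sdesc->shash.tfm)) return -EINVAL;`, makes the contract self-enforcing instead of relying on every caller. `roundup(buflen, ...)` at line 210 can also wrap for a `buflen` near SIZE_MAX; the bound on the user-supplied length is applied outside the hunk, so confirm it runs before this rounding.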
diff --git a/security/security.c b/security/security.c
index dbca03d3629b..47cfff01d7ec 100644
--- a/security/security.c
+++ b/security/security.c
@@ -972,11 +972,11 @@ int security_file_receive(struct file *file)
972 return call_int_hook(file_receive, 0, file); 972 return call_int_hook(file_receive, 0, file);
973} 973}
974 974
975int security_file_open(struct file *file, const struct cred *cred) 975int security_file_open(struct file *file)
976{ 976{
977 int ret; 977 int ret;
978 978
979 ret = call_int_hook(file_open, 0, file, cred); 979 ret = call_int_hook(file_open, 0, file);
980 if (ret) 980 if (ret)
981 return ret; 981 return ret;
982 982
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index f3aedf077509..635e5c1e3e48 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -650,7 +650,7 @@ static int avc_latest_notif_update(struct selinux_avc *avc,
650 spin_lock_irqsave(&notif_lock, flag); 650 spin_lock_irqsave(&notif_lock, flag);
651 if (is_insert) { 651 if (is_insert) {
652 if (seqno < avc->avc_cache.latest_notif) { 652 if (seqno < avc->avc_cache.latest_notif) {
653 printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", 653 pr_warn("SELinux: avc: seqno %d < latest_notif %d\n",
654 seqno, avc->avc_cache.latest_notif); 654 seqno, avc->avc_cache.latest_notif);
655 ret = -EAGAIN; 655 ret = -EAGAIN;
656 } 656 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a8bf324130f5..ad9a9b8e9979 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -530,7 +530,7 @@ static int sb_finish_set_opts(struct super_block *sb)
530 the first boot of the SELinux kernel before we have 530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */ 531 assigned xattr values to the filesystem. */
532 if (!(root_inode->i_opflags & IOP_XATTR)) { 532 if (!(root_inode->i_opflags & IOP_XATTR)) {
533 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 533 pr_warn("SELinux: (dev %s, type %s) has no "
534 "xattr support\n", sb->s_id, sb->s_type->name); 534 "xattr support\n", sb->s_id, sb->s_type->name);
535 rc = -EOPNOTSUPP; 535 rc = -EOPNOTSUPP;
536 goto out; 536 goto out;
@@ -539,11 +539,11 @@ static int sb_finish_set_opts(struct super_block *sb)
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 if (rc < 0 && rc != -ENODATA) { 540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP) 541 if (rc == -EOPNOTSUPP)
542 printk(KERN_WARNING "SELinux: (dev %s, type " 542 pr_warn("SELinux: (dev %s, type "
543 "%s) has no security xattr handler\n", 543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name); 544 sb->s_id, sb->s_type->name);
545 else 545 else
546 printk(KERN_WARNING "SELinux: (dev %s, type " 546 pr_warn("SELinux: (dev %s, type "
547 "%s) getxattr errno %d\n", sb->s_id, 547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc); 548 sb->s_type->name, -rc);
549 goto out; 549 goto out;
@@ -742,7 +742,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
742 goto out; 742 goto out;
743 } 743 }
744 rc = -EINVAL; 744 rc = -EINVAL;
745 printk(KERN_WARNING "SELinux: Unable to set superblock options " 745 pr_warn("SELinux: Unable to set superblock options "
746 "before the security server is initialized\n"); 746 "before the security server is initialized\n");
747 goto out; 747 goto out;
748 } 748 }
@@ -784,7 +784,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
784 mount_options[i], &sid, 784 mount_options[i], &sid,
785 GFP_KERNEL); 785 GFP_KERNEL);
786 if (rc) { 786 if (rc) {
787 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 787 pr_warn("SELinux: security_context_str_to_sid"
788 "(%s) failed for (dev %s, type %s) errno=%d\n", 788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc); 789 mount_options[i], sb->s_id, name, rc);
790 goto out; 790 goto out;
@@ -860,8 +860,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
860 */ 860 */
861 rc = security_fs_use(&selinux_state, sb); 861 rc = security_fs_use(&selinux_state, sb);
862 if (rc) { 862 if (rc) {
863 printk(KERN_WARNING 863 pr_warn("%s: security_fs_use(%s) returned %d\n",
864 "%s: security_fs_use(%s) returned %d\n",
865 __func__, sb->s_type->name, rc); 864 __func__, sb->s_type->name, rc);
866 goto out; 865 goto out;
867 } 866 }
@@ -947,7 +946,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
947 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 946 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
948 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 947 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
949 rc = -EINVAL; 948 rc = -EINVAL;
950 printk(KERN_WARNING "SELinux: defcontext option is " 949 pr_warn("SELinux: defcontext option is "
951 "invalid for this filesystem type\n"); 950 "invalid for this filesystem type\n");
952 goto out; 951 goto out;
953 } 952 }
@@ -969,7 +968,7 @@ out:
969 return rc; 968 return rc;
970out_double_mount: 969out_double_mount:
971 rc = -EINVAL; 970 rc = -EINVAL;
972 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 971 pr_warn("SELinux: mount invalid. Same superblock, different "
973 "security settings for (dev %s, type %s)\n", sb->s_id, name); 972 "security settings for (dev %s, type %s)\n", sb->s_id, name);
974 goto out; 973 goto out;
975} 974}
@@ -998,7 +997,7 @@ static int selinux_cmp_sb_context(const struct super_block *oldsb,
998 } 997 }
999 return 0; 998 return 0;
1000mismatch: 999mismatch:
1001 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 1000 pr_warn("SELinux: mount invalid. Same superblock, "
1002 "different security settings for (dev %s, " 1001 "different security settings for (dev %s, "
1003 "type %s)\n", newsb->s_id, newsb->s_type->name); 1002 "type %s)\n", newsb->s_id, newsb->s_type->name);
1004 return -EBUSY; 1003 return -EBUSY;
@@ -1106,7 +1105,7 @@ static int selinux_parse_opts_str(char *options,
1106 case Opt_context: 1105 case Opt_context:
1107 if (context || defcontext) { 1106 if (context || defcontext) {
1108 rc = -EINVAL; 1107 rc = -EINVAL;
1109 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1108 pr_warn(SEL_MOUNT_FAIL_MSG);
1110 goto out_err; 1109 goto out_err;
1111 } 1110 }
1112 context = match_strdup(&args[0]); 1111 context = match_strdup(&args[0]);
@@ -1119,7 +1118,7 @@ static int selinux_parse_opts_str(char *options,
1119 case Opt_fscontext: 1118 case Opt_fscontext:
1120 if (fscontext) { 1119 if (fscontext) {
1121 rc = -EINVAL; 1120 rc = -EINVAL;
1122 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1121 pr_warn(SEL_MOUNT_FAIL_MSG);
1123 goto out_err; 1122 goto out_err;
1124 } 1123 }
1125 fscontext = match_strdup(&args[0]); 1124 fscontext = match_strdup(&args[0]);
@@ -1132,7 +1131,7 @@ static int selinux_parse_opts_str(char *options,
1132 case Opt_rootcontext: 1131 case Opt_rootcontext:
1133 if (rootcontext) { 1132 if (rootcontext) {
1134 rc = -EINVAL; 1133 rc = -EINVAL;
1135 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1134 pr_warn(SEL_MOUNT_FAIL_MSG);
1136 goto out_err; 1135 goto out_err;
1137 } 1136 }
1138 rootcontext = match_strdup(&args[0]); 1137 rootcontext = match_strdup(&args[0]);
@@ -1145,7 +1144,7 @@ static int selinux_parse_opts_str(char *options,
1145 case Opt_defcontext: 1144 case Opt_defcontext:
1146 if (context || defcontext) { 1145 if (context || defcontext) {
1147 rc = -EINVAL; 1146 rc = -EINVAL;
1148 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1147 pr_warn(SEL_MOUNT_FAIL_MSG);
1149 goto out_err; 1148 goto out_err;
1150 } 1149 }
1151 defcontext = match_strdup(&args[0]); 1150 defcontext = match_strdup(&args[0]);
@@ -1158,7 +1157,7 @@ static int selinux_parse_opts_str(char *options,
1158 break; 1157 break;
1159 default: 1158 default:
1160 rc = -EINVAL; 1159 rc = -EINVAL;
1161 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1160 pr_warn("SELinux: unknown mount option\n");
1162 goto out_err; 1161 goto out_err;
1163 1162
1164 } 1163 }
@@ -1623,7 +1622,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1623 dput(dentry); 1622 dput(dentry);
1624 if (rc < 0) { 1623 if (rc < 0) {
1625 if (rc != -ENODATA) { 1624 if (rc != -ENODATA) {
1626 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1625 pr_warn("SELinux: %s: getxattr returned "
1627 "%d for dev=%s ino=%ld\n", __func__, 1626 "%d for dev=%s ino=%ld\n", __func__,
1628 -rc, inode->i_sb->s_id, inode->i_ino); 1627 -rc, inode->i_sb->s_id, inode->i_ino);
1629 kfree(context); 1628 kfree(context);
@@ -1643,11 +1642,11 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1643 1642
1644 if (rc == -EINVAL) { 1643 if (rc == -EINVAL) {
1645 if (printk_ratelimit()) 1644 if (printk_ratelimit())
1646 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1645 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1647 "context=%s. This indicates you may need to relabel the inode or the " 1646 "context=%s. This indicates you may need to relabel the inode or the "
1648 "filesystem in question.\n", ino, dev, context); 1647 "filesystem in question.\n", ino, dev, context);
1649 } else { 1648 } else {
1650 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1649 pr_warn("SELinux: %s: context_to_sid(%s) "
1651 "returned %d for dev=%s ino=%ld\n", 1650 "returned %d for dev=%s ino=%ld\n",
1652 __func__, context, -rc, dev, ino); 1651 __func__, context, -rc, dev, ino);
1653 } 1652 }
@@ -1785,8 +1784,7 @@ static int cred_has_capability(const struct cred *cred,
1785 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1784 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1786 break; 1785 break;
1787 default: 1786 default:
1788 printk(KERN_ERR 1787 pr_err("SELinux: out of range capability %d\n", cap);
1789 "SELinux: out of range capability %d\n", cap);
1790 BUG(); 1788 BUG();
1791 return -EINVAL; 1789 return -EINVAL;
1792 } 1790 }
@@ -2029,7 +2027,7 @@ static int may_link(struct inode *dir,
2029 av = DIR__RMDIR; 2027 av = DIR__RMDIR;
2030 break; 2028 break;
2031 default: 2029 default:
2032 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 2030 pr_warn("SELinux: %s: unrecognized kind %d\n",
2033 __func__, kind); 2031 __func__, kind);
2034 return 0; 2032 return 0;
2035 } 2033 }
@@ -2875,7 +2873,7 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2875 mount_options[i], &sid, 2873 mount_options[i], &sid,
2876 GFP_KERNEL); 2874 GFP_KERNEL);
2877 if (rc) { 2875 if (rc) {
2878 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2876 pr_warn("SELinux: security_context_str_to_sid"
2879 "(%s) failed for (dev %s, type %s) errno=%d\n", 2877 "(%s) failed for (dev %s, type %s) errno=%d\n",
2880 mount_options[i], sb->s_id, sb->s_type->name, rc); 2878 mount_options[i], sb->s_id, sb->s_type->name, rc);
2881 goto out_free_opts; 2879 goto out_free_opts;
@@ -2914,7 +2912,7 @@ out_free_secdata:
2914 free_secdata(secdata); 2912 free_secdata(secdata);
2915 return rc; 2913 return rc;
2916out_bad_option: 2914out_bad_option:
2917 printk(KERN_WARNING "SELinux: unable to change security options " 2915 pr_warn("SELinux: unable to change security options "
2918 "during remount (dev %s, type=%s)\n", sb->s_id, 2916 "during remount (dev %s, type=%s)\n", sb->s_id,
2919 sb->s_type->name); 2917 sb->s_type->name);
2920 goto out_free_opts; 2918 goto out_free_opts;
@@ -3357,7 +3355,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3357 rc = security_context_to_sid_force(&selinux_state, value, size, 3355 rc = security_context_to_sid_force(&selinux_state, value, size,
3358 &newsid); 3356 &newsid);
3359 if (rc) { 3357 if (rc) {
3360 printk(KERN_ERR "SELinux: unable to map context to SID" 3358 pr_err("SELinux: unable to map context to SID"
3361 "for (%s, %lu), rc=%d\n", 3359 "for (%s, %lu), rc=%d\n",
3362 inode->i_sb->s_id, inode->i_ino, -rc); 3360 inode->i_sb->s_id, inode->i_ino, -rc);
3363 return; 3361 return;
@@ -3862,7 +3860,7 @@ static int selinux_file_receive(struct file *file)
3862 return file_has_perm(cred, file, file_to_av(file)); 3860 return file_has_perm(cred, file, file_to_av(file));
3863} 3861}
3864 3862
3865static int selinux_file_open(struct file *file, const struct cred *cred) 3863static int selinux_file_open(struct file *file)
3866{ 3864{
3867 struct file_security_struct *fsec; 3865 struct file_security_struct *fsec;
3868 struct inode_security_struct *isec; 3866 struct inode_security_struct *isec;
@@ -3886,7 +3884,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
3886 * new inode label or new policy. 3884 * new inode label or new policy.
3887 * This check is not redundant - do not remove. 3885 * This check is not redundant - do not remove.
3888 */ 3886 */
3889 return file_path_has_perm(cred, file, open_file_to_av(file)); 3887 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3890} 3888}
3891 3889
3892/* task security operations */ 3890/* task security operations */
@@ -4434,7 +4432,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4434 } 4432 }
4435 4433
4436parse_error: 4434parse_error:
4437 printk(KERN_WARNING 4435 pr_warn(
4438 "SELinux: failure in selinux_parse_skb()," 4436 "SELinux: failure in selinux_parse_skb(),"
4439 " unable to parse packet\n"); 4437 " unable to parse packet\n");
4440 return ret; 4438 return ret;
@@ -4477,7 +4475,7 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4477 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4475 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4478 nlbl_type, xfrm_sid, sid); 4476 nlbl_type, xfrm_sid, sid);
4479 if (unlikely(err)) { 4477 if (unlikely(err)) {
4480 printk(KERN_WARNING 4478 pr_warn(
4481 "SELinux: failure in selinux_skb_peerlbl_sid()," 4479 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4482 " unable to determine packet's peer label\n"); 4480 " unable to determine packet's peer label\n");
4483 return -EACCES; 4481 return -EACCES;
@@ -7141,11 +7139,11 @@ static __init int selinux_init(void)
7141 } 7139 }
7142 7140
7143 if (!selinux_enabled) { 7141 if (!selinux_enabled) {
7144 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 7142 pr_info("SELinux: Disabled at boot.\n");
7145 return 0; 7143 return 0;
7146 } 7144 }
7147 7145
7148 printk(KERN_INFO "SELinux: Initializing.\n"); 7146 pr_info("SELinux: Initializing.\n");
7149 7147
7150 memset(&selinux_state, 0, sizeof(selinux_state)); 7148 memset(&selinux_state, 0, sizeof(selinux_state));
7151 enforcing_set(&selinux_state, selinux_enforcing_boot); 7149 enforcing_set(&selinux_state, selinux_enforcing_boot);
@@ -7181,9 +7179,9 @@ static __init int selinux_init(void)
7181 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7179 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7182 7180
7183 if (selinux_enforcing_boot) 7181 if (selinux_enforcing_boot)
7184 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7182 pr_debug("SELinux: Starting in enforcing mode\n");
7185 else 7183 else
7186 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7184 pr_debug("SELinux: Starting in permissive mode\n");
7187 7185
7188 return 0; 7186 return 0;
7189} 7187}
@@ -7195,10 +7193,10 @@ static void delayed_superblock_init(struct super_block *sb, void *unused)
7195 7193
7196void selinux_complete_init(void) 7194void selinux_complete_init(void)
7197{ 7195{
7198 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 7196 pr_debug("SELinux: Completing initialization.\n");
7199 7197
7200 /* Set up any superblocks initialized prior to the policy load. */ 7198 /* Set up any superblocks initialized prior to the policy load. */
7201 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 7199 pr_debug("SELinux: Setting up existing superblocks.\n");
7202 iterate_supers(delayed_superblock_init, NULL); 7200 iterate_supers(delayed_superblock_init, NULL);
7203} 7201}
7204 7202
@@ -7273,7 +7271,7 @@ static int __init selinux_nf_ip_init(void)
7273 if (!selinux_enabled) 7271 if (!selinux_enabled)
7274 return 0; 7272 return 0;
7275 7273
7276 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 7274 pr_debug("SELinux: Registering netfilter hooks\n");
7277 7275
7278 err = register_pernet_subsys(&selinux_net_ops); 7276 err = register_pernet_subsys(&selinux_net_ops);
7279 if (err) 7277 if (err)
@@ -7286,7 +7284,7 @@ __initcall(selinux_nf_ip_init);
7286#ifdef CONFIG_SECURITY_SELINUX_DISABLE 7284#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7287static void selinux_nf_ip_exit(void) 7285static void selinux_nf_ip_exit(void)
7288{ 7286{
7289 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 7287 pr_debug("SELinux: Unregistering netfilter hooks\n");
7290 7288
7291 unregister_pernet_subsys(&selinux_net_ops); 7289 unregister_pernet_subsys(&selinux_net_ops);
7292} 7290}
@@ -7315,7 +7313,7 @@ int selinux_disable(struct selinux_state *state)
7315 7313
7316 state->disabled = 1; 7314 state->disabled = 1;
7317 7315
7318 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7316 pr_info("SELinux: Disabled at runtime.\n");
7319 7317
7320 selinux_enabled = 0; 7318 selinux_enabled = 0;
7321 7319
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index ac65f7417413..8c738c189942 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -145,9 +145,8 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
145 145
146 dev = dev_get_by_index(ns, ifindex); 146 dev = dev_get_by_index(ns, ifindex);
147 if (unlikely(dev == NULL)) { 147 if (unlikely(dev == NULL)) {
148 printk(KERN_WARNING 148 pr_warn("SELinux: failure in %s(), invalid network interface (%d)\n",
149 "SELinux: failure in sel_netif_sid_slow()," 149 __func__, ifindex);
150 " invalid network interface (%d)\n", ifindex);
151 return -ENOENT; 150 return -ENOENT;
152 } 151 }
153 152
@@ -177,10 +176,8 @@ out:
177 spin_unlock_bh(&sel_netif_lock); 176 spin_unlock_bh(&sel_netif_lock);
178 dev_put(dev); 177 dev_put(dev);
179 if (unlikely(ret)) { 178 if (unlikely(ret)) {
180 printk(KERN_WARNING 179 pr_warn("SELinux: failure in %s(), unable to determine network interface label (%d)\n",
181 "SELinux: failure in sel_netif_sid_slow()," 180 __func__, ifindex);
182 " unable to determine network interface label (%d)\n",
183 ifindex);
184 kfree(new); 181 kfree(new);
185 } 182 }
186 return ret; 183 return ret;
diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c
index 828fb6a4e941..8a8a72507437 100644
--- a/security/selinux/netlink.c
+++ b/security/selinux/netlink.c
@@ -94,7 +94,7 @@ out:
94out_kfree_skb: 94out_kfree_skb:
95 kfree_skb(skb); 95 kfree_skb(skb);
96oom: 96oom:
97 printk(KERN_ERR "SELinux: OOM in %s\n", __func__); 97 pr_err("SELinux: OOM in %s\n", __func__);
98 goto out; 98 goto out;
99} 99}
100 100
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 6dd89b89bc1f..afa0d432436b 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -238,9 +238,8 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
238out: 238out:
239 spin_unlock_bh(&sel_netnode_lock); 239 spin_unlock_bh(&sel_netnode_lock);
240 if (unlikely(ret)) { 240 if (unlikely(ret)) {
241 printk(KERN_WARNING 241 pr_warn("SELinux: failure in %s(), unable to determine network node label\n",
242 "SELinux: failure in sel_netnode_sid_slow()," 242 __func__);
243 " unable to determine network node label\n");
244 kfree(new); 243 kfree(new);
245 } 244 }
246 return ret; 245 return ret;
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 9ed4c5064a5e..7a141cadbffc 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -173,9 +173,8 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
173out: 173out:
174 spin_unlock_bh(&sel_netport_lock); 174 spin_unlock_bh(&sel_netport_lock);
175 if (unlikely(ret)) { 175 if (unlikely(ret)) {
176 printk(KERN_WARNING 176 pr_warn("SELinux: failure in %s(), unable to determine network port label\n",
177 "SELinux: failure in sel_netport_sid_slow()," 177 __func__);
178 " unable to determine network port label\n");
179 kfree(new); 178 kfree(new);
180 } 179 }
181 return ret; 180 return ret;
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 7b7433a1a34c..74b951f55608 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -159,7 +159,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
159 switch (sclass) { 159 switch (sclass) {
160 case SECCLASS_NETLINK_ROUTE_SOCKET: 160 case SECCLASS_NETLINK_ROUTE_SOCKET:
161 /* RTM_MAX always point to RTM_SETxxxx, ie RTM_NEWxxx + 3 */ 161 /* RTM_MAX always point to RTM_SETxxxx, ie RTM_NEWxxx + 3 */
162 BUILD_BUG_ON(RTM_MAX != (RTM_NEWCACHEREPORT + 3)); 162 BUILD_BUG_ON(RTM_MAX != (RTM_NEWCHAIN + 3));
163 err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms, 163 err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
164 sizeof(nlmsg_route_perms)); 164 sizeof(nlmsg_route_perms));
165 break; 165 break;
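Review bot: The BUILD_BUG_ON on line 162 now pins RTM_MAX to RTM_NEWCHAIN + 3, but the corresponding nlmsg_route_perms rows for RTM_NEWCHAIN, RTM_DELCHAIN and RTM_GETCHAIN are not in this hunk; the table lives earlier in the file and is not visible here. If those rows were not added in the same change, nlmsg_perm() on line 163 will not find the new message types and they fall through to whatever selinux_nlmsg_lookup()'s unknown-type path does, rather than being mapped to an explicit nlmsg permission. Worth confirming the table gained entries following the pattern of the existing RTM_NEW*/RTM_DEL*/RTM_GET* rows before this lands. The enclosing selinux_nlmsg_lookup() starts and ends outside the hunk.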
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index f3d374d2ca04..f3a5a138a096 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -441,22 +441,16 @@ static int sel_release_policy(struct inode *inode, struct file *filp)
441static ssize_t sel_read_policy(struct file *filp, char __user *buf, 441static ssize_t sel_read_policy(struct file *filp, char __user *buf,
442 size_t count, loff_t *ppos) 442 size_t count, loff_t *ppos)
443{ 443{
444 struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
445 struct policy_load_memory *plm = filp->private_data; 444 struct policy_load_memory *plm = filp->private_data;
446 int ret; 445 int ret;
447 446
448 mutex_lock(&fsi->mutex);
449
450 ret = avc_has_perm(&selinux_state, 447 ret = avc_has_perm(&selinux_state,
451 current_sid(), SECINITSID_SECURITY, 448 current_sid(), SECINITSID_SECURITY,
452 SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL); 449 SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL);
453 if (ret) 450 if (ret)
454 goto out; 451 return ret;
455 452
456 ret = simple_read_from_buffer(buf, count, ppos, plm->data, plm->len); 453 return simple_read_from_buffer(buf, count, ppos, plm->data, plm->len);
457out:
458 mutex_unlock(&fsi->mutex);
459 return ret;
460} 454}
461 455
462static vm_fault_t sel_mmap_policy_fault(struct vm_fault *vmf) 456static vm_fault_t sel_mmap_policy_fault(struct vm_fault *vmf)
@@ -620,7 +614,7 @@ static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
620 614
621 length = -ERANGE; 615 length = -ERANGE;
622 if (len > SIMPLE_TRANSACTION_LIMIT) { 616 if (len > SIMPLE_TRANSACTION_LIMIT) {
623 printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " 617 pr_err("SELinux: %s: context size (%u) exceeds "
624 "payload max\n", __func__, len); 618 "payload max\n", __func__, len);
625 goto out; 619 goto out;
626 } 620 }
@@ -773,7 +767,7 @@ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
773static ssize_t sel_write_user(struct file *file, char *buf, size_t size); 767static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
774static ssize_t sel_write_member(struct file *file, char *buf, size_t size); 768static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
775 769
776static ssize_t (*write_op[])(struct file *, char *, size_t) = { 770static ssize_t (*const write_op[])(struct file *, char *, size_t) = {
777 [SEL_ACCESS] = sel_write_access, 771 [SEL_ACCESS] = sel_write_access,
778 [SEL_CREATE] = sel_write_create, 772 [SEL_CREATE] = sel_write_create,
779 [SEL_RELABEL] = sel_write_relabel, 773 [SEL_RELABEL] = sel_write_relabel,
@@ -956,7 +950,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
956 950
957 length = -ERANGE; 951 length = -ERANGE;
958 if (len > SIMPLE_TRANSACTION_LIMIT) { 952 if (len > SIMPLE_TRANSACTION_LIMIT) {
959 printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " 953 pr_err("SELinux: %s: context size (%u) exceeds "
960 "payload max\n", __func__, len); 954 "payload max\n", __func__, len);
961 goto out; 955 goto out;
962 } 956 }
@@ -1147,7 +1141,7 @@ static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
1147 1141
1148 length = -ERANGE; 1142 length = -ERANGE;
1149 if (len > SIMPLE_TRANSACTION_LIMIT) { 1143 if (len > SIMPLE_TRANSACTION_LIMIT) {
1150 printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " 1144 pr_err("SELinux: %s: context size (%u) exceeds "
1151 "payload max\n", __func__, len); 1145 "payload max\n", __func__, len);
1152 goto out; 1146 goto out;
1153 } 1147 }
@@ -1188,25 +1182,29 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
1188 ret = -EINVAL; 1182 ret = -EINVAL;
1189 if (index >= fsi->bool_num || strcmp(name, 1183 if (index >= fsi->bool_num || strcmp(name,
1190 fsi->bool_pending_names[index])) 1184 fsi->bool_pending_names[index]))
1191 goto out; 1185 goto out_unlock;
1192 1186
1193 ret = -ENOMEM; 1187 ret = -ENOMEM;
1194 page = (char *)get_zeroed_page(GFP_KERNEL); 1188 page = (char *)get_zeroed_page(GFP_KERNEL);
1195 if (!page) 1189 if (!page)
1196 goto out; 1190 goto out_unlock;
1197 1191
1198 cur_enforcing = security_get_bool_value(fsi->state, index); 1192 cur_enforcing = security_get_bool_value(fsi->state, index);
1199 if (cur_enforcing < 0) { 1193 if (cur_enforcing < 0) {
1200 ret = cur_enforcing; 1194 ret = cur_enforcing;
1201 goto out; 1195 goto out_unlock;
1202 } 1196 }
1203 length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing, 1197 length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
1204 fsi->bool_pending_values[index]); 1198 fsi->bool_pending_values[index]);
1205 ret = simple_read_from_buffer(buf, count, ppos, page, length);
1206out:
1207 mutex_unlock(&fsi->mutex); 1199 mutex_unlock(&fsi->mutex);
1200 ret = simple_read_from_buffer(buf, count, ppos, page, length);
1201out_free:
1208 free_page((unsigned long)page); 1202 free_page((unsigned long)page);
1209 return ret; 1203 return ret;
1204
1205out_unlock:
1206 mutex_unlock(&fsi->mutex);
1207 goto out_free;
1210} 1208}
1211 1209
1212static ssize_t sel_write_bool(struct file *filep, const char __user *buf, 1210static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
@@ -1219,6 +1217,17 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
1219 unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK; 1217 unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK;
1220 const char *name = filep->f_path.dentry->d_name.name; 1218 const char *name = filep->f_path.dentry->d_name.name;
1221 1219
1220 if (count >= PAGE_SIZE)
1221 return -ENOMEM;
1222
1223 /* No partial writes. */
1224 if (*ppos != 0)
1225 return -EINVAL;
1226
1227 page = memdup_user_nul(buf, count);
1228 if (IS_ERR(page))
1229 return PTR_ERR(page);
1230
1222 mutex_lock(&fsi->mutex); 1231 mutex_lock(&fsi->mutex);
1223 1232
1224 length = avc_has_perm(&selinux_state, 1233 length = avc_has_perm(&selinux_state,
@@ -1233,22 +1242,6 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
1233 fsi->bool_pending_names[index])) 1242 fsi->bool_pending_names[index]))
1234 goto out; 1243 goto out;
1235 1244
1236 length = -ENOMEM;
1237 if (count >= PAGE_SIZE)
1238 goto out;
1239
1240 /* No partial writes. */
1241 length = -EINVAL;
1242 if (*ppos != 0)
1243 goto out;
1244
1245 page = memdup_user_nul(buf, count);
1246 if (IS_ERR(page)) {
1247 length = PTR_ERR(page);
1248 page = NULL;
1249 goto out;
1250 }
1251
1252 length = -EINVAL; 1245 length = -EINVAL;
1253 if (sscanf(page, "%d", &new_value) != 1) 1246 if (sscanf(page, "%d", &new_value) != 1)
1254 goto out; 1247 goto out;
@@ -1280,6 +1273,17 @@ static ssize_t sel_commit_bools_write(struct file *filep,
1280 ssize_t length; 1273 ssize_t length;
1281 int new_value; 1274 int new_value;
1282 1275
1276 if (count >= PAGE_SIZE)
1277 return -ENOMEM;
1278
1279 /* No partial writes. */
1280 if (*ppos != 0)
1281 return -EINVAL;
1282
1283 page = memdup_user_nul(buf, count);
1284 if (IS_ERR(page))
1285 return PTR_ERR(page);
1286
1283 mutex_lock(&fsi->mutex); 1287 mutex_lock(&fsi->mutex);
1284 1288
1285 length = avc_has_perm(&selinux_state, 1289 length = avc_has_perm(&selinux_state,
@@ -1289,22 +1293,6 @@ static ssize_t sel_commit_bools_write(struct file *filep,
1289 if (length) 1293 if (length)
1290 goto out; 1294 goto out;
1291 1295
1292 length = -ENOMEM;
1293 if (count >= PAGE_SIZE)
1294 goto out;
1295
1296 /* No partial writes. */
1297 length = -EINVAL;
1298 if (*ppos != 0)
1299 goto out;
1300
1301 page = memdup_user_nul(buf, count);
1302 if (IS_ERR(page)) {
1303 length = PTR_ERR(page);
1304 page = NULL;
1305 goto out;
1306 }
1307
1308 length = -EINVAL; 1296 length = -EINVAL;
1309 if (sscanf(page, "%d", &new_value) != 1) 1297 if (sscanf(page, "%d", &new_value) != 1)
1310 goto out; 1298 goto out;
@@ -1377,13 +1365,18 @@ static int sel_make_bools(struct selinux_fs_info *fsi)
1377 1365
1378 ret = -ENOMEM; 1366 ret = -ENOMEM;
1379 inode = sel_make_inode(dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR); 1367 inode = sel_make_inode(dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR);
1380 if (!inode) 1368 if (!inode) {
1369 dput(dentry);
1381 goto out; 1370 goto out;
1371 }
1382 1372
1383 ret = -ENAMETOOLONG; 1373 ret = -ENAMETOOLONG;
1384 len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]); 1374 len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]);
1385 if (len >= PAGE_SIZE) 1375 if (len >= PAGE_SIZE) {
1376 dput(dentry);
1377 iput(inode);
1386 goto out; 1378 goto out;
1379 }
1387 1380
1388 isec = (struct inode_security_struct *)inode->i_security; 1381 isec = (struct inode_security_struct *)inode->i_security;
1389 ret = security_genfs_sid(fsi->state, "selinuxfs", page, 1382 ret = security_genfs_sid(fsi->state, "selinuxfs", page,
@@ -1598,8 +1591,10 @@ static int sel_make_avc_files(struct dentry *dir)
1598 return -ENOMEM; 1591 return -ENOMEM;
1599 1592
1600 inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode); 1593 inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode);
1601 if (!inode) 1594 if (!inode) {
1595 dput(dentry);
1602 return -ENOMEM; 1596 return -ENOMEM;
1597 }
1603 1598
1604 inode->i_fop = files[i].ops; 1599 inode->i_fop = files[i].ops;
1605 inode->i_ino = ++fsi->last_ino; 1600 inode->i_ino = ++fsi->last_ino;
@@ -1644,8 +1639,10 @@ static int sel_make_initcon_files(struct dentry *dir)
1644 return -ENOMEM; 1639 return -ENOMEM;
1645 1640
1646 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1641 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1647 if (!inode) 1642 if (!inode) {
1643 dput(dentry);
1648 return -ENOMEM; 1644 return -ENOMEM;
1645 }
1649 1646
1650 inode->i_fop = &sel_initcon_ops; 1647 inode->i_fop = &sel_initcon_ops;
1651 inode->i_ino = i|SEL_INITCON_INO_OFFSET; 1648 inode->i_ino = i|SEL_INITCON_INO_OFFSET;
@@ -1745,8 +1742,10 @@ static int sel_make_perm_files(char *objclass, int classvalue,
1745 1742
1746 rc = -ENOMEM; 1743 rc = -ENOMEM;
1747 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1744 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1748 if (!inode) 1745 if (!inode) {
1746 dput(dentry);
1749 goto out; 1747 goto out;
1748 }
1750 1749
1751 inode->i_fop = &sel_perm_ops; 1750 inode->i_fop = &sel_perm_ops;
1752 /* i+1 since perm values are 1-indexed */ 1751 /* i+1 since perm values are 1-indexed */
@@ -1775,8 +1774,10 @@ static int sel_make_class_dir_entries(char *classname, int index,
1775 return -ENOMEM; 1774 return -ENOMEM;
1776 1775
1777 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1776 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1778 if (!inode) 1777 if (!inode) {
1778 dput(dentry);
1779 return -ENOMEM; 1779 return -ENOMEM;
1780 }
1780 1781
1781 inode->i_fop = &sel_class_ops; 1782 inode->i_fop = &sel_class_ops;
1782 inode->i_ino = sel_class_to_ino(index); 1783 inode->i_ino = sel_class_to_ino(index);
@@ -1850,8 +1851,10 @@ static int sel_make_policycap(struct selinux_fs_info *fsi)
1850 return -ENOMEM; 1851 return -ENOMEM;
1851 1852
1852 inode = sel_make_inode(fsi->sb, S_IFREG | 0444); 1853 inode = sel_make_inode(fsi->sb, S_IFREG | 0444);
1853 if (inode == NULL) 1854 if (inode == NULL) {
1855 dput(dentry);
1854 return -ENOMEM; 1856 return -ENOMEM;
1857 }
1855 1858
1856 inode->i_fop = &sel_policycap_ops; 1859 inode->i_fop = &sel_policycap_ops;
1857 inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET; 1860 inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET;
@@ -1944,8 +1947,10 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
1944 1947
1945 ret = -ENOMEM; 1948 ret = -ENOMEM;
1946 inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO); 1949 inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO);
1947 if (!inode) 1950 if (!inode) {
1951 dput(dentry);
1948 goto err; 1952 goto err;
1953 }
1949 1954
1950 inode->i_ino = ++fsi->last_ino; 1955 inode->i_ino = ++fsi->last_ino;
1951 isec = (struct inode_security_struct *)inode->i_security; 1956 isec = (struct inode_security_struct *)inode->i_security;
@@ -1996,7 +2001,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
1996 goto err; 2001 goto err;
1997 return 0; 2002 return 0;
1998err: 2003err:
1999 printk(KERN_ERR "SELinux: %s: failed while creating inodes\n", 2004 pr_err("SELinux: %s: failed while creating inodes\n",
2000 __func__); 2005 __func__);
2001 2006
2002 selinux_fs_info_free(sb); 2007 selinux_fs_info_free(sb);
@@ -2046,7 +2051,7 @@ static int __init init_sel_fs(void)
2046 2051
2047 selinux_null.mnt = selinuxfs_mount = kern_mount(&sel_fs_type); 2052 selinux_null.mnt = selinuxfs_mount = kern_mount(&sel_fs_type);
2048 if (IS_ERR(selinuxfs_mount)) { 2053 if (IS_ERR(selinuxfs_mount)) {
2049 printk(KERN_ERR "selinuxfs: could not mount!\n"); 2054 pr_err("selinuxfs: could not mount!\n");
2050 err = PTR_ERR(selinuxfs_mount); 2055 err = PTR_ERR(selinuxfs_mount);
2051 selinuxfs_mount = NULL; 2056 selinuxfs_mount = NULL;
2052 } 2057 }
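Review bot: In sel_write_bool (new lines 1220–1229) and sel_commit_bools_write (new lines 1276–1285) the count check, the ppos check and memdup_user_nul() now run before the avc_has_perm() call on lines 1233/1289, so a caller the policy denies still gets its buffer copied into the kernel, and an over-long or non-zero-offset write from such a caller now returns -ENOMEM/-EINVAL without any AVC denial being recorded, whereas the old ordering audited the denial first. Taking the allocation out from under fsi->mutex is fine, but as far as the hunk shows avc_has_perm() has no dependency on that mutex either (sel_read_policy on line 447 already calls it unlocked), so the existing avc_has_perm() call and its `if (length)` test could be hoisted to sit ahead of the `count >= PAGE_SIZE` test, returning `length` directly there, to keep the deny-before-copy ordering. The `out:` label, which must now kfree(page) on every path reached after the lock, is outside the hunk and should be checked for that.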
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index a2c9148b0662..c0417cf17fee 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -338,7 +338,7 @@ int avtab_alloc(struct avtab *h, u32 nrules)
338 h->nel = 0; 338 h->nel = 0;
339 h->nslot = nslot; 339 h->nslot = nslot;
340 h->mask = mask; 340 h->mask = mask;
341 printk(KERN_DEBUG "SELinux: %d avtab hash slots, %d rules.\n", 341 pr_debug("SELinux: %d avtab hash slots, %d rules.\n",
342 h->nslot, nrules); 342 h->nslot, nrules);
343 return 0; 343 return 0;
344} 344}
@@ -368,7 +368,7 @@ void avtab_hash_eval(struct avtab *h, char *tag)
368 } 368 }
369 } 369 }
370 370
371 printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " 371 pr_debug("SELinux: %s: %d entries and %d/%d buckets used, "
372 "longest chain length %d sum of chain length^2 %llu\n", 372 "longest chain length %d sum of chain length^2 %llu\n",
373 tag, h->nel, slots_used, h->nslot, max_chain_len, 373 tag, h->nel, slots_used, h->nslot, max_chain_len,
374 chain2_len_sum); 374 chain2_len_sum);
@@ -407,18 +407,18 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
407 if (vers < POLICYDB_VERSION_AVTAB) { 407 if (vers < POLICYDB_VERSION_AVTAB) {
408 rc = next_entry(buf32, fp, sizeof(u32)); 408 rc = next_entry(buf32, fp, sizeof(u32));
409 if (rc) { 409 if (rc) {
410 printk(KERN_ERR "SELinux: avtab: truncated entry\n"); 410 pr_err("SELinux: avtab: truncated entry\n");
411 return rc; 411 return rc;
412 } 412 }
413 items2 = le32_to_cpu(buf32[0]); 413 items2 = le32_to_cpu(buf32[0]);
414 if (items2 > ARRAY_SIZE(buf32)) { 414 if (items2 > ARRAY_SIZE(buf32)) {
415 printk(KERN_ERR "SELinux: avtab: entry overflow\n"); 415 pr_err("SELinux: avtab: entry overflow\n");
416 return -EINVAL; 416 return -EINVAL;
417 417
418 } 418 }
419 rc = next_entry(buf32, fp, sizeof(u32)*items2); 419 rc = next_entry(buf32, fp, sizeof(u32)*items2);
420 if (rc) { 420 if (rc) {
421 printk(KERN_ERR "SELinux: avtab: truncated entry\n"); 421 pr_err("SELinux: avtab: truncated entry\n");
422 return rc; 422 return rc;
423 } 423 }
424 items = 0; 424 items = 0;
@@ -426,19 +426,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
426 val = le32_to_cpu(buf32[items++]); 426 val = le32_to_cpu(buf32[items++]);
427 key.source_type = (u16)val; 427 key.source_type = (u16)val;
428 if (key.source_type != val) { 428 if (key.source_type != val) {
429 printk(KERN_ERR "SELinux: avtab: truncated source type\n"); 429 pr_err("SELinux: avtab: truncated source type\n");
430 return -EINVAL; 430 return -EINVAL;
431 } 431 }
432 val = le32_to_cpu(buf32[items++]); 432 val = le32_to_cpu(buf32[items++]);
433 key.target_type = (u16)val; 433 key.target_type = (u16)val;
434 if (key.target_type != val) { 434 if (key.target_type != val) {
435 printk(KERN_ERR "SELinux: avtab: truncated target type\n"); 435 pr_err("SELinux: avtab: truncated target type\n");
436 return -EINVAL; 436 return -EINVAL;
437 } 437 }
438 val = le32_to_cpu(buf32[items++]); 438 val = le32_to_cpu(buf32[items++]);
439 key.target_class = (u16)val; 439 key.target_class = (u16)val;
440 if (key.target_class != val) { 440 if (key.target_class != val) {
441 printk(KERN_ERR "SELinux: avtab: truncated target class\n"); 441 pr_err("SELinux: avtab: truncated target class\n");
442 return -EINVAL; 442 return -EINVAL;
443 } 443 }
444 444
@@ -446,16 +446,16 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
446 enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; 446 enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
447 447
448 if (!(val & (AVTAB_AV | AVTAB_TYPE))) { 448 if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
449 printk(KERN_ERR "SELinux: avtab: null entry\n"); 449 pr_err("SELinux: avtab: null entry\n");
450 return -EINVAL; 450 return -EINVAL;
451 } 451 }
452 if ((val & AVTAB_AV) && 452 if ((val & AVTAB_AV) &&
453 (val & AVTAB_TYPE)) { 453 (val & AVTAB_TYPE)) {
454 printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n"); 454 pr_err("SELinux: avtab: entry has both access vectors and types\n");
455 return -EINVAL; 455 return -EINVAL;
456 } 456 }
457 if (val & AVTAB_XPERMS) { 457 if (val & AVTAB_XPERMS) {
458 printk(KERN_ERR "SELinux: avtab: entry has extended permissions\n"); 458 pr_err("SELinux: avtab: entry has extended permissions\n");
459 return -EINVAL; 459 return -EINVAL;
460 } 460 }
461 461
@@ -470,7 +470,8 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
470 } 470 }
471 471
472 if (items != items2) { 472 if (items != items2) {
473 printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items); 473 pr_err("SELinux: avtab: entry only had %d items, expected %d\n",
474 items2, items);
474 return -EINVAL; 475 return -EINVAL;
475 } 476 }
476 return 0; 477 return 0;
@@ -478,7 +479,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
478 479
479 rc = next_entry(buf16, fp, sizeof(u16)*4); 480 rc = next_entry(buf16, fp, sizeof(u16)*4);
480 if (rc) { 481 if (rc) {
481 printk(KERN_ERR "SELinux: avtab: truncated entry\n"); 482 pr_err("SELinux: avtab: truncated entry\n");
482 return rc; 483 return rc;
483 } 484 }
484 485
@@ -491,7 +492,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
491 if (!policydb_type_isvalid(pol, key.source_type) || 492 if (!policydb_type_isvalid(pol, key.source_type) ||
492 !policydb_type_isvalid(pol, key.target_type) || 493 !policydb_type_isvalid(pol, key.target_type) ||
493 !policydb_class_isvalid(pol, key.target_class)) { 494 !policydb_class_isvalid(pol, key.target_class)) {
494 printk(KERN_ERR "SELinux: avtab: invalid type or class\n"); 495 pr_err("SELinux: avtab: invalid type or class\n");
495 return -EINVAL; 496 return -EINVAL;
496 } 497 }
497 498
@@ -501,13 +502,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
501 set++; 502 set++;
502 } 503 }
503 if (!set || set > 1) { 504 if (!set || set > 1) {
504 printk(KERN_ERR "SELinux: avtab: more than one specifier\n"); 505 pr_err("SELinux: avtab: more than one specifier\n");
505 return -EINVAL; 506 return -EINVAL;
506 } 507 }
507 508
508 if ((vers < POLICYDB_VERSION_XPERMS_IOCTL) && 509 if ((vers < POLICYDB_VERSION_XPERMS_IOCTL) &&
509 (key.specified & AVTAB_XPERMS)) { 510 (key.specified & AVTAB_XPERMS)) {
510 printk(KERN_ERR "SELinux: avtab: policy version %u does not " 511 pr_err("SELinux: avtab: policy version %u does not "
511 "support extended permissions rules and one " 512 "support extended permissions rules and one "
512 "was specified\n", vers); 513 "was specified\n", vers);
513 return -EINVAL; 514 return -EINVAL;
@@ -515,17 +516,17 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
515 memset(&xperms, 0, sizeof(struct avtab_extended_perms)); 516 memset(&xperms, 0, sizeof(struct avtab_extended_perms));
516 rc = next_entry(&xperms.specified, fp, sizeof(u8)); 517 rc = next_entry(&xperms.specified, fp, sizeof(u8));
517 if (rc) { 518 if (rc) {
518 printk(KERN_ERR "SELinux: avtab: truncated entry\n"); 519 pr_err("SELinux: avtab: truncated entry\n");
519 return rc; 520 return rc;
520 } 521 }
521 rc = next_entry(&xperms.driver, fp, sizeof(u8)); 522 rc = next_entry(&xperms.driver, fp, sizeof(u8));
522 if (rc) { 523 if (rc) {
523 printk(KERN_ERR "SELinux: avtab: truncated entry\n"); 524 pr_err("SELinux: avtab: truncated entry\n");
524 return rc; 525 return rc;
525 } 526 }
526 rc = next_entry(buf32, fp, sizeof(u32)*ARRAY_SIZE(xperms.perms.p)); 527 rc = next_entry(buf32, fp, sizeof(u32)*ARRAY_SIZE(xperms.perms.p));
527 if (rc) { 528 if (rc) {
528 printk(KERN_ERR "SELinux: avtab: truncated entry\n"); 529 pr_err("SELinux: avtab: truncated entry\n");
529 return rc; 530 return rc;
530 } 531 }
531 for (i = 0; i < ARRAY_SIZE(xperms.perms.p); i++) 532 for (i = 0; i < ARRAY_SIZE(xperms.perms.p); i++)
@@ -534,14 +535,14 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
534 } else { 535 } else {
535 rc = next_entry(buf32, fp, sizeof(u32)); 536 rc = next_entry(buf32, fp, sizeof(u32));
536 if (rc) { 537 if (rc) {
537 printk(KERN_ERR "SELinux: avtab: truncated entry\n"); 538 pr_err("SELinux: avtab: truncated entry\n");
538 return rc; 539 return rc;
539 } 540 }
540 datum.u.data = le32_to_cpu(*buf32); 541 datum.u.data = le32_to_cpu(*buf32);
541 } 542 }
542 if ((key.specified & AVTAB_TYPE) && 543 if ((key.specified & AVTAB_TYPE) &&
543 !policydb_type_isvalid(pol, datum.u.data)) { 544 !policydb_type_isvalid(pol, datum.u.data)) {
544 printk(KERN_ERR "SELinux: avtab: invalid type\n"); 545 pr_err("SELinux: avtab: invalid type\n");
545 return -EINVAL; 546 return -EINVAL;
546 } 547 }
547 return insertf(a, &key, &datum, p); 548 return insertf(a, &key, &datum, p);
@@ -562,12 +563,12 @@ int avtab_read(struct avtab *a, void *fp, struct policydb *pol)
562 563
563 rc = next_entry(buf, fp, sizeof(u32)); 564 rc = next_entry(buf, fp, sizeof(u32));
564 if (rc < 0) { 565 if (rc < 0) {
565 printk(KERN_ERR "SELinux: avtab: truncated table\n"); 566 pr_err("SELinux: avtab: truncated table\n");
566 goto bad; 567 goto bad;
567 } 568 }
568 nel = le32_to_cpu(buf[0]); 569 nel = le32_to_cpu(buf[0]);
569 if (!nel) { 570 if (!nel) {
570 printk(KERN_ERR "SELinux: avtab: table is empty\n"); 571 pr_err("SELinux: avtab: table is empty\n");
571 rc = -EINVAL; 572 rc = -EINVAL;
572 goto bad; 573 goto bad;
573 } 574 }
@@ -580,9 +581,9 @@ int avtab_read(struct avtab *a, void *fp, struct policydb *pol)
580 rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL); 581 rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL);
581 if (rc) { 582 if (rc) {
582 if (rc == -ENOMEM) 583 if (rc == -ENOMEM)
583 printk(KERN_ERR "SELinux: avtab: out of memory\n"); 584 pr_err("SELinux: avtab: out of memory\n");
584 else if (rc == -EEXIST) 585 else if (rc == -EEXIST)
585 printk(KERN_ERR "SELinux: avtab: duplicate entry\n"); 586 pr_err("SELinux: avtab: duplicate entry\n");
586 587
587 goto bad; 588 goto bad;
588 } 589 }
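Review bot: The message on new line 505, `pr_err("SELinux: avtab: more than one specifier\n")`, is printed for both halves of the `!set || set > 1` test on line 504, so a policy entry with no specifier bit at all is reported as having too many. Since the line is being rewritten anyway, make the message match the condition, e.g. `pr_err("SELinux: avtab: entry has %d specifiers, expected exactly one\n", set);` (set is the local counter incremented on line 502). Separately, the pr_debug in avtab_alloc (line 341) prints h->nslot with %d; if nslot is an unsigned field in struct avtab, %u is the matching specifier — confirm against the header. avtab_read_item starts and ends outside the hunks shown.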
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index c91543a617ac..f49e522e932d 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -96,7 +96,7 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
96 if (new_state != node->cur_state) { 96 if (new_state != node->cur_state) {
97 node->cur_state = new_state; 97 node->cur_state = new_state;
98 if (new_state == -1) 98 if (new_state == -1)
99 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); 99 pr_err("SELinux: expression result was undefined - disabling all rules.\n");
100 /* turn the rules on or off */ 100 /* turn the rules on or off */
101 for (cur = node->true_list; cur; cur = cur->next) { 101 for (cur = node->true_list; cur; cur = cur->next) {
102 if (new_state <= 0) 102 if (new_state <= 0)
@@ -287,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
287 */ 287 */
288 if (k->specified & AVTAB_TYPE) { 288 if (k->specified & AVTAB_TYPE) {
289 if (avtab_search(&p->te_avtab, k)) { 289 if (avtab_search(&p->te_avtab, k)) {
290 printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n"); 290 pr_err("SELinux: type rule already exists outside of a conditional.\n");
291 goto err; 291 goto err;
292 } 292 }
293 /* 293 /*
@@ -302,7 +302,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
302 node_ptr = avtab_search_node(&p->te_cond_avtab, k); 302 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
303 if (node_ptr) { 303 if (node_ptr) {
304 if (avtab_search_node_next(node_ptr, k->specified)) { 304 if (avtab_search_node_next(node_ptr, k->specified)) {
305 printk(KERN_ERR "SELinux: too many conflicting type rules.\n"); 305 pr_err("SELinux: too many conflicting type rules.\n");
306 goto err; 306 goto err;
307 } 307 }
308 found = 0; 308 found = 0;
@@ -313,13 +313,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
313 } 313 }
314 } 314 }
315 if (!found) { 315 if (!found) {
316 printk(KERN_ERR "SELinux: conflicting type rules.\n"); 316 pr_err("SELinux: conflicting type rules.\n");
317 goto err; 317 goto err;
318 } 318 }
319 } 319 }
320 } else { 320 } else {
321 if (avtab_search(&p->te_cond_avtab, k)) { 321 if (avtab_search(&p->te_cond_avtab, k)) {
322 printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n"); 322 pr_err("SELinux: conflicting type rules when adding type rule for true.\n");
323 goto err; 323 goto err;
324 } 324 }
325 } 325 }
@@ -327,7 +327,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
327 327
328 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); 328 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
329 if (!node_ptr) { 329 if (!node_ptr) {
330 printk(KERN_ERR "SELinux: could not insert rule.\n"); 330 pr_err("SELinux: could not insert rule.\n");
331 rc = -ENOMEM; 331 rc = -ENOMEM;
332 goto err; 332 goto err;
333 } 333 }
@@ -387,12 +387,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
387static int expr_isvalid(struct policydb *p, struct cond_expr *expr) 387static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
388{ 388{
389 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { 389 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
390 printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n"); 390 pr_err("SELinux: conditional expressions uses unknown operator.\n");
391 return 0; 391 return 0;
392 } 392 }
393 393
394 if (expr->bool > p->p_bools.nprim) { 394 if (expr->bool > p->p_bools.nprim) {
395 printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n"); 395 pr_err("SELinux: conditional expressions uses unknown bool.\n");
396 return 0; 396 return 0;
397 } 397 }
398 return 1; 398 return 1;
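--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -362,7 +362,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
 	count = le32_to_cpu(buf[2]);
 
 	if (mapunit != BITS_PER_U64) {
-		printk(KERN_ERR "SELinux: ebitmap: map size %u does not "
+		pr_err("SELinux: ebitmap: map size %u does not "
 		       "match my size %zd (high bit was %d)\n",
 		       mapunit, BITS_PER_U64, e->highbit);
 		goto bad;
@@ -383,19 +383,19 @@ int ebitmap_read(struct ebitmap *e, void *fp)
 	for (i = 0; i < count; i++) {
 		rc = next_entry(&startbit, fp, sizeof(u32));
 		if (rc < 0) {
-			printk(KERN_ERR "SELinux: ebitmap: truncated map\n");
+			pr_err("SELinux: ebitmap: truncated map\n");
 			goto bad;
 		}
 		startbit = le32_to_cpu(startbit);
 
 		if (startbit & (mapunit - 1)) {
-			printk(KERN_ERR "SELinux: ebitmap start bit (%d) is "
+			pr_err("SELinux: ebitmap start bit (%d) is "
 			       "not a multiple of the map unit size (%u)\n",
 			       startbit, mapunit);
 			goto bad;
 		}
 		if (startbit > e->highbit - mapunit) {
-			printk(KERN_ERR "SELinux: ebitmap start bit (%d) is "
+			pr_err("SELinux: ebitmap start bit (%d) is "
 			       "beyond the end of the bitmap (%u)\n",
 			       startbit, (e->highbit - mapunit));
 			goto bad;
@@ -405,8 +405,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
 			struct ebitmap_node *tmp;
 			tmp = kmem_cache_zalloc(ebitmap_node_cachep, GFP_KERNEL);
 			if (!tmp) {
-				printk(KERN_ERR
-				       "SELinux: ebitmap: out of memory\n");
+				pr_err("SELinux: ebitmap: out of memory\n");
 				rc = -ENOMEM;
 				goto bad;
 			}
@@ -418,7 +417,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
 			e->node = tmp;
 			n = tmp;
 		} else if (startbit <= n->startbit) {
-			printk(KERN_ERR "SELinux: ebitmap: start bit %d"
+			pr_err("SELinux: ebitmap: start bit %d"
 			       " comes after start bit %d\n",
 			       startbit, n->startbit);
 			goto bad;
@@ -426,7 +425,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
 
 		rc = next_entry(&map, fp, sizeof(u64));
 		if (rc < 0) {
-			printk(KERN_ERR "SELinux: ebitmap: truncated map\n");
+			pr_err("SELinux: ebitmap: truncated map\n");
 			goto bad;
 		}
 		map = le64_to_cpu(map);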
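Review bot: `startbit` is read as a little-endian 32-bit value (`next_entry(&startbit, fp, sizeof(u32))`, then `le32_to_cpu`) but the converted messages at lines 392, 398 and 420 still print it with `%d`, while the neighbouring `mapunit` and `e->highbit - mapunit` operands use `%u`; its declaration is above the hunk, so confirm it is `u32` there, in which case `%u` is the matching specifier and keeps the logged value correct for start bits above INT_MAX (`n->startbit` on line 422 is in the same position). Since these format strings are being rewritten anyway, fixing the specifiers in the same commit avoids a second pass. ebitmap_read continues outside the hunks shown.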
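--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -504,7 +504,7 @@ static void hash_eval(struct hashtab *h, const char *hash_name)
 	struct hashtab_info info;
 
 	hashtab_stat(h, &info);
-	printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
+	pr_debug("SELinux: %s: %d entries and %d/%d buckets used, "
 	       "longest chain length %d\n", hash_name, h->nel,
 	       info.slots_used, h->size, info.max_chain_len);
 }
@@ -533,15 +533,17 @@ static int policydb_index(struct policydb *p)
 {
 	int i, rc;
 
-	printk(KERN_DEBUG "SELinux: %d users, %d roles, %d types, %d bools",
-	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
 	if (p->mls_enabled)
-		printk(KERN_CONT ", %d sens, %d cats", p->p_levels.nprim,
-		       p->p_cats.nprim);
-	printk(KERN_CONT "\n");
+		pr_debug("SELinux: %d users, %d roles, %d types, %d bools, %d sens, %d cats\n",
+			 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
+			 p->p_bools.nprim, p->p_levels.nprim, p->p_cats.nprim);
+	else
+		pr_debug("SELinux: %d users, %d roles, %d types, %d bools\n",
+			 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
+			 p->p_bools.nprim);
 
-	printk(KERN_DEBUG "SELinux: %d classes, %d rules\n",
+	pr_debug("SELinux: %d classes, %d rules\n",
 	       p->p_classes.nprim, p->te_avtab.nel);
 
 #ifdef DEBUG_HASHES
 	avtab_hash_eval(&p->te_avtab, "rules");
@@ -897,7 +899,7 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
 
 	rc = sidtab_init(s);
 	if (rc) {
-		printk(KERN_ERR "SELinux: out of memory on SID table init\n");
+		pr_err("SELinux: out of memory on SID table init\n");
 		goto out;
 	}
 
@@ -905,14 +907,14 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
 	for (c = head; c; c = c->next) {
 		rc = -EINVAL;
 		if (!c->context[0].user) {
-			printk(KERN_ERR "SELinux: SID %s was never defined.\n",
+			pr_err("SELinux: SID %s was never defined.\n",
 				c->u.name);
 			goto out;
 		}
 
 		rc = sidtab_insert(s, c->sid[0], &c->context[0]);
 		if (rc) {
-			printk(KERN_ERR "SELinux: unable to load initial SID %s.\n",
+			pr_err("SELinux: unable to load initial SID %s.\n",
 				c->u.name);
 			goto out;
 		}
@@ -1005,13 +1007,13 @@ static int mls_read_range_helper(struct mls_range *r, void *fp)
 	rc = -EINVAL;
 	items = le32_to_cpu(buf[0]);
 	if (items > ARRAY_SIZE(buf)) {
-		printk(KERN_ERR "SELinux: mls: range overflow\n");
+		pr_err("SELinux: mls: range overflow\n");
 		goto out;
 	}
 
 	rc = next_entry(buf, fp, sizeof(u32) * items);
 	if (rc) {
-		printk(KERN_ERR "SELinux: mls: truncated range\n");
+		pr_err("SELinux: mls: truncated range\n");
 		goto out;
 	}
 
@@ -1023,19 +1025,19 @@ static int mls_read_range_helper(struct mls_range *r, void *fp)
 
 	rc = ebitmap_read(&r->level[0].cat, fp);
 	if (rc) {
-		printk(KERN_ERR "SELinux: mls: error reading low categories\n");
+		pr_err("SELinux: mls: error reading low categories\n");
 		goto out;
 	}
 	if (items > 1) {
 		rc = ebitmap_read(&r->level[1].cat, fp);
 		if (rc) {
-			printk(KERN_ERR "SELinux: mls: error reading high categories\n");
+			pr_err("SELinux: mls: error reading high categories\n");
 			goto bad_high;
 		}
 	} else {
 		rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat);
 		if (rc) {
-			printk(KERN_ERR "SELinux: mls: out of memory\n");
+			pr_err("SELinux: mls: out of memory\n");
 			goto bad_high;
 		}
 	}
@@ -1060,7 +1062,7 @@ static int context_read_and_validate(struct context *c,
 
 	rc = next_entry(buf, fp, sizeof buf);
 	if (rc) {
-		printk(KERN_ERR "SELinux: context truncated\n");
+		pr_err("SELinux: context truncated\n");
 		goto out;
 	}
 	c->user = le32_to_cpu(buf[0]);
@@ -1069,14 +1071,14 @@ static int context_read_and_validate(struct context *c,
 	if (p->policyvers >= POLICYDB_VERSION_MLS) {
 		rc = mls_read_range_helper(&c->range, fp);
 		if (rc) {
-			printk(KERN_ERR "SELinux: error reading MLS range of context\n");
+			pr_err("SELinux: error reading MLS range of context\n");
 			goto out;
 		}
 	}
 
 	rc = -EINVAL;
 	if (!policydb_context_isvalid(p, c)) {
-		printk(KERN_ERR "SELinux: invalid security context\n");
+		pr_err("SELinux: invalid security context\n");
 		context_destroy(c);
 		goto out;
 	}
@@ -1352,7 +1354,8 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
 		rc = -EINVAL;
 		cladatum->comdatum = hashtab_search(p->p_commons.table, cladatum->comkey);
 		if (!cladatum->comdatum) {
-			printk(KERN_ERR "SELinux: unknown common %s\n", cladatum->comkey);
+			pr_err("SELinux: unknown common %s\n",
+			       cladatum->comkey);
 			goto bad;
 		}
 	}
@@ -1444,7 +1447,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
 	if (strcmp(key, OBJECT_R) == 0) {
 		rc = -EINVAL;
 		if (role->value != OBJECT_R_VAL) {
-			printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
+			pr_err("SELinux: Role %s has wrong value %d\n",
 			       OBJECT_R, role->value);
 			goto bad;
 		}
@@ -1522,14 +1525,14 @@ static int mls_read_level(struct mls_level *lp, void *fp)
 
 	rc = next_entry(buf, fp, sizeof buf);
 	if (rc) {
-		printk(KERN_ERR "SELinux: mls: truncated level\n");
+		pr_err("SELinux: mls: truncated level\n");
 		return rc;
 	}
 	lp->sens = le32_to_cpu(buf[0]);
 
 	rc = ebitmap_read(&lp->cat, fp);
 	if (rc) {
-		printk(KERN_ERR "SELinux: mls: error reading level categories\n");
+		pr_err("SELinux: mls: error reading level categories\n");
 		return rc;
 	}
 	return 0;
@@ -1683,7 +1686,7 @@ static int user_bounds_sanity_check(void *key, void *datum, void *datap)
 	unsigned long bit;
 
 	if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
-		printk(KERN_ERR "SELinux: user %s: "
+		pr_err("SELinux: user %s: "
 		       "too deep or looped boundary",
 		       (char *) key);
 		return -EINVAL;
@@ -1694,8 +1697,7 @@ static int user_bounds_sanity_check(void *key, void *datum, void *datap)
 		if (ebitmap_get_bit(&upper->roles, bit))
 			continue;
 
-		printk(KERN_ERR
-		       "SELinux: boundary violated policy: "
+		pr_err("SELinux: boundary violated policy: "
 		       "user=%s role=%s bounds=%s\n",
 		       sym_name(p, SYM_USERS, user->value - 1),
 		       sym_name(p, SYM_ROLES, bit),
@@ -1720,7 +1722,7 @@ static int role_bounds_sanity_check(void *key, void *datum, void *datap)
 	unsigned long bit;
 
 	if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
-		printk(KERN_ERR "SELinux: role %s: "
+		pr_err("SELinux: role %s: "
 		       "too deep or looped bounds\n",
 		       (char *) key);
 		return -EINVAL;
@@ -1731,8 +1733,7 @@ static int role_bounds_sanity_check(void *key, void *datum, void *datap)
 		if (ebitmap_get_bit(&upper->types, bit))
 			continue;
 
-		printk(KERN_ERR
-		       "SELinux: boundary violated policy: "
+		pr_err("SELinux: boundary violated policy: "
 		       "role=%s type=%s bounds=%s\n",
 		       sym_name(p, SYM_ROLES, role->value - 1),
 		       sym_name(p, SYM_TYPES, bit),
@@ -1754,7 +1755,7 @@ static int type_bounds_sanity_check(void *key, void *datum, void *datap)
 	upper = datum;
 	while (upper->bounds) {
 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
-			printk(KERN_ERR "SELinux: type %s: "
+			pr_err("SELinux: type %s: "
 			       "too deep or looped boundary\n",
 			       (char *) key);
 			return -EINVAL;
@@ -1765,7 +1766,7 @@ static int type_bounds_sanity_check(void *key, void *datum, void *datap)
 		BUG_ON(!upper);
 
 		if (upper->attribute) {
-			printk(KERN_ERR "SELinux: type %s: "
+			pr_err("SELinux: type %s: "
 			       "bounded by attribute %s",
 			       (char *) key,
 			       sym_name(p, SYM_TYPES, upper->value - 1));
@@ -1888,7 +1889,7 @@ static int range_read(struct policydb *p, void *fp)
 
 	rc = -EINVAL;
 	if (!mls_range_isvalid(p, r)) {
-		printk(KERN_WARNING "SELinux: rangetrans: invalid range\n");
+		pr_warn("SELinux: rangetrans: invalid range\n");
 		goto out;
 	}
 
@@ -2023,7 +2024,7 @@ static int genfs_read(struct policydb *p, void *fp)
 	     genfs_p = genfs, genfs = genfs->next) {
 		rc = -EINVAL;
 		if (strcmp(newgenfs->fstype, genfs->fstype) == 0) {
-			printk(KERN_ERR "SELinux: dup genfs fstype %s\n",
+			pr_err("SELinux: dup genfs fstype %s\n",
 			       newgenfs->fstype);
 			goto out;
 		}
@@ -2073,7 +2074,7 @@ static int genfs_read(struct policydb *p, void *fp)
 		if (!strcmp(newc->u.name, c->u.name) &&
 		    (!c->v.sclass || !newc->v.sclass ||
 		     newc->v.sclass == c->v.sclass)) {
-			printk(KERN_ERR "SELinux: dup genfs entry (%s,%s)\n",
+			pr_err("SELinux: dup genfs entry (%s,%s)\n",
 			       genfs->fstype, c->u.name);
 			goto out;
 		}
@@ -2295,7 +2296,7 @@ int policydb_read(struct policydb *p, void *fp)
 
 	rc = -EINVAL;
 	if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) {
-		printk(KERN_ERR "SELinux: policydb magic number 0x%x does "
+		pr_err("SELinux: policydb magic number 0x%x does "
 		       "not match expected magic number 0x%x\n",
 		       le32_to_cpu(buf[0]), POLICYDB_MAGIC);
 		goto bad;
@@ -2304,7 +2305,7 @@ int policydb_read(struct policydb *p, void *fp)
 	rc = -EINVAL;
 	len = le32_to_cpu(buf[1]);
 	if (len != strlen(POLICYDB_STRING)) {
-		printk(KERN_ERR "SELinux: policydb string length %d does not "
+		pr_err("SELinux: policydb string length %d does not "
 		       "match expected length %zu\n",
 		       len, strlen(POLICYDB_STRING));
 		goto bad;
@@ -2313,14 +2314,14 @@ int policydb_read(struct policydb *p, void *fp)
 	rc = -ENOMEM;
 	policydb_str = kmalloc(len + 1, GFP_KERNEL);
 	if (!policydb_str) {
-		printk(KERN_ERR "SELinux: unable to allocate memory for policydb "
+		pr_err("SELinux: unable to allocate memory for policydb "
 		       "string of length %d\n", len);
 		goto bad;
 	}
 
 	rc = next_entry(policydb_str, fp, len);
 	if (rc) {
-		printk(KERN_ERR "SELinux: truncated policydb string identifier\n");
+		pr_err("SELinux: truncated policydb string identifier\n");
 		kfree(policydb_str);
 		goto bad;
 	}
@@ -2328,7 +2329,7 @@ int policydb_read(struct policydb *p, void *fp)
 	rc = -EINVAL;
 	policydb_str[len] = '\0';
 	if (strcmp(policydb_str, POLICYDB_STRING)) {
-		printk(KERN_ERR "SELinux: policydb string %s does not match "
+		pr_err("SELinux: policydb string %s does not match "
 		       "my string %s\n", policydb_str, POLICYDB_STRING);
 		kfree(policydb_str);
 		goto bad;
@@ -2346,7 +2347,7 @@ int policydb_read(struct policydb *p, void *fp)
 	p->policyvers = le32_to_cpu(buf[0]);
 	if (p->policyvers < POLICYDB_VERSION_MIN ||
 	    p->policyvers > POLICYDB_VERSION_MAX) {
-		printk(KERN_ERR "SELinux: policydb version %d does not match "
+		pr_err("SELinux: policydb version %d does not match "
 		       "my version range %d-%d\n",
 		       le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 		goto bad;
@@ -2357,7 +2358,7 @@ int policydb_read(struct policydb *p, void *fp)
 
 	rc = -EINVAL;
 	if (p->policyvers < POLICYDB_VERSION_MLS) {
-		printk(KERN_ERR "SELinux: security policydb version %d "
+		pr_err("SELinux: security policydb version %d "
 		       "(MLS) not backwards compatible\n",
 		       p->policyvers);
 		goto bad;
@@ -2381,7 +2382,7 @@ int policydb_read(struct policydb *p, void *fp)
 	rc = -EINVAL;
 	info = policydb_lookup_compat(p->policyvers);
 	if (!info) {
-		printk(KERN_ERR "SELinux: unable to find policy compat info "
+		pr_err("SELinux: unable to find policy compat info "
 		       "for version %d\n", p->policyvers);
 		goto bad;
 	}
@@ -2389,7 +2390,7 @@ int policydb_read(struct policydb *p, void *fp)
 	rc = -EINVAL;
 	if (le32_to_cpu(buf[2]) != info->sym_num ||
 	    le32_to_cpu(buf[3]) != info->ocon_num) {
-		printk(KERN_ERR "SELinux: policydb table sizes (%d,%d) do "
+		pr_err("SELinux: policydb table sizes (%d,%d) do "
 		       "not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
 		       le32_to_cpu(buf[3]),
 		       info->sym_num, info->ocon_num);
@@ -3417,7 +3418,7 @@ int policydb_write(struct policydb *p, void *fp)
 	 * careful if you ever try to remove this restriction
 	 */
 	if (p->policyvers < POLICYDB_VERSION_AVTAB) {
-		printk(KERN_ERR "SELinux: refusing to write policy version %d."
+		pr_err("SELinux: refusing to write policy version %d."
 		       " Because it is less than version %d\n", p->policyvers,
 		       POLICYDB_VERSION_AVTAB);
 		return -EINVAL;
@@ -3446,7 +3447,7 @@ int policydb_write(struct policydb *p, void *fp)
 	/* Write the version, config, and table sizes. */
 	info = policydb_lookup_compat(p->policyvers);
 	if (!info) {
-		printk(KERN_ERR "SELinux: compatibility lookup failed for policy "
+		pr_err("SELinux: compatibility lookup failed for policy "
 		       "version %d", p->policyvers);
 		return -EINVAL;
 	}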
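Review bot: Three of the converted messages still lack a trailing newline — `"too deep or looped boundary"` in user_bounds_sanity_check (line 1690), `"bounded by attribute %s"` in type_bounds_sanity_check (line 1770) and `"version %d"` in policydb_write (line 3451) — while their siblings at lines 1726 and 1759 end in `\n`. Without the terminator the following printk is liable to be appended to the same log line, which makes these policy-load failures harder to pick out when reviewing a boot or load log; since the format strings are already being rewritten, adding `\n` to those three is cheap and keeps the bounds-check messages consistent with each other. A further style point for this and the other SELinux files in the commit: every message carries a literal `"SELinux: "` prefix, so a `#define pr_fmt(fmt) "SELinux: " fmt` ahead of the includes would let the pr_* helpers supply it and shorten each call. The enclosing functions extend beyond the hunks shown.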
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index dd2ceec06fef..f3def298a90e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -136,8 +136,7 @@ static int selinux_set_mapping(struct policydb *pol,
136 136
137 p_out->value = string_to_security_class(pol, p_in->name); 137 p_out->value = string_to_security_class(pol, p_in->name);
138 if (!p_out->value) { 138 if (!p_out->value) {
139 printk(KERN_INFO 139 pr_info("SELinux: Class %s not defined in policy.\n",
140 "SELinux: Class %s not defined in policy.\n",
141 p_in->name); 140 p_in->name);
142 if (pol->reject_unknown) 141 if (pol->reject_unknown)
143 goto err; 142 goto err;
@@ -156,8 +155,7 @@ static int selinux_set_mapping(struct policydb *pol,
156 p_out->perms[k] = string_to_av_perm(pol, p_out->value, 155 p_out->perms[k] = string_to_av_perm(pol, p_out->value,
157 p_in->perms[k]); 156 p_in->perms[k]);
158 if (!p_out->perms[k]) { 157 if (!p_out->perms[k]) {
159 printk(KERN_INFO 158 pr_info("SELinux: Permission %s in class %s not defined in policy.\n",
160 "SELinux: Permission %s in class %s not defined in policy.\n",
161 p_in->perms[k], p_in->name); 159 p_in->perms[k], p_in->name);
162 if (pol->reject_unknown) 160 if (pol->reject_unknown)
163 goto err; 161 goto err;
@@ -170,7 +168,7 @@ static int selinux_set_mapping(struct policydb *pol,
170 } 168 }
171 169
172 if (print_unknown_handle) 170 if (print_unknown_handle)
173 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", 171 pr_info("SELinux: the above unknown classes and permissions will be %s\n",
174 pol->allow_unknown ? "allowed" : "denied"); 172 pol->allow_unknown ? "allowed" : "denied");
175 173
176 out_map->size = i; 174 out_map->size = i;
@@ -644,7 +642,7 @@ static void context_struct_compute_av(struct policydb *policydb,
644 642
645 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) { 643 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) {
646 if (printk_ratelimit()) 644 if (printk_ratelimit())
647 printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass); 645 pr_warn("SELinux: Invalid class %hu\n", tclass);
648 return; 646 return;
649 } 647 }
650 648
@@ -793,7 +791,7 @@ static int security_compute_validatetrans(struct selinux_state *state,
793 791
794 ocontext = sidtab_search(sidtab, oldsid); 792 ocontext = sidtab_search(sidtab, oldsid);
795 if (!ocontext) { 793 if (!ocontext) {
796 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 794 pr_err("SELinux: %s: unrecognized SID %d\n",
797 __func__, oldsid); 795 __func__, oldsid);
798 rc = -EINVAL; 796 rc = -EINVAL;
799 goto out; 797 goto out;
@@ -801,7 +799,7 @@ static int security_compute_validatetrans(struct selinux_state *state,
801 799
802 ncontext = sidtab_search(sidtab, newsid); 800 ncontext = sidtab_search(sidtab, newsid);
803 if (!ncontext) { 801 if (!ncontext) {
804 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 802 pr_err("SELinux: %s: unrecognized SID %d\n",
805 __func__, newsid); 803 __func__, newsid);
806 rc = -EINVAL; 804 rc = -EINVAL;
807 goto out; 805 goto out;
@@ -809,7 +807,7 @@ static int security_compute_validatetrans(struct selinux_state *state,
809 807
810 tcontext = sidtab_search(sidtab, tasksid); 808 tcontext = sidtab_search(sidtab, tasksid);
811 if (!tcontext) { 809 if (!tcontext) {
812 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 810 pr_err("SELinux: %s: unrecognized SID %d\n",
813 __func__, tasksid); 811 __func__, tasksid);
814 rc = -EINVAL; 812 rc = -EINVAL;
815 goto out; 813 goto out;
@@ -883,7 +881,7 @@ int security_bounded_transition(struct selinux_state *state,
883 rc = -EINVAL; 881 rc = -EINVAL;
884 old_context = sidtab_search(sidtab, old_sid); 882 old_context = sidtab_search(sidtab, old_sid);
885 if (!old_context) { 883 if (!old_context) {
886 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", 884 pr_err("SELinux: %s: unrecognized SID %u\n",
887 __func__, old_sid); 885 __func__, old_sid);
888 goto out; 886 goto out;
889 } 887 }
@@ -891,7 +889,7 @@ int security_bounded_transition(struct selinux_state *state,
891 rc = -EINVAL; 889 rc = -EINVAL;
892 new_context = sidtab_search(sidtab, new_sid); 890 new_context = sidtab_search(sidtab, new_sid);
893 if (!new_context) { 891 if (!new_context) {
894 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", 892 pr_err("SELinux: %s: unrecognized SID %u\n",
895 __func__, new_sid); 893 __func__, new_sid);
896 goto out; 894 goto out;
897 } 895 }
@@ -1040,14 +1038,14 @@ void security_compute_xperms_decision(struct selinux_state *state,
1040 1038
1041 scontext = sidtab_search(sidtab, ssid); 1039 scontext = sidtab_search(sidtab, ssid);
1042 if (!scontext) { 1040 if (!scontext) {
1043 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1041 pr_err("SELinux: %s: unrecognized SID %d\n",
1044 __func__, ssid); 1042 __func__, ssid);
1045 goto out; 1043 goto out;
1046 } 1044 }
1047 1045
1048 tcontext = sidtab_search(sidtab, tsid); 1046 tcontext = sidtab_search(sidtab, tsid);
1049 if (!tcontext) { 1047 if (!tcontext) {
1050 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1048 pr_err("SELinux: %s: unrecognized SID %d\n",
1051 __func__, tsid); 1049 __func__, tsid);
1052 goto out; 1050 goto out;
1053 } 1051 }
@@ -1129,7 +1127,7 @@ void security_compute_av(struct selinux_state *state,
1129 1127
1130 scontext = sidtab_search(sidtab, ssid); 1128 scontext = sidtab_search(sidtab, ssid);
1131 if (!scontext) { 1129 if (!scontext) {
1132 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1130 pr_err("SELinux: %s: unrecognized SID %d\n",
1133 __func__, ssid); 1131 __func__, ssid);
1134 goto out; 1132 goto out;
1135 } 1133 }
@@ -1140,7 +1138,7 @@ void security_compute_av(struct selinux_state *state,
1140 1138
1141 tcontext = sidtab_search(sidtab, tsid); 1139 tcontext = sidtab_search(sidtab, tsid);
1142 if (!tcontext) { 1140 if (!tcontext) {
1143 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1141 pr_err("SELinux: %s: unrecognized SID %d\n",
1144 __func__, tsid); 1142 __func__, tsid);
1145 goto out; 1143 goto out;
1146 } 1144 }
@@ -1183,7 +1181,7 @@ void security_compute_av_user(struct selinux_state *state,
1183 1181
1184 scontext = sidtab_search(sidtab, ssid); 1182 scontext = sidtab_search(sidtab, ssid);
1185 if (!scontext) { 1183 if (!scontext) {
1186 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1184 pr_err("SELinux: %s: unrecognized SID %d\n",
1187 __func__, ssid); 1185 __func__, ssid);
1188 goto out; 1186 goto out;
1189 } 1187 }
@@ -1194,7 +1192,7 @@ void security_compute_av_user(struct selinux_state *state,
1194 1192
1195 tcontext = sidtab_search(sidtab, tsid); 1193 tcontext = sidtab_search(sidtab, tsid);
1196 if (!tcontext) { 1194 if (!tcontext) {
1197 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1195 pr_err("SELinux: %s: unrecognized SID %d\n",
1198 __func__, tsid); 1196 __func__, tsid);
1199 goto out; 1197 goto out;
1200 } 1198 }
@@ -1310,7 +1308,7 @@ static int security_sid_to_context_core(struct selinux_state *state,
1310 *scontext = scontextp; 1308 *scontext = scontextp;
1311 goto out; 1309 goto out;
1312 } 1310 }
1313 printk(KERN_ERR "SELinux: %s: called before initial " 1311 pr_err("SELinux: %s: called before initial "
1314 "load_policy on unknown SID %d\n", __func__, sid); 1312 "load_policy on unknown SID %d\n", __func__, sid);
1315 rc = -EINVAL; 1313 rc = -EINVAL;
1316 goto out; 1314 goto out;
@@ -1323,7 +1321,7 @@ static int security_sid_to_context_core(struct selinux_state *state,
1323 else 1321 else
1324 context = sidtab_search(sidtab, sid); 1322 context = sidtab_search(sidtab, sid);
1325 if (!context) { 1323 if (!context) {
1326 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1324 pr_err("SELinux: %s: unrecognized SID %d\n",
1327 __func__, sid); 1325 __func__, sid);
1328 rc = -EINVAL; 1326 rc = -EINVAL;
1329 goto out_unlock; 1327 goto out_unlock;
@@ -1678,14 +1676,14 @@ static int security_compute_sid(struct selinux_state *state,
1678 1676
1679 scontext = sidtab_search(sidtab, ssid); 1677 scontext = sidtab_search(sidtab, ssid);
1680 if (!scontext) { 1678 if (!scontext) {
1681 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1679 pr_err("SELinux: %s: unrecognized SID %d\n",
1682 __func__, ssid); 1680 __func__, ssid);
1683 rc = -EINVAL; 1681 rc = -EINVAL;
1684 goto out_unlock; 1682 goto out_unlock;
1685 } 1683 }
1686 tcontext = sidtab_search(sidtab, tsid); 1684 tcontext = sidtab_search(sidtab, tsid);
1687 if (!tcontext) { 1685 if (!tcontext) {
1688 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1686 pr_err("SELinux: %s: unrecognized SID %d\n",
1689 __func__, tsid); 1687 __func__, tsid);
1690 rc = -EINVAL; 1688 rc = -EINVAL;
1691 goto out_unlock; 1689 goto out_unlock;
@@ -1911,7 +1909,8 @@ static inline int convert_context_handle_invalid_context(
1911 return -EINVAL; 1909 return -EINVAL;
1912 1910
1913 if (!context_struct_to_string(policydb, context, &s, &len)) { 1911 if (!context_struct_to_string(policydb, context, &s, &len)) {
1914 printk(KERN_WARNING "SELinux: Context %s would be invalid if enforcing\n", s); 1912 pr_warn("SELinux: Context %s would be invalid if enforcing\n",
1913 s);
1915 kfree(s); 1914 kfree(s);
1916 } 1915 }
1917 return 0; 1916 return 0;
@@ -1962,7 +1961,7 @@ static int convert_context(u32 key,
1962 c->len, &ctx, SECSID_NULL); 1961 c->len, &ctx, SECSID_NULL);
1963 kfree(s); 1962 kfree(s);
1964 if (!rc) { 1963 if (!rc) {
1965 printk(KERN_INFO "SELinux: Context %s became valid (mapped).\n", 1964 pr_info("SELinux: Context %s became valid (mapped).\n",
1966 c->str); 1965 c->str);
1967 /* Replace string with mapped representation. */ 1966 /* Replace string with mapped representation. */
1968 kfree(c->str); 1967 kfree(c->str);
@@ -1974,7 +1973,7 @@ static int convert_context(u32 key,
1974 goto out; 1973 goto out;
1975 } else { 1974 } else {
1976 /* Other error condition, e.g. ENOMEM. */ 1975 /* Other error condition, e.g. ENOMEM. */
1977 printk(KERN_ERR "SELinux: Unable to map context %s, rc = %d.\n", 1976 pr_err("SELinux: Unable to map context %s, rc = %d.\n",
1978 c->str, -rc); 1977 c->str, -rc);
1979 goto out; 1978 goto out;
1980 } 1979 }
@@ -2033,7 +2032,7 @@ static int convert_context(u32 key,
2033 oc = oc->next; 2032 oc = oc->next;
2034 rc = -EINVAL; 2033 rc = -EINVAL;
2035 if (!oc) { 2034 if (!oc) {
2036 printk(KERN_ERR "SELinux: unable to look up" 2035 pr_err("SELinux: unable to look up"
2037 " the initial SIDs list\n"); 2036 " the initial SIDs list\n");
2038 goto bad; 2037 goto bad;
2039 } 2038 }
@@ -2065,7 +2064,7 @@ bad:
2065 context_destroy(c); 2064 context_destroy(c);
2066 c->str = s; 2065 c->str = s;
2067 c->len = len; 2066 c->len = len;
2068 printk(KERN_INFO "SELinux: Context %s became invalid (unmapped).\n", 2067 pr_info("SELinux: Context %s became invalid (unmapped).\n",
2069 c->str); 2068 c->str);
2070 rc = 0; 2069 rc = 0;
2071 goto out; 2070 goto out;
@@ -2170,13 +2169,13 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
2170 newpolicydb->len = len; 2169 newpolicydb->len = len;
2171 /* If switching between different policy types, log MLS status */ 2170 /* If switching between different policy types, log MLS status */
2172 if (policydb->mls_enabled && !newpolicydb->mls_enabled) 2171 if (policydb->mls_enabled && !newpolicydb->mls_enabled)
2173 printk(KERN_INFO "SELinux: Disabling MLS support...\n"); 2172 pr_info("SELinux: Disabling MLS support...\n");
2174 else if (!policydb->mls_enabled && newpolicydb->mls_enabled) 2173 else if (!policydb->mls_enabled && newpolicydb->mls_enabled)
2175 printk(KERN_INFO "SELinux: Enabling MLS support...\n"); 2174 pr_info("SELinux: Enabling MLS support...\n");
2176 2175
2177 rc = policydb_load_isids(newpolicydb, &newsidtab); 2176 rc = policydb_load_isids(newpolicydb, &newsidtab);
2178 if (rc) { 2177 if (rc) {
2179 printk(KERN_ERR "SELinux: unable to load the initial SIDs\n"); 2178 pr_err("SELinux: unable to load the initial SIDs\n");
2180 policydb_destroy(newpolicydb); 2179 policydb_destroy(newpolicydb);
2181 goto out; 2180 goto out;
2182 } 2181 }
@@ -2187,7 +2186,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
2187 2186
2188 rc = security_preserve_bools(state, newpolicydb); 2187 rc = security_preserve_bools(state, newpolicydb);
2189 if (rc) { 2188 if (rc) {
2190 printk(KERN_ERR "SELinux: unable to preserve booleans\n"); 2189 pr_err("SELinux: unable to preserve booleans\n");
2191 goto err; 2190 goto err;
2192 } 2191 }
2193 2192
@@ -2207,7 +2206,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
2207 args.newp = newpolicydb; 2206 args.newp = newpolicydb;
2208 rc = sidtab_map(&newsidtab, convert_context, &args); 2207 rc = sidtab_map(&newsidtab, convert_context, &args);
2209 if (rc) { 2208 if (rc) {
2210 printk(KERN_ERR "SELinux: unable to convert the internal" 2209 pr_err("SELinux: unable to convert the internal"
2211 " representation of contexts in the new SID" 2210 " representation of contexts in the new SID"
2212 " table\n"); 2211 " table\n");
2213 goto err; 2212 goto err;
@@ -2999,7 +2998,7 @@ int security_sid_mls_copy(struct selinux_state *state,
2999 rc = -EINVAL; 2998 rc = -EINVAL;
3000 context1 = sidtab_search(sidtab, sid); 2999 context1 = sidtab_search(sidtab, sid);
3001 if (!context1) { 3000 if (!context1) {
3002 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 3001 pr_err("SELinux: %s: unrecognized SID %d\n",
3003 __func__, sid); 3002 __func__, sid);
3004 goto out_unlock; 3003 goto out_unlock;
3005 } 3004 }
@@ -3007,7 +3006,7 @@ int security_sid_mls_copy(struct selinux_state *state,
3007 rc = -EINVAL; 3006 rc = -EINVAL;
3008 context2 = sidtab_search(sidtab, mls_sid); 3007 context2 = sidtab_search(sidtab, mls_sid);
3009 if (!context2) { 3008 if (!context2) {
3010 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 3009 pr_err("SELinux: %s: unrecognized SID %d\n",
3011 __func__, mls_sid); 3010 __func__, mls_sid);
3012 goto out_unlock; 3011 goto out_unlock;
3013 } 3012 }
@@ -3104,14 +3103,14 @@ int security_net_peersid_resolve(struct selinux_state *state,
3104 rc = -EINVAL; 3103 rc = -EINVAL;
3105 nlbl_ctx = sidtab_search(sidtab, nlbl_sid); 3104 nlbl_ctx = sidtab_search(sidtab, nlbl_sid);
3106 if (!nlbl_ctx) { 3105 if (!nlbl_ctx) {
3107 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 3106 pr_err("SELinux: %s: unrecognized SID %d\n",
3108 __func__, nlbl_sid); 3107 __func__, nlbl_sid);
3109 goto out; 3108 goto out;
3110 } 3109 }
3111 rc = -EINVAL; 3110 rc = -EINVAL;
3112 xfrm_ctx = sidtab_search(sidtab, xfrm_sid); 3111 xfrm_ctx = sidtab_search(sidtab, xfrm_sid);
3113 if (!xfrm_ctx) { 3112 if (!xfrm_ctx) {
3114 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 3113 pr_err("SELinux: %s: unrecognized SID %d\n",
3115 __func__, xfrm_sid); 3114 __func__, xfrm_sid);
3116 goto out; 3115 goto out;
3117 } 3116 }
@@ -3202,7 +3201,7 @@ int security_get_permissions(struct selinux_state *state,
3202 rc = -EINVAL; 3201 rc = -EINVAL;
3203 match = hashtab_search(policydb->p_classes.table, class); 3202 match = hashtab_search(policydb->p_classes.table, class);
3204 if (!match) { 3203 if (!match) {
3205 printk(KERN_ERR "SELinux: %s: unrecognized class %s\n", 3204 pr_err("SELinux: %s: unrecognized class %s\n",
3206 __func__, class); 3205 __func__, class);
3207 goto out; 3206 goto out;
3208 } 3207 }
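--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -214,8 +214,7 @@ int sidtab_context_to_sid(struct sidtab *s,
 	}
 	sid = s->next_sid++;
 	if (context->len)
-		printk(KERN_INFO
-		       "SELinux: Context %s is not valid (left unmapped).\n",
+		pr_info("SELinux: Context %s is not valid (left unmapped).\n",
 		       context->str);
 	ret = sidtab_insert(s, sid, context);
 	if (ret)
@@ -253,7 +252,7 @@ void sidtab_hash_eval(struct sidtab *h, char *tag)
 		}
 	}
 
-	printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest "
+	pr_debug("%s: %d entries and %d/%d buckets used, longest "
 	       "chain length %d\n", tag, h->nel, slots_used, SIDTAB_SIZE,
 	       max_chain_len);
 }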
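--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -28,6 +28,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/dccp.h>
+#include <linux/icmpv6.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/pipe_fs_i.h>
@@ -1927,9 +1928,9 @@ static int smack_file_receive(struct file *file)
  *
  * Returns 0
  */
-static int smack_file_open(struct file *file, const struct cred *cred)
+static int smack_file_open(struct file *file)
 {
-	struct task_smack *tsp = cred->security;
+	struct task_smack *tsp = file->f_cred->security;
 	struct inode *inode = file_inode(file);
 	struct smk_audit_info ad;
 	int rc;
@@ -1937,7 +1938,7 @@ static int smack_file_open(struct file *file, const struct cred *cred)
 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
 	smk_ad_setfield_u_fs_path(&ad, file->f_path);
 	rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
-	rc = smk_bu_credfile(cred, file, MAY_READ, rc);
+	rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
 
 	return rc;
 }
@@ -2296,6 +2297,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
 	struct smack_known *skp = smk_of_task_struct(p);
 
 	isp->smk_inode = skp;
+	isp->smk_flags |= SMK_INODE_INSTANT;
 }
 
 /*
@@ -3895,6 +3897,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
 			sip->sin6_port = th->source;
 		break;
 	case IPPROTO_UDP:
+	case IPPROTO_UDPLITE:
 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
 		if (uh != NULL)
 			sip->sin6_port = uh->source;
@@ -3923,15 +3926,19 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 	struct smack_known *skp = NULL;
 	int rc = 0;
 	struct smk_audit_info ad;
+	u16 family = sk->sk_family;
 #ifdef CONFIG_AUDIT
 	struct lsm_network_audit net;
 #endif
 #if IS_ENABLED(CONFIG_IPV6)
 	struct sockaddr_in6 sadd;
 	int proto;
+
+	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
+		family = PF_INET;
 #endif /* CONFIG_IPV6 */
 
-	switch (sk->sk_family) {
+	switch (family) {
 	case PF_INET:
 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
 		/*
@@ -3949,7 +3956,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 		 */
 		netlbl_secattr_init(&secattr);
 
-		rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr);
+		rc = netlbl_skbuff_getattr(skb, family, &secattr);
 		if (rc == 0)
 			skp = smack_from_secattr(&secattr, ssp);
 		else
@@ -3962,7 +3969,7 @@ access_check:
 #endif
 #ifdef CONFIG_AUDIT
 		smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-		ad.a.u.net->family = sk->sk_family;
+		ad.a.u.net->family = family;
 		ad.a.u.net->netif = skb->skb_iif;
 		ipv4_skb_to_auditdata(skb, &ad.a, NULL);
 #endif
@@ -3976,12 +3983,13 @@ access_check:
 		rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
 					MAY_WRITE, rc);
 		if (rc != 0)
-			netlbl_skbuff_err(skb, sk->sk_family, rc, 0);
+			netlbl_skbuff_err(skb, family, rc, 0);
 		break;
 #if IS_ENABLED(CONFIG_IPV6)
 	case PF_INET6:
 		proto = smk_skb_to_addr_ipv6(skb, &sadd);
-		if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
+		if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE &&
+		    proto != IPPROTO_TCP && proto != IPPROTO_DCCP)
 			break;
 #ifdef SMACK_IPV6_SECMARK_LABELING
 		if (skb && skb->secmark != 0)
@@ -3992,7 +4000,7 @@ access_check:
 			skp = smack_net_ambient;
 #ifdef CONFIG_AUDIT
 		smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-		ad.a.u.net->family = sk->sk_family;
+		ad.a.u.net->family = family;
 		ad.a.u.net->netif = skb->skb_iif;
 		ipv6_skb_to_auditdata(skb, &ad.a, NULL);
 #endif /* CONFIG_AUDIT */
@@ -4003,6 +4011,9 @@ access_check:
 #ifdef SMACK_IPV6_PORT_LABELING
 		rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
 #endif /* SMACK_IPV6_PORT_LABELING */
+		if (rc != 0)
+			icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+				    ICMPV6_ADM_PROHIBITED, 0);
 		break;
 #endif /* CONFIG_IPV6 */
 	}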
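Review bot: The `if (rc != 0) icmpv6_send(...)` added at the end of the PF_INET6 case sits after the `#endif` of SMACK_IPV6_PORT_LABELING, so it fires for any non-zero rc — presumably also for a denial from the earlier label access check outside this hunk, and regardless of whether port labeling is compiled in. That makes the IPv6 branch actively tell the remote peer the packet was rejected by administrative policy, while the IPv4 branch above only reports through `netlbl_skbuff_err`; if that asymmetry is intended, a comment above the new lines should record it, e.g. `/* Reject visibly: the sender gets ICMPV6_ADM_PROHIBITED; icmpv6_send applies the ICMPv6 rate limit. */`. The new `proto != IPPROTO_DCCP` test also assumes smk_skb_to_addr_ipv6 fills `sadd.sin6_port` for DCCP, yet only its UDP/UDPLITE arm is visible in this diff, so that arm should be confirmed before the DCCP port check is relied on. smack_socket_sock_rcv_skb begins before and ends after the hunks shown here.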
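--- a/security/tomoyo/Makefile
+++ b/security/tomoyo/Makefile
@@ -4,7 +4,7 @@ obj-y = audit.o common.o condition.o domain.o environ.o file.o gc.o group.o load
 targets += builtin-policy.h
 define do_policy
 echo "static char tomoyo_builtin_$(1)[] __initdata ="; \
-$(objtree)/scripts/basic/bin2c <$(firstword $(wildcard $(obj)/policy/$(1).conf $(srctree)/$(src)/policy/$(1).conf.default) /dev/null); \
+$(objtree)/scripts/bin2c <$(firstword $(wildcard $(obj)/policy/$(1).conf $(srctree)/$(src)/policy/$(1).conf.default) /dev/null); \
 echo ";"
 endef
 quiet_cmd_policy = POLICY $@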
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 213b8c593668..9f932e2d6852 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -320,7 +320,7 @@ static int tomoyo_file_fcntl(struct file *file, unsigned int cmd,
320 * 320 *
321 * Returns 0 on success, negative value otherwise. 321 * Returns 0 on success, negative value otherwise.
322 */ 322 */
323static int tomoyo_file_open(struct file *f, const struct cred *cred) 323static int tomoyo_file_open(struct file *f)
324{ 324{
325 int flags = f->f_flags; 325 int flags = f->f_flags;
326 /* Don't check read permission here if called from do_execve(). */ 326 /* Don't check read permission here if called from do_execve(). */