diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-11-05 18:32:38 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-11-05 18:32:38 -0500 |
| commit | 1873499e13648a2dd01a394ed3217c9290921b3d (patch) | |
| tree | 3a662aadb3c02bbce2e9231a90da6e98b54d33d4 /security/selinux/hooks.c | |
| parent | 3460b01b12aaf0011cb30f6f502edd05752f70eb (diff) | |
| parent | ba94c3ff20c9c179f2a80f0e4c71e1571ebbf5c7 (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem update from James Morris:
"This is mostly maintenance updates across the subsystem, with a
notable update for TPM 2.0, and addition of Jarkko Sakkinen as a
maintainer of that"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (40 commits)
apparmor: clarify CRYPTO dependency
selinux: Use a kmem_cache for allocation struct file_security_struct
selinux: ioctl_has_perm should be static
selinux: use sprintf return value
selinux: use kstrdup() in security_get_bools()
selinux: use kmemdup in security_sid_to_context_core()
selinux: remove pointless cast in selinux_inode_setsecurity()
selinux: introduce security_context_str_to_sid
selinux: do not check open perm on ftruncate call
selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
KEYS: Merge the type-specific data with the payload data
KEYS: Provide a script to extract a module signature
KEYS: Provide a script to extract the sys cert list from a vmlinux file
keys: Be more consistent in selection of union members used
certs: add .gitignore to stop git nagging about x509_certificate_list
KEYS: use kvfree() in add_key
Smack: limited capability for changing process label
TPM: remove unnecessary little endian conversion
vTPM: support little endian guests
char: Drop owner assignment from i2c_driver
...
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 26f4039d54b8..9e591e5989be 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -126,6 +126,7 @@ int selinux_enabled = 1; | |||
| 126 | #endif | 126 | #endif |
| 127 | 127 | ||
| 128 | static struct kmem_cache *sel_inode_cache; | 128 | static struct kmem_cache *sel_inode_cache; |
| 129 | static struct kmem_cache *file_security_cache; | ||
| 129 | 130 | ||
| 130 | /** | 131 | /** |
| 131 | * selinux_secmark_enabled - Check to see if SECMARK is currently enabled | 132 | * selinux_secmark_enabled - Check to see if SECMARK is currently enabled |
| @@ -287,7 +288,7 @@ static int file_alloc_security(struct file *file) | |||
| 287 | struct file_security_struct *fsec; | 288 | struct file_security_struct *fsec; |
| 288 | u32 sid = current_sid(); | 289 | u32 sid = current_sid(); |
| 289 | 290 | ||
| 290 | fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); | 291 | fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); |
| 291 | if (!fsec) | 292 | if (!fsec) |
| 292 | return -ENOMEM; | 293 | return -ENOMEM; |
| 293 | 294 | ||
| @@ -302,7 +303,7 @@ static void file_free_security(struct file *file) | |||
| 302 | { | 303 | { |
| 303 | struct file_security_struct *fsec = file->f_security; | 304 | struct file_security_struct *fsec = file->f_security; |
| 304 | file->f_security = NULL; | 305 | file->f_security = NULL; |
| 305 | kfree(fsec); | 306 | kmem_cache_free(file_security_cache, fsec); |
| 306 | } | 307 | } |
| 307 | 308 | ||
| 308 | static int superblock_alloc_security(struct super_block *sb) | 309 | static int superblock_alloc_security(struct super_block *sb) |
| @@ -674,10 +675,9 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
| 674 | 675 | ||
| 675 | if (flags[i] == SBLABEL_MNT) | 676 | if (flags[i] == SBLABEL_MNT) |
| 676 | continue; | 677 | continue; |
| 677 | rc = security_context_to_sid(mount_options[i], | 678 | rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); |
| 678 | strlen(mount_options[i]), &sid, GFP_KERNEL); | ||
| 679 | if (rc) { | 679 | if (rc) { |
| 680 | printk(KERN_WARNING "SELinux: security_context_to_sid" | 680 | printk(KERN_WARNING "SELinux: security_context_str_to_sid" |
| 681 | "(%s) failed for (dev %s, type %s) errno=%d\n", | 681 | "(%s) failed for (dev %s, type %s) errno=%d\n", |
| 682 | mount_options[i], sb->s_id, name, rc); | 682 | mount_options[i], sb->s_id, name, rc); |
| 683 | goto out; | 683 | goto out; |
| @@ -2617,15 +2617,12 @@ static int selinux_sb_remount(struct super_block *sb, void *data) | |||
| 2617 | 2617 | ||
| 2618 | for (i = 0; i < opts.num_mnt_opts; i++) { | 2618 | for (i = 0; i < opts.num_mnt_opts; i++) { |
| 2619 | u32 sid; | 2619 | u32 sid; |
| 2620 | size_t len; | ||
| 2621 | 2620 | ||
| 2622 | if (flags[i] == SBLABEL_MNT) | 2621 | if (flags[i] == SBLABEL_MNT) |
| 2623 | continue; | 2622 | continue; |
| 2624 | len = strlen(mount_options[i]); | 2623 | rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); |
| 2625 | rc = security_context_to_sid(mount_options[i], len, &sid, | ||
| 2626 | GFP_KERNEL); | ||
| 2627 | if (rc) { | 2624 | if (rc) { |
| 2628 | printk(KERN_WARNING "SELinux: security_context_to_sid" | 2625 | printk(KERN_WARNING "SELinux: security_context_str_to_sid" |
| 2629 | "(%s) failed for (dev %s, type %s) errno=%d\n", | 2626 | "(%s) failed for (dev %s, type %s) errno=%d\n", |
| 2630 | mount_options[i], sb->s_id, sb->s_type->name, rc); | 2627 | mount_options[i], sb->s_id, sb->s_type->name, rc); |
| 2631 | goto out_free_opts; | 2628 | goto out_free_opts; |
| @@ -2946,7 +2943,8 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) | |||
| 2946 | ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) | 2943 | ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) |
| 2947 | return dentry_has_perm(cred, dentry, FILE__SETATTR); | 2944 | return dentry_has_perm(cred, dentry, FILE__SETATTR); |
| 2948 | 2945 | ||
| 2949 | if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)) | 2946 | if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE) |
| 2947 | && !(ia_valid & ATTR_FILE)) | ||
| 2950 | av |= FILE__OPEN; | 2948 | av |= FILE__OPEN; |
| 2951 | 2949 | ||
| 2952 | return dentry_has_perm(cred, dentry, av); | 2950 | return dentry_has_perm(cred, dentry, av); |
| @@ -3166,7 +3164,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, | |||
| 3166 | if (!value || !size) | 3164 | if (!value || !size) |
| 3167 | return -EACCES; | 3165 | return -EACCES; |
| 3168 | 3166 | ||
| 3169 | rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL); | 3167 | rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); |
| 3170 | if (rc) | 3168 | if (rc) |
| 3171 | return rc; | 3169 | return rc; |
| 3172 | 3170 | ||
| @@ -3238,7 +3236,7 @@ static void selinux_file_free_security(struct file *file) | |||
| 3238 | * Check whether a task has the ioctl permission and cmd | 3236 | * Check whether a task has the ioctl permission and cmd |
| 3239 | * operation to an inode. | 3237 | * operation to an inode. |
| 3240 | */ | 3238 | */ |
| 3241 | int ioctl_has_perm(const struct cred *cred, struct file *file, | 3239 | static int ioctl_has_perm(const struct cred *cred, struct file *file, |
| 3242 | u32 requested, u16 cmd) | 3240 | u32 requested, u16 cmd) |
| 3243 | { | 3241 | { |
| 3244 | struct common_audit_data ad; | 3242 | struct common_audit_data ad; |
| @@ -6093,6 +6091,9 @@ static __init int selinux_init(void) | |||
| 6093 | sel_inode_cache = kmem_cache_create("selinux_inode_security", | 6091 | sel_inode_cache = kmem_cache_create("selinux_inode_security", |
| 6094 | sizeof(struct inode_security_struct), | 6092 | sizeof(struct inode_security_struct), |
| 6095 | 0, SLAB_PANIC, NULL); | 6093 | 0, SLAB_PANIC, NULL); |
| 6094 | file_security_cache = kmem_cache_create("selinux_file_security", | ||
| 6095 | sizeof(struct file_security_struct), | ||
| 6096 | 0, SLAB_PANIC, NULL); | ||
| 6096 | avc_init(); | 6097 | avc_init(); |
| 6097 | 6098 | ||
| 6098 | security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); | 6099 | security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); |