Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris: "The main change in this kernel is Casey's generalized LSM stacking work, which removes the hard-coding of Capabilities and Yama stacking, allowing multiple arbitrary "small" LSMs to be stacked with a default monolithic module (e.g. SELinux, Smack, AppArmor). See https://lwn.net/Articles/636056/ This will allow smaller, simpler LSMs to be incorporated into the mainline kernel and arbitrarily stacked by users. Also, this is a useful cleanup of the LSM code in its own right" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits) tpm, tpm_crb: fix le64_to_cpu conversions in crb_acpi_add() vTPM: set virtual device before passing to ibmvtpm_reset_crq tpm_ibmvtpm: remove unneccessary message level. ima: update builtin policies ima: extend "mask" policy matching support ima: add support for new "euid" policy condition ima: fix ima_show_template_data_ascii() Smack: freeing an error pointer in smk_write_revoke_subj() selinux: fix setting of security labels on NFS selinux: Remove unused permission definitions selinux: enable genfscon labeling for sysfs and pstore files selinux: enable per-file labeling for debugfs files. selinux: update netlink socket classes signals: don't abuse __flush_signals() in selinux_bprm_committed_creds() selinux: Print 'sclass' as string when unrecognized netlink message occurs Smack: allow multiple labels in onlycap Smack: fix seq operations in smackfs ima: pass iint to ima_add_violation() ima: wrap event related data to the new ima_event_data structure integrity: add validity checks for 'path' parameter ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2015-06-27 16:26:03 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2015-06-27 16:26:03 -0400
commit: e22619a29fcdb513b7bc020e84225bb3b5914259 (patch)
tree: 1d1d72a4c8cebad4f2d2bf738395ca4ececa95ec /security/selinux/hooks.c
parent: 78c10e556ed904d5bfbd71e9cadd8ce8f25d6982 (diff)
parent: b3bddffd35a0b77eee89760eb94cafa18dc431f5 (diff)
1 files changed, 262 insertions, 305 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ffa5a642629a..623108199641 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -29,7 +29,7 @@
 #include <linux/tracehook.h>
 #include <linux/errno.h>
 #include <linux/sched.h>
-#include <linux/security.h>
+#include <linux/lsm_hooks.h>
 #include <linux/xattr.h>
 #include <linux/capability.h>
 #include <linux/unistd.h>
@@ -403,6 +403,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
        return sbsec->behavior == SECURITY_FS_USE_XATTR ||
                sbsec->behavior == SECURITY_FS_USE_TRANS ||
                sbsec->behavior == SECURITY_FS_USE_TASK ||
+                sbsec->behavior == SECURITY_FS_USE_NATIVE ||
                /* Special handling. Genfs but also in-core setxattr handler */
                !strcmp(sb->s_type->name, "sysfs") ||
                !strcmp(sb->s_type->name, "pstore") ||
@@ -724,7 +725,12 @@ static int selinux_set_mnt_opts(struct super_block *sb,
        }
        if (strcmp(sb->s_type->name, "proc") == 0)
-                sbsec->flags |= SE_SBPROC;
+                sbsec->flags |= SE_SBPROC | SE_SBGENFS;
+        if (!strcmp(sb->s_type->name, "debugfs") ||
+            !strcmp(sb->s_type->name, "sysfs") ||
+            !strcmp(sb->s_type->name, "pstore"))
+                sbsec->flags |= SE_SBGENFS;
        if (!sbsec->behavior) {
                /*
@@ -1188,8 +1194,6 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
                switch (protocol) {
                case NETLINK_ROUTE:
                        return SECCLASS_NETLINK_ROUTE_SOCKET;
-                case NETLINK_FIREWALL:
-                        return SECCLASS_NETLINK_FIREWALL_SOCKET;
                case NETLINK_SOCK_DIAG:
                        return SECCLASS_NETLINK_TCPDIAG_SOCKET;
                case NETLINK_NFLOG:
@@ -1198,14 +1202,28 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
                        return SECCLASS_NETLINK_XFRM_SOCKET;
                case NETLINK_SELINUX:
                        return SECCLASS_NETLINK_SELINUX_SOCKET;
+                case NETLINK_ISCSI:
+                        return SECCLASS_NETLINK_ISCSI_SOCKET;
                case NETLINK_AUDIT:
                        return SECCLASS_NETLINK_AUDIT_SOCKET;
-                case NETLINK_IP6_FW:
+                case NETLINK_FIB_LOOKUP:
-                        return SECCLASS_NETLINK_IP6FW_SOCKET;
+                        return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
+                case NETLINK_CONNECTOR:
+                        return SECCLASS_NETLINK_CONNECTOR_SOCKET;
+                case NETLINK_NETFILTER:
+                        return SECCLASS_NETLINK_NETFILTER_SOCKET;
                case NETLINK_DNRTMSG:
                        return SECCLASS_NETLINK_DNRT_SOCKET;
                case NETLINK_KOBJECT_UEVENT:
                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
+                case NETLINK_GENERIC:
+                        return SECCLASS_NETLINK_GENERIC_SOCKET;
+                case NETLINK_SCSITRANSPORT:
+                        return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
+                case NETLINK_RDMA:
+                        return SECCLASS_NETLINK_RDMA_SOCKET;
+                case NETLINK_CRYPTO:
+                        return SECCLASS_NETLINK_CRYPTO_SOCKET;
                default:
                        return SECCLASS_NETLINK_SOCKET;
                }
@@ -1220,12 +1238,13 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
        return SECCLASS_SOCKET;
 }
-#ifdef CONFIG_PROC_FS
+static int selinux_genfs_get_sid(struct dentry *dentry,
-static int selinux_proc_get_sid(struct dentry *dentry,
+                                 u16 tclass,
-                                u16 tclass,
+                                 u16 flags,
-                                u32 *sid)
+                                 u32 *sid)
 {
        int rc;
+        struct super_block *sb = dentry->d_inode->i_sb;
        char *buffer, *path;
        buffer = (char *)__get_free_page(GFP_KERNEL);
@@ -1236,26 +1255,20 @@ static int selinux_proc_get_sid(struct dentry *dentry,
        if (IS_ERR(path))
                rc = PTR_ERR(path);
        else {
-                /* each process gets a /proc/PID/ entry. Strip off the
+                if (flags & SE_SBPROC) {
-                 * PID part to get a valid selinux labeling.
+                        /* each process gets a /proc/PID/ entry. Strip off the
-                 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
+                         * PID part to get a valid selinux labeling.
-                while (path[1] >= '0' && path[1] <= '9') {
+                         * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
-                        path[1] = '/';
+                        while (path[1] >= '0' && path[1] <= '9') {
-                        path++;
+                                path[1] = '/';
+                                path++;
+                        }
                }
-                rc = security_genfs_sid("proc", path, tclass, sid);
+                rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
        }
        free_page((unsigned long)buffer);
        return rc;
 }
-#else
-static int selinux_proc_get_sid(struct dentry *dentry,
-                                u16 tclass,
-                                u32 *sid)
-{
-        return -EINVAL;
-}
-#endif
 /* The inode's security attributes must be initialized before first use. */
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
@@ -1412,7 +1425,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                /* Default to the fs superblock SID. */
                isec->sid = sbsec->sid;
-                if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
+                if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
                        /* We must have a dentry to determine the label on
                         * procfs inodes */
                        if (opt_dentry)
@@ -1435,7 +1448,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                        if (!dentry)
                                goto out_unlock;
                        isec->sclass = inode_mode_to_security_class(inode->i_mode);
-                        rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
+                        rc = selinux_genfs_get_sid(dentry, isec->sclass,
+                                                   sbsec->flags, &sid);
                        dput(dentry);
                        if (rc)
                                goto out_unlock;
@@ -1990,12 +2004,6 @@ static int selinux_binder_transfer_file(struct task_struct *from,
 static int selinux_ptrace_access_check(struct task_struct *child,
                                     unsigned int mode)
 {
-        int rc;
-        rc = cap_ptrace_access_check(child, mode);
-        if (rc)
-                return rc;
        if (mode & PTRACE_MODE_READ) {
                u32 sid = current_sid();
                u32 csid = task_sid(child);
@@ -2007,25 +2015,13 @@ static int selinux_ptrace_access_check(struct task_struct *child,
 static int selinux_ptrace_traceme(struct task_struct *parent)
 {
-        int rc;
-        rc = cap_ptrace_traceme(parent);
-        if (rc)
-                return rc;
        return task_has_perm(parent, current, PROCESS__PTRACE);
 }
 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
                          kernel_cap_t *inheritable, kernel_cap_t *permitted)
 {
-        int error;
+        return current_has_perm(target, PROCESS__GETCAP);
-        error = current_has_perm(target, PROCESS__GETCAP);
-        if (error)
-                return error;
-        return cap_capget(target, effective, inheritable, permitted);
 }
 static int selinux_capset(struct cred *new, const struct cred *old,
@@ -2033,13 +2029,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
                          const kernel_cap_t *inheritable,
                          const kernel_cap_t *permitted)
 {
-        int error;
-        error = cap_capset(new, old,
-                                      effective, inheritable, permitted);
-        if (error)
-                return error;
        return cred_has_perm(old, new, PROCESS__SETCAP);
 }
@@ -2056,12 +2045,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
                           int cap, int audit)
 {
-        int rc;
-        rc = cap_capable(cred, ns, cap, audit);
-        if (rc)
-                return rc;
        return cred_has_capability(cred, cap, audit);
 }
@@ -2139,12 +2122,12 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int rc, cap_sys_admin = 0;
-        rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
+        rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
-                             SECURITY_CAP_NOAUDIT);
+                                        SECURITY_CAP_NOAUDIT);
        if (rc == 0)
                cap_sys_admin = 1;
-        return __vm_enough_memory(mm, pages, cap_sys_admin);
+        return cap_sys_admin;
 }
 /* binprm security operations */
@@ -2193,10 +2176,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
        struct inode *inode = file_inode(bprm->file);
        int rc;
-        rc = cap_bprm_set_creds(bprm);
-        if (rc)
-                return rc;
        /* SELinux context only depends on initial program or script and not
         * the script interpreter */
        if (bprm->cred_prepared)
@@ -2320,7 +2299,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
                                        PROCESS__NOATSECURE, NULL);
        }
-        return (atsecure || cap_bprm_secureexec(bprm));
+        return !!atsecure;
 }
 static int match_file(const void *p, struct file *file, unsigned fd)
@@ -2451,10 +2430,12 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
                for (i = 0; i < 3; i++)
                        do_setitimer(i, &itimer, NULL);
                spin_lock_irq(&current->sighand->siglock);
-                if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
+                if (!fatal_signal_pending(current)) {
-                        __flush_signals(current);
+                        flush_sigqueue(&current->pending);
+                        flush_sigqueue(&current->signal->shared_pending);
                        flush_signal_handlers(current, 1);
                        sigemptyset(&current->blocked);
+                        recalc_sigpending();
                }
                spin_unlock_irq(&current->sighand->siglock);
        }
@@ -3144,8 +3125,11 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
         * and lack of permission just means that we fall back to the
         * in-core context value, not a denial.
         */
-        error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
+        error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
-                                SECURITY_CAP_NOAUDIT);
+                            SECURITY_CAP_NOAUDIT);
+        if (!error)
+                error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
+                                            SECURITY_CAP_NOAUDIT);
        if (!error)
                error = security_sid_to_context_force(isec->sid, &context,
                                                      &size);
@@ -3330,12 +3314,7 @@ error:
 static int selinux_mmap_addr(unsigned long addr)
 {
-        int rc;
+        int rc = 0;
-        /* do DAC check on address space usage */
-        rc = cap_mmap_addr(addr);
-        if (rc)
-                return rc;
        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
                u32 sid = current_sid();
@@ -3651,23 +3630,11 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
 static int selinux_task_setnice(struct task_struct *p, int nice)
 {
-        int rc;
-        rc = cap_task_setnice(p, nice);
-        if (rc)
-                return rc;
        return current_has_perm(p, PROCESS__SETSCHED);
 }
 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
 {
-        int rc;
-        rc = cap_task_setioprio(p, ioprio);
-        if (rc)
-                return rc;
        return current_has_perm(p, PROCESS__SETSCHED);
 }
@@ -3693,12 +3660,6 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
 static int selinux_task_setscheduler(struct task_struct *p)
 {
-        int rc;
-        rc = cap_task_setscheduler(p);
-        if (rc)
-                return rc;
        return current_has_perm(p, PROCESS__SETSCHED);
 }
@@ -4780,8 +4741,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
                if (err == -EINVAL) {
                        printk(KERN_WARNING
                               "SELinux: unrecognized netlink message:"
-                               " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
+                               " protocol=%hu nlmsg_type=%hu sclass=%s\n",
-                               sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
+                               sk->sk_protocol, nlh->nlmsg_type,
+                               secclass_map[sksec->sclass - 1].name);
                        if (!selinux_enforcing || security_get_allow_unknown())
                                err = 0;
                }
@@ -5109,12 +5071,6 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
-        int err;
-        err = cap_netlink_send(sk, skb);
-        if (err)
-                return err;
        return selinux_nlmsg_perm(sk, skb);
 }
@@ -5852,218 +5808,220 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 #endif
-static struct security_operations selinux_ops = {
+static struct security_hook_list selinux_hooks[] = {
-        .name =                         "selinux",
+        LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
+        LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
-        .binder_set_context_mgr =       selinux_binder_set_context_mgr,
+        LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
-        .binder_transaction =           selinux_binder_transaction,
+        LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
-        .binder_transfer_binder =       selinux_binder_transfer_binder,
-        .binder_transfer_file =         selinux_binder_transfer_file,
+        LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
+        LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
-        .ptrace_access_check =          selinux_ptrace_access_check,
+        LSM_HOOK_INIT(capget, selinux_capget),
-        .ptrace_traceme =               selinux_ptrace_traceme,
+        LSM_HOOK_INIT(capset, selinux_capset),
-        .capget =                       selinux_capget,
+        LSM_HOOK_INIT(capable, selinux_capable),
-        .capset =                       selinux_capset,
+        LSM_HOOK_INIT(quotactl, selinux_quotactl),
-        .capable =                      selinux_capable,
+        LSM_HOOK_INIT(quota_on, selinux_quota_on),
-        .quotactl =                     selinux_quotactl,
+        LSM_HOOK_INIT(syslog, selinux_syslog),
-        .quota_on =                     selinux_quota_on,
+        LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
-        .syslog =                       selinux_syslog,
-        .vm_enough_memory =             selinux_vm_enough_memory,
+        LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
-        .netlink_send =                 selinux_netlink_send,
+        LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
+        LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
-        .bprm_set_creds =               selinux_bprm_set_creds,
+        LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
-        .bprm_committing_creds =        selinux_bprm_committing_creds,
+        LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
-        .bprm_committed_creds =         selinux_bprm_committed_creds,
-        .bprm_secureexec =              selinux_bprm_secureexec,
+        LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
+        LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
-        .sb_alloc_security =            selinux_sb_alloc_security,
+        LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
-        .sb_free_security =             selinux_sb_free_security,
+        LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
-        .sb_copy_data =                 selinux_sb_copy_data,
+        LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
-        .sb_remount =                   selinux_sb_remount,
+        LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
-        .sb_kern_mount =                selinux_sb_kern_mount,
+        LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
-        .sb_show_options =              selinux_sb_show_options,
+        LSM_HOOK_INIT(sb_mount, selinux_mount),
-        .sb_statfs =                    selinux_sb_statfs,
+        LSM_HOOK_INIT(sb_umount, selinux_umount),
-        .sb_mount =                     selinux_mount,
+        LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
-        .sb_umount =                    selinux_umount,
+        LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
-        .sb_set_mnt_opts =              selinux_set_mnt_opts,
+        LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
-        .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
-        .sb_parse_opts_str =            selinux_parse_opts_str,
+        LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
-        .dentry_init_security =         selinux_dentry_init_security,
+        LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
+        LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
-        .inode_alloc_security =         selinux_inode_alloc_security,
+        LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
-        .inode_free_security =          selinux_inode_free_security,
+        LSM_HOOK_INIT(inode_create, selinux_inode_create),
-        .inode_init_security =          selinux_inode_init_security,
+        LSM_HOOK_INIT(inode_link, selinux_inode_link),
-        .inode_create =                 selinux_inode_create,
+        LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
-        .inode_link =                   selinux_inode_link,
+        LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
-        .inode_unlink =                 selinux_inode_unlink,
+        LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
-        .inode_symlink =                selinux_inode_symlink,
+        LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
-        .inode_mkdir =                  selinux_inode_mkdir,
+        LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
-        .inode_rmdir =                  selinux_inode_rmdir,
+        LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
-        .inode_mknod =                  selinux_inode_mknod,
+        LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
-        .inode_rename =                 selinux_inode_rename,
+        LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
-        .inode_readlink =               selinux_inode_readlink,
+        LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
-        .inode_follow_link =            selinux_inode_follow_link,
+        LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
-        .inode_permission =             selinux_inode_permission,
+        LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
-        .inode_setattr =                selinux_inode_setattr,
+        LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
-        .inode_getattr =                selinux_inode_getattr,
+        LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
-        .inode_setxattr =               selinux_inode_setxattr,
+        LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
-        .inode_post_setxattr =          selinux_inode_post_setxattr,
+        LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
-        .inode_getxattr =               selinux_inode_getxattr,
+        LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
-        .inode_listxattr =              selinux_inode_listxattr,
+        LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
-        .inode_removexattr =            selinux_inode_removexattr,
+        LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
-        .inode_getsecurity =            selinux_inode_getsecurity,
+        LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
-        .inode_setsecurity =            selinux_inode_setsecurity,
+        LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
-        .inode_listsecurity =           selinux_inode_listsecurity,
-        .inode_getsecid =               selinux_inode_getsecid,
+        LSM_HOOK_INIT(file_permission, selinux_file_permission),
+        LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
-        .file_permission =              selinux_file_permission,
+        LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
-        .file_alloc_security =          selinux_file_alloc_security,
+        LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
-        .file_free_security =           selinux_file_free_security,
+        LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
-        .file_ioctl =                   selinux_file_ioctl,
+        LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
-        .mmap_file =                    selinux_mmap_file,
+        LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
-        .mmap_addr =                    selinux_mmap_addr,
+        LSM_HOOK_INIT(file_lock, selinux_file_lock),
-        .file_mprotect =                selinux_file_mprotect,
+        LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
-        .file_lock =                    selinux_file_lock,
+        LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
-        .file_fcntl =                   selinux_file_fcntl,
+        LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
-        .file_set_fowner =              selinux_file_set_fowner,
+        LSM_HOOK_INIT(file_receive, selinux_file_receive),
-        .file_send_sigiotask =          selinux_file_send_sigiotask,
-        .file_receive =                 selinux_file_receive,
+        LSM_HOOK_INIT(file_open, selinux_file_open),
-        .file_open =                    selinux_file_open,
+        LSM_HOOK_INIT(task_create, selinux_task_create),
+        LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
-        .task_create =                  selinux_task_create,
+        LSM_HOOK_INIT(cred_free, selinux_cred_free),
-        .cred_alloc_blank =             selinux_cred_alloc_blank,
+        LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
-        .cred_free =                    selinux_cred_free,
+        LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
-        .cred_prepare =                 selinux_cred_prepare,
+        LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
-        .cred_transfer =                selinux_cred_transfer,
+        LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
-        .kernel_act_as =                selinux_kernel_act_as,
+        LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
-        .kernel_create_files_as =       selinux_kernel_create_files_as,
+        LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
-        .kernel_module_request =        selinux_kernel_module_request,
+        LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
-        .task_setpgid =                 selinux_task_setpgid,
+        LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
-        .task_getpgid =                 selinux_task_getpgid,
+        LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
-        .task_getsid =                  selinux_task_getsid,
+        LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
-        .task_getsecid =                selinux_task_getsecid,
+        LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
-        .task_setnice =                 selinux_task_setnice,
+        LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
-        .task_setioprio =               selinux_task_setioprio,
+        LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
-        .task_getioprio =               selinux_task_getioprio,
+        LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
-        .task_setrlimit =               selinux_task_setrlimit,
+        LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
-        .task_setscheduler =            selinux_task_setscheduler,
+        LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
-        .task_getscheduler =            selinux_task_getscheduler,
+        LSM_HOOK_INIT(task_kill, selinux_task_kill),
-        .task_movememory =              selinux_task_movememory,
+        LSM_HOOK_INIT(task_wait, selinux_task_wait),
-        .task_kill =                    selinux_task_kill,
+        LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
-        .task_wait =                    selinux_task_wait,
-        .task_to_inode =                selinux_task_to_inode,
+        LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
+        LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
-        .ipc_permission =               selinux_ipc_permission,
-        .ipc_getsecid =                 selinux_ipc_getsecid,
+        LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
+        LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
-        .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
-        .msg_msg_free_security =        selinux_msg_msg_free_security,
+        LSM_HOOK_INIT(msg_queue_alloc_security,
+                        selinux_msg_queue_alloc_security),
-        .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
+        LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
-        .msg_queue_free_security =      selinux_msg_queue_free_security,
+        LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
-        .msg_queue_associate =          selinux_msg_queue_associate,
+        LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
-        .msg_queue_msgctl =             selinux_msg_queue_msgctl,
+        LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
-        .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
+        LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
-        .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
+        LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
-        .shm_alloc_security =           selinux_shm_alloc_security,
+        LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
-        .shm_free_security =            selinux_shm_free_security,
+        LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
-        .shm_associate =                selinux_shm_associate,
+        LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
-        .shm_shmctl =                   selinux_shm_shmctl,
+        LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
-        .shm_shmat =                    selinux_shm_shmat,
+        LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
-        .sem_alloc_security =           selinux_sem_alloc_security,
+        LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
-        .sem_free_security =            selinux_sem_free_security,
+        LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
-        .sem_associate =                selinux_sem_associate,
+        LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
-        .sem_semctl =                   selinux_sem_semctl,
+        LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
-        .sem_semop =                    selinux_sem_semop,
+        LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
-        .d_instantiate =                selinux_d_instantiate,
+        LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
-        .getprocattr =                  selinux_getprocattr,
+        LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
-        .setprocattr =                  selinux_setprocattr,
+        LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
-        .ismaclabel =                   selinux_ismaclabel,
+        LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
-        .secid_to_secctx =              selinux_secid_to_secctx,
+        LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
-        .secctx_to_secid =              selinux_secctx_to_secid,
+        LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
-        .release_secctx =               selinux_release_secctx,
+        LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
-        .inode_notifysecctx =           selinux_inode_notifysecctx,
+        LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
-        .inode_setsecctx =              selinux_inode_setsecctx,
+        LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
-        .inode_getsecctx =              selinux_inode_getsecctx,
+        LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
-        .unix_stream_connect =          selinux_socket_unix_stream_connect,
+        LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
-        .unix_may_send =                selinux_socket_unix_may_send,
+        LSM_HOOK_INIT(socket_create, selinux_socket_create),
-        .socket_create =                selinux_socket_create,
+        LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
-        .socket_post_create =           selinux_socket_post_create,
+        LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
-        .socket_bind =                  selinux_socket_bind,
+        LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
-        .socket_connect =               selinux_socket_connect,
+        LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
-        .socket_listen =                selinux_socket_listen,
+        LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
-        .socket_accept =                selinux_socket_accept,
+        LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
-        .socket_sendmsg =               selinux_socket_sendmsg,
+        LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
-        .socket_recvmsg =               selinux_socket_recvmsg,
+        LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
-        .socket_getsockname =           selinux_socket_getsockname,
+        LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
-        .socket_getpeername =           selinux_socket_getpeername,
+        LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
-        .socket_getsockopt =            selinux_socket_getsockopt,
+        LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
-        .socket_setsockopt =            selinux_socket_setsockopt,
+        LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
-        .socket_shutdown =              selinux_socket_shutdown,
+        LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
-        .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
+        LSM_HOOK_INIT(socket_getpeersec_stream,
-        .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
+                        selinux_socket_getpeersec_stream),
-        .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
+        LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
-        .sk_alloc_security =            selinux_sk_alloc_security,
+        LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
-        .sk_free_security =             selinux_sk_free_security,
+        LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
-        .sk_clone_security =            selinux_sk_clone_security,
+        LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
-        .sk_getsecid =                  selinux_sk_getsecid,
+        LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
-        .sock_graft =                   selinux_sock_graft,
+        LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
-        .inet_conn_request =            selinux_inet_conn_request,
+        LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
-        .inet_csk_clone =               selinux_inet_csk_clone,
+        LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
-        .inet_conn_established =        selinux_inet_conn_established,
+        LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
-        .secmark_relabel_packet =       selinux_secmark_relabel_packet,
+        LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
-        .secmark_refcount_inc =         selinux_secmark_refcount_inc,
+        LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
-        .secmark_refcount_dec =         selinux_secmark_refcount_dec,
+        LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
-        .req_classify_flow =            selinux_req_classify_flow,
+        LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
-        .tun_dev_alloc_security =       selinux_tun_dev_alloc_security,
+        LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
-        .tun_dev_free_security =        selinux_tun_dev_free_security,
+        LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
-        .tun_dev_create =               selinux_tun_dev_create,
+        LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
-        .tun_dev_attach_queue =         selinux_tun_dev_attach_queue,
+        LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
-        .tun_dev_attach =               selinux_tun_dev_attach,
+        LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
-        .tun_dev_open =                 selinux_tun_dev_open,
+        LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
-        .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
+        LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
-        .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
+        LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
-        .xfrm_policy_free_security =    selinux_xfrm_policy_free,
+        LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
-        .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
+        LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
-        .xfrm_state_alloc =             selinux_xfrm_state_alloc,
+        LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
-        .xfrm_state_alloc_acquire =     selinux_xfrm_state_alloc_acquire,
+        LSM_HOOK_INIT(xfrm_state_alloc_acquire,
-        .xfrm_state_free_security =     selinux_xfrm_state_free,
+                        selinux_xfrm_state_alloc_acquire),
-        .xfrm_state_delete_security =   selinux_xfrm_state_delete,
+        LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
-        .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
+        LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
-        .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
+        LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
-        .xfrm_decode_session =          selinux_xfrm_decode_session,
+        LSM_HOOK_INIT(xfrm_state_pol_flow_match,
+                        selinux_xfrm_state_pol_flow_match),
+        LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
 #endif
 #ifdef CONFIG_KEYS
-        .key_alloc =                    selinux_key_alloc,
+        LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
-        .key_free =                     selinux_key_free,
+        LSM_HOOK_INIT(key_free, selinux_key_free),
-        .key_permission =               selinux_key_permission,
+        LSM_HOOK_INIT(key_permission, selinux_key_permission),
-        .key_getsecurity =              selinux_key_getsecurity,
+        LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
 #endif
 #ifdef CONFIG_AUDIT
-        .audit_rule_init =              selinux_audit_rule_init,
+        LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
-        .audit_rule_known =             selinux_audit_rule_known,
+        LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
-        .audit_rule_match =             selinux_audit_rule_match,
+        LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
-        .audit_rule_free =              selinux_audit_rule_free,
+        LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
 #endif
 };
 static __init int selinux_init(void)
 {
-        if (!security_module_enable(&selinux_ops)) {
+        if (!security_module_enable("selinux")) {
                selinux_enabled = 0;
                return 0;
        }
@@ -6085,8 +6043,7 @@ static __init int selinux_init(void)
                                            0, SLAB_PANIC, NULL);
        avc_init();
-        if (register_security(&selinux_ops))
+        security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
-                panic("SELinux: Unable to register with kernel.\n");
        if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
                panic("SELinux: Unable to register AVC netcache callback\n");
@@ -6214,7 +6171,7 @@ int selinux_disable(void)
        selinux_disabled = 1;
        selinux_enabled = 0;
-        reset_security_ops();
+        security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
        /* Try to destroy the avc node cache */
        avc_disable();
author	Linus Torvalds <torvalds@linux-foundation.org>	2015-06-27 16:26:03 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2015-06-27 16:26:03 -0400
commit	e22619a29fcdb513b7bc020e84225bb3b5914259 (patch)
tree	1d1d72a4c8cebad4f2d2bf738395ca4ececa95ec /security/selinux/hooks.c
parent	78c10e556ed904d5bfbd71e9cadd8ce8f25d6982 (diff)
parent	b3bddffd35a0b77eee89760eb94cafa18dc431f5 (diff)