diff options
| author | Thomas Gleixner <tglx@linutronix.de> | 2011-02-22 12:24:26 -0500 |
|---|---|---|
| committer | Thomas Gleixner <tglx@linutronix.de> | 2011-02-22 12:41:48 -0500 |
| commit | 695884fb8acd9857e0e7120ccb2150e30f4b8fef (patch) | |
| tree | 49aa424c1a021ce432e9fa5ea29d37a23e4e30cc /security/selinux/hooks.c | |
| parent | 5df91509d324d44cfb11e55d9cb02fe18b53b045 (diff) | |
| parent | 04bea68b2f0eeebb089ecc67b618795925268b4a (diff) | |
Merge branch 'devicetree/for-x86' of git://git.secretlab.ca/git/linux-2.6 into x86/platform
Reason: x86 devicetree support for ce4100 depends on those device tree
changes scheduled for .39.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 33 |
1 files changed, 16 insertions, 17 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d9154cf90ae..e276eb46853 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1973,14 +1973,10 @@ static int selinux_quota_on(struct dentry *dentry) | |||
| 1973 | return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); | 1973 | return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); |
| 1974 | } | 1974 | } |
| 1975 | 1975 | ||
| 1976 | static int selinux_syslog(int type, bool from_file) | 1976 | static int selinux_syslog(int type) |
| 1977 | { | 1977 | { |
| 1978 | int rc; | 1978 | int rc; |
| 1979 | 1979 | ||
| 1980 | rc = cap_syslog(type, from_file); | ||
| 1981 | if (rc) | ||
| 1982 | return rc; | ||
| 1983 | |||
| 1984 | switch (type) { | 1980 | switch (type) { |
| 1985 | case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ | 1981 | case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ |
| 1986 | case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ | 1982 | case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ |
| @@ -2529,7 +2525,10 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
| 2529 | sid = tsec->sid; | 2525 | sid = tsec->sid; |
| 2530 | newsid = tsec->create_sid; | 2526 | newsid = tsec->create_sid; |
| 2531 | 2527 | ||
| 2532 | if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { | 2528 | if ((sbsec->flags & SE_SBINITIALIZED) && |
| 2529 | (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) | ||
| 2530 | newsid = sbsec->mntpoint_sid; | ||
| 2531 | else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { | ||
| 2533 | rc = security_transition_sid(sid, dsec->sid, | 2532 | rc = security_transition_sid(sid, dsec->sid, |
| 2534 | inode_mode_to_security_class(inode->i_mode), | 2533 | inode_mode_to_security_class(inode->i_mode), |
| 2535 | &newsid); | 2534 | &newsid); |
| @@ -3925,18 +3924,18 @@ static int selinux_socket_shutdown(struct socket *sock, int how) | |||
| 3925 | return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); | 3924 | return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); |
| 3926 | } | 3925 | } |
| 3927 | 3926 | ||
| 3928 | static int selinux_socket_unix_stream_connect(struct socket *sock, | 3927 | static int selinux_socket_unix_stream_connect(struct sock *sock, |
| 3929 | struct socket *other, | 3928 | struct sock *other, |
| 3930 | struct sock *newsk) | 3929 | struct sock *newsk) |
| 3931 | { | 3930 | { |
| 3932 | struct sk_security_struct *sksec_sock = sock->sk->sk_security; | 3931 | struct sk_security_struct *sksec_sock = sock->sk_security; |
| 3933 | struct sk_security_struct *sksec_other = other->sk->sk_security; | 3932 | struct sk_security_struct *sksec_other = other->sk_security; |
| 3934 | struct sk_security_struct *sksec_new = newsk->sk_security; | 3933 | struct sk_security_struct *sksec_new = newsk->sk_security; |
| 3935 | struct common_audit_data ad; | 3934 | struct common_audit_data ad; |
| 3936 | int err; | 3935 | int err; |
| 3937 | 3936 | ||
| 3938 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 3937 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
| 3939 | ad.u.net.sk = other->sk; | 3938 | ad.u.net.sk = other; |
| 3940 | 3939 | ||
| 3941 | err = avc_has_perm(sksec_sock->sid, sksec_other->sid, | 3940 | err = avc_has_perm(sksec_sock->sid, sksec_other->sid, |
| 3942 | sksec_other->sclass, | 3941 | sksec_other->sclass, |
| @@ -4524,11 +4523,11 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
| 4524 | if (selinux_secmark_enabled()) | 4523 | if (selinux_secmark_enabled()) |
| 4525 | if (avc_has_perm(sksec->sid, skb->secmark, | 4524 | if (avc_has_perm(sksec->sid, skb->secmark, |
| 4526 | SECCLASS_PACKET, PACKET__SEND, &ad)) | 4525 | SECCLASS_PACKET, PACKET__SEND, &ad)) |
| 4527 | return NF_DROP; | 4526 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4528 | 4527 | ||
| 4529 | if (selinux_policycap_netpeer) | 4528 | if (selinux_policycap_netpeer) |
| 4530 | if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) | 4529 | if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) |
| 4531 | return NF_DROP; | 4530 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4532 | 4531 | ||
| 4533 | return NF_ACCEPT; | 4532 | return NF_ACCEPT; |
| 4534 | } | 4533 | } |
| @@ -4585,7 +4584,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4585 | secmark_perm = PACKET__SEND; | 4584 | secmark_perm = PACKET__SEND; |
| 4586 | break; | 4585 | break; |
| 4587 | default: | 4586 | default: |
| 4588 | return NF_DROP; | 4587 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4589 | } | 4588 | } |
| 4590 | if (secmark_perm == PACKET__FORWARD_OUT) { | 4589 | if (secmark_perm == PACKET__FORWARD_OUT) { |
| 4591 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) | 4590 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) |
| @@ -4607,7 +4606,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4607 | if (secmark_active) | 4606 | if (secmark_active) |
| 4608 | if (avc_has_perm(peer_sid, skb->secmark, | 4607 | if (avc_has_perm(peer_sid, skb->secmark, |
| 4609 | SECCLASS_PACKET, secmark_perm, &ad)) | 4608 | SECCLASS_PACKET, secmark_perm, &ad)) |
| 4610 | return NF_DROP; | 4609 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4611 | 4610 | ||
| 4612 | if (peerlbl_active) { | 4611 | if (peerlbl_active) { |
| 4613 | u32 if_sid; | 4612 | u32 if_sid; |
| @@ -4617,13 +4616,13 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4617 | return NF_DROP; | 4616 | return NF_DROP; |
| 4618 | if (avc_has_perm(peer_sid, if_sid, | 4617 | if (avc_has_perm(peer_sid, if_sid, |
| 4619 | SECCLASS_NETIF, NETIF__EGRESS, &ad)) | 4618 | SECCLASS_NETIF, NETIF__EGRESS, &ad)) |
| 4620 | return NF_DROP; | 4619 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4621 | 4620 | ||
| 4622 | if (sel_netnode_sid(addrp, family, &node_sid)) | 4621 | if (sel_netnode_sid(addrp, family, &node_sid)) |
| 4623 | return NF_DROP; | 4622 | return NF_DROP; |
| 4624 | if (avc_has_perm(peer_sid, node_sid, | 4623 | if (avc_has_perm(peer_sid, node_sid, |
| 4625 | SECCLASS_NODE, NODE__SENDTO, &ad)) | 4624 | SECCLASS_NODE, NODE__SENDTO, &ad)) |
| 4626 | return NF_DROP; | 4625 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4627 | } | 4626 | } |
| 4628 | 4627 | ||
| 4629 | return NF_ACCEPT; | 4628 | return NF_ACCEPT; |