author | James Morris <jmorris@namei.org> | 2009-01-29 18:05:06 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-02-01 17:20:34 -0500 |
commit | 5626d3e86141390c8efc7bcb929b6a4b58b00480 (patch) | |
tree | aafff4163d6bc40f78c025fe3c4f8eda232ef5c9 | |
parent | 95c14904b6f6f8a35365f0c58d530c85b4fb96b4 (diff) |
selinux: remove hooks which simply defer to capabilities
Remove SELinux hooks which do nothing except defer to the capabilities
hooks (or in one case, replicates the function).
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | security/selinux/hooks.c | 68 |
1 files changed, 10 insertions, 58 deletions
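--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1892,6 +1892,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 	return cred_has_perm(old, new, PROCESS__SETCAP);
 }
 
+/*
+ * (This comment used to live with the selinux_task_setuid hook,
+ * which was removed).
+ *
+ * Since setuid only affects the current process, and since the SELinux
+ * controls are not based on the Linux identity attributes, SELinux does not
+ * need to control this operation. However, SELinux does control the use of
+ * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
+ */
+
 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
 			   int cap, int audit)
 {
@@ -2909,16 +2919,6 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
 	return len;
 }
 
-static int selinux_inode_need_killpriv(struct dentry *dentry)
-{
-	return secondary_ops->inode_need_killpriv(dentry);
-}
-
-static int selinux_inode_killpriv(struct dentry *dentry)
-{
-	return secondary_ops->inode_killpriv(dentry);
-}
-
 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
 {
 	struct inode_security_struct *isec = inode->i_security;
@@ -3288,29 +3288,6 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
 	return 0;
 }
 
-static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
-{
-	/* Since setuid only affects the current process, and
-	   since the SELinux controls are not based on the Linux
-	   identity attributes, SELinux does not need to control
-	   this operation. However, SELinux does control the use
-	   of the CAP_SETUID and CAP_SETGID capabilities using the
-	   capable hook. */
-	return 0;
-}
-
-static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
-				   int flags)
-{
-	return secondary_ops->task_fix_setuid(new, old, flags);
-}
-
-static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
-{
-	/* See the comment for setuid above. */
-	return 0;
-}
-
 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
 {
 	return current_has_perm(p, PROCESS__SETPGID);
@@ -3331,12 +3308,6 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
 	*secid = task_sid(p);
 }
 
-static int selinux_task_setgroups(struct group_info *group_info)
-{
-	/* See the comment for setuid above. */
-	return 0;
-}
-
 static int selinux_task_setnice(struct task_struct *p, int nice)
 {
 	int rc;
@@ -3417,18 +3388,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
 	return rc;
 }
 
-static int selinux_task_prctl(int option,
-			      unsigned long arg2,
-			      unsigned long arg3,
-			      unsigned long arg4,
-			      unsigned long arg5)
-{
-	/* The current prctl operations do not appear to require
-	   any SELinux controls since they merely observe or modify
-	   the state of the current process. */
-	return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
-}
-
 static int selinux_task_wait(struct task_struct *p)
 {
 	return task_has_perm(p, current, PROCESS__SIGCHLD);
@@ -5563,8 +5522,6 @@ static struct security_operations selinux_ops = {
 	.inode_getsecurity = selinux_inode_getsecurity,
 	.inode_setsecurity = selinux_inode_setsecurity,
 	.inode_listsecurity = selinux_inode_listsecurity,
-	.inode_need_killpriv = selinux_inode_need_killpriv,
-	.inode_killpriv = selinux_inode_killpriv,
 	.inode_getsecid = selinux_inode_getsecid,
 
 	.file_permission = selinux_file_permission,
@@ -5586,14 +5543,10 @@ static struct security_operations selinux_ops = {
 	.cred_prepare = selinux_cred_prepare,
 	.kernel_act_as = selinux_kernel_act_as,
 	.kernel_create_files_as = selinux_kernel_create_files_as,
-	.task_setuid = selinux_task_setuid,
-	.task_fix_setuid = selinux_task_fix_setuid,
-	.task_setgid = selinux_task_setgid,
 	.task_setpgid = selinux_task_setpgid,
 	.task_getpgid = selinux_task_getpgid,
 	.task_getsid = selinux_task_getsid,
 	.task_getsecid = selinux_task_getsecid,
-	.task_setgroups = selinux_task_setgroups,
 	.task_setnice = selinux_task_setnice,
 	.task_setioprio = selinux_task_setioprio,
 	.task_getioprio = selinux_task_getioprio,
@@ -5603,7 +5556,6 @@ static struct security_operations selinux_ops = {
 	.task_movememory = selinux_task_movememory,
 	.task_kill = selinux_task_kill,
 	.task_wait = selinux_task_wait,
-	.task_prctl = selinux_task_prctl,
 	.task_to_inode = selinux_task_to_inode,
 
 	.ipc_permission = selinux_ipc_permission,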
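Review bot: The new comment placed above selinux_capable (new lines 1895-1904) records where the text came from but not the property every deletion in this commit relies on: that a hook left unset in selinux_ops falls back to the framework's capability implementation, which is exactly what the removed inode_need_killpriv, inode_killpriv, task_fix_setuid and task_prctl wrappers called through secondary_ops. That fallback is presumably arranged in the LSM core and is not visible in this file, so a maintainer reading hooks.c alone cannot tell that those operations are still mediated rather than silently unchecked. I would replace the first parenthetical sentence with something like `* The task_setuid/setgid/setgroups/fix_setuid, inode_*killpriv and task_prctl hooks are deliberately not defined here; the LSM framework's default capability hooks cover them.` so the dependency is stated next to the capable hook that still enforces CAP_SETUID/CAP_SETGID. The same note covers the matching removals from the selinux_ops initializer in the last three hunks of this section.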