authorJames Morris <jmorris@namei.org>2009-01-29 18:05:06 -0500
committerJames Morris <jmorris@namei.org>2009-02-01 17:20:34 -0500
commit5626d3e86141390c8efc7bcb929b6a4b58b00480 (patch)
treeaafff4163d6bc40f78c025fe3c4f8eda232ef5c9
parent95c14904b6f6f8a35365f0c58d530c85b4fb96b4 (diff)
selinux: remove hooks which simply defer to capabilities
Remove SELinux hooks which do nothing except defer to the capabilities hooks (or, in one case, replicate the function). Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--security/selinux/hooks.c68
1 files changed, 10 insertions, 58 deletions
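--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1892,6 +1892,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 	return cred_has_perm(old, new, PROCESS__SETCAP);
 }
 
+/*
+ * (This comment used to live with the selinux_task_setuid hook,
+ * which was removed).
+ *
+ * Since setuid only affects the current process, and since the SELinux
+ * controls are not based on the Linux identity attributes, SELinux does not
+ * need to control this operation. However, SELinux does control the use of
+ * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
+ */
+
 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
 	int cap, int audit)
 {
@@ -2909,16 +2919,6 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
 	return len;
 }
 
-static int selinux_inode_need_killpriv(struct dentry *dentry)
-{
-	return secondary_ops->inode_need_killpriv(dentry);
-}
-
-static int selinux_inode_killpriv(struct dentry *dentry)
-{
-	return secondary_ops->inode_killpriv(dentry);
-}
-
 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
 {
 	struct inode_security_struct *isec = inode->i_security;
@@ -3288,29 +3288,6 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
 	return 0;
 }
 
-static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
-{
-	/* Since setuid only affects the current process, and
-	   since the SELinux controls are not based on the Linux
-	   identity attributes, SELinux does not need to control
-	   this operation. However, SELinux does control the use
-	   of the CAP_SETUID and CAP_SETGID capabilities using the
-	   capable hook. */
-	return 0;
-}
-
-static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
-	int flags)
-{
-	return secondary_ops->task_fix_setuid(new, old, flags);
-}
-
-static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
-{
-	/* See the comment for setuid above. */
-	return 0;
-}
-
 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
 {
 	return current_has_perm(p, PROCESS__SETPGID);
@@ -3331,12 +3308,6 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
 	*secid = task_sid(p);
 }
 
-static int selinux_task_setgroups(struct group_info *group_info)
-{
-	/* See the comment for setuid above. */
-	return 0;
-}
-
 static int selinux_task_setnice(struct task_struct *p, int nice)
 {
 	int rc;
@@ -3417,18 +3388,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
 	return rc;
 }
 
-static int selinux_task_prctl(int option,
-	unsigned long arg2,
-	unsigned long arg3,
-	unsigned long arg4,
-	unsigned long arg5)
-{
-	/* The current prctl operations do not appear to require
-	   any SELinux controls since they merely observe or modify
-	   the state of the current process. */
-	return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
-}
-
 static int selinux_task_wait(struct task_struct *p)
 {
 	return task_has_perm(p, current, PROCESS__SIGCHLD);
@@ -5563,8 +5522,6 @@ static struct security_operations selinux_ops = {
 	.inode_getsecurity = selinux_inode_getsecurity,
 	.inode_setsecurity = selinux_inode_setsecurity,
 	.inode_listsecurity = selinux_inode_listsecurity,
-	.inode_need_killpriv = selinux_inode_need_killpriv,
-	.inode_killpriv = selinux_inode_killpriv,
 	.inode_getsecid = selinux_inode_getsecid,
 
 	.file_permission = selinux_file_permission,
@@ -5586,14 +5543,10 @@ static struct security_operations selinux_ops = {
 	.cred_prepare = selinux_cred_prepare,
 	.kernel_act_as = selinux_kernel_act_as,
 	.kernel_create_files_as = selinux_kernel_create_files_as,
-	.task_setuid = selinux_task_setuid,
-	.task_fix_setuid = selinux_task_fix_setuid,
-	.task_setgid = selinux_task_setgid,
 	.task_setpgid = selinux_task_setpgid,
 	.task_getpgid = selinux_task_getpgid,
 	.task_getsid = selinux_task_getsid,
 	.task_getsecid = selinux_task_getsecid,
-	.task_setgroups = selinux_task_setgroups,
 	.task_setnice = selinux_task_setnice,
 	.task_setioprio = selinux_task_setioprio,
 	.task_getioprio = selinux_task_getioprio,
@@ -5603,7 +5556,6 @@ static struct security_operations selinux_ops = {
 	.task_movememory = selinux_task_movememory,
 	.task_kill = selinux_task_kill,
 	.task_wait = selinux_task_wait,
-	.task_prctl = selinux_task_prctl,
 	.task_to_inode = selinux_task_to_inode,
 
 	.ipc_permission = selinux_ipc_permission,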
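Review bot: The relocated comment in the first hunk explains why setuid needs no SELinux control but does not say what now mediates the dropped hooks, so a reader of the hook table cannot tell whether setuid/setgid/setgroups/fix_setuid, prctl and the killpriv pair became unchecked or fell back to the capability defaults; presumably the LSM core substitutes its default (capability) implementation for every entry left unset in selinux_ops, but that is not visible in this file. I would extend the comment with one sentence, e.g. `* The task_setuid/setgid/setgroups/fix_setuid, task_prctl and inode_*killpriv hooks are intentionally absent from selinux_ops; the LSM core supplies the capability implementation for them, so the only SELinux control on these operations is the CAP_SETUID/CAP_SETGID check in selinux_capable below.` The rationale that the removed selinux_task_prctl comment carried (prctl merely observes or modifies the current process) is lost with the deletion in the fifth hunk and is worth folding into the same comment. The opening parenthetical "(This comment used to live with the selinux_task_setuid hook, which was removed)" is changelog-style text that git history already records and could be dropped.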