authorEric Paris <eparis@redhat.com>2009-02-12 15:01:04 -0500
committerJames Morris <jmorris@namei.org>2009-02-13 17:22:24 -0500
commit200ac532a4bc3134147ca06686c56a6420e66c46 (patch)
treef9b1779458df389052c758ea23cf61695a021e67
parentb53fab9d48e9bd9aeba0b500dec550becd981a91 (diff)
SELinux: call capabilities code directory
For cleanliness and efficiency, remove all calls made through secondary_ops-> and instead call the capabilities code directly. Capabilities are the only module that SELinux stacks with, so the code should not suggest that any other stacking is possible. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/hooks.c30
1 files changed, 13 insertions, 17 deletions
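diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a69d6f8970ca..e9011e5f5ffb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1841,7 +1841,7 @@ static int selinux_ptrace_may_access(struct task_struct *child,
 {
 	int rc;
 
-	rc = secondary_ops->ptrace_may_access(child, mode);
+	rc = cap_ptrace_may_access(child, mode);
 	if (rc)
 		return rc;
 
@@ -1858,7 +1858,7 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
 {
 	int rc;
 
-	rc = secondary_ops->ptrace_traceme(parent);
+	rc = cap_ptrace_traceme(parent);
 	if (rc)
 		return rc;
 
@@ -1874,7 +1874,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
 	if (error)
 		return error;
 
-	return secondary_ops->capget(target, effective, inheritable, permitted);
+	return cap_capget(target, effective, inheritable, permitted);
 }
 
 static int selinux_capset(struct cred *new, const struct cred *old,
@@ -1884,7 +1884,7 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 {
 	int error;
 
-	error = secondary_ops->capset(new, old,
+	error = cap_capset(new, old,
 			  effective, inheritable, permitted);
 	if (error)
 		return error;
@@ -1907,7 +1907,7 @@ static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
 {
 	int rc;
 
-	rc = secondary_ops->capable(tsk, cred, cap, audit);
+	rc = cap_capable(tsk, cred, cap, audit);
 	if (rc)
 		return rc;
 
@@ -2033,7 +2033,7 @@ static int selinux_syslog(int type)
 {
 	int rc;
 
-	rc = secondary_ops->syslog(type);
+	rc = cap_syslog(type);
 	if (rc)
 		return rc;
 
@@ -2064,10 +2064,6 @@ static int selinux_syslog(int type)
  * mapping. 0 means there is enough memory for the allocation to
  * succeed and -ENOMEM implies there is not.
  *
- * Note that secondary_ops->capable and task_has_perm_noaudit return 0
- * if the capability is granted, but __vm_enough_memory requires 1 if
- * the capability is granted.
- *
  * Do not audit the selinux permission check, as this is applied to all
  * processes that allocate mappings.
  */
@@ -2094,7 +2090,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 	struct inode *inode = bprm->file->f_path.dentry->d_inode;
 	int rc;
 
-	rc = secondary_ops->bprm_set_creds(bprm);
+	rc = cap_bprm_set_creds(bprm);
 	if (rc)
 		return rc;
 
@@ -2211,7 +2207,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
 					  PROCESS__NOATSECURE, NULL);
 	}
 
-	return (atsecure || secondary_ops->bprm_secureexec(bprm));
+	return (atsecure || cap_bprm_secureexec(bprm));
 }
 
 extern struct vfsmount *selinuxfs_mount;
@@ -3312,7 +3308,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
 {
 	int rc;
 
-	rc = secondary_ops->task_setnice(p, nice);
+	rc = cap_task_setnice(p, nice);
 	if (rc)
 		return rc;
 
@@ -3323,7 +3319,7 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio)
 {
 	int rc;
 
-	rc = secondary_ops->task_setioprio(p, ioprio);
+	rc = cap_task_setioprio(p, ioprio);
 	if (rc)
 		return rc;
 
@@ -3353,7 +3349,7 @@ static int selinux_task_setscheduler(struct task_struct *p, int policy, struct s
 {
 	int rc;
 
-	rc = secondary_ops->task_setscheduler(p, policy, lp);
+	rc = cap_task_setscheduler(p, policy, lp);
 	if (rc)
 		return rc;
 
@@ -4749,7 +4745,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
 	int err;
 
-	err = secondary_ops->netlink_send(sk, skb);
+	err = cap_netlink_send(sk, skb);
 	if (err)
 		return err;
 
@@ -4764,7 +4760,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 	int err;
 	struct avc_audit_data ad;
 
-	err = secondary_ops->netlink_recv(skb, capability);
+	err = cap_netlink_recv(skb, capability);
 	if (err)
 		return err;
 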
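Review bot: The hunk at `@@ -2064,10 +2064,6 @@` deletes the entire note that the capability check returns 0 on grant while `__vm_enough_memory` expects 1, when only the `secondary_ops->capable` reference in it went stale. That 0-means-granted versus 1-means-granted inversion is exactly the kind of return-value mismatch a later refactor silently breaks, and since the body of selinux_vm_enough_memory is outside the hunk I cannot confirm whether the mapping is still performed there; if it is, keep the note, reworded as ` * Note that cap_capable and task_has_perm_noaudit return 0 if the capability is granted, but __vm_enough_memory requires 1 if the capability is granted.` Separately, replacing the indirect calls with direct cap_* calls makes the new code depend on secondary_ops having only ever pointed at the capability ops, which the commit message asserts but the diff does not show, so anyone auditing this for lost hook coverage should confirm nothing else was registered as the secondary module.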