author | Eric Paris <eparis@redhat.com> | 2009-02-12 15:01:04 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-02-13 17:22:24 -0500 |
commit | 200ac532a4bc3134147ca06686c56a6420e66c46 (patch) | |
tree | f9b1779458df389052c758ea23cf61695a021e67 | |
parent | b53fab9d48e9bd9aeba0b500dec550becd981a91 (diff) |
SELinux: call capabilities code directory
For cleanliness and efficiency remove all calls to secondary-> and instead
call capabilities code directly. Capabilities are the only module that
SELinux stacks with, so the code should not suggest that other stacking
might be possible.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/hooks.c | 30 |
1 files changed, 13 insertions, 17 deletions
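--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1841,7 +1841,7 @@ static int selinux_ptrace_may_access(struct task_struct *child,
 {
 int rc;
 
-rc = secondary_ops->ptrace_may_access(child, mode);
+rc = cap_ptrace_may_access(child, mode);
 if (rc)
 return rc;
 
@@ -1858,7 +1858,7 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
 {
 int rc;
 
-rc = secondary_ops->ptrace_traceme(parent);
+rc = cap_ptrace_traceme(parent);
 if (rc)
 return rc;
 
@@ -1874,7 +1874,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
 if (error)
 return error;
 
-return secondary_ops->capget(target, effective, inheritable, permitted);
+return cap_capget(target, effective, inheritable, permitted);
 }
 
 static int selinux_capset(struct cred *new, const struct cred *old,
@@ -1884,7 +1884,7 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 {
 int error;
 
-error = secondary_ops->capset(new, old,
+error = cap_capset(new, old,
 effective, inheritable, permitted);
 if (error)
 return error;
@@ -1907,7 +1907,7 @@ static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
 {
 int rc;
 
-rc = secondary_ops->capable(tsk, cred, cap, audit);
+rc = cap_capable(tsk, cred, cap, audit);
 if (rc)
 return rc;
 
@@ -2033,7 +2033,7 @@ static int selinux_syslog(int type)
 {
 int rc;
 
-rc = secondary_ops->syslog(type);
+rc = cap_syslog(type);
 if (rc)
 return rc;
 
@@ -2064,10 +2064,6 @@ static int selinux_syslog(int type)
 * mapping. 0 means there is enough memory for the allocation to
 * succeed and -ENOMEM implies there is not.
 *
-* Note that secondary_ops->capable and task_has_perm_noaudit return 0
-* if the capability is granted, but __vm_enough_memory requires 1 if
-* the capability is granted.
-*
 * Do not audit the selinux permission check, as this is applied to all
 * processes that allocate mappings.
 */
@@ -2094,7 +2090,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 struct inode *inode = bprm->file->f_path.dentry->d_inode;
 int rc;
 
-rc = secondary_ops->bprm_set_creds(bprm);
+rc = cap_bprm_set_creds(bprm);
 if (rc)
 return rc;
 
@@ -2211,7 +2207,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
 PROCESS__NOATSECURE, NULL);
 }
 
-return (atsecure || secondary_ops->bprm_secureexec(bprm));
+return (atsecure || cap_bprm_secureexec(bprm));
 }
 
 extern struct vfsmount *selinuxfs_mount;
@@ -3312,7 +3308,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
 {
 int rc;
 
-rc = secondary_ops->task_setnice(p, nice);
+rc = cap_task_setnice(p, nice);
 if (rc)
 return rc;
 
@@ -3323,7 +3319,7 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio)
 {
 int rc;
 
-rc = secondary_ops->task_setioprio(p, ioprio);
+rc = cap_task_setioprio(p, ioprio);
 if (rc)
 return rc;
 
@@ -3353,7 +3349,7 @@ static int selinux_task_setscheduler(struct task_struct *p, int policy, struct s
 {
 int rc;
 
-rc = secondary_ops->task_setscheduler(p, policy, lp);
+rc = cap_task_setscheduler(p, policy, lp);
 if (rc)
 return rc;
 
@@ -4749,7 +4745,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
 int err;
 
-err = secondary_ops->netlink_send(sk, skb);
+err = cap_netlink_send(sk, skb);
 if (err)
 return err;
 
@@ -4764,7 +4760,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 int err;
 struct avc_audit_data ad;
 
-err = secondary_ops->netlink_recv(skb, capability);
+err = cap_netlink_recv(skb, capability);
 if (err)
 return err;
 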