author | Eric Paris <eparis@redhat.com> | 2009-09-12 22:54:10 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-09-13 22:34:07 -0400 |
commit | ed868a56988464cd31de0302426a5e94d3127f10 (patch) | |
tree | cdcd1715445aa19051b6a9a671b39250a449333a | |
parent | 86d710146fb9975f04c505ec78caa43d227c1018 (diff) |
Creds: creds->security can be NULL is selinux is disabled
__validate_process_creds should check if selinux is actually enabled before
running tests on the selinux portion of the credentials struct.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | include/linux/cred.h | 13 | ||||
-rw-r--r-- | include/linux/selinux.h | 9 | ||||
-rw-r--r-- | security/selinux/exports.c | 6 |
3 files changed, 23 insertions, 5 deletions
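--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -15,6 +15,7 @@
 #include <linux/capability.h>
 #include <linux/init.h>
 #include <linux/key.h>
+#include <linux/selinux.h>
 #include <asm/atomic.h>
 
 struct user_struct;
@@ -182,11 +183,13 @@ static inline bool creds_are_invalid(const struct cred *cred)
 	if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers))
 		return true;
 #ifdef CONFIG_SECURITY_SELINUX
-	if ((unsigned long) cred->security < PAGE_SIZE)
-		return true;
-	if ((*(u32*)cred->security & 0xffffff00) ==
-	    (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
-		return true;
+	if (selinux_is_enabled()) {
+		if ((unsigned long) cred->security < PAGE_SIZE)
+			return true;
+		if ((*(u32 *)cred->security & 0xffffff00) ==
+		    (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
+			return true;
+	}
 #endif
 	return false;
 }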
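Review bot: The new `if (selinux_is_enabled())` gate in the second hunk has no comment saying why a NULL or unallocated `cred->security` is legitimate when SELinux is not enabled, so a later reader may take the skipped check for a missing one and "fix" it back. A one-line comment above the gate would carry the intent: `/* cred->security is only allocated when SELinux is enabled; otherwise it is legitimately NULL, so the poison check below must be skipped. */`. Note also that the inner check still dereferences `cred->security` as a `u32` after only a `< PAGE_SIZE` test, so it remains a debug-only heuristic rather than a validation of the blob; the comment should say so. The enclosing `creds_are_invalid` starts before the hunk.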
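--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -61,6 +61,11 @@ void selinux_secmark_refcount_inc(void);
  * existing SECMARK targets has been removed/flushed.
  */
 void selinux_secmark_refcount_dec(void);
+
+/**
+ * selinux_is_enabled - is SELinux enabled?
+ */
+bool selinux_is_enabled(void);
 #else
 
 static inline int selinux_string_to_sid(const char *str, u32 *sid)
@@ -84,6 +89,10 @@ static inline void selinux_secmark_refcount_dec(void)
 	return;
 }
 
+static bool selinux_is_enabled(void)
+{
+	return false;
+}
 #endif /* CONFIG_SECURITY_SELINUX */
 
 #endif /* _LINUX_SELINUX_H */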
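Review bot: The `!CONFIG_SECURITY_SELINUX` stub in the second hunk is declared `static bool selinux_is_enabled(void)` without `inline`, unlike the sibling stubs in this header such as `static inline int selinux_string_to_sid(...)`; a non-inline static function defined in a header produces an unused-function warning in every translation unit that includes the header but never calls it, and since cred.h now pulls this header in, that is most of the kernel. The declaration should read `static inline bool selinux_is_enabled(void)`. The `/** selinux_is_enabled - is SELinux enabled? */` kernel-doc in the first hunk could also state what "enabled" means here, since the exported implementation returns a runtime flag rather than the build-time option; something like `Returns true if SELinux was built in and has not been disabled at boot or at runtime` would settle it, hedged against the actual semantics of that flag.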
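--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -63,3 +63,9 @@ void selinux_secmark_refcount_dec(void)
 	atomic_dec(&selinux_secmark_refcount);
 }
 EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);
+
+bool selinux_is_enabled(void)
+{
+	return selinux_enabled;
+}
+EXPORT_SYMBOL_GPL(selinux_is_enabled);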