diff options
author | James Morris <james.l.morris@oracle.com> | 2014-05-26 08:38:46 -0400 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2014-05-26 08:38:46 -0400 |
commit | 92953ff38ba59b4f7b1a54ab28b84be35fafaecc (patch) | |
tree | 235ddd61f28c3030838ebbe5655fccfd1468042c | |
parent | 2fd4e6698f0863f47558e63b67c7c3a026513541 (diff) | |
parent | 47dd0b76ace953bd2c0479076db0d3e3b9594003 (diff) |
Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next
-rw-r--r-- | security/selinux/avc.c | 7 | ||||
-rw-r--r-- | security/selinux/hooks.c | 11 | ||||
-rw-r--r-- | security/selinux/include/avc.h | 4 | ||||
-rw-r--r-- | security/selinux/ss/hashtab.c | 3 | ||||
-rw-r--r-- | security/selinux/ss/mls.c | 2 |
5 files changed, 20 insertions, 7 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index fc3e6628a864..a18f1fa6440b 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -444,11 +444,15 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | |||
444 | avc_dump_query(ab, ad->selinux_audit_data->ssid, | 444 | avc_dump_query(ab, ad->selinux_audit_data->ssid, |
445 | ad->selinux_audit_data->tsid, | 445 | ad->selinux_audit_data->tsid, |
446 | ad->selinux_audit_data->tclass); | 446 | ad->selinux_audit_data->tclass); |
447 | if (ad->selinux_audit_data->denied) { | ||
448 | audit_log_format(ab, " permissive=%u", | ||
449 | ad->selinux_audit_data->result ? 0 : 1); | ||
450 | } | ||
447 | } | 451 | } |
448 | 452 | ||
449 | /* This is the slow part of avc audit with big stack footprint */ | 453 | /* This is the slow part of avc audit with big stack footprint */ |
450 | noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, | 454 | noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, |
451 | u32 requested, u32 audited, u32 denied, | 455 | u32 requested, u32 audited, u32 denied, int result, |
452 | struct common_audit_data *a, | 456 | struct common_audit_data *a, |
453 | unsigned flags) | 457 | unsigned flags) |
454 | { | 458 | { |
@@ -477,6 +481,7 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, | |||
477 | sad.tsid = tsid; | 481 | sad.tsid = tsid; |
478 | sad.audited = audited; | 482 | sad.audited = audited; |
479 | sad.denied = denied; | 483 | sad.denied = denied; |
484 | sad.result = result; | ||
480 | 485 | ||
481 | a->selinux_audit_data = &sad; | 486 | a->selinux_audit_data = &sad; |
482 | 487 | ||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6ab22720c277..d4cbf7d16f07 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -2123,11 +2123,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
2123 | new_tsec->exec_sid = 0; | 2123 | new_tsec->exec_sid = 0; |
2124 | 2124 | ||
2125 | /* | 2125 | /* |
2126 | * Minimize confusion: if no_new_privs and a transition is | 2126 | * Minimize confusion: if no_new_privs or nosuid and a |
2127 | * explicitly requested, then fail the exec. | 2127 | * transition is explicitly requested, then fail the exec. |
2128 | */ | 2128 | */ |
2129 | if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) | 2129 | if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) |
2130 | return -EPERM; | 2130 | return -EPERM; |
2131 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) | ||
2132 | return -EACCES; | ||
2131 | } else { | 2133 | } else { |
2132 | /* Check for a default transition on this program. */ | 2134 | /* Check for a default transition on this program. */ |
2133 | rc = security_transition_sid(old_tsec->sid, isec->sid, | 2135 | rc = security_transition_sid(old_tsec->sid, isec->sid, |
@@ -2770,6 +2772,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na | |||
2770 | 2772 | ||
2771 | static noinline int audit_inode_permission(struct inode *inode, | 2773 | static noinline int audit_inode_permission(struct inode *inode, |
2772 | u32 perms, u32 audited, u32 denied, | 2774 | u32 perms, u32 audited, u32 denied, |
2775 | int result, | ||
2773 | unsigned flags) | 2776 | unsigned flags) |
2774 | { | 2777 | { |
2775 | struct common_audit_data ad; | 2778 | struct common_audit_data ad; |
@@ -2780,7 +2783,7 @@ static noinline int audit_inode_permission(struct inode *inode, | |||
2780 | ad.u.inode = inode; | 2783 | ad.u.inode = inode; |
2781 | 2784 | ||
2782 | rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, | 2785 | rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, |
2783 | audited, denied, &ad, flags); | 2786 | audited, denied, result, &ad, flags); |
2784 | if (rc) | 2787 | if (rc) |
2785 | return rc; | 2788 | return rc; |
2786 | return 0; | 2789 | return 0; |
@@ -2822,7 +2825,7 @@ static int selinux_inode_permission(struct inode *inode, int mask) | |||
2822 | if (likely(!audited)) | 2825 | if (likely(!audited)) |
2823 | return rc; | 2826 | return rc; |
2824 | 2827 | ||
2825 | rc2 = audit_inode_permission(inode, perms, audited, denied, flags); | 2828 | rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); |
2826 | if (rc2) | 2829 | if (rc2) |
2827 | return rc2; | 2830 | return rc2; |
2828 | return rc; | 2831 | return rc; |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index f53ee3c58d0f..ddf8eec03f21 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
@@ -102,7 +102,7 @@ static inline u32 avc_audit_required(u32 requested, | |||
102 | } | 102 | } |
103 | 103 | ||
104 | int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, | 104 | int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, |
105 | u32 requested, u32 audited, u32 denied, | 105 | u32 requested, u32 audited, u32 denied, int result, |
106 | struct common_audit_data *a, | 106 | struct common_audit_data *a, |
107 | unsigned flags); | 107 | unsigned flags); |
108 | 108 | ||
@@ -137,7 +137,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, | |||
137 | if (likely(!audited)) | 137 | if (likely(!audited)) |
138 | return 0; | 138 | return 0; |
139 | return slow_avc_audit(ssid, tsid, tclass, | 139 | return slow_avc_audit(ssid, tsid, tclass, |
140 | requested, audited, denied, | 140 | requested, audited, denied, result, |
141 | a, 0); | 141 | a, 0); |
142 | } | 142 | } |
143 | 143 | ||
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c index 933e735bb185..2cc496149842 100644 --- a/security/selinux/ss/hashtab.c +++ b/security/selinux/ss/hashtab.c | |||
@@ -6,6 +6,7 @@ | |||
6 | #include <linux/kernel.h> | 6 | #include <linux/kernel.h> |
7 | #include <linux/slab.h> | 7 | #include <linux/slab.h> |
8 | #include <linux/errno.h> | 8 | #include <linux/errno.h> |
9 | #include <linux/sched.h> | ||
9 | #include "hashtab.h" | 10 | #include "hashtab.h" |
10 | 11 | ||
11 | struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), | 12 | struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), |
@@ -40,6 +41,8 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum) | |||
40 | u32 hvalue; | 41 | u32 hvalue; |
41 | struct hashtab_node *prev, *cur, *newnode; | 42 | struct hashtab_node *prev, *cur, *newnode; |
42 | 43 | ||
44 | cond_resched(); | ||
45 | |||
43 | if (!h || h->nel == HASHTAB_MAX_NODES) | 46 | if (!h || h->nel == HASHTAB_MAX_NODES) |
44 | return -EINVAL; | 47 | return -EINVAL; |
45 | 48 | ||
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index c85bc1ec040c..d307b37ddc2b 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
@@ -492,6 +492,8 @@ int mls_convert_context(struct policydb *oldp, | |||
492 | rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1); | 492 | rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1); |
493 | if (rc) | 493 | if (rc) |
494 | return rc; | 494 | return rc; |
495 | |||
496 | cond_resched(); | ||
495 | } | 497 | } |
496 | ebitmap_destroy(&c->range.level[l].cat); | 498 | ebitmap_destroy(&c->range.level[l].cat); |
497 | c->range.level[l].cat = bitmap; | 499 | c->range.level[l].cat = bitmap; |