Merge branch 'next' into for-linus

author: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2012-03-19 20:02:01 -0400
committer: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2012-03-19 20:02:01 -0400
commit: 10ce3cc919f50c2043b41ca968b43c26a3672600 (patch)
tree: ea409366a5208aced495bc0516a08b81fd43222e /security/selinux/hooks.c
parent: 24e3e5ae1e4c2a3a32f5b1f96b4e3fd721806acd (diff)
parent: 5c6a7a62c130afef3d61c1dee153012231ff5cd9 (diff)
1 files changed, 22 insertions, 43 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1126c10a5e82..6a3683e28426 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1090,7 +1090,7 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
                        return SECCLASS_NETLINK_ROUTE_SOCKET;
                case NETLINK_FIREWALL:
                        return SECCLASS_NETLINK_FIREWALL_SOCKET;
-                case NETLINK_INET_DIAG:
+                case NETLINK_SOCK_DIAG:
                        return SECCLASS_NETLINK_TCPDIAG_SOCKET;
                case NETLINK_NFLOG:
                        return SECCLASS_NETLINK_NFLOG_SOCKET;
@@ -1415,8 +1415,7 @@ static int current_has_perm(const struct task_struct *tsk,
 #endif
 /* Check whether a task is allowed to use a capability. */
-static int task_has_capability(struct task_struct *tsk,
+static int cred_has_capability(const struct cred *cred,
-                               const struct cred *cred,
                               int cap, int audit)
 {
        struct common_audit_data ad;
@@ -1427,7 +1426,7 @@ static int task_has_capability(struct task_struct *tsk,
        int rc;
        COMMON_AUDIT_DATA_INIT(&ad, CAP);
-        ad.tsk = tsk;
+        ad.tsk = current;
        ad.u.cap = cap;
        switch (CAP_TO_INDEX(cap)) {
@@ -1740,7 +1739,7 @@ static inline u32 file_mask_to_av(int mode, int mask)
 {
        u32 av = 0;
-        if ((mode & S_IFMT) != S_IFDIR) {
+        if (!S_ISDIR(mode)) {
                if (mask & MAY_EXEC)
                        av |= FILE__EXECUTE;
                if (mask & MAY_READ)
@@ -1811,7 +1810,7 @@ static int selinux_ptrace_access_check(struct task_struct *child,
        if (rc)
                return rc;
-        if (mode == PTRACE_MODE_READ) {
+        if (mode & PTRACE_MODE_READ) {
                u32 sid = current_sid();
                u32 csid = task_sid(child);
                return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
@@ -1868,16 +1867,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
 */
-static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
+static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
-                           struct user_namespace *ns, int cap, int audit)
+                           int cap, int audit)
 {
        int rc;
-        rc = cap_capable(tsk, cred, ns, cap, audit);
+        rc = cap_capable(cred, ns, cap, audit);
        if (rc)
                return rc;
-        return task_has_capability(tsk, cred, cap, audit);
+        return cred_has_capability(cred, cap, audit);
 }
 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
@@ -1954,8 +1953,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int rc, cap_sys_admin = 0;
-        rc = selinux_capable(current, current_cred(),
+        rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
-                             &init_user_ns, CAP_SYS_ADMIN,
                             SECURITY_CAP_NOAUDIT);
        if (rc == 0)
                cap_sys_admin = 1;
@@ -2507,7 +2505,7 @@ static int selinux_mount(char *dev_name,
        const struct cred *cred = current_cred();
        if (flags & MS_REMOUNT)
-                return superblock_has_perm(cred, path->mnt->mnt_sb,
+                return superblock_has_perm(cred, path->dentry->d_sb,
                                           FILESYSTEM__REMOUNT, NULL);
        else
                return path_has_perm(cred, path, FILE__MOUNTON);
@@ -2598,7 +2596,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
        return 0;
 }
-static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
+static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
 {
        return may_create(dir, dentry, SECCLASS_FILE);
 }
@@ -2618,7 +2616,7 @@ static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const
        return may_create(dir, dentry, SECCLASS_LNK_FILE);
 }
-static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
+static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
 {
        return may_create(dir, dentry, SECCLASS_DIR);
 }
@@ -2628,7 +2626,7 @@ static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
        return may_link(dir, dentry, MAY_RMDIR);
 }
-static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
 {
        return may_create(dir, dentry, inode_mode_to_security_class(mode));
 }
@@ -2859,8 +2857,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
         * and lack of permission just means that we fall back to the
         * in-core context value, not a denial.
         */
-        error = selinux_capable(current, current_cred(),
+        error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
-                                &init_user_ns, CAP_MAC_ADMIN,
                                SECURITY_CAP_NOAUDIT);
        if (!error)
                error = security_sid_to_context_force(isec->sid, &context,
@@ -2993,8 +2990,8 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
        case KDSKBENT:
        case KDSKBSENT:
-                error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
+                error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
-                                        SECURITY_CAP_AUDIT);
+                                            SECURITY_CAP_AUDIT);
                break;
        /* default case assumes that the command will go
@@ -3561,19 +3558,20 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
        u8 nexthdr;
        int ret = -EINVAL, offset;
        struct ipv6hdr _ipv6h, *ip6;
+        __be16 frag_off;
        offset = skb_network_offset(skb);
        ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
        if (ip6 == NULL)
                goto out;
-        ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
+        ad->u.net.v6info.saddr = ip6->saddr;
-        ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
+        ad->u.net.v6info.daddr = ip6->daddr;
        ret = 0;
        nexthdr = ip6->nexthdr;
        offset += sizeof(_ipv6h);
-        offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
+        offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
        if (offset < 0)
                goto out;
@@ -3871,7 +3869,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                if (family == PF_INET)
                        ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
                else
-                        ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
+                        ad.u.net.v6info.saddr = addr6->sin6_addr;
                err = avc_has_perm(sksec->sid, sid,
                                   sksec->sclass, node_perm, &ad);
@@ -4717,24 +4715,6 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
        return selinux_nlmsg_perm(sk, skb);
 }
-static int selinux_netlink_recv(struct sk_buff *skb, int capability)
-{
-        int err;
-        struct common_audit_data ad;
-        u32 sid;
-        err = cap_netlink_recv(skb, capability);
-        if (err)
-                return err;
-        COMMON_AUDIT_DATA_INIT(&ad, CAP);
-        ad.u.cap = capability;
-        security_task_getsecid(current, &sid);
-        return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
-                            CAP_TO_MASK(capability), &ad);
-}
 static int ipc_alloc_security(struct task_struct *task,
                              struct kern_ipc_perm *perm,
                              u16 sclass)
@@ -5463,7 +5443,6 @@ static struct security_operations selinux_ops = {
        .vm_enough_memory =             selinux_vm_enough_memory,
        .netlink_send =                 selinux_netlink_send,
-        .netlink_recv =                 selinux_netlink_recv,
        .bprm_set_creds =               selinux_bprm_set_creds,
        .bprm_committing_creds =        selinux_bprm_committing_creds,
author	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2012-03-19 20:02:01 -0400
committer	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2012-03-19 20:02:01 -0400
commit	10ce3cc919f50c2043b41ca968b43c26a3672600 (patch)
tree	ea409366a5208aced495bc0516a08b81fd43222e /security/selinux/hooks.c
parent	24e3e5ae1e4c2a3a32f5b1f96b4e3fd721806acd (diff)
parent	5c6a7a62c130afef3d61c1dee153012231ff5cd9 (diff)