aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2009-01-06 17:58:22 -0500
committerJames Morris <jmorris@namei.org>2009-01-06 17:58:22 -0500
commitac8cc0fa5395fe2278e305a4cbed48e90d88d878 (patch)
tree515f577bfddd054ee4373228be7c974dfb8133af /security/selinux/hooks.c
parent238c6d54830c624f34ac9cf123ac04aebfca5013 (diff)
parent3699c53c485bf0168e6500d0ed18bf931584dd7c (diff)
Merge branch 'next' into for-linus
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c22
1 files changed, 13 insertions, 9 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dbeaa783b2a9..00815973d412 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1433,12 +1433,13 @@ static int current_has_perm(const struct task_struct *tsk,
1433 1433
1434/* Check whether a task is allowed to use a capability. */ 1434/* Check whether a task is allowed to use a capability. */
1435static int task_has_capability(struct task_struct *tsk, 1435static int task_has_capability(struct task_struct *tsk,
1436 const struct cred *cred,
1436 int cap, int audit) 1437 int cap, int audit)
1437{ 1438{
1438 struct avc_audit_data ad; 1439 struct avc_audit_data ad;
1439 struct av_decision avd; 1440 struct av_decision avd;
1440 u16 sclass; 1441 u16 sclass;
1441 u32 sid = task_sid(tsk); 1442 u32 sid = cred_sid(cred);
1442 u32 av = CAP_TO_MASK(cap); 1443 u32 av = CAP_TO_MASK(cap);
1443 int rc; 1444 int rc;
1444 1445
@@ -1865,15 +1866,16 @@ static int selinux_capset(struct cred *new, const struct cred *old,
1865 return cred_has_perm(old, new, PROCESS__SETCAP); 1866 return cred_has_perm(old, new, PROCESS__SETCAP);
1866} 1867}
1867 1868
1868static int selinux_capable(struct task_struct *tsk, int cap, int audit) 1869static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1870 int cap, int audit)
1869{ 1871{
1870 int rc; 1872 int rc;
1871 1873
1872 rc = secondary_ops->capable(tsk, cap, audit); 1874 rc = secondary_ops->capable(tsk, cred, cap, audit);
1873 if (rc) 1875 if (rc)
1874 return rc; 1876 return rc;
1875 1877
1876 return task_has_capability(tsk, cap, audit); 1878 return task_has_capability(tsk, cred, cap, audit);
1877} 1879}
1878 1880
1879static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1881static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -2037,7 +2039,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2037{ 2039{
2038 int rc, cap_sys_admin = 0; 2040 int rc, cap_sys_admin = 0;
2039 2041
2040 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT); 2042 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2043 SECURITY_CAP_NOAUDIT);
2041 if (rc == 0) 2044 if (rc == 0)
2042 cap_sys_admin = 1; 2045 cap_sys_admin = 1;
2043 2046
@@ -2880,7 +2883,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2880 * and lack of permission just means that we fall back to the 2883 * and lack of permission just means that we fall back to the
2881 * in-core context value, not a denial. 2884 * in-core context value, not a denial.
2882 */ 2885 */
2883 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT); 2886 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2887 SECURITY_CAP_NOAUDIT);
2884 if (!error) 2888 if (!error)
2885 error = security_sid_to_context_force(isec->sid, &context, 2889 error = security_sid_to_context_force(isec->sid, &context,
2886 &size); 2890 &size);
@@ -4185,7 +4189,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4185static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4189static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4186 u16 family) 4190 u16 family)
4187{ 4191{
4188 int err; 4192 int err = 0;
4189 struct sk_security_struct *sksec = sk->sk_security; 4193 struct sk_security_struct *sksec = sk->sk_security;
4190 u32 peer_sid; 4194 u32 peer_sid;
4191 u32 sk_sid = sksec->sid; 4195 u32 sk_sid = sksec->sid;
@@ -4202,7 +4206,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4202 if (selinux_compat_net) 4206 if (selinux_compat_net)
4203 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad, 4207 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4204 family, addrp); 4208 family, addrp);
4205 else 4209 else if (selinux_secmark_enabled())
4206 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4210 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4207 PACKET__RECV, &ad); 4211 PACKET__RECV, &ad);
4208 if (err) 4212 if (err)
@@ -4705,7 +4709,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4705 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, 4709 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4706 &ad, family, addrp)) 4710 &ad, family, addrp))
4707 return NF_DROP; 4711 return NF_DROP;
4708 } else { 4712 } else if (selinux_secmark_enabled()) {
4709 if (avc_has_perm(sksec->sid, skb->secmark, 4713 if (avc_has_perm(sksec->sid, skb->secmark,
4710 SECCLASS_PACKET, PACKET__SEND, &ad)) 4714 SECCLASS_PACKET, PACKET__SEND, &ad))
4711 return NF_DROP; 4715 return NF_DROP;