diff options
author | David P. Quigley <dpquigl@tycho.nsa.gov> | 2009-01-16 09:22:02 -0500 |
---|---|---|
committer | James Morris <jmorris@macbook.localdomain> | 2009-01-18 17:46:40 -0500 |
commit | 0d90a7ec48c704025307b129413bc62451b20ab3 (patch) | |
tree | 38cc8a7f5ff3afaccd16d2978455ccc002d69933 /security/selinux/hooks.c | |
parent | c8334dc8fb6413b363df3e1419e287f5b25bce32 (diff) |
SELinux: Condense super block security structure flags and cleanup necessary code.
The super block security structure currently has three fields for what are
essentially flags. The flags field is used for mount options while two other
char fields are used for initialization and proc flags. These latter two fields are
essentially bit fields since the only used values are 0 and 1. These fields
have been collapsed into the flags field and new bit masks have been added for
them. The code is also fixed to work with these new flags.
Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@macbook.localdomain>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 38 |
1 files changed, 18 insertions, 20 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 00815973d412..473adc5f4f9a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -431,7 +431,7 @@ static int sb_finish_set_opts(struct super_block *sb) | |||
431 | } | 431 | } |
432 | } | 432 | } |
433 | 433 | ||
434 | sbsec->initialized = 1; | 434 | sbsec->flags |= SE_SBINITIALIZED; |
435 | 435 | ||
436 | if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) | 436 | if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) |
437 | printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", | 437 | printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", |
@@ -487,17 +487,13 @@ static int selinux_get_mnt_opts(const struct super_block *sb, | |||
487 | 487 | ||
488 | security_init_mnt_opts(opts); | 488 | security_init_mnt_opts(opts); |
489 | 489 | ||
490 | if (!sbsec->initialized) | 490 | if (!(sbsec->flags & SE_SBINITIALIZED)) |
491 | return -EINVAL; | 491 | return -EINVAL; |
492 | 492 | ||
493 | if (!ss_initialized) | 493 | if (!ss_initialized) |
494 | return -EINVAL; | 494 | return -EINVAL; |
495 | 495 | ||
496 | /* | 496 | tmp = sbsec->flags & SE_MNTMASK; |
497 | * if we ever use sbsec flags for anything other than tracking mount | ||
498 | * settings this is going to need a mask | ||
499 | */ | ||
500 | tmp = sbsec->flags; | ||
501 | /* count the number of mount options for this sb */ | 497 | /* count the number of mount options for this sb */ |
502 | for (i = 0; i < 8; i++) { | 498 | for (i = 0; i < 8; i++) { |
503 | if (tmp & 0x01) | 499 | if (tmp & 0x01) |
@@ -562,8 +558,10 @@ out_free: | |||
562 | static int bad_option(struct superblock_security_struct *sbsec, char flag, | 558 | static int bad_option(struct superblock_security_struct *sbsec, char flag, |
563 | u32 old_sid, u32 new_sid) | 559 | u32 old_sid, u32 new_sid) |
564 | { | 560 | { |
561 | char mnt_flags = sbsec->flags & SE_MNTMASK; | ||
562 | |||
565 | /* check if the old mount command had the same options */ | 563 | /* check if the old mount command had the same options */ |
566 | if (sbsec->initialized) | 564 | if (sbsec->flags & SE_SBINITIALIZED) |
567 | if (!(sbsec->flags & flag) || | 565 | if (!(sbsec->flags & flag) || |
568 | (old_sid != new_sid)) | 566 | (old_sid != new_sid)) |
569 | return 1; | 567 | return 1; |
@@ -571,8 +569,8 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag, | |||
571 | /* check if we were passed the same options twice, | 569 | /* check if we were passed the same options twice, |
572 | * aka someone passed context=a,context=b | 570 | * aka someone passed context=a,context=b |
573 | */ | 571 | */ |
574 | if (!sbsec->initialized) | 572 | if (!(sbsec->flags & SE_SBINITIALIZED)) |
575 | if (sbsec->flags & flag) | 573 | if (mnt_flags & flag) |
576 | return 1; | 574 | return 1; |
577 | return 0; | 575 | return 0; |
578 | } | 576 | } |
@@ -626,7 +624,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
626 | * this sb does not set any security options. (The first options | 624 | * this sb does not set any security options. (The first options |
627 | * will be used for both mounts) | 625 | * will be used for both mounts) |
628 | */ | 626 | */ |
629 | if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) | 627 | if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) |
630 | && (num_opts == 0)) | 628 | && (num_opts == 0)) |
631 | goto out; | 629 | goto out; |
632 | 630 | ||
@@ -690,19 +688,19 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
690 | } | 688 | } |
691 | } | 689 | } |
692 | 690 | ||
693 | if (sbsec->initialized) { | 691 | if (sbsec->flags & SE_SBINITIALIZED) { |
694 | /* previously mounted with options, but not on this attempt? */ | 692 | /* previously mounted with options, but not on this attempt? */ |
695 | if (sbsec->flags && !num_opts) | 693 | if ((sbsec->flags & SE_MNTMASK) && !num_opts) |
696 | goto out_double_mount; | 694 | goto out_double_mount; |
697 | rc = 0; | 695 | rc = 0; |
698 | goto out; | 696 | goto out; |
699 | } | 697 | } |
700 | 698 | ||
701 | if (strcmp(sb->s_type->name, "proc") == 0) | 699 | if (strcmp(sb->s_type->name, "proc") == 0) |
702 | sbsec->proc = 1; | 700 | sbsec->flags |= SE_SBPROC; |
703 | 701 | ||
704 | /* Determine the labeling behavior to use for this filesystem type. */ | 702 | /* Determine the labeling behavior to use for this filesystem type. */ |
705 | rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); | 703 | rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); |
706 | if (rc) { | 704 | if (rc) { |
707 | printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", | 705 | printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", |
708 | __func__, sb->s_type->name, rc); | 706 | __func__, sb->s_type->name, rc); |
@@ -806,10 +804,10 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, | |||
806 | } | 804 | } |
807 | 805 | ||
808 | /* how can we clone if the old one wasn't set up?? */ | 806 | /* how can we clone if the old one wasn't set up?? */ |
809 | BUG_ON(!oldsbsec->initialized); | 807 | BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); |
810 | 808 | ||
811 | /* if fs is reusing a sb, just let its options stand... */ | 809 | /* if fs is reusing a sb, just let its options stand... */ |
812 | if (newsbsec->initialized) | 810 | if (newsbsec->flags & SE_SBINITIALIZED) |
813 | return; | 811 | return; |
814 | 812 | ||
815 | mutex_lock(&newsbsec->lock); | 813 | mutex_lock(&newsbsec->lock); |
@@ -1209,7 +1207,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1209 | goto out_unlock; | 1207 | goto out_unlock; |
1210 | 1208 | ||
1211 | sbsec = inode->i_sb->s_security; | 1209 | sbsec = inode->i_sb->s_security; |
1212 | if (!sbsec->initialized) { | 1210 | if (!(sbsec->flags & SE_SBINITIALIZED)) { |
1213 | /* Defer initialization until selinux_complete_init, | 1211 | /* Defer initialization until selinux_complete_init, |
1214 | after the initial policy is loaded and the security | 1212 | after the initial policy is loaded and the security |
1215 | server is ready to handle calls. */ | 1213 | server is ready to handle calls. */ |
@@ -1326,7 +1324,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1326 | /* Default to the fs superblock SID. */ | 1324 | /* Default to the fs superblock SID. */ |
1327 | isec->sid = sbsec->sid; | 1325 | isec->sid = sbsec->sid; |
1328 | 1326 | ||
1329 | if (sbsec->proc && !S_ISLNK(inode->i_mode)) { | 1327 | if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { |
1330 | struct proc_inode *proci = PROC_I(inode); | 1328 | struct proc_inode *proci = PROC_I(inode); |
1331 | if (proci->pde) { | 1329 | if (proci->pde) { |
1332 | isec->sclass = inode_mode_to_security_class(inode->i_mode); | 1330 | isec->sclass = inode_mode_to_security_class(inode->i_mode); |
@@ -2585,7 +2583,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
2585 | } | 2583 | } |
2586 | 2584 | ||
2587 | /* Possibly defer initialization to selinux_complete_init. */ | 2585 | /* Possibly defer initialization to selinux_complete_init. */ |
2588 | if (sbsec->initialized) { | 2586 | if (sbsec->flags & SE_SBINITIALIZED) { |
2589 | struct inode_security_struct *isec = inode->i_security; | 2587 | struct inode_security_struct *isec = inode->i_security; |
2590 | isec->sclass = inode_mode_to_security_class(inode->i_mode); | 2588 | isec->sclass = inode_mode_to_security_class(inode->i_mode); |
2591 | isec->sid = newsid; | 2589 | isec->sid = newsid; |