author | Ingo Molnar <mingo@elte.hu> | 2009-04-05 19:41:22 -0400 |
---|---|---|
committer | Ingo Molnar <mingo@elte.hu> | 2009-04-05 19:41:22 -0400 |
commit | 9efe21cb82b5dbe3b0b2ae4de4eccc64ecb94e95 (patch) | |
tree | 7ff8833745d2f268f897f6fa4a27263b4a572245 /security/selinux/include | |
parent | de18836e447c2dc30120c0919b8db8ddc0401cc4 (diff) | |
parent | 0221c81b1b8eb0cbb6b30a0ced52ead32d2b4e4c (diff) |
Merge branch 'linus' into irq/threaded
Conflicts:
include/linux/irq.h
kernel/irq/handle.c
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/av_perm_to_string.h | 2 | ||||
-rw-r--r-- | security/selinux/include/av_permissions.h | 2 | ||||
-rw-r--r-- | security/selinux/include/netlabel.h | 27 | ||||
-rw-r--r-- | security/selinux/include/objsec.h | 2 | ||||
-rw-r--r-- | security/selinux/include/security.h | 9 |
5 files changed, 25 insertions, 17 deletions
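--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -24,6 +24,7 @@
 S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
 S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
 S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
+S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
 S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
 S_(SECCLASS_FD, FD__USE, "use")
 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
@@ -152,6 +153,7 @@
 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
+S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")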
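--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -174,6 +174,7 @@
 #define SOCK_FILE__SWAPON 0x00004000UL
 #define SOCK_FILE__QUOTAON 0x00008000UL
 #define SOCK_FILE__MOUNTON 0x00010000UL
+#define SOCK_FILE__OPEN 0x00020000UL
 #define FIFO_FILE__IOCTL 0x00000001UL
 #define FIFO_FILE__READ 0x00000002UL
 #define FIFO_FILE__WRITE 0x00000004UL
@@ -707,6 +708,7 @@
 #define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL
 #define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL
 #define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL
+#define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT 0x04000000UL
 #define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL
 #define NETLINK_IP6FW_SOCKET__READ 0x00000002UL
 #define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL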
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index b913c8d06038..b4b5b9b2f0be 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h | |||
@@ -32,6 +32,7 @@ | |||
32 | #include <linux/net.h> | 32 | #include <linux/net.h> |
33 | #include <linux/skbuff.h> | 33 | #include <linux/skbuff.h> |
34 | #include <net/sock.h> | 34 | #include <net/sock.h> |
35 | #include <net/request_sock.h> | ||
35 | 36 | ||
36 | #include "avc.h" | 37 | #include "avc.h" |
37 | #include "objsec.h" | 38 | #include "objsec.h" |
@@ -42,8 +43,7 @@ void selinux_netlbl_cache_invalidate(void); | |||
42 | void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway); | 43 | void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway); |
43 | 44 | ||
44 | void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec); | 45 | void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec); |
45 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, | 46 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec); |
46 | int family); | ||
47 | 47 | ||
48 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, | 48 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
49 | u16 family, | 49 | u16 family, |
@@ -53,9 +53,9 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, | |||
53 | u16 family, | 53 | u16 family, |
54 | u32 sid); | 54 | u32 sid); |
55 | 55 | ||
56 | void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family); | 56 | int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family); |
57 | int selinux_netlbl_socket_post_create(struct socket *sock); | 57 | void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family); |
58 | int selinux_netlbl_inode_permission(struct inode *inode, int mask); | 58 | int selinux_netlbl_socket_post_create(struct sock *sk, u16 family); |
59 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | 59 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, |
60 | struct sk_buff *skb, | 60 | struct sk_buff *skb, |
61 | u16 family, | 61 | u16 family, |
@@ -85,8 +85,7 @@ static inline void selinux_netlbl_sk_security_free( | |||
85 | } | 85 | } |
86 | 86 | ||
87 | static inline void selinux_netlbl_sk_security_reset( | 87 | static inline void selinux_netlbl_sk_security_reset( |
88 | struct sk_security_struct *ssec, | 88 | struct sk_security_struct *ssec) |
89 | int family) | ||
90 | { | 89 | { |
91 | return; | 90 | return; |
92 | } | 91 | } |
@@ -113,17 +112,17 @@ static inline int selinux_netlbl_conn_setsid(struct sock *sk, | |||
113 | return 0; | 112 | return 0; |
114 | } | 113 | } |
115 | 114 | ||
116 | static inline void selinux_netlbl_inet_conn_established(struct sock *sk, | 115 | static inline int selinux_netlbl_inet_conn_request(struct request_sock *req, |
117 | u16 family) | 116 | u16 family) |
118 | { | 117 | { |
119 | return; | 118 | return 0; |
120 | } | 119 | } |
121 | static inline int selinux_netlbl_socket_post_create(struct socket *sock) | 120 | static inline void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) |
122 | { | 121 | { |
123 | return 0; | 122 | return; |
124 | } | 123 | } |
125 | static inline int selinux_netlbl_inode_permission(struct inode *inode, | 124 | static inline int selinux_netlbl_socket_post_create(struct sock *sk, |
126 | int mask) | 125 | u16 family) |
127 | { | 126 | { |
128 | return 0; | 127 | return 0; |
129 | } | 128 | } |
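--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -60,9 +60,7 @@ struct superblock_security_struct {
 u32 def_sid; /* default SID for labeling */
 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
 unsigned int behavior; /* labeling behavior */
-unsigned char initialized; /* initialization flag */
 unsigned char flags; /* which mount options were specified */
-unsigned char proc; /* proc fs */
 struct mutex lock;
 struct list_head isec_head;
 spinlock_t isec_lock;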
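--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -37,15 +37,23 @@
 #define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY
 #endif
 
+/* Mask for just the mount related flags */
+#define SE_MNTMASK 0x0f
+/* Super block security struct flags for mount options */
 #define CONTEXT_MNT 0x01
 #define FSCONTEXT_MNT 0x02
 #define ROOTCONTEXT_MNT 0x04
 #define DEFCONTEXT_MNT 0x08
+/* Non-mount related flags */
+#define SE_SBINITIALIZED 0x10
+#define SE_SBPROC 0x20
+#define SE_SBLABELSUPP 0x40
 
 #define CONTEXT_STR "context="
 #define FSCONTEXT_STR "fscontext="
 #define ROOTCONTEXT_STR "rootcontext="
 #define DEFCONTEXT_STR "defcontext="
+#define LABELSUPP_STR "seclabel"
 
 struct netlbl_lsm_secattr;
 
@@ -80,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap);
 #define SEL_VEC_MAX 32
 struct av_decision {
 u32 allowed;
-u32 decided;
 u32 auditallow;
 u32 auditdeny;
 u32 seqno;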
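Review bot: The new state bits `SE_SBINITIALIZED`, `SE_SBPROC` and `SE_SBLABELSUPP` share the superblock `flags` byte with the four mount-option bits, and nothing beside the definitions says that readers of the mount options must apply `SE_MNTMASK` first. The objsec.h section of this commit shows `flags` as `unsigned char`, so only 0x80 remains free, and a comparison of raw `flags` against requested mount options would no longer match once a state bit is set. I would extend the comment above `SE_MNTMASK` to something like `/* flags is an unsigned char: 0x01-0x08 are mount options, 0x10-0x40 are internal state; apply SE_MNTMASK before comparing or reporting mount options */`. The code that reads `flags` is outside this section, so whether every reader masks cannot be confirmed here.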