authorLinus Torvalds <torvalds@linux-foundation.org>2009-06-11 13:01:41 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-06-11 13:01:41 -0400
commit3296ca27f50ecbd71db1d808c7a72d311027f919 (patch)
tree833eaa58b2013bda86d4bd95faf6efad7a2d5ca4 /security/selinux/ss/services.c
parente893123c7378192c094747dadec326b7c000c190 (diff)
parent73fbad283cfbbcf02939bdbda31fc4a30e729cca (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits) nommu: Provide mmap_min_addr definition. TOMOYO: Add description of lists and structures. TOMOYO: Remove unused field. integrity: ima audit dentry_open failure TOMOYO: Remove unused parameter. security: use mmap_min_addr indepedently of security models TOMOYO: Simplify policy reader. TOMOYO: Remove redundant markers. SELinux: define audit permissions for audit tree netlink messages TOMOYO: Remove unused mutex. tomoyo: avoid get+put of task_struct smack: Remove redundant initialization. integrity: nfsd imbalance bug fix rootplug: Remove redundant initialization. smack: do not beyond ARRAY_SIZE of data integrity: move ima_counts_get integrity: path_check update IMA: Add __init notation to ima functions IMA: Minimal IMA policy and boot param for TCB IMA policy selinux: remove obsolete read buffer limit from sel_read_bool ...
Diffstat (limited to 'security/selinux/ss/services.c')
-rw-r--r--security/selinux/ss/services.c30
1 files changed, 5 insertions, 25 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index deeec6c013ae..500e6f78e115 100644
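--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -410,6 +410,7 @@ static int context_struct_compute_av(struct context *scontext,
  avd->auditallow = 0;
  avd->auditdeny = 0xffffffff;
  avd->seqno = latest_granting;
+ avd->flags = 0;
 
  /*
  * Check for all the invalid cases.
@@ -528,31 +529,6 @@ inval_class:
  return 0;
 }
 
-/*
- * Given a sid find if the type has the permissive flag set
- */
-int security_permissive_sid(u32 sid)
-{
- struct context *context;
- u32 type;
- int rc;
-
- read_lock(&policy_rwlock);
-
- context = sidtab_search(&sidtab, sid);
- BUG_ON(!context);
-
- type = context->type;
- /*
- * we are intentionally using type here, not type-1, the 0th bit may
- * someday indicate that we are globally setting permissive in policy.
- */
- rc = ebitmap_get_bit(&policydb.permissive_map, type);
-
- read_unlock(&policy_rwlock);
- return rc;
-}
-
 static int security_validtrans_handle_fail(struct context *ocontext,
  struct context *ncontext,
  struct context *tcontext,
@@ -767,6 +743,10 @@ int security_compute_av(u32 ssid,
 
  rc = context_struct_compute_av(scontext, tcontext, tclass,
  requested, avd);
+
+ /* permissive domain? */
+ if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+ avd->flags |= AVD_FLAGS_PERMISSIVE;
 out:
  read_unlock(&policy_rwlock);
  return rc;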
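Review bot: The permissive lookup added at new lines 747-749 indexes `permissive_map` with `scontext->type` rather than `type - 1`, but the comment explaining that choice is deleted along with `security_permissive_sid()`, leaving only `/* permissive domain? */`. Because this bit appears to decide whether the source domain is treated as permissive, a later off-by-one "cleanup" of the index would flag the wrong type, so I would carry the rationale over: `/* permissive domain? index by type, not type - 1: bit 0 may someday mean globally permissive */`. The flag is also OR-ed into `avd->flags` without checking `rc`, so `AVD_FLAGS_PERMISSIVE` can be reported alongside an error return; this is presumably harmless if callers ignore `avd` on failure, but worth confirming. `security_compute_av()` begins and ends outside this hunk, so the lookup that guarantees `scontext` is non-NULL is not visible here.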