author | Linus Torvalds <torvalds@linux-foundation.org> | 2010-05-20 11:55:50 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-05-20 11:55:50 -0400 |
commit | 96b5b7f4f2d59b37c1fc2fba1ae25999accd6dcd (patch) | |
tree | cda421c6cd7533940b35504660a05a366a3ece0c /security/selinux/ss/services.c | |
parent | f72caf7e496465182eeda842ac66a5e75404ddf1 (diff) | |
parent | 539c99fd7fc28f8db257c713c10fb4aceadf8887 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (61 commits)
KEYS: Return more accurate error codes
LSM: Add __init to fixup function.
TOMOYO: Add pathname grouping support.
ima: remove ACPI dependency
TPM: ACPI/PNP dependency removal
security/selinux/ss: Use kstrdup
TOMOYO: Use stack memory for pending entry.
Revert "ima: remove ACPI dependency"
Revert "TPM: ACPI/PNP dependency removal"
KEYS: Do preallocation for __key_link()
TOMOYO: Use mutex_lock_interruptible.
KEYS: Better handling of errors from construct_alloc_key()
KEYS: keyring_serialise_link_sem is only needed for keyring->keyring links
TOMOYO: Use GFP_NOFS rather than GFP_KERNEL.
ima: remove ACPI dependency
TPM: ACPI/PNP dependency removal
selinux: generalize disabling of execmem for plt-in-heap archs
LSM Audit: rename LSM_AUDIT_NO_AUDIT to LSM_AUDIT_DATA_NONE
CRED: Holding a spinlock does not imply the holding of RCU read lock
SMACK: Don't #include Ext2 headers
...
Diffstat (limited to 'security/selinux/ss/services.c')
-rw-r--r-- | security/selinux/ss/services.c | 49 |
1 files changed, 28 insertions, 21 deletions
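--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -274,15 +274,15 @@ static int constraint_expr_eval(struct context *scontext,
 case CEXPR_AND:
 BUG_ON(sp < 1);
 sp--;
-s[sp] &= s[sp+1];
+s[sp] &= s[sp + 1];
 break;
 case CEXPR_OR:
 BUG_ON(sp < 1);
 sp--;
-s[sp] |= s[sp+1];
+s[sp] |= s[sp + 1];
 break;
 case CEXPR_ATTR:
-if (sp == (CEXPR_MAXDEPTH-1))
+if (sp == (CEXPR_MAXDEPTH - 1))
 return 0;
 switch (e->attr) {
 case CEXPR_USER:
@@ -1216,7 +1216,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
 *sid = SECSID_NULL;
 
 /* Copy the string so that we can modify the copy as we parse it. */
-scontext2 = kmalloc(scontext_len+1, gfp_flags);
+scontext2 = kmalloc(scontext_len + 1, gfp_flags);
 if (!scontext2)
 return -ENOMEM;
 memcpy(scontext2, scontext, scontext_len);
@@ -1760,22 +1760,28 @@ int security_load_policy(void *data, size_t len)
 
 if (!ss_initialized) {
 avtab_cache_init();
-if (policydb_read(&policydb, fp)) {
+rc = policydb_read(&policydb, fp);
+if (rc) {
 avtab_cache_destroy();
-return -EINVAL;
+return rc;
 }
-if (selinux_set_mapping(&policydb, secclass_map,
-¤t_mapping,
-¤t_mapping_size)) {
+
+rc = selinux_set_mapping(&policydb, secclass_map,
+¤t_mapping,
+¤t_mapping_size);
+if (rc) {
 policydb_destroy(&policydb);
 avtab_cache_destroy();
-return -EINVAL;
+return rc;
 }
-if (policydb_load_isids(&policydb, &sidtab)) {
+
+rc = policydb_load_isids(&policydb, &sidtab);
+if (rc) {
 policydb_destroy(&policydb);
 avtab_cache_destroy();
-return -EINVAL;
+return rc;
 }
+
 security_load_policycaps();
 ss_initialized = 1;
 seqno = ++latest_granting;
@@ -1791,8 +1797,9 @@ int security_load_policy(void *data, size_t len)
 sidtab_hash_eval(&sidtab, "sids");
 #endif
 
-if (policydb_read(&newpolicydb, fp))
-return -EINVAL;
+rc = policydb_read(&newpolicydb, fp);
+if (rc)
+return rc;
 
 /* If switching between different policy types, log MLS status */
 if (policydb.mls_enabled && !newpolicydb.mls_enabled)
@@ -1807,8 +1814,8 @@ int security_load_policy(void *data, size_t len)
 return rc;
 }
 
-if (selinux_set_mapping(&newpolicydb, secclass_map,
-&map, &map_size))
+rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
+if (rc)
 goto err;
 
 rc = security_preserve_bools(&newpolicydb);
@@ -1819,10 +1826,10 @@ int security_load_policy(void *data, size_t len)
 
 /* Clone the SID table. */
 sidtab_shutdown(&sidtab);
-if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
-rc = -ENOMEM;
+
+rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
+if (rc)
 goto err;
-}
 
 /*
 * Convert the internal representations of contexts
@@ -2101,9 +2108,9 @@ int security_get_user_sids(u32 fromsid,
 
 ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
 role = policydb.role_val_to_struct[i];
-usercon.role = i+1;
+usercon.role = i + 1;
 ebitmap_for_each_positive_bit(&role->types, tnode, j) {
-usercon.type = j+1;
+usercon.type = j + 1;
 
 if (mls_setup_user_range(fromcon, user, &usercon))
 continue;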