diff options
| author | James Morris <jmorris@namei.org> | 2009-02-05 19:01:45 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-02-05 19:01:45 -0500 |
| commit | cb5629b10d64a8006622ce3a52bc887d91057d69 (patch) | |
| tree | 7c06d8f30783115e3384721046258ce615b129c5 /security/selinux | |
| parent | 8920d5ad6ba74ae8ab020e90cc4d976980e68701 (diff) | |
| parent | f01d1d546abb2f4028b5299092f529eefb01253a (diff) | |
Merge branch 'master' into next
Conflicts:
fs/namei.c
Manually merged per:
diff --cc fs/namei.c
index 734f2b5,bbc15c2..0000000
--- a/fs/namei.c
+++ b/fs/namei.c
@@@ -860,9 -848,8 +849,10 @@@ static int __link_path_walk(const char
nd->flags |= LOOKUP_CONTINUE;
err = exec_permission_lite(inode);
if (err == -EAGAIN)
- err = vfs_permission(nd, MAY_EXEC);
+ err = inode_permission(nd->path.dentry->d_inode,
+ MAY_EXEC);
+ if (!err)
+ err = ima_path_check(&nd->path, MAY_EXEC);
if (err)
break;
@@@ -1525,14 -1506,9 +1509,14 @@@ int may_open(struct path *path, int acc
flag &= ~O_TRUNC;
}
- error = vfs_permission(nd, acc_mode);
+ error = inode_permission(inode, acc_mode);
if (error)
return error;
+
- error = ima_path_check(&nd->path,
++ error = ima_path_check(path,
+ acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
+ if (error)
+ return error;
/*
* An append-only file must be opened in append mode for writing.
*/
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/selinuxfs.c | 4 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 26 |
2 files changed, 14 insertions, 16 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 77fb3c8d9267..01ec6d2c6b97 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
| @@ -847,8 +847,6 @@ static struct inode *sel_make_inode(struct super_block *sb, int mode) | |||
| 847 | 847 | ||
| 848 | if (ret) { | 848 | if (ret) { |
| 849 | ret->i_mode = mode; | 849 | ret->i_mode = mode; |
| 850 | ret->i_uid = ret->i_gid = 0; | ||
| 851 | ret->i_blocks = 0; | ||
| 852 | ret->i_atime = ret->i_mtime = ret->i_ctime = CURRENT_TIME; | 850 | ret->i_atime = ret->i_mtime = ret->i_ctime = CURRENT_TIME; |
| 853 | } | 851 | } |
| 854 | return ret; | 852 | return ret; |
| @@ -1211,7 +1209,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) | |||
| 1211 | { | 1209 | { |
| 1212 | int cpu; | 1210 | int cpu; |
| 1213 | 1211 | ||
| 1214 | for (cpu = *idx; cpu < NR_CPUS; ++cpu) { | 1212 | for (cpu = *idx; cpu < nr_cpu_ids; ++cpu) { |
| 1215 | if (!cpu_possible(cpu)) | 1213 | if (!cpu_possible(cpu)) |
| 1216 | continue; | 1214 | continue; |
| 1217 | *idx = cpu + 1; | 1215 | *idx = cpu + 1; |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 343c8ab14af0..c65e4fe4a0f1 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -2602,7 +2602,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) | |||
| 2602 | case AUDIT_OBJ_ROLE: | 2602 | case AUDIT_OBJ_ROLE: |
| 2603 | case AUDIT_OBJ_TYPE: | 2603 | case AUDIT_OBJ_TYPE: |
| 2604 | /* only 'equals' and 'not equals' fit user, role, and type */ | 2604 | /* only 'equals' and 'not equals' fit user, role, and type */ |
| 2605 | if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) | 2605 | if (op != Audit_equal && op != Audit_not_equal) |
| 2606 | return -EINVAL; | 2606 | return -EINVAL; |
| 2607 | break; | 2607 | break; |
| 2608 | case AUDIT_SUBJ_SEN: | 2608 | case AUDIT_SUBJ_SEN: |
| @@ -2736,10 +2736,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
| 2736 | case AUDIT_SUBJ_USER: | 2736 | case AUDIT_SUBJ_USER: |
| 2737 | case AUDIT_OBJ_USER: | 2737 | case AUDIT_OBJ_USER: |
| 2738 | switch (op) { | 2738 | switch (op) { |
| 2739 | case AUDIT_EQUAL: | 2739 | case Audit_equal: |
| 2740 | match = (ctxt->user == rule->au_ctxt.user); | 2740 | match = (ctxt->user == rule->au_ctxt.user); |
| 2741 | break; | 2741 | break; |
| 2742 | case AUDIT_NOT_EQUAL: | 2742 | case Audit_not_equal: |
| 2743 | match = (ctxt->user != rule->au_ctxt.user); | 2743 | match = (ctxt->user != rule->au_ctxt.user); |
| 2744 | break; | 2744 | break; |
| 2745 | } | 2745 | } |
| @@ -2747,10 +2747,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
| 2747 | case AUDIT_SUBJ_ROLE: | 2747 | case AUDIT_SUBJ_ROLE: |
| 2748 | case AUDIT_OBJ_ROLE: | 2748 | case AUDIT_OBJ_ROLE: |
| 2749 | switch (op) { | 2749 | switch (op) { |
| 2750 | case AUDIT_EQUAL: | 2750 | case Audit_equal: |
| 2751 | match = (ctxt->role == rule->au_ctxt.role); | 2751 | match = (ctxt->role == rule->au_ctxt.role); |
| 2752 | break; | 2752 | break; |
| 2753 | case AUDIT_NOT_EQUAL: | 2753 | case Audit_not_equal: |
| 2754 | match = (ctxt->role != rule->au_ctxt.role); | 2754 | match = (ctxt->role != rule->au_ctxt.role); |
| 2755 | break; | 2755 | break; |
| 2756 | } | 2756 | } |
| @@ -2758,10 +2758,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
| 2758 | case AUDIT_SUBJ_TYPE: | 2758 | case AUDIT_SUBJ_TYPE: |
| 2759 | case AUDIT_OBJ_TYPE: | 2759 | case AUDIT_OBJ_TYPE: |
| 2760 | switch (op) { | 2760 | switch (op) { |
| 2761 | case AUDIT_EQUAL: | 2761 | case Audit_equal: |
| 2762 | match = (ctxt->type == rule->au_ctxt.type); | 2762 | match = (ctxt->type == rule->au_ctxt.type); |
| 2763 | break; | 2763 | break; |
| 2764 | case AUDIT_NOT_EQUAL: | 2764 | case Audit_not_equal: |
| 2765 | match = (ctxt->type != rule->au_ctxt.type); | 2765 | match = (ctxt->type != rule->au_ctxt.type); |
| 2766 | break; | 2766 | break; |
| 2767 | } | 2767 | } |
| @@ -2774,31 +2774,31 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
| 2774 | field == AUDIT_OBJ_LEV_LOW) ? | 2774 | field == AUDIT_OBJ_LEV_LOW) ? |
| 2775 | &ctxt->range.level[0] : &ctxt->range.level[1]); | 2775 | &ctxt->range.level[0] : &ctxt->range.level[1]); |
| 2776 | switch (op) { | 2776 | switch (op) { |
| 2777 | case AUDIT_EQUAL: | 2777 | case Audit_equal: |
| 2778 | match = mls_level_eq(&rule->au_ctxt.range.level[0], | 2778 | match = mls_level_eq(&rule->au_ctxt.range.level[0], |
| 2779 | level); | 2779 | level); |
| 2780 | break; | 2780 | break; |
| 2781 | case AUDIT_NOT_EQUAL: | 2781 | case Audit_not_equal: |
| 2782 | match = !mls_level_eq(&rule->au_ctxt.range.level[0], | 2782 | match = !mls_level_eq(&rule->au_ctxt.range.level[0], |
| 2783 | level); | 2783 | level); |
| 2784 | break; | 2784 | break; |
| 2785 | case AUDIT_LESS_THAN: | 2785 | case Audit_lt: |
| 2786 | match = (mls_level_dom(&rule->au_ctxt.range.level[0], | 2786 | match = (mls_level_dom(&rule->au_ctxt.range.level[0], |
| 2787 | level) && | 2787 | level) && |
| 2788 | !mls_level_eq(&rule->au_ctxt.range.level[0], | 2788 | !mls_level_eq(&rule->au_ctxt.range.level[0], |
| 2789 | level)); | 2789 | level)); |
| 2790 | break; | 2790 | break; |
| 2791 | case AUDIT_LESS_THAN_OR_EQUAL: | 2791 | case Audit_le: |
| 2792 | match = mls_level_dom(&rule->au_ctxt.range.level[0], | 2792 | match = mls_level_dom(&rule->au_ctxt.range.level[0], |
| 2793 | level); | 2793 | level); |
| 2794 | break; | 2794 | break; |
| 2795 | case AUDIT_GREATER_THAN: | 2795 | case Audit_gt: |
| 2796 | match = (mls_level_dom(level, | 2796 | match = (mls_level_dom(level, |
| 2797 | &rule->au_ctxt.range.level[0]) && | 2797 | &rule->au_ctxt.range.level[0]) && |
| 2798 | !mls_level_eq(level, | 2798 | !mls_level_eq(level, |
| 2799 | &rule->au_ctxt.range.level[0])); | 2799 | &rule->au_ctxt.range.level[0])); |
| 2800 | break; | 2800 | break; |
| 2801 | case AUDIT_GREATER_THAN_OR_EQUAL: | 2801 | case Audit_ge: |
| 2802 | match = mls_level_dom(level, | 2802 | match = mls_level_dom(level, |
| 2803 | &rule->au_ctxt.range.level[0]); | 2803 | &rule->au_ctxt.range.level[0]); |
| 2804 | break; | 2804 | break; |