authorEric Paris <eparis@redhat.com>2008-04-18 17:38:33 -0400
committerJames Morris <jmorris@namei.org>2008-04-21 05:09:08 -0400
commit5d55a345c09ef1708bd341395792931a66306ba6 (patch)
tree137da17e617d8854f65ae878ebb125a0b6e9208d /security/selinux
parent1a5e6f8729266154f34c84d25bb83942f99ba002 (diff)
SELinux: services.c whitespace, syntax, and static declaraction cleanups
This patch changes services.c to fix whitespace and syntax issues. Things that are fixed may include (does not have to include): whitespace at end of lines; spaces followed by tabs; spaces used instead of tabs; spacing around parentheses; location of { around struct and else clauses; location of * in pointer declarations; removal of initialization of static data to keep it in the right section; useless {} in if statements; useless checking for NULL before kfree; fixing of the indentation depth of switch statements; and any number of other things I forgot to mention. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/ss/services.c115
1 files changed, 55 insertions, 60 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b341b8fd8c7c..fc3dfca475d6 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2,7 +2,7 @@
2 * Implementation of the security services. 2 * Implementation of the security services.
3 * 3 *
4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5 * James Morris <jmorris@redhat.com> 5 * James Morris <jmorris@redhat.com>
6 * 6 *
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 * 8 *
@@ -11,7 +11,7 @@
11 * 11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 * 13 *
14 * Added conditional policy language extensions 14 * Added conditional policy language extensions
15 * 15 *
16 * Updated: Hewlett-Packard <paul.moore@hp.com> 16 * Updated: Hewlett-Packard <paul.moore@hp.com>
17 * 17 *
@@ -27,7 +27,7 @@
27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
29 * This program is free software; you can redistribute it and/or modify 29 * This program is free software; you can redistribute it and/or modify
30 * it under the terms of the GNU General Public License as published by 30 * it under the terms of the GNU General Public License as published by
31 * the Free Software Foundation, version 2. 31 * the Free Software Foundation, version 2.
32 */ 32 */
33#include <linux/kernel.h> 33#include <linux/kernel.h>
@@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex);
82 82
83static struct sidtab sidtab; 83static struct sidtab sidtab;
84struct policydb policydb; 84struct policydb policydb;
85int ss_initialized = 0; 85int ss_initialized;
86 86
87/* 87/*
88 * The largest sequence number that has been used when 88 * The largest sequence number that has been used when
@@ -90,7 +90,7 @@ int ss_initialized = 0;
90 * The sequence number only changes when a policy change 90 * The sequence number only changes when a policy change
91 * occurs. 91 * occurs.
92 */ 92 */
93static u32 latest_granting = 0; 93static u32 latest_granting;
94 94
95/* Forward declaration. */ 95/* Forward declaration. */
96static int context_struct_to_string(struct context *context, char **scontext, 96static int context_struct_to_string(struct context *context, char **scontext,
@@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext,
163 val1 - 1); 163 val1 - 1);
164 continue; 164 continue;
165 case CEXPR_INCOMP: 165 case CEXPR_INCOMP:
166 s[++sp] = ( !ebitmap_get_bit(&r1->dominates, 166 s[++sp] = (!ebitmap_get_bit(&r1->dominates,
167 val2 - 1) && 167 val2 - 1) &&
168 !ebitmap_get_bit(&r2->dominates, 168 !ebitmap_get_bit(&r2->dominates,
169 val1 - 1) ); 169 val1 - 1));
170 continue; 170 continue;
171 default: 171 default:
172 break; 172 break;
@@ -409,7 +409,7 @@ static int context_struct_compute_av(struct context *scontext,
409 } 409 }
410 if (!ra) 410 if (!ra)
411 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 411 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
412 PROCESS__DYNTRANSITION); 412 PROCESS__DYNTRANSITION);
413 } 413 }
414 414
415 return 0; 415 return 0;
@@ -445,9 +445,9 @@ int security_permissive_sid(u32 sid)
445} 445}
446 446
447static int security_validtrans_handle_fail(struct context *ocontext, 447static int security_validtrans_handle_fail(struct context *ocontext,
448 struct context *ncontext, 448 struct context *ncontext,
449 struct context *tcontext, 449 struct context *tcontext,
450 u16 tclass) 450 u16 tclass)
451{ 451{
452 char *o = NULL, *n = NULL, *t = NULL; 452 char *o = NULL, *n = NULL, *t = NULL;
453 u32 olen, nlen, tlen; 453 u32 olen, nlen, tlen;
@@ -459,9 +459,9 @@ static int security_validtrans_handle_fail(struct context *ocontext,
459 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 459 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
460 goto out; 460 goto out;
461 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 461 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
462 "security_validate_transition: denied for" 462 "security_validate_transition: denied for"
463 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 463 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
464 o, n, t, policydb.p_class_val_to_name[tclass-1]); 464 o, n, t, policydb.p_class_val_to_name[tclass-1]);
465out: 465out:
466 kfree(o); 466 kfree(o);
467 kfree(n); 467 kfree(n);
@@ -473,7 +473,7 @@ out:
473} 473}
474 474
475int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 475int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
476 u16 tclass) 476 u16 tclass)
477{ 477{
478 struct context *ocontext; 478 struct context *ocontext;
479 struct context *ncontext; 479 struct context *ncontext;
@@ -533,9 +533,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
533 constraint = tclass_datum->validatetrans; 533 constraint = tclass_datum->validatetrans;
534 while (constraint) { 534 while (constraint) {
535 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 535 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
536 constraint->expr)) { 536 constraint->expr)) {
537 rc = security_validtrans_handle_fail(ocontext, ncontext, 537 rc = security_validtrans_handle_fail(ocontext, ncontext,
538 tcontext, tclass); 538 tcontext, tclass);
539 goto out; 539 goto out;
540 } 540 }
541 constraint = constraint->next; 541 constraint = constraint->next;
@@ -623,9 +623,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
623 623
624 /* Allocate space for the context; caller must free this space. */ 624 /* Allocate space for the context; caller must free this space. */
625 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 625 scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
626 if (!scontextp) { 626 if (!scontextp)
627 return -ENOMEM; 627 return -ENOMEM;
628 }
629 *scontext = scontextp; 628 *scontext = scontextp;
630 629
631 /* 630 /*
@@ -636,8 +635,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
636 policydb.p_role_val_to_name[context->role - 1], 635 policydb.p_role_val_to_name[context->role - 1],
637 policydb.p_type_val_to_name[context->type - 1]); 636 policydb.p_type_val_to_name[context->type - 1]);
638 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 637 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
639 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 638 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
640 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 639 1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
641 640
642 mls_sid_to_context(context, &scontextp); 641 mls_sid_to_context(context, &scontextp);
643 642
@@ -678,7 +677,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
678 char *scontextp; 677 char *scontextp;
679 678
680 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 679 *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
681 scontextp = kmalloc(*scontext_len,GFP_ATOMIC); 680 scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
682 if (!scontextp) { 681 if (!scontextp) {
683 rc = -ENOMEM; 682 rc = -ENOMEM;
684 goto out; 683 goto out;
@@ -974,7 +973,7 @@ static int security_compute_sid(u32 ssid,
974 avdatum = avtab_search(&policydb.te_avtab, &avkey); 973 avdatum = avtab_search(&policydb.te_avtab, &avkey);
975 974
976 /* If no permanent rule, also check for enabled conditional rules */ 975 /* If no permanent rule, also check for enabled conditional rules */
977 if(!avdatum) { 976 if (!avdatum) {
978 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 977 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
979 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 978 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
980 if (node->key.specified & AVTAB_ENABLED) { 979 if (node->key.specified & AVTAB_ENABLED) {
@@ -1288,26 +1287,23 @@ static int convert_context(u32 key,
1288 1287
1289 /* Convert the user. */ 1288 /* Convert the user. */
1290 usrdatum = hashtab_search(args->newp->p_users.table, 1289 usrdatum = hashtab_search(args->newp->p_users.table,
1291 args->oldp->p_user_val_to_name[c->user - 1]); 1290 args->oldp->p_user_val_to_name[c->user - 1]);
1292 if (!usrdatum) { 1291 if (!usrdatum)
1293 goto bad; 1292 goto bad;
1294 }
1295 c->user = usrdatum->value; 1293 c->user = usrdatum->value;
1296 1294
1297 /* Convert the role. */ 1295 /* Convert the role. */
1298 role = hashtab_search(args->newp->p_roles.table, 1296 role = hashtab_search(args->newp->p_roles.table,
1299 args->oldp->p_role_val_to_name[c->role - 1]); 1297 args->oldp->p_role_val_to_name[c->role - 1]);
1300 if (!role) { 1298 if (!role)
1301 goto bad; 1299 goto bad;
1302 }
1303 c->role = role->value; 1300 c->role = role->value;
1304 1301
1305 /* Convert the type. */ 1302 /* Convert the type. */
1306 typdatum = hashtab_search(args->newp->p_types.table, 1303 typdatum = hashtab_search(args->newp->p_types.table,
1307 args->oldp->p_type_val_to_name[c->type - 1]); 1304 args->oldp->p_type_val_to_name[c->type - 1]);
1308 if (!typdatum) { 1305 if (!typdatum)
1309 goto bad; 1306 goto bad;
1310 }
1311 c->type = typdatum->value; 1307 c->type = typdatum->value;
1312 1308
1313 rc = mls_convert_context(args->oldp, args->newp, c); 1309 rc = mls_convert_context(args->oldp, args->newp, c);
@@ -1556,8 +1552,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1556{ 1552{
1557 int i, fail = 0; 1553 int i, fail = 0;
1558 1554
1559 for(i = 0; i < 4; i++) 1555 for (i = 0; i < 4; i++)
1560 if(addr[i] != (input[i] & mask[i])) { 1556 if (addr[i] != (input[i] & mask[i])) {
1561 fail = 1; 1557 fail = 1;
1562 break; 1558 break;
1563 } 1559 }
@@ -1656,7 +1652,7 @@ out:
1656 */ 1652 */
1657 1653
1658int security_get_user_sids(u32 fromsid, 1654int security_get_user_sids(u32 fromsid,
1659 char *username, 1655 char *username,
1660 u32 **sids, 1656 u32 **sids,
1661 u32 *nel) 1657 u32 *nel)
1662{ 1658{
@@ -1766,7 +1762,7 @@ out:
1766 * transition SIDs or task SIDs. 1762 * transition SIDs or task SIDs.
1767 */ 1763 */
1768int security_genfs_sid(const char *fstype, 1764int security_genfs_sid(const char *fstype,
1769 char *path, 1765 char *path,
1770 u16 sclass, 1766 u16 sclass,
1771 u32 *sid) 1767 u32 *sid)
1772{ 1768{
@@ -1881,7 +1877,7 @@ int security_get_bools(int *len, char ***names, int **values)
1881 goto out; 1877 goto out;
1882 } 1878 }
1883 1879
1884 *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); 1880 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
1885 if (!*names) 1881 if (!*names)
1886 goto err; 1882 goto err;
1887 1883
@@ -1893,7 +1889,7 @@ int security_get_bools(int *len, char ***names, int **values)
1893 size_t name_len; 1889 size_t name_len;
1894 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1890 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1895 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1891 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1896 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1892 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1897 if (!(*names)[i]) 1893 if (!(*names)[i])
1898 goto err; 1894 goto err;
1899 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 1895 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
@@ -1938,11 +1934,10 @@ int security_set_bools(int len, int *values)
1938 audit_get_loginuid(current), 1934 audit_get_loginuid(current),
1939 audit_get_sessionid(current)); 1935 audit_get_sessionid(current));
1940 } 1936 }
1941 if (values[i]) { 1937 if (values[i])
1942 policydb.bool_val_to_struct[i]->state = 1; 1938 policydb.bool_val_to_struct[i]->state = 1;
1943 } else { 1939 else
1944 policydb.bool_val_to_struct[i]->state = 0; 1940 policydb.bool_val_to_struct[i]->state = 0;
1945 }
1946 } 1941 }
1947 1942
1948 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 1943 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
@@ -2435,7 +2430,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2435 2430
2436 if (!rule) { 2431 if (!rule) {
2437 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2432 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2438 "selinux_audit_rule_match: missing rule\n"); 2433 "selinux_audit_rule_match: missing rule\n");
2439 return -ENOENT; 2434 return -ENOENT;
2440 } 2435 }
2441 2436
@@ -2443,7 +2438,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2443 2438
2444 if (rule->au_seqno < latest_granting) { 2439 if (rule->au_seqno < latest_granting) {
2445 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2440 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2446 "selinux_audit_rule_match: stale rule\n"); 2441 "selinux_audit_rule_match: stale rule\n");
2447 match = -ESTALE; 2442 match = -ESTALE;
2448 goto out; 2443 goto out;
2449 } 2444 }
@@ -2451,8 +2446,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2451 ctxt = sidtab_search(&sidtab, sid); 2446 ctxt = sidtab_search(&sidtab, sid);
2452 if (!ctxt) { 2447 if (!ctxt) {
2453 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2448 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2454 "selinux_audit_rule_match: unrecognized SID %d\n", 2449 "selinux_audit_rule_match: unrecognized SID %d\n",
2455 sid); 2450 sid);
2456 match = -ENOENT; 2451 match = -ENOENT;
2457 goto out; 2452 goto out;
2458 } 2453 }
@@ -2498,36 +2493,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2498 case AUDIT_OBJ_LEV_LOW: 2493 case AUDIT_OBJ_LEV_LOW:
2499 case AUDIT_OBJ_LEV_HIGH: 2494 case AUDIT_OBJ_LEV_HIGH:
2500 level = ((field == AUDIT_SUBJ_SEN || 2495 level = ((field == AUDIT_SUBJ_SEN ||
2501 field == AUDIT_OBJ_LEV_LOW) ? 2496 field == AUDIT_OBJ_LEV_LOW) ?
2502 &ctxt->range.level[0] : &ctxt->range.level[1]); 2497 &ctxt->range.level[0] : &ctxt->range.level[1]);
2503 switch (op) { 2498 switch (op) {
2504 case AUDIT_EQUAL: 2499 case AUDIT_EQUAL:
2505 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2500 match = mls_level_eq(&rule->au_ctxt.range.level[0],
2506 level); 2501 level);
2507 break; 2502 break;
2508 case AUDIT_NOT_EQUAL: 2503 case AUDIT_NOT_EQUAL:
2509 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2504 match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2510 level); 2505 level);
2511 break; 2506 break;
2512 case AUDIT_LESS_THAN: 2507 case AUDIT_LESS_THAN:
2513 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2508 match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2514 level) && 2509 level) &&
2515 !mls_level_eq(&rule->au_ctxt.range.level[0], 2510 !mls_level_eq(&rule->au_ctxt.range.level[0],
2516 level)); 2511 level));
2517 break; 2512 break;
2518 case AUDIT_LESS_THAN_OR_EQUAL: 2513 case AUDIT_LESS_THAN_OR_EQUAL:
2519 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2514 match = mls_level_dom(&rule->au_ctxt.range.level[0],
2520 level); 2515 level);
2521 break; 2516 break;
2522 case AUDIT_GREATER_THAN: 2517 case AUDIT_GREATER_THAN:
2523 match = (mls_level_dom(level, 2518 match = (mls_level_dom(level,
2524 &rule->au_ctxt.range.level[0]) && 2519 &rule->au_ctxt.range.level[0]) &&
2525 !mls_level_eq(level, 2520 !mls_level_eq(level,
2526 &rule->au_ctxt.range.level[0])); 2521 &rule->au_ctxt.range.level[0]));
2527 break; 2522 break;
2528 case AUDIT_GREATER_THAN_OR_EQUAL: 2523 case AUDIT_GREATER_THAN_OR_EQUAL:
2529 match = mls_level_dom(level, 2524 match = mls_level_dom(level,
2530 &rule->au_ctxt.range.level[0]); 2525 &rule->au_ctxt.range.level[0]);
2531 break; 2526 break;
2532 } 2527 }
2533 } 2528 }
@@ -2554,7 +2549,7 @@ static int __init aurule_init(void)
2554 int err; 2549 int err;
2555 2550
2556 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2551 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2557 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2552 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2558 if (err) 2553 if (err)
2559 panic("avc_add_callback() failed, error %d\n", err); 2554 panic("avc_add_callback() failed, error %d\n", err);
2560 2555
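Review bot: The allocate-then-copy pair in security_get_bools (new lines 1892-1895, the `kmalloc(sizeof(char) * name_len, GFP_ATOMIC)` followed by `strncpy(..., name_len)`) is left as-is while the hunk only reformats `sizeof(char *)` a few lines above it. Because `name_len` is `strlen(policydb.p_bool_val_to_name[i]) + 1` the bounded copy does include the terminator and is correct, but that is exactly what `kstrdup` does, so `(*names)[i] = kstrdup(policydb.p_bool_val_to_name[i], GFP_ATOMIC);` followed by the existing `if (!(*names)[i]) goto err;` would replace the three lines and make NUL-termination obvious to a reader, which matters for a buffer that is later handed out as a C string. `sizeof(char)` is 1 by definition, so the multiplication is noise either way. The enclosing loop and function start and end outside the hunk, so the surrounding error path is not visible here.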