| author | Jeff Garzik <jgarzik@pretzel.yyz.us> | 2005-06-26 17:11:03 -0400 |
|---|---|---|
| committer | Jeff Garzik <jgarzik@pobox.com> | 2005-06-26 17:11:03 -0400 |
| commit | 8b0ee07e108b2eefdab5bb73f33223f18926c3b2 (patch) | |
| tree | f68ca04180c5488301a40ec212ef2eb2467cf56c /security/selinux | |
| parent | 4638aef40ba9ebb9734caeed1f373c24015259fd (diff) | |
| parent | 8678887e7fb43cd6c9be6c9807b05e77848e0920 (diff) | |
Merge upstream (approx. 2.6.12-git8) into 'janitor' branch of netdev-2.6.
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/avc.c | 40 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 27 | ||||
| -rw-r--r-- | security/selinux/include/av_perm_to_string.h | 2 | ||||
| -rw-r--r-- | security/selinux/include/av_permissions.h | 2 | ||||
| -rw-r--r-- | security/selinux/nlmsgtab.c | 12 | ||||
| -rw-r--r-- | security/selinux/selinuxfs.c | 9 | ||||
| -rw-r--r-- | security/selinux/ss/conditional.c | 9 | ||||
| -rw-r--r-- | security/selinux/ss/policydb.c | 15 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 18 |
9 files changed, 79 insertions, 55 deletions
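diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 85a6f66a873f..451502467a9b 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -242,7 +242,7 @@ void __init avc_init(void)
 	avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
 					     0, SLAB_PANIC, NULL, NULL);
 
-	audit_log(current->audit_context, "AVC INITIALIZED\n");
+	audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
 }
 
 int avc_get_hash_stats(char *page)
@@ -532,6 +532,7 @@ void avc_audit(u32 ssid, u32 tsid,
 	       u16 tclass, u32 requested,
 	       struct av_decision *avd, int result, struct avc_audit_data *a)
 {
+	struct task_struct *tsk = current;
 	struct inode *inode = NULL;
 	u32 denied, audited;
 	struct audit_buffer *ab;
@@ -549,12 +550,18 @@ void avc_audit(u32 ssid, u32 tsid,
 		return;
 	}
 
-	ab = audit_log_start(current->audit_context);
+	ab = audit_log_start(current->audit_context, AUDIT_AVC);
 	if (!ab)
 		return; /* audit_panic has been called */
 	audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
 	avc_dump_av(ab, tclass,audited);
 	audit_log_format(ab, " for ");
+	if (a && a->tsk)
+		tsk = a->tsk;
+	if (tsk && tsk->pid) {
+		audit_log_format(ab, " pid=%d comm=", tsk->pid);
+		audit_log_untrustedstring(ab, tsk->comm);
+	}
 	if (a) {
 		switch (a->type) {
 		case AVC_AUDIT_DATA_IPC:
@@ -566,21 +573,18 @@ void avc_audit(u32 ssid, u32 tsid,
 		case AVC_AUDIT_DATA_FS:
 			if (a->u.fs.dentry) {
 				struct dentry *dentry = a->u.fs.dentry;
-				if (a->u.fs.mnt) {
-					audit_log_d_path(ab, "path=", dentry,
-							a->u.fs.mnt);
-				} else {
-					audit_log_format(ab, " name=%s",
-							 dentry->d_name.name);
-				}
+				if (a->u.fs.mnt)
+					audit_avc_path(dentry, a->u.fs.mnt);
+				audit_log_format(ab, " name=");
+				audit_log_untrustedstring(ab, dentry->d_name.name);
 				inode = dentry->d_inode;
 			} else if (a->u.fs.inode) {
 				struct dentry *dentry;
 				inode = a->u.fs.inode;
 				dentry = d_find_alias(inode);
 				if (dentry) {
-					audit_log_format(ab, " name=%s",
-							 dentry->d_name.name);
+					audit_log_format(ab, " name=");
+					audit_log_untrustedstring(ab, dentry->d_name.name);
 					dput(dentry);
 				}
 			}
@@ -623,22 +627,20 @@ void avc_audit(u32 ssid, u32 tsid,
 				case AF_UNIX:
 					u = unix_sk(sk);
 					if (u->dentry) {
-						audit_log_d_path(ab, "path=",
-								 u->dentry, u->mnt);
+						audit_avc_path(u->dentry, u->mnt);
+						audit_log_format(ab, " name=");
+						audit_log_untrustedstring(ab, u->dentry->d_name.name);
 						break;
 					}
 					if (!u->addr)
 						break;
 					len = u->addr->len-sizeof(short);
 					p = &u->addr->name->sun_path[0];
+					audit_log_format(ab, " path=");
 					if (*p)
-						audit_log_format(ab,
-								 "path=%*.*s", len,
-								 len, p);
+						audit_log_untrustedstring(ab, p);
 					else
-						audit_log_format(ab,
-								 "path=@%*.*s", len-1,
-								 len-1, p+1);
+						audit_log_hex(ab, p, len);
 					break;
 				}
 			}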
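Review bot: The `tsk &&` half of `if (tsk && tsk->pid)` in the third hunk can never be false: `tsk` starts as `current` and is only overwritten by `a->tsk` when that is non-NULL, so `if (tsk->pid) {` states the real condition without suggesting a path on which no task is known. In the AF_UNIX case of the last hunk, the old format bounded the filesystem-path print to `len` bytes, whereas `audit_log_untrustedstring(ab, p)` walks to a NUL terminator; that is fine if `sun_path` is always NUL-terminated for non-abstract addresses, which cannot be confirmed from this hunk, otherwise `audit_log_hex(ab, p, len)` (already used for the abstract case) would keep the bound. A comment above `len = u->addr->len-sizeof(short);` such as `/* abstract names begin with NUL and are logged as hex; pathnames are NUL-terminated */` would record that assumption for the next reader. avc_audit begins before and ends after these hunks.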
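diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aae1e794fe48..17a1189f1ff8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1658,9 +1658,8 @@ static int selinux_bprm_secureexec (struct linux_binprm *bprm)
 
 static void selinux_bprm_free_security(struct linux_binprm *bprm)
 {
-	struct bprm_security_struct *bsec = bprm->security;
+	kfree(bprm->security);
 	bprm->security = NULL;
-	kfree(bsec);
 }
 
 extern struct vfsmount *selinuxfs_mount;
@@ -1945,6 +1944,7 @@ static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void
 	} while (*in_end++);
 
 	copy_page(in_save, nosec_save);
+	free_page((unsigned long)nosec_save);
 out:
 	return rc;
 }
@@ -2476,6 +2476,17 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 	prot = reqprot;
 
 #ifndef CONFIG_PPC32
+	if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
+	    (vma->vm_start >= vma->vm_mm->start_brk &&
+	     vma->vm_end <= vma->vm_mm->brk)) {
+		/*
+		 * We are making an executable mapping in the brk region.
+		 * This has an additional execheap check.
+		 */
+		rc = task_has_perm(current, current, PROCESS__EXECHEAP);
+		if (rc)
+			return rc;
+	}
 	if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
 		/*
 		 * We are making executable a file mapping that has
@@ -2487,6 +2498,16 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
 		if (rc)
 			return rc;
 	}
+	if (!vma->vm_file && (prot & PROT_EXEC) &&
+	    vma->vm_start <= vma->vm_mm->start_stack &&
+	    vma->vm_end >= vma->vm_mm->start_stack) {
+		/* Attempt to make the process stack executable.
+		 * This has an additional execstack check.
+		 */
+		rc = task_has_perm(current, current, PROCESS__EXECSTACK);
+		if (rc)
+			return rc;
+	}
 #endif
 
 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
@@ -3419,7 +3440,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
 	err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
 	if (err) {
 		if (err == -EINVAL) {
-			audit_log(current->audit_context,
+			audit_log(current->audit_context, AUDIT_SELINUX_ERR,
 				  "SELinux: unrecognized netlink message"
 				  " type=%hu for sclass=%hu\n",
 				  nlh->nlmsg_type, isec->sclass);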
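Review bot: The new execheap test in the third hunk only fires when the whole VMA lies inside `[start_brk, brk]`, so a mapping that straddles either end of the brk region skips the `PROCESS__EXECHEAP` check and is judged only by the generic `file_map_prot_check` at the end; if that containment is intended, a comment should say so, otherwise an overlap test such as `vma->vm_start < vma->vm_mm->brk && vma->vm_end > vma->vm_mm->start_brk` is the conservative form. The execstack test in the fourth hunk has the mirror-image property: it keys on the VMA that contains `start_stack`, so a stack VMA that has been split or grown away from `start_stack` is not covered — probably acceptable, but worth a one-line comment stating the assumption. The two added blocks also use different comment layouts (`/*` on its own line versus `/* Attempt ...` on the opening line); the first matches the existing block immediately below it. selinux_file_mprotect begins before and ends after these hunks.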
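diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 8928bb4d3c53..1deb59e1b762 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -70,6 +70,8 @@
    S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
    S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
    S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
+   S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
+   S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
    S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
    S_(SECCLASS_MSG, MSG__SEND, "send")
    S_(SECCLASS_MSG, MSG__RECEIVE, "receive")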
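diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index bdfce4ca8f8e..a78b5d59c9fc 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -465,6 +465,8 @@
 #define PROCESS__DYNTRANSITION 0x00800000UL
 #define PROCESS__SETCURRENT 0x01000000UL
 #define PROCESS__EXECMEM 0x02000000UL
+#define PROCESS__EXECSTACK 0x04000000UL
+#define PROCESS__EXECHEAP 0x08000000UL
 
 #define IPC__CREATE 0x00000001UL
 #define IPC__DESTROY 0x00000002UL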
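diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index b3adb481bc25..92b057becb4b 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -63,6 +63,8 @@ static struct nlmsg_perm nlmsg_route_perms[] =
 	{ RTM_GETPREFIX, NETLINK_ROUTE_SOCKET__NLMSG_READ },
 	{ RTM_GETMULTICAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
 	{ RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
+	{ RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
+	{ RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
 };
 
 static struct nlmsg_perm nlmsg_firewall_perms[] =
@@ -97,6 +99,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
 	{ AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
 	{ AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
 	{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
+	{ AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
 };
 
 
@@ -141,8 +144,13 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
 		break;
 
 	case SECCLASS_NETLINK_AUDIT_SOCKET:
-		err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
-				 sizeof(nlmsg_audit_perms));
+		if (nlmsg_type >= AUDIT_FIRST_USER_MSG &&
+		    nlmsg_type <= AUDIT_LAST_USER_MSG) {
+			*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
+		} else {
+			err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
+					 sizeof(nlmsg_audit_perms));
+		}
 		break;
 
 	/* No messaging from userspace, or class unknown/unhandled */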
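Review bot: In the last hunk the user-message range test runs before the table lookup, so the `AUDIT_USER` RELAY entry in `nlmsg_audit_perms` becomes unreachable if `AUDIT_USER` lies inside `[AUDIT_FIRST_USER_MSG, AUDIT_LAST_USER_MSG]` — not confirmable from this page, but if so the table row should go, and a comment such as `/* user-space message types are relayed without a table lookup */` above the `if` would make the precedence explicit. The range branch leaves `err` untouched, so it relies on `err` being initialised to 0 at the top of selinux_nlmsg_lookup, which is outside the hunk. Any audit message type added later with a number inside that range silently inherits RELAY rather than failing the lookup, which is worth stating next to the range constants.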
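diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 07221568b505..8eb140dd2e4b 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -951,8 +951,7 @@ static int sel_make_bools(void)
 	u32 sid;
 
 	/* remove any existing files */
-	if (bool_pending_values)
-		kfree(bool_pending_values);
+	kfree(bool_pending_values);
 
 	sel_remove_bools(dir);
 
@@ -997,10 +996,8 @@ static int sel_make_bools(void)
 out:
 	free_page((unsigned long)page);
 	if (names) {
-		for (i = 0; i < num; i++) {
-			if (names[i])
-				kfree(names[i]);
-		}
+		for (i = 0; i < num; i++)
+			kfree(names[i]);
 		kfree(names);
 	}
 	return ret;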
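Review bot: After the first hunk the comment `/* remove any existing files */` sits directly above `kfree(bool_pending_values);`, which frees the pending-value array rather than removing files; it now belongs above `sel_remove_bools(dir);`, or could be widened to `/* drop the old pending-value array and remove any existing files */`. `bool_pending_values` is not reset to NULL in the visible lines, so the pointer dangles until it is reassigned later in sel_make_bools (outside the hunk); that is fine only if every path, including early error exits, reassigns or clears it before the next reader. sel_make_bools begins before and ends after these hunks.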
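diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index b53441184aca..e2057f5a411a 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -166,16 +166,14 @@ static void cond_list_destroy(struct cond_node *list)
 
 void cond_policydb_destroy(struct policydb *p)
 {
-	if (p->bool_val_to_struct != NULL)
-		kfree(p->bool_val_to_struct);
+	kfree(p->bool_val_to_struct);
 	avtab_destroy(&p->te_cond_avtab);
 	cond_list_destroy(p->cond_list);
 }
 
 int cond_init_bool_indexes(struct policydb *p)
 {
-	if (p->bool_val_to_struct)
-		kfree(p->bool_val_to_struct);
+	kfree(p->bool_val_to_struct);
 	p->bool_val_to_struct = (struct cond_bool_datum**)
 		kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL);
 	if (!p->bool_val_to_struct)
@@ -185,8 +183,7 @@ int cond_init_bool_indexes(struct policydb *p)
 
 int cond_destroy_bool(void *key, void *datum, void *p)
 {
-	if (key)
-		kfree(key);
+	kfree(key);
 	kfree(datum);
 	return 0;
 }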
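Review bot: In the first hunk, cond_init_bool_indexes still allocates its table with `kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL)` behind a cast; `p->bool_val_to_struct = kcalloc(p->p_bools.nprim, sizeof(struct cond_bool_datum*), GFP_KERNEL);` drops the cast, zero-fills the table and checks the size multiplication, which matters if `nprim` is read straight from the policy image — not visible from this hunk. The guard removals themselves are sound because kfree(NULL) is a no-op, though cond_init_bool_indexes leaves a dangling `bool_val_to_struct` between the kfree and a failed kmalloc (the `!p->bool_val_to_struct` path assigns NULL, so this is only a concern if the failure path is later changed). The function's remainder lies outside the hunk.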
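diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 14190efbf333..785c33cf4864 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -590,17 +590,12 @@ void policydb_destroy(struct policydb *p)
 		hashtab_destroy(p->symtab[i].table);
 	}
 
-	for (i = 0; i < SYM_NUM; i++) {
-		if (p->sym_val_to_name[i])
-			kfree(p->sym_val_to_name[i]);
-	}
+	for (i = 0; i < SYM_NUM; i++)
+		kfree(p->sym_val_to_name[i]);
 
-	if (p->class_val_to_struct)
-		kfree(p->class_val_to_struct);
-	if (p->role_val_to_struct)
-		kfree(p->role_val_to_struct);
-	if (p->user_val_to_struct)
-		kfree(p->user_val_to_struct);
+	kfree(p->class_val_to_struct);
+	kfree(p->role_val_to_struct);
+	kfree(p->user_val_to_struct);
 
 	avtab_destroy(&p->te_avtab);
 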
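diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 5a820cf88c9c..922bb45054aa 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
 		goto out;
 	if (context_struct_to_string(tcontext, &t, &tlen) < 0)
 		goto out;
-	audit_log(current->audit_context,
+	audit_log(current->audit_context, AUDIT_SELINUX_ERR,
 		  "security_validate_transition: denied for"
 		  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
 		  o, n, t, policydb.p_class_val_to_name[tclass-1]);
@@ -476,8 +476,8 @@ int security_compute_av(u32 ssid,
 	int rc = 0;
 
 	if (!ss_initialized) {
-		avd->allowed = requested;
-		avd->decided = requested;
+		avd->allowed = 0xffffffff;
+		avd->decided = 0xffffffff;
 		avd->auditallow = 0;
 		avd->auditdeny = 0xffffffff;
 		avd->seqno = latest_granting;
@@ -742,7 +742,7 @@ static int compute_sid_handle_invalid_context(
 		goto out;
 	if (context_struct_to_string(newcontext, &n, &nlen) < 0)
 		goto out;
-	audit_log(current->audit_context,
+	audit_log(current->audit_context, AUDIT_SELINUX_ERR,
 		  "security_compute_sid: invalid context %s"
 		  " for scontext=%s"
 		  " tcontext=%s"
@@ -1196,9 +1196,11 @@ int security_load_policy(void *data, size_t len)
 	}
 	policydb_loaded_version = policydb.policyvers;
 	ss_initialized = 1;
-
+	seqno = ++latest_granting;
 	LOAD_UNLOCK;
 	selinux_complete_init();
+	avc_ss_reset(seqno);
+	selnl_notify_policyload(seqno);
 	return 0;
 }
 
@@ -1703,11 +1705,9 @@ out:
 err:
 	if (*names) {
 		for (i = 0; i < *len; i++)
-			if ((*names)[i])
-				kfree((*names)[i]);
+			kfree((*names)[i]);
 	}
-	if (*values)
-		kfree(*values);
+	kfree(*values);
 	goto out;
 }
 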
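Review bot: The pre-policy branch of security_compute_av (second hunk) now reports `allowed = decided = 0xffffffff` instead of echoing `requested`, but nothing in the hunk says why; presumably it is so that AVC entries cached before any policy is loaded cover every permission and the `avc_ss_reset(seqno)` added to security_load_policy (fourth hunk) is what invalidates them in one sweep — a comment such as `/* no policy loaded yet: grant everything; avc_ss_reset() drops these entries on load */` above the assignments would make that pairing visible to the next reader. In the fourth hunk `seqno = ++latest_granting;` is correctly taken under the load lock before `LOAD_UNLOCK`, while `avc_ss_reset` and `selnl_notify_policyload` run after it, which is the right ordering; the `seqno` local itself is declared outside the hunk. security_compute_av and security_load_policy both begin before and end after their hunks.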
