diff options
| author | Eric Paris <eparis@redhat.com> | 2013-11-22 18:57:08 -0500 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2013-11-22 18:57:54 -0500 |
| commit | fc582aef7dcc27a7120cf232c1e76c569c7b6eab (patch) | |
| tree | 7d275dd4ceab6067b91e9a25a5f6338b425fbccd /security/selinux | |
| parent | 9175c9d2aed528800175ef81c90569d00d23f9be (diff) | |
| parent | 5e01dc7b26d9f24f39abace5da98ccbd6a5ceb52 (diff) | |
Merge tag 'v3.12'
Linux 3.12
Conflicts:
fs/exec.c
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/avc.c | 9 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 32 | ||||
| -rw-r--r-- | security/selinux/include/avc.h | 18 | ||||
| -rw-r--r-- | security/selinux/include/xfrm.h | 7 |
4 files changed, 27 insertions, 39 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index dad36a6ab45f..fc3e6628a864 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -746,7 +746,6 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
| 746 | * @tclass: target security class | 746 | * @tclass: target security class |
| 747 | * @requested: requested permissions, interpreted based on @tclass | 747 | * @requested: requested permissions, interpreted based on @tclass |
| 748 | * @auditdata: auxiliary audit data | 748 | * @auditdata: auxiliary audit data |
| 749 | * @flags: VFS walk flags | ||
| 750 | * | 749 | * |
| 751 | * Check the AVC to determine whether the @requested permissions are granted | 750 | * Check the AVC to determine whether the @requested permissions are granted |
| 752 | * for the SID pair (@ssid, @tsid), interpreting the permissions | 751 | * for the SID pair (@ssid, @tsid), interpreting the permissions |
| @@ -756,17 +755,15 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
| 756 | * permissions are granted, -%EACCES if any permissions are denied, or | 755 | * permissions are granted, -%EACCES if any permissions are denied, or |
| 757 | * another -errno upon other errors. | 756 | * another -errno upon other errors. |
| 758 | */ | 757 | */ |
| 759 | int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, | 758 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, |
| 760 | u32 requested, struct common_audit_data *auditdata, | 759 | u32 requested, struct common_audit_data *auditdata) |
| 761 | unsigned flags) | ||
| 762 | { | 760 | { |
| 763 | struct av_decision avd; | 761 | struct av_decision avd; |
| 764 | int rc, rc2; | 762 | int rc, rc2; |
| 765 | 763 | ||
| 766 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); | 764 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); |
| 767 | 765 | ||
| 768 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, | 766 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata); |
| 769 | flags); | ||
| 770 | if (rc2) | 767 | if (rc2) |
| 771 | return rc2; | 768 | return rc2; |
| 772 | return rc; | 769 | return rc; |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c956390a9136..5b5231068516 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1502,7 +1502,7 @@ static int cred_has_capability(const struct cred *cred, | |||
| 1502 | 1502 | ||
| 1503 | rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); | 1503 | rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); |
| 1504 | if (audit == SECURITY_CAP_AUDIT) { | 1504 | if (audit == SECURITY_CAP_AUDIT) { |
| 1505 | int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); | 1505 | int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); |
| 1506 | if (rc2) | 1506 | if (rc2) |
| 1507 | return rc2; | 1507 | return rc2; |
| 1508 | } | 1508 | } |
| @@ -1525,8 +1525,7 @@ static int task_has_system(struct task_struct *tsk, | |||
| 1525 | static int inode_has_perm(const struct cred *cred, | 1525 | static int inode_has_perm(const struct cred *cred, |
| 1526 | struct inode *inode, | 1526 | struct inode *inode, |
| 1527 | u32 perms, | 1527 | u32 perms, |
| 1528 | struct common_audit_data *adp, | 1528 | struct common_audit_data *adp) |
| 1529 | unsigned flags) | ||
| 1530 | { | 1529 | { |
| 1531 | struct inode_security_struct *isec; | 1530 | struct inode_security_struct *isec; |
| 1532 | u32 sid; | 1531 | u32 sid; |
| @@ -1539,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred, | |||
| 1539 | sid = cred_sid(cred); | 1538 | sid = cred_sid(cred); |
| 1540 | isec = inode->i_security; | 1539 | isec = inode->i_security; |
| 1541 | 1540 | ||
| 1542 | return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); | 1541 | return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); |
| 1543 | } | 1542 | } |
| 1544 | 1543 | ||
| 1545 | /* Same as inode_has_perm, but pass explicit audit data containing | 1544 | /* Same as inode_has_perm, but pass explicit audit data containing |
| @@ -1554,7 +1553,7 @@ static inline int dentry_has_perm(const struct cred *cred, | |||
| 1554 | 1553 | ||
| 1555 | ad.type = LSM_AUDIT_DATA_DENTRY; | 1554 | ad.type = LSM_AUDIT_DATA_DENTRY; |
| 1556 | ad.u.dentry = dentry; | 1555 | ad.u.dentry = dentry; |
| 1557 | return inode_has_perm(cred, inode, av, &ad, 0); | 1556 | return inode_has_perm(cred, inode, av, &ad); |
| 1558 | } | 1557 | } |
| 1559 | 1558 | ||
| 1560 | /* Same as inode_has_perm, but pass explicit audit data containing | 1559 | /* Same as inode_has_perm, but pass explicit audit data containing |
| @@ -1569,7 +1568,7 @@ static inline int path_has_perm(const struct cred *cred, | |||
| 1569 | 1568 | ||
| 1570 | ad.type = LSM_AUDIT_DATA_PATH; | 1569 | ad.type = LSM_AUDIT_DATA_PATH; |
| 1571 | ad.u.path = *path; | 1570 | ad.u.path = *path; |
| 1572 | return inode_has_perm(cred, inode, av, &ad, 0); | 1571 | return inode_has_perm(cred, inode, av, &ad); |
| 1573 | } | 1572 | } |
| 1574 | 1573 | ||
| 1575 | /* Same as path_has_perm, but uses the inode from the file struct. */ | 1574 | /* Same as path_has_perm, but uses the inode from the file struct. */ |
| @@ -1581,7 +1580,7 @@ static inline int file_path_has_perm(const struct cred *cred, | |||
| 1581 | 1580 | ||
| 1582 | ad.type = LSM_AUDIT_DATA_PATH; | 1581 | ad.type = LSM_AUDIT_DATA_PATH; |
| 1583 | ad.u.path = file->f_path; | 1582 | ad.u.path = file->f_path; |
| 1584 | return inode_has_perm(cred, file_inode(file), av, &ad, 0); | 1583 | return inode_has_perm(cred, file_inode(file), av, &ad); |
| 1585 | } | 1584 | } |
| 1586 | 1585 | ||
| 1587 | /* Check whether a task can use an open file descriptor to | 1586 | /* Check whether a task can use an open file descriptor to |
| @@ -1617,7 +1616,7 @@ static int file_has_perm(const struct cred *cred, | |||
| 1617 | /* av is zero if only checking access to the descriptor. */ | 1616 | /* av is zero if only checking access to the descriptor. */ |
| 1618 | rc = 0; | 1617 | rc = 0; |
| 1619 | if (av) | 1618 | if (av) |
| 1620 | rc = inode_has_perm(cred, inode, av, &ad, 0); | 1619 | rc = inode_has_perm(cred, inode, av, &ad); |
| 1621 | 1620 | ||
| 1622 | out: | 1621 | out: |
| 1623 | return rc; | 1622 | return rc; |
| @@ -2587,7 +2586,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, | |||
| 2587 | } | 2586 | } |
| 2588 | 2587 | ||
| 2589 | static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | 2588 | static int selinux_inode_init_security(struct inode *inode, struct inode *dir, |
| 2590 | const struct qstr *qstr, char **name, | 2589 | const struct qstr *qstr, |
| 2590 | const char **name, | ||
| 2591 | void **value, size_t *len) | 2591 | void **value, size_t *len) |
| 2592 | { | 2592 | { |
| 2593 | const struct task_security_struct *tsec = current_security(); | 2593 | const struct task_security_struct *tsec = current_security(); |
| @@ -2595,7 +2595,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
| 2595 | struct superblock_security_struct *sbsec; | 2595 | struct superblock_security_struct *sbsec; |
| 2596 | u32 sid, newsid, clen; | 2596 | u32 sid, newsid, clen; |
| 2597 | int rc; | 2597 | int rc; |
| 2598 | char *namep = NULL, *context; | 2598 | char *context; |
| 2599 | 2599 | ||
| 2600 | dsec = dir->i_security; | 2600 | dsec = dir->i_security; |
| 2601 | sbsec = dir->i_sb->s_security; | 2601 | sbsec = dir->i_sb->s_security; |
| @@ -2631,19 +2631,13 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
| 2631 | if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) | 2631 | if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) |
| 2632 | return -EOPNOTSUPP; | 2632 | return -EOPNOTSUPP; |
| 2633 | 2633 | ||
| 2634 | if (name) { | 2634 | if (name) |
| 2635 | namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); | 2635 | *name = XATTR_SELINUX_SUFFIX; |
| 2636 | if (!namep) | ||
| 2637 | return -ENOMEM; | ||
| 2638 | *name = namep; | ||
| 2639 | } | ||
| 2640 | 2636 | ||
| 2641 | if (value && len) { | 2637 | if (value && len) { |
| 2642 | rc = security_sid_to_context_force(newsid, &context, &clen); | 2638 | rc = security_sid_to_context_force(newsid, &context, &clen); |
| 2643 | if (rc) { | 2639 | if (rc) |
| 2644 | kfree(namep); | ||
| 2645 | return rc; | 2640 | return rc; |
| 2646 | } | ||
| 2647 | *value = context; | 2641 | *value = context; |
| 2648 | *len = clen; | 2642 | *len = clen; |
| 2649 | } | 2643 | } |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 92d0ab561db8..f53ee3c58d0f 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
| @@ -130,7 +130,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, | |||
| 130 | u16 tclass, u32 requested, | 130 | u16 tclass, u32 requested, |
| 131 | struct av_decision *avd, | 131 | struct av_decision *avd, |
| 132 | int result, | 132 | int result, |
| 133 | struct common_audit_data *a, unsigned flags) | 133 | struct common_audit_data *a) |
| 134 | { | 134 | { |
| 135 | u32 audited, denied; | 135 | u32 audited, denied; |
| 136 | audited = avc_audit_required(requested, avd, result, 0, &denied); | 136 | audited = avc_audit_required(requested, avd, result, 0, &denied); |
| @@ -138,7 +138,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, | |||
| 138 | return 0; | 138 | return 0; |
| 139 | return slow_avc_audit(ssid, tsid, tclass, | 139 | return slow_avc_audit(ssid, tsid, tclass, |
| 140 | requested, audited, denied, | 140 | requested, audited, denied, |
| 141 | a, flags); | 141 | a, 0); |
| 142 | } | 142 | } |
| 143 | 143 | ||
| 144 | #define AVC_STRICT 1 /* Ignore permissive mode. */ | 144 | #define AVC_STRICT 1 /* Ignore permissive mode. */ |
| @@ -147,17 +147,9 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
| 147 | unsigned flags, | 147 | unsigned flags, |
| 148 | struct av_decision *avd); | 148 | struct av_decision *avd); |
| 149 | 149 | ||
| 150 | int avc_has_perm_flags(u32 ssid, u32 tsid, | 150 | int avc_has_perm(u32 ssid, u32 tsid, |
| 151 | u16 tclass, u32 requested, | 151 | u16 tclass, u32 requested, |
| 152 | struct common_audit_data *auditdata, | 152 | struct common_audit_data *auditdata); |
| 153 | unsigned); | ||
| 154 | |||
| 155 | static inline int avc_has_perm(u32 ssid, u32 tsid, | ||
| 156 | u16 tclass, u32 requested, | ||
| 157 | struct common_audit_data *auditdata) | ||
| 158 | { | ||
| 159 | return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0); | ||
| 160 | } | ||
| 161 | 153 | ||
| 162 | u32 avc_policy_seqno(void); | 154 | u32 avc_policy_seqno(void); |
| 163 | 155 | ||
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 65f67cb0aefb..6713f04e30ba 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
| @@ -50,8 +50,13 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); | |||
| 50 | 50 | ||
| 51 | static inline void selinux_xfrm_notify_policyload(void) | 51 | static inline void selinux_xfrm_notify_policyload(void) |
| 52 | { | 52 | { |
| 53 | struct net *net; | ||
| 54 | |||
| 53 | atomic_inc(&flow_cache_genid); | 55 | atomic_inc(&flow_cache_genid); |
| 54 | rt_genid_bump(&init_net); | 56 | rtnl_lock(); |
| 57 | for_each_net(net) | ||
| 58 | rt_genid_bump_all(net); | ||
| 59 | rtnl_unlock(); | ||
| 55 | } | 60 | } |
| 56 | #else | 61 | #else |
| 57 | static inline int selinux_xfrm_enabled(void) | 62 | static inline int selinux_xfrm_enabled(void) |