diff options
| author | Paul Moore <pmoore@redhat.com> | 2013-11-08 13:56:38 -0500 |
|---|---|---|
| committer | Paul Moore <pmoore@redhat.com> | 2013-11-08 13:56:38 -0500 |
| commit | 94851b18d4eb94f8bbf0d9176f7429bd8e371f62 (patch) | |
| tree | c3c743ac6323e1caf9e987d6946cc4b2333a8256 /security/selinux | |
| parent | 42d64e1add3a1ce8a787116036163b8724362145 (diff) | |
| parent | 5e01dc7b26d9f24f39abace5da98ccbd6a5ceb52 (diff) | |
Merge tag 'v3.12'
Linux 3.12
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/avc.c | 9 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 32 | ||||
| -rw-r--r-- | security/selinux/include/avc.h | 18 | ||||
| -rw-r--r-- | security/selinux/include/xfrm.h | 7 |
4 files changed, 27 insertions, 39 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index dad36a6ab45f..fc3e6628a864 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -746,7 +746,6 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
| 746 | * @tclass: target security class | 746 | * @tclass: target security class |
| 747 | * @requested: requested permissions, interpreted based on @tclass | 747 | * @requested: requested permissions, interpreted based on @tclass |
| 748 | * @auditdata: auxiliary audit data | 748 | * @auditdata: auxiliary audit data |
| 749 | * @flags: VFS walk flags | ||
| 750 | * | 749 | * |
| 751 | * Check the AVC to determine whether the @requested permissions are granted | 750 | * Check the AVC to determine whether the @requested permissions are granted |
| 752 | * for the SID pair (@ssid, @tsid), interpreting the permissions | 751 | * for the SID pair (@ssid, @tsid), interpreting the permissions |
| @@ -756,17 +755,15 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
| 756 | * permissions are granted, -%EACCES if any permissions are denied, or | 755 | * permissions are granted, -%EACCES if any permissions are denied, or |
| 757 | * another -errno upon other errors. | 756 | * another -errno upon other errors. |
| 758 | */ | 757 | */ |
| 759 | int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, | 758 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, |
| 760 | u32 requested, struct common_audit_data *auditdata, | 759 | u32 requested, struct common_audit_data *auditdata) |
| 761 | unsigned flags) | ||
| 762 | { | 760 | { |
| 763 | struct av_decision avd; | 761 | struct av_decision avd; |
| 764 | int rc, rc2; | 762 | int rc, rc2; |
| 765 | 763 | ||
| 766 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); | 764 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); |
| 767 | 765 | ||
| 768 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, | 766 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata); |
| 769 | flags); | ||
| 770 | if (rc2) | 767 | if (rc2) |
| 771 | return rc2; | 768 | return rc2; |
| 772 | return rc; | 769 | return rc; |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c09211a4d7da..777ee98273d1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1539,7 +1539,7 @@ static int cred_has_capability(const struct cred *cred, | |||
| 1539 | 1539 | ||
| 1540 | rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); | 1540 | rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); |
| 1541 | if (audit == SECURITY_CAP_AUDIT) { | 1541 | if (audit == SECURITY_CAP_AUDIT) { |
| 1542 | int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); | 1542 | int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); |
| 1543 | if (rc2) | 1543 | if (rc2) |
| 1544 | return rc2; | 1544 | return rc2; |
| 1545 | } | 1545 | } |
| @@ -1562,8 +1562,7 @@ static int task_has_system(struct task_struct *tsk, | |||
| 1562 | static int inode_has_perm(const struct cred *cred, | 1562 | static int inode_has_perm(const struct cred *cred, |
| 1563 | struct inode *inode, | 1563 | struct inode *inode, |
| 1564 | u32 perms, | 1564 | u32 perms, |
| 1565 | struct common_audit_data *adp, | 1565 | struct common_audit_data *adp) |
| 1566 | unsigned flags) | ||
| 1567 | { | 1566 | { |
| 1568 | struct inode_security_struct *isec; | 1567 | struct inode_security_struct *isec; |
| 1569 | u32 sid; | 1568 | u32 sid; |
| @@ -1576,7 +1575,7 @@ static int inode_has_perm(const struct cred *cred, | |||
| 1576 | sid = cred_sid(cred); | 1575 | sid = cred_sid(cred); |
| 1577 | isec = inode->i_security; | 1576 | isec = inode->i_security; |
| 1578 | 1577 | ||
| 1579 | return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); | 1578 | return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); |
| 1580 | } | 1579 | } |
| 1581 | 1580 | ||
| 1582 | /* Same as inode_has_perm, but pass explicit audit data containing | 1581 | /* Same as inode_has_perm, but pass explicit audit data containing |
| @@ -1591,7 +1590,7 @@ static inline int dentry_has_perm(const struct cred *cred, | |||
| 1591 | 1590 | ||
| 1592 | ad.type = LSM_AUDIT_DATA_DENTRY; | 1591 | ad.type = LSM_AUDIT_DATA_DENTRY; |
| 1593 | ad.u.dentry = dentry; | 1592 | ad.u.dentry = dentry; |
| 1594 | return inode_has_perm(cred, inode, av, &ad, 0); | 1593 | return inode_has_perm(cred, inode, av, &ad); |
| 1595 | } | 1594 | } |
| 1596 | 1595 | ||
| 1597 | /* Same as inode_has_perm, but pass explicit audit data containing | 1596 | /* Same as inode_has_perm, but pass explicit audit data containing |
| @@ -1606,7 +1605,7 @@ static inline int path_has_perm(const struct cred *cred, | |||
| 1606 | 1605 | ||
| 1607 | ad.type = LSM_AUDIT_DATA_PATH; | 1606 | ad.type = LSM_AUDIT_DATA_PATH; |
| 1608 | ad.u.path = *path; | 1607 | ad.u.path = *path; |
| 1609 | return inode_has_perm(cred, inode, av, &ad, 0); | 1608 | return inode_has_perm(cred, inode, av, &ad); |
| 1610 | } | 1609 | } |
| 1611 | 1610 | ||
| 1612 | /* Same as path_has_perm, but uses the inode from the file struct. */ | 1611 | /* Same as path_has_perm, but uses the inode from the file struct. */ |
| @@ -1618,7 +1617,7 @@ static inline int file_path_has_perm(const struct cred *cred, | |||
| 1618 | 1617 | ||
| 1619 | ad.type = LSM_AUDIT_DATA_PATH; | 1618 | ad.type = LSM_AUDIT_DATA_PATH; |
| 1620 | ad.u.path = file->f_path; | 1619 | ad.u.path = file->f_path; |
| 1621 | return inode_has_perm(cred, file_inode(file), av, &ad, 0); | 1620 | return inode_has_perm(cred, file_inode(file), av, &ad); |
| 1622 | } | 1621 | } |
| 1623 | 1622 | ||
| 1624 | /* Check whether a task can use an open file descriptor to | 1623 | /* Check whether a task can use an open file descriptor to |
| @@ -1654,7 +1653,7 @@ static int file_has_perm(const struct cred *cred, | |||
| 1654 | /* av is zero if only checking access to the descriptor. */ | 1653 | /* av is zero if only checking access to the descriptor. */ |
| 1655 | rc = 0; | 1654 | rc = 0; |
| 1656 | if (av) | 1655 | if (av) |
| 1657 | rc = inode_has_perm(cred, inode, av, &ad, 0); | 1656 | rc = inode_has_perm(cred, inode, av, &ad); |
| 1658 | 1657 | ||
| 1659 | out: | 1658 | out: |
| 1660 | return rc; | 1659 | return rc; |
| @@ -2624,7 +2623,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, | |||
| 2624 | } | 2623 | } |
| 2625 | 2624 | ||
| 2626 | static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | 2625 | static int selinux_inode_init_security(struct inode *inode, struct inode *dir, |
| 2627 | const struct qstr *qstr, char **name, | 2626 | const struct qstr *qstr, |
| 2627 | const char **name, | ||
| 2628 | void **value, size_t *len) | 2628 | void **value, size_t *len) |
| 2629 | { | 2629 | { |
| 2630 | const struct task_security_struct *tsec = current_security(); | 2630 | const struct task_security_struct *tsec = current_security(); |
| @@ -2632,7 +2632,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
| 2632 | struct superblock_security_struct *sbsec; | 2632 | struct superblock_security_struct *sbsec; |
| 2633 | u32 sid, newsid, clen; | 2633 | u32 sid, newsid, clen; |
| 2634 | int rc; | 2634 | int rc; |
| 2635 | char *namep = NULL, *context; | 2635 | char *context; |
| 2636 | 2636 | ||
| 2637 | dsec = dir->i_security; | 2637 | dsec = dir->i_security; |
| 2638 | sbsec = dir->i_sb->s_security; | 2638 | sbsec = dir->i_sb->s_security; |
| @@ -2668,19 +2668,13 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
| 2668 | if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) | 2668 | if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) |
| 2669 | return -EOPNOTSUPP; | 2669 | return -EOPNOTSUPP; |
| 2670 | 2670 | ||
| 2671 | if (name) { | 2671 | if (name) |
| 2672 | namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); | 2672 | *name = XATTR_SELINUX_SUFFIX; |
| 2673 | if (!namep) | ||
| 2674 | return -ENOMEM; | ||
| 2675 | *name = namep; | ||
| 2676 | } | ||
| 2677 | 2673 | ||
| 2678 | if (value && len) { | 2674 | if (value && len) { |
| 2679 | rc = security_sid_to_context_force(newsid, &context, &clen); | 2675 | rc = security_sid_to_context_force(newsid, &context, &clen); |
| 2680 | if (rc) { | 2676 | if (rc) |
| 2681 | kfree(namep); | ||
| 2682 | return rc; | 2677 | return rc; |
| 2683 | } | ||
| 2684 | *value = context; | 2678 | *value = context; |
| 2685 | *len = clen; | 2679 | *len = clen; |
| 2686 | } | 2680 | } |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 92d0ab561db8..f53ee3c58d0f 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
| @@ -130,7 +130,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, | |||
| 130 | u16 tclass, u32 requested, | 130 | u16 tclass, u32 requested, |
| 131 | struct av_decision *avd, | 131 | struct av_decision *avd, |
| 132 | int result, | 132 | int result, |
| 133 | struct common_audit_data *a, unsigned flags) | 133 | struct common_audit_data *a) |
| 134 | { | 134 | { |
| 135 | u32 audited, denied; | 135 | u32 audited, denied; |
| 136 | audited = avc_audit_required(requested, avd, result, 0, &denied); | 136 | audited = avc_audit_required(requested, avd, result, 0, &denied); |
| @@ -138,7 +138,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, | |||
| 138 | return 0; | 138 | return 0; |
| 139 | return slow_avc_audit(ssid, tsid, tclass, | 139 | return slow_avc_audit(ssid, tsid, tclass, |
| 140 | requested, audited, denied, | 140 | requested, audited, denied, |
| 141 | a, flags); | 141 | a, 0); |
| 142 | } | 142 | } |
| 143 | 143 | ||
| 144 | #define AVC_STRICT 1 /* Ignore permissive mode. */ | 144 | #define AVC_STRICT 1 /* Ignore permissive mode. */ |
| @@ -147,17 +147,9 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
| 147 | unsigned flags, | 147 | unsigned flags, |
| 148 | struct av_decision *avd); | 148 | struct av_decision *avd); |
| 149 | 149 | ||
| 150 | int avc_has_perm_flags(u32 ssid, u32 tsid, | 150 | int avc_has_perm(u32 ssid, u32 tsid, |
| 151 | u16 tclass, u32 requested, | 151 | u16 tclass, u32 requested, |
| 152 | struct common_audit_data *auditdata, | 152 | struct common_audit_data *auditdata); |
| 153 | unsigned); | ||
| 154 | |||
| 155 | static inline int avc_has_perm(u32 ssid, u32 tsid, | ||
| 156 | u16 tclass, u32 requested, | ||
| 157 | struct common_audit_data *auditdata) | ||
| 158 | { | ||
| 159 | return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0); | ||
| 160 | } | ||
| 161 | 153 | ||
| 162 | u32 avc_policy_seqno(void); | 154 | u32 avc_policy_seqno(void); |
| 163 | 155 | ||
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 7605251936f5..0dec76c64cf5 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
| @@ -42,8 +42,13 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); | |||
| 42 | 42 | ||
| 43 | static inline void selinux_xfrm_notify_policyload(void) | 43 | static inline void selinux_xfrm_notify_policyload(void) |
| 44 | { | 44 | { |
| 45 | struct net *net; | ||
| 46 | |||
| 45 | atomic_inc(&flow_cache_genid); | 47 | atomic_inc(&flow_cache_genid); |
| 46 | rt_genid_bump(&init_net); | 48 | rtnl_lock(); |
| 49 | for_each_net(net) | ||
| 50 | rt_genid_bump_all(net); | ||
| 51 | rtnl_unlock(); | ||
| 47 | } | 52 | } |
| 48 | #else | 53 | #else |
| 49 | static inline int selinux_xfrm_enabled(void) | 54 | static inline int selinux_xfrm_enabled(void) |