Merge commit 'v2.6.39' into 20110526

Conflicts: lib/flex_array.c security/selinux/avc.c security/selinux/hooks.c security/selinux/ss/policydb.c security/smack/smack_lsm.c
author: Eric Paris <eparis@redhat.com> 2011-05-26 17:20:14 -0400
committer: Eric Paris <eparis@redhat.com> 2011-05-26 17:20:14 -0400
commit: ea77f7a2e8561012cf100c530170f12351c3b53e (patch)
tree: 7302ac1064f4e364aadda84020a176804fb86e22 /security/selinux
parent: 7a627e3b9a2bd0f06945bbe64bcf403e788ecf6e (diff)
parent: 61c4f2c81c61f73549928dfd9f3e8f26aa36a8cf (diff)
5 files changed, 21 insertions, 16 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9f426b8a12b5..a0d38459d650 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -79,6 +79,7 @@
 #include <linux/mutex.h>
 #include <linux/posix-timers.h>
 #include <linux/syslog.h>
+#include <linux/user_namespace.h>
 #include "avc.h"
 #include "objsec.h"
@@ -1866,11 +1867,11 @@ static int selinux_capset(struct cred *new, const struct cred *old,
 */
 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
-                           int cap, int audit)
+                           struct user_namespace *ns, int cap, int audit)
 {
        int rc;
-        rc = cap_capable(tsk, cred, cap, audit);
+        rc = cap_capable(tsk, cred, ns, cap, audit);
        if (rc)
                return rc;
@@ -1951,7 +1952,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int rc, cap_sys_admin = 0;
-        rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
+        rc = selinux_capable(current, current_cred(),
+                             &init_user_ns, CAP_SYS_ADMIN,
                             SECURITY_CAP_NOAUDIT);
        if (rc == 0)
                cap_sys_admin = 1;
@@ -2746,7 +2748,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
        if (!(sbsec->flags & SE_SBLABELSUPP))
                return -EOPNOTSUPP;
-        if (!is_owner_or_cap(inode))
+        if (!inode_owner_or_capable(inode))
                return -EPERM;
        COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
@@ -2857,7 +2859,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
         * and lack of permission just means that we fall back to the
         * in-core context value, not a denial.
         */
-        error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
+        error = selinux_capable(current, current_cred(),
+                                &init_user_ns, CAP_MAC_ADMIN,
                                SECURITY_CAP_NOAUDIT);
        if (!error)
                error = security_sid_to_context_force(isec->sid, &context,
@@ -2991,7 +2994,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
        case KDSKBENT:
        case KDSKBSENT:
                error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
-                                            SECURITY_CAP_AUDIT);
+                                        SECURITY_CAP_AUDIT);
                break;
        /* default case assumes that the command will go
@@ -4369,7 +4372,7 @@ static void selinux_secmark_refcount_dec(void)
 static void selinux_req_classify_flow(const struct request_sock *req,
                                      struct flowi *fl)
 {
-        fl->secid = req->secid;
+        fl->flowi_secid = req->secid;
 }
 static int selinux_tun_dev_create(void)
@@ -4718,6 +4721,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 {
        int err;
        struct common_audit_data ad;
+        u32 sid;
        err = cap_netlink_recv(skb, capability);
        if (err)
@@ -4726,8 +4730,9 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
        COMMON_AUDIT_DATA_INIT(&ad, CAP);
        ad.u.cap = capability;
-        return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
+        security_task_getsecid(current, &sid);
-                            SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
+        return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
+                            CAP_TO_MASK(capability), &ad);
 }
 static int ipc_alloc_security(struct task_struct *task,
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 13128f9a3e5a..b43813c9e049 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x);
 int selinux_xfrm_state_delete(struct xfrm_state *x);
 int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
-                        struct xfrm_policy *xp, struct flowi *fl);
+                        struct xfrm_policy *xp, const struct flowi *fl);
 /*
 * Extract the security blob from the sock (it's actually on the socket)
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 1c2fc46544bf..c3bf3ed07b06 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -151,7 +151,7 @@ void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)
 *
 * Description:
 * Called when the NetLabel state of a sk_security_struct needs to be reset.
- * The caller is responsibile for all the NetLabel sk_security_struct locking.
+ * The caller is responsible for all the NetLabel sk_security_struct locking.
 *
 */
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e11b4b038f4a..c3e4b52699f4 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2814,7 +2814,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
        case AUDIT_SUBJ_CLR:
        case AUDIT_OBJ_LEV_LOW:
        case AUDIT_OBJ_LEV_HIGH:
-                /* we do not allow a range, indicated by the presense of '-' */
+                /* we do not allow a range, indicated by the presence of '-' */
                if (strchr(rulestr, '-'))
                        return -EINVAL;
                break;
@@ -3083,7 +3083,7 @@ static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
 * Description:
 * Convert the given NetLabel security attributes in @secattr into a
 * SELinux SID.  If the @secattr field does not contain a full SELinux
- * SID/context then use SECINITSID_NETMSG as the foundation.  If possibile the
+ * SID/context then use SECINITSID_NETMSG as the foundation.  If possible the
 * 'cache' field of @secattr is set and the CACHE flag is set; this is to
 * allow the @secattr to be used by NetLabel to cache the secattr to SID
 * conversion for future lookups.  Returns zero on success, negative values on
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 728c57e3d65d..68178b76a2b3 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -112,7 +112,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
 */
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
-                        struct flowi *fl)
+                        const struct flowi *fl)
 {
        u32 state_sid;
        int rc;
@@ -135,10 +135,10 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
        state_sid = x->security->ctx_sid;
-        if (fl->secid != state_sid)
+        if (fl->flowi_secid != state_sid)
                return 0;
-        rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION,
+        rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
                          ASSOCIATION__SENDTO,
                          NULL)? 0:1;
author	Eric Paris <eparis@redhat.com>	2011-05-26 17:20:14 -0400
committer	Eric Paris <eparis@redhat.com>	2011-05-26 17:20:14 -0400
commit	ea77f7a2e8561012cf100c530170f12351c3b53e (patch)
tree	7302ac1064f4e364aadda84020a176804fb86e22 /security/selinux
parent	7a627e3b9a2bd0f06945bbe64bcf403e788ecf6e (diff)
parent	61c4f2c81c61f73549928dfd9f3e8f26aa36a8cf (diff)