diff options
| author | Paul Mackerras <paulus@samba.org> | 2008-04-14 07:11:02 -0400 |
|---|---|---|
| committer | Paul Mackerras <paulus@samba.org> | 2008-04-14 07:11:02 -0400 |
| commit | ac7c5353b189e10cf5dd27399f64f7b013abffc6 (patch) | |
| tree | 8222d92b774c256d6ec4399c716d76b3f05ddc4b /security | |
| parent | a8f75ea70c58546205fb7673be41455b9da5d9a7 (diff) | |
| parent | 120dd64cacd4fb796bca0acba3665553f1d9ecaa (diff) | |
Merge branch 'linux-2.6'
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 25 | ||||
| -rw-r--r-- | security/selinux/include/security.h | 3 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 12 |
3 files changed, 25 insertions, 15 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 41a049f50f58..d39b59cf8a08 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -180,7 +180,7 @@ static int inode_alloc_security(struct inode *inode) | |||
| 180 | struct task_security_struct *tsec = current->security; | 180 | struct task_security_struct *tsec = current->security; |
| 181 | struct inode_security_struct *isec; | 181 | struct inode_security_struct *isec; |
| 182 | 182 | ||
| 183 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL); | 183 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); |
| 184 | if (!isec) | 184 | if (!isec) |
| 185 | return -ENOMEM; | 185 | return -ENOMEM; |
| 186 | 186 | ||
| @@ -760,13 +760,13 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, | |||
| 760 | * this early in the boot process. */ | 760 | * this early in the boot process. */ |
| 761 | BUG_ON(!ss_initialized); | 761 | BUG_ON(!ss_initialized); |
| 762 | 762 | ||
| 763 | /* this might go away sometime down the line if there is a new user | ||
| 764 | * of clone, but for now, nfs better not get here... */ | ||
| 765 | BUG_ON(newsbsec->initialized); | ||
| 766 | |||
| 767 | /* how can we clone if the old one wasn't set up?? */ | 763 | /* how can we clone if the old one wasn't set up?? */ |
| 768 | BUG_ON(!oldsbsec->initialized); | 764 | BUG_ON(!oldsbsec->initialized); |
| 769 | 765 | ||
| 766 | /* if fs is reusing a sb, just let its options stand... */ | ||
| 767 | if (newsbsec->initialized) | ||
| 768 | return; | ||
| 769 | |||
| 770 | mutex_lock(&newsbsec->lock); | 770 | mutex_lock(&newsbsec->lock); |
| 771 | 771 | ||
| 772 | newsbsec->flags = oldsbsec->flags; | 772 | newsbsec->flags = oldsbsec->flags; |
| @@ -1143,7 +1143,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
| 1143 | } | 1143 | } |
| 1144 | 1144 | ||
| 1145 | len = INITCONTEXTLEN; | 1145 | len = INITCONTEXTLEN; |
| 1146 | context = kmalloc(len, GFP_KERNEL); | 1146 | context = kmalloc(len, GFP_NOFS); |
| 1147 | if (!context) { | 1147 | if (!context) { |
| 1148 | rc = -ENOMEM; | 1148 | rc = -ENOMEM; |
| 1149 | dput(dentry); | 1149 | dput(dentry); |
| @@ -1161,7 +1161,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
| 1161 | } | 1161 | } |
| 1162 | kfree(context); | 1162 | kfree(context); |
| 1163 | len = rc; | 1163 | len = rc; |
| 1164 | context = kmalloc(len, GFP_KERNEL); | 1164 | context = kmalloc(len, GFP_NOFS); |
| 1165 | if (!context) { | 1165 | if (!context) { |
| 1166 | rc = -ENOMEM; | 1166 | rc = -ENOMEM; |
| 1167 | dput(dentry); | 1167 | dput(dentry); |
| @@ -1185,7 +1185,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
| 1185 | rc = 0; | 1185 | rc = 0; |
| 1186 | } else { | 1186 | } else { |
| 1187 | rc = security_context_to_sid_default(context, rc, &sid, | 1187 | rc = security_context_to_sid_default(context, rc, &sid, |
| 1188 | sbsec->def_sid); | 1188 | sbsec->def_sid, |
| 1189 | GFP_NOFS); | ||
| 1189 | if (rc) { | 1190 | if (rc) { |
| 1190 | printk(KERN_WARNING "%s: context_to_sid(%s) " | 1191 | printk(KERN_WARNING "%s: context_to_sid(%s) " |
| 1191 | "returned %d for dev=%s ino=%ld\n", | 1192 | "returned %d for dev=%s ino=%ld\n", |
| @@ -1630,6 +1631,12 @@ static inline u32 file_to_av(struct file *file) | |||
| 1630 | else | 1631 | else |
| 1631 | av |= FILE__WRITE; | 1632 | av |= FILE__WRITE; |
| 1632 | } | 1633 | } |
| 1634 | if (!av) { | ||
| 1635 | /* | ||
| 1636 | * Special file opened with flags 3 for ioctl-only use. | ||
| 1637 | */ | ||
| 1638 | av = FILE__IOCTL; | ||
| 1639 | } | ||
| 1633 | 1640 | ||
| 1634 | return av; | 1641 | return av; |
| 1635 | } | 1642 | } |
| @@ -2423,7 +2430,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
| 2423 | return -EOPNOTSUPP; | 2430 | return -EOPNOTSUPP; |
| 2424 | 2431 | ||
| 2425 | if (name) { | 2432 | if (name) { |
| 2426 | namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); | 2433 | namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); |
| 2427 | if (!namep) | 2434 | if (!namep) |
| 2428 | return -ENOMEM; | 2435 | return -ENOMEM; |
| 2429 | *name = namep; | 2436 | *name = namep; |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index f7d2f03781f2..44e12ec88090 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
| @@ -86,7 +86,8 @@ int security_sid_to_context(u32 sid, char **scontext, | |||
| 86 | int security_context_to_sid(char *scontext, u32 scontext_len, | 86 | int security_context_to_sid(char *scontext, u32 scontext_len, |
| 87 | u32 *out_sid); | 87 | u32 *out_sid); |
| 88 | 88 | ||
| 89 | int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid); | 89 | int security_context_to_sid_default(char *scontext, u32 scontext_len, |
| 90 | u32 *out_sid, u32 def_sid, gfp_t gfp_flags); | ||
| 90 | 91 | ||
| 91 | int security_get_user_sids(u32 callsid, char *username, | 92 | int security_get_user_sids(u32 callsid, char *username, |
| 92 | u32 **sids, u32 *nel); | 93 | u32 **sids, u32 *nel); |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f37418601215..3f2bad28ee7b 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -680,7 +680,8 @@ out: | |||
| 680 | 680 | ||
| 681 | } | 681 | } |
| 682 | 682 | ||
| 683 | static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) | 683 | static int security_context_to_sid_core(char *scontext, u32 scontext_len, |
| 684 | u32 *sid, u32 def_sid, gfp_t gfp_flags) | ||
| 684 | { | 685 | { |
| 685 | char *scontext2; | 686 | char *scontext2; |
| 686 | struct context context; | 687 | struct context context; |
| @@ -709,7 +710,7 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s | |||
| 709 | null suffix to the copy to avoid problems with the existing | 710 | null suffix to the copy to avoid problems with the existing |
| 710 | attr package, which doesn't view the null terminator as part | 711 | attr package, which doesn't view the null terminator as part |
| 711 | of the attribute value. */ | 712 | of the attribute value. */ |
| 712 | scontext2 = kmalloc(scontext_len+1,GFP_KERNEL); | 713 | scontext2 = kmalloc(scontext_len+1, gfp_flags); |
| 713 | if (!scontext2) { | 714 | if (!scontext2) { |
| 714 | rc = -ENOMEM; | 715 | rc = -ENOMEM; |
| 715 | goto out; | 716 | goto out; |
| @@ -809,7 +810,7 @@ out: | |||
| 809 | int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) | 810 | int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) |
| 810 | { | 811 | { |
| 811 | return security_context_to_sid_core(scontext, scontext_len, | 812 | return security_context_to_sid_core(scontext, scontext_len, |
| 812 | sid, SECSID_NULL); | 813 | sid, SECSID_NULL, GFP_KERNEL); |
| 813 | } | 814 | } |
| 814 | 815 | ||
| 815 | /** | 816 | /** |
| @@ -829,10 +830,11 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) | |||
| 829 | * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient | 830 | * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient |
| 830 | * memory is available, or 0 on success. | 831 | * memory is available, or 0 on success. |
| 831 | */ | 832 | */ |
| 832 | int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) | 833 | int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, |
| 834 | u32 def_sid, gfp_t gfp_flags) | ||
| 833 | { | 835 | { |
| 834 | return security_context_to_sid_core(scontext, scontext_len, | 836 | return security_context_to_sid_core(scontext, scontext_len, |
| 835 | sid, def_sid); | 837 | sid, def_sid, gfp_flags); |
| 836 | } | 838 | } |
| 837 | 839 | ||
| 838 | static int compute_sid_handle_invalid_context( | 840 | static int compute_sid_handle_invalid_context( |