diff options
| author | James Morris <jmorris@namei.org> | 2009-02-05 19:01:45 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-02-05 19:01:45 -0500 |
| commit | cb5629b10d64a8006622ce3a52bc887d91057d69 (patch) | |
| tree | 7c06d8f30783115e3384721046258ce615b129c5 /security | |
| parent | 8920d5ad6ba74ae8ab020e90cc4d976980e68701 (diff) | |
| parent | f01d1d546abb2f4028b5299092f529eefb01253a (diff) | |
Merge branch 'master' into next
Conflicts:
fs/namei.c
Manually merged per:
diff --cc fs/namei.c
index 734f2b5,bbc15c2..0000000
--- a/fs/namei.c
+++ b/fs/namei.c
@@@ -860,9 -848,8 +849,10 @@@ static int __link_path_walk(const char
nd->flags |= LOOKUP_CONTINUE;
err = exec_permission_lite(inode);
if (err == -EAGAIN)
- err = vfs_permission(nd, MAY_EXEC);
+ err = inode_permission(nd->path.dentry->d_inode,
+ MAY_EXEC);
+ if (!err)
+ err = ima_path_check(&nd->path, MAY_EXEC);
if (err)
break;
@@@ -1525,14 -1506,9 +1509,14 @@@ int may_open(struct path *path, int acc
flag &= ~O_TRUNC;
}
- error = vfs_permission(nd, acc_mode);
+ error = inode_permission(inode, acc_mode);
if (error)
return error;
+
- error = ima_path_check(&nd->path,
++ error = ima_path_check(path,
+ acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
+ if (error)
+ return error;
/*
* An append-only file must be opened in append mode for writing.
*/
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/Kconfig | 9 | ||||
| -rw-r--r-- | security/capability.c | 57 | ||||
| -rw-r--r-- | security/commoncap.c | 6 | ||||
| -rw-r--r-- | security/device_cgroup.c | 5 | ||||
| -rw-r--r-- | security/inode.c | 3 | ||||
| -rw-r--r-- | security/keys/keyctl.c | 23 | ||||
| -rw-r--r-- | security/security.c | 66 | ||||
| -rw-r--r-- | security/selinux/selinuxfs.c | 4 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 26 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 6 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 4 |
11 files changed, 170 insertions, 39 deletions
diff --git a/security/Kconfig b/security/Kconfig index a79b23f73d03..bf129f87de7e 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
| @@ -82,6 +82,15 @@ config SECURITY_NETWORK_XFRM | |||
| 82 | IPSec. | 82 | IPSec. |
| 83 | If you are unsure how to answer this question, answer N. | 83 | If you are unsure how to answer this question, answer N. |
| 84 | 84 | ||
| 85 | config SECURITY_PATH | ||
| 86 | bool "Security hooks for pathname based access control" | ||
| 87 | depends on SECURITY | ||
| 88 | help | ||
| 89 | This enables the security hooks for pathname based access control. | ||
| 90 | If enabled, a security module can use these hooks to | ||
| 91 | implement pathname based access controls. | ||
| 92 | If you are unsure how to answer this question, answer N. | ||
| 93 | |||
| 85 | config SECURITY_FILE_CAPABILITIES | 94 | config SECURITY_FILE_CAPABILITIES |
| 86 | bool "File POSIX Capabilities" | 95 | bool "File POSIX Capabilities" |
| 87 | default n | 96 | default n |
diff --git a/security/capability.c b/security/capability.c index 2dce66fcb992..c545bd1300b5 100644 --- a/security/capability.c +++ b/security/capability.c | |||
| @@ -263,6 +263,53 @@ static void cap_inode_getsecid(const struct inode *inode, u32 *secid) | |||
| 263 | *secid = 0; | 263 | *secid = 0; |
| 264 | } | 264 | } |
| 265 | 265 | ||
| 266 | #ifdef CONFIG_SECURITY_PATH | ||
| 267 | static int cap_path_mknod(struct path *dir, struct dentry *dentry, int mode, | ||
| 268 | unsigned int dev) | ||
| 269 | { | ||
| 270 | return 0; | ||
| 271 | } | ||
| 272 | |||
| 273 | static int cap_path_mkdir(struct path *dir, struct dentry *dentry, int mode) | ||
| 274 | { | ||
| 275 | return 0; | ||
| 276 | } | ||
| 277 | |||
| 278 | static int cap_path_rmdir(struct path *dir, struct dentry *dentry) | ||
| 279 | { | ||
| 280 | return 0; | ||
| 281 | } | ||
| 282 | |||
| 283 | static int cap_path_unlink(struct path *dir, struct dentry *dentry) | ||
| 284 | { | ||
| 285 | return 0; | ||
| 286 | } | ||
| 287 | |||
| 288 | static int cap_path_symlink(struct path *dir, struct dentry *dentry, | ||
| 289 | const char *old_name) | ||
| 290 | { | ||
| 291 | return 0; | ||
| 292 | } | ||
| 293 | |||
| 294 | static int cap_path_link(struct dentry *old_dentry, struct path *new_dir, | ||
| 295 | struct dentry *new_dentry) | ||
| 296 | { | ||
| 297 | return 0; | ||
| 298 | } | ||
| 299 | |||
| 300 | static int cap_path_rename(struct path *old_path, struct dentry *old_dentry, | ||
| 301 | struct path *new_path, struct dentry *new_dentry) | ||
| 302 | { | ||
| 303 | return 0; | ||
| 304 | } | ||
| 305 | |||
| 306 | static int cap_path_truncate(struct path *path, loff_t length, | ||
| 307 | unsigned int time_attrs) | ||
| 308 | { | ||
| 309 | return 0; | ||
| 310 | } | ||
| 311 | #endif | ||
| 312 | |||
| 266 | static int cap_file_permission(struct file *file, int mask) | 313 | static int cap_file_permission(struct file *file, int mask) |
| 267 | { | 314 | { |
| 268 | return 0; | 315 | return 0; |
| @@ -883,6 +930,16 @@ void security_fixup_ops(struct security_operations *ops) | |||
| 883 | set_to_cap_if_null(ops, inode_setsecurity); | 930 | set_to_cap_if_null(ops, inode_setsecurity); |
| 884 | set_to_cap_if_null(ops, inode_listsecurity); | 931 | set_to_cap_if_null(ops, inode_listsecurity); |
| 885 | set_to_cap_if_null(ops, inode_getsecid); | 932 | set_to_cap_if_null(ops, inode_getsecid); |
| 933 | #ifdef CONFIG_SECURITY_PATH | ||
| 934 | set_to_cap_if_null(ops, path_mknod); | ||
| 935 | set_to_cap_if_null(ops, path_mkdir); | ||
| 936 | set_to_cap_if_null(ops, path_rmdir); | ||
| 937 | set_to_cap_if_null(ops, path_unlink); | ||
| 938 | set_to_cap_if_null(ops, path_symlink); | ||
| 939 | set_to_cap_if_null(ops, path_link); | ||
| 940 | set_to_cap_if_null(ops, path_rename); | ||
| 941 | set_to_cap_if_null(ops, path_truncate); | ||
| 942 | #endif | ||
| 886 | set_to_cap_if_null(ops, file_permission); | 943 | set_to_cap_if_null(ops, file_permission); |
| 887 | set_to_cap_if_null(ops, file_alloc_security); | 944 | set_to_cap_if_null(ops, file_alloc_security); |
| 888 | set_to_cap_if_null(ops, file_free_security); | 945 | set_to_cap_if_null(ops, file_free_security); |
diff --git a/security/commoncap.c b/security/commoncap.c index f0e671dcfff0..7cd61a5f5205 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -235,7 +235,7 @@ int cap_inode_need_killpriv(struct dentry *dentry) | |||
| 235 | struct inode *inode = dentry->d_inode; | 235 | struct inode *inode = dentry->d_inode; |
| 236 | int error; | 236 | int error; |
| 237 | 237 | ||
| 238 | if (!inode->i_op || !inode->i_op->getxattr) | 238 | if (!inode->i_op->getxattr) |
| 239 | return 0; | 239 | return 0; |
| 240 | 240 | ||
| 241 | error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); | 241 | error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); |
| @@ -256,7 +256,7 @@ int cap_inode_killpriv(struct dentry *dentry) | |||
| 256 | { | 256 | { |
| 257 | struct inode *inode = dentry->d_inode; | 257 | struct inode *inode = dentry->d_inode; |
| 258 | 258 | ||
| 259 | if (!inode->i_op || !inode->i_op->removexattr) | 259 | if (!inode->i_op->removexattr) |
| 260 | return 0; | 260 | return 0; |
| 261 | 261 | ||
| 262 | return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); | 262 | return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); |
| @@ -314,7 +314,7 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data | |||
| 314 | 314 | ||
| 315 | memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); | 315 | memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); |
| 316 | 316 | ||
| 317 | if (!inode || !inode->i_op || !inode->i_op->getxattr) | 317 | if (!inode || !inode->i_op->getxattr) |
| 318 | return -ENODATA; | 318 | return -ENODATA; |
| 319 | 319 | ||
| 320 | size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps, | 320 | size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps, |
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 5ba78701adc3..3aacd0fe7179 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
| @@ -513,11 +513,14 @@ int devcgroup_inode_mknod(int mode, dev_t dev) | |||
| 513 | struct dev_cgroup *dev_cgroup; | 513 | struct dev_cgroup *dev_cgroup; |
| 514 | struct dev_whitelist_item *wh; | 514 | struct dev_whitelist_item *wh; |
| 515 | 515 | ||
| 516 | if (!S_ISBLK(mode) && !S_ISCHR(mode)) | ||
| 517 | return 0; | ||
| 518 | |||
| 516 | rcu_read_lock(); | 519 | rcu_read_lock(); |
| 517 | 520 | ||
| 518 | dev_cgroup = task_devcgroup(current); | 521 | dev_cgroup = task_devcgroup(current); |
| 519 | 522 | ||
| 520 | list_for_each_entry(wh, &dev_cgroup->whitelist, list) { | 523 | list_for_each_entry_rcu(wh, &dev_cgroup->whitelist, list) { |
| 521 | if (wh->type & DEV_ALL) | 524 | if (wh->type & DEV_ALL) |
| 522 | goto acc_check; | 525 | goto acc_check; |
| 523 | if ((wh->type & DEV_BLOCK) && !S_ISBLK(mode)) | 526 | if ((wh->type & DEV_BLOCK) && !S_ISBLK(mode)) |
diff --git a/security/inode.c b/security/inode.c index b41e708147ae..f3b91bfbe4cb 100644 --- a/security/inode.c +++ b/security/inode.c | |||
| @@ -61,9 +61,6 @@ static struct inode *get_inode(struct super_block *sb, int mode, dev_t dev) | |||
| 61 | 61 | ||
| 62 | if (inode) { | 62 | if (inode) { |
| 63 | inode->i_mode = mode; | 63 | inode->i_mode = mode; |
| 64 | inode->i_uid = 0; | ||
| 65 | inode->i_gid = 0; | ||
| 66 | inode->i_blocks = 0; | ||
| 67 | inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME; | 64 | inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME; |
| 68 | switch (mode & S_IFMT) { | 65 | switch (mode & S_IFMT) { |
| 69 | default: | 66 | default: |
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 09796797d122..b1ec3b4ee17d 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
| @@ -54,11 +54,11 @@ static int key_get_type_from_user(char *type, | |||
| 54 | * - returns the new key's serial number | 54 | * - returns the new key's serial number |
| 55 | * - implements add_key() | 55 | * - implements add_key() |
| 56 | */ | 56 | */ |
| 57 | asmlinkage long sys_add_key(const char __user *_type, | 57 | SYSCALL_DEFINE5(add_key, const char __user *, _type, |
| 58 | const char __user *_description, | 58 | const char __user *, _description, |
| 59 | const void __user *_payload, | 59 | const void __user *, _payload, |
| 60 | size_t plen, | 60 | size_t, plen, |
| 61 | key_serial_t ringid) | 61 | key_serial_t, ringid) |
| 62 | { | 62 | { |
| 63 | key_ref_t keyring_ref, key_ref; | 63 | key_ref_t keyring_ref, key_ref; |
| 64 | char type[32], *description; | 64 | char type[32], *description; |
| @@ -146,10 +146,10 @@ asmlinkage long sys_add_key(const char __user *_type, | |||
| 146 | * - if the _callout_info string is empty, it will be rendered as "-" | 146 | * - if the _callout_info string is empty, it will be rendered as "-" |
| 147 | * - implements request_key() | 147 | * - implements request_key() |
| 148 | */ | 148 | */ |
| 149 | asmlinkage long sys_request_key(const char __user *_type, | 149 | SYSCALL_DEFINE4(request_key, const char __user *, _type, |
| 150 | const char __user *_description, | 150 | const char __user *, _description, |
| 151 | const char __user *_callout_info, | 151 | const char __user *, _callout_info, |
| 152 | key_serial_t destringid) | 152 | key_serial_t, destringid) |
| 153 | { | 153 | { |
| 154 | struct key_type *ktype; | 154 | struct key_type *ktype; |
| 155 | struct key *key; | 155 | struct key *key; |
| @@ -270,6 +270,7 @@ long keyctl_join_session_keyring(const char __user *_name) | |||
| 270 | 270 | ||
| 271 | /* join the session */ | 271 | /* join the session */ |
| 272 | ret = join_session_keyring(name); | 272 | ret = join_session_keyring(name); |
| 273 | kfree(name); | ||
| 273 | 274 | ||
| 274 | error: | 275 | error: |
| 275 | return ret; | 276 | return ret; |
| @@ -1216,8 +1217,8 @@ long keyctl_get_security(key_serial_t keyid, | |||
| 1216 | /* | 1217 | /* |
| 1217 | * the key control system call | 1218 | * the key control system call |
| 1218 | */ | 1219 | */ |
| 1219 | asmlinkage long sys_keyctl(int option, unsigned long arg2, unsigned long arg3, | 1220 | SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, |
| 1220 | unsigned long arg4, unsigned long arg5) | 1221 | unsigned long, arg4, unsigned long, arg5) |
| 1221 | { | 1222 | { |
| 1222 | switch (option) { | 1223 | switch (option) { |
| 1223 | case KEYCTL_GET_KEYRING_ID: | 1224 | case KEYCTL_GET_KEYRING_ID: |
diff --git a/security/security.c b/security/security.c index a02f243f09c0..c3586c0d97e2 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -373,6 +373,72 @@ int security_inode_init_security(struct inode *inode, struct inode *dir, | |||
| 373 | } | 373 | } |
| 374 | EXPORT_SYMBOL(security_inode_init_security); | 374 | EXPORT_SYMBOL(security_inode_init_security); |
| 375 | 375 | ||
| 376 | #ifdef CONFIG_SECURITY_PATH | ||
| 377 | int security_path_mknod(struct path *path, struct dentry *dentry, int mode, | ||
| 378 | unsigned int dev) | ||
| 379 | { | ||
| 380 | if (unlikely(IS_PRIVATE(path->dentry->d_inode))) | ||
| 381 | return 0; | ||
| 382 | return security_ops->path_mknod(path, dentry, mode, dev); | ||
| 383 | } | ||
| 384 | EXPORT_SYMBOL(security_path_mknod); | ||
| 385 | |||
| 386 | int security_path_mkdir(struct path *path, struct dentry *dentry, int mode) | ||
| 387 | { | ||
| 388 | if (unlikely(IS_PRIVATE(path->dentry->d_inode))) | ||
| 389 | return 0; | ||
| 390 | return security_ops->path_mkdir(path, dentry, mode); | ||
| 391 | } | ||
| 392 | |||
| 393 | int security_path_rmdir(struct path *path, struct dentry *dentry) | ||
| 394 | { | ||
| 395 | if (unlikely(IS_PRIVATE(path->dentry->d_inode))) | ||
| 396 | return 0; | ||
| 397 | return security_ops->path_rmdir(path, dentry); | ||
| 398 | } | ||
| 399 | |||
| 400 | int security_path_unlink(struct path *path, struct dentry *dentry) | ||
| 401 | { | ||
| 402 | if (unlikely(IS_PRIVATE(path->dentry->d_inode))) | ||
| 403 | return 0; | ||
| 404 | return security_ops->path_unlink(path, dentry); | ||
| 405 | } | ||
| 406 | |||
| 407 | int security_path_symlink(struct path *path, struct dentry *dentry, | ||
| 408 | const char *old_name) | ||
| 409 | { | ||
| 410 | if (unlikely(IS_PRIVATE(path->dentry->d_inode))) | ||
| 411 | return 0; | ||
| 412 | return security_ops->path_symlink(path, dentry, old_name); | ||
| 413 | } | ||
| 414 | |||
| 415 | int security_path_link(struct dentry *old_dentry, struct path *new_dir, | ||
| 416 | struct dentry *new_dentry) | ||
| 417 | { | ||
| 418 | if (unlikely(IS_PRIVATE(old_dentry->d_inode))) | ||
| 419 | return 0; | ||
| 420 | return security_ops->path_link(old_dentry, new_dir, new_dentry); | ||
| 421 | } | ||
| 422 | |||
| 423 | int security_path_rename(struct path *old_dir, struct dentry *old_dentry, | ||
| 424 | struct path *new_dir, struct dentry *new_dentry) | ||
| 425 | { | ||
| 426 | if (unlikely(IS_PRIVATE(old_dentry->d_inode) || | ||
| 427 | (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode)))) | ||
| 428 | return 0; | ||
| 429 | return security_ops->path_rename(old_dir, old_dentry, new_dir, | ||
| 430 | new_dentry); | ||
| 431 | } | ||
| 432 | |||
| 433 | int security_path_truncate(struct path *path, loff_t length, | ||
| 434 | unsigned int time_attrs) | ||
| 435 | { | ||
| 436 | if (unlikely(IS_PRIVATE(path->dentry->d_inode))) | ||
| 437 | return 0; | ||
| 438 | return security_ops->path_truncate(path, length, time_attrs); | ||
| 439 | } | ||
| 440 | #endif | ||
| 441 | |||
| 376 | int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) | 442 | int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) |
| 377 | { | 443 | { |
| 378 | if (unlikely(IS_PRIVATE(dir))) | 444 | if (unlikely(IS_PRIVATE(dir))) |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 77fb3c8d9267..01ec6d2c6b97 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
| @@ -847,8 +847,6 @@ static struct inode *sel_make_inode(struct super_block *sb, int mode) | |||
| 847 | 847 | ||
| 848 | if (ret) { | 848 | if (ret) { |
| 849 | ret->i_mode = mode; | 849 | ret->i_mode = mode; |
| 850 | ret->i_uid = ret->i_gid = 0; | ||
| 851 | ret->i_blocks = 0; | ||
| 852 | ret->i_atime = ret->i_mtime = ret->i_ctime = CURRENT_TIME; | 850 | ret->i_atime = ret->i_mtime = ret->i_ctime = CURRENT_TIME; |
| 853 | } | 851 | } |
| 854 | return ret; | 852 | return ret; |
| @@ -1211,7 +1209,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) | |||
| 1211 | { | 1209 | { |
| 1212 | int cpu; | 1210 | int cpu; |
| 1213 | 1211 | ||
| 1214 | for (cpu = *idx; cpu < NR_CPUS; ++cpu) { | 1212 | for (cpu = *idx; cpu < nr_cpu_ids; ++cpu) { |
| 1215 | if (!cpu_possible(cpu)) | 1213 | if (!cpu_possible(cpu)) |
| 1216 | continue; | 1214 | continue; |
| 1217 | *idx = cpu + 1; | 1215 | *idx = cpu + 1; |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 343c8ab14af0..c65e4fe4a0f1 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -2602,7 +2602,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) | |||
| 2602 | case AUDIT_OBJ_ROLE: | 2602 | case AUDIT_OBJ_ROLE: |
| 2603 | case AUDIT_OBJ_TYPE: | 2603 | case AUDIT_OBJ_TYPE: |
| 2604 | /* only 'equals' and 'not equals' fit user, role, and type */ | 2604 | /* only 'equals' and 'not equals' fit user, role, and type */ |
| 2605 | if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) | 2605 | if (op != Audit_equal && op != Audit_not_equal) |
| 2606 | return -EINVAL; | 2606 | return -EINVAL; |
| 2607 | break; | 2607 | break; |
| 2608 | case AUDIT_SUBJ_SEN: | 2608 | case AUDIT_SUBJ_SEN: |
| @@ -2736,10 +2736,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
| 2736 | case AUDIT_SUBJ_USER: | 2736 | case AUDIT_SUBJ_USER: |
| 2737 | case AUDIT_OBJ_USER: | 2737 | case AUDIT_OBJ_USER: |
| 2738 | switch (op) { | 2738 | switch (op) { |
| 2739 | case AUDIT_EQUAL: | 2739 | case Audit_equal: |
| 2740 | match = (ctxt->user == rule->au_ctxt.user); | 2740 | match = (ctxt->user == rule->au_ctxt.user); |
| 2741 | break; | 2741 | break; |
| 2742 | case AUDIT_NOT_EQUAL: | 2742 | case Audit_not_equal: |
| 2743 | match = (ctxt->user != rule->au_ctxt.user); | 2743 | match = (ctxt->user != rule->au_ctxt.user); |
| 2744 | break; | 2744 | break; |
| 2745 | } | 2745 | } |
| @@ -2747,10 +2747,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
| 2747 | case AUDIT_SUBJ_ROLE: | 2747 | case AUDIT_SUBJ_ROLE: |
| 2748 | case AUDIT_OBJ_ROLE: | 2748 | case AUDIT_OBJ_ROLE: |
| 2749 | switch (op) { | 2749 | switch (op) { |
| 2750 | case AUDIT_EQUAL: | 2750 | case Audit_equal: |
| 2751 | match = (ctxt->role == rule->au_ctxt.role); | 2751 | match = (ctxt->role == rule->au_ctxt.role); |
| 2752 | break; | 2752 | break; |
| 2753 | case AUDIT_NOT_EQUAL: | 2753 | case Audit_not_equal: |
| 2754 | match = (ctxt->role != rule->au_ctxt.role); | 2754 | match = (ctxt->role != rule->au_ctxt.role); |
| 2755 | break; | 2755 | break; |
| 2756 | } | 2756 | } |
| @@ -2758,10 +2758,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
| 2758 | case AUDIT_SUBJ_TYPE: | 2758 | case AUDIT_SUBJ_TYPE: |
| 2759 | case AUDIT_OBJ_TYPE: | 2759 | case AUDIT_OBJ_TYPE: |
| 2760 | switch (op) { | 2760 | switch (op) { |
| 2761 | case AUDIT_EQUAL: | 2761 | case Audit_equal: |
| 2762 | match = (ctxt->type == rule->au_ctxt.type); | 2762 | match = (ctxt->type == rule->au_ctxt.type); |
| 2763 | break; | 2763 | break; |
| 2764 | case AUDIT_NOT_EQUAL: | 2764 | case Audit_not_equal: |
| 2765 | match = (ctxt->type != rule->au_ctxt.type); | 2765 | match = (ctxt->type != rule->au_ctxt.type); |
| 2766 | break; | 2766 | break; |
| 2767 | } | 2767 | } |
| @@ -2774,31 +2774,31 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
| 2774 | field == AUDIT_OBJ_LEV_LOW) ? | 2774 | field == AUDIT_OBJ_LEV_LOW) ? |
| 2775 | &ctxt->range.level[0] : &ctxt->range.level[1]); | 2775 | &ctxt->range.level[0] : &ctxt->range.level[1]); |
| 2776 | switch (op) { | 2776 | switch (op) { |
| 2777 | case AUDIT_EQUAL: | 2777 | case Audit_equal: |
| 2778 | match = mls_level_eq(&rule->au_ctxt.range.level[0], | 2778 | match = mls_level_eq(&rule->au_ctxt.range.level[0], |
| 2779 | level); | 2779 | level); |
| 2780 | break; | 2780 | break; |
| 2781 | case AUDIT_NOT_EQUAL: | 2781 | case Audit_not_equal: |
| 2782 | match = !mls_level_eq(&rule->au_ctxt.range.level[0], | 2782 | match = !mls_level_eq(&rule->au_ctxt.range.level[0], |
| 2783 | level); | 2783 | level); |
| 2784 | break; | 2784 | break; |
| 2785 | case AUDIT_LESS_THAN: | 2785 | case Audit_lt: |
| 2786 | match = (mls_level_dom(&rule->au_ctxt.range.level[0], | 2786 | match = (mls_level_dom(&rule->au_ctxt.range.level[0], |
| 2787 | level) && | 2787 | level) && |
| 2788 | !mls_level_eq(&rule->au_ctxt.range.level[0], | 2788 | !mls_level_eq(&rule->au_ctxt.range.level[0], |
| 2789 | level)); | 2789 | level)); |
| 2790 | break; | 2790 | break; |
| 2791 | case AUDIT_LESS_THAN_OR_EQUAL: | 2791 | case Audit_le: |
| 2792 | match = mls_level_dom(&rule->au_ctxt.range.level[0], | 2792 | match = mls_level_dom(&rule->au_ctxt.range.level[0], |
| 2793 | level); | 2793 | level); |
| 2794 | break; | 2794 | break; |
| 2795 | case AUDIT_GREATER_THAN: | 2795 | case Audit_gt: |
| 2796 | match = (mls_level_dom(level, | 2796 | match = (mls_level_dom(level, |
| 2797 | &rule->au_ctxt.range.level[0]) && | 2797 | &rule->au_ctxt.range.level[0]) && |
| 2798 | !mls_level_eq(level, | 2798 | !mls_level_eq(level, |
| 2799 | &rule->au_ctxt.range.level[0])); | 2799 | &rule->au_ctxt.range.level[0])); |
| 2800 | break; | 2800 | break; |
| 2801 | case AUDIT_GREATER_THAN_OR_EQUAL: | 2801 | case Audit_ge: |
| 2802 | match = mls_level_dom(level, | 2802 | match = mls_level_dom(level, |
| 2803 | &rule->au_ctxt.range.level[0]); | 2803 | &rule->au_ctxt.range.level[0]); |
| 2804 | break; | 2804 | break; |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 6bfaba6177c2..0278bc083044 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -2691,7 +2691,7 @@ static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) | |||
| 2691 | if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) | 2691 | if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) |
| 2692 | return -EINVAL; | 2692 | return -EINVAL; |
| 2693 | 2693 | ||
| 2694 | if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) | 2694 | if (op != Audit_equal && op != Audit_not_equal) |
| 2695 | return -EINVAL; | 2695 | return -EINVAL; |
| 2696 | 2696 | ||
| 2697 | *rule = smk_import(rulestr, 0); | 2697 | *rule = smk_import(rulestr, 0); |
| @@ -2755,9 +2755,9 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, | |||
| 2755 | * both pointers will point to the same smack_known | 2755 | * both pointers will point to the same smack_known |
| 2756 | * label. | 2756 | * label. |
| 2757 | */ | 2757 | */ |
| 2758 | if (op == AUDIT_EQUAL) | 2758 | if (op == Audit_equal) |
| 2759 | return (rule == smack); | 2759 | return (rule == smack); |
| 2760 | if (op == AUDIT_NOT_EQUAL) | 2760 | if (op == Audit_not_equal) |
| 2761 | return (rule != smack); | 2761 | return (rule != smack); |
| 2762 | 2762 | ||
| 2763 | return 0; | 2763 | return 0; |
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index bf107a389ac1..8e42800878f4 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
| @@ -334,7 +334,7 @@ static ssize_t smk_write_load(struct file *file, const char __user *buf, | |||
| 334 | break; | 334 | break; |
| 335 | case 'a': | 335 | case 'a': |
| 336 | case 'A': | 336 | case 'A': |
| 337 | rule.smk_access |= MAY_READ; | 337 | rule.smk_access |= MAY_APPEND; |
| 338 | break; | 338 | break; |
| 339 | default: | 339 | default: |
| 340 | goto out; | 340 | goto out; |
| @@ -569,7 +569,7 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf, | |||
| 569 | if (skp == NULL) | 569 | if (skp == NULL) |
| 570 | goto out; | 570 | goto out; |
| 571 | 571 | ||
| 572 | rule += SMK_LABELLEN;; | 572 | rule += SMK_LABELLEN; |
| 573 | ret = sscanf(rule, "%d", &maplevel); | 573 | ret = sscanf(rule, "%d", &maplevel); |
| 574 | if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) | 574 | if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) |
| 575 | goto out; | 575 | goto out; |