diff options
| author | Jeff Garzik <jgarzik@pobox.com> | 2006-02-09 00:58:59 -0500 |
|---|---|---|
| committer | Jeff Garzik <jgarzik@pobox.com> | 2006-02-09 00:58:59 -0500 |
| commit | cac0e8e8bb2e7a086643bdd00c41d900a79bb4fa (patch) | |
| tree | 73cd85e5529a01fa2338ab6d58b99c36dd666cbe /security | |
| parent | ddef9bb367b19383df627e388cb4c01c86ddba6c (diff) | |
| parent | 0bdd340c092b0936f78a54bdbd3927463ed4fca3 (diff) | |
Merge branch 'master'
Diffstat (limited to 'security')
| -rw-r--r-- | security/keys/keyctl.c | 15 | ||||
| -rw-r--r-- | security/selinux/Kconfig | 2 | ||||
| -rw-r--r-- | security/selinux/Makefile | 4 | ||||
| -rw-r--r-- | security/selinux/avc.c | 2 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 21 |
5 files changed, 15 insertions, 29 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 90db5c76cf6e..0c62798ac7d8 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
| @@ -67,9 +67,10 @@ asmlinkage long sys_add_key(const char __user *_type, | |||
| 67 | description = kmalloc(dlen + 1, GFP_KERNEL); | 67 | description = kmalloc(dlen + 1, GFP_KERNEL); |
| 68 | if (!description) | 68 | if (!description) |
| 69 | goto error; | 69 | goto error; |
| 70 | description[dlen] = '\0'; | ||
| 70 | 71 | ||
| 71 | ret = -EFAULT; | 72 | ret = -EFAULT; |
| 72 | if (copy_from_user(description, _description, dlen + 1) != 0) | 73 | if (copy_from_user(description, _description, dlen) != 0) |
| 73 | goto error2; | 74 | goto error2; |
| 74 | 75 | ||
| 75 | /* pull the payload in if one was supplied */ | 76 | /* pull the payload in if one was supplied */ |
| @@ -161,9 +162,10 @@ asmlinkage long sys_request_key(const char __user *_type, | |||
| 161 | description = kmalloc(dlen + 1, GFP_KERNEL); | 162 | description = kmalloc(dlen + 1, GFP_KERNEL); |
| 162 | if (!description) | 163 | if (!description) |
| 163 | goto error; | 164 | goto error; |
| 165 | description[dlen] = '\0'; | ||
| 164 | 166 | ||
| 165 | ret = -EFAULT; | 167 | ret = -EFAULT; |
| 166 | if (copy_from_user(description, _description, dlen + 1) != 0) | 168 | if (copy_from_user(description, _description, dlen) != 0) |
| 167 | goto error2; | 169 | goto error2; |
| 168 | 170 | ||
| 169 | /* pull the callout info into kernel space */ | 171 | /* pull the callout info into kernel space */ |
| @@ -182,9 +184,10 @@ asmlinkage long sys_request_key(const char __user *_type, | |||
| 182 | callout_info = kmalloc(dlen + 1, GFP_KERNEL); | 184 | callout_info = kmalloc(dlen + 1, GFP_KERNEL); |
| 183 | if (!callout_info) | 185 | if (!callout_info) |
| 184 | goto error2; | 186 | goto error2; |
| 187 | callout_info[dlen] = '\0'; | ||
| 185 | 188 | ||
| 186 | ret = -EFAULT; | 189 | ret = -EFAULT; |
| 187 | if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0) | 190 | if (copy_from_user(callout_info, _callout_info, dlen) != 0) |
| 188 | goto error3; | 191 | goto error3; |
| 189 | } | 192 | } |
| 190 | 193 | ||
| @@ -279,9 +282,10 @@ long keyctl_join_session_keyring(const char __user *_name) | |||
| 279 | name = kmalloc(nlen + 1, GFP_KERNEL); | 282 | name = kmalloc(nlen + 1, GFP_KERNEL); |
| 280 | if (!name) | 283 | if (!name) |
| 281 | goto error; | 284 | goto error; |
| 285 | name[nlen] = '\0'; | ||
| 282 | 286 | ||
| 283 | ret = -EFAULT; | 287 | ret = -EFAULT; |
| 284 | if (copy_from_user(name, _name, nlen + 1) != 0) | 288 | if (copy_from_user(name, _name, nlen) != 0) |
| 285 | goto error2; | 289 | goto error2; |
| 286 | } | 290 | } |
| 287 | 291 | ||
| @@ -583,9 +587,10 @@ long keyctl_keyring_search(key_serial_t ringid, | |||
| 583 | description = kmalloc(dlen + 1, GFP_KERNEL); | 587 | description = kmalloc(dlen + 1, GFP_KERNEL); |
| 584 | if (!description) | 588 | if (!description) |
| 585 | goto error; | 589 | goto error; |
| 590 | description[dlen] = '\0'; | ||
| 586 | 591 | ||
| 587 | ret = -EFAULT; | 592 | ret = -EFAULT; |
| 588 | if (copy_from_user(description, _description, dlen + 1) != 0) | 593 | if (copy_from_user(description, _description, dlen) != 0) |
| 589 | goto error2; | 594 | goto error2; |
| 590 | 595 | ||
| 591 | /* get the keyring at which to begin the search */ | 596 | /* get the keyring at which to begin the search */ |
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index b59582b92283..f636f53ca544 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | config SECURITY_SELINUX | 1 | config SECURITY_SELINUX |
| 2 | bool "NSA SELinux Support" | 2 | bool "NSA SELinux Support" |
| 3 | depends on SECURITY && NET && INET | 3 | depends on SECURITY_NETWORK && AUDIT && NET && INET |
| 4 | default n | 4 | default n |
| 5 | help | 5 | help |
| 6 | This selects NSA Security-Enhanced Linux (SELinux). | 6 | This selects NSA Security-Enhanced Linux (SELinux). |
diff --git a/security/selinux/Makefile b/security/selinux/Makefile index 06d54d9d20a5..688c0a267b62 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile | |||
| @@ -4,9 +4,7 @@ | |||
| 4 | 4 | ||
| 5 | obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/ | 5 | obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/ |
| 6 | 6 | ||
| 7 | selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o | 7 | selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o |
| 8 | |||
| 9 | selinux-$(CONFIG_SECURITY_NETWORK) += netif.o | ||
| 10 | 8 | ||
| 11 | selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o | 9 | selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o |
| 12 | 10 | ||
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 53d6c7bbf564..ac5d69bb3377 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -43,13 +43,11 @@ static const struct av_perm_to_string | |||
| 43 | #undef S_ | 43 | #undef S_ |
| 44 | }; | 44 | }; |
| 45 | 45 | ||
| 46 | #ifdef CONFIG_AUDIT | ||
| 47 | static const char *class_to_string[] = { | 46 | static const char *class_to_string[] = { |
| 48 | #define S_(s) s, | 47 | #define S_(s) s, |
| 49 | #include "class_to_string.h" | 48 | #include "class_to_string.h" |
| 50 | #undef S_ | 49 | #undef S_ |
| 51 | }; | 50 | }; |
| 52 | #endif | ||
| 53 | 51 | ||
| 54 | #define TB_(s) static const char * s [] = { | 52 | #define TB_(s) static const char * s [] = { |
| 55 | #define TE_(s) }; | 53 | #define TE_(s) }; |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4ae834d89bce..b7773bf68efa 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -232,7 +232,6 @@ static void superblock_free_security(struct super_block *sb) | |||
| 232 | kfree(sbsec); | 232 | kfree(sbsec); |
| 233 | } | 233 | } |
| 234 | 234 | ||
| 235 | #ifdef CONFIG_SECURITY_NETWORK | ||
| 236 | static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) | 235 | static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) |
| 237 | { | 236 | { |
| 238 | struct sk_security_struct *ssec; | 237 | struct sk_security_struct *ssec; |
| @@ -261,7 +260,6 @@ static void sk_free_security(struct sock *sk) | |||
| 261 | sk->sk_security = NULL; | 260 | sk->sk_security = NULL; |
| 262 | kfree(ssec); | 261 | kfree(ssec); |
| 263 | } | 262 | } |
| 264 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
| 265 | 263 | ||
| 266 | /* The security server must be initialized before | 264 | /* The security server must be initialized before |
| 267 | any labeling or access decisions can be provided. */ | 265 | any labeling or access decisions can be provided. */ |
| @@ -2736,8 +2734,6 @@ static void selinux_task_to_inode(struct task_struct *p, | |||
| 2736 | return; | 2734 | return; |
| 2737 | } | 2735 | } |
| 2738 | 2736 | ||
| 2739 | #ifdef CONFIG_SECURITY_NETWORK | ||
| 2740 | |||
| 2741 | /* Returns error only if unable to parse addresses */ | 2737 | /* Returns error only if unable to parse addresses */ |
| 2742 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) | 2738 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) |
| 2743 | { | 2739 | { |
| @@ -3556,15 +3552,6 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum, | |||
| 3556 | 3552 | ||
| 3557 | #endif /* CONFIG_NETFILTER */ | 3553 | #endif /* CONFIG_NETFILTER */ |
| 3558 | 3554 | ||
| 3559 | #else | ||
| 3560 | |||
| 3561 | static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) | ||
| 3562 | { | ||
| 3563 | return 0; | ||
| 3564 | } | ||
| 3565 | |||
| 3566 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
| 3567 | |||
| 3568 | static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) | 3555 | static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) |
| 3569 | { | 3556 | { |
| 3570 | struct task_security_struct *tsec; | 3557 | struct task_security_struct *tsec; |
| @@ -4340,7 +4327,6 @@ static struct security_operations selinux_ops = { | |||
| 4340 | .getprocattr = selinux_getprocattr, | 4327 | .getprocattr = selinux_getprocattr, |
| 4341 | .setprocattr = selinux_setprocattr, | 4328 | .setprocattr = selinux_setprocattr, |
| 4342 | 4329 | ||
| 4343 | #ifdef CONFIG_SECURITY_NETWORK | ||
| 4344 | .unix_stream_connect = selinux_socket_unix_stream_connect, | 4330 | .unix_stream_connect = selinux_socket_unix_stream_connect, |
| 4345 | .unix_may_send = selinux_socket_unix_may_send, | 4331 | .unix_may_send = selinux_socket_unix_may_send, |
| 4346 | 4332 | ||
| @@ -4362,7 +4348,6 @@ static struct security_operations selinux_ops = { | |||
| 4362 | .sk_alloc_security = selinux_sk_alloc_security, | 4348 | .sk_alloc_security = selinux_sk_alloc_security, |
| 4363 | .sk_free_security = selinux_sk_free_security, | 4349 | .sk_free_security = selinux_sk_free_security, |
| 4364 | .sk_getsid = selinux_sk_getsid_security, | 4350 | .sk_getsid = selinux_sk_getsid_security, |
| 4365 | #endif | ||
| 4366 | 4351 | ||
| 4367 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 4352 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
| 4368 | .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, | 4353 | .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, |
| @@ -4440,7 +4425,7 @@ next_sb: | |||
| 4440 | all processes and objects when they are created. */ | 4425 | all processes and objects when they are created. */ |
| 4441 | security_initcall(selinux_init); | 4426 | security_initcall(selinux_init); |
| 4442 | 4427 | ||
| 4443 | #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER) | 4428 | #if defined(CONFIG_NETFILTER) |
| 4444 | 4429 | ||
| 4445 | static struct nf_hook_ops selinux_ipv4_op = { | 4430 | static struct nf_hook_ops selinux_ipv4_op = { |
| 4446 | .hook = selinux_ipv4_postroute_last, | 4431 | .hook = selinux_ipv4_postroute_last, |
| @@ -4501,13 +4486,13 @@ static void selinux_nf_ip_exit(void) | |||
| 4501 | } | 4486 | } |
| 4502 | #endif | 4487 | #endif |
| 4503 | 4488 | ||
| 4504 | #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ | 4489 | #else /* CONFIG_NETFILTER */ |
| 4505 | 4490 | ||
| 4506 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | 4491 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE |
| 4507 | #define selinux_nf_ip_exit() | 4492 | #define selinux_nf_ip_exit() |
| 4508 | #endif | 4493 | #endif |
| 4509 | 4494 | ||
| 4510 | #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ | 4495 | #endif /* CONFIG_NETFILTER */ |
| 4511 | 4496 | ||
| 4512 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | 4497 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE |
| 4513 | int selinux_disable(void) | 4498 | int selinux_disable(void) |