selinux: Remove the "compat_net" compatibility code

The SELinux "compat_net" is marked as deprecated, the time has come to finally remove it from the kernel. Further code simplifications are likely in the future, but this patch was intended to be a simple, straight-up removal of the compat_net code. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2009-03-27 17:10:41 -0400
committer: James Morris <jmorris@namei.org> 2009-03-28 00:01:37 -0400
commit: 58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2 (patch)
tree: 41132587adbb6816b56b9d28105826b8ef0fd7b9 /security
parent: 389fb800ac8be2832efedd19978a2b8ced37eb61 (diff)
2 files changed, 7 insertions, 214 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ee2e781d11d7..ba808ef6babb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -93,7 +93,6 @@
 extern unsigned int policydb_loaded_version;
 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
-extern int selinux_compat_net;
 extern struct security_operations *security_ops;
 /* SECMARK reference count */
@@ -4019,72 +4018,6 @@ static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
                            SECCLASS_NODE, NODE__RECVFROM, ad);
 }
-static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
-                                                struct sk_buff *skb,
-                                                struct avc_audit_data *ad,
-                                                u16 family,
-                                                char *addrp)
-{
-        int err;
-        struct sk_security_struct *sksec = sk->sk_security;
-        u16 sk_class;
-        u32 netif_perm, node_perm, recv_perm;
-        u32 port_sid, node_sid, if_sid, sk_sid;
-        sk_sid = sksec->sid;
-        sk_class = sksec->sclass;
-        switch (sk_class) {
-        case SECCLASS_UDP_SOCKET:
-                netif_perm = NETIF__UDP_RECV;
-                node_perm = NODE__UDP_RECV;
-                recv_perm = UDP_SOCKET__RECV_MSG;
-                break;
-        case SECCLASS_TCP_SOCKET:
-                netif_perm = NETIF__TCP_RECV;
-                node_perm = NODE__TCP_RECV;
-                recv_perm = TCP_SOCKET__RECV_MSG;
-                break;
-        case SECCLASS_DCCP_SOCKET:
-                netif_perm = NETIF__DCCP_RECV;
-                node_perm = NODE__DCCP_RECV;
-                recv_perm = DCCP_SOCKET__RECV_MSG;
-                break;
-        default:
-                netif_perm = NETIF__RAWIP_RECV;
-                node_perm = NODE__RAWIP_RECV;
-                recv_perm = 0;
-                break;
-        }
-        err = sel_netif_sid(skb->iif, &if_sid);
-        if (err)
-                return err;
-        err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
-        if (err)
-                return err;
-        err = sel_netnode_sid(addrp, family, &node_sid);
-        if (err)
-                return err;
-        err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
-        if (err)
-                return err;
-        if (!recv_perm)
-                return 0;
-        err = sel_netport_sid(sk->sk_protocol,
-                              ntohs(ad->u.net.sport), &port_sid);
-        if (unlikely(err)) {
-                printk(KERN_WARNING
-                       "SELinux: failure in"
-                       " selinux_sock_rcv_skb_iptables_compat(),"
-                       " network port label not found\n");
-                return err;
-        }
-        return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
-}
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
                                       u16 family)
 {
@@ -4102,14 +4035,12 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
        if (err)
                return err;
-        if (selinux_compat_net)
+        if (selinux_secmark_enabled()) {
-                err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
-                                                           family, addrp);
-        else if (selinux_secmark_enabled())
                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
                                   PACKET__RECV, &ad);
-        if (err)
+                if (err)
-                return err;
+                        return err;
+        }
        if (selinux_policycap_netpeer) {
                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
@@ -4151,7 +4082,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
         * to the selinux_sock_rcv_skb_compat() function to deal with the
         * special handling.  We do this in an attempt to keep this function
         * as fast and as clean as possible. */
-        if (selinux_compat_net || !selinux_policycap_netpeer)
+        if (!selinux_policycap_netpeer)
                return selinux_sock_rcv_skb_compat(sk, skb, family);
        secmark_active = selinux_secmark_enabled();
@@ -4516,71 +4447,6 @@ static unsigned int selinux_ipv4_output(unsigned int hooknum,
        return selinux_ip_output(skb, PF_INET);
 }
-static int selinux_ip_postroute_iptables_compat(struct sock *sk,
-                                                int ifindex,
-                                                struct avc_audit_data *ad,
-                                                u16 family, char *addrp)
-{
-        int err;
-        struct sk_security_struct *sksec = sk->sk_security;
-        u16 sk_class;
-        u32 netif_perm, node_perm, send_perm;
-        u32 port_sid, node_sid, if_sid, sk_sid;
-        sk_sid = sksec->sid;
-        sk_class = sksec->sclass;
-        switch (sk_class) {
-        case SECCLASS_UDP_SOCKET:
-                netif_perm = NETIF__UDP_SEND;
-                node_perm = NODE__UDP_SEND;
-                send_perm = UDP_SOCKET__SEND_MSG;
-                break;
-        case SECCLASS_TCP_SOCKET:
-                netif_perm = NETIF__TCP_SEND;
-                node_perm = NODE__TCP_SEND;
-                send_perm = TCP_SOCKET__SEND_MSG;
-                break;
-        case SECCLASS_DCCP_SOCKET:
-                netif_perm = NETIF__DCCP_SEND;
-                node_perm = NODE__DCCP_SEND;
-                send_perm = DCCP_SOCKET__SEND_MSG;
-                break;
-        default:
-                netif_perm = NETIF__RAWIP_SEND;
-                node_perm = NODE__RAWIP_SEND;
-                send_perm = 0;
-                break;
-        }
-        err = sel_netif_sid(ifindex, &if_sid);
-        if (err)
-                return err;
-        err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
-                return err;
-        err = sel_netnode_sid(addrp, family, &node_sid);
-        if (err)
-                return err;
-        err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
-        if (err)
-                return err;
-        if (send_perm != 0)
-                return 0;
-        err = sel_netport_sid(sk->sk_protocol,
-                              ntohs(ad->u.net.dport), &port_sid);
-        if (unlikely(err)) {
-                printk(KERN_WARNING
-                       "SELinux: failure in"
-                       " selinux_ip_postroute_iptables_compat(),"
-                       " network port label not found\n");
-                return err;
-        }
-        return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
-}
 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
                                                int ifindex,
                                                u16 family)
@@ -4601,15 +4467,10 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
        if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
                return NF_DROP;
-        if (selinux_compat_net) {
+        if (selinux_secmark_enabled())
-                if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
-                                                         &ad, family, addrp))
-                        return NF_DROP;
-        } else if (selinux_secmark_enabled()) {
                if (avc_has_perm(sksec->sid, skb->secmark,
                                 SECCLASS_PACKET, PACKET__SEND, &ad))
                        return NF_DROP;
-        }
        if (selinux_policycap_netpeer)
                if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
@@ -4633,7 +4494,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
         * to the selinux_ip_postroute_compat() function to deal with the
         * special handling.  We do this in an attempt to keep this function
         * as fast and as clean as possible. */
-        if (selinux_compat_net || !selinux_policycap_netpeer)
+        if (!selinux_policycap_netpeer)
                return selinux_ip_postroute_compat(skb, ifindex, family);
 #ifdef CONFIG_XFRM
        /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index d3c8b982cfb0..2d5136ec3d54 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -47,8 +47,6 @@ static char *policycap_names[] = {
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
-int selinux_compat_net = 0;
 static int __init checkreqprot_setup(char *str)
 {
        unsigned long checkreqprot;
@@ -58,16 +56,6 @@ static int __init checkreqprot_setup(char *str)
 }
 __setup("checkreqprot=", checkreqprot_setup);
-static int __init selinux_compat_net_setup(char *str)
-{
-        unsigned long compat_net;
-        if (!strict_strtoul(str, 0, &compat_net))
-                selinux_compat_net = compat_net ? 1 : 0;
-        return 1;
-}
-__setup("selinux_compat_net=", selinux_compat_net_setup);
 static DEFINE_MUTEX(sel_mutex);
 /* global data for booleans */
@@ -450,61 +438,6 @@ static const struct file_operations sel_checkreqprot_ops = {
        .write          = sel_write_checkreqprot,
 };
-static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
-                                   size_t count, loff_t *ppos)
-{
-        char tmpbuf[TMPBUFLEN];
-        ssize_t length;
-        length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
-        return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
-}
-static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
-                                    size_t count, loff_t *ppos)
-{
-        char *page;
-        ssize_t length;
-        int new_value;
-        length = task_has_security(current, SECURITY__LOAD_POLICY);
-        if (length)
-                return length;
-        if (count >= PAGE_SIZE)
-                return -ENOMEM;
-        if (*ppos != 0) {
-                /* No partial writes. */
-                return -EINVAL;
-        }
-        page = (char *)get_zeroed_page(GFP_KERNEL);
-        if (!page)
-                return -ENOMEM;
-        length = -EFAULT;
-        if (copy_from_user(page, buf, count))
-                goto out;
-        length = -EINVAL;
-        if (sscanf(page, "%d", &new_value) != 1)
-                goto out;
-        if (new_value) {
-                printk(KERN_NOTICE
-                       "SELinux: compat_net is deprecated, please use secmark"
-                       " instead\n");
-                selinux_compat_net = 1;
-        } else
-                selinux_compat_net = 0;
-        length = count;
-out:
-        free_page((unsigned long) page);
-        return length;
-}
-static const struct file_operations sel_compat_net_ops = {
-        .read           = sel_read_compat_net,
-        .write          = sel_write_compat_net,
-};
 /*
 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
 */
@@ -1665,7 +1598,6 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
                [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
                [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
                [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
-                [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
                [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
                [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
                /* last one */ {""}
author	Paul Moore <paul.moore@hp.com>	2009-03-27 17:10:41 -0400
committer	James Morris <jmorris@namei.org>	2009-03-28 00:01:37 -0400
commit	58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2 (patch)
tree	41132587adbb6816b56b9d28105826b8ef0fd7b9 /security
parent	389fb800ac8be2832efedd19978a2b8ced37eb61 (diff)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ee2e781d11d7..ba808ef6babb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -93,7 +93,6 @@
93		93
94	extern unsigned int policydb_loaded_version;	94	extern unsigned int policydb_loaded_version;
95	extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);	95	extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96	extern int selinux_compat_net;
97	extern struct security_operations *security_ops;	96	extern struct security_operations *security_ops;
98		97
99	/* SECMARK reference count */	98	/* SECMARK reference count */
@@ -4019,72 +4018,6 @@ static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4019	SECCLASS_NODE, NODE__RECVFROM, ad);	4018	SECCLASS_NODE, NODE__RECVFROM, ad);
4020	}	4019	}
4021		4020
4022	static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4023	struct sk_buff *skb,
4024	struct avc_audit_data *ad,
4025	u16 family,
4026	char *addrp)
4027	{
4028	int err;
4029	struct sk_security_struct *sksec = sk->sk_security;
4030	u16 sk_class;
4031	u32 netif_perm, node_perm, recv_perm;
4032	u32 port_sid, node_sid, if_sid, sk_sid;
4033
4034	sk_sid = sksec->sid;
4035	sk_class = sksec->sclass;
4036
4037	switch (sk_class) {
4038	case SECCLASS_UDP_SOCKET:
4039	netif_perm = NETIF__UDP_RECV;
4040	node_perm = NODE__UDP_RECV;
4041	recv_perm = UDP_SOCKET__RECV_MSG;
4042	break;
4043	case SECCLASS_TCP_SOCKET:
4044	netif_perm = NETIF__TCP_RECV;
4045	node_perm = NODE__TCP_RECV;
4046	recv_perm = TCP_SOCKET__RECV_MSG;
4047	break;
4048	case SECCLASS_DCCP_SOCKET:
4049	netif_perm = NETIF__DCCP_RECV;
4050	node_perm = NODE__DCCP_RECV;
4051	recv_perm = DCCP_SOCKET__RECV_MSG;
4052	break;
4053	default:
4054	netif_perm = NETIF__RAWIP_RECV;
4055	node_perm = NODE__RAWIP_RECV;
4056	recv_perm = 0;
4057	break;
4058	}
4059
4060	err = sel_netif_sid(skb->iif, &if_sid);
4061	if (err)
4062	return err;
4063	err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4064	if (err)
4065	return err;
4066
4067	err = sel_netnode_sid(addrp, family, &node_sid);
4068	if (err)
4069	return err;
4070	err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4071	if (err)
4072	return err;
4073
4074	if (!recv_perm)
4075	return 0;
4076	err = sel_netport_sid(sk->sk_protocol,
4077	ntohs(ad->u.net.sport), &port_sid);
4078	if (unlikely(err)) {
4079	printk(KERN_WARNING
4080	"SELinux: failure in"
4081	" selinux_sock_rcv_skb_iptables_compat(),"
4082	" network port label not found\n");
4083	return err;
4084	}
4085	return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4086	}
4087
4088	static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,	4021	static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,
4089	u16 family)	4022	u16 family)
4090	{	4023	{
@@ -4102,14 +4035,12 @@ static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,
4102	if (err)	4035	if (err)
4103	return err;	4036	return err;
4104		4037
4105	if (selinux_compat_net)	4038	if (selinux_secmark_enabled()) {
4106	err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4107	family, addrp);
4108	else if (selinux_secmark_enabled())
4109	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,	4039	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4110	PACKET__RECV, &ad);	4040	PACKET__RECV, &ad);
4111	if (err)	4041	if (err)
4112	return err;	4042	return err;
		4043	}
4113		4044
4114	if (selinux_policycap_netpeer) {	4045	if (selinux_policycap_netpeer) {
4115	err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);	4046	err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
@@ -4151,7 +4082,7 @@ static int selinux_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
4151	* to the selinux_sock_rcv_skb_compat() function to deal with the	4082	* to the selinux_sock_rcv_skb_compat() function to deal with the
4152	* special handling. We do this in an attempt to keep this function	4083	* special handling. We do this in an attempt to keep this function
4153	* as fast and as clean as possible. */	4084	* as fast and as clean as possible. */
4154	if (selinux_compat_net \|\| !selinux_policycap_netpeer)	4085	if (!selinux_policycap_netpeer)
4155	return selinux_sock_rcv_skb_compat(sk, skb, family);	4086	return selinux_sock_rcv_skb_compat(sk, skb, family);
4156		4087
4157	secmark_active = selinux_secmark_enabled();	4088	secmark_active = selinux_secmark_enabled();
@@ -4516,71 +4447,6 @@ static unsigned int selinux_ipv4_output(unsigned int hooknum,
4516	return selinux_ip_output(skb, PF_INET);	4447	return selinux_ip_output(skb, PF_INET);
4517	}	4448	}
4518		4449
4519	static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4520	int ifindex,
4521	struct avc_audit_data *ad,
4522	u16 family, char *addrp)
4523	{
4524	int err;
4525	struct sk_security_struct *sksec = sk->sk_security;
4526	u16 sk_class;
4527	u32 netif_perm, node_perm, send_perm;
4528	u32 port_sid, node_sid, if_sid, sk_sid;
4529
4530	sk_sid = sksec->sid;
4531	sk_class = sksec->sclass;
4532
4533	switch (sk_class) {
4534	case SECCLASS_UDP_SOCKET:
4535	netif_perm = NETIF__UDP_SEND;
4536	node_perm = NODE__UDP_SEND;
4537	send_perm = UDP_SOCKET__SEND_MSG;
4538	break;
4539	case SECCLASS_TCP_SOCKET:
4540	netif_perm = NETIF__TCP_SEND;
4541	node_perm = NODE__TCP_SEND;
4542	send_perm = TCP_SOCKET__SEND_MSG;
4543	break;
4544	case SECCLASS_DCCP_SOCKET:
4545	netif_perm = NETIF__DCCP_SEND;
4546	node_perm = NODE__DCCP_SEND;
4547	send_perm = DCCP_SOCKET__SEND_MSG;
4548	break;
4549	default:
4550	netif_perm = NETIF__RAWIP_SEND;
4551	node_perm = NODE__RAWIP_SEND;
4552	send_perm = 0;
4553	break;
4554	}
4555
4556	err = sel_netif_sid(ifindex, &if_sid);
4557	if (err)
4558	return err;
4559	err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4560	return err;
4561
4562	err = sel_netnode_sid(addrp, family, &node_sid);
4563	if (err)
4564	return err;
4565	err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4566	if (err)
4567	return err;
4568
4569	if (send_perm != 0)
4570	return 0;
4571
4572	err = sel_netport_sid(sk->sk_protocol,
4573	ntohs(ad->u.net.dport), &port_sid);
4574	if (unlikely(err)) {
4575	printk(KERN_WARNING
4576	"SELinux: failure in"
4577	" selinux_ip_postroute_iptables_compat(),"
4578	" network port label not found\n");
4579	return err;
4580	}
4581	return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4582	}
4583
4584	static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,	4450	static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4585	int ifindex,	4451	int ifindex,
4586	u16 family)	4452	u16 family)
@@ -4601,15 +4467,10 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4601	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))	4467	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4602	return NF_DROP;	4468	return NF_DROP;
4603		4469
4604	if (selinux_compat_net) {	4470	if (selinux_secmark_enabled())
4605	if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4606	&ad, family, addrp))
4607	return NF_DROP;
4608	} else if (selinux_secmark_enabled()) {
4609	if (avc_has_perm(sksec->sid, skb->secmark,	4471	if (avc_has_perm(sksec->sid, skb->secmark,
4610	SECCLASS_PACKET, PACKET__SEND, &ad))	4472	SECCLASS_PACKET, PACKET__SEND, &ad))
4611	return NF_DROP;	4473	return NF_DROP;
4612	}
4613		4474
4614	if (selinux_policycap_netpeer)	4475	if (selinux_policycap_netpeer)
4615	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))	4476	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
@@ -4633,7 +4494,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4633	* to the selinux_ip_postroute_compat() function to deal with the	4494	* to the selinux_ip_postroute_compat() function to deal with the
4634	* special handling. We do this in an attempt to keep this function	4495	* special handling. We do this in an attempt to keep this function
4635	* as fast and as clean as possible. */	4496	* as fast and as clean as possible. */
4636	if (selinux_compat_net \|\| !selinux_policycap_netpeer)	4497	if (!selinux_policycap_netpeer)
4637	return selinux_ip_postroute_compat(skb, ifindex, family);	4498	return selinux_ip_postroute_compat(skb, ifindex, family);
4638	#ifdef CONFIG_XFRM	4499	#ifdef CONFIG_XFRM
4639	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec	4500	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec


diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index d3c8b982cfb0..2d5136ec3d54 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c
@@ -47,8 +47,6 @@ static char *policycap_names[] = {
47		47
48	unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;	48	unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
49		49
50	int selinux_compat_net = 0;
51
52	static int __init checkreqprot_setup(char *str)	50	static int __init checkreqprot_setup(char *str)
53	{	51	{
54	unsigned long checkreqprot;	52	unsigned long checkreqprot;
@@ -58,16 +56,6 @@ static int __init checkreqprot_setup(char *str)
58	}	56	}
59	__setup("checkreqprot=", checkreqprot_setup);	57	__setup("checkreqprot=", checkreqprot_setup);
60		58
61	static int __init selinux_compat_net_setup(char *str)
62	{
63	unsigned long compat_net;
64	if (!strict_strtoul(str, 0, &compat_net))
65	selinux_compat_net = compat_net ? 1 : 0;
66	return 1;
67	}
68	__setup("selinux_compat_net=", selinux_compat_net_setup);
69
70
71	static DEFINE_MUTEX(sel_mutex);	59	static DEFINE_MUTEX(sel_mutex);
72		60
73	/* global data for booleans */	61	/* global data for booleans */
@@ -450,61 +438,6 @@ static const struct file_operations sel_checkreqprot_ops = {
450	.write = sel_write_checkreqprot,	438	.write = sel_write_checkreqprot,
451	};	439	};
452		440
453	static ssize_t sel_read_compat_net(struct file filp, char __user buf,
454	size_t count, loff_t *ppos)
455	{
456	char tmpbuf[TMPBUFLEN];
457	ssize_t length;
458
459	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
460	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
461	}
462
463	static ssize_t sel_write_compat_net(struct file file, const char __user buf,
464	size_t count, loff_t *ppos)
465	{
466	char *page;
467	ssize_t length;
468	int new_value;
469
470	length = task_has_security(current, SECURITY__LOAD_POLICY);
471	if (length)
472	return length;
473
474	if (count >= PAGE_SIZE)
475	return -ENOMEM;
476	if (*ppos != 0) {
477	/* No partial writes. */
478	return -EINVAL;
479	}
480	page = (char *)get_zeroed_page(GFP_KERNEL);
481	if (!page)
482	return -ENOMEM;
483	length = -EFAULT;
484	if (copy_from_user(page, buf, count))
485	goto out;
486
487	length = -EINVAL;
488	if (sscanf(page, "%d", &new_value) != 1)
489	goto out;
490
491	if (new_value) {
492	printk(KERN_NOTICE
493	"SELinux: compat_net is deprecated, please use secmark"
494	" instead\n");
495	selinux_compat_net = 1;
496	} else
497	selinux_compat_net = 0;
498	length = count;
499	out:
500	free_page((unsigned long) page);
501	return length;
502	}
503	static const struct file_operations sel_compat_net_ops = {
504	.read = sel_read_compat_net,
505	.write = sel_write_compat_net,
506	};
507
508	/*	441	/*
509	* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c	442	* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
510	*/	443	*/
@@ -1665,7 +1598,6 @@ static int sel_fill_super(struct super_block sb, void data, int silent)
1665	[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},	1598	[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
1666	[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO\|S_IWUGO},	1599	[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO\|S_IWUGO},
1667	[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO\|S_IWUSR},	1600	[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO\|S_IWUSR},
1668	[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO\|S_IWUSR},
1669	[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},	1601	[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
1670	[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},	1602	[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
1671	/* last one */ {""}	1603	/* last one */ {""}