Diffstat (limited to 'security/selinux/avc.c')
-rw-r--r--security/selinux/avc.c58
1 files changed, 29 insertions, 29 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index a4fc6e6d038a..1d69f6649bff 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -2,16 +2,16 @@
2 * Implementation of the kernel access vector cache (AVC). 2 * Implementation of the kernel access vector cache (AVC).
3 * 3 *
4 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 4 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
5 * James Morris <jmorris@redhat.com> 5 * James Morris <jmorris@redhat.com>
6 * 6 *
7 * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> 7 * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com>
8 * Replaced the avc_lock spinlock by RCU. 8 * Replaced the avc_lock spinlock by RCU.
9 * 9 *
10 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 10 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
11 * 11 *
12 * This program is free software; you can redistribute it and/or modify 12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2, 13 * it under the terms of the GNU General Public License version 2,
14 * as published by the Free Software Foundation. 14 * as published by the Free Software Foundation.
15 */ 15 */
16#include <linux/types.h> 16#include <linux/types.h>
17#include <linux/stddef.h> 17#include <linux/stddef.h>
@@ -44,7 +44,7 @@ static const char *class_to_string[] = {
44#undef S_ 44#undef S_
45}; 45};
46 46
47#define TB_(s) static const char * s [] = { 47#define TB_(s) static const char *s[] = {
48#define TE_(s) }; 48#define TE_(s) };
49#define S_(s) s, 49#define S_(s) s,
50#include "common_perm_to_string.h" 50#include "common_perm_to_string.h"
@@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = {
72#define AVC_CACHE_RECLAIM 16 72#define AVC_CACHE_RECLAIM 16
73 73
74#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 74#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
75#define avc_cache_stats_incr(field) \ 75#define avc_cache_stats_incr(field) \
76do { \ 76do { \
77 per_cpu(avc_cache_stats, get_cpu()).field++; \ 77 per_cpu(avc_cache_stats, get_cpu()).field++; \
78 put_cpu(); \ 78 put_cpu(); \
@@ -92,7 +92,7 @@ struct avc_entry {
92struct avc_node { 92struct avc_node {
93 struct avc_entry ae; 93 struct avc_entry ae;
94 struct list_head list; 94 struct list_head list;
95 struct rcu_head rhead; 95 struct rcu_head rhead;
96}; 96};
97 97
98struct avc_cache { 98struct avc_cache {
@@ -105,8 +105,8 @@ struct avc_cache {
105 105
106struct avc_callback_node { 106struct avc_callback_node {
107 int (*callback) (u32 event, u32 ssid, u32 tsid, 107 int (*callback) (u32 event, u32 ssid, u32 tsid,
108 u16 tclass, u32 perms, 108 u16 tclass, u32 perms,
109 u32 *out_retained); 109 u32 *out_retained);
110 u32 events; 110 u32 events;
111 u32 ssid; 111 u32 ssid;
112 u32 tsid; 112 u32 tsid;
@@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
202 char *scontext; 202 char *scontext;
203 u32 scontext_len; 203 u32 scontext_len;
204 204
205 rc = security_sid_to_context(ssid, &scontext, &scontext_len); 205 rc = security_sid_to_context(ssid, &scontext, &scontext_len);
206 if (rc) 206 if (rc)
207 audit_log_format(ab, "ssid=%d", ssid); 207 audit_log_format(ab, "ssid=%d", ssid);
208 else { 208 else {
@@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void)
306 int hvalue, try, ecx; 306 int hvalue, try, ecx;
307 unsigned long flags; 307 unsigned long flags;
308 308
309 for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++ ) { 309 for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
310 hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); 310 hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
311 311
312 if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) 312 if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags))
@@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
426 spin_lock_irqsave(&notif_lock, flag); 426 spin_lock_irqsave(&notif_lock, flag);
427 if (is_insert) { 427 if (is_insert) {
428 if (seqno < avc_cache.latest_notif) { 428 if (seqno < avc_cache.latest_notif) {
429 printk(KERN_WARNING "avc: seqno %d < latest_notif %d\n", 429 printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n",
430 seqno, avc_cache.latest_notif); 430 seqno, avc_cache.latest_notif);
431 ret = -EAGAIN; 431 ret = -EAGAIN;
432 } 432 }
@@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en
475 if (pos->ae.ssid == ssid && 475 if (pos->ae.ssid == ssid &&
476 pos->ae.tsid == tsid && 476 pos->ae.tsid == tsid &&
477 pos->ae.tclass == tclass) { 477 pos->ae.tclass == tclass) {
478 avc_node_replace(node, pos); 478 avc_node_replace(node, pos);
479 goto found; 479 goto found;
480 } 480 }
481 } 481 }
@@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
526 * before calling the auditing code. 526 * before calling the auditing code.
527 */ 527 */
528void avc_audit(u32 ssid, u32 tsid, 528void avc_audit(u32 ssid, u32 tsid,
529 u16 tclass, u32 requested, 529 u16 tclass, u32 requested,
530 struct av_decision *avd, int result, struct avc_audit_data *a) 530 struct av_decision *avd, int result, struct avc_audit_data *a)
531{ 531{
532 struct task_struct *tsk = current; 532 struct task_struct *tsk = current;
533 struct inode *inode = NULL; 533 struct inode *inode = NULL;
@@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid,
541 return; 541 return;
542 } else if (result) { 542 } else if (result) {
543 audited = denied = requested; 543 audited = denied = requested;
544 } else { 544 } else {
545 audited = requested; 545 audited = requested;
546 if (!(audited & avd->auditallow)) 546 if (!(audited & avd->auditallow))
547 return; 547 return;
@@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid,
551 if (!ab) 551 if (!ab)
552 return; /* audit_panic has been called */ 552 return; /* audit_panic has been called */
553 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); 553 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
554 avc_dump_av(ab, tclass,audited); 554 avc_dump_av(ab, tclass, audited);
555 audit_log_format(ab, " for "); 555 audit_log_format(ab, " for ");
556 if (a && a->tsk) 556 if (a && a->tsk)
557 tsk = a->tsk; 557 tsk = a->tsk;
@@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid,
647 break; 647 break;
648 } 648 }
649 } 649 }
650 650
651 switch (a->u.net.family) { 651 switch (a->u.net.family) {
652 case AF_INET: 652 case AF_INET:
653 avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, 653 avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
@@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid,
702 * -%ENOMEM if insufficient memory exists to add the callback. 702 * -%ENOMEM if insufficient memory exists to add the callback.
703 */ 703 */
704int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, 704int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
705 u16 tclass, u32 perms, 705 u16 tclass, u32 perms,
706 u32 *out_retained), 706 u32 *out_retained),
707 u32 events, u32 ssid, u32 tsid, 707 u32 events, u32 ssid, u32 tsid,
708 u16 tclass, u32 perms) 708 u16 tclass, u32 perms)
709{ 709{
710 struct avc_callback_node *c; 710 struct avc_callback_node *c;
711 int rc = 0; 711 int rc = 0;
@@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass)
759 hvalue = avc_hash(ssid, tsid, tclass); 759 hvalue = avc_hash(ssid, tsid, tclass);
760 spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); 760 spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag);
761 761
762 list_for_each_entry(pos, &avc_cache.slots[hvalue], list){ 762 list_for_each_entry(pos, &avc_cache.slots[hvalue], list) {
763 if ( ssid==pos->ae.ssid && 763 if (ssid == pos->ae.ssid &&
764 tsid==pos->ae.tsid && 764 tsid == pos->ae.tsid &&
765 tclass==pos->ae.tclass ){ 765 tclass == pos->ae.tclass){
766 orig = pos; 766 orig = pos;
767 break; 767 break;
768 } 768 }
@@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno)
829 for (c = avc_callbacks; c; c = c->next) { 829 for (c = avc_callbacks; c; c = c->next) {
830 if (c->events & AVC_CALLBACK_RESET) { 830 if (c->events & AVC_CALLBACK_RESET) {
831 tmprc = c->callback(AVC_CALLBACK_RESET, 831 tmprc = c->callback(AVC_CALLBACK_RESET,
832 0, 0, 0, 0, NULL); 832 0, 0, 0, 0, NULL);
833 /* save the first error encountered for the return 833 /* save the first error encountered for the return
834 value and continue processing the callbacks */ 834 value and continue processing the callbacks */
835 if (!rc) 835 if (!rc)
@@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
878 node = avc_lookup(ssid, tsid, tclass, requested); 878 node = avc_lookup(ssid, tsid, tclass, requested);
879 if (!node) { 879 if (!node) {
880 rcu_read_unlock(); 880 rcu_read_unlock();
881 rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd); 881 rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd);
882 if (rc) 882 if (rc)
883 goto out; 883 goto out;
884 rcu_read_lock(); 884 rcu_read_lock();
885 node = avc_insert(ssid,tsid,tclass,&entry); 885 node = avc_insert(ssid, tsid, tclass, &entry);
886 } 886 }
887 887
888 p_ae = node ? &node->ae : &entry; 888 p_ae = node ? &node->ae : &entry;
@@ -924,7 +924,7 @@ out:
924 * another -errno upon other errors. 924 * another -errno upon other errors.
925 */ 925 */
926int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, 926int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
927 u32 requested, struct avc_audit_data *auditdata) 927 u32 requested, struct avc_audit_data *auditdata)
928{ 928{
929 struct av_decision avd; 929 struct av_decision avd;
930 int rc; 930 int rc;
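Review bot: The brace-spacing cleanup at line 765 of avc_update_node is incomplete: the new side still reads `tclass == pos->ae.tclass){`, while the same hunk fixes `list) {` two lines earlier, so the file ends up inconsistent on the very pattern the commit sets out to normalize; kernel style wants `tclass == pos->ae.tclass) {`. Everything else on the new side of this section is whitespace and operator spacing plus the `SELinux: avc:` prefix on the seqno warning, with no behavioral change, and avc_update_node begins and ends outside the hunk. One untouched context line in this section, `audit_log_format(ab, "ssid=%d", ssid);` in avc_dump_query, prints a u32 parameter with %d; it is harmless in practice but should become `%u` if a follow-up touches that function.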