diff options
Diffstat (limited to 'security/selinux/avc.c')
-rw-r--r-- | security/selinux/avc.c | 58 |
1 files changed, 29 insertions, 29 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index a4fc6e6d038a..1d69f6649bff 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -2,16 +2,16 @@ | |||
2 | * Implementation of the kernel access vector cache (AVC). | 2 | * Implementation of the kernel access vector cache (AVC). |
3 | * | 3 | * |
4 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> | 4 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> |
5 | * James Morris <jmorris@redhat.com> | 5 | * James Morris <jmorris@redhat.com> |
6 | * | 6 | * |
7 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> | 7 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> |
8 | * Replaced the avc_lock spinlock by RCU. | 8 | * Replaced the avc_lock spinlock by RCU. |
9 | * | 9 | * |
10 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | 10 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> |
11 | * | 11 | * |
12 | * This program is free software; you can redistribute it and/or modify | 12 | * This program is free software; you can redistribute it and/or modify |
13 | * it under the terms of the GNU General Public License version 2, | 13 | * it under the terms of the GNU General Public License version 2, |
14 | * as published by the Free Software Foundation. | 14 | * as published by the Free Software Foundation. |
15 | */ | 15 | */ |
16 | #include <linux/types.h> | 16 | #include <linux/types.h> |
17 | #include <linux/stddef.h> | 17 | #include <linux/stddef.h> |
@@ -44,7 +44,7 @@ static const char *class_to_string[] = { | |||
44 | #undef S_ | 44 | #undef S_ |
45 | }; | 45 | }; |
46 | 46 | ||
47 | #define TB_(s) static const char * s [] = { | 47 | #define TB_(s) static const char *s[] = { |
48 | #define TE_(s) }; | 48 | #define TE_(s) }; |
49 | #define S_(s) s, | 49 | #define S_(s) s, |
50 | #include "common_perm_to_string.h" | 50 | #include "common_perm_to_string.h" |
@@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = { | |||
72 | #define AVC_CACHE_RECLAIM 16 | 72 | #define AVC_CACHE_RECLAIM 16 |
73 | 73 | ||
74 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | 74 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS |
75 | #define avc_cache_stats_incr(field) \ | 75 | #define avc_cache_stats_incr(field) \ |
76 | do { \ | 76 | do { \ |
77 | per_cpu(avc_cache_stats, get_cpu()).field++; \ | 77 | per_cpu(avc_cache_stats, get_cpu()).field++; \ |
78 | put_cpu(); \ | 78 | put_cpu(); \ |
@@ -92,7 +92,7 @@ struct avc_entry { | |||
92 | struct avc_node { | 92 | struct avc_node { |
93 | struct avc_entry ae; | 93 | struct avc_entry ae; |
94 | struct list_head list; | 94 | struct list_head list; |
95 | struct rcu_head rhead; | 95 | struct rcu_head rhead; |
96 | }; | 96 | }; |
97 | 97 | ||
98 | struct avc_cache { | 98 | struct avc_cache { |
@@ -105,8 +105,8 @@ struct avc_cache { | |||
105 | 105 | ||
106 | struct avc_callback_node { | 106 | struct avc_callback_node { |
107 | int (*callback) (u32 event, u32 ssid, u32 tsid, | 107 | int (*callback) (u32 event, u32 ssid, u32 tsid, |
108 | u16 tclass, u32 perms, | 108 | u16 tclass, u32 perms, |
109 | u32 *out_retained); | 109 | u32 *out_retained); |
110 | u32 events; | 110 | u32 events; |
111 | u32 ssid; | 111 | u32 ssid; |
112 | u32 tsid; | 112 | u32 tsid; |
@@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla | |||
202 | char *scontext; | 202 | char *scontext; |
203 | u32 scontext_len; | 203 | u32 scontext_len; |
204 | 204 | ||
205 | rc = security_sid_to_context(ssid, &scontext, &scontext_len); | 205 | rc = security_sid_to_context(ssid, &scontext, &scontext_len); |
206 | if (rc) | 206 | if (rc) |
207 | audit_log_format(ab, "ssid=%d", ssid); | 207 | audit_log_format(ab, "ssid=%d", ssid); |
208 | else { | 208 | else { |
@@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void) | |||
306 | int hvalue, try, ecx; | 306 | int hvalue, try, ecx; |
307 | unsigned long flags; | 307 | unsigned long flags; |
308 | 308 | ||
309 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++ ) { | 309 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { |
310 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); | 310 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); |
311 | 311 | ||
312 | if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) | 312 | if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) |
@@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert) | |||
426 | spin_lock_irqsave(¬if_lock, flag); | 426 | spin_lock_irqsave(¬if_lock, flag); |
427 | if (is_insert) { | 427 | if (is_insert) { |
428 | if (seqno < avc_cache.latest_notif) { | 428 | if (seqno < avc_cache.latest_notif) { |
429 | printk(KERN_WARNING "avc: seqno %d < latest_notif %d\n", | 429 | printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", |
430 | seqno, avc_cache.latest_notif); | 430 | seqno, avc_cache.latest_notif); |
431 | ret = -EAGAIN; | 431 | ret = -EAGAIN; |
432 | } | 432 | } |
@@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en | |||
475 | if (pos->ae.ssid == ssid && | 475 | if (pos->ae.ssid == ssid && |
476 | pos->ae.tsid == tsid && | 476 | pos->ae.tsid == tsid && |
477 | pos->ae.tclass == tclass) { | 477 | pos->ae.tclass == tclass) { |
478 | avc_node_replace(node, pos); | 478 | avc_node_replace(node, pos); |
479 | goto found; | 479 | goto found; |
480 | } | 480 | } |
481 | } | 481 | } |
@@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr, | |||
526 | * before calling the auditing code. | 526 | * before calling the auditing code. |
527 | */ | 527 | */ |
528 | void avc_audit(u32 ssid, u32 tsid, | 528 | void avc_audit(u32 ssid, u32 tsid, |
529 | u16 tclass, u32 requested, | 529 | u16 tclass, u32 requested, |
530 | struct av_decision *avd, int result, struct avc_audit_data *a) | 530 | struct av_decision *avd, int result, struct avc_audit_data *a) |
531 | { | 531 | { |
532 | struct task_struct *tsk = current; | 532 | struct task_struct *tsk = current; |
533 | struct inode *inode = NULL; | 533 | struct inode *inode = NULL; |
@@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid, | |||
541 | return; | 541 | return; |
542 | } else if (result) { | 542 | } else if (result) { |
543 | audited = denied = requested; | 543 | audited = denied = requested; |
544 | } else { | 544 | } else { |
545 | audited = requested; | 545 | audited = requested; |
546 | if (!(audited & avd->auditallow)) | 546 | if (!(audited & avd->auditallow)) |
547 | return; | 547 | return; |
@@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid, | |||
551 | if (!ab) | 551 | if (!ab) |
552 | return; /* audit_panic has been called */ | 552 | return; /* audit_panic has been called */ |
553 | audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); | 553 | audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); |
554 | avc_dump_av(ab, tclass,audited); | 554 | avc_dump_av(ab, tclass, audited); |
555 | audit_log_format(ab, " for "); | 555 | audit_log_format(ab, " for "); |
556 | if (a && a->tsk) | 556 | if (a && a->tsk) |
557 | tsk = a->tsk; | 557 | tsk = a->tsk; |
@@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid, | |||
647 | break; | 647 | break; |
648 | } | 648 | } |
649 | } | 649 | } |
650 | 650 | ||
651 | switch (a->u.net.family) { | 651 | switch (a->u.net.family) { |
652 | case AF_INET: | 652 | case AF_INET: |
653 | avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, | 653 | avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, |
@@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid, | |||
702 | * -%ENOMEM if insufficient memory exists to add the callback. | 702 | * -%ENOMEM if insufficient memory exists to add the callback. |
703 | */ | 703 | */ |
704 | int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, | 704 | int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, |
705 | u16 tclass, u32 perms, | 705 | u16 tclass, u32 perms, |
706 | u32 *out_retained), | 706 | u32 *out_retained), |
707 | u32 events, u32 ssid, u32 tsid, | 707 | u32 events, u32 ssid, u32 tsid, |
708 | u16 tclass, u32 perms) | 708 | u16 tclass, u32 perms) |
709 | { | 709 | { |
710 | struct avc_callback_node *c; | 710 | struct avc_callback_node *c; |
711 | int rc = 0; | 711 | int rc = 0; |
@@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass) | |||
759 | hvalue = avc_hash(ssid, tsid, tclass); | 759 | hvalue = avc_hash(ssid, tsid, tclass); |
760 | spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); | 760 | spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); |
761 | 761 | ||
762 | list_for_each_entry(pos, &avc_cache.slots[hvalue], list){ | 762 | list_for_each_entry(pos, &avc_cache.slots[hvalue], list) { |
763 | if ( ssid==pos->ae.ssid && | 763 | if (ssid == pos->ae.ssid && |
764 | tsid==pos->ae.tsid && | 764 | tsid == pos->ae.tsid && |
765 | tclass==pos->ae.tclass ){ | 765 | tclass == pos->ae.tclass){ |
766 | orig = pos; | 766 | orig = pos; |
767 | break; | 767 | break; |
768 | } | 768 | } |
@@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno) | |||
829 | for (c = avc_callbacks; c; c = c->next) { | 829 | for (c = avc_callbacks; c; c = c->next) { |
830 | if (c->events & AVC_CALLBACK_RESET) { | 830 | if (c->events & AVC_CALLBACK_RESET) { |
831 | tmprc = c->callback(AVC_CALLBACK_RESET, | 831 | tmprc = c->callback(AVC_CALLBACK_RESET, |
832 | 0, 0, 0, 0, NULL); | 832 | 0, 0, 0, 0, NULL); |
833 | /* save the first error encountered for the return | 833 | /* save the first error encountered for the return |
834 | value and continue processing the callbacks */ | 834 | value and continue processing the callbacks */ |
835 | if (!rc) | 835 | if (!rc) |
@@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
878 | node = avc_lookup(ssid, tsid, tclass, requested); | 878 | node = avc_lookup(ssid, tsid, tclass, requested); |
879 | if (!node) { | 879 | if (!node) { |
880 | rcu_read_unlock(); | 880 | rcu_read_unlock(); |
881 | rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd); | 881 | rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd); |
882 | if (rc) | 882 | if (rc) |
883 | goto out; | 883 | goto out; |
884 | rcu_read_lock(); | 884 | rcu_read_lock(); |
885 | node = avc_insert(ssid,tsid,tclass,&entry); | 885 | node = avc_insert(ssid, tsid, tclass, &entry); |
886 | } | 886 | } |
887 | 887 | ||
888 | p_ae = node ? &node->ae : &entry; | 888 | p_ae = node ? &node->ae : &entry; |
@@ -924,7 +924,7 @@ out: | |||
924 | * another -errno upon other errors. | 924 | * another -errno upon other errors. |
925 | */ | 925 | */ |
926 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, | 926 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, |
927 | u32 requested, struct avc_audit_data *auditdata) | 927 | u32 requested, struct avc_audit_data *auditdata) |
928 | { | 928 | { |
929 | struct av_decision avd; | 929 | struct av_decision avd; |
930 | int rc; | 930 | int rc; |