Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c512
1 files changed, 254 insertions, 258 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f9927f02bc3d..1bf2543ea942 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4,22 +4,22 @@
4 * This file contains the SELinux hook function implementations. 4 * This file contains the SELinux hook function implementations.
5 * 5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com> 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com> 9 * James Morris <jmorris@redhat.com>
10 * 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com> 14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com> 16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp> 18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 * 19 *
20 * This program is free software; you can redistribute it and/or modify 20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2, 21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation. 22 * as published by the Free Software Foundation.
23 */ 23 */
24 24
25#include <linux/init.h> 25#include <linux/init.h>
@@ -99,11 +99,11 @@ extern struct security_operations *security_ops;
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 100
101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102int selinux_enforcing = 0; 102int selinux_enforcing;
103 103
104static int __init enforcing_setup(char *str) 104static int __init enforcing_setup(char *str)
105{ 105{
106 selinux_enforcing = simple_strtol(str,NULL,0); 106 selinux_enforcing = simple_strtol(str, NULL, 0);
107 return 1; 107 return 1;
108} 108}
109__setup("enforcing=", enforcing_setup); 109__setup("enforcing=", enforcing_setup);
@@ -123,13 +123,13 @@ int selinux_enabled = 1;
123#endif 123#endif
124 124
125/* Original (dummy) security module. */ 125/* Original (dummy) security module. */
126static struct security_operations *original_ops = NULL; 126static struct security_operations *original_ops;
127 127
128/* Minimal support for a secondary security module, 128/* Minimal support for a secondary security module,
129 just to allow the use of the dummy or capability modules. 129 just to allow the use of the dummy or capability modules.
130 The owlsm module can alternatively be used as a secondary 130 The owlsm module can alternatively be used as a secondary
131 module as long as CONFIG_OWLSM_FD is not enabled. */ 131 module as long as CONFIG_OWLSM_FD is not enabled. */
132static struct security_operations *secondary_ops = NULL; 132static struct security_operations *secondary_ops;
133 133
134/* Lists of inode and superblock security structures initialized 134/* Lists of inode and superblock security structures initialized
135 before the policy was loaded. */ 135 before the policy was loaded. */
@@ -575,8 +575,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
575 goto out; 575 goto out;
576 } 576 }
577 rc = -EINVAL; 577 rc = -EINVAL;
578 printk(KERN_WARNING "Unable to set superblock options before " 578 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579 "the security server is initialized\n"); 579 "before the security server is initialized\n");
580 goto out; 580 goto out;
581 } 581 }
582 582
@@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de,
1054 int buflen, rc; 1054 int buflen, rc;
1055 char *buffer, *path, *end; 1055 char *buffer, *path, *end;
1056 1056
1057 buffer = (char*)__get_free_page(GFP_KERNEL); 1057 buffer = (char *)__get_free_page(GFP_KERNEL);
1058 if (!buffer) 1058 if (!buffer)
1059 return -ENOMEM; 1059 return -ENOMEM;
1060 1060
@@ -1135,7 +1135,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1135 dentry = d_find_alias(inode); 1135 dentry = d_find_alias(inode);
1136 } 1136 }
1137 if (!dentry) { 1137 if (!dentry) {
1138 printk(KERN_WARNING "%s: no dentry for dev=%s " 1138 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1139 "ino=%ld\n", __func__, inode->i_sb->s_id, 1139 "ino=%ld\n", __func__, inode->i_sb->s_id,
1140 inode->i_ino); 1140 inode->i_ino);
1141 goto out_unlock; 1141 goto out_unlock;
@@ -1173,7 +1173,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1173 dput(dentry); 1173 dput(dentry);
1174 if (rc < 0) { 1174 if (rc < 0) {
1175 if (rc != -ENODATA) { 1175 if (rc != -ENODATA) {
1176 printk(KERN_WARNING "%s: getxattr returned " 1176 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1177 "%d for dev=%s ino=%ld\n", __func__, 1177 "%d for dev=%s ino=%ld\n", __func__,
1178 -rc, inode->i_sb->s_id, inode->i_ino); 1178 -rc, inode->i_sb->s_id, inode->i_ino);
1179 kfree(context); 1179 kfree(context);
@@ -1187,7 +1187,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1187 sbsec->def_sid, 1187 sbsec->def_sid,
1188 GFP_NOFS); 1188 GFP_NOFS);
1189 if (rc) { 1189 if (rc) {
1190 printk(KERN_WARNING "%s: context_to_sid(%s) " 1190 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n", 1191 "returned %d for dev=%s ino=%ld\n",
1192 __func__, context, -rc, 1192 __func__, context, -rc,
1193 inode->i_sb->s_id, inode->i_ino); 1193 inode->i_sb->s_id, inode->i_ino);
@@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk,
1305 1305
1306 tsec = tsk->security; 1306 tsec = tsk->security;
1307 1307
1308 AVC_AUDIT_DATA_INIT(&ad,CAP); 1308 AVC_AUDIT_DATA_INIT(&ad, CAP);
1309 ad.tsk = tsk; 1309 ad.tsk = tsk;
1310 ad.u.cap = cap; 1310 ad.u.cap = cap;
1311 1311
@@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk,
1348 struct inode_security_struct *isec; 1348 struct inode_security_struct *isec;
1349 struct avc_audit_data ad; 1349 struct avc_audit_data ad;
1350 1350
1351 if (unlikely (IS_PRIVATE (inode))) 1351 if (unlikely(IS_PRIVATE(inode)))
1352 return 0; 1352 return 0;
1353 1353
1354 tsec = tsk->security; 1354 tsec = tsk->security;
@@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk,
1373{ 1373{
1374 struct inode *inode = dentry->d_inode; 1374 struct inode *inode = dentry->d_inode;
1375 struct avc_audit_data ad; 1375 struct avc_audit_data ad;
1376 AVC_AUDIT_DATA_INIT(&ad,FS); 1376 AVC_AUDIT_DATA_INIT(&ad, FS);
1377 ad.u.fs.path.mnt = mnt; 1377 ad.u.fs.path.mnt = mnt;
1378 ad.u.fs.path.dentry = dentry; 1378 ad.u.fs.path.dentry = dentry;
1379 return inode_has_perm(tsk, inode, av, &ad); 1379 return inode_has_perm(tsk, inode, av, &ad);
@@ -1470,9 +1470,9 @@ static int may_create_key(u32 ksid,
1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471} 1471}
1472 1472
1473#define MAY_LINK 0 1473#define MAY_LINK 0
1474#define MAY_UNLINK 1 1474#define MAY_UNLINK 1
1475#define MAY_RMDIR 2 1475#define MAY_RMDIR 2
1476 1476
1477/* Check whether a task can link, unlink, or rmdir a file/directory. */ 1477/* Check whether a task can link, unlink, or rmdir a file/directory. */
1478static int may_link(struct inode *dir, 1478static int may_link(struct inode *dir,
@@ -1510,7 +1510,8 @@ static int may_link(struct inode *dir,
1510 av = DIR__RMDIR; 1510 av = DIR__RMDIR;
1511 break; 1511 break;
1512 default: 1512 default:
1513 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1513 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1514 __func__, kind);
1514 return 0; 1515 return 0;
1515 } 1516 }
1516 1517
@@ -1640,8 +1641,8 @@ static inline u32 open_file_mask_to_av(int mode, int mask)
1640 else if (S_ISDIR(mode)) 1641 else if (S_ISDIR(mode))
1641 av |= DIR__OPEN; 1642 av |= DIR__OPEN;
1642 else 1643 else
1643 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av " 1644 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1644 "with unknown mode:%x\n", mode); 1645 "unknown mode:%x\n", __func__, mode);
1645 } 1646 }
1646 return av; 1647 return av;
1647} 1648}
@@ -1675,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1675{ 1676{
1676 int rc; 1677 int rc;
1677 1678
1678 rc = secondary_ops->ptrace(parent,child); 1679 rc = secondary_ops->ptrace(parent, child);
1679 if (rc) 1680 if (rc)
1680 return rc; 1681 return rc;
1681 1682
@@ -1683,7 +1684,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1683} 1684}
1684 1685
1685static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1686static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1686 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1687 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1687{ 1688{
1688 int error; 1689 int error;
1689 1690
@@ -1695,7 +1696,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1695} 1696}
1696 1697
1697static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1698static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1698 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1699 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1699{ 1700{
1700 int error; 1701 int error;
1701 1702
@@ -1707,7 +1708,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect
1707} 1708}
1708 1709
1709static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1710static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1710 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1711 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1711{ 1712{
1712 secondary_ops->capset_set(target, effective, inheritable, permitted); 1713 secondary_ops->capset_set(target, effective, inheritable, permitted);
1713} 1714}
@@ -1720,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap)
1720 if (rc) 1721 if (rc)
1721 return rc; 1722 return rc;
1722 1723
1723 return task_has_capability(tsk,cap); 1724 return task_has_capability(tsk, cap);
1724} 1725}
1725 1726
1726static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1727static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -1729,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1729 char *buffer, *path, *end; 1730 char *buffer, *path, *end;
1730 1731
1731 rc = -ENOMEM; 1732 rc = -ENOMEM;
1732 buffer = (char*)__get_free_page(GFP_KERNEL); 1733 buffer = (char *)__get_free_page(GFP_KERNEL);
1733 if (!buffer) 1734 if (!buffer)
1734 goto out; 1735 goto out;
1735 1736
@@ -1787,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1787 1788
1788 /* The op values are "defined" in sysctl.c, thereby creating 1789 /* The op values are "defined" in sysctl.c, thereby creating
1789 * a bad coupling between this module and sysctl.c */ 1790 * a bad coupling between this module and sysctl.c */
1790 if(op == 001) { 1791 if (op == 001) {
1791 error = avc_has_perm(tsec->sid, tsid, 1792 error = avc_has_perm(tsec->sid, tsid,
1792 SECCLASS_DIR, DIR__SEARCH, NULL); 1793 SECCLASS_DIR, DIR__SEARCH, NULL);
1793 } else { 1794 } else {
@@ -1799,7 +1800,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1799 if (av) 1800 if (av)
1800 error = avc_has_perm(tsec->sid, tsid, 1801 error = avc_has_perm(tsec->sid, tsid,
1801 SECCLASS_FILE, av, NULL); 1802 SECCLASS_FILE, av, NULL);
1802 } 1803 }
1803 1804
1804 return error; 1805 return error;
1805} 1806}
@@ -1812,25 +1813,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1812 return 0; 1813 return 0;
1813 1814
1814 switch (cmds) { 1815 switch (cmds) {
1815 case Q_SYNC: 1816 case Q_SYNC:
1816 case Q_QUOTAON: 1817 case Q_QUOTAON:
1817 case Q_QUOTAOFF: 1818 case Q_QUOTAOFF:
1818 case Q_SETINFO: 1819 case Q_SETINFO:
1819 case Q_SETQUOTA: 1820 case Q_SETQUOTA:
1820 rc = superblock_has_perm(current, 1821 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1821 sb, 1822 NULL);
1822 FILESYSTEM__QUOTAMOD, NULL); 1823 break;
1823 break; 1824 case Q_GETFMT:
1824 case Q_GETFMT: 1825 case Q_GETINFO:
1825 case Q_GETINFO: 1826 case Q_GETQUOTA:
1826 case Q_GETQUOTA: 1827 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1827 rc = superblock_has_perm(current, 1828 NULL);
1828 sb, 1829 break;
1829 FILESYSTEM__QUOTAGET, NULL); 1830 default:
1830 break; 1831 rc = 0; /* let the kernel handle invalid cmds */
1831 default: 1832 break;
1832 rc = 0; /* let the kernel handle invalid cmds */
1833 break;
1834 } 1833 }
1835 return rc; 1834 return rc;
1836} 1835}
@@ -1849,23 +1848,23 @@ static int selinux_syslog(int type)
1849 return rc; 1848 return rc;
1850 1849
1851 switch (type) { 1850 switch (type) {
1852 case 3: /* Read last kernel messages */ 1851 case 3: /* Read last kernel messages */
1853 case 10: /* Return size of the log buffer */ 1852 case 10: /* Return size of the log buffer */
1854 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1853 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1855 break; 1854 break;
1856 case 6: /* Disable logging to console */ 1855 case 6: /* Disable logging to console */
1857 case 7: /* Enable logging to console */ 1856 case 7: /* Enable logging to console */
1858 case 8: /* Set level of messages printed to console */ 1857 case 8: /* Set level of messages printed to console */
1859 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1858 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1860 break; 1859 break;
1861 case 0: /* Close log */ 1860 case 0: /* Close log */
1862 case 1: /* Open log */ 1861 case 1: /* Open log */
1863 case 2: /* Read from log */ 1862 case 2: /* Read from log */
1864 case 4: /* Read/clear last kernel messages */ 1863 case 4: /* Read/clear last kernel messages */
1865 case 5: /* Clear ring buffer */ 1864 case 5: /* Clear ring buffer */
1866 default: 1865 default:
1867 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1866 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1868 break; 1867 break;
1869 } 1868 }
1870 return rc; 1869 return rc;
1871} 1870}
@@ -1971,7 +1970,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
1971 } else { 1970 } else {
1972 /* Check for a default transition on this program. */ 1971 /* Check for a default transition on this program. */
1973 rc = security_transition_sid(tsec->sid, isec->sid, 1972 rc = security_transition_sid(tsec->sid, isec->sid,
1974 SECCLASS_PROCESS, &newsid); 1973 SECCLASS_PROCESS, &newsid);
1975 if (rc) 1974 if (rc)
1976 return rc; 1975 return rc;
1977 } 1976 }
@@ -1982,7 +1981,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
1982 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 1981 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1983 newsid = tsec->sid; 1982 newsid = tsec->sid;
1984 1983
1985 if (tsec->sid == newsid) { 1984 if (tsec->sid == newsid) {
1986 rc = avc_has_perm(tsec->sid, isec->sid, 1985 rc = avc_has_perm(tsec->sid, isec->sid,
1987 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1986 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1988 if (rc) 1987 if (rc)
@@ -2010,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
2010 return 0; 2009 return 0;
2011} 2010}
2012 2011
2013static int selinux_bprm_check_security (struct linux_binprm *bprm) 2012static int selinux_bprm_check_security(struct linux_binprm *bprm)
2014{ 2013{
2015 return secondary_ops->bprm_check_security(bprm); 2014 return secondary_ops->bprm_check_security(bprm);
2016} 2015}
2017 2016
2018 2017
2019static int selinux_bprm_secureexec (struct linux_binprm *bprm) 2018static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2020{ 2019{
2021 struct task_security_struct *tsec = current->security; 2020 struct task_security_struct *tsec = current->security;
2022 int atsecure = 0; 2021 int atsecure = 0;
@@ -2043,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount;
2043extern struct dentry *selinux_null; 2042extern struct dentry *selinux_null;
2044 2043
2045/* Derived from fs/exec.c:flush_old_files. */ 2044/* Derived from fs/exec.c:flush_old_files. */
2046static inline void flush_unauthorized_files(struct files_struct * files) 2045static inline void flush_unauthorized_files(struct files_struct *files)
2047{ 2046{
2048 struct avc_audit_data ad; 2047 struct avc_audit_data ad;
2049 struct file *file, *devnull = NULL; 2048 struct file *file, *devnull = NULL;
@@ -2078,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
2078 2077
2079 /* Revalidate access to inherited open files. */ 2078 /* Revalidate access to inherited open files. */
2080 2079
2081 AVC_AUDIT_DATA_INIT(&ad,FS); 2080 AVC_AUDIT_DATA_INIT(&ad, FS);
2082 2081
2083 spin_lock(&files->file_lock); 2082 spin_lock(&files->file_lock);
2084 for (;;) { 2083 for (;;) {
@@ -2094,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
2094 if (!set) 2093 if (!set)
2095 continue; 2094 continue;
2096 spin_unlock(&files->file_lock); 2095 spin_unlock(&files->file_lock);
2097 for ( ; set ; i++,set >>= 1) { 2096 for ( ; set ; i++, set >>= 1) {
2098 if (set & 1) { 2097 if (set & 1) {
2099 file = fget(i); 2098 file = fget(i);
2100 if (!file) 2099 if (!file)
@@ -2251,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2251 for (i = 0; i < RLIM_NLIMITS; i++) { 2250 for (i = 0; i < RLIM_NLIMITS; i++) {
2252 rlim = current->signal->rlim + i; 2251 rlim = current->signal->rlim + i;
2253 initrlim = init_task.signal->rlim+i; 2252 initrlim = init_task.signal->rlim+i;
2254 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 2253 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2255 } 2254 }
2256 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 2255 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2257 /* 2256 /*
@@ -2306,16 +2305,15 @@ static inline void take_option(char **to, char *from, int *first, int len)
2306 *to += len; 2305 *to += len;
2307} 2306}
2308 2307
2309static inline void take_selinux_option(char **to, char *from, int *first, 2308static inline void take_selinux_option(char **to, char *from, int *first,
2310 int len) 2309 int len)
2311{ 2310{
2312 int current_size = 0; 2311 int current_size = 0;
2313 2312
2314 if (!*first) { 2313 if (!*first) {
2315 **to = '|'; 2314 **to = '|';
2316 *to += 1; 2315 *to += 1;
2317 } 2316 } else
2318 else
2319 *first = 0; 2317 *first = 0;
2320 2318
2321 while (current_size < len) { 2319 while (current_size < len) {
@@ -2379,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2379 if (rc) 2377 if (rc)
2380 return rc; 2378 return rc;
2381 2379
2382 AVC_AUDIT_DATA_INIT(&ad,FS); 2380 AVC_AUDIT_DATA_INIT(&ad, FS);
2383 ad.u.fs.path.dentry = sb->s_root; 2381 ad.u.fs.path.dentry = sb->s_root;
2384 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2382 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2385} 2383}
@@ -2388,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry)
2388{ 2386{
2389 struct avc_audit_data ad; 2387 struct avc_audit_data ad;
2390 2388
2391 AVC_AUDIT_DATA_INIT(&ad,FS); 2389 AVC_AUDIT_DATA_INIT(&ad, FS);
2392 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2390 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2393 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2391 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2394} 2392}
2395 2393
2396static int selinux_mount(char * dev_name, 2394static int selinux_mount(char *dev_name,
2397 struct nameidata *nd, 2395 struct nameidata *nd,
2398 char * type, 2396 char *type,
2399 unsigned long flags, 2397 unsigned long flags,
2400 void * data) 2398 void *data)
2401{ 2399{
2402 int rc; 2400 int rc;
2403 2401
@@ -2407,10 +2405,10 @@ static int selinux_mount(char * dev_name,
2407 2405
2408 if (flags & MS_REMOUNT) 2406 if (flags & MS_REMOUNT)
2409 return superblock_has_perm(current, nd->path.mnt->mnt_sb, 2407 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2410 FILESYSTEM__REMOUNT, NULL); 2408 FILESYSTEM__REMOUNT, NULL);
2411 else 2409 else
2412 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, 2410 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2413 FILE__MOUNTON); 2411 FILE__MOUNTON);
2414} 2412}
2415 2413
2416static int selinux_umount(struct vfsmount *mnt, int flags) 2414static int selinux_umount(struct vfsmount *mnt, int flags)
@@ -2421,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags)
2421 if (rc) 2419 if (rc)
2422 return rc; 2420 return rc;
2423 2421
2424 return superblock_has_perm(current,mnt->mnt_sb, 2422 return superblock_has_perm(current, mnt->mnt_sb,
2425 FILESYSTEM__UNMOUNT,NULL); 2423 FILESYSTEM__UNMOUNT, NULL);
2426} 2424}
2427 2425
2428/* inode security operations */ 2426/* inode security operations */
@@ -2508,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru
2508{ 2506{
2509 int rc; 2507 int rc;
2510 2508
2511 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2509 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2512 if (rc) 2510 if (rc)
2513 return rc; 2511 return rc;
2514 return may_link(dir, old_dentry, MAY_LINK); 2512 return may_link(dir, old_dentry, MAY_LINK);
@@ -2551,7 +2549,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
2551} 2549}
2552 2550
2553static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2551static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2554 struct inode *new_inode, struct dentry *new_dentry) 2552 struct inode *new_inode, struct dentry *new_dentry)
2555{ 2553{
2556 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2554 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2557} 2555}
@@ -2565,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
2565{ 2563{
2566 int rc; 2564 int rc;
2567 2565
2568 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2566 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2569 if (rc) 2567 if (rc)
2570 return rc; 2568 return rc;
2571 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2569 return dentry_has_perm(current, NULL, dentry, FILE__READ);
@@ -2651,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2651 if (!is_owner_or_cap(inode)) 2649 if (!is_owner_or_cap(inode))
2652 return -EPERM; 2650 return -EPERM;
2653 2651
2654 AVC_AUDIT_DATA_INIT(&ad,FS); 2652 AVC_AUDIT_DATA_INIT(&ad, FS);
2655 ad.u.fs.path.dentry = dentry; 2653 ad.u.fs.path.dentry = dentry;
2656 2654
2657 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2655 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
@@ -2669,7 +2667,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2669 return rc; 2667 return rc;
2670 2668
2671 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2669 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2672 isec->sclass); 2670 isec->sclass);
2673 if (rc) 2671 if (rc)
2674 return rc; 2672 return rc;
2675 2673
@@ -2681,7 +2679,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2681} 2679}
2682 2680
2683static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2681static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2684 void *value, size_t size, int flags) 2682 void *value, size_t size, int flags)
2685{ 2683{
2686 struct inode *inode = dentry->d_inode; 2684 struct inode *inode = dentry->d_inode;
2687 struct inode_security_struct *isec = inode->i_security; 2685 struct inode_security_struct *isec = inode->i_security;
@@ -2704,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2704 return; 2702 return;
2705} 2703}
2706 2704
2707static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2705static int selinux_inode_getxattr(struct dentry *dentry, char *name)
2708{ 2706{
2709 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2707 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2710} 2708}
2711 2709
2712static int selinux_inode_listxattr (struct dentry *dentry) 2710static int selinux_inode_listxattr(struct dentry *dentry)
2713{ 2711{
2714 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2712 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2715} 2713}
2716 2714
2717static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2715static int selinux_inode_removexattr(struct dentry *dentry, char *name)
2718{ 2716{
2719 if (strcmp(name, XATTR_NAME_SELINUX)) 2717 if (strcmp(name, XATTR_NAME_SELINUX))
2720 return selinux_inode_setotherxattr(dentry, name); 2718 return selinux_inode_setotherxattr(dentry, name);
@@ -2755,7 +2753,7 @@ out_nofree:
2755} 2753}
2756 2754
2757static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2755static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2758 const void *value, size_t size, int flags) 2756 const void *value, size_t size, int flags)
2759{ 2757{
2760 struct inode_security_struct *isec = inode->i_security; 2758 struct inode_security_struct *isec = inode->i_security;
2761 u32 newsid; 2759 u32 newsid;
@@ -2767,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2767 if (!value || !size) 2765 if (!value || !size)
2768 return -EACCES; 2766 return -EACCES;
2769 2767
2770 rc = security_context_to_sid((void*)value, size, &newsid); 2768 rc = security_context_to_sid((void *)value, size, &newsid);
2771 if (rc) 2769 if (rc)
2772 return rc; 2770 return rc;
2773 2771
@@ -2858,42 +2856,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2858 int error = 0; 2856 int error = 0;
2859 2857
2860 switch (cmd) { 2858 switch (cmd) {
2861 case FIONREAD: 2859 case FIONREAD:
2862 /* fall through */ 2860 /* fall through */
2863 case FIBMAP: 2861 case FIBMAP:
2864 /* fall through */ 2862 /* fall through */
2865 case FIGETBSZ: 2863 case FIGETBSZ:
2866 /* fall through */ 2864 /* fall through */
2867 case EXT2_IOC_GETFLAGS: 2865 case EXT2_IOC_GETFLAGS:
2868 /* fall through */ 2866 /* fall through */
2869 case EXT2_IOC_GETVERSION: 2867 case EXT2_IOC_GETVERSION:
2870 error = file_has_perm(current, file, FILE__GETATTR); 2868 error = file_has_perm(current, file, FILE__GETATTR);
2871 break; 2869 break;
2872
2873 case EXT2_IOC_SETFLAGS:
2874 /* fall through */
2875 case EXT2_IOC_SETVERSION:
2876 error = file_has_perm(current, file, FILE__SETATTR);
2877 break;
2878 2870
2879 /* sys_ioctl() checks */ 2871 case EXT2_IOC_SETFLAGS:
2880 case FIONBIO: 2872 /* fall through */
2881 /* fall through */ 2873 case EXT2_IOC_SETVERSION:
2882 case FIOASYNC: 2874 error = file_has_perm(current, file, FILE__SETATTR);
2883 error = file_has_perm(current, file, 0); 2875 break;
2884 break;
2885 2876
2886 case KDSKBENT: 2877 /* sys_ioctl() checks */
2887 case KDSKBSENT: 2878 case FIONBIO:
2888 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2879 /* fall through */
2889 break; 2880 case FIOASYNC:
2881 error = file_has_perm(current, file, 0);
2882 break;
2890 2883
2891 /* default case assumes that the command will go 2884 case KDSKBENT:
2892 * to the file's ioctl() function. 2885 case KDSKBSENT:
2893 */ 2886 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2894 default: 2887 break;
2895 error = file_has_perm(current, file, FILE__IOCTL);
2896 2888
2889 /* default case assumes that the command will go
2890 * to the file's ioctl() function.
2891 */
2892 default:
2893 error = file_has_perm(current, file, FILE__IOCTL);
2897 } 2894 }
2898 return error; 2895 return error;
2899} 2896}
@@ -2934,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2934 unsigned long addr, unsigned long addr_only) 2931 unsigned long addr, unsigned long addr_only)
2935{ 2932{
2936 int rc = 0; 2933 int rc = 0;
2937 u32 sid = ((struct task_security_struct*)(current->security))->sid; 2934 u32 sid = ((struct task_security_struct *)(current->security))->sid;
2938 2935
2939 if (addr < mmap_min_addr) 2936 if (addr < mmap_min_addr)
2940 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 2937 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
@@ -3003,39 +3000,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3003 int err = 0; 3000 int err = 0;
3004 3001
3005 switch (cmd) { 3002 switch (cmd) {
3006 case F_SETFL: 3003 case F_SETFL:
3007 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3004 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3008 err = -EINVAL; 3005 err = -EINVAL;
3009 break; 3006 break;
3010 } 3007 }
3011 3008
3012 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3009 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3013 err = file_has_perm(current, file,FILE__WRITE); 3010 err = file_has_perm(current, file, FILE__WRITE);
3014 break;
3015 }
3016 /* fall through */
3017 case F_SETOWN:
3018 case F_SETSIG:
3019 case F_GETFL:
3020 case F_GETOWN:
3021 case F_GETSIG:
3022 /* Just check FD__USE permission */
3023 err = file_has_perm(current, file, 0);
3024 break; 3011 break;
3025 case F_GETLK: 3012 }
3026 case F_SETLK: 3013 /* fall through */
3027 case F_SETLKW: 3014 case F_SETOWN:
3015 case F_SETSIG:
3016 case F_GETFL:
3017 case F_GETOWN:
3018 case F_GETSIG:
3019 /* Just check FD__USE permission */
3020 err = file_has_perm(current, file, 0);
3021 break;
3022 case F_GETLK:
3023 case F_SETLK:
3024 case F_SETLKW:
3028#if BITS_PER_LONG == 32 3025#if BITS_PER_LONG == 32
3029 case F_GETLK64: 3026 case F_GETLK64:
3030 case F_SETLK64: 3027 case F_SETLK64:
3031 case F_SETLKW64: 3028 case F_SETLKW64:
3032#endif 3029#endif
3033 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3030 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3034 err = -EINVAL; 3031 err = -EINVAL;
3035 break;
3036 }
3037 err = file_has_perm(current, file, FILE__LOCK);
3038 break; 3032 break;
3033 }
3034 err = file_has_perm(current, file, FILE__LOCK);
3035 break;
3039 } 3036 }
3040 3037
3041 return err; 3038 return err;
@@ -3056,13 +3053,13 @@ static int selinux_file_set_fowner(struct file *file)
3056static int selinux_file_send_sigiotask(struct task_struct *tsk, 3053static int selinux_file_send_sigiotask(struct task_struct *tsk,
3057 struct fown_struct *fown, int signum) 3054 struct fown_struct *fown, int signum)
3058{ 3055{
3059 struct file *file; 3056 struct file *file;
3060 u32 perm; 3057 u32 perm;
3061 struct task_security_struct *tsec; 3058 struct task_security_struct *tsec;
3062 struct file_security_struct *fsec; 3059 struct file_security_struct *fsec;
3063 3060
3064 /* struct fown_struct is never outside the context of a struct file */ 3061 /* struct fown_struct is never outside the context of a struct file */
3065 file = container_of(fown, struct file, f_owner); 3062 file = container_of(fown, struct file, f_owner);
3066 3063
3067 tsec = tsk->security; 3064 tsec = tsk->security;
3068 fsec = file->f_security; 3065 fsec = file->f_security;
@@ -3164,7 +3161,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3164 3161
3165static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3162static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3166{ 3163{
3167 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 3164 return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3168} 3165}
3169 3166
3170static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3167static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
@@ -3208,7 +3205,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
3208 if (rc) 3205 if (rc)
3209 return rc; 3206 return rc;
3210 3207
3211 return task_has_perm(current,p, PROCESS__SETSCHED); 3208 return task_has_perm(current, p, PROCESS__SETSCHED);
3212} 3209}
3213 3210
3214static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3211static int selinux_task_setioprio(struct task_struct *p, int ioprio)
@@ -3312,7 +3309,7 @@ static int selinux_task_wait(struct task_struct *p)
3312 3309
3313static void selinux_task_reparent_to_init(struct task_struct *p) 3310static void selinux_task_reparent_to_init(struct task_struct *p)
3314{ 3311{
3315 struct task_security_struct *tsec; 3312 struct task_security_struct *tsec;
3316 3313
3317 secondary_ops->task_reparent_to_init(p); 3314 secondary_ops->task_reparent_to_init(p);
3318 3315
@@ -3357,11 +3354,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3357 *proto = ih->protocol; 3354 *proto = ih->protocol;
3358 3355
3359 switch (ih->protocol) { 3356 switch (ih->protocol) {
3360 case IPPROTO_TCP: { 3357 case IPPROTO_TCP: {
3361 struct tcphdr _tcph, *th; 3358 struct tcphdr _tcph, *th;
3362 3359
3363 if (ntohs(ih->frag_off) & IP_OFFSET) 3360 if (ntohs(ih->frag_off) & IP_OFFSET)
3364 break; 3361 break;
3365 3362
3366 offset += ihlen; 3363 offset += ihlen;
3367 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3364 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
@@ -3371,23 +3368,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3371 ad->u.net.sport = th->source; 3368 ad->u.net.sport = th->source;
3372 ad->u.net.dport = th->dest; 3369 ad->u.net.dport = th->dest;
3373 break; 3370 break;
3374 } 3371 }
3375 3372
3376 case IPPROTO_UDP: { 3373 case IPPROTO_UDP: {
3377 struct udphdr _udph, *uh; 3374 struct udphdr _udph, *uh;
3378 3375
3379 if (ntohs(ih->frag_off) & IP_OFFSET) 3376 if (ntohs(ih->frag_off) & IP_OFFSET)
3380 break; 3377 break;
3381 3378
3382 offset += ihlen; 3379 offset += ihlen;
3383 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3380 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3384 if (uh == NULL) 3381 if (uh == NULL)
3385 break; 3382 break;
3386 3383
3387 ad->u.net.sport = uh->source; 3384 ad->u.net.sport = uh->source;
3388 ad->u.net.dport = uh->dest; 3385 ad->u.net.dport = uh->dest;
3389 break; 3386 break;
3390 } 3387 }
3391 3388
3392 case IPPROTO_DCCP: { 3389 case IPPROTO_DCCP: {
3393 struct dccp_hdr _dccph, *dh; 3390 struct dccp_hdr _dccph, *dh;
@@ -3403,11 +3400,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3403 ad->u.net.sport = dh->dccph_sport; 3400 ad->u.net.sport = dh->dccph_sport;
3404 ad->u.net.dport = dh->dccph_dport; 3401 ad->u.net.dport = dh->dccph_dport;
3405 break; 3402 break;
3406 } 3403 }
3407 3404
3408 default: 3405 default:
3409 break; 3406 break;
3410 } 3407 }
3411out: 3408out:
3412 return ret; 3409 return ret;
3413} 3410}
@@ -3442,7 +3439,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3442 3439
3443 switch (nexthdr) { 3440 switch (nexthdr) {
3444 case IPPROTO_TCP: { 3441 case IPPROTO_TCP: {
3445 struct tcphdr _tcph, *th; 3442 struct tcphdr _tcph, *th;
3446 3443
3447 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3444 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3448 if (th == NULL) 3445 if (th == NULL)
@@ -3475,7 +3472,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3475 ad->u.net.sport = dh->dccph_sport; 3472 ad->u.net.sport = dh->dccph_sport;
3476 ad->u.net.dport = dh->dccph_dport; 3473 ad->u.net.dport = dh->dccph_dport;
3477 break; 3474 break;
3478 } 3475 }
3479 3476
3480 /* includes fragments */ 3477 /* includes fragments */
3481 default: 3478 default:
@@ -3573,7 +3570,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3573 if (isec->sid == SECINITSID_KERNEL) 3570 if (isec->sid == SECINITSID_KERNEL)
3574 goto out; 3571 goto out;
3575 3572
3576 AVC_AUDIT_DATA_INIT(&ad,NET); 3573 AVC_AUDIT_DATA_INIT(&ad, NET);
3577 ad.u.net.sk = sock->sk; 3574 ad.u.net.sk = sock->sk;
3578 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3575 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3579 3576
@@ -3683,7 +3680,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3683 snum, &sid); 3680 snum, &sid);
3684 if (err) 3681 if (err)
3685 goto out; 3682 goto out;
3686 AVC_AUDIT_DATA_INIT(&ad,NET); 3683 AVC_AUDIT_DATA_INIT(&ad, NET);
3687 ad.u.net.sport = htons(snum); 3684 ad.u.net.sport = htons(snum);
3688 ad.u.net.family = family; 3685 ad.u.net.family = family;
3689 err = avc_has_perm(isec->sid, sid, 3686 err = avc_has_perm(isec->sid, sid,
@@ -3693,12 +3690,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3693 goto out; 3690 goto out;
3694 } 3691 }
3695 } 3692 }
3696 3693
3697 switch(isec->sclass) { 3694 switch (isec->sclass) {
3698 case SECCLASS_TCP_SOCKET: 3695 case SECCLASS_TCP_SOCKET:
3699 node_perm = TCP_SOCKET__NODE_BIND; 3696 node_perm = TCP_SOCKET__NODE_BIND;
3700 break; 3697 break;
3701 3698
3702 case SECCLASS_UDP_SOCKET: 3699 case SECCLASS_UDP_SOCKET:
3703 node_perm = UDP_SOCKET__NODE_BIND; 3700 node_perm = UDP_SOCKET__NODE_BIND;
3704 break; 3701 break;
@@ -3711,12 +3708,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3711 node_perm = RAWIP_SOCKET__NODE_BIND; 3708 node_perm = RAWIP_SOCKET__NODE_BIND;
3712 break; 3709 break;
3713 } 3710 }
3714 3711
3715 err = sel_netnode_sid(addrp, family, &sid); 3712 err = sel_netnode_sid(addrp, family, &sid);
3716 if (err) 3713 if (err)
3717 goto out; 3714 goto out;
3718 3715
3719 AVC_AUDIT_DATA_INIT(&ad,NET); 3716 AVC_AUDIT_DATA_INIT(&ad, NET);
3720 ad.u.net.sport = htons(snum); 3717 ad.u.net.sport = htons(snum);
3721 ad.u.net.family = family; 3718 ad.u.net.family = family;
3722 3719
@@ -3726,7 +3723,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3726 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3723 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3727 3724
3728 err = avc_has_perm(isec->sid, sid, 3725 err = avc_has_perm(isec->sid, sid,
3729 isec->sclass, node_perm, &ad); 3726 isec->sclass, node_perm, &ad);
3730 if (err) 3727 if (err)
3731 goto out; 3728 goto out;
3732 } 3729 }
@@ -3775,7 +3772,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3775 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3772 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3776 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3773 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3777 3774
3778 AVC_AUDIT_DATA_INIT(&ad,NET); 3775 AVC_AUDIT_DATA_INIT(&ad, NET);
3779 ad.u.net.dport = htons(snum); 3776 ad.u.net.dport = htons(snum);
3780 ad.u.net.family = sk->sk_family; 3777 ad.u.net.family = sk->sk_family;
3781 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3778 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
@@ -3813,7 +3810,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3813} 3810}
3814 3811
3815static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3812static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3816 int size) 3813 int size)
3817{ 3814{
3818 int rc; 3815 int rc;
3819 3816
@@ -3840,7 +3837,7 @@ static int selinux_socket_getpeername(struct socket *sock)
3840 return socket_has_perm(current, sock, SOCKET__GETATTR); 3837 return socket_has_perm(current, sock, SOCKET__GETATTR);
3841} 3838}
3842 3839
3843static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3840static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3844{ 3841{
3845 int err; 3842 int err;
3846 3843
@@ -3879,7 +3876,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
3879 isec = SOCK_INODE(sock)->i_security; 3876 isec = SOCK_INODE(sock)->i_security;
3880 other_isec = SOCK_INODE(other)->i_security; 3877 other_isec = SOCK_INODE(other)->i_security;
3881 3878
3882 AVC_AUDIT_DATA_INIT(&ad,NET); 3879 AVC_AUDIT_DATA_INIT(&ad, NET);
3883 ad.u.net.sk = other->sk; 3880 ad.u.net.sk = other->sk;
3884 3881
3885 err = avc_has_perm(isec->sid, other_isec->sid, 3882 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -3891,7 +3888,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
3891 /* connecting socket */ 3888 /* connecting socket */
3892 ssec = sock->sk->sk_security; 3889 ssec = sock->sk->sk_security;
3893 ssec->peer_sid = other_isec->sid; 3890 ssec->peer_sid = other_isec->sid;
3894 3891
3895 /* server child socket */ 3892 /* server child socket */
3896 ssec = newsk->sk_security; 3893 ssec = newsk->sk_security;
3897 ssec->peer_sid = isec->sid; 3894 ssec->peer_sid = isec->sid;
@@ -3911,7 +3908,7 @@ static int selinux_socket_unix_may_send(struct socket *sock,
3911 isec = SOCK_INODE(sock)->i_security; 3908 isec = SOCK_INODE(sock)->i_security;
3912 other_isec = SOCK_INODE(other)->i_security; 3909 other_isec = SOCK_INODE(other)->i_security;
3913 3910
3914 AVC_AUDIT_DATA_INIT(&ad,NET); 3911 AVC_AUDIT_DATA_INIT(&ad, NET);
3915 ad.u.net.sk = other->sk; 3912 ad.u.net.sk = other->sk;
3916 3913
3917 err = avc_has_perm(isec->sid, other_isec->sid, 3914 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -3989,7 +3986,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3989 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3986 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3990 if (err) 3987 if (err)
3991 return err; 3988 return err;
3992 3989
3993 err = sel_netnode_sid(addrp, family, &node_sid); 3990 err = sel_netnode_sid(addrp, family, &node_sid);
3994 if (err) 3991 if (err)
3995 return err; 3992 return err;
@@ -4140,7 +4137,7 @@ out_len:
4140 err = -EFAULT; 4137 err = -EFAULT;
4141 4138
4142 kfree(scontext); 4139 kfree(scontext);
4143out: 4140out:
4144 return err; 4141 return err;
4145} 4142}
4146 4143
@@ -4201,7 +4198,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4201 } 4198 }
4202} 4199}
4203 4200
4204static void selinux_sock_graft(struct sock* sk, struct socket *parent) 4201static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4205{ 4202{
4206 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4203 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4207 struct sk_security_struct *sksec = sk->sk_security; 4204 struct sk_security_struct *sksec = sk->sk_security;
@@ -4278,13 +4275,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4278 struct nlmsghdr *nlh; 4275 struct nlmsghdr *nlh;
4279 struct socket *sock = sk->sk_socket; 4276 struct socket *sock = sk->sk_socket;
4280 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4277 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4281 4278
4282 if (skb->len < NLMSG_SPACE(0)) { 4279 if (skb->len < NLMSG_SPACE(0)) {
4283 err = -EINVAL; 4280 err = -EINVAL;
4284 goto out; 4281 goto out;
4285 } 4282 }
4286 nlh = nlmsg_hdr(skb); 4283 nlh = nlmsg_hdr(skb);
4287 4284
4288 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 4285 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4289 if (err) { 4286 if (err) {
4290 if (err == -EINVAL) { 4287 if (err == -EINVAL) {
@@ -4410,7 +4407,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4410 return err; 4407 return err;
4411 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4408 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4412 return err; 4409 return err;
4413 4410
4414 err = sel_netnode_sid(addrp, family, &node_sid); 4411 err = sel_netnode_sid(addrp, family, &node_sid);
4415 if (err) 4412 if (err)
4416 return err; 4413 return err;
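Review bot: The node check in this hunk is unreachable: the unconditional `return err;` right after the netif avc_has_perm() call exits before `err = sel_netnode_sid(addrp, family, &node_sid);` is ever reached, so the postroute compat path never performs the node-level permission check that the sibling function selinux_sock_rcv_skb_iptables_compat does perform (`if (err) return err;` followed by the node lookup). This is pre-existing rather than introduced here, but the commit reformats these exact lines without noticing it, and the result is a silently skipped access check on the outbound path. The fix is to make the return conditional, matching the receive-side variant: `if (err)` / `return err;` in place of the bare `return err;`. selinux_ip_postroute_iptables_compat's body starts and ends outside this hunk, so I cannot confirm from here whether any later code compensates; it should be checked.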
@@ -4593,7 +4590,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4593 ad.u.cap = capability; 4590 ad.u.cap = capability;
4594 4591
4595 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4592 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4596 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4593 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4597} 4594}
4598 4595
4599static int ipc_alloc_security(struct task_struct *task, 4596static int ipc_alloc_security(struct task_struct *task,
@@ -4685,7 +4682,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4685 isec = msq->q_perm.security; 4682 isec = msq->q_perm.security;
4686 4683
4687 AVC_AUDIT_DATA_INIT(&ad, IPC); 4684 AVC_AUDIT_DATA_INIT(&ad, IPC);
4688 ad.u.ipc_id = msq->q_perm.key; 4685 ad.u.ipc_id = msq->q_perm.key;
4689 4686
4690 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4687 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4691 MSGQ__CREATE, &ad); 4688 MSGQ__CREATE, &ad);
@@ -4722,7 +4719,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4722 int err; 4719 int err;
4723 int perms; 4720 int perms;
4724 4721
4725 switch(cmd) { 4722 switch (cmd) {
4726 case IPC_INFO: 4723 case IPC_INFO:
4727 case MSG_INFO: 4724 case MSG_INFO:
4728 /* No specific object, just general system-wide information. */ 4725 /* No specific object, just general system-wide information. */
@@ -4806,7 +4803,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4806 msec = msg->security; 4803 msec = msg->security;
4807 4804
4808 AVC_AUDIT_DATA_INIT(&ad, IPC); 4805 AVC_AUDIT_DATA_INIT(&ad, IPC);
4809 ad.u.ipc_id = msq->q_perm.key; 4806 ad.u.ipc_id = msq->q_perm.key;
4810 4807
4811 rc = avc_has_perm(tsec->sid, isec->sid, 4808 rc = avc_has_perm(tsec->sid, isec->sid,
4812 SECCLASS_MSGQ, MSGQ__READ, &ad); 4809 SECCLASS_MSGQ, MSGQ__READ, &ad);
@@ -4832,7 +4829,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4832 isec = shp->shm_perm.security; 4829 isec = shp->shm_perm.security;
4833 4830
4834 AVC_AUDIT_DATA_INIT(&ad, IPC); 4831 AVC_AUDIT_DATA_INIT(&ad, IPC);
4835 ad.u.ipc_id = shp->shm_perm.key; 4832 ad.u.ipc_id = shp->shm_perm.key;
4836 4833
4837 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4834 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4838 SHM__CREATE, &ad); 4835 SHM__CREATE, &ad);
@@ -4870,7 +4867,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4870 int perms; 4867 int perms;
4871 int err; 4868 int err;
4872 4869
4873 switch(cmd) { 4870 switch (cmd) {
4874 case IPC_INFO: 4871 case IPC_INFO:
4875 case SHM_INFO: 4872 case SHM_INFO:
4876 /* No specific object, just general system-wide information. */ 4873 /* No specific object, just general system-wide information. */
@@ -4931,7 +4928,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
4931 isec = sma->sem_perm.security; 4928 isec = sma->sem_perm.security;
4932 4929
4933 AVC_AUDIT_DATA_INIT(&ad, IPC); 4930 AVC_AUDIT_DATA_INIT(&ad, IPC);
4934 ad.u.ipc_id = sma->sem_perm.key; 4931 ad.u.ipc_id = sma->sem_perm.key;
4935 4932
4936 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4933 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4937 SEM__CREATE, &ad); 4934 SEM__CREATE, &ad);
@@ -4969,7 +4966,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4969 int err; 4966 int err;
4970 u32 perms; 4967 u32 perms;
4971 4968
4972 switch(cmd) { 4969 switch (cmd) {
4973 case IPC_INFO: 4970 case IPC_INFO:
4974 case SEM_INFO: 4971 case SEM_INFO:
4975 /* No specific object, just general system-wide information. */ 4972 /* No specific object, just general system-wide information. */
@@ -5041,13 +5038,13 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5041} 5038}
5042 5039
5043/* module stacking operations */ 5040/* module stacking operations */
5044static int selinux_register_security (const char *name, struct security_operations *ops) 5041static int selinux_register_security(const char *name, struct security_operations *ops)
5045{ 5042{
5046 if (secondary_ops != original_ops) { 5043 if (secondary_ops != original_ops) {
5047 printk(KERN_ERR "%s: There is already a secondary security " 5044 printk(KERN_ERR "%s: There is already a secondary security "
5048 "module registered.\n", __func__); 5045 "module registered.\n", __func__);
5049 return -EINVAL; 5046 return -EINVAL;
5050 } 5047 }
5051 5048
5052 secondary_ops = ops; 5049 secondary_ops = ops;
5053 5050
@@ -5058,7 +5055,7 @@ static int selinux_register_security (const char *name, struct security_operatio
5058 return 0; 5055 return 0;
5059} 5056}
5060 5057
5061static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 5058static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5062{ 5059{
5063 if (inode) 5060 if (inode)
5064 inode_doinit_with_dentry(inode, dentry); 5061 inode_doinit_with_dentry(inode, dentry);
@@ -5186,11 +5183,11 @@ static int selinux_setprocattr(struct task_struct *p,
5186 } 5183 }
5187 while_each_thread(g, t); 5184 while_each_thread(g, t);
5188 read_unlock(&tasklist_lock); 5185 read_unlock(&tasklist_lock);
5189 } 5186 }
5190 5187
5191 /* Check permissions for the transition. */ 5188 /* Check permissions for the transition. */
5192 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5189 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5193 PROCESS__DYNTRANSITION, NULL); 5190 PROCESS__DYNTRANSITION, NULL);
5194 if (error) 5191 if (error)
5195 return error; 5192 return error;
5196 5193
@@ -5218,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p,
5218 tsec->sid = sid; 5215 tsec->sid = sid;
5219 task_unlock(p); 5216 task_unlock(p);
5220 } 5217 }
5221 } 5218 } else
5222 else
5223 return -EINVAL; 5219 return -EINVAL;
5224 5220
5225 return size; 5221 return size;
@@ -5309,7 +5305,7 @@ static struct security_operations selinux_ops = {
5309 .vm_enough_memory = selinux_vm_enough_memory, 5305 .vm_enough_memory = selinux_vm_enough_memory,
5310 5306
5311 .netlink_send = selinux_netlink_send, 5307 .netlink_send = selinux_netlink_send,
5312 .netlink_recv = selinux_netlink_recv, 5308 .netlink_recv = selinux_netlink_recv,
5313 5309
5314 .bprm_alloc_security = selinux_bprm_alloc_security, 5310 .bprm_alloc_security = selinux_bprm_alloc_security,
5315 .bprm_free_security = selinux_bprm_free_security, 5311 .bprm_free_security = selinux_bprm_free_security,
@@ -5322,13 +5318,13 @@ static struct security_operations selinux_ops = {
5322 .sb_alloc_security = selinux_sb_alloc_security, 5318 .sb_alloc_security = selinux_sb_alloc_security,
5323 .sb_free_security = selinux_sb_free_security, 5319 .sb_free_security = selinux_sb_free_security,
5324 .sb_copy_data = selinux_sb_copy_data, 5320 .sb_copy_data = selinux_sb_copy_data,
5325 .sb_kern_mount = selinux_sb_kern_mount, 5321 .sb_kern_mount = selinux_sb_kern_mount,
5326 .sb_statfs = selinux_sb_statfs, 5322 .sb_statfs = selinux_sb_statfs,
5327 .sb_mount = selinux_mount, 5323 .sb_mount = selinux_mount,
5328 .sb_umount = selinux_umount, 5324 .sb_umount = selinux_umount,
5329 .sb_get_mnt_opts = selinux_get_mnt_opts, 5325 .sb_get_mnt_opts = selinux_get_mnt_opts,
5330 .sb_set_mnt_opts = selinux_set_mnt_opts, 5326 .sb_set_mnt_opts = selinux_set_mnt_opts,
5331 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5327 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5332 .sb_parse_opts_str = selinux_parse_opts_str, 5328 .sb_parse_opts_str = selinux_parse_opts_str,
5333 5329
5334 5330
@@ -5353,9 +5349,9 @@ static struct security_operations selinux_ops = {
5353 .inode_getxattr = selinux_inode_getxattr, 5349 .inode_getxattr = selinux_inode_getxattr,
5354 .inode_listxattr = selinux_inode_listxattr, 5350 .inode_listxattr = selinux_inode_listxattr,
5355 .inode_removexattr = selinux_inode_removexattr, 5351 .inode_removexattr = selinux_inode_removexattr,
5356 .inode_getsecurity = selinux_inode_getsecurity, 5352 .inode_getsecurity = selinux_inode_getsecurity,
5357 .inode_setsecurity = selinux_inode_setsecurity, 5353 .inode_setsecurity = selinux_inode_setsecurity,
5358 .inode_listsecurity = selinux_inode_listsecurity, 5354 .inode_listsecurity = selinux_inode_listsecurity,
5359 .inode_need_killpriv = selinux_inode_need_killpriv, 5355 .inode_need_killpriv = selinux_inode_need_killpriv,
5360 .inode_killpriv = selinux_inode_killpriv, 5356 .inode_killpriv = selinux_inode_killpriv,
5361 .inode_getsecid = selinux_inode_getsecid, 5357 .inode_getsecid = selinux_inode_getsecid,
@@ -5372,7 +5368,7 @@ static struct security_operations selinux_ops = {
5372 .file_send_sigiotask = selinux_file_send_sigiotask, 5368 .file_send_sigiotask = selinux_file_send_sigiotask,
5373 .file_receive = selinux_file_receive, 5369 .file_receive = selinux_file_receive,
5374 5370
5375 .dentry_open = selinux_dentry_open, 5371 .dentry_open = selinux_dentry_open,
5376 5372
5377 .task_create = selinux_task_create, 5373 .task_create = selinux_task_create,
5378 .task_alloc_security = selinux_task_alloc_security, 5374 .task_alloc_security = selinux_task_alloc_security,
@@ -5382,7 +5378,7 @@ static struct security_operations selinux_ops = {
5382 .task_setgid = selinux_task_setgid, 5378 .task_setgid = selinux_task_setgid,
5383 .task_setpgid = selinux_task_setpgid, 5379 .task_setpgid = selinux_task_setpgid,
5384 .task_getpgid = selinux_task_getpgid, 5380 .task_getpgid = selinux_task_getpgid,
5385 .task_getsid = selinux_task_getsid, 5381 .task_getsid = selinux_task_getsid,
5386 .task_getsecid = selinux_task_getsecid, 5382 .task_getsecid = selinux_task_getsecid,
5387 .task_setgroups = selinux_task_setgroups, 5383 .task_setgroups = selinux_task_setgroups,
5388 .task_setnice = selinux_task_setnice, 5384 .task_setnice = selinux_task_setnice,
@@ -5396,7 +5392,7 @@ static struct security_operations selinux_ops = {
5396 .task_wait = selinux_task_wait, 5392 .task_wait = selinux_task_wait,
5397 .task_prctl = selinux_task_prctl, 5393 .task_prctl = selinux_task_prctl,
5398 .task_reparent_to_init = selinux_task_reparent_to_init, 5394 .task_reparent_to_init = selinux_task_reparent_to_init,
5399 .task_to_inode = selinux_task_to_inode, 5395 .task_to_inode = selinux_task_to_inode,
5400 5396
5401 .ipc_permission = selinux_ipc_permission, 5397 .ipc_permission = selinux_ipc_permission,
5402 .ipc_getsecid = selinux_ipc_getsecid, 5398 .ipc_getsecid = selinux_ipc_getsecid,
@@ -5417,24 +5413,24 @@ static struct security_operations selinux_ops = {
5417 .shm_shmctl = selinux_shm_shmctl, 5413 .shm_shmctl = selinux_shm_shmctl,
5418 .shm_shmat = selinux_shm_shmat, 5414 .shm_shmat = selinux_shm_shmat,
5419 5415
5420 .sem_alloc_security = selinux_sem_alloc_security, 5416 .sem_alloc_security = selinux_sem_alloc_security,
5421 .sem_free_security = selinux_sem_free_security, 5417 .sem_free_security = selinux_sem_free_security,
5422 .sem_associate = selinux_sem_associate, 5418 .sem_associate = selinux_sem_associate,
5423 .sem_semctl = selinux_sem_semctl, 5419 .sem_semctl = selinux_sem_semctl,
5424 .sem_semop = selinux_sem_semop, 5420 .sem_semop = selinux_sem_semop,
5425 5421
5426 .register_security = selinux_register_security, 5422 .register_security = selinux_register_security,
5427 5423
5428 .d_instantiate = selinux_d_instantiate, 5424 .d_instantiate = selinux_d_instantiate,
5429 5425
5430 .getprocattr = selinux_getprocattr, 5426 .getprocattr = selinux_getprocattr,
5431 .setprocattr = selinux_setprocattr, 5427 .setprocattr = selinux_setprocattr,
5432 5428
5433 .secid_to_secctx = selinux_secid_to_secctx, 5429 .secid_to_secctx = selinux_secid_to_secctx,
5434 .secctx_to_secid = selinux_secctx_to_secid, 5430 .secctx_to_secid = selinux_secctx_to_secid,
5435 .release_secctx = selinux_release_secctx, 5431 .release_secctx = selinux_release_secctx,
5436 5432
5437 .unix_stream_connect = selinux_socket_unix_stream_connect, 5433 .unix_stream_connect = selinux_socket_unix_stream_connect,
5438 .unix_may_send = selinux_socket_unix_may_send, 5434 .unix_may_send = selinux_socket_unix_may_send,
5439 5435
5440 .socket_create = selinux_socket_create, 5436 .socket_create = selinux_socket_create,
@@ -5456,7 +5452,7 @@ static struct security_operations selinux_ops = {
5456 .sk_alloc_security = selinux_sk_alloc_security, 5452 .sk_alloc_security = selinux_sk_alloc_security,
5457 .sk_free_security = selinux_sk_free_security, 5453 .sk_free_security = selinux_sk_free_security,
5458 .sk_clone_security = selinux_sk_clone_security, 5454 .sk_clone_security = selinux_sk_clone_security,
5459 .sk_getsecid = selinux_sk_getsecid, 5455 .sk_getsecid = selinux_sk_getsecid,
5460 .sock_graft = selinux_sock_graft, 5456 .sock_graft = selinux_sock_graft,
5461 .inet_conn_request = selinux_inet_conn_request, 5457 .inet_conn_request = selinux_inet_conn_request,
5462 .inet_csk_clone = selinux_inet_csk_clone, 5458 .inet_csk_clone = selinux_inet_csk_clone,
@@ -5471,15 +5467,15 @@ static struct security_operations selinux_ops = {
5471 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5467 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5472 .xfrm_state_free_security = selinux_xfrm_state_free, 5468 .xfrm_state_free_security = selinux_xfrm_state_free,
5473 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5469 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5474 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5470 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5475 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5471 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5476 .xfrm_decode_session = selinux_xfrm_decode_session, 5472 .xfrm_decode_session = selinux_xfrm_decode_session,
5477#endif 5473#endif
5478 5474
5479#ifdef CONFIG_KEYS 5475#ifdef CONFIG_KEYS
5480 .key_alloc = selinux_key_alloc, 5476 .key_alloc = selinux_key_alloc,
5481 .key_free = selinux_key_free, 5477 .key_free = selinux_key_free,
5482 .key_permission = selinux_key_permission, 5478 .key_permission = selinux_key_permission,
5483#endif 5479#endif
5484 5480
5485#ifdef CONFIG_AUDIT 5481#ifdef CONFIG_AUDIT
@@ -5519,15 +5515,14 @@ static __init int selinux_init(void)
5519 5515
5520 original_ops = secondary_ops = security_ops; 5516 original_ops = secondary_ops = security_ops;
5521 if (!secondary_ops) 5517 if (!secondary_ops)
5522 panic ("SELinux: No initial security operations\n"); 5518 panic("SELinux: No initial security operations\n");
5523 if (register_security (&selinux_ops)) 5519 if (register_security(&selinux_ops))
5524 panic("SELinux: Unable to register with kernel.\n"); 5520 panic("SELinux: Unable to register with kernel.\n");
5525 5521
5526 if (selinux_enforcing) { 5522 if (selinux_enforcing)
5527 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5523 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5528 } else { 5524 else
5529 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5525 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5530 }
5531 5526
5532#ifdef CONFIG_KEYS 5527#ifdef CONFIG_KEYS
5533 /* Add security information to initial keyrings */ 5528 /* Add security information to initial keyrings */
@@ -5552,8 +5547,8 @@ next_sb:
5552 if (!list_empty(&superblock_security_head)) { 5547 if (!list_empty(&superblock_security_head)) {
5553 struct superblock_security_struct *sbsec = 5548 struct superblock_security_struct *sbsec =
5554 list_entry(superblock_security_head.next, 5549 list_entry(superblock_security_head.next,
5555 struct superblock_security_struct, 5550 struct superblock_security_struct,
5556 list); 5551 list);
5557 struct super_block *sb = sbsec->sb; 5552 struct super_block *sb = sbsec->sb;
5558 sb->s_count++; 5553 sb->s_count++;
5559 spin_unlock(&sb_security_lock); 5554 spin_unlock(&sb_security_lock);
@@ -5672,10 +5667,11 @@ static void selinux_nf_ip_exit(void)
5672#endif /* CONFIG_NETFILTER */ 5667#endif /* CONFIG_NETFILTER */
5673 5668
5674#ifdef CONFIG_SECURITY_SELINUX_DISABLE 5669#ifdef CONFIG_SECURITY_SELINUX_DISABLE
5670static int selinux_disabled;
5671
5675int selinux_disable(void) 5672int selinux_disable(void)
5676{ 5673{
5677 extern void exit_sel_fs(void); 5674 extern void exit_sel_fs(void);
5678 static int selinux_disabled = 0;
5679 5675
5680 if (ss_initialized) { 5676 if (ss_initialized) {
5681 /* Not permitted after initial policy load. */ 5677 /* Not permitted after initial policy load. */
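Review bot: The new file-scope `static int selinux_disabled;` has no comment saying what it guards, and the in-function `extern void exit_sel_fs(void);` is left in place even though this commit is a checkpatch cleanup and checkpatch flags externs declared inside .c function bodies as well. I would add `/* set once selinux_disable() has torn SELinux down; presumably never cleared — confirm */` above the new static, and move the exit_sel_fs() prototype to the SELinux header that already declares the selinuxfs entry points rather than keeping a local extern. Moving the flag from function scope to file scope does not change its zero-initialised, single-copy semantics, so the change itself looks behaviour-neutral. selinux_disable's body continues past the end of this hunk.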