1 files changed, 46 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 35eb8de892fc..b1ac22d23195 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1077,6 +1077,9 @@ static int inode_has_perm(struct task_struct *tsk,
        struct inode_security_struct *isec;
        struct avc_audit_data ad;
+        if (unlikely (IS_PRIVATE (inode)))
+                return 0;
        tsec = tsk->security;
        isec = inode->i_security;
@@ -1423,6 +1426,47 @@ static int selinux_capable(struct task_struct *tsk, int cap)
        return task_has_capability(tsk,cap);
 }
+static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
+{
+        int buflen, rc;
+        char *buffer, *path, *end;
+        rc = -ENOMEM;
+        buffer = (char*)__get_free_page(GFP_KERNEL);
+        if (!buffer)
+                goto out;
+        buflen = PAGE_SIZE;
+        end = buffer+buflen;
+        *--end = '\0';
+        buflen--;
+        path = end-1;
+        *path = '/';
+        while (table) {
+                const char *name = table->procname;
+                size_t namelen = strlen(name);
+                buflen -= namelen + 1;
+                if (buflen < 0)
+                        goto out_free;
+                end -= namelen;
+                memcpy(end, name, namelen);
+                *--end = '/';
+                path = end;
+                table = table->parent;
+        }
+        buflen -= 4;
+        if (buflen < 0)
+                goto out_free;
+        end -= 4;
+        memcpy(end, "/sys", 4);
+        path = end;
+        rc = security_genfs_sid("proc", path, tclass, sid);
+out_free:
+        free_page((unsigned long)buffer);
+out:
+        return rc;
+}
 static int selinux_sysctl(ctl_table *table, int op)
 {
        int error = 0;
@@ -1437,8 +1481,8 @@ static int selinux_sysctl(ctl_table *table, int op)
        tsec = current->security;
-        rc = selinux_proc_get_sid(table->de, (op == 001) ?
+        rc = selinux_sysctl_get_sid(table, (op == 0001) ?
-                                  SECCLASS_DIR : SECCLASS_FILE, &tsid);
+                                    SECCLASS_DIR : SECCLASS_FILE, &tsid);
        if (rc) {
                /* Default to the well-defined sysctl SID. */
                tsid = SECINITSID_SYSCTL;

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 35eb8de892fc..b1ac22d23195 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1077,6 +1077,9 @@ static int inode_has_perm(struct task_struct *tsk,
1077	struct inode_security_struct *isec;	1077	struct inode_security_struct *isec;
1078	struct avc_audit_data ad;	1078	struct avc_audit_data ad;
1079		1079
		1080	if (unlikely (IS_PRIVATE (inode)))
		1081	return 0;
		1082
1080	tsec = tsk->security;	1083	tsec = tsk->security;
1081	isec = inode->i_security;	1084	isec = inode->i_security;
1082		1085
@@ -1423,6 +1426,47 @@ static int selinux_capable(struct task_struct *tsk, int cap)
1423	return task_has_capability(tsk,cap);	1426	return task_has_capability(tsk,cap);
1424	}	1427	}
1425		1428
		1429	static int selinux_sysctl_get_sid(ctl_table table, u16 tclass, u32 sid)
		1430	{
		1431	int buflen, rc;
		1432	char buffer, path, *end;
		1433
		1434	rc = -ENOMEM;
		1435	buffer = (char*)__get_free_page(GFP_KERNEL);
		1436	if (!buffer)
		1437	goto out;
		1438
		1439	buflen = PAGE_SIZE;
		1440	end = buffer+buflen;
		1441	*--end = '\0';
		1442	buflen--;
		1443	path = end-1;
		1444	*path = '/';
		1445	while (table) {
		1446	const char *name = table->procname;
		1447	size_t namelen = strlen(name);
		1448	buflen -= namelen + 1;
		1449	if (buflen < 0)
		1450	goto out_free;
		1451	end -= namelen;
		1452	memcpy(end, name, namelen);
		1453	*--end = '/';
		1454	path = end;
		1455	table = table->parent;
		1456	}
		1457	buflen -= 4;
		1458	if (buflen < 0)
		1459	goto out_free;
		1460	end -= 4;
		1461	memcpy(end, "/sys", 4);
		1462	path = end;
		1463	rc = security_genfs_sid("proc", path, tclass, sid);
		1464	out_free:
		1465	free_page((unsigned long)buffer);
		1466	out:
		1467	return rc;
		1468	}
		1469
1426	static int selinux_sysctl(ctl_table *table, int op)	1470	static int selinux_sysctl(ctl_table *table, int op)
1427	{	1471	{
1428	int error = 0;	1472	int error = 0;
@@ -1437,8 +1481,8 @@ static int selinux_sysctl(ctl_table *table, int op)
1437		1481
1438	tsec = current->security;	1482	tsec = current->security;
1439		1483
1440	rc = selinux_proc_get_sid(table->de, (op == 001) ?	1484	rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1441	SECCLASS_DIR : SECCLASS_FILE, &tsid);	1485	SECCLASS_DIR : SECCLASS_FILE, &tsid);
1442	if (rc) {	1486	if (rc) {
1443	/* Default to the well-defined sysctl SID. */	1487	/* Default to the well-defined sysctl SID. */
1444	tsid = SECINITSID_SYSCTL;	1488	tsid = SECINITSID_SYSCTL;