diff options
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1c864c0efe2b..59c6e98f7bea 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -2495,7 +2495,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
| 2495 | } | 2495 | } |
| 2496 | 2496 | ||
| 2497 | if (value && len) { | 2497 | if (value && len) { |
| 2498 | rc = security_sid_to_context(newsid, &context, &clen); | 2498 | rc = security_sid_to_context_force(newsid, &context, &clen); |
| 2499 | if (rc) { | 2499 | if (rc) { |
| 2500 | kfree(namep); | 2500 | kfree(namep); |
| 2501 | return rc; | 2501 | return rc; |
| @@ -2669,6 +2669,11 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | |||
| 2669 | return rc; | 2669 | return rc; |
| 2670 | 2670 | ||
| 2671 | rc = security_context_to_sid(value, size, &newsid); | 2671 | rc = security_context_to_sid(value, size, &newsid); |
| 2672 | if (rc == -EINVAL) { | ||
| 2673 | if (!capable(CAP_MAC_ADMIN)) | ||
| 2674 | return rc; | ||
| 2675 | rc = security_context_to_sid_force(value, size, &newsid); | ||
| 2676 | } | ||
| 2672 | if (rc) | 2677 | if (rc) |
| 2673 | return rc; | 2678 | return rc; |
| 2674 | 2679 | ||
| @@ -2703,10 +2708,11 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, | |||
| 2703 | return; | 2708 | return; |
| 2704 | } | 2709 | } |
| 2705 | 2710 | ||
| 2706 | rc = security_context_to_sid(value, size, &newsid); | 2711 | rc = security_context_to_sid_force(value, size, &newsid); |
| 2707 | if (rc) { | 2712 | if (rc) { |
| 2708 | printk(KERN_WARNING "%s: unable to obtain SID for context " | 2713 | printk(KERN_ERR "SELinux: unable to map context to SID" |
| 2709 | "%s, rc=%d\n", __func__, (char *)value, -rc); | 2714 | "for (%s, %lu), rc=%d\n", |
| 2715 | inode->i_sb->s_id, inode->i_ino, -rc); | ||
| 2710 | return; | 2716 | return; |
| 2711 | } | 2717 | } |
| 2712 | 2718 | ||
| @@ -5153,6 +5159,12 @@ static int selinux_setprocattr(struct task_struct *p, | |||
| 5153 | size--; | 5159 | size--; |
| 5154 | } | 5160 | } |
| 5155 | error = security_context_to_sid(value, size, &sid); | 5161 | error = security_context_to_sid(value, size, &sid); |
| 5162 | if (error == -EINVAL && !strcmp(name, "fscreate")) { | ||
| 5163 | if (!capable(CAP_MAC_ADMIN)) | ||
| 5164 | return error; | ||
| 5165 | error = security_context_to_sid_force(value, size, | ||
| 5166 | &sid); | ||
| 5167 | } | ||
| 5156 | if (error) | 5168 | if (error) |
| 5157 | return error; | 5169 | return error; |
| 5158 | } | 5170 | } |