1 files changed, 33 insertions, 20 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e5ed07510309..75c2e99bfb81 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1272,12 +1272,18 @@ static int task_has_perm(struct task_struct *tsk1,
                            SECCLASS_PROCESS, perms, NULL);
 }
+#if CAP_LAST_CAP > 63
+#error Fix SELinux to handle capabilities > 63.
+#endif
 /* Check whether a task is allowed to use a capability. */
 static int task_has_capability(struct task_struct *tsk,
                               int cap)
 {
        struct task_security_struct *tsec;
        struct avc_audit_data ad;
+        u16 sclass;
+        u32 av = CAP_TO_MASK(cap);
        tsec = tsk->security;
@@ -1285,8 +1291,19 @@ static int task_has_capability(struct task_struct *tsk,
        ad.tsk = tsk;
        ad.u.cap = cap;
-        return avc_has_perm(tsec->sid, tsec->sid,
+        switch (CAP_TO_INDEX(cap)) {
-                            SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
+        case 0:
+                sclass = SECCLASS_CAPABILITY;
+                break;
+        case 1:
+                sclass = SECCLASS_CAPABILITY2;
+                break;
+        default:
+                printk(KERN_ERR
+                       "SELinux:  out of range capability %d\n", cap);
+                BUG();
+        }
+        return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
 }
 /* Check whether a task is allowed to use a system operation. */
@@ -1339,8 +1356,8 @@ static inline int dentry_has_perm(struct task_struct *tsk,
        struct inode *inode = dentry->d_inode;
        struct avc_audit_data ad;
        AVC_AUDIT_DATA_INIT(&ad,FS);
-        ad.u.fs.mnt = mnt;
+        ad.u.fs.path.mnt = mnt;
-        ad.u.fs.dentry = dentry;
+        ad.u.fs.path.dentry = dentry;
        return inode_has_perm(tsk, inode, av, &ad);
 }
@@ -1358,15 +1375,12 @@ static int file_has_perm(struct task_struct *tsk,
 {
        struct task_security_struct *tsec = tsk->security;
        struct file_security_struct *fsec = file->f_security;
-        struct vfsmount *mnt = file->f_path.mnt;
+        struct inode *inode = file->f_path.dentry->d_inode;
-        struct dentry *dentry = file->f_path.dentry;
-        struct inode *inode = dentry->d_inode;
        struct avc_audit_data ad;
        int rc;
        AVC_AUDIT_DATA_INIT(&ad, FS);
-        ad.u.fs.mnt = mnt;
+        ad.u.fs.path = file->f_path;
-        ad.u.fs.dentry = dentry;
        if (tsec->sid != fsec->sid) {
                rc = avc_has_perm(tsec->sid, fsec->sid,
@@ -1401,7 +1415,7 @@ static int may_create(struct inode *dir,
        sbsec = dir->i_sb->s_security;
        AVC_AUDIT_DATA_INIT(&ad, FS);
-        ad.u.fs.dentry = dentry;
+        ad.u.fs.path.dentry = dentry;
        rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
                          DIR__ADD_NAME | DIR__SEARCH,
@@ -1459,7 +1473,7 @@ static int may_link(struct inode *dir,
        isec = dentry->d_inode->i_security;
        AVC_AUDIT_DATA_INIT(&ad, FS);
-        ad.u.fs.dentry = dentry;
+        ad.u.fs.path.dentry = dentry;
        av = DIR__SEARCH;
        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1506,7 +1520,7 @@ static inline int may_rename(struct inode *old_dir,
        AVC_AUDIT_DATA_INIT(&ad, FS);
-        ad.u.fs.dentry = old_dentry;
+        ad.u.fs.path.dentry = old_dentry;
        rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
        if (rc)
@@ -1522,7 +1536,7 @@ static inline int may_rename(struct inode *old_dir,
                        return rc;
        }
-        ad.u.fs.dentry = new_dentry;
+        ad.u.fs.path.dentry = new_dentry;
        av = DIR__ADD_NAME | DIR__SEARCH;
        if (new_dentry->d_inode)
                av |= DIR__REMOVE_NAME;
@@ -1901,8 +1915,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
        }
        AVC_AUDIT_DATA_INIT(&ad, FS);
-        ad.u.fs.mnt = bprm->file->f_path.mnt;
+        ad.u.fs.path = bprm->file->f_path;
-        ad.u.fs.dentry = bprm->file->f_path.dentry;
        if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
                newsid = tsec->sid;
@@ -2298,7 +2311,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
                return rc;
        AVC_AUDIT_DATA_INIT(&ad,FS);
-        ad.u.fs.dentry = sb->s_root;
+        ad.u.fs.path.dentry = sb->s_root;
        return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
 }
@@ -2307,7 +2320,7 @@ static int selinux_sb_statfs(struct dentry *dentry)
        struct avc_audit_data ad;
        AVC_AUDIT_DATA_INIT(&ad,FS);
-        ad.u.fs.dentry = dentry->d_sb->s_root;
+        ad.u.fs.path.dentry = dentry->d_sb->s_root;
        return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
 }
@@ -2324,10 +2337,10 @@ static int selinux_mount(char * dev_name,
                return rc;
        if (flags & MS_REMOUNT)
-                return superblock_has_perm(current, nd->mnt->mnt_sb,
+                return superblock_has_perm(current, nd->path.mnt->mnt_sb,
                                           FILESYSTEM__REMOUNT, NULL);
        else
-                return dentry_has_perm(current, nd->mnt, nd->dentry,
+                return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
                                       FILE__MOUNTON);
 }
@@ -2570,7 +2583,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
                return -EPERM;
        AVC_AUDIT_DATA_INIT(&ad,FS);
-        ad.u.fs.dentry = dentry;
+        ad.u.fs.path.dentry = dentry;
        rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
                          FILE__RELABELFROM, &ad);