aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c30
1 files changed, 15 insertions, 15 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 520b9998123e..d8bc4172819c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1584,7 +1584,7 @@ static int selinux_syslog(int type)
1584 * Do not audit the selinux permission check, as this is applied to all 1584 * Do not audit the selinux permission check, as this is applied to all
1585 * processes that allocate mappings. 1585 * processes that allocate mappings.
1586 */ 1586 */
1587static int selinux_vm_enough_memory(long pages) 1587static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1588{ 1588{
1589 int rc, cap_sys_admin = 0; 1589 int rc, cap_sys_admin = 0;
1590 struct task_security_struct *tsec = current->security; 1590 struct task_security_struct *tsec = current->security;
@@ -1600,7 +1600,7 @@ static int selinux_vm_enough_memory(long pages)
1600 if (rc == 0) 1600 if (rc == 0)
1601 cap_sys_admin = 1; 1601 cap_sys_admin = 1;
1602 1602
1603 return __vm_enough_memory(pages, cap_sys_admin); 1603 return __vm_enough_memory(mm, pages, cap_sys_admin);
1604} 1604}
1605 1605
1606/* binprm security operations */ 1606/* binprm security operations */
@@ -3129,17 +3129,19 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3129/** 3129/**
3130 * selinux_skb_extlbl_sid - Determine the external label of a packet 3130 * selinux_skb_extlbl_sid - Determine the external label of a packet
3131 * @skb: the packet 3131 * @skb: the packet
3132 * @base_sid: the SELinux SID to use as a context for MLS only external labels
3133 * @sid: the packet's SID 3132 * @sid: the packet's SID
3134 * 3133 *
3135 * Description: 3134 * Description:
3136 * Check the various different forms of external packet labeling and determine 3135 * Check the various different forms of external packet labeling and determine
3137 * the external SID for the packet. 3136 * the external SID for the packet. If only one form of external labeling is
3137 * present then it is used, if both labeled IPsec and NetLabel labels are
3138 * present then the SELinux type information is taken from the labeled IPsec
3139 * SA and the MLS sensitivity label information is taken from the NetLabel
3140 * security attributes. This bit of "magic" is done in the call to
3141 * selinux_netlbl_skbuff_getsid().
3138 * 3142 *
3139 */ 3143 */
3140static void selinux_skb_extlbl_sid(struct sk_buff *skb, 3144static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
3141 u32 base_sid,
3142 u32 *sid)
3143{ 3145{
3144 u32 xfrm_sid; 3146 u32 xfrm_sid;
3145 u32 nlbl_sid; 3147 u32 nlbl_sid;
@@ -3147,10 +3149,9 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb,
3147 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3149 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3148 if (selinux_netlbl_skbuff_getsid(skb, 3150 if (selinux_netlbl_skbuff_getsid(skb,
3149 (xfrm_sid == SECSID_NULL ? 3151 (xfrm_sid == SECSID_NULL ?
3150 base_sid : xfrm_sid), 3152 SECINITSID_NETMSG : xfrm_sid),
3151 &nlbl_sid) != 0) 3153 &nlbl_sid) != 0)
3152 nlbl_sid = SECSID_NULL; 3154 nlbl_sid = SECSID_NULL;
3153
3154 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); 3155 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3155} 3156}
3156 3157
@@ -3695,7 +3696,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
3695 if (sock && sock->sk->sk_family == PF_UNIX) 3696 if (sock && sock->sk->sk_family == PF_UNIX)
3696 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 3697 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3697 else if (skb) 3698 else if (skb)
3698 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); 3699 selinux_skb_extlbl_sid(skb, &peer_secid);
3699 3700
3700 if (peer_secid == SECSID_NULL) 3701 if (peer_secid == SECSID_NULL)
3701 err = -EINVAL; 3702 err = -EINVAL;
@@ -3756,7 +3757,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3756 u32 newsid; 3757 u32 newsid;
3757 u32 peersid; 3758 u32 peersid;
3758 3759
3759 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); 3760 selinux_skb_extlbl_sid(skb, &peersid);
3760 if (peersid == SECSID_NULL) { 3761 if (peersid == SECSID_NULL) {
3761 req->secid = sksec->sid; 3762 req->secid = sksec->sid;
3762 req->peer_secid = SECSID_NULL; 3763 req->peer_secid = SECSID_NULL;
@@ -3794,7 +3795,7 @@ static void selinux_inet_conn_established(struct sock *sk,
3794{ 3795{
3795 struct sk_security_struct *sksec = sk->sk_security; 3796 struct sk_security_struct *sksec = sk->sk_security;
3796 3797
3797 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); 3798 selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
3798} 3799}
3799 3800
3800static void selinux_req_classify_flow(const struct request_sock *req, 3801static void selinux_req_classify_flow(const struct request_sock *req,
@@ -4657,8 +4658,7 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4657 4658
4658static void selinux_release_secctx(char *secdata, u32 seclen) 4659static void selinux_release_secctx(char *secdata, u32 seclen)
4659{ 4660{
4660 if (secdata) 4661 kfree(secdata);
4661 kfree(secdata);
4662} 4662}
4663 4663
4664#ifdef CONFIG_KEYS 4664#ifdef CONFIG_KEYS
@@ -4912,7 +4912,7 @@ static __init int selinux_init(void)
4912 4912
4913 sel_inode_cache = kmem_cache_create("selinux_inode_security", 4913 sel_inode_cache = kmem_cache_create("selinux_inode_security",
4914 sizeof(struct inode_security_struct), 4914 sizeof(struct inode_security_struct),
4915 0, SLAB_PANIC, NULL, NULL); 4915 0, SLAB_PANIC, NULL);
4916 avc_init(); 4916 avc_init();
4917 4917
4918 original_ops = secondary_ops = security_ops; 4918 original_ops = secondary_ops = security_ops;
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-24 18:45:31 -0500