1 files changed, 29 insertions, 19 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6237933f7d82..3c3fff33d1ce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -47,7 +47,7 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/tty.h>
 #include <net/icmp.h>
-#include <net/ip.h>             /* for sysctl_local_port_range[] */
+#include <net/ip.h>             /* for local_port_range[] */
 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 #include <asm/uaccess.h>
 #include <asm/ioctls.h>
@@ -316,6 +316,7 @@ static inline int inode_doinit(struct inode *inode)
 }
 enum {
+        Opt_error = -1,
        Opt_context = 1,
        Opt_fscontext = 2,
        Opt_defcontext = 4,
@@ -327,6 +328,7 @@ static match_table_t tokens = {
        {Opt_fscontext, "fscontext=%s"},
        {Opt_defcontext, "defcontext=%s"},
        {Opt_rootcontext, "rootcontext=%s"},
+        {Opt_error, NULL},
 };
 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
@@ -1584,7 +1586,7 @@ static int selinux_syslog(int type)
 * Do not audit the selinux permission check, as this is applied to all
 * processes that allocate mappings.
 */
-static int selinux_vm_enough_memory(long pages)
+static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int rc, cap_sys_admin = 0;
        struct task_security_struct *tsec = current->security;
@@ -1600,7 +1602,7 @@ static int selinux_vm_enough_memory(long pages)
        if (rc == 0)
                cap_sys_admin = 1;
-        return __vm_enough_memory(pages, cap_sys_admin);
+        return __vm_enough_memory(mm, pages, cap_sys_admin);
 }
 /* binprm security operations */
@@ -1907,6 +1909,9 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
                spin_unlock_irq(&current->sighand->siglock);
        }
+        /* Always clear parent death signal on SID transitions. */
+        current->pdeath_signal = 0;
        /* Check whether the new SID can inherit resource limits
           from the old SID.  If not, reset all soft limits to
           the lower of the current task's hard limit and the init
@@ -3227,8 +3232,6 @@ static int selinux_socket_post_create(struct socket *sock, int family,
 /* Range of port numbers used to automatically bind.
   Need to determine whether we should perform a name_bind
   permission check between the socket and the port number. */
-#define ip_local_port_range_0 sysctl_local_port_range[0]
-#define ip_local_port_range_1 sysctl_local_port_range[1]
 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
 {
@@ -3271,20 +3274,27 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                        addrp = (char *)&addr6->sin6_addr.s6_addr;
                }
-                if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
+                if (snum) {
-                           snum > ip_local_port_range_1)) {
+                        int low, high;
-                        err = security_port_sid(sk->sk_family, sk->sk_type,
-                                                sk->sk_protocol, snum, &sid);
+                        inet_get_local_port_range(&low, &high);
-                        if (err)
-                                goto out;
+                        if (snum < max(PROT_SOCK, low) || snum > high) {
-                        AVC_AUDIT_DATA_INIT(&ad,NET);
+                                err = security_port_sid(sk->sk_family,
-                        ad.u.net.sport = htons(snum);
+                                                        sk->sk_type,
-                        ad.u.net.family = family;
+                                                        sk->sk_protocol, snum,
-                        err = avc_has_perm(isec->sid, sid,
+                                                        &sid);
-                                           isec->sclass,
+                                if (err)
-                                           SOCKET__NAME_BIND, &ad);
+                                        goto out;
-                        if (err)
+                                AVC_AUDIT_DATA_INIT(&ad,NET);
-                                goto out;
+                                ad.u.net.sport = htons(snum);
+                                ad.u.net.family = family;
+                                err = avc_has_perm(isec->sid, sid,
+                                                   isec->sclass,
+                                                   SOCKET__NAME_BIND, &ad);
+                                if (err)
+                                        goto out;
+                        }
                }
                
                switch(isec->sclass) {

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6237933f7d82..3c3fff33d1ce 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -47,7 +47,7 @@
47	#include <linux/netfilter_ipv6.h>	47	#include <linux/netfilter_ipv6.h>
48	#include <linux/tty.h>	48	#include <linux/tty.h>
49	#include <net/icmp.h>	49	#include <net/icmp.h>
50	#include <net/ip.h> /* for sysctl_local_port_range[] */	50	#include <net/ip.h> /* for local_port_range[] */
51	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */	51	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52	#include <asm/uaccess.h>	52	#include <asm/uaccess.h>
53	#include <asm/ioctls.h>	53	#include <asm/ioctls.h>
@@ -316,6 +316,7 @@ static inline int inode_doinit(struct inode *inode)
316	}	316	}
317		317
318	enum {	318	enum {
		319	Opt_error = -1,
319	Opt_context = 1,	320	Opt_context = 1,
320	Opt_fscontext = 2,	321	Opt_fscontext = 2,
321	Opt_defcontext = 4,	322	Opt_defcontext = 4,
@@ -327,6 +328,7 @@ static match_table_t tokens = {
327	{Opt_fscontext, "fscontext=%s"},	328	{Opt_fscontext, "fscontext=%s"},
328	{Opt_defcontext, "defcontext=%s"},	329	{Opt_defcontext, "defcontext=%s"},
329	{Opt_rootcontext, "rootcontext=%s"},	330	{Opt_rootcontext, "rootcontext=%s"},
		331	{Opt_error, NULL},
330	};	332	};
331		333
332	#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"	334	#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
@@ -1584,7 +1586,7 @@ static int selinux_syslog(int type)
1584	* Do not audit the selinux permission check, as this is applied to all	1586	* Do not audit the selinux permission check, as this is applied to all
1585	* processes that allocate mappings.	1587	* processes that allocate mappings.
1586	*/	1588	*/
1587	static int selinux_vm_enough_memory(long pages)	1589	static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1588	{	1590	{
1589	int rc, cap_sys_admin = 0;	1591	int rc, cap_sys_admin = 0;
1590	struct task_security_struct *tsec = current->security;	1592	struct task_security_struct *tsec = current->security;
@@ -1600,7 +1602,7 @@ static int selinux_vm_enough_memory(long pages)
1600	if (rc == 0)	1602	if (rc == 0)
1601	cap_sys_admin = 1;	1603	cap_sys_admin = 1;
1602		1604
1603	return __vm_enough_memory(pages, cap_sys_admin);	1605	return __vm_enough_memory(mm, pages, cap_sys_admin);
1604	}	1606	}
1605		1607
1606	/* binprm security operations */	1608	/* binprm security operations */
@@ -1907,6 +1909,9 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1907	spin_unlock_irq(&current->sighand->siglock);	1909	spin_unlock_irq(&current->sighand->siglock);
1908	}	1910	}
1909		1911
		1912	/* Always clear parent death signal on SID transitions. */
		1913	current->pdeath_signal = 0;
		1914
1910	/* Check whether the new SID can inherit resource limits	1915	/* Check whether the new SID can inherit resource limits
1911	from the old SID. If not, reset all soft limits to	1916	from the old SID. If not, reset all soft limits to
1912	the lower of the current task's hard limit and the init	1917	the lower of the current task's hard limit and the init
@@ -3227,8 +3232,6 @@ static int selinux_socket_post_create(struct socket *sock, int family,
3227	/* Range of port numbers used to automatically bind.	3232	/* Range of port numbers used to automatically bind.
3228	Need to determine whether we should perform a name_bind	3233	Need to determine whether we should perform a name_bind
3229	permission check between the socket and the port number. */	3234	permission check between the socket and the port number. */
3230	#define ip_local_port_range_0 sysctl_local_port_range[0]
3231	#define ip_local_port_range_1 sysctl_local_port_range[1]
3232		3235
3233	static int selinux_socket_bind(struct socket sock, struct sockaddr address, int addrlen)	3236	static int selinux_socket_bind(struct socket sock, struct sockaddr address, int addrlen)
3234	{	3237	{
@@ -3271,20 +3274,27 @@ static int selinux_socket_bind(struct socket sock, struct sockaddr address, in
3271	addrp = (char *)&addr6->sin6_addr.s6_addr;	3274	addrp = (char *)&addr6->sin6_addr.s6_addr;
3272	}	3275	}
3273		3276
3274	if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) \|\|	3277	if (snum) {
3275	snum > ip_local_port_range_1)) {	3278	int low, high;
3276	err = security_port_sid(sk->sk_family, sk->sk_type,	3279
3277	sk->sk_protocol, snum, &sid);	3280	inet_get_local_port_range(&low, &high);
3278	if (err)	3281
3279	goto out;	3282	if (snum < max(PROT_SOCK, low) \|\| snum > high) {
3280	AVC_AUDIT_DATA_INIT(&ad,NET);	3283	err = security_port_sid(sk->sk_family,
3281	ad.u.net.sport = htons(snum);	3284	sk->sk_type,
3282	ad.u.net.family = family;	3285	sk->sk_protocol, snum,
3283	err = avc_has_perm(isec->sid, sid,	3286	&sid);
3284	isec->sclass,	3287	if (err)
3285	SOCKET__NAME_BIND, &ad);	3288	goto out;
3286	if (err)	3289	AVC_AUDIT_DATA_INIT(&ad,NET);
3287	goto out;	3290	ad.u.net.sport = htons(snum);
		3291	ad.u.net.family = family;
		3292	err = avc_has_perm(isec->sid, sid,
		3293	isec->sclass,
		3294	SOCKET__NAME_BIND, &ad);
		3295	if (err)
		3296	goto out;
		3297	}
3288	}	3298	}
3289		3299
3290	switch(isec->sclass) {	3300	switch(isec->sclass) {