aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/ss/services.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/ss/services.c')
-rw-r--r--security/selinux/ss/services.c178
1 files changed, 86 insertions, 92 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b341b8fd8c7c..2daaddbb301d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2,7 +2,7 @@
2 * Implementation of the security services. 2 * Implementation of the security services.
3 * 3 *
4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5 * James Morris <jmorris@redhat.com> 5 * James Morris <jmorris@redhat.com>
6 * 6 *
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 * 8 *
@@ -11,7 +11,7 @@
11 * 11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 * 13 *
14 * Added conditional policy language extensions 14 * Added conditional policy language extensions
15 * 15 *
16 * Updated: Hewlett-Packard <paul.moore@hp.com> 16 * Updated: Hewlett-Packard <paul.moore@hp.com>
17 * 17 *
@@ -27,7 +27,7 @@
27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
29 * This program is free software; you can redistribute it and/or modify 29 * This program is free software; you can redistribute it and/or modify
30 * it under the terms of the GNU General Public License as published by 30 * it under the terms of the GNU General Public License as published by
31 * the Free Software Foundation, version 2. 31 * the Free Software Foundation, version 2.
32 */ 32 */
33#include <linux/kernel.h> 33#include <linux/kernel.h>
@@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex);
82 82
83static struct sidtab sidtab; 83static struct sidtab sidtab;
84struct policydb policydb; 84struct policydb policydb;
85int ss_initialized = 0; 85int ss_initialized;
86 86
87/* 87/*
88 * The largest sequence number that has been used when 88 * The largest sequence number that has been used when
@@ -90,7 +90,7 @@ int ss_initialized = 0;
90 * The sequence number only changes when a policy change 90 * The sequence number only changes when a policy change
91 * occurs. 91 * occurs.
92 */ 92 */
93static u32 latest_granting = 0; 93static u32 latest_granting;
94 94
95/* Forward declaration. */ 95/* Forward declaration. */
96static int context_struct_to_string(struct context *context, char **scontext, 96static int context_struct_to_string(struct context *context, char **scontext,
@@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext,
163 val1 - 1); 163 val1 - 1);
164 continue; 164 continue;
165 case CEXPR_INCOMP: 165 case CEXPR_INCOMP:
166 s[++sp] = ( !ebitmap_get_bit(&r1->dominates, 166 s[++sp] = (!ebitmap_get_bit(&r1->dominates,
167 val2 - 1) && 167 val2 - 1) &&
168 !ebitmap_get_bit(&r2->dominates, 168 !ebitmap_get_bit(&r2->dominates,
169 val1 - 1) ); 169 val1 - 1));
170 continue; 170 continue;
171 default: 171 default:
172 break; 172 break;
@@ -409,13 +409,14 @@ static int context_struct_compute_av(struct context *scontext,
409 } 409 }
410 if (!ra) 410 if (!ra)
411 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 411 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
412 PROCESS__DYNTRANSITION); 412 PROCESS__DYNTRANSITION);
413 } 413 }
414 414
415 return 0; 415 return 0;
416 416
417inval_class: 417inval_class:
418 printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass); 418 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
419 tclass);
419 return -EINVAL; 420 return -EINVAL;
420} 421}
421 422
@@ -445,9 +446,9 @@ int security_permissive_sid(u32 sid)
445} 446}
446 447
447static int security_validtrans_handle_fail(struct context *ocontext, 448static int security_validtrans_handle_fail(struct context *ocontext,
448 struct context *ncontext, 449 struct context *ncontext,
449 struct context *tcontext, 450 struct context *tcontext,
450 u16 tclass) 451 u16 tclass)
451{ 452{
452 char *o = NULL, *n = NULL, *t = NULL; 453 char *o = NULL, *n = NULL, *t = NULL;
453 u32 olen, nlen, tlen; 454 u32 olen, nlen, tlen;
@@ -459,9 +460,9 @@ static int security_validtrans_handle_fail(struct context *ocontext,
459 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 460 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
460 goto out; 461 goto out;
461 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 462 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
462 "security_validate_transition: denied for" 463 "security_validate_transition: denied for"
463 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 464 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
464 o, n, t, policydb.p_class_val_to_name[tclass-1]); 465 o, n, t, policydb.p_class_val_to_name[tclass-1]);
465out: 466out:
466 kfree(o); 467 kfree(o);
467 kfree(n); 468 kfree(n);
@@ -473,7 +474,7 @@ out:
473} 474}
474 475
475int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 476int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
476 u16 tclass) 477 u16 tclass)
477{ 478{
478 struct context *ocontext; 479 struct context *ocontext;
479 struct context *ncontext; 480 struct context *ncontext;
@@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
499 tclass = SECCLASS_NETLINK_SOCKET; 500 tclass = SECCLASS_NETLINK_SOCKET;
500 501
501 if (!tclass || tclass > policydb.p_classes.nprim) { 502 if (!tclass || tclass > policydb.p_classes.nprim) {
502 printk(KERN_ERR "security_validate_transition: " 503 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
503 "unrecognized class %d\n", tclass); 504 __func__, tclass);
504 rc = -EINVAL; 505 rc = -EINVAL;
505 goto out; 506 goto out;
506 } 507 }
@@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
508 509
509 ocontext = sidtab_search(&sidtab, oldsid); 510 ocontext = sidtab_search(&sidtab, oldsid);
510 if (!ocontext) { 511 if (!ocontext) {
511 printk(KERN_ERR "security_validate_transition: " 512 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
512 " unrecognized SID %d\n", oldsid); 513 __func__, oldsid);
513 rc = -EINVAL; 514 rc = -EINVAL;
514 goto out; 515 goto out;
515 } 516 }
516 517
517 ncontext = sidtab_search(&sidtab, newsid); 518 ncontext = sidtab_search(&sidtab, newsid);
518 if (!ncontext) { 519 if (!ncontext) {
519 printk(KERN_ERR "security_validate_transition: " 520 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
520 " unrecognized SID %d\n", newsid); 521 __func__, newsid);
521 rc = -EINVAL; 522 rc = -EINVAL;
522 goto out; 523 goto out;
523 } 524 }
524 525
525 tcontext = sidtab_search(&sidtab, tasksid); 526 tcontext = sidtab_search(&sidtab, tasksid);
526 if (!tcontext) { 527 if (!tcontext) {
527 printk(KERN_ERR "security_validate_transition: " 528 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
528 " unrecognized SID %d\n", tasksid); 529 __func__, tasksid);
529 rc = -EINVAL; 530 rc = -EINVAL;
530 goto out; 531 goto out;
531 } 532 }
@@ -533,9 +534,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
533 constraint = tclass_datum->validatetrans; 534 constraint = tclass_datum->validatetrans;
534 while (constraint) { 535 while (constraint) {
535 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 536 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
536 constraint->expr)) { 537 constraint->expr)) {
537 rc = security_validtrans_handle_fail(ocontext, ncontext, 538 rc = security_validtrans_handle_fail(ocontext, ncontext,
538 tcontext, tclass); 539 tcontext, tclass);
539 goto out; 540 goto out;
540 } 541 }
541 constraint = constraint->next; 542 constraint = constraint->next;
@@ -581,15 +582,15 @@ int security_compute_av(u32 ssid,
581 582
582 scontext = sidtab_search(&sidtab, ssid); 583 scontext = sidtab_search(&sidtab, ssid);
583 if (!scontext) { 584 if (!scontext) {
584 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 585 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
585 ssid); 586 __func__, ssid);
586 rc = -EINVAL; 587 rc = -EINVAL;
587 goto out; 588 goto out;
588 } 589 }
589 tcontext = sidtab_search(&sidtab, tsid); 590 tcontext = sidtab_search(&sidtab, tsid);
590 if (!tcontext) { 591 if (!tcontext) {
591 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 592 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
592 tsid); 593 __func__, tsid);
593 rc = -EINVAL; 594 rc = -EINVAL;
594 goto out; 595 goto out;
595 } 596 }
@@ -623,9 +624,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
623 624
624 /* Allocate space for the context; caller must free this space. */ 625 /* Allocate space for the context; caller must free this space. */
625 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 626 scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
626 if (!scontextp) { 627 if (!scontextp)
627 return -ENOMEM; 628 return -ENOMEM;
628 }
629 *scontext = scontextp; 629 *scontext = scontextp;
630 630
631 /* 631 /*
@@ -636,8 +636,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
636 policydb.p_role_val_to_name[context->role - 1], 636 policydb.p_role_val_to_name[context->role - 1],
637 policydb.p_type_val_to_name[context->type - 1]); 637 policydb.p_type_val_to_name[context->type - 1]);
638 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 638 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
639 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 639 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
640 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 640 1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
641 641
642 mls_sid_to_context(context, &scontextp); 642 mls_sid_to_context(context, &scontextp);
643 643
@@ -678,7 +678,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
678 char *scontextp; 678 char *scontextp;
679 679
680 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 680 *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
681 scontextp = kmalloc(*scontext_len,GFP_ATOMIC); 681 scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
682 if (!scontextp) { 682 if (!scontextp) {
683 rc = -ENOMEM; 683 rc = -ENOMEM;
684 goto out; 684 goto out;
@@ -687,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
687 *scontext = scontextp; 687 *scontext = scontextp;
688 goto out; 688 goto out;
689 } 689 }
690 printk(KERN_ERR "security_sid_to_context: called before initial " 690 printk(KERN_ERR "SELinux: %s: called before initial "
691 "load_policy on unknown SID %d\n", sid); 691 "load_policy on unknown SID %d\n", __func__, sid);
692 rc = -EINVAL; 692 rc = -EINVAL;
693 goto out; 693 goto out;
694 } 694 }
695 POLICY_RDLOCK; 695 POLICY_RDLOCK;
696 context = sidtab_search(&sidtab, sid); 696 context = sidtab_search(&sidtab, sid);
697 if (!context) { 697 if (!context) {
698 printk(KERN_ERR "security_sid_to_context: unrecognized SID " 698 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
699 "%d\n", sid); 699 __func__, sid);
700 rc = -EINVAL; 700 rc = -EINVAL;
701 goto out_unlock; 701 goto out_unlock;
702 } 702 }
@@ -926,15 +926,15 @@ static int security_compute_sid(u32 ssid,
926 926
927 scontext = sidtab_search(&sidtab, ssid); 927 scontext = sidtab_search(&sidtab, ssid);
928 if (!scontext) { 928 if (!scontext) {
929 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 929 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
930 ssid); 930 __func__, ssid);
931 rc = -EINVAL; 931 rc = -EINVAL;
932 goto out_unlock; 932 goto out_unlock;
933 } 933 }
934 tcontext = sidtab_search(&sidtab, tsid); 934 tcontext = sidtab_search(&sidtab, tsid);
935 if (!tcontext) { 935 if (!tcontext) {
936 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 936 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
937 tsid); 937 __func__, tsid);
938 rc = -EINVAL; 938 rc = -EINVAL;
939 goto out_unlock; 939 goto out_unlock;
940 } 940 }
@@ -974,7 +974,7 @@ static int security_compute_sid(u32 ssid,
974 avdatum = avtab_search(&policydb.te_avtab, &avkey); 974 avdatum = avtab_search(&policydb.te_avtab, &avkey);
975 975
976 /* If no permanent rule, also check for enabled conditional rules */ 976 /* If no permanent rule, also check for enabled conditional rules */
977 if(!avdatum) { 977 if (!avdatum) {
978 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 978 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
979 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 979 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
980 if (node->key.specified & AVTAB_ENABLED) { 980 if (node->key.specified & AVTAB_ENABLED) {
@@ -1288,26 +1288,23 @@ static int convert_context(u32 key,
1288 1288
1289 /* Convert the user. */ 1289 /* Convert the user. */
1290 usrdatum = hashtab_search(args->newp->p_users.table, 1290 usrdatum = hashtab_search(args->newp->p_users.table,
1291 args->oldp->p_user_val_to_name[c->user - 1]); 1291 args->oldp->p_user_val_to_name[c->user - 1]);
1292 if (!usrdatum) { 1292 if (!usrdatum)
1293 goto bad; 1293 goto bad;
1294 }
1295 c->user = usrdatum->value; 1294 c->user = usrdatum->value;
1296 1295
1297 /* Convert the role. */ 1296 /* Convert the role. */
1298 role = hashtab_search(args->newp->p_roles.table, 1297 role = hashtab_search(args->newp->p_roles.table,
1299 args->oldp->p_role_val_to_name[c->role - 1]); 1298 args->oldp->p_role_val_to_name[c->role - 1]);
1300 if (!role) { 1299 if (!role)
1301 goto bad; 1300 goto bad;
1302 }
1303 c->role = role->value; 1301 c->role = role->value;
1304 1302
1305 /* Convert the type. */ 1303 /* Convert the type. */
1306 typdatum = hashtab_search(args->newp->p_types.table, 1304 typdatum = hashtab_search(args->newp->p_types.table,
1307 args->oldp->p_type_val_to_name[c->type - 1]); 1305 args->oldp->p_type_val_to_name[c->type - 1]);
1308 if (!typdatum) { 1306 if (!typdatum)
1309 goto bad; 1307 goto bad;
1310 }
1311 c->type = typdatum->value; 1308 c->type = typdatum->value;
1312 1309
1313 rc = mls_convert_context(args->oldp, args->newp, c); 1310 rc = mls_convert_context(args->oldp, args->newp, c);
@@ -1556,8 +1553,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1556{ 1553{
1557 int i, fail = 0; 1554 int i, fail = 0;
1558 1555
1559 for(i = 0; i < 4; i++) 1556 for (i = 0; i < 4; i++)
1560 if(addr[i] != (input[i] & mask[i])) { 1557 if (addr[i] != (input[i] & mask[i])) {
1561 fail = 1; 1558 fail = 1;
1562 break; 1559 break;
1563 } 1560 }
@@ -1656,7 +1653,7 @@ out:
1656 */ 1653 */
1657 1654
1658int security_get_user_sids(u32 fromsid, 1655int security_get_user_sids(u32 fromsid,
1659 char *username, 1656 char *username,
1660 u32 **sids, 1657 u32 **sids,
1661 u32 *nel) 1658 u32 *nel)
1662{ 1659{
@@ -1766,7 +1763,7 @@ out:
1766 * transition SIDs or task SIDs. 1763 * transition SIDs or task SIDs.
1767 */ 1764 */
1768int security_genfs_sid(const char *fstype, 1765int security_genfs_sid(const char *fstype,
1769 char *path, 1766 char *path,
1770 u16 sclass, 1767 u16 sclass,
1771 u32 *sid) 1768 u32 *sid)
1772{ 1769{
@@ -1881,7 +1878,7 @@ int security_get_bools(int *len, char ***names, int **values)
1881 goto out; 1878 goto out;
1882 } 1879 }
1883 1880
1884 *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); 1881 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
1885 if (!*names) 1882 if (!*names)
1886 goto err; 1883 goto err;
1887 1884
@@ -1893,7 +1890,7 @@ int security_get_bools(int *len, char ***names, int **values)
1893 size_t name_len; 1890 size_t name_len;
1894 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1891 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1895 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1892 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1896 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1893 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1897 if (!(*names)[i]) 1894 if (!(*names)[i])
1898 goto err; 1895 goto err;
1899 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 1896 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
@@ -1938,11 +1935,10 @@ int security_set_bools(int len, int *values)
1938 audit_get_loginuid(current), 1935 audit_get_loginuid(current),
1939 audit_get_sessionid(current)); 1936 audit_get_sessionid(current));
1940 } 1937 }
1941 if (values[i]) { 1938 if (values[i])
1942 policydb.bool_val_to_struct[i]->state = 1; 1939 policydb.bool_val_to_struct[i]->state = 1;
1943 } else { 1940 else
1944 policydb.bool_val_to_struct[i]->state = 0; 1941 policydb.bool_val_to_struct[i]->state = 0;
1945 }
1946 } 1942 }
1947 1943
1948 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 1944 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
@@ -2036,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2036 POLICY_RDLOCK; 2032 POLICY_RDLOCK;
2037 context1 = sidtab_search(&sidtab, sid); 2033 context1 = sidtab_search(&sidtab, sid);
2038 if (!context1) { 2034 if (!context1) {
2039 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 2035 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2040 "%d\n", sid); 2036 __func__, sid);
2041 rc = -EINVAL; 2037 rc = -EINVAL;
2042 goto out_unlock; 2038 goto out_unlock;
2043 } 2039 }
2044 2040
2045 context2 = sidtab_search(&sidtab, mls_sid); 2041 context2 = sidtab_search(&sidtab, mls_sid);
2046 if (!context2) { 2042 if (!context2) {
2047 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 2043 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2048 "%d\n", mls_sid); 2044 __func__, mls_sid);
2049 rc = -EINVAL; 2045 rc = -EINVAL;
2050 goto out_unlock; 2046 goto out_unlock;
2051 } 2047 }
@@ -2136,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2136 2132
2137 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); 2133 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2138 if (!nlbl_ctx) { 2134 if (!nlbl_ctx) {
2139 printk(KERN_ERR 2135 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2140 "security_sid_mls_cmp: unrecognized SID %d\n", 2136 __func__, nlbl_sid);
2141 nlbl_sid);
2142 rc = -EINVAL; 2137 rc = -EINVAL;
2143 goto out_slowpath; 2138 goto out_slowpath;
2144 } 2139 }
2145 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); 2140 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2146 if (!xfrm_ctx) { 2141 if (!xfrm_ctx) {
2147 printk(KERN_ERR 2142 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2148 "security_sid_mls_cmp: unrecognized SID %d\n", 2143 __func__, xfrm_sid);
2149 xfrm_sid);
2150 rc = -EINVAL; 2144 rc = -EINVAL;
2151 goto out_slowpath; 2145 goto out_slowpath;
2152 } 2146 }
@@ -2226,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
2226 2220
2227 match = hashtab_search(policydb.p_classes.table, class); 2221 match = hashtab_search(policydb.p_classes.table, class);
2228 if (!match) { 2222 if (!match) {
2229 printk(KERN_ERR "%s: unrecognized class %s\n", 2223 printk(KERN_ERR "SELinux: %s: unrecognized class %s\n",
2230 __func__, class); 2224 __func__, class);
2231 rc = -EINVAL; 2225 rc = -EINVAL;
2232 goto out; 2226 goto out;
@@ -2435,7 +2429,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2435 2429
2436 if (!rule) { 2430 if (!rule) {
2437 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2431 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2438 "selinux_audit_rule_match: missing rule\n"); 2432 "selinux_audit_rule_match: missing rule\n");
2439 return -ENOENT; 2433 return -ENOENT;
2440 } 2434 }
2441 2435
@@ -2443,7 +2437,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2443 2437
2444 if (rule->au_seqno < latest_granting) { 2438 if (rule->au_seqno < latest_granting) {
2445 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2439 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2446 "selinux_audit_rule_match: stale rule\n"); 2440 "selinux_audit_rule_match: stale rule\n");
2447 match = -ESTALE; 2441 match = -ESTALE;
2448 goto out; 2442 goto out;
2449 } 2443 }
@@ -2451,8 +2445,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2451 ctxt = sidtab_search(&sidtab, sid); 2445 ctxt = sidtab_search(&sidtab, sid);
2452 if (!ctxt) { 2446 if (!ctxt) {
2453 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2447 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2454 "selinux_audit_rule_match: unrecognized SID %d\n", 2448 "selinux_audit_rule_match: unrecognized SID %d\n",
2455 sid); 2449 sid);
2456 match = -ENOENT; 2450 match = -ENOENT;
2457 goto out; 2451 goto out;
2458 } 2452 }
@@ -2498,36 +2492,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2498 case AUDIT_OBJ_LEV_LOW: 2492 case AUDIT_OBJ_LEV_LOW:
2499 case AUDIT_OBJ_LEV_HIGH: 2493 case AUDIT_OBJ_LEV_HIGH:
2500 level = ((field == AUDIT_SUBJ_SEN || 2494 level = ((field == AUDIT_SUBJ_SEN ||
2501 field == AUDIT_OBJ_LEV_LOW) ? 2495 field == AUDIT_OBJ_LEV_LOW) ?
2502 &ctxt->range.level[0] : &ctxt->range.level[1]); 2496 &ctxt->range.level[0] : &ctxt->range.level[1]);
2503 switch (op) { 2497 switch (op) {
2504 case AUDIT_EQUAL: 2498 case AUDIT_EQUAL:
2505 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2499 match = mls_level_eq(&rule->au_ctxt.range.level[0],
2506 level); 2500 level);
2507 break; 2501 break;
2508 case AUDIT_NOT_EQUAL: 2502 case AUDIT_NOT_EQUAL:
2509 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2503 match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2510 level); 2504 level);
2511 break; 2505 break;
2512 case AUDIT_LESS_THAN: 2506 case AUDIT_LESS_THAN:
2513 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2507 match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2514 level) && 2508 level) &&
2515 !mls_level_eq(&rule->au_ctxt.range.level[0], 2509 !mls_level_eq(&rule->au_ctxt.range.level[0],
2516 level)); 2510 level));
2517 break; 2511 break;
2518 case AUDIT_LESS_THAN_OR_EQUAL: 2512 case AUDIT_LESS_THAN_OR_EQUAL:
2519 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2513 match = mls_level_dom(&rule->au_ctxt.range.level[0],
2520 level); 2514 level);
2521 break; 2515 break;
2522 case AUDIT_GREATER_THAN: 2516 case AUDIT_GREATER_THAN:
2523 match = (mls_level_dom(level, 2517 match = (mls_level_dom(level,
2524 &rule->au_ctxt.range.level[0]) && 2518 &rule->au_ctxt.range.level[0]) &&
2525 !mls_level_eq(level, 2519 !mls_level_eq(level,
2526 &rule->au_ctxt.range.level[0])); 2520 &rule->au_ctxt.range.level[0]));
2527 break; 2521 break;
2528 case AUDIT_GREATER_THAN_OR_EQUAL: 2522 case AUDIT_GREATER_THAN_OR_EQUAL:
2529 match = mls_level_dom(level, 2523 match = mls_level_dom(level,
2530 &rule->au_ctxt.range.level[0]); 2524 &rule->au_ctxt.range.level[0]);
2531 break; 2525 break;
2532 } 2526 }
2533 } 2527 }
@@ -2554,7 +2548,7 @@ static int __init aurule_init(void)
2554 int err; 2548 int err;
2555 2549
2556 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2550 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2557 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2551 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2558 if (err) 2552 if (err)
2559 panic("avc_add_callback() failed, error %d\n", err); 2553 panic("avc_add_callback() failed, error %d\n", err);
2560 2554
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-27 17:42:10 -0500