diff options
Diffstat (limited to 'security/selinux/ss/services.c')
| -rw-r--r-- | security/selinux/ss/services.c | 56 |
1 files changed, 40 insertions, 16 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 185f849a26f6..4321b8fc8863 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -1018,9 +1018,11 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 | |||
| 1018 | 1018 | ||
| 1019 | if (context->len) { | 1019 | if (context->len) { |
| 1020 | *scontext_len = context->len; | 1020 | *scontext_len = context->len; |
| 1021 | *scontext = kstrdup(context->str, GFP_ATOMIC); | 1021 | if (scontext) { |
| 1022 | if (!(*scontext)) | 1022 | *scontext = kstrdup(context->str, GFP_ATOMIC); |
| 1023 | return -ENOMEM; | 1023 | if (!(*scontext)) |
| 1024 | return -ENOMEM; | ||
| 1025 | } | ||
| 1024 | return 0; | 1026 | return 0; |
| 1025 | } | 1027 | } |
| 1026 | 1028 | ||
| @@ -1389,6 +1391,7 @@ static int security_compute_sid(u32 ssid, | |||
| 1389 | u32 *out_sid, | 1391 | u32 *out_sid, |
| 1390 | bool kern) | 1392 | bool kern) |
| 1391 | { | 1393 | { |
| 1394 | struct class_datum *cladatum = NULL; | ||
| 1392 | struct context *scontext = NULL, *tcontext = NULL, newcontext; | 1395 | struct context *scontext = NULL, *tcontext = NULL, newcontext; |
| 1393 | struct role_trans *roletr = NULL; | 1396 | struct role_trans *roletr = NULL; |
| 1394 | struct avtab_key avkey; | 1397 | struct avtab_key avkey; |
| @@ -1437,12 +1440,20 @@ static int security_compute_sid(u32 ssid, | |||
| 1437 | goto out_unlock; | 1440 | goto out_unlock; |
| 1438 | } | 1441 | } |
| 1439 | 1442 | ||
| 1443 | if (tclass && tclass <= policydb.p_classes.nprim) | ||
| 1444 | cladatum = policydb.class_val_to_struct[tclass - 1]; | ||
| 1445 | |||
| 1440 | /* Set the user identity. */ | 1446 | /* Set the user identity. */ |
| 1441 | switch (specified) { | 1447 | switch (specified) { |
| 1442 | case AVTAB_TRANSITION: | 1448 | case AVTAB_TRANSITION: |
| 1443 | case AVTAB_CHANGE: | 1449 | case AVTAB_CHANGE: |
| 1444 | /* Use the process user identity. */ | 1450 | if (cladatum && cladatum->default_user == DEFAULT_TARGET) { |
| 1445 | newcontext.user = scontext->user; | 1451 | newcontext.user = tcontext->user; |
| 1452 | } else { | ||
| 1453 | /* notice this gets both DEFAULT_SOURCE and unset */ | ||
| 1454 | /* Use the process user identity. */ | ||
| 1455 | newcontext.user = scontext->user; | ||
| 1456 | } | ||
| 1446 | break; | 1457 | break; |
| 1447 | case AVTAB_MEMBER: | 1458 | case AVTAB_MEMBER: |
| 1448 | /* Use the related object owner. */ | 1459 | /* Use the related object owner. */ |
| @@ -1450,16 +1461,31 @@ static int security_compute_sid(u32 ssid, | |||
| 1450 | break; | 1461 | break; |
| 1451 | } | 1462 | } |
| 1452 | 1463 | ||
| 1453 | /* Set the role and type to default values. */ | 1464 | /* Set the role to default values. */ |
| 1454 | if ((tclass == policydb.process_class) || (sock == true)) { | 1465 | if (cladatum && cladatum->default_role == DEFAULT_SOURCE) { |
| 1455 | /* Use the current role and type of process. */ | ||
| 1456 | newcontext.role = scontext->role; | 1466 | newcontext.role = scontext->role; |
| 1457 | newcontext.type = scontext->type; | 1467 | } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) { |
| 1468 | newcontext.role = tcontext->role; | ||
| 1458 | } else { | 1469 | } else { |
| 1459 | /* Use the well-defined object role. */ | 1470 | if ((tclass == policydb.process_class) || (sock == true)) |
| 1460 | newcontext.role = OBJECT_R_VAL; | 1471 | newcontext.role = scontext->role; |
| 1461 | /* Use the type of the related object. */ | 1472 | else |
| 1473 | newcontext.role = OBJECT_R_VAL; | ||
| 1474 | } | ||
| 1475 | |||
| 1476 | /* Set the type to default values. */ | ||
| 1477 | if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { | ||
| 1478 | newcontext.type = scontext->type; | ||
| 1479 | } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { | ||
| 1462 | newcontext.type = tcontext->type; | 1480 | newcontext.type = tcontext->type; |
| 1481 | } else { | ||
| 1482 | if ((tclass == policydb.process_class) || (sock == true)) { | ||
| 1483 | /* Use the type of process. */ | ||
| 1484 | newcontext.type = scontext->type; | ||
| 1485 | } else { | ||
| 1486 | /* Use the type of the related object. */ | ||
| 1487 | newcontext.type = tcontext->type; | ||
| 1488 | } | ||
| 1463 | } | 1489 | } |
| 1464 | 1490 | ||
| 1465 | /* Look for a type transition/member/change rule. */ | 1491 | /* Look for a type transition/member/change rule. */ |
| @@ -3018,8 +3044,7 @@ out: | |||
| 3018 | 3044 | ||
| 3019 | static int (*aurule_callback)(void) = audit_update_lsm_rules; | 3045 | static int (*aurule_callback)(void) = audit_update_lsm_rules; |
| 3020 | 3046 | ||
| 3021 | static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, | 3047 | static int aurule_avc_callback(u32 event) |
| 3022 | u16 class, u32 perms, u32 *retained) | ||
| 3023 | { | 3048 | { |
| 3024 | int err = 0; | 3049 | int err = 0; |
| 3025 | 3050 | ||
| @@ -3032,8 +3057,7 @@ static int __init aurule_init(void) | |||
| 3032 | { | 3057 | { |
| 3033 | int err; | 3058 | int err; |
| 3034 | 3059 | ||
| 3035 | err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, | 3060 | err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET); |
| 3036 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); | ||
| 3037 | if (err) | 3061 | if (err) |
| 3038 | panic("avc_add_callback() failed, error %d\n", err); | 3062 | panic("avc_add_callback() failed, error %d\n", err); |
| 3039 | 3063 | ||