Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/avtab.c27
-rw-r--r--security/selinux/ss/conditional.c14
-rw-r--r--security/selinux/ss/policydb.c17
-rw-r--r--security/selinux/ss/services.c63
4 files changed, 60 insertions, 61 deletions
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index a6175306d5b6..9e6626362bfd 100644
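--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag)
 }
 }
 
-printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest "
-"chain length %d sum of chain length^2 %Lu\n",
+printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
+"longest chain length %d sum of chain length^2 %Lu\n",
 tag, h->nel, slots_used, h->nslot, max_chain_len,
 chain2_len_sum);
 }
@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
 val = le32_to_cpu(buf32[items++]);
 key.source_type = (u16)val;
 if (key.source_type != val) {
-printk("SELinux: avtab: truncated source type\n");
+printk(KERN_ERR "SELinux: avtab: truncated source type\n");
 return -1;
 }
 val = le32_to_cpu(buf32[items++]);
 key.target_type = (u16)val;
 if (key.target_type != val) {
-printk("SELinux: avtab: truncated target type\n");
+printk(KERN_ERR "SELinux: avtab: truncated target type\n");
 return -1;
 }
 val = le32_to_cpu(buf32[items++]);
 key.target_class = (u16)val;
 if (key.target_class != val) {
-printk("SELinux: avtab: truncated target class\n");
+printk(KERN_ERR "SELinux: avtab: truncated target class\n");
 return -1;
 }
 
@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
 enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
 
 if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
-printk("SELinux: avtab: null entry\n");
+printk(KERN_ERR "SELinux: avtab: null entry\n");
 return -1;
 }
 if ((val & AVTAB_AV) &&
 (val & AVTAB_TYPE)) {
-printk("SELinux: avtab: entry has both access vectors and types\n");
+printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
 return -1;
 }
 
@@ -404,7 +404,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
 }
 
 if (items != items2) {
-printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
+printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
 return -1;
 }
 return 0;
@@ -412,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
 
 rc = next_entry(buf16, fp, sizeof(u16)*4);
 if (rc < 0) {
-printk("SELinux: avtab: truncated entry\n");
+printk(KERN_ERR "SELinux: avtab: truncated entry\n");
 return -1;
 }
 
@@ -425,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
 if (!policydb_type_isvalid(pol, key.source_type) ||
 !policydb_type_isvalid(pol, key.target_type) ||
 !policydb_class_isvalid(pol, key.target_class)) {
-printk(KERN_WARNING "SELinux: avtab: invalid type or class\n");
+printk(KERN_ERR "SELinux: avtab: invalid type or class\n");
 return -1;
 }
 
@@ -435,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
 set++;
 }
 if (!set || set > 1) {
-printk(KERN_WARNING
-"SELinux: avtab: more than one specifier\n");
+printk(KERN_ERR "SELinux: avtab: more than one specifier\n");
 return -1;
 }
 
 rc = next_entry(buf32, fp, sizeof(u32));
 if (rc < 0) {
-printk("SELinux: avtab: truncated entry\n");
+printk(KERN_ERR "SELinux: avtab: truncated entry\n");
 return -1;
 }
 datum.data = le32_to_cpu(*buf32);
 if ((key.specified & AVTAB_TYPE) &&
 !policydb_type_isvalid(pol, datum.data)) {
-printk(KERN_WARNING "SELinux: avtab: invalid type\n");
+printk(KERN_ERR "SELinux: avtab: invalid type\n");
 return -1;
 }
 return insertf(a, &key, &datum, p);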
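Review bot: The message `more than one specifier` is wrong for half of the guard it sits under in the last avtab_read_item hunk: `if (!set || set > 1)` also rejects an entry in which no specifier bit was counted, and someone triaging a rejected policy from the log would look for a duplicate that is not there. Since the commit already rewrites this printk, a wording that covers both cases would be more useful, e.g. `printk(KERN_ERR "SELinux: avtab: entry must have exactly one specifier\n");`. avtab_read_item starts and ends outside the visible hunks, so the loop that counts `set` is only partly shown here.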
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 5691af498c40..3a464c75d047 100644
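--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -273,7 +273,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
 */
 if (k->specified & AVTAB_TYPE) {
 if (avtab_search(&p->te_avtab, k)) {
-printk("SELinux: type rule already exists outside of a conditional.");
+printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
 goto err;
 }
 /*
@@ -288,7 +288,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
 if (node_ptr) {
 if (avtab_search_node_next(node_ptr, k->specified)) {
-printk("SELinux: too many conflicting type rules.");
+printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
 goto err;
 }
 found = 0;
@@ -299,13 +299,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
 }
 }
 if (!found) {
-printk("SELinux: conflicting type rules.\n");
+printk(KERN_ERR "SELinux: conflicting type rules.\n");
 goto err;
 }
 }
 } else {
 if (avtab_search(&p->te_cond_avtab, k)) {
-printk("SELinux: conflicting type rules when adding type rule for true.\n");
+printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
 goto err;
 }
 }
@@ -313,7 +313,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
 
 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
 if (!node_ptr) {
-printk("SELinux: could not insert rule.");
+printk(KERN_ERR "SELinux: could not insert rule.\n");
 goto err;
 }
 
@@ -372,12 +372,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
 static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
 {
 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
-printk("SELinux: conditional expressions uses unknown operator.\n");
+printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
 return 0;
 }
 
 if (expr->bool > p->p_bools.nprim) {
-printk("SELinux: conditional expressions uses unknown bool.\n");
+printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
 return 0;
 }
 return 1;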
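Review bot: Both messages in `expr_isvalid` report that a policy was rejected without saying which value caused it, and the wording `conditional expressions uses` is ungrammatical. While these lines are being rewritten I would fix the text, `printk(KERN_ERR "SELinux: conditional expression uses unknown operator.\n");` and the same for the bool message. It would also help to append the rejected `expr->expr_type` or `expr->bool`, using a conversion that matches the field types, which are declared outside this hunk. The closing brace of `expr_isvalid` is outside the hunk.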
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 6bdb0ff6a927..891c2d07e8b6 100644
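--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -390,7 +390,7 @@ static void symtab_hash_eval(struct symtab *s)
 struct hashtab_info info;
 
 hashtab_stat(h, &info);
-printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, "
+printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
 "longest chain length %d\n", symtab_name[i], h->nel,
 info.slots_used, h->size, info.max_chain_len);
 }
@@ -1215,7 +1215,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
 
 if (strcmp(key, OBJECT_R) == 0) {
 if (role->value != OBJECT_R_VAL) {
-printk(KERN_ERR "Role %s has wrong value %d\n",
+printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
 OBJECT_R, role->value);
 rc = -EINVAL;
 goto bad;
@@ -1551,22 +1551,23 @@ int policydb_read(struct policydb *p, void *fp)
 
 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
 if (ss_initialized && !selinux_mls_enabled) {
-printk(KERN_ERR "Cannot switch between non-MLS and MLS "
-"policies\n");
+printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
+" and MLS policies\n");
 goto bad;
 }
 selinux_mls_enabled = 1;
 config |= POLICYDB_CONFIG_MLS;
 
 if (p->policyvers < POLICYDB_VERSION_MLS) {
-printk(KERN_ERR "security policydb version %d (MLS) "
-"not backwards compatible\n", p->policyvers);
+printk(KERN_ERR "SELinux: security policydb version %d "
+"(MLS) not backwards compatible\n",
+p->policyvers);
 goto bad;
 }
 } else {
 if (ss_initialized && selinux_mls_enabled) {
-printk(KERN_ERR "SELinux: Cannot switch between MLS and non-MLS "
-"policies\n");
+printk(KERN_ERR "SELinux: Cannot switch between MLS and"
+" non-MLS policies\n");
 goto bad;
 }
 }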
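Review bot: In the `policydb_read` hunk the global `selinux_mls_enabled` is set to 1 before the `p->policyvers < POLICYDB_VERSION_MLS` check, so a policy rejected by that check has already changed global state by the time it reaches `goto bad`. Whether the `bad` label restores the flag is outside the hunk; if it does not, a failed load may leave MLS marked as enabled with no MLS policy loaded. I would keep the decision in the local `config` and assign the global only once the read has succeeded, or at least move `selinux_mls_enabled = 1;` below the version check. The ordering predates this commit, but if it is intentional a one-line comment saying so next to the assignment would help.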
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index fc3dfca475d6..2daaddbb301d 100644
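--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -415,7 +415,8 @@ static int context_struct_compute_av(struct context *scontext,
 return 0;
 
 inval_class:
-printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass);
+printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
+tclass);
 return -EINVAL;
 }
 
@@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 tclass = SECCLASS_NETLINK_SOCKET;
 
 if (!tclass || tclass > policydb.p_classes.nprim) {
-printk(KERN_ERR "security_validate_transition: "
-"unrecognized class %d\n", tclass);
+printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
+__func__, tclass);
 rc = -EINVAL;
 goto out;
 }
@@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 
 ocontext = sidtab_search(&sidtab, oldsid);
 if (!ocontext) {
-printk(KERN_ERR "security_validate_transition: "
-" unrecognized SID %d\n", oldsid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, oldsid);
 rc = -EINVAL;
 goto out;
 }
 
 ncontext = sidtab_search(&sidtab, newsid);
 if (!ncontext) {
-printk(KERN_ERR "security_validate_transition: "
-" unrecognized SID %d\n", newsid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, newsid);
 rc = -EINVAL;
 goto out;
 }
 
 tcontext = sidtab_search(&sidtab, tasksid);
 if (!tcontext) {
-printk(KERN_ERR "security_validate_transition: "
-" unrecognized SID %d\n", tasksid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, tasksid);
 rc = -EINVAL;
 goto out;
 }
@@ -581,15 +582,15 @@ int security_compute_av(u32 ssid,
 
 scontext = sidtab_search(&sidtab, ssid);
 if (!scontext) {
-printk(KERN_ERR "security_compute_av: unrecognized SID %d\n",
-ssid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, ssid);
 rc = -EINVAL;
 goto out;
 }
 tcontext = sidtab_search(&sidtab, tsid);
 if (!tcontext) {
-printk(KERN_ERR "security_compute_av: unrecognized SID %d\n",
-tsid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, tsid);
 rc = -EINVAL;
 goto out;
 }
@@ -686,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
 *scontext = scontextp;
 goto out;
 }
-printk(KERN_ERR "security_sid_to_context: called before initial "
-"load_policy on unknown SID %d\n", sid);
+printk(KERN_ERR "SELinux: %s: called before initial "
+"load_policy on unknown SID %d\n", __func__, sid);
 rc = -EINVAL;
 goto out;
 }
 POLICY_RDLOCK;
 context = sidtab_search(&sidtab, sid);
 if (!context) {
-printk(KERN_ERR "security_sid_to_context: unrecognized SID "
-"%d\n", sid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, sid);
 rc = -EINVAL;
 goto out_unlock;
 }
@@ -925,15 +926,15 @@ static int security_compute_sid(u32 ssid,
 
 scontext = sidtab_search(&sidtab, ssid);
 if (!scontext) {
-printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n",
-ssid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, ssid);
 rc = -EINVAL;
 goto out_unlock;
 }
 tcontext = sidtab_search(&sidtab, tsid);
 if (!tcontext) {
-printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n",
-tsid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, tsid);
 rc = -EINVAL;
 goto out_unlock;
 }
@@ -2031,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
 POLICY_RDLOCK;
 context1 = sidtab_search(&sidtab, sid);
 if (!context1) {
-printk(KERN_ERR "security_sid_mls_copy: unrecognized SID "
-"%d\n", sid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, sid);
 rc = -EINVAL;
 goto out_unlock;
 }
 
 context2 = sidtab_search(&sidtab, mls_sid);
 if (!context2) {
-printk(KERN_ERR "security_sid_mls_copy: unrecognized SID "
-"%d\n", mls_sid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, mls_sid);
 rc = -EINVAL;
 goto out_unlock;
 }
@@ -2131,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
 
 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
 if (!nlbl_ctx) {
-printk(KERN_ERR
-"security_sid_mls_cmp: unrecognized SID %d\n",
-nlbl_sid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, nlbl_sid);
 rc = -EINVAL;
 goto out_slowpath;
 }
 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
 if (!xfrm_ctx) {
-printk(KERN_ERR
-"security_sid_mls_cmp: unrecognized SID %d\n",
-xfrm_sid);
+printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+__func__, xfrm_sid);
 rc = -EINVAL;
 goto out_slowpath;
 }
@@ -2221,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
 
 match = hashtab_search(policydb.p_classes.table, class);
 if (!match) {
-printk(KERN_ERR "%s: unrecognized class %s\n",
+printk(KERN_ERR "SELinux: %s: unrecognized class %s\n",
 __func__, class);
 rc = -EINVAL;
 goto out;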
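Review bot: The SID arguments are declared `u32` in the signatures shown in the hunk headers (`u32 oldsid`, `u32 ssid`, `u32 sid`, `u32 mls_sid`, `u32 nlbl_sid`), yet every rewritten message still prints them with `%d`, so a SID above INT_MAX would appear negative in the log and would not match the value reported elsewhere. Since each of these format strings is rewritten here anyway, the unsigned conversion should be used: `printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", __func__, ssid);`. The same applies to the `unrecognized SID` and `unknown SID` messages in security_validate_transition, security_compute_av, security_sid_to_context, security_compute_sid, security_sid_mls_copy and security_net_peersid_resolve. The declared type of `tclass`, also printed with `%d`, is not visible in these hunks and is worth checking the same way.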