Diffstat (limited to 'security/selinux/ss')
-rw-r--r-- | security/selinux/ss/avtab.c | 48 | ||||
-rw-r--r-- | security/selinux/ss/conditional.c | 73 | ||||
-rw-r--r-- | security/selinux/ss/ebitmap.c | 5 | ||||
-rw-r--r-- | security/selinux/ss/hashtab.c | 4 | ||||
-rw-r--r-- | security/selinux/ss/mls.c | 27 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 148 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 178 | ||||
-rw-r--r-- | security/selinux/ss/sidtab.c | 6 |
8 files changed, 235 insertions, 254 deletions
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index 916e73a18bc5..9e6626362bfd 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c | |||
@@ -6,15 +6,15 @@ | |||
6 | 6 | ||
7 | /* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> | 7 | /* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> |
8 | * | 8 | * |
9 | * Added conditional policy language extensions | 9 | * Added conditional policy language extensions |
10 | * | 10 | * |
11 | * Copyright (C) 2003 Tresys Technology, LLC | 11 | * Copyright (C) 2003 Tresys Technology, LLC |
12 | * This program is free software; you can redistribute it and/or modify | 12 | * This program is free software; you can redistribute it and/or modify |
13 | * it under the terms of the GNU General Public License as published by | 13 | * it under the terms of the GNU General Public License as published by |
14 | * the Free Software Foundation, version 2. | 14 | * the Free Software Foundation, version 2. |
15 | * | 15 | * |
16 | * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> | 16 | * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> |
17 | * Tuned number of hash slots for avtab to reduce memory usage | 17 | * Tuned number of hash slots for avtab to reduce memory usage |
18 | */ | 18 | */ |
19 | 19 | ||
20 | #include <linux/kernel.h> | 20 | #include <linux/kernel.h> |
@@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask) | |||
33 | 33 | ||
34 | static struct avtab_node* | 34 | static struct avtab_node* |
35 | avtab_insert_node(struct avtab *h, int hvalue, | 35 | avtab_insert_node(struct avtab *h, int hvalue, |
36 | struct avtab_node * prev, struct avtab_node * cur, | 36 | struct avtab_node *prev, struct avtab_node *cur, |
37 | struct avtab_key *key, struct avtab_datum *datum) | 37 | struct avtab_key *key, struct avtab_datum *datum) |
38 | { | 38 | { |
39 | struct avtab_node * newnode; | 39 | struct avtab_node *newnode; |
40 | newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL); | 40 | newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL); |
41 | if (newnode == NULL) | 41 | if (newnode == NULL) |
42 | return NULL; | 42 | return NULL; |
@@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat | |||
84 | } | 84 | } |
85 | 85 | ||
86 | newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); | 86 | newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); |
87 | if(!newnode) | 87 | if (!newnode) |
88 | return -ENOMEM; | 88 | return -ENOMEM; |
89 | 89 | ||
90 | return 0; | 90 | return 0; |
@@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat | |||
95 | * It also returns a pointer to the node inserted. | 95 | * It also returns a pointer to the node inserted. |
96 | */ | 96 | */ |
97 | struct avtab_node * | 97 | struct avtab_node * |
98 | avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_datum * datum) | 98 | avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum) |
99 | { | 99 | { |
100 | int hvalue; | 100 | int hvalue; |
101 | struct avtab_node *prev, *cur, *newnode; | 101 | struct avtab_node *prev, *cur, *newnode; |
@@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag) | |||
310 | } | 310 | } |
311 | } | 311 | } |
312 | 312 | ||
313 | printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " | 313 | printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " |
314 | "chain length %d sum of chain length^2 %Lu\n", | 314 | "longest chain length %d sum of chain length^2 %Lu\n", |
315 | tag, h->nel, slots_used, h->nslot, max_chain_len, | 315 | tag, h->nel, slots_used, h->nslot, max_chain_len, |
316 | chain2_len_sum); | 316 | chain2_len_sum); |
317 | } | 317 | } |
@@ -326,7 +326,7 @@ static uint16_t spec_order[] = { | |||
326 | }; | 326 | }; |
327 | 327 | ||
328 | int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | 328 | int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, |
329 | int (*insertf)(struct avtab *a, struct avtab_key *k, | 329 | int (*insertf)(struct avtab *a, struct avtab_key *k, |
330 | struct avtab_datum *d, void *p), | 330 | struct avtab_datum *d, void *p), |
331 | void *p) | 331 | void *p) |
332 | { | 332 | { |
@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
364 | val = le32_to_cpu(buf32[items++]); | 364 | val = le32_to_cpu(buf32[items++]); |
365 | key.source_type = (u16)val; | 365 | key.source_type = (u16)val; |
366 | if (key.source_type != val) { | 366 | if (key.source_type != val) { |
367 | printk("SELinux: avtab: truncated source type\n"); | 367 | printk(KERN_ERR "SELinux: avtab: truncated source type\n"); |
368 | return -1; | 368 | return -1; |
369 | } | 369 | } |
370 | val = le32_to_cpu(buf32[items++]); | 370 | val = le32_to_cpu(buf32[items++]); |
371 | key.target_type = (u16)val; | 371 | key.target_type = (u16)val; |
372 | if (key.target_type != val) { | 372 | if (key.target_type != val) { |
373 | printk("SELinux: avtab: truncated target type\n"); | 373 | printk(KERN_ERR "SELinux: avtab: truncated target type\n"); |
374 | return -1; | 374 | return -1; |
375 | } | 375 | } |
376 | val = le32_to_cpu(buf32[items++]); | 376 | val = le32_to_cpu(buf32[items++]); |
377 | key.target_class = (u16)val; | 377 | key.target_class = (u16)val; |
378 | if (key.target_class != val) { | 378 | if (key.target_class != val) { |
379 | printk("SELinux: avtab: truncated target class\n"); | 379 | printk(KERN_ERR "SELinux: avtab: truncated target class\n"); |
380 | return -1; | 380 | return -1; |
381 | } | 381 | } |
382 | 382 | ||
@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
384 | enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; | 384 | enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; |
385 | 385 | ||
386 | if (!(val & (AVTAB_AV | AVTAB_TYPE))) { | 386 | if (!(val & (AVTAB_AV | AVTAB_TYPE))) { |
387 | printk("SELinux: avtab: null entry\n"); | 387 | printk(KERN_ERR "SELinux: avtab: null entry\n"); |
388 | return -1; | 388 | return -1; |
389 | } | 389 | } |
390 | if ((val & AVTAB_AV) && | 390 | if ((val & AVTAB_AV) && |
391 | (val & AVTAB_TYPE)) { | 391 | (val & AVTAB_TYPE)) { |
392 | printk("SELinux: avtab: entry has both access vectors and types\n"); | 392 | printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n"); |
393 | return -1; | 393 | return -1; |
394 | } | 394 | } |
395 | 395 | ||
@@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
398 | key.specified = spec_order[i] | enabled; | 398 | key.specified = spec_order[i] | enabled; |
399 | datum.data = le32_to_cpu(buf32[items++]); | 399 | datum.data = le32_to_cpu(buf32[items++]); |
400 | rc = insertf(a, &key, &datum, p); | 400 | rc = insertf(a, &key, &datum, p); |
401 | if (rc) return rc; | 401 | if (rc) |
402 | return rc; | ||
402 | } | 403 | } |
403 | } | 404 | } |
404 | 405 | ||
405 | if (items != items2) { | 406 | if (items != items2) { |
406 | printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items); | 407 | printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items); |
407 | return -1; | 408 | return -1; |
408 | } | 409 | } |
409 | return 0; | 410 | return 0; |
@@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
411 | 412 | ||
412 | rc = next_entry(buf16, fp, sizeof(u16)*4); | 413 | rc = next_entry(buf16, fp, sizeof(u16)*4); |
413 | if (rc < 0) { | 414 | if (rc < 0) { |
414 | printk("SELinux: avtab: truncated entry\n"); | 415 | printk(KERN_ERR "SELinux: avtab: truncated entry\n"); |
415 | return -1; | 416 | return -1; |
416 | } | 417 | } |
417 | 418 | ||
@@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
424 | if (!policydb_type_isvalid(pol, key.source_type) || | 425 | if (!policydb_type_isvalid(pol, key.source_type) || |
425 | !policydb_type_isvalid(pol, key.target_type) || | 426 | !policydb_type_isvalid(pol, key.target_type) || |
426 | !policydb_class_isvalid(pol, key.target_class)) { | 427 | !policydb_class_isvalid(pol, key.target_class)) { |
427 | printk(KERN_WARNING "SELinux: avtab: invalid type or class\n"); | 428 | printk(KERN_ERR "SELinux: avtab: invalid type or class\n"); |
428 | return -1; | 429 | return -1; |
429 | } | 430 | } |
430 | 431 | ||
@@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
434 | set++; | 435 | set++; |
435 | } | 436 | } |
436 | if (!set || set > 1) { | 437 | if (!set || set > 1) { |
437 | printk(KERN_WARNING | 438 | printk(KERN_ERR "SELinux: avtab: more than one specifier\n"); |
438 | "SELinux: avtab: more than one specifier\n"); | ||
439 | return -1; | 439 | return -1; |
440 | } | 440 | } |
441 | 441 | ||
442 | rc = next_entry(buf32, fp, sizeof(u32)); | 442 | rc = next_entry(buf32, fp, sizeof(u32)); |
443 | if (rc < 0) { | 443 | if (rc < 0) { |
444 | printk("SELinux: avtab: truncated entry\n"); | 444 | printk(KERN_ERR "SELinux: avtab: truncated entry\n"); |
445 | return -1; | 445 | return -1; |
446 | } | 446 | } |
447 | datum.data = le32_to_cpu(*buf32); | 447 | datum.data = le32_to_cpu(*buf32); |
448 | if ((key.specified & AVTAB_TYPE) && | 448 | if ((key.specified & AVTAB_TYPE) && |
449 | !policydb_type_isvalid(pol, datum.data)) { | 449 | !policydb_type_isvalid(pol, datum.data)) { |
450 | printk(KERN_WARNING "SELinux: avtab: invalid type\n"); | 450 | printk(KERN_ERR "SELinux: avtab: invalid type\n"); |
451 | return -1; | 451 | return -1; |
452 | } | 452 | } |
453 | return insertf(a, &key, &datum, p); | 453 | return insertf(a, &key, &datum, p); |
@@ -513,5 +513,5 @@ void avtab_cache_init(void) | |||
513 | 513 | ||
514 | void avtab_cache_destroy(void) | 514 | void avtab_cache_destroy(void) |
515 | { | 515 | { |
516 | kmem_cache_destroy (avtab_node_cachep); | 516 | kmem_cache_destroy(avtab_node_cachep); |
517 | } | 517 | } |
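Review bot: The reformatted printk in avtab_read_item that follows `if (!set || set > 1)` still logs "more than one specifier" when `set` is 0, i.e. when the entry names no specifier at all, so a malformed policy is diagnosed with the wrong message. Since the count is in hand, the line can report it directly: `printk(KERN_ERR "SELinux: avtab: invalid number of specifiers (%d)\n", set);`. Policy loading is a privileged operation, so this is a diagnostics-accuracy point rather than a security boundary, but the promotion to KERN_ERR in this commit is the natural moment to correct the text. avtab_read_item begins and ends outside the visible hunks.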
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index da0566c4f329..fb4efe4f4bc8 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c | |||
@@ -1,9 +1,9 @@ | |||
1 | /* Authors: Karl MacMillan <kmacmillan@tresys.com> | 1 | /* Authors: Karl MacMillan <kmacmillan@tresys.com> |
2 | * Frank Mayer <mayerf@tresys.com> | 2 | * Frank Mayer <mayerf@tresys.com> |
3 | * | 3 | * |
4 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC | 4 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC |
5 | * This program is free software; you can redistribute it and/or modify | 5 | * This program is free software; you can redistribute it and/or modify |
6 | * it under the terms of the GNU General Public License as published by | 6 | * it under the terms of the GNU General Public License as published by |
7 | * the Free Software Foundation, version 2. | 7 | * the Free Software Foundation, version 2. |
8 | */ | 8 | */ |
9 | 9 | ||
@@ -89,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr) | |||
89 | int evaluate_cond_node(struct policydb *p, struct cond_node *node) | 89 | int evaluate_cond_node(struct policydb *p, struct cond_node *node) |
90 | { | 90 | { |
91 | int new_state; | 91 | int new_state; |
92 | struct cond_av_list* cur; | 92 | struct cond_av_list *cur; |
93 | 93 | ||
94 | new_state = cond_evaluate_expr(p, node->expr); | 94 | new_state = cond_evaluate_expr(p, node->expr); |
95 | if (new_state != node->cur_state) { | 95 | if (new_state != node->cur_state) { |
@@ -98,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node) | |||
98 | printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); | 98 | printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); |
99 | /* turn the rules on or off */ | 99 | /* turn the rules on or off */ |
100 | for (cur = node->true_list; cur != NULL; cur = cur->next) { | 100 | for (cur = node->true_list; cur != NULL; cur = cur->next) { |
101 | if (new_state <= 0) { | 101 | if (new_state <= 0) |
102 | cur->node->key.specified &= ~AVTAB_ENABLED; | 102 | cur->node->key.specified &= ~AVTAB_ENABLED; |
103 | } else { | 103 | else |
104 | cur->node->key.specified |= AVTAB_ENABLED; | 104 | cur->node->key.specified |= AVTAB_ENABLED; |
105 | } | ||
106 | } | 105 | } |
107 | 106 | ||
108 | for (cur = node->false_list; cur != NULL; cur = cur->next) { | 107 | for (cur = node->false_list; cur != NULL; cur = cur->next) { |
109 | /* -1 or 1 */ | 108 | /* -1 or 1 */ |
110 | if (new_state) { | 109 | if (new_state) |
111 | cur->node->key.specified &= ~AVTAB_ENABLED; | 110 | cur->node->key.specified &= ~AVTAB_ENABLED; |
112 | } else { | 111 | else |
113 | cur->node->key.specified |= AVTAB_ENABLED; | 112 | cur->node->key.specified |= AVTAB_ENABLED; |
114 | } | ||
115 | } | 113 | } |
116 | } | 114 | } |
117 | return 0; | 115 | return 0; |
@@ -173,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p) | |||
173 | int cond_init_bool_indexes(struct policydb *p) | 171 | int cond_init_bool_indexes(struct policydb *p) |
174 | { | 172 | { |
175 | kfree(p->bool_val_to_struct); | 173 | kfree(p->bool_val_to_struct); |
176 | p->bool_val_to_struct = (struct cond_bool_datum**) | 174 | p->bool_val_to_struct = (struct cond_bool_datum **) |
177 | kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL); | 175 | kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL); |
178 | if (!p->bool_val_to_struct) | 176 | if (!p->bool_val_to_struct) |
179 | return -1; | 177 | return -1; |
180 | return 0; | 178 | return 0; |
@@ -199,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap) | |||
199 | return -EINVAL; | 197 | return -EINVAL; |
200 | 198 | ||
201 | p->p_bool_val_to_name[booldatum->value - 1] = key; | 199 | p->p_bool_val_to_name[booldatum->value - 1] = key; |
202 | p->bool_val_to_struct[booldatum->value -1] = booldatum; | 200 | p->bool_val_to_struct[booldatum->value - 1] = booldatum; |
203 | 201 | ||
204 | return 0; | 202 | return 0; |
205 | } | 203 | } |
@@ -251,8 +249,7 @@ err: | |||
251 | return -1; | 249 | return -1; |
252 | } | 250 | } |
253 | 251 | ||
254 | struct cond_insertf_data | 252 | struct cond_insertf_data { |
255 | { | ||
256 | struct policydb *p; | 253 | struct policydb *p; |
257 | struct cond_av_list *other; | 254 | struct cond_av_list *other; |
258 | struct cond_av_list *head; | 255 | struct cond_av_list *head; |
@@ -275,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum | |||
275 | */ | 272 | */ |
276 | if (k->specified & AVTAB_TYPE) { | 273 | if (k->specified & AVTAB_TYPE) { |
277 | if (avtab_search(&p->te_avtab, k)) { | 274 | if (avtab_search(&p->te_avtab, k)) { |
278 | printk("SELinux: type rule already exists outside of a conditional."); | 275 | printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n"); |
279 | goto err; | 276 | goto err; |
280 | } | 277 | } |
281 | /* | 278 | /* |
@@ -290,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum | |||
290 | node_ptr = avtab_search_node(&p->te_cond_avtab, k); | 287 | node_ptr = avtab_search_node(&p->te_cond_avtab, k); |
291 | if (node_ptr) { | 288 | if (node_ptr) { |
292 | if (avtab_search_node_next(node_ptr, k->specified)) { | 289 | if (avtab_search_node_next(node_ptr, k->specified)) { |
293 | printk("SELinux: too many conflicting type rules."); | 290 | printk(KERN_ERR "SELinux: too many conflicting type rules.\n"); |
294 | goto err; | 291 | goto err; |
295 | } | 292 | } |
296 | found = 0; | 293 | found = 0; |
@@ -301,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum | |||
301 | } | 298 | } |
302 | } | 299 | } |
303 | if (!found) { | 300 | if (!found) { |
304 | printk("SELinux: conflicting type rules.\n"); | 301 | printk(KERN_ERR "SELinux: conflicting type rules.\n"); |
305 | goto err; | 302 | goto err; |
306 | } | 303 | } |
307 | } | 304 | } |
308 | } else { | 305 | } else { |
309 | if (avtab_search(&p->te_cond_avtab, k)) { | 306 | if (avtab_search(&p->te_cond_avtab, k)) { |
310 | printk("SELinux: conflicting type rules when adding type rule for true.\n"); | 307 | printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n"); |
311 | goto err; | 308 | goto err; |
312 | } | 309 | } |
313 | } | 310 | } |
@@ -315,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum | |||
315 | 312 | ||
316 | node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); | 313 | node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); |
317 | if (!node_ptr) { | 314 | if (!node_ptr) { |
318 | printk("SELinux: could not insert rule."); | 315 | printk(KERN_ERR "SELinux: could not insert rule.\n"); |
319 | goto err; | 316 | goto err; |
320 | } | 317 | } |
321 | 318 | ||
@@ -352,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list * | |||
352 | return -1; | 349 | return -1; |
353 | 350 | ||
354 | len = le32_to_cpu(buf[0]); | 351 | len = le32_to_cpu(buf[0]); |
355 | if (len == 0) { | 352 | if (len == 0) |
356 | return 0; | 353 | return 0; |
357 | } | ||
358 | 354 | ||
359 | data.p = p; | 355 | data.p = p; |
360 | data.other = other; | 356 | data.other = other; |
@@ -375,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list * | |||
375 | static int expr_isvalid(struct policydb *p, struct cond_expr *expr) | 371 | static int expr_isvalid(struct policydb *p, struct cond_expr *expr) |
376 | { | 372 | { |
377 | if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { | 373 | if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { |
378 | printk("SELinux: conditional expressions uses unknown operator.\n"); | 374 | printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n"); |
379 | return 0; | 375 | return 0; |
380 | } | 376 | } |
381 | 377 | ||
382 | if (expr->bool > p->p_bools.nprim) { | 378 | if (expr->bool > p->p_bools.nprim) { |
383 | printk("SELinux: conditional expressions uses unknown bool.\n"); | 379 | printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n"); |
384 | return 0; | 380 | return 0; |
385 | } | 381 | } |
386 | return 1; | 382 | return 1; |
@@ -407,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) | |||
407 | /* expr */ | 403 | /* expr */ |
408 | len = le32_to_cpu(buf[0]); | 404 | len = le32_to_cpu(buf[0]); |
409 | 405 | ||
410 | for (i = 0; i < len; i++ ) { | 406 | for (i = 0; i < len; i++) { |
411 | rc = next_entry(buf, fp, sizeof(u32) * 2); | 407 | rc = next_entry(buf, fp, sizeof(u32) * 2); |
412 | if (rc < 0) | 408 | if (rc < 0) |
413 | goto err; | 409 | goto err; |
414 | 410 | ||
415 | expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); | 411 | expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); |
416 | if (!expr) { | 412 | if (!expr) |
417 | goto err; | 413 | goto err; |
418 | } | ||
419 | 414 | ||
420 | expr->expr_type = le32_to_cpu(buf[0]); | 415 | expr->expr_type = le32_to_cpu(buf[0]); |
421 | expr->bool = le32_to_cpu(buf[1]); | 416 | expr->bool = le32_to_cpu(buf[1]); |
@@ -425,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) | |||
425 | goto err; | 420 | goto err; |
426 | } | 421 | } |
427 | 422 | ||
428 | if (i == 0) { | 423 | if (i == 0) |
429 | node->expr = expr; | 424 | node->expr = expr; |
430 | } else { | 425 | else |
431 | last->next = expr; | 426 | last->next = expr; |
432 | } | ||
433 | last = expr; | 427 | last = expr; |
434 | } | 428 | } |
435 | 429 | ||
@@ -468,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp) | |||
468 | if (cond_read_node(p, node, fp) != 0) | 462 | if (cond_read_node(p, node, fp) != 0) |
469 | goto err; | 463 | goto err; |
470 | 464 | ||
471 | if (i == 0) { | 465 | if (i == 0) |
472 | p->cond_list = node; | 466 | p->cond_list = node; |
473 | } else { | 467 | else |
474 | last->next = node; | 468 | last->next = node; |
475 | } | ||
476 | last = node; | 469 | last = node; |
477 | } | 470 | } |
478 | return 0; | 471 | return 0; |
@@ -489,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi | |||
489 | { | 482 | { |
490 | struct avtab_node *node; | 483 | struct avtab_node *node; |
491 | 484 | ||
492 | if(!ctab || !key || !avd) | 485 | if (!ctab || !key || !avd) |
493 | return; | 486 | return; |
494 | 487 | ||
495 | for(node = avtab_search_node(ctab, key); node != NULL; | 488 | for (node = avtab_search_node(ctab, key); node != NULL; |
496 | node = avtab_search_node_next(node, key->specified)) { | 489 | node = avtab_search_node_next(node, key->specified)) { |
497 | if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) == | 490 | if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) == |
498 | (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) | 491 | (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) |
499 | avd->allowed |= node->datum.data; | 492 | avd->allowed |= node->datum.data; |
500 | if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) == | 493 | if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) == |
501 | (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) | 494 | (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) |
502 | /* Since a '0' in an auditdeny mask represents a | 495 | /* Since a '0' in an auditdeny mask represents a |
503 | * permission we do NOT want to audit (dontaudit), we use | 496 | * permission we do NOT want to audit (dontaudit), we use |
504 | * the '&' operand to ensure that all '0's in the mask | 497 | * the '&' operand to ensure that all '0's in the mask |
505 | * are retained (much unlike the allow and auditallow cases). | 498 | * are retained (much unlike the allow and auditallow cases). |
506 | */ | 499 | */ |
507 | avd->auditdeny &= node->datum.data; | 500 | avd->auditdeny &= node->datum.data; |
508 | if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) == | 501 | if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) == |
509 | (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) | 502 | (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) |
510 | avd->auditallow |= node->datum.data; | 503 | avd->auditallow |= node->datum.data; |
511 | } | 504 | } |
512 | return; | 505 | return; |
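Review bot: expr_isvalid, at the reformatted `if (expr->bool > p->p_bools.nprim)`, still accepts `expr->bool == 0` even though bool values are 1-based in this file — cond_index_bool in the same section stores them at `booldatum->value - 1`. If the evaluator (not visible here) indexes bool_val_to_struct the same way, a boolean-operand node carrying 0 from a malformed policy would read one element before the array, and this commit only changed the log level of the check. For nodes whose expr_type is the boolean-operand type the lower bound should be rejected too, e.g. `if (expr->bool == 0 || expr->bool > p->p_bools.nprim)` guarded by that type, since operator nodes presumably leave the bool field unused; confirm which expression types consume the field before tightening. Policy load is root-only, so this is robustness hardening rather than a privilege boundary; expr_isvalid is fully visible in the hunk but cond_evaluate_expr is not.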
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c index e499af474b35..ddc275490af8 100644 --- a/security/selinux/ss/ebitmap.c +++ b/security/selinux/ss/ebitmap.c | |||
@@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp) | |||
411 | } | 411 | } |
412 | /* round down */ | 412 | /* round down */ |
413 | tmp->startbit = startbit - (startbit % EBITMAP_SIZE); | 413 | tmp->startbit = startbit - (startbit % EBITMAP_SIZE); |
414 | if (n) { | 414 | if (n) |
415 | n->next = tmp; | 415 | n->next = tmp; |
416 | } else { | 416 | else |
417 | e->node = tmp; | 417 | e->node = tmp; |
418 | } | ||
419 | n = tmp; | 418 | n = tmp; |
420 | } else if (startbit <= n->startbit) { | 419 | } else if (startbit <= n->startbit) { |
421 | printk(KERN_ERR "SELinux: ebitmap: start bit %d" | 420 | printk(KERN_ERR "SELinux: ebitmap: start bit %d" |
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c index 77b530c3bbce..2e7788e13213 100644 --- a/security/selinux/ss/hashtab.c +++ b/security/selinux/ss/hashtab.c | |||
@@ -9,8 +9,8 @@ | |||
9 | #include "hashtab.h" | 9 | #include "hashtab.h" |
10 | 10 | ||
11 | struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), | 11 | struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), |
12 | int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), | 12 | int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), |
13 | u32 size) | 13 | u32 size) |
14 | { | 14 | { |
15 | struct hashtab *p; | 15 | struct hashtab *p; |
16 | u32 i; | 16 | u32 i; |
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index feaf0a5b828f..8b1706b7b3cc 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
@@ -32,7 +32,7 @@ | |||
32 | * Return the length in bytes for the MLS fields of the | 32 | * Return the length in bytes for the MLS fields of the |
33 | * security context string representation of `context'. | 33 | * security context string representation of `context'. |
34 | */ | 34 | */ |
35 | int mls_compute_context_len(struct context * context) | 35 | int mls_compute_context_len(struct context *context) |
36 | { | 36 | { |
37 | int i, l, len, head, prev; | 37 | int i, l, len, head, prev; |
38 | char *nm; | 38 | char *nm; |
@@ -86,7 +86,7 @@ int mls_compute_context_len(struct context * context) | |||
86 | * Update `*scontext' to point to the end of the MLS fields. | 86 | * Update `*scontext' to point to the end of the MLS fields. |
87 | */ | 87 | */ |
88 | void mls_sid_to_context(struct context *context, | 88 | void mls_sid_to_context(struct context *context, |
89 | char **scontext) | 89 | char **scontext) |
90 | { | 90 | { |
91 | char *scontextp, *nm; | 91 | char *scontextp, *nm; |
92 | int i, l, head, prev; | 92 | int i, l, head, prev; |
@@ -146,7 +146,7 @@ void mls_sid_to_context(struct context *context, | |||
146 | 146 | ||
147 | if (l == 0) { | 147 | if (l == 0) { |
148 | if (mls_level_eq(&context->range.level[0], | 148 | if (mls_level_eq(&context->range.level[0], |
149 | &context->range.level[1])) | 149 | &context->range.level[1])) |
150 | break; | 150 | break; |
151 | else | 151 | else |
152 | *scontextp++ = '-'; | 152 | *scontextp++ = '-'; |
@@ -305,20 +305,21 @@ int mls_context_to_sid(char oldc, | |||
305 | *p++ = 0; | 305 | *p++ = 0; |
306 | 306 | ||
307 | /* Separate into range if exists */ | 307 | /* Separate into range if exists */ |
308 | if ((rngptr = strchr(scontextp, '.')) != NULL) { | 308 | rngptr = strchr(scontextp, '.'); |
309 | if (rngptr != NULL) { | ||
309 | /* Remove '.' */ | 310 | /* Remove '.' */ |
310 | *rngptr++ = 0; | 311 | *rngptr++ = 0; |
311 | } | 312 | } |
312 | 313 | ||
313 | catdatum = hashtab_search(policydb.p_cats.table, | 314 | catdatum = hashtab_search(policydb.p_cats.table, |
314 | scontextp); | 315 | scontextp); |
315 | if (!catdatum) { | 316 | if (!catdatum) { |
316 | rc = -EINVAL; | 317 | rc = -EINVAL; |
317 | goto out; | 318 | goto out; |
318 | } | 319 | } |
319 | 320 | ||
320 | rc = ebitmap_set_bit(&context->range.level[l].cat, | 321 | rc = ebitmap_set_bit(&context->range.level[l].cat, |
321 | catdatum->value - 1, 1); | 322 | catdatum->value - 1, 1); |
322 | if (rc) | 323 | if (rc) |
323 | goto out; | 324 | goto out; |
324 | 325 | ||
@@ -395,7 +396,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask) | |||
395 | rc = -ENOMEM; | 396 | rc = -ENOMEM; |
396 | } else { | 397 | } else { |
397 | rc = mls_context_to_sid(':', &tmpstr, context, | 398 | rc = mls_context_to_sid(':', &tmpstr, context, |
398 | NULL, SECSID_NULL); | 399 | NULL, SECSID_NULL); |
399 | kfree(freestr); | 400 | kfree(freestr); |
400 | } | 401 | } |
401 | 402 | ||
@@ -406,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask) | |||
406 | * Copies the MLS range `range' into `context'. | 407 | * Copies the MLS range `range' into `context'. |
407 | */ | 408 | */ |
408 | static inline int mls_range_set(struct context *context, | 409 | static inline int mls_range_set(struct context *context, |
409 | struct mls_range *range) | 410 | struct mls_range *range) |
410 | { | 411 | { |
411 | int l, rc = 0; | 412 | int l, rc = 0; |
412 | 413 | ||
@@ -423,7 +424,7 @@ static inline int mls_range_set(struct context *context, | |||
423 | } | 424 | } |
424 | 425 | ||
425 | int mls_setup_user_range(struct context *fromcon, struct user_datum *user, | 426 | int mls_setup_user_range(struct context *fromcon, struct user_datum *user, |
426 | struct context *usercon) | 427 | struct context *usercon) |
427 | { | 428 | { |
428 | if (selinux_mls_enabled) { | 429 | if (selinux_mls_enabled) { |
429 | struct mls_level *fromcon_sen = &(fromcon->range.level[0]); | 430 | struct mls_level *fromcon_sen = &(fromcon->range.level[0]); |
@@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user, | |||
449 | that of the user's default clearance (but | 450 | that of the user's default clearance (but |
450 | only if the "fromcon" clearance dominates | 451 | only if the "fromcon" clearance dominates |
451 | the user's computed sensitivity level) */ | 452 | the user's computed sensitivity level) */ |
452 | if (mls_level_dom(user_clr, fromcon_clr)) { | 453 | if (mls_level_dom(user_clr, fromcon_clr)) |
453 | *usercon_clr = *fromcon_clr; | 454 | *usercon_clr = *fromcon_clr; |
454 | } else if (mls_level_dom(fromcon_clr, user_clr)) { | 455 | else if (mls_level_dom(fromcon_clr, user_clr)) |
455 | *usercon_clr = *user_clr; | 456 | *usercon_clr = *user_clr; |
456 | } else | 457 | else |
457 | return -EINVAL; | 458 | return -EINVAL; |
458 | } | 459 | } |
459 | 460 | ||
@@ -525,7 +526,7 @@ int mls_compute_sid(struct context *scontext, | |||
525 | rtr->target_class == tclass) { | 526 | rtr->target_class == tclass) { |
526 | /* Set the range from the rule */ | 527 | /* Set the range from the rule */ |
527 | return mls_range_set(newcontext, | 528 | return mls_range_set(newcontext, |
528 | &rtr->target_range); | 529 | &rtr->target_range); |
529 | } | 530 | } |
530 | } | 531 | } |
531 | /* Fallthrough */ | 532 | /* Fallthrough */ |
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 6bdb0ff6a927..84f8cc73c7db 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c | |||
@@ -11,7 +11,7 @@ | |||
11 | * | 11 | * |
12 | * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> | 12 | * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> |
13 | * | 13 | * |
14 | * Added conditional policy language extensions | 14 | * Added conditional policy language extensions |
15 | * | 15 | * |
16 | * Updated: Hewlett-Packard <paul.moore@hp.com> | 16 | * Updated: Hewlett-Packard <paul.moore@hp.com> |
17 | * | 17 | * |
@@ -21,7 +21,7 @@ | |||
21 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. | 21 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. |
22 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC | 22 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC |
23 | * This program is free software; you can redistribute it and/or modify | 23 | * This program is free software; you can redistribute it and/or modify |
24 | * it under the terms of the GNU General Public License as published by | 24 | * it under the terms of the GNU General Public License as published by |
25 | * the Free Software Foundation, version 2. | 25 | * the Free Software Foundation, version 2. |
26 | */ | 26 | */ |
27 | 27 | ||
@@ -51,7 +51,7 @@ static char *symtab_name[SYM_NUM] = { | |||
51 | }; | 51 | }; |
52 | #endif | 52 | #endif |
53 | 53 | ||
54 | int selinux_mls_enabled = 0; | 54 | int selinux_mls_enabled; |
55 | 55 | ||
56 | static unsigned int symtab_sizes[SYM_NUM] = { | 56 | static unsigned int symtab_sizes[SYM_NUM] = { |
57 | 2, | 57 | 2, |
@@ -73,39 +73,39 @@ struct policydb_compat_info { | |||
73 | /* These need to be updated if SYM_NUM or OCON_NUM changes */ | 73 | /* These need to be updated if SYM_NUM or OCON_NUM changes */ |
74 | static struct policydb_compat_info policydb_compat[] = { | 74 | static struct policydb_compat_info policydb_compat[] = { |
75 | { | 75 | { |
76 | .version = POLICYDB_VERSION_BASE, | 76 | .version = POLICYDB_VERSION_BASE, |
77 | .sym_num = SYM_NUM - 3, | 77 | .sym_num = SYM_NUM - 3, |
78 | .ocon_num = OCON_NUM - 1, | 78 | .ocon_num = OCON_NUM - 1, |
79 | }, | 79 | }, |
80 | { | 80 | { |
81 | .version = POLICYDB_VERSION_BOOL, | 81 | .version = POLICYDB_VERSION_BOOL, |
82 | .sym_num = SYM_NUM - 2, | 82 | .sym_num = SYM_NUM - 2, |
83 | .ocon_num = OCON_NUM - 1, | 83 | .ocon_num = OCON_NUM - 1, |
84 | }, | 84 | }, |
85 | { | 85 | { |
86 | .version = POLICYDB_VERSION_IPV6, | 86 | .version = POLICYDB_VERSION_IPV6, |
87 | .sym_num = SYM_NUM - 2, | 87 | .sym_num = SYM_NUM - 2, |
88 | .ocon_num = OCON_NUM, | 88 | .ocon_num = OCON_NUM, |
89 | }, | 89 | }, |
90 | { | 90 | { |
91 | .version = POLICYDB_VERSION_NLCLASS, | 91 | .version = POLICYDB_VERSION_NLCLASS, |
92 | .sym_num = SYM_NUM - 2, | 92 | .sym_num = SYM_NUM - 2, |
93 | .ocon_num = OCON_NUM, | 93 | .ocon_num = OCON_NUM, |
94 | }, | 94 | }, |
95 | { | 95 | { |
96 | .version = POLICYDB_VERSION_MLS, | 96 | .version = POLICYDB_VERSION_MLS, |
97 | .sym_num = SYM_NUM, | 97 | .sym_num = SYM_NUM, |
98 | .ocon_num = OCON_NUM, | 98 | .ocon_num = OCON_NUM, |
99 | }, | 99 | }, |
100 | { | 100 | { |
101 | .version = POLICYDB_VERSION_AVTAB, | 101 | .version = POLICYDB_VERSION_AVTAB, |
102 | .sym_num = SYM_NUM, | 102 | .sym_num = SYM_NUM, |
103 | .ocon_num = OCON_NUM, | 103 | .ocon_num = OCON_NUM, |
104 | }, | 104 | }, |
105 | { | 105 | { |
106 | .version = POLICYDB_VERSION_RANGETRANS, | 106 | .version = POLICYDB_VERSION_RANGETRANS, |
107 | .sym_num = SYM_NUM, | 107 | .sym_num = SYM_NUM, |
108 | .ocon_num = OCON_NUM, | 108 | .ocon_num = OCON_NUM, |
109 | }, | 109 | }, |
110 | { | 110 | { |
111 | .version = POLICYDB_VERSION_POLCAP, | 111 | .version = POLICYDB_VERSION_POLCAP, |
@@ -152,7 +152,7 @@ static int roles_init(struct policydb *p) | |||
152 | rc = -EINVAL; | 152 | rc = -EINVAL; |
153 | goto out_free_role; | 153 | goto out_free_role; |
154 | } | 154 | } |
155 | key = kmalloc(strlen(OBJECT_R)+1,GFP_KERNEL); | 155 | key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL); |
156 | if (!key) { | 156 | if (!key) { |
157 | rc = -ENOMEM; | 157 | rc = -ENOMEM; |
158 | goto out_free_role; | 158 | goto out_free_role; |
@@ -390,7 +390,7 @@ static void symtab_hash_eval(struct symtab *s) | |||
390 | struct hashtab_info info; | 390 | struct hashtab_info info; |
391 | 391 | ||
392 | hashtab_stat(h, &info); | 392 | hashtab_stat(h, &info); |
393 | printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, " | 393 | printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " |
394 | "longest chain length %d\n", symtab_name[i], h->nel, | 394 | "longest chain length %d\n", symtab_name[i], h->nel, |
395 | info.slots_used, h->size, info.max_chain_len); | 395 | info.slots_used, h->size, info.max_chain_len); |
396 | } | 396 | } |
@@ -424,7 +424,7 @@ static int policydb_index_others(struct policydb *p) | |||
424 | 424 | ||
425 | p->role_val_to_struct = | 425 | p->role_val_to_struct = |
426 | kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), | 426 | kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), |
427 | GFP_KERNEL); | 427 | GFP_KERNEL); |
428 | if (!p->role_val_to_struct) { | 428 | if (!p->role_val_to_struct) { |
429 | rc = -ENOMEM; | 429 | rc = -ENOMEM; |
430 | goto out; | 430 | goto out; |
@@ -432,7 +432,7 @@ static int policydb_index_others(struct policydb *p) | |||
432 | 432 | ||
433 | p->user_val_to_struct = | 433 | p->user_val_to_struct = |
434 | kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), | 434 | kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), |
435 | GFP_KERNEL); | 435 | GFP_KERNEL); |
436 | if (!p->user_val_to_struct) { | 436 | if (!p->user_val_to_struct) { |
437 | rc = -ENOMEM; | 437 | rc = -ENOMEM; |
438 | goto out; | 438 | goto out; |
@@ -634,7 +634,7 @@ void policydb_destroy(struct policydb *p) | |||
634 | while (c) { | 634 | while (c) { |
635 | ctmp = c; | 635 | ctmp = c; |
636 | c = c->next; | 636 | c = c->next; |
637 | ocontext_destroy(ctmp,i); | 637 | ocontext_destroy(ctmp, i); |
638 | } | 638 | } |
639 | p->ocontexts[i] = NULL; | 639 | p->ocontexts[i] = NULL; |
640 | } | 640 | } |
@@ -647,7 +647,7 @@ void policydb_destroy(struct policydb *p) | |||
647 | while (c) { | 647 | while (c) { |
648 | ctmp = c; | 648 | ctmp = c; |
649 | c = c->next; | 649 | c = c->next; |
650 | ocontext_destroy(ctmp,OCON_FSUSE); | 650 | ocontext_destroy(ctmp, OCON_FSUSE); |
651 | } | 651 | } |
652 | gtmp = g; | 652 | gtmp = g; |
653 | g = g->next; | 653 | g = g->next; |
@@ -664,14 +664,14 @@ void policydb_destroy(struct policydb *p) | |||
664 | } | 664 | } |
665 | kfree(ltr); | 665 | kfree(ltr); |
666 | 666 | ||
667 | for (ra = p->role_allow; ra; ra = ra -> next) { | 667 | for (ra = p->role_allow; ra; ra = ra->next) { |
668 | cond_resched(); | 668 | cond_resched(); |
669 | kfree(lra); | 669 | kfree(lra); |
670 | lra = ra; | 670 | lra = ra; |
671 | } | 671 | } |
672 | kfree(lra); | 672 | kfree(lra); |
673 | 673 | ||
674 | for (rt = p->range_tr; rt; rt = rt -> next) { | 674 | for (rt = p->range_tr; rt; rt = rt->next) { |
675 | cond_resched(); | 675 | cond_resched(); |
676 | if (lrt) { | 676 | if (lrt) { |
677 | ebitmap_destroy(&lrt->target_range.level[0].cat); | 677 | ebitmap_destroy(&lrt->target_range.level[0].cat); |
@@ -924,7 +924,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp) | |||
924 | len = le32_to_cpu(buf[0]); | 924 | len = le32_to_cpu(buf[0]); |
925 | perdatum->value = le32_to_cpu(buf[1]); | 925 | perdatum->value = le32_to_cpu(buf[1]); |
926 | 926 | ||
927 | key = kmalloc(len + 1,GFP_KERNEL); | 927 | key = kmalloc(len + 1, GFP_KERNEL); |
928 | if (!key) { | 928 | if (!key) { |
929 | rc = -ENOMEM; | 929 | rc = -ENOMEM; |
930 | goto bad; | 930 | goto bad; |
@@ -971,7 +971,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp) | |||
971 | comdatum->permissions.nprim = le32_to_cpu(buf[2]); | 971 | comdatum->permissions.nprim = le32_to_cpu(buf[2]); |
972 | nel = le32_to_cpu(buf[3]); | 972 | nel = le32_to_cpu(buf[3]); |
973 | 973 | ||
974 | key = kmalloc(len + 1,GFP_KERNEL); | 974 | key = kmalloc(len + 1, GFP_KERNEL); |
975 | if (!key) { | 975 | if (!key) { |
976 | rc = -ENOMEM; | 976 | rc = -ENOMEM; |
977 | goto bad; | 977 | goto bad; |
@@ -998,7 +998,7 @@ bad: | |||
998 | } | 998 | } |
999 | 999 | ||
1000 | static int read_cons_helper(struct constraint_node **nodep, int ncons, | 1000 | static int read_cons_helper(struct constraint_node **nodep, int ncons, |
1001 | int allowxtarget, void *fp) | 1001 | int allowxtarget, void *fp) |
1002 | { | 1002 | { |
1003 | struct constraint_node *c, *lc; | 1003 | struct constraint_node *c, *lc; |
1004 | struct constraint_expr *e, *le; | 1004 | struct constraint_expr *e, *le; |
@@ -1012,11 +1012,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons, | |||
1012 | if (!c) | 1012 | if (!c) |
1013 | return -ENOMEM; | 1013 | return -ENOMEM; |
1014 | 1014 | ||
1015 | if (lc) { | 1015 | if (lc) |
1016 | lc->next = c; | 1016 | lc->next = c; |
1017 | } else { | 1017 | else |
1018 | *nodep = c; | 1018 | *nodep = c; |
1019 | } | ||
1020 | 1019 | ||
1021 | rc = next_entry(buf, fp, (sizeof(u32) * 2)); | 1020 | rc = next_entry(buf, fp, (sizeof(u32) * 2)); |
1022 | if (rc < 0) | 1021 | if (rc < 0) |
@@ -1030,11 +1029,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons, | |||
1030 | if (!e) | 1029 | if (!e) |
1031 | return -ENOMEM; | 1030 | return -ENOMEM; |
1032 | 1031 | ||
1033 | if (le) { | 1032 | if (le) |
1034 | le->next = e; | 1033 | le->next = e; |
1035 | } else { | 1034 | else |
1036 | c->expr = e; | 1035 | c->expr = e; |
1037 | } | ||
1038 | 1036 | ||
1039 | rc = next_entry(buf, fp, (sizeof(u32) * 3)); | 1037 | rc = next_entry(buf, fp, (sizeof(u32) * 3)); |
1040 | if (rc < 0) | 1038 | if (rc < 0) |
@@ -1111,7 +1109,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1111 | 1109 | ||
1112 | ncons = le32_to_cpu(buf[5]); | 1110 | ncons = le32_to_cpu(buf[5]); |
1113 | 1111 | ||
1114 | key = kmalloc(len + 1,GFP_KERNEL); | 1112 | key = kmalloc(len + 1, GFP_KERNEL); |
1115 | if (!key) { | 1113 | if (!key) { |
1116 | rc = -ENOMEM; | 1114 | rc = -ENOMEM; |
1117 | goto bad; | 1115 | goto bad; |
@@ -1122,7 +1120,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1122 | key[len] = 0; | 1120 | key[len] = 0; |
1123 | 1121 | ||
1124 | if (len2) { | 1122 | if (len2) { |
1125 | cladatum->comkey = kmalloc(len2 + 1,GFP_KERNEL); | 1123 | cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL); |
1126 | if (!cladatum->comkey) { | 1124 | if (!cladatum->comkey) { |
1127 | rc = -ENOMEM; | 1125 | rc = -ENOMEM; |
1128 | goto bad; | 1126 | goto bad; |
@@ -1195,7 +1193,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1195 | len = le32_to_cpu(buf[0]); | 1193 | len = le32_to_cpu(buf[0]); |
1196 | role->value = le32_to_cpu(buf[1]); | 1194 | role->value = le32_to_cpu(buf[1]); |
1197 | 1195 | ||
1198 | key = kmalloc(len + 1,GFP_KERNEL); | 1196 | key = kmalloc(len + 1, GFP_KERNEL); |
1199 | if (!key) { | 1197 | if (!key) { |
1200 | rc = -ENOMEM; | 1198 | rc = -ENOMEM; |
1201 | goto bad; | 1199 | goto bad; |
@@ -1215,7 +1213,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1215 | 1213 | ||
1216 | if (strcmp(key, OBJECT_R) == 0) { | 1214 | if (strcmp(key, OBJECT_R) == 0) { |
1217 | if (role->value != OBJECT_R_VAL) { | 1215 | if (role->value != OBJECT_R_VAL) { |
1218 | printk(KERN_ERR "Role %s has wrong value %d\n", | 1216 | printk(KERN_ERR "SELinux: Role %s has wrong value %d\n", |
1219 | OBJECT_R, role->value); | 1217 | OBJECT_R, role->value); |
1220 | rc = -EINVAL; | 1218 | rc = -EINVAL; |
1221 | goto bad; | 1219 | goto bad; |
@@ -1242,7 +1240,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1242 | __le32 buf[3]; | 1240 | __le32 buf[3]; |
1243 | u32 len; | 1241 | u32 len; |
1244 | 1242 | ||
1245 | typdatum = kzalloc(sizeof(*typdatum),GFP_KERNEL); | 1243 | typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL); |
1246 | if (!typdatum) { | 1244 | if (!typdatum) { |
1247 | rc = -ENOMEM; | 1245 | rc = -ENOMEM; |
1248 | return rc; | 1246 | return rc; |
@@ -1256,7 +1254,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1256 | typdatum->value = le32_to_cpu(buf[1]); | 1254 | typdatum->value = le32_to_cpu(buf[1]); |
1257 | typdatum->primary = le32_to_cpu(buf[2]); | 1255 | typdatum->primary = le32_to_cpu(buf[2]); |
1258 | 1256 | ||
1259 | key = kmalloc(len + 1,GFP_KERNEL); | 1257 | key = kmalloc(len + 1, GFP_KERNEL); |
1260 | if (!key) { | 1258 | if (!key) { |
1261 | rc = -ENOMEM; | 1259 | rc = -ENOMEM; |
1262 | goto bad; | 1260 | goto bad; |
@@ -1328,7 +1326,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1328 | len = le32_to_cpu(buf[0]); | 1326 | len = le32_to_cpu(buf[0]); |
1329 | usrdatum->value = le32_to_cpu(buf[1]); | 1327 | usrdatum->value = le32_to_cpu(buf[1]); |
1330 | 1328 | ||
1331 | key = kmalloc(len + 1,GFP_KERNEL); | 1329 | key = kmalloc(len + 1, GFP_KERNEL); |
1332 | if (!key) { | 1330 | if (!key) { |
1333 | rc = -ENOMEM; | 1331 | rc = -ENOMEM; |
1334 | goto bad; | 1332 | goto bad; |
@@ -1382,7 +1380,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1382 | len = le32_to_cpu(buf[0]); | 1380 | len = le32_to_cpu(buf[0]); |
1383 | levdatum->isalias = le32_to_cpu(buf[1]); | 1381 | levdatum->isalias = le32_to_cpu(buf[1]); |
1384 | 1382 | ||
1385 | key = kmalloc(len + 1,GFP_ATOMIC); | 1383 | key = kmalloc(len + 1, GFP_ATOMIC); |
1386 | if (!key) { | 1384 | if (!key) { |
1387 | rc = -ENOMEM; | 1385 | rc = -ENOMEM; |
1388 | goto bad; | 1386 | goto bad; |
@@ -1434,7 +1432,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1434 | catdatum->value = le32_to_cpu(buf[1]); | 1432 | catdatum->value = le32_to_cpu(buf[1]); |
1435 | catdatum->isalias = le32_to_cpu(buf[2]); | 1433 | catdatum->isalias = le32_to_cpu(buf[2]); |
1436 | 1434 | ||
1437 | key = kmalloc(len + 1,GFP_ATOMIC); | 1435 | key = kmalloc(len + 1, GFP_ATOMIC); |
1438 | if (!key) { | 1436 | if (!key) { |
1439 | rc = -ENOMEM; | 1437 | rc = -ENOMEM; |
1440 | goto bad; | 1438 | goto bad; |
@@ -1493,7 +1491,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1493 | goto out; | 1491 | goto out; |
1494 | 1492 | ||
1495 | /* Read the magic number and string length. */ | 1493 | /* Read the magic number and string length. */ |
1496 | rc = next_entry(buf, fp, sizeof(u32)* 2); | 1494 | rc = next_entry(buf, fp, sizeof(u32) * 2); |
1497 | if (rc < 0) | 1495 | if (rc < 0) |
1498 | goto bad; | 1496 | goto bad; |
1499 | 1497 | ||
@@ -1511,7 +1509,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1511 | len, strlen(POLICYDB_STRING)); | 1509 | len, strlen(POLICYDB_STRING)); |
1512 | goto bad; | 1510 | goto bad; |
1513 | } | 1511 | } |
1514 | policydb_str = kmalloc(len + 1,GFP_KERNEL); | 1512 | policydb_str = kmalloc(len + 1, GFP_KERNEL); |
1515 | if (!policydb_str) { | 1513 | if (!policydb_str) { |
1516 | printk(KERN_ERR "SELinux: unable to allocate memory for policydb " | 1514 | printk(KERN_ERR "SELinux: unable to allocate memory for policydb " |
1517 | "string of length %d\n", len); | 1515 | "string of length %d\n", len); |
@@ -1544,29 +1542,30 @@ int policydb_read(struct policydb *p, void *fp) | |||
1544 | if (p->policyvers < POLICYDB_VERSION_MIN || | 1542 | if (p->policyvers < POLICYDB_VERSION_MIN || |
1545 | p->policyvers > POLICYDB_VERSION_MAX) { | 1543 | p->policyvers > POLICYDB_VERSION_MAX) { |
1546 | printk(KERN_ERR "SELinux: policydb version %d does not match " | 1544 | printk(KERN_ERR "SELinux: policydb version %d does not match " |
1547 | "my version range %d-%d\n", | 1545 | "my version range %d-%d\n", |
1548 | le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); | 1546 | le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); |
1549 | goto bad; | 1547 | goto bad; |
1550 | } | 1548 | } |
1551 | 1549 | ||
1552 | if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { | 1550 | if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { |
1553 | if (ss_initialized && !selinux_mls_enabled) { | 1551 | if (ss_initialized && !selinux_mls_enabled) { |
1554 | printk(KERN_ERR "Cannot switch between non-MLS and MLS " | 1552 | printk(KERN_ERR "SELinux: Cannot switch between non-MLS" |
1555 | "policies\n"); | 1553 | " and MLS policies\n"); |
1556 | goto bad; | 1554 | goto bad; |
1557 | } | 1555 | } |
1558 | selinux_mls_enabled = 1; | 1556 | selinux_mls_enabled = 1; |
1559 | config |= POLICYDB_CONFIG_MLS; | 1557 | config |= POLICYDB_CONFIG_MLS; |
1560 | 1558 | ||
1561 | if (p->policyvers < POLICYDB_VERSION_MLS) { | 1559 | if (p->policyvers < POLICYDB_VERSION_MLS) { |
1562 | printk(KERN_ERR "security policydb version %d (MLS) " | 1560 | printk(KERN_ERR "SELinux: security policydb version %d " |
1563 | "not backwards compatible\n", p->policyvers); | 1561 | "(MLS) not backwards compatible\n", |
1562 | p->policyvers); | ||
1564 | goto bad; | 1563 | goto bad; |
1565 | } | 1564 | } |
1566 | } else { | 1565 | } else { |
1567 | if (ss_initialized && selinux_mls_enabled) { | 1566 | if (ss_initialized && selinux_mls_enabled) { |
1568 | printk(KERN_ERR "Cannot switch between MLS and non-MLS " | 1567 | printk(KERN_ERR "SELinux: Cannot switch between MLS and" |
1569 | "policies\n"); | 1568 | " non-MLS policies\n"); |
1570 | goto bad; | 1569 | goto bad; |
1571 | } | 1570 | } |
1572 | } | 1571 | } |
@@ -1633,11 +1632,10 @@ int policydb_read(struct policydb *p, void *fp) | |||
1633 | rc = -ENOMEM; | 1632 | rc = -ENOMEM; |
1634 | goto bad; | 1633 | goto bad; |
1635 | } | 1634 | } |
1636 | if (ltr) { | 1635 | if (ltr) |
1637 | ltr->next = tr; | 1636 | ltr->next = tr; |
1638 | } else { | 1637 | else |
1639 | p->role_tr = tr; | 1638 | p->role_tr = tr; |
1640 | } | ||
1641 | rc = next_entry(buf, fp, sizeof(u32)*3); | 1639 | rc = next_entry(buf, fp, sizeof(u32)*3); |
1642 | if (rc < 0) | 1640 | if (rc < 0) |
1643 | goto bad; | 1641 | goto bad; |
@@ -1664,11 +1662,10 @@ int policydb_read(struct policydb *p, void *fp) | |||
1664 | rc = -ENOMEM; | 1662 | rc = -ENOMEM; |
1665 | goto bad; | 1663 | goto bad; |
1666 | } | 1664 | } |
1667 | if (lra) { | 1665 | if (lra) |
1668 | lra->next = ra; | 1666 | lra->next = ra; |
1669 | } else { | 1667 | else |
1670 | p->role_allow = ra; | 1668 | p->role_allow = ra; |
1671 | } | ||
1672 | rc = next_entry(buf, fp, sizeof(u32)*2); | 1669 | rc = next_entry(buf, fp, sizeof(u32)*2); |
1673 | if (rc < 0) | 1670 | if (rc < 0) |
1674 | goto bad; | 1671 | goto bad; |
@@ -1702,11 +1699,10 @@ int policydb_read(struct policydb *p, void *fp) | |||
1702 | rc = -ENOMEM; | 1699 | rc = -ENOMEM; |
1703 | goto bad; | 1700 | goto bad; |
1704 | } | 1701 | } |
1705 | if (l) { | 1702 | if (l) |
1706 | l->next = c; | 1703 | l->next = c; |
1707 | } else { | 1704 | else |
1708 | p->ocontexts[i] = c; | 1705 | p->ocontexts[i] = c; |
1709 | } | ||
1710 | l = c; | 1706 | l = c; |
1711 | rc = -EINVAL; | 1707 | rc = -EINVAL; |
1712 | switch (i) { | 1708 | switch (i) { |
@@ -1725,7 +1721,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1725 | if (rc < 0) | 1721 | if (rc < 0) |
1726 | goto bad; | 1722 | goto bad; |
1727 | len = le32_to_cpu(buf[0]); | 1723 | len = le32_to_cpu(buf[0]); |
1728 | c->u.name = kmalloc(len + 1,GFP_KERNEL); | 1724 | c->u.name = kmalloc(len + 1, GFP_KERNEL); |
1729 | if (!c->u.name) { | 1725 | if (!c->u.name) { |
1730 | rc = -ENOMEM; | 1726 | rc = -ENOMEM; |
1731 | goto bad; | 1727 | goto bad; |
@@ -1753,7 +1749,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1753 | goto bad; | 1749 | goto bad; |
1754 | break; | 1750 | break; |
1755 | case OCON_NODE: | 1751 | case OCON_NODE: |
1756 | rc = next_entry(buf, fp, sizeof(u32)* 2); | 1752 | rc = next_entry(buf, fp, sizeof(u32) * 2); |
1757 | if (rc < 0) | 1753 | if (rc < 0) |
1758 | goto bad; | 1754 | goto bad; |
1759 | c->u.node.addr = le32_to_cpu(buf[0]); | 1755 | c->u.node.addr = le32_to_cpu(buf[0]); |
@@ -1770,7 +1766,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1770 | if (c->v.behavior > SECURITY_FS_USE_NONE) | 1766 | if (c->v.behavior > SECURITY_FS_USE_NONE) |
1771 | goto bad; | 1767 | goto bad; |
1772 | len = le32_to_cpu(buf[1]); | 1768 | len = le32_to_cpu(buf[1]); |
1773 | c->u.name = kmalloc(len + 1,GFP_KERNEL); | 1769 | c->u.name = kmalloc(len + 1, GFP_KERNEL); |
1774 | if (!c->u.name) { | 1770 | if (!c->u.name) { |
1775 | rc = -ENOMEM; | 1771 | rc = -ENOMEM; |
1776 | goto bad; | 1772 | goto bad; |
@@ -1818,7 +1814,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1818 | goto bad; | 1814 | goto bad; |
1819 | } | 1815 | } |
1820 | 1816 | ||
1821 | newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL); | 1817 | newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL); |
1822 | if (!newgenfs->fstype) { | 1818 | if (!newgenfs->fstype) { |
1823 | rc = -ENOMEM; | 1819 | rc = -ENOMEM; |
1824 | kfree(newgenfs); | 1820 | kfree(newgenfs); |
@@ -1864,7 +1860,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1864 | goto bad; | 1860 | goto bad; |
1865 | } | 1861 | } |
1866 | 1862 | ||
1867 | newc->u.name = kmalloc(len + 1,GFP_KERNEL); | 1863 | newc->u.name = kmalloc(len + 1, GFP_KERNEL); |
1868 | if (!newc->u.name) { | 1864 | if (!newc->u.name) { |
1869 | rc = -ENOMEM; | 1865 | rc = -ENOMEM; |
1870 | goto bad_newc; | 1866 | goto bad_newc; |
@@ -1968,7 +1964,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1968 | out: | 1964 | out: |
1969 | return rc; | 1965 | return rc; |
1970 | bad_newc: | 1966 | bad_newc: |
1971 | ocontext_destroy(newc,OCON_FSUSE); | 1967 | ocontext_destroy(newc, OCON_FSUSE); |
1972 | bad: | 1968 | bad: |
1973 | if (!rc) | 1969 | if (!rc) |
1974 | rc = -EINVAL; | 1970 | rc = -EINVAL; |
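Review bot: sens_read() and cat_read() still allocate the symbol key with `kmalloc(len + 1, GFP_ATOMIC)` (hunks @@ -1382 and @@ -1434) while every sibling reader this commit touches — perm_read, common_read, class_read, role_read, type_read, user_read — uses GFP_KERNEL for the identical allocation; the commit re-spaces these two lines but leaves the inconsistency in place. Policy parsing runs in the same process context as those neighbouring readers, so unless there is a reason not visible here, GFP_ATOMIC only draws on the emergency reserves and fails sooner under memory pressure; `key = kmalloc(len + 1, GFP_KERNEL);` would match the rest of the file. Separately, `len` in these readers comes straight from the policy image via le32_to_cpu() (declared u32 where visible, hunk @@ -1242) and is not range-checked before `len + 1` becomes the allocation size, so a value of 0xffffffff wraps to a zero-byte request — whether the following next_entry() read rejects the oversized length is not visible in these hunks, but an explicit bound on len before the allocation would make each reader self-contained. The enclosing functions begin and end outside the hunks.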
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index b341b8fd8c7c..2daaddbb301d 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -2,7 +2,7 @@ | |||
2 | * Implementation of the security services. | 2 | * Implementation of the security services. |
3 | * | 3 | * |
4 | * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> | 4 | * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> |
5 | * James Morris <jmorris@redhat.com> | 5 | * James Morris <jmorris@redhat.com> |
6 | * | 6 | * |
7 | * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> | 7 | * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> |
8 | * | 8 | * |
@@ -11,7 +11,7 @@ | |||
11 | * | 11 | * |
12 | * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> | 12 | * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> |
13 | * | 13 | * |
14 | * Added conditional policy language extensions | 14 | * Added conditional policy language extensions |
15 | * | 15 | * |
16 | * Updated: Hewlett-Packard <paul.moore@hp.com> | 16 | * Updated: Hewlett-Packard <paul.moore@hp.com> |
17 | * | 17 | * |
@@ -27,7 +27,7 @@ | |||
27 | * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC | 27 | * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC |
28 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | 28 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> |
29 | * This program is free software; you can redistribute it and/or modify | 29 | * This program is free software; you can redistribute it and/or modify |
30 | * it under the terms of the GNU General Public License as published by | 30 | * it under the terms of the GNU General Public License as published by |
31 | * the Free Software Foundation, version 2. | 31 | * the Free Software Foundation, version 2. |
32 | */ | 32 | */ |
33 | #include <linux/kernel.h> | 33 | #include <linux/kernel.h> |
@@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex); | |||
82 | 82 | ||
83 | static struct sidtab sidtab; | 83 | static struct sidtab sidtab; |
84 | struct policydb policydb; | 84 | struct policydb policydb; |
85 | int ss_initialized = 0; | 85 | int ss_initialized; |
86 | 86 | ||
87 | /* | 87 | /* |
88 | * The largest sequence number that has been used when | 88 | * The largest sequence number that has been used when |
@@ -90,7 +90,7 @@ int ss_initialized = 0; | |||
90 | * The sequence number only changes when a policy change | 90 | * The sequence number only changes when a policy change |
91 | * occurs. | 91 | * occurs. |
92 | */ | 92 | */ |
93 | static u32 latest_granting = 0; | 93 | static u32 latest_granting; |
94 | 94 | ||
95 | /* Forward declaration. */ | 95 | /* Forward declaration. */ |
96 | static int context_struct_to_string(struct context *context, char **scontext, | 96 | static int context_struct_to_string(struct context *context, char **scontext, |
@@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext, | |||
163 | val1 - 1); | 163 | val1 - 1); |
164 | continue; | 164 | continue; |
165 | case CEXPR_INCOMP: | 165 | case CEXPR_INCOMP: |
166 | s[++sp] = ( !ebitmap_get_bit(&r1->dominates, | 166 | s[++sp] = (!ebitmap_get_bit(&r1->dominates, |
167 | val2 - 1) && | 167 | val2 - 1) && |
168 | !ebitmap_get_bit(&r2->dominates, | 168 | !ebitmap_get_bit(&r2->dominates, |
169 | val1 - 1) ); | 169 | val1 - 1)); |
170 | continue; | 170 | continue; |
171 | default: | 171 | default: |
172 | break; | 172 | break; |
@@ -409,13 +409,14 @@ static int context_struct_compute_av(struct context *scontext, | |||
409 | } | 409 | } |
410 | if (!ra) | 410 | if (!ra) |
411 | avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | | 411 | avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | |
412 | PROCESS__DYNTRANSITION); | 412 | PROCESS__DYNTRANSITION); |
413 | } | 413 | } |
414 | 414 | ||
415 | return 0; | 415 | return 0; |
416 | 416 | ||
417 | inval_class: | 417 | inval_class: |
418 | printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass); | 418 | printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__, |
419 | tclass); | ||
419 | return -EINVAL; | 420 | return -EINVAL; |
420 | } | 421 | } |
421 | 422 | ||
@@ -445,9 +446,9 @@ int security_permissive_sid(u32 sid) | |||
445 | } | 446 | } |
446 | 447 | ||
447 | static int security_validtrans_handle_fail(struct context *ocontext, | 448 | static int security_validtrans_handle_fail(struct context *ocontext, |
448 | struct context *ncontext, | 449 | struct context *ncontext, |
449 | struct context *tcontext, | 450 | struct context *tcontext, |
450 | u16 tclass) | 451 | u16 tclass) |
451 | { | 452 | { |
452 | char *o = NULL, *n = NULL, *t = NULL; | 453 | char *o = NULL, *n = NULL, *t = NULL; |
453 | u32 olen, nlen, tlen; | 454 | u32 olen, nlen, tlen; |
@@ -459,9 +460,9 @@ static int security_validtrans_handle_fail(struct context *ocontext, | |||
459 | if (context_struct_to_string(tcontext, &t, &tlen) < 0) | 460 | if (context_struct_to_string(tcontext, &t, &tlen) < 0) |
460 | goto out; | 461 | goto out; |
461 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 462 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
462 | "security_validate_transition: denied for" | 463 | "security_validate_transition: denied for" |
463 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", | 464 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", |
464 | o, n, t, policydb.p_class_val_to_name[tclass-1]); | 465 | o, n, t, policydb.p_class_val_to_name[tclass-1]); |
465 | out: | 466 | out: |
466 | kfree(o); | 467 | kfree(o); |
467 | kfree(n); | 468 | kfree(n); |
@@ -473,7 +474,7 @@ out: | |||
473 | } | 474 | } |
474 | 475 | ||
475 | int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | 476 | int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, |
476 | u16 tclass) | 477 | u16 tclass) |
477 | { | 478 | { |
478 | struct context *ocontext; | 479 | struct context *ocontext; |
479 | struct context *ncontext; | 480 | struct context *ncontext; |
@@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |||
499 | tclass = SECCLASS_NETLINK_SOCKET; | 500 | tclass = SECCLASS_NETLINK_SOCKET; |
500 | 501 | ||
501 | if (!tclass || tclass > policydb.p_classes.nprim) { | 502 | if (!tclass || tclass > policydb.p_classes.nprim) { |
502 | printk(KERN_ERR "security_validate_transition: " | 503 | printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", |
503 | "unrecognized class %d\n", tclass); | 504 | __func__, tclass); |
504 | rc = -EINVAL; | 505 | rc = -EINVAL; |
505 | goto out; | 506 | goto out; |
506 | } | 507 | } |
@@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |||
508 | 509 | ||
509 | ocontext = sidtab_search(&sidtab, oldsid); | 510 | ocontext = sidtab_search(&sidtab, oldsid); |
510 | if (!ocontext) { | 511 | if (!ocontext) { |
511 | printk(KERN_ERR "security_validate_transition: " | 512 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
512 | " unrecognized SID %d\n", oldsid); | 513 | __func__, oldsid); |
513 | rc = -EINVAL; | 514 | rc = -EINVAL; |
514 | goto out; | 515 | goto out; |
515 | } | 516 | } |
516 | 517 | ||
517 | ncontext = sidtab_search(&sidtab, newsid); | 518 | ncontext = sidtab_search(&sidtab, newsid); |
518 | if (!ncontext) { | 519 | if (!ncontext) { |
519 | printk(KERN_ERR "security_validate_transition: " | 520 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
520 | " unrecognized SID %d\n", newsid); | 521 | __func__, newsid); |
521 | rc = -EINVAL; | 522 | rc = -EINVAL; |
522 | goto out; | 523 | goto out; |
523 | } | 524 | } |
524 | 525 | ||
525 | tcontext = sidtab_search(&sidtab, tasksid); | 526 | tcontext = sidtab_search(&sidtab, tasksid); |
526 | if (!tcontext) { | 527 | if (!tcontext) { |
527 | printk(KERN_ERR "security_validate_transition: " | 528 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
528 | " unrecognized SID %d\n", tasksid); | 529 | __func__, tasksid); |
529 | rc = -EINVAL; | 530 | rc = -EINVAL; |
530 | goto out; | 531 | goto out; |
531 | } | 532 | } |
@@ -533,9 +534,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |||
533 | constraint = tclass_datum->validatetrans; | 534 | constraint = tclass_datum->validatetrans; |
534 | while (constraint) { | 535 | while (constraint) { |
535 | if (!constraint_expr_eval(ocontext, ncontext, tcontext, | 536 | if (!constraint_expr_eval(ocontext, ncontext, tcontext, |
536 | constraint->expr)) { | 537 | constraint->expr)) { |
537 | rc = security_validtrans_handle_fail(ocontext, ncontext, | 538 | rc = security_validtrans_handle_fail(ocontext, ncontext, |
538 | tcontext, tclass); | 539 | tcontext, tclass); |
539 | goto out; | 540 | goto out; |
540 | } | 541 | } |
541 | constraint = constraint->next; | 542 | constraint = constraint->next; |
@@ -581,15 +582,15 @@ int security_compute_av(u32 ssid, | |||
581 | 582 | ||
582 | scontext = sidtab_search(&sidtab, ssid); | 583 | scontext = sidtab_search(&sidtab, ssid); |
583 | if (!scontext) { | 584 | if (!scontext) { |
584 | printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", | 585 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
585 | ssid); | 586 | __func__, ssid); |
586 | rc = -EINVAL; | 587 | rc = -EINVAL; |
587 | goto out; | 588 | goto out; |
588 | } | 589 | } |
589 | tcontext = sidtab_search(&sidtab, tsid); | 590 | tcontext = sidtab_search(&sidtab, tsid); |
590 | if (!tcontext) { | 591 | if (!tcontext) { |
591 | printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", | 592 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
592 | tsid); | 593 | __func__, tsid); |
593 | rc = -EINVAL; | 594 | rc = -EINVAL; |
594 | goto out; | 595 | goto out; |
595 | } | 596 | } |
@@ -623,9 +624,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 | |||
623 | 624 | ||
624 | /* Allocate space for the context; caller must free this space. */ | 625 | /* Allocate space for the context; caller must free this space. */ |
625 | scontextp = kmalloc(*scontext_len, GFP_ATOMIC); | 626 | scontextp = kmalloc(*scontext_len, GFP_ATOMIC); |
626 | if (!scontextp) { | 627 | if (!scontextp) |
627 | return -ENOMEM; | 628 | return -ENOMEM; |
628 | } | ||
629 | *scontext = scontextp; | 629 | *scontext = scontextp; |
630 | 630 | ||
631 | /* | 631 | /* |
@@ -636,8 +636,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 | |||
636 | policydb.p_role_val_to_name[context->role - 1], | 636 | policydb.p_role_val_to_name[context->role - 1], |
637 | policydb.p_type_val_to_name[context->type - 1]); | 637 | policydb.p_type_val_to_name[context->type - 1]); |
638 | scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + | 638 | scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + |
639 | 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + | 639 | 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + |
640 | 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); | 640 | 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); |
641 | 641 | ||
642 | mls_sid_to_context(context, &scontextp); | 642 | mls_sid_to_context(context, &scontextp); |
643 | 643 | ||
@@ -678,7 +678,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) | |||
678 | char *scontextp; | 678 | char *scontextp; |
679 | 679 | ||
680 | *scontext_len = strlen(initial_sid_to_string[sid]) + 1; | 680 | *scontext_len = strlen(initial_sid_to_string[sid]) + 1; |
681 | scontextp = kmalloc(*scontext_len,GFP_ATOMIC); | 681 | scontextp = kmalloc(*scontext_len, GFP_ATOMIC); |
682 | if (!scontextp) { | 682 | if (!scontextp) { |
683 | rc = -ENOMEM; | 683 | rc = -ENOMEM; |
684 | goto out; | 684 | goto out; |
@@ -687,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) | |||
687 | *scontext = scontextp; | 687 | *scontext = scontextp; |
688 | goto out; | 688 | goto out; |
689 | } | 689 | } |
690 | printk(KERN_ERR "security_sid_to_context: called before initial " | 690 | printk(KERN_ERR "SELinux: %s: called before initial " |
691 | "load_policy on unknown SID %d\n", sid); | 691 | "load_policy on unknown SID %d\n", __func__, sid); |
692 | rc = -EINVAL; | 692 | rc = -EINVAL; |
693 | goto out; | 693 | goto out; |
694 | } | 694 | } |
695 | POLICY_RDLOCK; | 695 | POLICY_RDLOCK; |
696 | context = sidtab_search(&sidtab, sid); | 696 | context = sidtab_search(&sidtab, sid); |
697 | if (!context) { | 697 | if (!context) { |
698 | printk(KERN_ERR "security_sid_to_context: unrecognized SID " | 698 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
699 | "%d\n", sid); | 699 | __func__, sid); |
700 | rc = -EINVAL; | 700 | rc = -EINVAL; |
701 | goto out_unlock; | 701 | goto out_unlock; |
702 | } | 702 | } |
@@ -926,15 +926,15 @@ static int security_compute_sid(u32 ssid, | |||
926 | 926 | ||
927 | scontext = sidtab_search(&sidtab, ssid); | 927 | scontext = sidtab_search(&sidtab, ssid); |
928 | if (!scontext) { | 928 | if (!scontext) { |
929 | printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", | 929 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
930 | ssid); | 930 | __func__, ssid); |
931 | rc = -EINVAL; | 931 | rc = -EINVAL; |
932 | goto out_unlock; | 932 | goto out_unlock; |
933 | } | 933 | } |
934 | tcontext = sidtab_search(&sidtab, tsid); | 934 | tcontext = sidtab_search(&sidtab, tsid); |
935 | if (!tcontext) { | 935 | if (!tcontext) { |
936 | printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", | 936 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
937 | tsid); | 937 | __func__, tsid); |
938 | rc = -EINVAL; | 938 | rc = -EINVAL; |
939 | goto out_unlock; | 939 | goto out_unlock; |
940 | } | 940 | } |
@@ -974,7 +974,7 @@ static int security_compute_sid(u32 ssid, | |||
974 | avdatum = avtab_search(&policydb.te_avtab, &avkey); | 974 | avdatum = avtab_search(&policydb.te_avtab, &avkey); |
975 | 975 | ||
976 | /* If no permanent rule, also check for enabled conditional rules */ | 976 | /* If no permanent rule, also check for enabled conditional rules */ |
977 | if(!avdatum) { | 977 | if (!avdatum) { |
978 | node = avtab_search_node(&policydb.te_cond_avtab, &avkey); | 978 | node = avtab_search_node(&policydb.te_cond_avtab, &avkey); |
979 | for (; node != NULL; node = avtab_search_node_next(node, specified)) { | 979 | for (; node != NULL; node = avtab_search_node_next(node, specified)) { |
980 | if (node->key.specified & AVTAB_ENABLED) { | 980 | if (node->key.specified & AVTAB_ENABLED) { |
@@ -1288,26 +1288,23 @@ static int convert_context(u32 key, | |||
1288 | 1288 | ||
1289 | /* Convert the user. */ | 1289 | /* Convert the user. */ |
1290 | usrdatum = hashtab_search(args->newp->p_users.table, | 1290 | usrdatum = hashtab_search(args->newp->p_users.table, |
1291 | args->oldp->p_user_val_to_name[c->user - 1]); | 1291 | args->oldp->p_user_val_to_name[c->user - 1]); |
1292 | if (!usrdatum) { | 1292 | if (!usrdatum) |
1293 | goto bad; | 1293 | goto bad; |
1294 | } | ||
1295 | c->user = usrdatum->value; | 1294 | c->user = usrdatum->value; |
1296 | 1295 | ||
1297 | /* Convert the role. */ | 1296 | /* Convert the role. */ |
1298 | role = hashtab_search(args->newp->p_roles.table, | 1297 | role = hashtab_search(args->newp->p_roles.table, |
1299 | args->oldp->p_role_val_to_name[c->role - 1]); | 1298 | args->oldp->p_role_val_to_name[c->role - 1]); |
1300 | if (!role) { | 1299 | if (!role) |
1301 | goto bad; | 1300 | goto bad; |
1302 | } | ||
1303 | c->role = role->value; | 1301 | c->role = role->value; |
1304 | 1302 | ||
1305 | /* Convert the type. */ | 1303 | /* Convert the type. */ |
1306 | typdatum = hashtab_search(args->newp->p_types.table, | 1304 | typdatum = hashtab_search(args->newp->p_types.table, |
1307 | args->oldp->p_type_val_to_name[c->type - 1]); | 1305 | args->oldp->p_type_val_to_name[c->type - 1]); |
1308 | if (!typdatum) { | 1306 | if (!typdatum) |
1309 | goto bad; | 1307 | goto bad; |
1310 | } | ||
1311 | c->type = typdatum->value; | 1308 | c->type = typdatum->value; |
1312 | 1309 | ||
1313 | rc = mls_convert_context(args->oldp, args->newp, c); | 1310 | rc = mls_convert_context(args->oldp, args->newp, c); |
@@ -1556,8 +1553,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) | |||
1556 | { | 1553 | { |
1557 | int i, fail = 0; | 1554 | int i, fail = 0; |
1558 | 1555 | ||
1559 | for(i = 0; i < 4; i++) | 1556 | for (i = 0; i < 4; i++) |
1560 | if(addr[i] != (input[i] & mask[i])) { | 1557 | if (addr[i] != (input[i] & mask[i])) { |
1561 | fail = 1; | 1558 | fail = 1; |
1562 | break; | 1559 | break; |
1563 | } | 1560 | } |
@@ -1656,7 +1653,7 @@ out: | |||
1656 | */ | 1653 | */ |
1657 | 1654 | ||
1658 | int security_get_user_sids(u32 fromsid, | 1655 | int security_get_user_sids(u32 fromsid, |
1659 | char *username, | 1656 | char *username, |
1660 | u32 **sids, | 1657 | u32 **sids, |
1661 | u32 *nel) | 1658 | u32 *nel) |
1662 | { | 1659 | { |
@@ -1766,7 +1763,7 @@ out: | |||
1766 | * transition SIDs or task SIDs. | 1763 | * transition SIDs or task SIDs. |
1767 | */ | 1764 | */ |
1768 | int security_genfs_sid(const char *fstype, | 1765 | int security_genfs_sid(const char *fstype, |
1769 | char *path, | 1766 | char *path, |
1770 | u16 sclass, | 1767 | u16 sclass, |
1771 | u32 *sid) | 1768 | u32 *sid) |
1772 | { | 1769 | { |
@@ -1881,7 +1878,7 @@ int security_get_bools(int *len, char ***names, int **values) | |||
1881 | goto out; | 1878 | goto out; |
1882 | } | 1879 | } |
1883 | 1880 | ||
1884 | *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); | 1881 | *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); |
1885 | if (!*names) | 1882 | if (!*names) |
1886 | goto err; | 1883 | goto err; |
1887 | 1884 | ||
@@ -1893,7 +1890,7 @@ int security_get_bools(int *len, char ***names, int **values) | |||
1893 | size_t name_len; | 1890 | size_t name_len; |
1894 | (*values)[i] = policydb.bool_val_to_struct[i]->state; | 1891 | (*values)[i] = policydb.bool_val_to_struct[i]->state; |
1895 | name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; | 1892 | name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; |
1896 | (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); | 1893 | (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); |
1897 | if (!(*names)[i]) | 1894 | if (!(*names)[i]) |
1898 | goto err; | 1895 | goto err; |
1899 | strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); | 1896 | strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); |
@@ -1938,11 +1935,10 @@ int security_set_bools(int len, int *values) | |||
1938 | audit_get_loginuid(current), | 1935 | audit_get_loginuid(current), |
1939 | audit_get_sessionid(current)); | 1936 | audit_get_sessionid(current)); |
1940 | } | 1937 | } |
1941 | if (values[i]) { | 1938 | if (values[i]) |
1942 | policydb.bool_val_to_struct[i]->state = 1; | 1939 | policydb.bool_val_to_struct[i]->state = 1; |
1943 | } else { | 1940 | else |
1944 | policydb.bool_val_to_struct[i]->state = 0; | 1941 | policydb.bool_val_to_struct[i]->state = 0; |
1945 | } | ||
1946 | } | 1942 | } |
1947 | 1943 | ||
1948 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { | 1944 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { |
@@ -2036,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) | |||
2036 | POLICY_RDLOCK; | 2032 | POLICY_RDLOCK; |
2037 | context1 = sidtab_search(&sidtab, sid); | 2033 | context1 = sidtab_search(&sidtab, sid); |
2038 | if (!context1) { | 2034 | if (!context1) { |
2039 | printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " | 2035 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
2040 | "%d\n", sid); | 2036 | __func__, sid); |
2041 | rc = -EINVAL; | 2037 | rc = -EINVAL; |
2042 | goto out_unlock; | 2038 | goto out_unlock; |
2043 | } | 2039 | } |
2044 | 2040 | ||
2045 | context2 = sidtab_search(&sidtab, mls_sid); | 2041 | context2 = sidtab_search(&sidtab, mls_sid); |
2046 | if (!context2) { | 2042 | if (!context2) { |
2047 | printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " | 2043 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
2048 | "%d\n", mls_sid); | 2044 | __func__, mls_sid); |
2049 | rc = -EINVAL; | 2045 | rc = -EINVAL; |
2050 | goto out_unlock; | 2046 | goto out_unlock; |
2051 | } | 2047 | } |
@@ -2136,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, | |||
2136 | 2132 | ||
2137 | nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); | 2133 | nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); |
2138 | if (!nlbl_ctx) { | 2134 | if (!nlbl_ctx) { |
2139 | printk(KERN_ERR | 2135 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
2140 | "security_sid_mls_cmp: unrecognized SID %d\n", | 2136 | __func__, nlbl_sid); |
2141 | nlbl_sid); | ||
2142 | rc = -EINVAL; | 2137 | rc = -EINVAL; |
2143 | goto out_slowpath; | 2138 | goto out_slowpath; |
2144 | } | 2139 | } |
2145 | xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); | 2140 | xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); |
2146 | if (!xfrm_ctx) { | 2141 | if (!xfrm_ctx) { |
2147 | printk(KERN_ERR | 2142 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
2148 | "security_sid_mls_cmp: unrecognized SID %d\n", | 2143 | __func__, xfrm_sid); |
2149 | xfrm_sid); | ||
2150 | rc = -EINVAL; | 2144 | rc = -EINVAL; |
2151 | goto out_slowpath; | 2145 | goto out_slowpath; |
2152 | } | 2146 | } |
@@ -2226,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms) | |||
2226 | 2220 | ||
2227 | match = hashtab_search(policydb.p_classes.table, class); | 2221 | match = hashtab_search(policydb.p_classes.table, class); |
2228 | if (!match) { | 2222 | if (!match) { |
2229 | printk(KERN_ERR "%s: unrecognized class %s\n", | 2223 | printk(KERN_ERR "SELinux: %s: unrecognized class %s\n", |
2230 | __func__, class); | 2224 | __func__, class); |
2231 | rc = -EINVAL; | 2225 | rc = -EINVAL; |
2232 | goto out; | 2226 | goto out; |
@@ -2435,7 +2429,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
2435 | 2429 | ||
2436 | if (!rule) { | 2430 | if (!rule) { |
2437 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 2431 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
2438 | "selinux_audit_rule_match: missing rule\n"); | 2432 | "selinux_audit_rule_match: missing rule\n"); |
2439 | return -ENOENT; | 2433 | return -ENOENT; |
2440 | } | 2434 | } |
2441 | 2435 | ||
@@ -2443,7 +2437,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
2443 | 2437 | ||
2444 | if (rule->au_seqno < latest_granting) { | 2438 | if (rule->au_seqno < latest_granting) { |
2445 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 2439 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
2446 | "selinux_audit_rule_match: stale rule\n"); | 2440 | "selinux_audit_rule_match: stale rule\n"); |
2447 | match = -ESTALE; | 2441 | match = -ESTALE; |
2448 | goto out; | 2442 | goto out; |
2449 | } | 2443 | } |
@@ -2451,8 +2445,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
2451 | ctxt = sidtab_search(&sidtab, sid); | 2445 | ctxt = sidtab_search(&sidtab, sid); |
2452 | if (!ctxt) { | 2446 | if (!ctxt) { |
2453 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 2447 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
2454 | "selinux_audit_rule_match: unrecognized SID %d\n", | 2448 | "selinux_audit_rule_match: unrecognized SID %d\n", |
2455 | sid); | 2449 | sid); |
2456 | match = -ENOENT; | 2450 | match = -ENOENT; |
2457 | goto out; | 2451 | goto out; |
2458 | } | 2452 | } |
@@ -2498,36 +2492,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
2498 | case AUDIT_OBJ_LEV_LOW: | 2492 | case AUDIT_OBJ_LEV_LOW: |
2499 | case AUDIT_OBJ_LEV_HIGH: | 2493 | case AUDIT_OBJ_LEV_HIGH: |
2500 | level = ((field == AUDIT_SUBJ_SEN || | 2494 | level = ((field == AUDIT_SUBJ_SEN || |
2501 | field == AUDIT_OBJ_LEV_LOW) ? | 2495 | field == AUDIT_OBJ_LEV_LOW) ? |
2502 | &ctxt->range.level[0] : &ctxt->range.level[1]); | 2496 | &ctxt->range.level[0] : &ctxt->range.level[1]); |
2503 | switch (op) { | 2497 | switch (op) { |
2504 | case AUDIT_EQUAL: | 2498 | case AUDIT_EQUAL: |
2505 | match = mls_level_eq(&rule->au_ctxt.range.level[0], | 2499 | match = mls_level_eq(&rule->au_ctxt.range.level[0], |
2506 | level); | 2500 | level); |
2507 | break; | 2501 | break; |
2508 | case AUDIT_NOT_EQUAL: | 2502 | case AUDIT_NOT_EQUAL: |
2509 | match = !mls_level_eq(&rule->au_ctxt.range.level[0], | 2503 | match = !mls_level_eq(&rule->au_ctxt.range.level[0], |
2510 | level); | 2504 | level); |
2511 | break; | 2505 | break; |
2512 | case AUDIT_LESS_THAN: | 2506 | case AUDIT_LESS_THAN: |
2513 | match = (mls_level_dom(&rule->au_ctxt.range.level[0], | 2507 | match = (mls_level_dom(&rule->au_ctxt.range.level[0], |
2514 | level) && | 2508 | level) && |
2515 | !mls_level_eq(&rule->au_ctxt.range.level[0], | 2509 | !mls_level_eq(&rule->au_ctxt.range.level[0], |
2516 | level)); | 2510 | level)); |
2517 | break; | 2511 | break; |
2518 | case AUDIT_LESS_THAN_OR_EQUAL: | 2512 | case AUDIT_LESS_THAN_OR_EQUAL: |
2519 | match = mls_level_dom(&rule->au_ctxt.range.level[0], | 2513 | match = mls_level_dom(&rule->au_ctxt.range.level[0], |
2520 | level); | 2514 | level); |
2521 | break; | 2515 | break; |
2522 | case AUDIT_GREATER_THAN: | 2516 | case AUDIT_GREATER_THAN: |
2523 | match = (mls_level_dom(level, | 2517 | match = (mls_level_dom(level, |
2524 | &rule->au_ctxt.range.level[0]) && | 2518 | &rule->au_ctxt.range.level[0]) && |
2525 | !mls_level_eq(level, | 2519 | !mls_level_eq(level, |
2526 | &rule->au_ctxt.range.level[0])); | 2520 | &rule->au_ctxt.range.level[0])); |
2527 | break; | 2521 | break; |
2528 | case AUDIT_GREATER_THAN_OR_EQUAL: | 2522 | case AUDIT_GREATER_THAN_OR_EQUAL: |
2529 | match = mls_level_dom(level, | 2523 | match = mls_level_dom(level, |
2530 | &rule->au_ctxt.range.level[0]); | 2524 | &rule->au_ctxt.range.level[0]); |
2531 | break; | 2525 | break; |
2532 | } | 2526 | } |
2533 | } | 2527 | } |
@@ -2554,7 +2548,7 @@ static int __init aurule_init(void) | |||
2554 | int err; | 2548 | int err; |
2555 | 2549 | ||
2556 | err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, | 2550 | err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, |
2557 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); | 2551 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); |
2558 | if (err) | 2552 | if (err) |
2559 | panic("avc_add_callback() failed, error %d\n", err); | 2553 | panic("avc_add_callback() failed, error %d\n", err); |
2560 | 2554 | ||
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index 53a54a77f1f8..4a516ff4bcde 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c | |||
@@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s, | |||
156 | while (cur != NULL) { | 156 | while (cur != NULL) { |
157 | ret = apply(cur->sid, &cur->context, args); | 157 | ret = apply(cur->sid, &cur->context, args); |
158 | if (ret) { | 158 | if (ret) { |
159 | if (last) { | 159 | if (last) |
160 | last->next = cur->next; | 160 | last->next = cur->next; |
161 | } else { | 161 | else |
162 | s->htable[i] = cur->next; | 162 | s->htable[i] = cur->next; |
163 | } | ||
164 | |||
165 | temp = cur; | 163 | temp = cur; |
166 | cur = cur->next; | 164 | cur = cur->next; |
167 | context_destroy(&temp->context); | 165 | context_destroy(&temp->context); |