aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/ss
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/avtab.c48
-rw-r--r--security/selinux/ss/conditional.c73
-rw-r--r--security/selinux/ss/ebitmap.c5
-rw-r--r--security/selinux/ss/hashtab.c4
-rw-r--r--security/selinux/ss/mls.c27
-rw-r--r--security/selinux/ss/policydb.c148
-rw-r--r--security/selinux/ss/services.c178
-rw-r--r--security/selinux/ss/sidtab.c6
8 files changed, 235 insertions, 254 deletions
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 916e73a18bc5..9e6626362bfd 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -6,15 +6,15 @@
6 6
7/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 7/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
8 * 8 *
9 * Added conditional policy language extensions 9 * Added conditional policy language extensions
10 * 10 *
11 * Copyright (C) 2003 Tresys Technology, LLC 11 * Copyright (C) 2003 Tresys Technology, LLC
12 * This program is free software; you can redistribute it and/or modify 12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by 13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation, version 2. 14 * the Free Software Foundation, version 2.
15 * 15 *
16 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> 16 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
17 * Tuned number of hash slots for avtab to reduce memory usage 17 * Tuned number of hash slots for avtab to reduce memory usage
18 */ 18 */
19 19
20#include <linux/kernel.h> 20#include <linux/kernel.h>
@@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
33 33
34static struct avtab_node* 34static struct avtab_node*
35avtab_insert_node(struct avtab *h, int hvalue, 35avtab_insert_node(struct avtab *h, int hvalue,
36 struct avtab_node * prev, struct avtab_node * cur, 36 struct avtab_node *prev, struct avtab_node *cur,
37 struct avtab_key *key, struct avtab_datum *datum) 37 struct avtab_key *key, struct avtab_datum *datum)
38{ 38{
39 struct avtab_node * newnode; 39 struct avtab_node *newnode;
40 newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL); 40 newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
41 if (newnode == NULL) 41 if (newnode == NULL)
42 return NULL; 42 return NULL;
@@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
84 } 84 }
85 85
86 newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); 86 newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
87 if(!newnode) 87 if (!newnode)
88 return -ENOMEM; 88 return -ENOMEM;
89 89
90 return 0; 90 return 0;
@@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
95 * It also returns a pointer to the node inserted. 95 * It also returns a pointer to the node inserted.
96 */ 96 */
97struct avtab_node * 97struct avtab_node *
98avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_datum * datum) 98avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum)
99{ 99{
100 int hvalue; 100 int hvalue;
101 struct avtab_node *prev, *cur, *newnode; 101 struct avtab_node *prev, *cur, *newnode;
@@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag)
310 } 310 }
311 } 311 }
312 312
313 printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " 313 printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
314 "chain length %d sum of chain length^2 %Lu\n", 314 "longest chain length %d sum of chain length^2 %Lu\n",
315 tag, h->nel, slots_used, h->nslot, max_chain_len, 315 tag, h->nel, slots_used, h->nslot, max_chain_len,
316 chain2_len_sum); 316 chain2_len_sum);
317} 317}
@@ -326,7 +326,7 @@ static uint16_t spec_order[] = {
326}; 326};
327 327
328int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, 328int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
329 int (*insertf)(struct avtab *a, struct avtab_key *k, 329 int (*insertf)(struct avtab *a, struct avtab_key *k,
330 struct avtab_datum *d, void *p), 330 struct avtab_datum *d, void *p),
331 void *p) 331 void *p)
332{ 332{
@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
364 val = le32_to_cpu(buf32[items++]); 364 val = le32_to_cpu(buf32[items++]);
365 key.source_type = (u16)val; 365 key.source_type = (u16)val;
366 if (key.source_type != val) { 366 if (key.source_type != val) {
367 printk("SELinux: avtab: truncated source type\n"); 367 printk(KERN_ERR "SELinux: avtab: truncated source type\n");
368 return -1; 368 return -1;
369 } 369 }
370 val = le32_to_cpu(buf32[items++]); 370 val = le32_to_cpu(buf32[items++]);
371 key.target_type = (u16)val; 371 key.target_type = (u16)val;
372 if (key.target_type != val) { 372 if (key.target_type != val) {
373 printk("SELinux: avtab: truncated target type\n"); 373 printk(KERN_ERR "SELinux: avtab: truncated target type\n");
374 return -1; 374 return -1;
375 } 375 }
376 val = le32_to_cpu(buf32[items++]); 376 val = le32_to_cpu(buf32[items++]);
377 key.target_class = (u16)val; 377 key.target_class = (u16)val;
378 if (key.target_class != val) { 378 if (key.target_class != val) {
379 printk("SELinux: avtab: truncated target class\n"); 379 printk(KERN_ERR "SELinux: avtab: truncated target class\n");
380 return -1; 380 return -1;
381 } 381 }
382 382
@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
384 enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; 384 enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
385 385
386 if (!(val & (AVTAB_AV | AVTAB_TYPE))) { 386 if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
387 printk("SELinux: avtab: null entry\n"); 387 printk(KERN_ERR "SELinux: avtab: null entry\n");
388 return -1; 388 return -1;
389 } 389 }
390 if ((val & AVTAB_AV) && 390 if ((val & AVTAB_AV) &&
391 (val & AVTAB_TYPE)) { 391 (val & AVTAB_TYPE)) {
392 printk("SELinux: avtab: entry has both access vectors and types\n"); 392 printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
393 return -1; 393 return -1;
394 } 394 }
395 395
@@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
398 key.specified = spec_order[i] | enabled; 398 key.specified = spec_order[i] | enabled;
399 datum.data = le32_to_cpu(buf32[items++]); 399 datum.data = le32_to_cpu(buf32[items++]);
400 rc = insertf(a, &key, &datum, p); 400 rc = insertf(a, &key, &datum, p);
401 if (rc) return rc; 401 if (rc)
402 return rc;
402 } 403 }
403 } 404 }
404 405
405 if (items != items2) { 406 if (items != items2) {
406 printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items); 407 printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
407 return -1; 408 return -1;
408 } 409 }
409 return 0; 410 return 0;
@@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
411 412
412 rc = next_entry(buf16, fp, sizeof(u16)*4); 413 rc = next_entry(buf16, fp, sizeof(u16)*4);
413 if (rc < 0) { 414 if (rc < 0) {
414 printk("SELinux: avtab: truncated entry\n"); 415 printk(KERN_ERR "SELinux: avtab: truncated entry\n");
415 return -1; 416 return -1;
416 } 417 }
417 418
@@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
424 if (!policydb_type_isvalid(pol, key.source_type) || 425 if (!policydb_type_isvalid(pol, key.source_type) ||
425 !policydb_type_isvalid(pol, key.target_type) || 426 !policydb_type_isvalid(pol, key.target_type) ||
426 !policydb_class_isvalid(pol, key.target_class)) { 427 !policydb_class_isvalid(pol, key.target_class)) {
427 printk(KERN_WARNING "SELinux: avtab: invalid type or class\n"); 428 printk(KERN_ERR "SELinux: avtab: invalid type or class\n");
428 return -1; 429 return -1;
429 } 430 }
430 431
@@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
434 set++; 435 set++;
435 } 436 }
436 if (!set || set > 1) { 437 if (!set || set > 1) {
437 printk(KERN_WARNING 438 printk(KERN_ERR "SELinux: avtab: more than one specifier\n");
438 "SELinux: avtab: more than one specifier\n");
439 return -1; 439 return -1;
440 } 440 }
441 441
442 rc = next_entry(buf32, fp, sizeof(u32)); 442 rc = next_entry(buf32, fp, sizeof(u32));
443 if (rc < 0) { 443 if (rc < 0) {
444 printk("SELinux: avtab: truncated entry\n"); 444 printk(KERN_ERR "SELinux: avtab: truncated entry\n");
445 return -1; 445 return -1;
446 } 446 }
447 datum.data = le32_to_cpu(*buf32); 447 datum.data = le32_to_cpu(*buf32);
448 if ((key.specified & AVTAB_TYPE) && 448 if ((key.specified & AVTAB_TYPE) &&
449 !policydb_type_isvalid(pol, datum.data)) { 449 !policydb_type_isvalid(pol, datum.data)) {
450 printk(KERN_WARNING "SELinux: avtab: invalid type\n"); 450 printk(KERN_ERR "SELinux: avtab: invalid type\n");
451 return -1; 451 return -1;
452 } 452 }
453 return insertf(a, &key, &datum, p); 453 return insertf(a, &key, &datum, p);
@@ -513,5 +513,5 @@ void avtab_cache_init(void)
513 513
514void avtab_cache_destroy(void) 514void avtab_cache_destroy(void)
515{ 515{
516 kmem_cache_destroy (avtab_node_cachep); 516 kmem_cache_destroy(avtab_node_cachep);
517} 517}
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index da0566c4f329..fb4efe4f4bc8 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -1,9 +1,9 @@
1/* Authors: Karl MacMillan <kmacmillan@tresys.com> 1/* Authors: Karl MacMillan <kmacmillan@tresys.com>
2 * Frank Mayer <mayerf@tresys.com> 2 * Frank Mayer <mayerf@tresys.com>
3 * 3 *
4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
5 * This program is free software; you can redistribute it and/or modify 5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by 6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, version 2. 7 * the Free Software Foundation, version 2.
8 */ 8 */
9 9
@@ -89,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
89int evaluate_cond_node(struct policydb *p, struct cond_node *node) 89int evaluate_cond_node(struct policydb *p, struct cond_node *node)
90{ 90{
91 int new_state; 91 int new_state;
92 struct cond_av_list* cur; 92 struct cond_av_list *cur;
93 93
94 new_state = cond_evaluate_expr(p, node->expr); 94 new_state = cond_evaluate_expr(p, node->expr);
95 if (new_state != node->cur_state) { 95 if (new_state != node->cur_state) {
@@ -98,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
98 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); 98 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
99 /* turn the rules on or off */ 99 /* turn the rules on or off */
100 for (cur = node->true_list; cur != NULL; cur = cur->next) { 100 for (cur = node->true_list; cur != NULL; cur = cur->next) {
101 if (new_state <= 0) { 101 if (new_state <= 0)
102 cur->node->key.specified &= ~AVTAB_ENABLED; 102 cur->node->key.specified &= ~AVTAB_ENABLED;
103 } else { 103 else
104 cur->node->key.specified |= AVTAB_ENABLED; 104 cur->node->key.specified |= AVTAB_ENABLED;
105 }
106 } 105 }
107 106
108 for (cur = node->false_list; cur != NULL; cur = cur->next) { 107 for (cur = node->false_list; cur != NULL; cur = cur->next) {
109 /* -1 or 1 */ 108 /* -1 or 1 */
110 if (new_state) { 109 if (new_state)
111 cur->node->key.specified &= ~AVTAB_ENABLED; 110 cur->node->key.specified &= ~AVTAB_ENABLED;
112 } else { 111 else
113 cur->node->key.specified |= AVTAB_ENABLED; 112 cur->node->key.specified |= AVTAB_ENABLED;
114 }
115 } 113 }
116 } 114 }
117 return 0; 115 return 0;
@@ -173,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p)
173int cond_init_bool_indexes(struct policydb *p) 171int cond_init_bool_indexes(struct policydb *p)
174{ 172{
175 kfree(p->bool_val_to_struct); 173 kfree(p->bool_val_to_struct);
176 p->bool_val_to_struct = (struct cond_bool_datum**) 174 p->bool_val_to_struct = (struct cond_bool_datum **)
177 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL); 175 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
178 if (!p->bool_val_to_struct) 176 if (!p->bool_val_to_struct)
179 return -1; 177 return -1;
180 return 0; 178 return 0;
@@ -199,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
199 return -EINVAL; 197 return -EINVAL;
200 198
201 p->p_bool_val_to_name[booldatum->value - 1] = key; 199 p->p_bool_val_to_name[booldatum->value - 1] = key;
202 p->bool_val_to_struct[booldatum->value -1] = booldatum; 200 p->bool_val_to_struct[booldatum->value - 1] = booldatum;
203 201
204 return 0; 202 return 0;
205} 203}
@@ -251,8 +249,7 @@ err:
251 return -1; 249 return -1;
252} 250}
253 251
254struct cond_insertf_data 252struct cond_insertf_data {
255{
256 struct policydb *p; 253 struct policydb *p;
257 struct cond_av_list *other; 254 struct cond_av_list *other;
258 struct cond_av_list *head; 255 struct cond_av_list *head;
@@ -275,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
275 */ 272 */
276 if (k->specified & AVTAB_TYPE) { 273 if (k->specified & AVTAB_TYPE) {
277 if (avtab_search(&p->te_avtab, k)) { 274 if (avtab_search(&p->te_avtab, k)) {
278 printk("SELinux: type rule already exists outside of a conditional."); 275 printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
279 goto err; 276 goto err;
280 } 277 }
281 /* 278 /*
@@ -290,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
290 node_ptr = avtab_search_node(&p->te_cond_avtab, k); 287 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
291 if (node_ptr) { 288 if (node_ptr) {
292 if (avtab_search_node_next(node_ptr, k->specified)) { 289 if (avtab_search_node_next(node_ptr, k->specified)) {
293 printk("SELinux: too many conflicting type rules."); 290 printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
294 goto err; 291 goto err;
295 } 292 }
296 found = 0; 293 found = 0;
@@ -301,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
301 } 298 }
302 } 299 }
303 if (!found) { 300 if (!found) {
304 printk("SELinux: conflicting type rules.\n"); 301 printk(KERN_ERR "SELinux: conflicting type rules.\n");
305 goto err; 302 goto err;
306 } 303 }
307 } 304 }
308 } else { 305 } else {
309 if (avtab_search(&p->te_cond_avtab, k)) { 306 if (avtab_search(&p->te_cond_avtab, k)) {
310 printk("SELinux: conflicting type rules when adding type rule for true.\n"); 307 printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
311 goto err; 308 goto err;
312 } 309 }
313 } 310 }
@@ -315,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
315 312
316 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); 313 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
317 if (!node_ptr) { 314 if (!node_ptr) {
318 printk("SELinux: could not insert rule."); 315 printk(KERN_ERR "SELinux: could not insert rule.\n");
319 goto err; 316 goto err;
320 } 317 }
321 318
@@ -352,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
352 return -1; 349 return -1;
353 350
354 len = le32_to_cpu(buf[0]); 351 len = le32_to_cpu(buf[0]);
355 if (len == 0) { 352 if (len == 0)
356 return 0; 353 return 0;
357 }
358 354
359 data.p = p; 355 data.p = p;
360 data.other = other; 356 data.other = other;
@@ -375,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
375static int expr_isvalid(struct policydb *p, struct cond_expr *expr) 371static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
376{ 372{
377 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { 373 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
378 printk("SELinux: conditional expressions uses unknown operator.\n"); 374 printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
379 return 0; 375 return 0;
380 } 376 }
381 377
382 if (expr->bool > p->p_bools.nprim) { 378 if (expr->bool > p->p_bools.nprim) {
383 printk("SELinux: conditional expressions uses unknown bool.\n"); 379 printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
384 return 0; 380 return 0;
385 } 381 }
386 return 1; 382 return 1;
@@ -407,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
407 /* expr */ 403 /* expr */
408 len = le32_to_cpu(buf[0]); 404 len = le32_to_cpu(buf[0]);
409 405
410 for (i = 0; i < len; i++ ) { 406 for (i = 0; i < len; i++) {
411 rc = next_entry(buf, fp, sizeof(u32) * 2); 407 rc = next_entry(buf, fp, sizeof(u32) * 2);
412 if (rc < 0) 408 if (rc < 0)
413 goto err; 409 goto err;
414 410
415 expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); 411 expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
416 if (!expr) { 412 if (!expr)
417 goto err; 413 goto err;
418 }
419 414
420 expr->expr_type = le32_to_cpu(buf[0]); 415 expr->expr_type = le32_to_cpu(buf[0]);
421 expr->bool = le32_to_cpu(buf[1]); 416 expr->bool = le32_to_cpu(buf[1]);
@@ -425,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
425 goto err; 420 goto err;
426 } 421 }
427 422
428 if (i == 0) { 423 if (i == 0)
429 node->expr = expr; 424 node->expr = expr;
430 } else { 425 else
431 last->next = expr; 426 last->next = expr;
432 }
433 last = expr; 427 last = expr;
434 } 428 }
435 429
@@ -468,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp)
468 if (cond_read_node(p, node, fp) != 0) 462 if (cond_read_node(p, node, fp) != 0)
469 goto err; 463 goto err;
470 464
471 if (i == 0) { 465 if (i == 0)
472 p->cond_list = node; 466 p->cond_list = node;
473 } else { 467 else
474 last->next = node; 468 last->next = node;
475 }
476 last = node; 469 last = node;
477 } 470 }
478 return 0; 471 return 0;
@@ -489,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
489{ 482{
490 struct avtab_node *node; 483 struct avtab_node *node;
491 484
492 if(!ctab || !key || !avd) 485 if (!ctab || !key || !avd)
493 return; 486 return;
494 487
495 for(node = avtab_search_node(ctab, key); node != NULL; 488 for (node = avtab_search_node(ctab, key); node != NULL;
496 node = avtab_search_node_next(node, key->specified)) { 489 node = avtab_search_node_next(node, key->specified)) {
497 if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) == 490 if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
498 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) 491 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
499 avd->allowed |= node->datum.data; 492 avd->allowed |= node->datum.data;
500 if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) == 493 if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
501 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) 494 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
502 /* Since a '0' in an auditdeny mask represents a 495 /* Since a '0' in an auditdeny mask represents a
503 * permission we do NOT want to audit (dontaudit), we use 496 * permission we do NOT want to audit (dontaudit), we use
504 * the '&' operand to ensure that all '0's in the mask 497 * the '&' operand to ensure that all '0's in the mask
505 * are retained (much unlike the allow and auditallow cases). 498 * are retained (much unlike the allow and auditallow cases).
506 */ 499 */
507 avd->auditdeny &= node->datum.data; 500 avd->auditdeny &= node->datum.data;
508 if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) == 501 if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
509 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) 502 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
510 avd->auditallow |= node->datum.data; 503 avd->auditallow |= node->datum.data;
511 } 504 }
512 return; 505 return;
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index e499af474b35..ddc275490af8 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp)
411 } 411 }
412 /* round down */ 412 /* round down */
413 tmp->startbit = startbit - (startbit % EBITMAP_SIZE); 413 tmp->startbit = startbit - (startbit % EBITMAP_SIZE);
414 if (n) { 414 if (n)
415 n->next = tmp; 415 n->next = tmp;
416 } else { 416 else
417 e->node = tmp; 417 e->node = tmp;
418 }
419 n = tmp; 418 n = tmp;
420 } else if (startbit <= n->startbit) { 419 } else if (startbit <= n->startbit) {
421 printk(KERN_ERR "SELinux: ebitmap: start bit %d" 420 printk(KERN_ERR "SELinux: ebitmap: start bit %d"
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
index 77b530c3bbce..2e7788e13213 100644
--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -9,8 +9,8 @@
9#include "hashtab.h" 9#include "hashtab.h"
10 10
11struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), 11struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
12 int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), 12 int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
13 u32 size) 13 u32 size)
14{ 14{
15 struct hashtab *p; 15 struct hashtab *p;
16 u32 i; 16 u32 i;
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index feaf0a5b828f..8b1706b7b3cc 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -32,7 +32,7 @@
32 * Return the length in bytes for the MLS fields of the 32 * Return the length in bytes for the MLS fields of the
33 * security context string representation of `context'. 33 * security context string representation of `context'.
34 */ 34 */
35int mls_compute_context_len(struct context * context) 35int mls_compute_context_len(struct context *context)
36{ 36{
37 int i, l, len, head, prev; 37 int i, l, len, head, prev;
38 char *nm; 38 char *nm;
@@ -86,7 +86,7 @@ int mls_compute_context_len(struct context * context)
86 * Update `*scontext' to point to the end of the MLS fields. 86 * Update `*scontext' to point to the end of the MLS fields.
87 */ 87 */
88void mls_sid_to_context(struct context *context, 88void mls_sid_to_context(struct context *context,
89 char **scontext) 89 char **scontext)
90{ 90{
91 char *scontextp, *nm; 91 char *scontextp, *nm;
92 int i, l, head, prev; 92 int i, l, head, prev;
@@ -146,7 +146,7 @@ void mls_sid_to_context(struct context *context,
146 146
147 if (l == 0) { 147 if (l == 0) {
148 if (mls_level_eq(&context->range.level[0], 148 if (mls_level_eq(&context->range.level[0],
149 &context->range.level[1])) 149 &context->range.level[1]))
150 break; 150 break;
151 else 151 else
152 *scontextp++ = '-'; 152 *scontextp++ = '-';
@@ -305,20 +305,21 @@ int mls_context_to_sid(char oldc,
305 *p++ = 0; 305 *p++ = 0;
306 306
307 /* Separate into range if exists */ 307 /* Separate into range if exists */
308 if ((rngptr = strchr(scontextp, '.')) != NULL) { 308 rngptr = strchr(scontextp, '.');
309 if (rngptr != NULL) {
309 /* Remove '.' */ 310 /* Remove '.' */
310 *rngptr++ = 0; 311 *rngptr++ = 0;
311 } 312 }
312 313
313 catdatum = hashtab_search(policydb.p_cats.table, 314 catdatum = hashtab_search(policydb.p_cats.table,
314 scontextp); 315 scontextp);
315 if (!catdatum) { 316 if (!catdatum) {
316 rc = -EINVAL; 317 rc = -EINVAL;
317 goto out; 318 goto out;
318 } 319 }
319 320
320 rc = ebitmap_set_bit(&context->range.level[l].cat, 321 rc = ebitmap_set_bit(&context->range.level[l].cat,
321 catdatum->value - 1, 1); 322 catdatum->value - 1, 1);
322 if (rc) 323 if (rc)
323 goto out; 324 goto out;
324 325
@@ -395,7 +396,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
395 rc = -ENOMEM; 396 rc = -ENOMEM;
396 } else { 397 } else {
397 rc = mls_context_to_sid(':', &tmpstr, context, 398 rc = mls_context_to_sid(':', &tmpstr, context,
398 NULL, SECSID_NULL); 399 NULL, SECSID_NULL);
399 kfree(freestr); 400 kfree(freestr);
400 } 401 }
401 402
@@ -406,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
406 * Copies the MLS range `range' into `context'. 407 * Copies the MLS range `range' into `context'.
407 */ 408 */
408static inline int mls_range_set(struct context *context, 409static inline int mls_range_set(struct context *context,
409 struct mls_range *range) 410 struct mls_range *range)
410{ 411{
411 int l, rc = 0; 412 int l, rc = 0;
412 413
@@ -423,7 +424,7 @@ static inline int mls_range_set(struct context *context,
423} 424}
424 425
425int mls_setup_user_range(struct context *fromcon, struct user_datum *user, 426int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
426 struct context *usercon) 427 struct context *usercon)
427{ 428{
428 if (selinux_mls_enabled) { 429 if (selinux_mls_enabled) {
429 struct mls_level *fromcon_sen = &(fromcon->range.level[0]); 430 struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
@@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
449 that of the user's default clearance (but 450 that of the user's default clearance (but
450 only if the "fromcon" clearance dominates 451 only if the "fromcon" clearance dominates
451 the user's computed sensitivity level) */ 452 the user's computed sensitivity level) */
452 if (mls_level_dom(user_clr, fromcon_clr)) { 453 if (mls_level_dom(user_clr, fromcon_clr))
453 *usercon_clr = *fromcon_clr; 454 *usercon_clr = *fromcon_clr;
454 } else if (mls_level_dom(fromcon_clr, user_clr)) { 455 else if (mls_level_dom(fromcon_clr, user_clr))
455 *usercon_clr = *user_clr; 456 *usercon_clr = *user_clr;
456 } else 457 else
457 return -EINVAL; 458 return -EINVAL;
458 } 459 }
459 460
@@ -525,7 +526,7 @@ int mls_compute_sid(struct context *scontext,
525 rtr->target_class == tclass) { 526 rtr->target_class == tclass) {
526 /* Set the range from the rule */ 527 /* Set the range from the rule */
527 return mls_range_set(newcontext, 528 return mls_range_set(newcontext,
528 &rtr->target_range); 529 &rtr->target_range);
529 } 530 }
530 } 531 }
531 /* Fallthrough */ 532 /* Fallthrough */
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 6bdb0ff6a927..84f8cc73c7db 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -11,7 +11,7 @@
11 * 11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 * 13 *
14 * Added conditional policy language extensions 14 * Added conditional policy language extensions
15 * 15 *
16 * Updated: Hewlett-Packard <paul.moore@hp.com> 16 * Updated: Hewlett-Packard <paul.moore@hp.com>
17 * 17 *
@@ -21,7 +21,7 @@
21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
23 * This program is free software; you can redistribute it and/or modify 23 * This program is free software; you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License as published by 24 * it under the terms of the GNU General Public License as published by
25 * the Free Software Foundation, version 2. 25 * the Free Software Foundation, version 2.
26 */ 26 */
27 27
@@ -51,7 +51,7 @@ static char *symtab_name[SYM_NUM] = {
51}; 51};
52#endif 52#endif
53 53
54int selinux_mls_enabled = 0; 54int selinux_mls_enabled;
55 55
56static unsigned int symtab_sizes[SYM_NUM] = { 56static unsigned int symtab_sizes[SYM_NUM] = {
57 2, 57 2,
@@ -73,39 +73,39 @@ struct policydb_compat_info {
73/* These need to be updated if SYM_NUM or OCON_NUM changes */ 73/* These need to be updated if SYM_NUM or OCON_NUM changes */
74static struct policydb_compat_info policydb_compat[] = { 74static struct policydb_compat_info policydb_compat[] = {
75 { 75 {
76 .version = POLICYDB_VERSION_BASE, 76 .version = POLICYDB_VERSION_BASE,
77 .sym_num = SYM_NUM - 3, 77 .sym_num = SYM_NUM - 3,
78 .ocon_num = OCON_NUM - 1, 78 .ocon_num = OCON_NUM - 1,
79 }, 79 },
80 { 80 {
81 .version = POLICYDB_VERSION_BOOL, 81 .version = POLICYDB_VERSION_BOOL,
82 .sym_num = SYM_NUM - 2, 82 .sym_num = SYM_NUM - 2,
83 .ocon_num = OCON_NUM - 1, 83 .ocon_num = OCON_NUM - 1,
84 }, 84 },
85 { 85 {
86 .version = POLICYDB_VERSION_IPV6, 86 .version = POLICYDB_VERSION_IPV6,
87 .sym_num = SYM_NUM - 2, 87 .sym_num = SYM_NUM - 2,
88 .ocon_num = OCON_NUM, 88 .ocon_num = OCON_NUM,
89 }, 89 },
90 { 90 {
91 .version = POLICYDB_VERSION_NLCLASS, 91 .version = POLICYDB_VERSION_NLCLASS,
92 .sym_num = SYM_NUM - 2, 92 .sym_num = SYM_NUM - 2,
93 .ocon_num = OCON_NUM, 93 .ocon_num = OCON_NUM,
94 }, 94 },
95 { 95 {
96 .version = POLICYDB_VERSION_MLS, 96 .version = POLICYDB_VERSION_MLS,
97 .sym_num = SYM_NUM, 97 .sym_num = SYM_NUM,
98 .ocon_num = OCON_NUM, 98 .ocon_num = OCON_NUM,
99 }, 99 },
100 { 100 {
101 .version = POLICYDB_VERSION_AVTAB, 101 .version = POLICYDB_VERSION_AVTAB,
102 .sym_num = SYM_NUM, 102 .sym_num = SYM_NUM,
103 .ocon_num = OCON_NUM, 103 .ocon_num = OCON_NUM,
104 }, 104 },
105 { 105 {
106 .version = POLICYDB_VERSION_RANGETRANS, 106 .version = POLICYDB_VERSION_RANGETRANS,
107 .sym_num = SYM_NUM, 107 .sym_num = SYM_NUM,
108 .ocon_num = OCON_NUM, 108 .ocon_num = OCON_NUM,
109 }, 109 },
110 { 110 {
111 .version = POLICYDB_VERSION_POLCAP, 111 .version = POLICYDB_VERSION_POLCAP,
@@ -152,7 +152,7 @@ static int roles_init(struct policydb *p)
152 rc = -EINVAL; 152 rc = -EINVAL;
153 goto out_free_role; 153 goto out_free_role;
154 } 154 }
155 key = kmalloc(strlen(OBJECT_R)+1,GFP_KERNEL); 155 key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL);
156 if (!key) { 156 if (!key) {
157 rc = -ENOMEM; 157 rc = -ENOMEM;
158 goto out_free_role; 158 goto out_free_role;
@@ -390,7 +390,7 @@ static void symtab_hash_eval(struct symtab *s)
390 struct hashtab_info info; 390 struct hashtab_info info;
391 391
392 hashtab_stat(h, &info); 392 hashtab_stat(h, &info);
393 printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, " 393 printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
394 "longest chain length %d\n", symtab_name[i], h->nel, 394 "longest chain length %d\n", symtab_name[i], h->nel,
395 info.slots_used, h->size, info.max_chain_len); 395 info.slots_used, h->size, info.max_chain_len);
396 } 396 }
@@ -424,7 +424,7 @@ static int policydb_index_others(struct policydb *p)
424 424
425 p->role_val_to_struct = 425 p->role_val_to_struct =
426 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), 426 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
427 GFP_KERNEL); 427 GFP_KERNEL);
428 if (!p->role_val_to_struct) { 428 if (!p->role_val_to_struct) {
429 rc = -ENOMEM; 429 rc = -ENOMEM;
430 goto out; 430 goto out;
@@ -432,7 +432,7 @@ static int policydb_index_others(struct policydb *p)
432 432
433 p->user_val_to_struct = 433 p->user_val_to_struct =
434 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), 434 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
435 GFP_KERNEL); 435 GFP_KERNEL);
436 if (!p->user_val_to_struct) { 436 if (!p->user_val_to_struct) {
437 rc = -ENOMEM; 437 rc = -ENOMEM;
438 goto out; 438 goto out;
@@ -634,7 +634,7 @@ void policydb_destroy(struct policydb *p)
634 while (c) { 634 while (c) {
635 ctmp = c; 635 ctmp = c;
636 c = c->next; 636 c = c->next;
637 ocontext_destroy(ctmp,i); 637 ocontext_destroy(ctmp, i);
638 } 638 }
639 p->ocontexts[i] = NULL; 639 p->ocontexts[i] = NULL;
640 } 640 }
@@ -647,7 +647,7 @@ void policydb_destroy(struct policydb *p)
647 while (c) { 647 while (c) {
648 ctmp = c; 648 ctmp = c;
649 c = c->next; 649 c = c->next;
650 ocontext_destroy(ctmp,OCON_FSUSE); 650 ocontext_destroy(ctmp, OCON_FSUSE);
651 } 651 }
652 gtmp = g; 652 gtmp = g;
653 g = g->next; 653 g = g->next;
@@ -664,14 +664,14 @@ void policydb_destroy(struct policydb *p)
664 } 664 }
665 kfree(ltr); 665 kfree(ltr);
666 666
667 for (ra = p->role_allow; ra; ra = ra -> next) { 667 for (ra = p->role_allow; ra; ra = ra->next) {
668 cond_resched(); 668 cond_resched();
669 kfree(lra); 669 kfree(lra);
670 lra = ra; 670 lra = ra;
671 } 671 }
672 kfree(lra); 672 kfree(lra);
673 673
674 for (rt = p->range_tr; rt; rt = rt -> next) { 674 for (rt = p->range_tr; rt; rt = rt->next) {
675 cond_resched(); 675 cond_resched();
676 if (lrt) { 676 if (lrt) {
677 ebitmap_destroy(&lrt->target_range.level[0].cat); 677 ebitmap_destroy(&lrt->target_range.level[0].cat);
@@ -924,7 +924,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
924 len = le32_to_cpu(buf[0]); 924 len = le32_to_cpu(buf[0]);
925 perdatum->value = le32_to_cpu(buf[1]); 925 perdatum->value = le32_to_cpu(buf[1]);
926 926
927 key = kmalloc(len + 1,GFP_KERNEL); 927 key = kmalloc(len + 1, GFP_KERNEL);
928 if (!key) { 928 if (!key) {
929 rc = -ENOMEM; 929 rc = -ENOMEM;
930 goto bad; 930 goto bad;
@@ -971,7 +971,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
971 comdatum->permissions.nprim = le32_to_cpu(buf[2]); 971 comdatum->permissions.nprim = le32_to_cpu(buf[2]);
972 nel = le32_to_cpu(buf[3]); 972 nel = le32_to_cpu(buf[3]);
973 973
974 key = kmalloc(len + 1,GFP_KERNEL); 974 key = kmalloc(len + 1, GFP_KERNEL);
975 if (!key) { 975 if (!key) {
976 rc = -ENOMEM; 976 rc = -ENOMEM;
977 goto bad; 977 goto bad;
@@ -998,7 +998,7 @@ bad:
998} 998}
999 999
1000static int read_cons_helper(struct constraint_node **nodep, int ncons, 1000static int read_cons_helper(struct constraint_node **nodep, int ncons,
1001 int allowxtarget, void *fp) 1001 int allowxtarget, void *fp)
1002{ 1002{
1003 struct constraint_node *c, *lc; 1003 struct constraint_node *c, *lc;
1004 struct constraint_expr *e, *le; 1004 struct constraint_expr *e, *le;
@@ -1012,11 +1012,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
1012 if (!c) 1012 if (!c)
1013 return -ENOMEM; 1013 return -ENOMEM;
1014 1014
1015 if (lc) { 1015 if (lc)
1016 lc->next = c; 1016 lc->next = c;
1017 } else { 1017 else
1018 *nodep = c; 1018 *nodep = c;
1019 }
1020 1019
1021 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 1020 rc = next_entry(buf, fp, (sizeof(u32) * 2));
1022 if (rc < 0) 1021 if (rc < 0)
@@ -1030,11 +1029,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
1030 if (!e) 1029 if (!e)
1031 return -ENOMEM; 1030 return -ENOMEM;
1032 1031
1033 if (le) { 1032 if (le)
1034 le->next = e; 1033 le->next = e;
1035 } else { 1034 else
1036 c->expr = e; 1035 c->expr = e;
1037 }
1038 1036
1039 rc = next_entry(buf, fp, (sizeof(u32) * 3)); 1037 rc = next_entry(buf, fp, (sizeof(u32) * 3));
1040 if (rc < 0) 1038 if (rc < 0)
@@ -1111,7 +1109,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1111 1109
1112 ncons = le32_to_cpu(buf[5]); 1110 ncons = le32_to_cpu(buf[5]);
1113 1111
1114 key = kmalloc(len + 1,GFP_KERNEL); 1112 key = kmalloc(len + 1, GFP_KERNEL);
1115 if (!key) { 1113 if (!key) {
1116 rc = -ENOMEM; 1114 rc = -ENOMEM;
1117 goto bad; 1115 goto bad;
@@ -1122,7 +1120,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1122 key[len] = 0; 1120 key[len] = 0;
1123 1121
1124 if (len2) { 1122 if (len2) {
1125 cladatum->comkey = kmalloc(len2 + 1,GFP_KERNEL); 1123 cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
1126 if (!cladatum->comkey) { 1124 if (!cladatum->comkey) {
1127 rc = -ENOMEM; 1125 rc = -ENOMEM;
1128 goto bad; 1126 goto bad;
@@ -1195,7 +1193,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1195 len = le32_to_cpu(buf[0]); 1193 len = le32_to_cpu(buf[0]);
1196 role->value = le32_to_cpu(buf[1]); 1194 role->value = le32_to_cpu(buf[1]);
1197 1195
1198 key = kmalloc(len + 1,GFP_KERNEL); 1196 key = kmalloc(len + 1, GFP_KERNEL);
1199 if (!key) { 1197 if (!key) {
1200 rc = -ENOMEM; 1198 rc = -ENOMEM;
1201 goto bad; 1199 goto bad;
@@ -1215,7 +1213,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1215 1213
1216 if (strcmp(key, OBJECT_R) == 0) { 1214 if (strcmp(key, OBJECT_R) == 0) {
1217 if (role->value != OBJECT_R_VAL) { 1215 if (role->value != OBJECT_R_VAL) {
1218 printk(KERN_ERR "Role %s has wrong value %d\n", 1216 printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
1219 OBJECT_R, role->value); 1217 OBJECT_R, role->value);
1220 rc = -EINVAL; 1218 rc = -EINVAL;
1221 goto bad; 1219 goto bad;
@@ -1242,7 +1240,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1242 __le32 buf[3]; 1240 __le32 buf[3];
1243 u32 len; 1241 u32 len;
1244 1242
1245 typdatum = kzalloc(sizeof(*typdatum),GFP_KERNEL); 1243 typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
1246 if (!typdatum) { 1244 if (!typdatum) {
1247 rc = -ENOMEM; 1245 rc = -ENOMEM;
1248 return rc; 1246 return rc;
@@ -1256,7 +1254,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1256 typdatum->value = le32_to_cpu(buf[1]); 1254 typdatum->value = le32_to_cpu(buf[1]);
1257 typdatum->primary = le32_to_cpu(buf[2]); 1255 typdatum->primary = le32_to_cpu(buf[2]);
1258 1256
1259 key = kmalloc(len + 1,GFP_KERNEL); 1257 key = kmalloc(len + 1, GFP_KERNEL);
1260 if (!key) { 1258 if (!key) {
1261 rc = -ENOMEM; 1259 rc = -ENOMEM;
1262 goto bad; 1260 goto bad;
@@ -1328,7 +1326,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1328 len = le32_to_cpu(buf[0]); 1326 len = le32_to_cpu(buf[0]);
1329 usrdatum->value = le32_to_cpu(buf[1]); 1327 usrdatum->value = le32_to_cpu(buf[1]);
1330 1328
1331 key = kmalloc(len + 1,GFP_KERNEL); 1329 key = kmalloc(len + 1, GFP_KERNEL);
1332 if (!key) { 1330 if (!key) {
1333 rc = -ENOMEM; 1331 rc = -ENOMEM;
1334 goto bad; 1332 goto bad;
@@ -1382,7 +1380,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1382 len = le32_to_cpu(buf[0]); 1380 len = le32_to_cpu(buf[0]);
1383 levdatum->isalias = le32_to_cpu(buf[1]); 1381 levdatum->isalias = le32_to_cpu(buf[1]);
1384 1382
1385 key = kmalloc(len + 1,GFP_ATOMIC); 1383 key = kmalloc(len + 1, GFP_ATOMIC);
1386 if (!key) { 1384 if (!key) {
1387 rc = -ENOMEM; 1385 rc = -ENOMEM;
1388 goto bad; 1386 goto bad;
@@ -1434,7 +1432,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1434 catdatum->value = le32_to_cpu(buf[1]); 1432 catdatum->value = le32_to_cpu(buf[1]);
1435 catdatum->isalias = le32_to_cpu(buf[2]); 1433 catdatum->isalias = le32_to_cpu(buf[2]);
1436 1434
1437 key = kmalloc(len + 1,GFP_ATOMIC); 1435 key = kmalloc(len + 1, GFP_ATOMIC);
1438 if (!key) { 1436 if (!key) {
1439 rc = -ENOMEM; 1437 rc = -ENOMEM;
1440 goto bad; 1438 goto bad;
@@ -1493,7 +1491,7 @@ int policydb_read(struct policydb *p, void *fp)
1493 goto out; 1491 goto out;
1494 1492
1495 /* Read the magic number and string length. */ 1493 /* Read the magic number and string length. */
1496 rc = next_entry(buf, fp, sizeof(u32)* 2); 1494 rc = next_entry(buf, fp, sizeof(u32) * 2);
1497 if (rc < 0) 1495 if (rc < 0)
1498 goto bad; 1496 goto bad;
1499 1497
@@ -1511,7 +1509,7 @@ int policydb_read(struct policydb *p, void *fp)
1511 len, strlen(POLICYDB_STRING)); 1509 len, strlen(POLICYDB_STRING));
1512 goto bad; 1510 goto bad;
1513 } 1511 }
1514 policydb_str = kmalloc(len + 1,GFP_KERNEL); 1512 policydb_str = kmalloc(len + 1, GFP_KERNEL);
1515 if (!policydb_str) { 1513 if (!policydb_str) {
1516 printk(KERN_ERR "SELinux: unable to allocate memory for policydb " 1514 printk(KERN_ERR "SELinux: unable to allocate memory for policydb "
1517 "string of length %d\n", len); 1515 "string of length %d\n", len);
@@ -1544,29 +1542,30 @@ int policydb_read(struct policydb *p, void *fp)
1544 if (p->policyvers < POLICYDB_VERSION_MIN || 1542 if (p->policyvers < POLICYDB_VERSION_MIN ||
1545 p->policyvers > POLICYDB_VERSION_MAX) { 1543 p->policyvers > POLICYDB_VERSION_MAX) {
1546 printk(KERN_ERR "SELinux: policydb version %d does not match " 1544 printk(KERN_ERR "SELinux: policydb version %d does not match "
1547 "my version range %d-%d\n", 1545 "my version range %d-%d\n",
1548 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); 1546 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
1549 goto bad; 1547 goto bad;
1550 } 1548 }
1551 1549
1552 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { 1550 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
1553 if (ss_initialized && !selinux_mls_enabled) { 1551 if (ss_initialized && !selinux_mls_enabled) {
1554 printk(KERN_ERR "Cannot switch between non-MLS and MLS " 1552 printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
1555 "policies\n"); 1553 " and MLS policies\n");
1556 goto bad; 1554 goto bad;
1557 } 1555 }
1558 selinux_mls_enabled = 1; 1556 selinux_mls_enabled = 1;
1559 config |= POLICYDB_CONFIG_MLS; 1557 config |= POLICYDB_CONFIG_MLS;
1560 1558
1561 if (p->policyvers < POLICYDB_VERSION_MLS) { 1559 if (p->policyvers < POLICYDB_VERSION_MLS) {
1562 printk(KERN_ERR "security policydb version %d (MLS) " 1560 printk(KERN_ERR "SELinux: security policydb version %d "
1563 "not backwards compatible\n", p->policyvers); 1561 "(MLS) not backwards compatible\n",
1562 p->policyvers);
1564 goto bad; 1563 goto bad;
1565 } 1564 }
1566 } else { 1565 } else {
1567 if (ss_initialized && selinux_mls_enabled) { 1566 if (ss_initialized && selinux_mls_enabled) {
1568 printk(KERN_ERR "Cannot switch between MLS and non-MLS " 1567 printk(KERN_ERR "SELinux: Cannot switch between MLS and"
1569 "policies\n"); 1568 " non-MLS policies\n");
1570 goto bad; 1569 goto bad;
1571 } 1570 }
1572 } 1571 }
@@ -1633,11 +1632,10 @@ int policydb_read(struct policydb *p, void *fp)
1633 rc = -ENOMEM; 1632 rc = -ENOMEM;
1634 goto bad; 1633 goto bad;
1635 } 1634 }
1636 if (ltr) { 1635 if (ltr)
1637 ltr->next = tr; 1636 ltr->next = tr;
1638 } else { 1637 else
1639 p->role_tr = tr; 1638 p->role_tr = tr;
1640 }
1641 rc = next_entry(buf, fp, sizeof(u32)*3); 1639 rc = next_entry(buf, fp, sizeof(u32)*3);
1642 if (rc < 0) 1640 if (rc < 0)
1643 goto bad; 1641 goto bad;
@@ -1664,11 +1662,10 @@ int policydb_read(struct policydb *p, void *fp)
1664 rc = -ENOMEM; 1662 rc = -ENOMEM;
1665 goto bad; 1663 goto bad;
1666 } 1664 }
1667 if (lra) { 1665 if (lra)
1668 lra->next = ra; 1666 lra->next = ra;
1669 } else { 1667 else
1670 p->role_allow = ra; 1668 p->role_allow = ra;
1671 }
1672 rc = next_entry(buf, fp, sizeof(u32)*2); 1669 rc = next_entry(buf, fp, sizeof(u32)*2);
1673 if (rc < 0) 1670 if (rc < 0)
1674 goto bad; 1671 goto bad;
@@ -1702,11 +1699,10 @@ int policydb_read(struct policydb *p, void *fp)
1702 rc = -ENOMEM; 1699 rc = -ENOMEM;
1703 goto bad; 1700 goto bad;
1704 } 1701 }
1705 if (l) { 1702 if (l)
1706 l->next = c; 1703 l->next = c;
1707 } else { 1704 else
1708 p->ocontexts[i] = c; 1705 p->ocontexts[i] = c;
1709 }
1710 l = c; 1706 l = c;
1711 rc = -EINVAL; 1707 rc = -EINVAL;
1712 switch (i) { 1708 switch (i) {
@@ -1725,7 +1721,7 @@ int policydb_read(struct policydb *p, void *fp)
1725 if (rc < 0) 1721 if (rc < 0)
1726 goto bad; 1722 goto bad;
1727 len = le32_to_cpu(buf[0]); 1723 len = le32_to_cpu(buf[0]);
1728 c->u.name = kmalloc(len + 1,GFP_KERNEL); 1724 c->u.name = kmalloc(len + 1, GFP_KERNEL);
1729 if (!c->u.name) { 1725 if (!c->u.name) {
1730 rc = -ENOMEM; 1726 rc = -ENOMEM;
1731 goto bad; 1727 goto bad;
@@ -1753,7 +1749,7 @@ int policydb_read(struct policydb *p, void *fp)
1753 goto bad; 1749 goto bad;
1754 break; 1750 break;
1755 case OCON_NODE: 1751 case OCON_NODE:
1756 rc = next_entry(buf, fp, sizeof(u32)* 2); 1752 rc = next_entry(buf, fp, sizeof(u32) * 2);
1757 if (rc < 0) 1753 if (rc < 0)
1758 goto bad; 1754 goto bad;
1759 c->u.node.addr = le32_to_cpu(buf[0]); 1755 c->u.node.addr = le32_to_cpu(buf[0]);
@@ -1770,7 +1766,7 @@ int policydb_read(struct policydb *p, void *fp)
1770 if (c->v.behavior > SECURITY_FS_USE_NONE) 1766 if (c->v.behavior > SECURITY_FS_USE_NONE)
1771 goto bad; 1767 goto bad;
1772 len = le32_to_cpu(buf[1]); 1768 len = le32_to_cpu(buf[1]);
1773 c->u.name = kmalloc(len + 1,GFP_KERNEL); 1769 c->u.name = kmalloc(len + 1, GFP_KERNEL);
1774 if (!c->u.name) { 1770 if (!c->u.name) {
1775 rc = -ENOMEM; 1771 rc = -ENOMEM;
1776 goto bad; 1772 goto bad;
@@ -1818,7 +1814,7 @@ int policydb_read(struct policydb *p, void *fp)
1818 goto bad; 1814 goto bad;
1819 } 1815 }
1820 1816
1821 newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL); 1817 newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
1822 if (!newgenfs->fstype) { 1818 if (!newgenfs->fstype) {
1823 rc = -ENOMEM; 1819 rc = -ENOMEM;
1824 kfree(newgenfs); 1820 kfree(newgenfs);
@@ -1864,7 +1860,7 @@ int policydb_read(struct policydb *p, void *fp)
1864 goto bad; 1860 goto bad;
1865 } 1861 }
1866 1862
1867 newc->u.name = kmalloc(len + 1,GFP_KERNEL); 1863 newc->u.name = kmalloc(len + 1, GFP_KERNEL);
1868 if (!newc->u.name) { 1864 if (!newc->u.name) {
1869 rc = -ENOMEM; 1865 rc = -ENOMEM;
1870 goto bad_newc; 1866 goto bad_newc;
@@ -1968,7 +1964,7 @@ int policydb_read(struct policydb *p, void *fp)
1968out: 1964out:
1969 return rc; 1965 return rc;
1970bad_newc: 1966bad_newc:
1971 ocontext_destroy(newc,OCON_FSUSE); 1967 ocontext_destroy(newc, OCON_FSUSE);
1972bad: 1968bad:
1973 if (!rc) 1969 if (!rc)
1974 rc = -EINVAL; 1970 rc = -EINVAL;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b341b8fd8c7c..2daaddbb301d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2,7 +2,7 @@
2 * Implementation of the security services. 2 * Implementation of the security services.
3 * 3 *
4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5 * James Morris <jmorris@redhat.com> 5 * James Morris <jmorris@redhat.com>
6 * 6 *
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 * 8 *
@@ -11,7 +11,7 @@
11 * 11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 * 13 *
14 * Added conditional policy language extensions 14 * Added conditional policy language extensions
15 * 15 *
16 * Updated: Hewlett-Packard <paul.moore@hp.com> 16 * Updated: Hewlett-Packard <paul.moore@hp.com>
17 * 17 *
@@ -27,7 +27,7 @@
27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
29 * This program is free software; you can redistribute it and/or modify 29 * This program is free software; you can redistribute it and/or modify
30 * it under the terms of the GNU General Public License as published by 30 * it under the terms of the GNU General Public License as published by
31 * the Free Software Foundation, version 2. 31 * the Free Software Foundation, version 2.
32 */ 32 */
33#include <linux/kernel.h> 33#include <linux/kernel.h>
@@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex);
82 82
83static struct sidtab sidtab; 83static struct sidtab sidtab;
84struct policydb policydb; 84struct policydb policydb;
85int ss_initialized = 0; 85int ss_initialized;
86 86
87/* 87/*
88 * The largest sequence number that has been used when 88 * The largest sequence number that has been used when
@@ -90,7 +90,7 @@ int ss_initialized = 0;
90 * The sequence number only changes when a policy change 90 * The sequence number only changes when a policy change
91 * occurs. 91 * occurs.
92 */ 92 */
93static u32 latest_granting = 0; 93static u32 latest_granting;
94 94
95/* Forward declaration. */ 95/* Forward declaration. */
96static int context_struct_to_string(struct context *context, char **scontext, 96static int context_struct_to_string(struct context *context, char **scontext,
@@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext,
163 val1 - 1); 163 val1 - 1);
164 continue; 164 continue;
165 case CEXPR_INCOMP: 165 case CEXPR_INCOMP:
166 s[++sp] = ( !ebitmap_get_bit(&r1->dominates, 166 s[++sp] = (!ebitmap_get_bit(&r1->dominates,
167 val2 - 1) && 167 val2 - 1) &&
168 !ebitmap_get_bit(&r2->dominates, 168 !ebitmap_get_bit(&r2->dominates,
169 val1 - 1) ); 169 val1 - 1));
170 continue; 170 continue;
171 default: 171 default:
172 break; 172 break;
@@ -409,13 +409,14 @@ static int context_struct_compute_av(struct context *scontext,
409 } 409 }
410 if (!ra) 410 if (!ra)
411 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 411 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
412 PROCESS__DYNTRANSITION); 412 PROCESS__DYNTRANSITION);
413 } 413 }
414 414
415 return 0; 415 return 0;
416 416
417inval_class: 417inval_class:
418 printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass); 418 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
419 tclass);
419 return -EINVAL; 420 return -EINVAL;
420} 421}
421 422
@@ -445,9 +446,9 @@ int security_permissive_sid(u32 sid)
445} 446}
446 447
447static int security_validtrans_handle_fail(struct context *ocontext, 448static int security_validtrans_handle_fail(struct context *ocontext,
448 struct context *ncontext, 449 struct context *ncontext,
449 struct context *tcontext, 450 struct context *tcontext,
450 u16 tclass) 451 u16 tclass)
451{ 452{
452 char *o = NULL, *n = NULL, *t = NULL; 453 char *o = NULL, *n = NULL, *t = NULL;
453 u32 olen, nlen, tlen; 454 u32 olen, nlen, tlen;
@@ -459,9 +460,9 @@ static int security_validtrans_handle_fail(struct context *ocontext,
459 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 460 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
460 goto out; 461 goto out;
461 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 462 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
462 "security_validate_transition: denied for" 463 "security_validate_transition: denied for"
463 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 464 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
464 o, n, t, policydb.p_class_val_to_name[tclass-1]); 465 o, n, t, policydb.p_class_val_to_name[tclass-1]);
465out: 466out:
466 kfree(o); 467 kfree(o);
467 kfree(n); 468 kfree(n);
@@ -473,7 +474,7 @@ out:
473} 474}
474 475
475int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 476int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
476 u16 tclass) 477 u16 tclass)
477{ 478{
478 struct context *ocontext; 479 struct context *ocontext;
479 struct context *ncontext; 480 struct context *ncontext;
@@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
499 tclass = SECCLASS_NETLINK_SOCKET; 500 tclass = SECCLASS_NETLINK_SOCKET;
500 501
501 if (!tclass || tclass > policydb.p_classes.nprim) { 502 if (!tclass || tclass > policydb.p_classes.nprim) {
502 printk(KERN_ERR "security_validate_transition: " 503 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
503 "unrecognized class %d\n", tclass); 504 __func__, tclass);
504 rc = -EINVAL; 505 rc = -EINVAL;
505 goto out; 506 goto out;
506 } 507 }
@@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
508 509
509 ocontext = sidtab_search(&sidtab, oldsid); 510 ocontext = sidtab_search(&sidtab, oldsid);
510 if (!ocontext) { 511 if (!ocontext) {
511 printk(KERN_ERR "security_validate_transition: " 512 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
512 " unrecognized SID %d\n", oldsid); 513 __func__, oldsid);
513 rc = -EINVAL; 514 rc = -EINVAL;
514 goto out; 515 goto out;
515 } 516 }
516 517
517 ncontext = sidtab_search(&sidtab, newsid); 518 ncontext = sidtab_search(&sidtab, newsid);
518 if (!ncontext) { 519 if (!ncontext) {
519 printk(KERN_ERR "security_validate_transition: " 520 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
520 " unrecognized SID %d\n", newsid); 521 __func__, newsid);
521 rc = -EINVAL; 522 rc = -EINVAL;
522 goto out; 523 goto out;
523 } 524 }
524 525
525 tcontext = sidtab_search(&sidtab, tasksid); 526 tcontext = sidtab_search(&sidtab, tasksid);
526 if (!tcontext) { 527 if (!tcontext) {
527 printk(KERN_ERR "security_validate_transition: " 528 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
528 " unrecognized SID %d\n", tasksid); 529 __func__, tasksid);
529 rc = -EINVAL; 530 rc = -EINVAL;
530 goto out; 531 goto out;
531 } 532 }
@@ -533,9 +534,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
533 constraint = tclass_datum->validatetrans; 534 constraint = tclass_datum->validatetrans;
534 while (constraint) { 535 while (constraint) {
535 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 536 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
536 constraint->expr)) { 537 constraint->expr)) {
537 rc = security_validtrans_handle_fail(ocontext, ncontext, 538 rc = security_validtrans_handle_fail(ocontext, ncontext,
538 tcontext, tclass); 539 tcontext, tclass);
539 goto out; 540 goto out;
540 } 541 }
541 constraint = constraint->next; 542 constraint = constraint->next;
@@ -581,15 +582,15 @@ int security_compute_av(u32 ssid,
581 582
582 scontext = sidtab_search(&sidtab, ssid); 583 scontext = sidtab_search(&sidtab, ssid);
583 if (!scontext) { 584 if (!scontext) {
584 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 585 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
585 ssid); 586 __func__, ssid);
586 rc = -EINVAL; 587 rc = -EINVAL;
587 goto out; 588 goto out;
588 } 589 }
589 tcontext = sidtab_search(&sidtab, tsid); 590 tcontext = sidtab_search(&sidtab, tsid);
590 if (!tcontext) { 591 if (!tcontext) {
591 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 592 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
592 tsid); 593 __func__, tsid);
593 rc = -EINVAL; 594 rc = -EINVAL;
594 goto out; 595 goto out;
595 } 596 }
@@ -623,9 +624,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
623 624
624 /* Allocate space for the context; caller must free this space. */ 625 /* Allocate space for the context; caller must free this space. */
625 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 626 scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
626 if (!scontextp) { 627 if (!scontextp)
627 return -ENOMEM; 628 return -ENOMEM;
628 }
629 *scontext = scontextp; 629 *scontext = scontextp;
630 630
631 /* 631 /*
@@ -636,8 +636,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
636 policydb.p_role_val_to_name[context->role - 1], 636 policydb.p_role_val_to_name[context->role - 1],
637 policydb.p_type_val_to_name[context->type - 1]); 637 policydb.p_type_val_to_name[context->type - 1]);
638 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 638 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
639 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 639 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
640 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 640 1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
641 641
642 mls_sid_to_context(context, &scontextp); 642 mls_sid_to_context(context, &scontextp);
643 643
@@ -678,7 +678,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
678 char *scontextp; 678 char *scontextp;
679 679
680 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 680 *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
681 scontextp = kmalloc(*scontext_len,GFP_ATOMIC); 681 scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
682 if (!scontextp) { 682 if (!scontextp) {
683 rc = -ENOMEM; 683 rc = -ENOMEM;
684 goto out; 684 goto out;
@@ -687,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
687 *scontext = scontextp; 687 *scontext = scontextp;
688 goto out; 688 goto out;
689 } 689 }
690 printk(KERN_ERR "security_sid_to_context: called before initial " 690 printk(KERN_ERR "SELinux: %s: called before initial "
691 "load_policy on unknown SID %d\n", sid); 691 "load_policy on unknown SID %d\n", __func__, sid);
692 rc = -EINVAL; 692 rc = -EINVAL;
693 goto out; 693 goto out;
694 } 694 }
695 POLICY_RDLOCK; 695 POLICY_RDLOCK;
696 context = sidtab_search(&sidtab, sid); 696 context = sidtab_search(&sidtab, sid);
697 if (!context) { 697 if (!context) {
698 printk(KERN_ERR "security_sid_to_context: unrecognized SID " 698 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
699 "%d\n", sid); 699 __func__, sid);
700 rc = -EINVAL; 700 rc = -EINVAL;
701 goto out_unlock; 701 goto out_unlock;
702 } 702 }
@@ -926,15 +926,15 @@ static int security_compute_sid(u32 ssid,
926 926
927 scontext = sidtab_search(&sidtab, ssid); 927 scontext = sidtab_search(&sidtab, ssid);
928 if (!scontext) { 928 if (!scontext) {
929 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 929 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
930 ssid); 930 __func__, ssid);
931 rc = -EINVAL; 931 rc = -EINVAL;
932 goto out_unlock; 932 goto out_unlock;
933 } 933 }
934 tcontext = sidtab_search(&sidtab, tsid); 934 tcontext = sidtab_search(&sidtab, tsid);
935 if (!tcontext) { 935 if (!tcontext) {
936 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 936 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
937 tsid); 937 __func__, tsid);
938 rc = -EINVAL; 938 rc = -EINVAL;
939 goto out_unlock; 939 goto out_unlock;
940 } 940 }
@@ -974,7 +974,7 @@ static int security_compute_sid(u32 ssid,
974 avdatum = avtab_search(&policydb.te_avtab, &avkey); 974 avdatum = avtab_search(&policydb.te_avtab, &avkey);
975 975
976 /* If no permanent rule, also check for enabled conditional rules */ 976 /* If no permanent rule, also check for enabled conditional rules */
977 if(!avdatum) { 977 if (!avdatum) {
978 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 978 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
979 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 979 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
980 if (node->key.specified & AVTAB_ENABLED) { 980 if (node->key.specified & AVTAB_ENABLED) {
@@ -1288,26 +1288,23 @@ static int convert_context(u32 key,
1288 1288
1289 /* Convert the user. */ 1289 /* Convert the user. */
1290 usrdatum = hashtab_search(args->newp->p_users.table, 1290 usrdatum = hashtab_search(args->newp->p_users.table,
1291 args->oldp->p_user_val_to_name[c->user - 1]); 1291 args->oldp->p_user_val_to_name[c->user - 1]);
1292 if (!usrdatum) { 1292 if (!usrdatum)
1293 goto bad; 1293 goto bad;
1294 }
1295 c->user = usrdatum->value; 1294 c->user = usrdatum->value;
1296 1295
1297 /* Convert the role. */ 1296 /* Convert the role. */
1298 role = hashtab_search(args->newp->p_roles.table, 1297 role = hashtab_search(args->newp->p_roles.table,
1299 args->oldp->p_role_val_to_name[c->role - 1]); 1298 args->oldp->p_role_val_to_name[c->role - 1]);
1300 if (!role) { 1299 if (!role)
1301 goto bad; 1300 goto bad;
1302 }
1303 c->role = role->value; 1301 c->role = role->value;
1304 1302
1305 /* Convert the type. */ 1303 /* Convert the type. */
1306 typdatum = hashtab_search(args->newp->p_types.table, 1304 typdatum = hashtab_search(args->newp->p_types.table,
1307 args->oldp->p_type_val_to_name[c->type - 1]); 1305 args->oldp->p_type_val_to_name[c->type - 1]);
1308 if (!typdatum) { 1306 if (!typdatum)
1309 goto bad; 1307 goto bad;
1310 }
1311 c->type = typdatum->value; 1308 c->type = typdatum->value;
1312 1309
1313 rc = mls_convert_context(args->oldp, args->newp, c); 1310 rc = mls_convert_context(args->oldp, args->newp, c);
@@ -1556,8 +1553,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1556{ 1553{
1557 int i, fail = 0; 1554 int i, fail = 0;
1558 1555
1559 for(i = 0; i < 4; i++) 1556 for (i = 0; i < 4; i++)
1560 if(addr[i] != (input[i] & mask[i])) { 1557 if (addr[i] != (input[i] & mask[i])) {
1561 fail = 1; 1558 fail = 1;
1562 break; 1559 break;
1563 } 1560 }
@@ -1656,7 +1653,7 @@ out:
1656 */ 1653 */
1657 1654
1658int security_get_user_sids(u32 fromsid, 1655int security_get_user_sids(u32 fromsid,
1659 char *username, 1656 char *username,
1660 u32 **sids, 1657 u32 **sids,
1661 u32 *nel) 1658 u32 *nel)
1662{ 1659{
@@ -1766,7 +1763,7 @@ out:
1766 * transition SIDs or task SIDs. 1763 * transition SIDs or task SIDs.
1767 */ 1764 */
1768int security_genfs_sid(const char *fstype, 1765int security_genfs_sid(const char *fstype,
1769 char *path, 1766 char *path,
1770 u16 sclass, 1767 u16 sclass,
1771 u32 *sid) 1768 u32 *sid)
1772{ 1769{
@@ -1881,7 +1878,7 @@ int security_get_bools(int *len, char ***names, int **values)
1881 goto out; 1878 goto out;
1882 } 1879 }
1883 1880
1884 *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); 1881 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
1885 if (!*names) 1882 if (!*names)
1886 goto err; 1883 goto err;
1887 1884
@@ -1893,7 +1890,7 @@ int security_get_bools(int *len, char ***names, int **values)
1893 size_t name_len; 1890 size_t name_len;
1894 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1891 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1895 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1892 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1896 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1893 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1897 if (!(*names)[i]) 1894 if (!(*names)[i])
1898 goto err; 1895 goto err;
1899 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 1896 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
@@ -1938,11 +1935,10 @@ int security_set_bools(int len, int *values)
1938 audit_get_loginuid(current), 1935 audit_get_loginuid(current),
1939 audit_get_sessionid(current)); 1936 audit_get_sessionid(current));
1940 } 1937 }
1941 if (values[i]) { 1938 if (values[i])
1942 policydb.bool_val_to_struct[i]->state = 1; 1939 policydb.bool_val_to_struct[i]->state = 1;
1943 } else { 1940 else
1944 policydb.bool_val_to_struct[i]->state = 0; 1941 policydb.bool_val_to_struct[i]->state = 0;
1945 }
1946 } 1942 }
1947 1943
1948 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 1944 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
@@ -2036,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2036 POLICY_RDLOCK; 2032 POLICY_RDLOCK;
2037 context1 = sidtab_search(&sidtab, sid); 2033 context1 = sidtab_search(&sidtab, sid);
2038 if (!context1) { 2034 if (!context1) {
2039 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 2035 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2040 "%d\n", sid); 2036 __func__, sid);
2041 rc = -EINVAL; 2037 rc = -EINVAL;
2042 goto out_unlock; 2038 goto out_unlock;
2043 } 2039 }
2044 2040
2045 context2 = sidtab_search(&sidtab, mls_sid); 2041 context2 = sidtab_search(&sidtab, mls_sid);
2046 if (!context2) { 2042 if (!context2) {
2047 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 2043 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2048 "%d\n", mls_sid); 2044 __func__, mls_sid);
2049 rc = -EINVAL; 2045 rc = -EINVAL;
2050 goto out_unlock; 2046 goto out_unlock;
2051 } 2047 }
@@ -2136,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2136 2132
2137 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); 2133 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2138 if (!nlbl_ctx) { 2134 if (!nlbl_ctx) {
2139 printk(KERN_ERR 2135 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2140 "security_sid_mls_cmp: unrecognized SID %d\n", 2136 __func__, nlbl_sid);
2141 nlbl_sid);
2142 rc = -EINVAL; 2137 rc = -EINVAL;
2143 goto out_slowpath; 2138 goto out_slowpath;
2144 } 2139 }
2145 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); 2140 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2146 if (!xfrm_ctx) { 2141 if (!xfrm_ctx) {
2147 printk(KERN_ERR 2142 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2148 "security_sid_mls_cmp: unrecognized SID %d\n", 2143 __func__, xfrm_sid);
2149 xfrm_sid);
2150 rc = -EINVAL; 2144 rc = -EINVAL;
2151 goto out_slowpath; 2145 goto out_slowpath;
2152 } 2146 }
@@ -2226,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
2226 2220
2227 match = hashtab_search(policydb.p_classes.table, class); 2221 match = hashtab_search(policydb.p_classes.table, class);
2228 if (!match) { 2222 if (!match) {
2229 printk(KERN_ERR "%s: unrecognized class %s\n", 2223 printk(KERN_ERR "SELinux: %s: unrecognized class %s\n",
2230 __func__, class); 2224 __func__, class);
2231 rc = -EINVAL; 2225 rc = -EINVAL;
2232 goto out; 2226 goto out;
@@ -2435,7 +2429,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2435 2429
2436 if (!rule) { 2430 if (!rule) {
2437 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2431 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2438 "selinux_audit_rule_match: missing rule\n"); 2432 "selinux_audit_rule_match: missing rule\n");
2439 return -ENOENT; 2433 return -ENOENT;
2440 } 2434 }
2441 2435
@@ -2443,7 +2437,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2443 2437
2444 if (rule->au_seqno < latest_granting) { 2438 if (rule->au_seqno < latest_granting) {
2445 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2439 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2446 "selinux_audit_rule_match: stale rule\n"); 2440 "selinux_audit_rule_match: stale rule\n");
2447 match = -ESTALE; 2441 match = -ESTALE;
2448 goto out; 2442 goto out;
2449 } 2443 }
@@ -2451,8 +2445,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2451 ctxt = sidtab_search(&sidtab, sid); 2445 ctxt = sidtab_search(&sidtab, sid);
2452 if (!ctxt) { 2446 if (!ctxt) {
2453 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2447 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2454 "selinux_audit_rule_match: unrecognized SID %d\n", 2448 "selinux_audit_rule_match: unrecognized SID %d\n",
2455 sid); 2449 sid);
2456 match = -ENOENT; 2450 match = -ENOENT;
2457 goto out; 2451 goto out;
2458 } 2452 }
@@ -2498,36 +2492,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2498 case AUDIT_OBJ_LEV_LOW: 2492 case AUDIT_OBJ_LEV_LOW:
2499 case AUDIT_OBJ_LEV_HIGH: 2493 case AUDIT_OBJ_LEV_HIGH:
2500 level = ((field == AUDIT_SUBJ_SEN || 2494 level = ((field == AUDIT_SUBJ_SEN ||
2501 field == AUDIT_OBJ_LEV_LOW) ? 2495 field == AUDIT_OBJ_LEV_LOW) ?
2502 &ctxt->range.level[0] : &ctxt->range.level[1]); 2496 &ctxt->range.level[0] : &ctxt->range.level[1]);
2503 switch (op) { 2497 switch (op) {
2504 case AUDIT_EQUAL: 2498 case AUDIT_EQUAL:
2505 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2499 match = mls_level_eq(&rule->au_ctxt.range.level[0],
2506 level); 2500 level);
2507 break; 2501 break;
2508 case AUDIT_NOT_EQUAL: 2502 case AUDIT_NOT_EQUAL:
2509 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2503 match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2510 level); 2504 level);
2511 break; 2505 break;
2512 case AUDIT_LESS_THAN: 2506 case AUDIT_LESS_THAN:
2513 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2507 match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2514 level) && 2508 level) &&
2515 !mls_level_eq(&rule->au_ctxt.range.level[0], 2509 !mls_level_eq(&rule->au_ctxt.range.level[0],
2516 level)); 2510 level));
2517 break; 2511 break;
2518 case AUDIT_LESS_THAN_OR_EQUAL: 2512 case AUDIT_LESS_THAN_OR_EQUAL:
2519 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2513 match = mls_level_dom(&rule->au_ctxt.range.level[0],
2520 level); 2514 level);
2521 break; 2515 break;
2522 case AUDIT_GREATER_THAN: 2516 case AUDIT_GREATER_THAN:
2523 match = (mls_level_dom(level, 2517 match = (mls_level_dom(level,
2524 &rule->au_ctxt.range.level[0]) && 2518 &rule->au_ctxt.range.level[0]) &&
2525 !mls_level_eq(level, 2519 !mls_level_eq(level,
2526 &rule->au_ctxt.range.level[0])); 2520 &rule->au_ctxt.range.level[0]));
2527 break; 2521 break;
2528 case AUDIT_GREATER_THAN_OR_EQUAL: 2522 case AUDIT_GREATER_THAN_OR_EQUAL:
2529 match = mls_level_dom(level, 2523 match = mls_level_dom(level,
2530 &rule->au_ctxt.range.level[0]); 2524 &rule->au_ctxt.range.level[0]);
2531 break; 2525 break;
2532 } 2526 }
2533 } 2527 }
@@ -2554,7 +2548,7 @@ static int __init aurule_init(void)
2554 int err; 2548 int err;
2555 2549
2556 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2550 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2557 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2551 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2558 if (err) 2552 if (err)
2559 panic("avc_add_callback() failed, error %d\n", err); 2553 panic("avc_add_callback() failed, error %d\n", err);
2560 2554
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 53a54a77f1f8..4a516ff4bcde 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s,
156 while (cur != NULL) { 156 while (cur != NULL) {
157 ret = apply(cur->sid, &cur->context, args); 157 ret = apply(cur->sid, &cur->context, args);
158 if (ret) { 158 if (ret) {
159 if (last) { 159 if (last)
160 last->next = cur->next; 160 last->next = cur->next;
161 } else { 161 else
162 s->htable[i] = cur->next; 162 s->htable[i] = cur->next;
163 }
164
165 temp = cur; 163 temp = cur;
166 cur = cur->next; 164 cur = cur->next;
167 context_destroy(&temp->context); 165 context_destroy(&temp->context);