aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/ss
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/avtab.c40
-rw-r--r--security/selinux/ss/conditional.c16
-rw-r--r--security/selinux/ss/ebitmap.c14
-rw-r--r--security/selinux/ss/policydb.c65
-rw-r--r--security/selinux/ss/policydb.h2
-rw-r--r--security/selinux/ss/services.c69
6 files changed, 121 insertions, 85 deletions
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index cd10e27fc9e6..916e73a18bc5 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -280,8 +280,8 @@ int avtab_alloc(struct avtab *h, u32 nrules)
280 h->nel = 0; 280 h->nel = 0;
281 h->nslot = nslot; 281 h->nslot = nslot;
282 h->mask = mask; 282 h->mask = mask;
283 printk(KERN_DEBUG "SELinux:%d avtab hash slots allocated. " 283 printk(KERN_DEBUG "SELinux: %d avtab hash slots, %d rules.\n",
284 "Num of rules:%d\n", h->nslot, nrules); 284 h->nslot, nrules);
285 return 0; 285 return 0;
286} 286}
287 287
@@ -345,18 +345,18 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
345 if (vers < POLICYDB_VERSION_AVTAB) { 345 if (vers < POLICYDB_VERSION_AVTAB) {
346 rc = next_entry(buf32, fp, sizeof(u32)); 346 rc = next_entry(buf32, fp, sizeof(u32));
347 if (rc < 0) { 347 if (rc < 0) {
348 printk(KERN_ERR "security: avtab: truncated entry\n"); 348 printk(KERN_ERR "SELinux: avtab: truncated entry\n");
349 return -1; 349 return -1;
350 } 350 }
351 items2 = le32_to_cpu(buf32[0]); 351 items2 = le32_to_cpu(buf32[0]);
352 if (items2 > ARRAY_SIZE(buf32)) { 352 if (items2 > ARRAY_SIZE(buf32)) {
353 printk(KERN_ERR "security: avtab: entry overflow\n"); 353 printk(KERN_ERR "SELinux: avtab: entry overflow\n");
354 return -1; 354 return -1;
355 355
356 } 356 }
357 rc = next_entry(buf32, fp, sizeof(u32)*items2); 357 rc = next_entry(buf32, fp, sizeof(u32)*items2);
358 if (rc < 0) { 358 if (rc < 0) {
359 printk(KERN_ERR "security: avtab: truncated entry\n"); 359 printk(KERN_ERR "SELinux: avtab: truncated entry\n");
360 return -1; 360 return -1;
361 } 361 }
362 items = 0; 362 items = 0;
@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
364 val = le32_to_cpu(buf32[items++]); 364 val = le32_to_cpu(buf32[items++]);
365 key.source_type = (u16)val; 365 key.source_type = (u16)val;
366 if (key.source_type != val) { 366 if (key.source_type != val) {
367 printk("security: avtab: truncated source type\n"); 367 printk("SELinux: avtab: truncated source type\n");
368 return -1; 368 return -1;
369 } 369 }
370 val = le32_to_cpu(buf32[items++]); 370 val = le32_to_cpu(buf32[items++]);
371 key.target_type = (u16)val; 371 key.target_type = (u16)val;
372 if (key.target_type != val) { 372 if (key.target_type != val) {
373 printk("security: avtab: truncated target type\n"); 373 printk("SELinux: avtab: truncated target type\n");
374 return -1; 374 return -1;
375 } 375 }
376 val = le32_to_cpu(buf32[items++]); 376 val = le32_to_cpu(buf32[items++]);
377 key.target_class = (u16)val; 377 key.target_class = (u16)val;
378 if (key.target_class != val) { 378 if (key.target_class != val) {
379 printk("security: avtab: truncated target class\n"); 379 printk("SELinux: avtab: truncated target class\n");
380 return -1; 380 return -1;
381 } 381 }
382 382
@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
384 enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; 384 enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
385 385
386 if (!(val & (AVTAB_AV | AVTAB_TYPE))) { 386 if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
387 printk("security: avtab: null entry\n"); 387 printk("SELinux: avtab: null entry\n");
388 return -1; 388 return -1;
389 } 389 }
390 if ((val & AVTAB_AV) && 390 if ((val & AVTAB_AV) &&
391 (val & AVTAB_TYPE)) { 391 (val & AVTAB_TYPE)) {
392 printk("security: avtab: entry has both access vectors and types\n"); 392 printk("SELinux: avtab: entry has both access vectors and types\n");
393 return -1; 393 return -1;
394 } 394 }
395 395
@@ -403,7 +403,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
403 } 403 }
404 404
405 if (items != items2) { 405 if (items != items2) {
406 printk("security: avtab: entry only had %d items, expected %d\n", items2, items); 406 printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
407 return -1; 407 return -1;
408 } 408 }
409 return 0; 409 return 0;
@@ -411,7 +411,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
411 411
412 rc = next_entry(buf16, fp, sizeof(u16)*4); 412 rc = next_entry(buf16, fp, sizeof(u16)*4);
413 if (rc < 0) { 413 if (rc < 0) {
414 printk("security: avtab: truncated entry\n"); 414 printk("SELinux: avtab: truncated entry\n");
415 return -1; 415 return -1;
416 } 416 }
417 417
@@ -424,7 +424,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
424 if (!policydb_type_isvalid(pol, key.source_type) || 424 if (!policydb_type_isvalid(pol, key.source_type) ||
425 !policydb_type_isvalid(pol, key.target_type) || 425 !policydb_type_isvalid(pol, key.target_type) ||
426 !policydb_class_isvalid(pol, key.target_class)) { 426 !policydb_class_isvalid(pol, key.target_class)) {
427 printk(KERN_WARNING "security: avtab: invalid type or class\n"); 427 printk(KERN_WARNING "SELinux: avtab: invalid type or class\n");
428 return -1; 428 return -1;
429 } 429 }
430 430
@@ -435,19 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
435 } 435 }
436 if (!set || set > 1) { 436 if (!set || set > 1) {
437 printk(KERN_WARNING 437 printk(KERN_WARNING
438 "security: avtab: more than one specifier\n"); 438 "SELinux: avtab: more than one specifier\n");
439 return -1; 439 return -1;
440 } 440 }
441 441
442 rc = next_entry(buf32, fp, sizeof(u32)); 442 rc = next_entry(buf32, fp, sizeof(u32));
443 if (rc < 0) { 443 if (rc < 0) {
444 printk("security: avtab: truncated entry\n"); 444 printk("SELinux: avtab: truncated entry\n");
445 return -1; 445 return -1;
446 } 446 }
447 datum.data = le32_to_cpu(*buf32); 447 datum.data = le32_to_cpu(*buf32);
448 if ((key.specified & AVTAB_TYPE) && 448 if ((key.specified & AVTAB_TYPE) &&
449 !policydb_type_isvalid(pol, datum.data)) { 449 !policydb_type_isvalid(pol, datum.data)) {
450 printk(KERN_WARNING "security: avtab: invalid type\n"); 450 printk(KERN_WARNING "SELinux: avtab: invalid type\n");
451 return -1; 451 return -1;
452 } 452 }
453 return insertf(a, &key, &datum, p); 453 return insertf(a, &key, &datum, p);
@@ -468,12 +468,12 @@ int avtab_read(struct avtab *a, void *fp, struct policydb *pol)
468 468
469 rc = next_entry(buf, fp, sizeof(u32)); 469 rc = next_entry(buf, fp, sizeof(u32));
470 if (rc < 0) { 470 if (rc < 0) {
471 printk(KERN_ERR "security: avtab: truncated table\n"); 471 printk(KERN_ERR "SELinux: avtab: truncated table\n");
472 goto bad; 472 goto bad;
473 } 473 }
474 nel = le32_to_cpu(buf[0]); 474 nel = le32_to_cpu(buf[0]);
475 if (!nel) { 475 if (!nel) {
476 printk(KERN_ERR "security: avtab: table is empty\n"); 476 printk(KERN_ERR "SELinux: avtab: table is empty\n");
477 rc = -EINVAL; 477 rc = -EINVAL;
478 goto bad; 478 goto bad;
479 } 479 }
@@ -486,9 +486,9 @@ int avtab_read(struct avtab *a, void *fp, struct policydb *pol)
486 rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL); 486 rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL);
487 if (rc) { 487 if (rc) {
488 if (rc == -ENOMEM) 488 if (rc == -ENOMEM)
489 printk(KERN_ERR "security: avtab: out of memory\n"); 489 printk(KERN_ERR "SELinux: avtab: out of memory\n");
490 else if (rc == -EEXIST) 490 else if (rc == -EEXIST)
491 printk(KERN_ERR "security: avtab: duplicate entry\n"); 491 printk(KERN_ERR "SELinux: avtab: duplicate entry\n");
492 else 492 else
493 rc = -EINVAL; 493 rc = -EINVAL;
494 goto bad; 494 goto bad;
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 50ad85d4b77c..a996cf1d378a 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -96,7 +96,7 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
96 if (new_state != node->cur_state) { 96 if (new_state != node->cur_state) {
97 node->cur_state = new_state; 97 node->cur_state = new_state;
98 if (new_state == -1) 98 if (new_state == -1)
99 printk(KERN_ERR "security: expression result was undefined - disabling all rules.\n"); 99 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
100 /* turn the rules on or off */ 100 /* turn the rules on or off */
101 for (cur = node->true_list; cur != NULL; cur = cur->next) { 101 for (cur = node->true_list; cur != NULL; cur = cur->next) {
102 if (new_state <= 0) { 102 if (new_state <= 0) {
@@ -276,7 +276,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
276 */ 276 */
277 if (k->specified & AVTAB_TYPE) { 277 if (k->specified & AVTAB_TYPE) {
278 if (avtab_search(&p->te_avtab, k)) { 278 if (avtab_search(&p->te_avtab, k)) {
279 printk("security: type rule already exists outside of a conditional."); 279 printk("SELinux: type rule already exists outside of a conditional.");
280 goto err; 280 goto err;
281 } 281 }
282 /* 282 /*
@@ -291,7 +291,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
291 node_ptr = avtab_search_node(&p->te_cond_avtab, k); 291 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
292 if (node_ptr) { 292 if (node_ptr) {
293 if (avtab_search_node_next(node_ptr, k->specified)) { 293 if (avtab_search_node_next(node_ptr, k->specified)) {
294 printk("security: too many conflicting type rules."); 294 printk("SELinux: too many conflicting type rules.");
295 goto err; 295 goto err;
296 } 296 }
297 found = 0; 297 found = 0;
@@ -302,13 +302,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
302 } 302 }
303 } 303 }
304 if (!found) { 304 if (!found) {
305 printk("security: conflicting type rules.\n"); 305 printk("SELinux: conflicting type rules.\n");
306 goto err; 306 goto err;
307 } 307 }
308 } 308 }
309 } else { 309 } else {
310 if (avtab_search(&p->te_cond_avtab, k)) { 310 if (avtab_search(&p->te_cond_avtab, k)) {
311 printk("security: conflicting type rules when adding type rule for true.\n"); 311 printk("SELinux: conflicting type rules when adding type rule for true.\n");
312 goto err; 312 goto err;
313 } 313 }
314 } 314 }
@@ -316,7 +316,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
316 316
317 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); 317 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
318 if (!node_ptr) { 318 if (!node_ptr) {
319 printk("security: could not insert rule."); 319 printk("SELinux: could not insert rule.");
320 goto err; 320 goto err;
321 } 321 }
322 322
@@ -376,12 +376,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
376static int expr_isvalid(struct policydb *p, struct cond_expr *expr) 376static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
377{ 377{
378 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { 378 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
379 printk("security: conditional expressions uses unknown operator.\n"); 379 printk("SELinux: conditional expressions uses unknown operator.\n");
380 return 0; 380 return 0;
381 } 381 }
382 382
383 if (expr->bool > p->p_bools.nprim) { 383 if (expr->bool > p->p_bools.nprim) {
384 printk("security: conditional expressions uses unknown bool.\n"); 384 printk("SELinux: conditional expressions uses unknown bool.\n");
385 return 0; 385 return 0;
386 } 386 }
387 return 1; 387 return 1;
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 920b5e36a1af..e499af474b35 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -364,7 +364,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
364 count = le32_to_cpu(buf[2]); 364 count = le32_to_cpu(buf[2]);
365 365
366 if (mapunit != sizeof(u64) * 8) { 366 if (mapunit != sizeof(u64) * 8) {
367 printk(KERN_ERR "security: ebitmap: map size %u does not " 367 printk(KERN_ERR "SELinux: ebitmap: map size %u does not "
368 "match my size %Zd (high bit was %d)\n", 368 "match my size %Zd (high bit was %d)\n",
369 mapunit, sizeof(u64) * 8, e->highbit); 369 mapunit, sizeof(u64) * 8, e->highbit);
370 goto bad; 370 goto bad;
@@ -382,19 +382,19 @@ int ebitmap_read(struct ebitmap *e, void *fp)
382 for (i = 0; i < count; i++) { 382 for (i = 0; i < count; i++) {
383 rc = next_entry(&startbit, fp, sizeof(u32)); 383 rc = next_entry(&startbit, fp, sizeof(u32));
384 if (rc < 0) { 384 if (rc < 0) {
385 printk(KERN_ERR "security: ebitmap: truncated map\n"); 385 printk(KERN_ERR "SELinux: ebitmap: truncated map\n");
386 goto bad; 386 goto bad;
387 } 387 }
388 startbit = le32_to_cpu(startbit); 388 startbit = le32_to_cpu(startbit);
389 389
390 if (startbit & (mapunit - 1)) { 390 if (startbit & (mapunit - 1)) {
391 printk(KERN_ERR "security: ebitmap start bit (%d) is " 391 printk(KERN_ERR "SELinux: ebitmap start bit (%d) is "
392 "not a multiple of the map unit size (%u)\n", 392 "not a multiple of the map unit size (%u)\n",
393 startbit, mapunit); 393 startbit, mapunit);
394 goto bad; 394 goto bad;
395 } 395 }
396 if (startbit > e->highbit - mapunit) { 396 if (startbit > e->highbit - mapunit) {
397 printk(KERN_ERR "security: ebitmap start bit (%d) is " 397 printk(KERN_ERR "SELinux: ebitmap start bit (%d) is "
398 "beyond the end of the bitmap (%u)\n", 398 "beyond the end of the bitmap (%u)\n",
399 startbit, (e->highbit - mapunit)); 399 startbit, (e->highbit - mapunit));
400 goto bad; 400 goto bad;
@@ -405,7 +405,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
405 tmp = kzalloc(sizeof(*tmp), GFP_KERNEL); 405 tmp = kzalloc(sizeof(*tmp), GFP_KERNEL);
406 if (!tmp) { 406 if (!tmp) {
407 printk(KERN_ERR 407 printk(KERN_ERR
408 "security: ebitmap: out of memory\n"); 408 "SELinux: ebitmap: out of memory\n");
409 rc = -ENOMEM; 409 rc = -ENOMEM;
410 goto bad; 410 goto bad;
411 } 411 }
@@ -418,7 +418,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
418 } 418 }
419 n = tmp; 419 n = tmp;
420 } else if (startbit <= n->startbit) { 420 } else if (startbit <= n->startbit) {
421 printk(KERN_ERR "security: ebitmap: start bit %d" 421 printk(KERN_ERR "SELinux: ebitmap: start bit %d"
422 " comes after start bit %d\n", 422 " comes after start bit %d\n",
423 startbit, n->startbit); 423 startbit, n->startbit);
424 goto bad; 424 goto bad;
@@ -426,7 +426,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
426 426
427 rc = next_entry(&map, fp, sizeof(u64)); 427 rc = next_entry(&map, fp, sizeof(u64));
428 if (rc < 0) { 428 if (rc < 0) {
429 printk(KERN_ERR "security: ebitmap: truncated map\n"); 429 printk(KERN_ERR "SELinux: ebitmap: truncated map\n");
430 goto bad; 430 goto bad;
431 } 431 }
432 map = le64_to_cpu(map); 432 map = le64_to_cpu(map);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index bd7d6a00342d..6bdb0ff6a927 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -111,6 +111,11 @@ static struct policydb_compat_info policydb_compat[] = {
111 .version = POLICYDB_VERSION_POLCAP, 111 .version = POLICYDB_VERSION_POLCAP,
112 .sym_num = SYM_NUM, 112 .sym_num = SYM_NUM,
113 .ocon_num = OCON_NUM, 113 .ocon_num = OCON_NUM,
114 },
115 {
116 .version = POLICYDB_VERSION_PERMISSIVE,
117 .sym_num = SYM_NUM,
118 .ocon_num = OCON_NUM,
114 } 119 }
115}; 120};
116 121
@@ -194,6 +199,7 @@ static int policydb_init(struct policydb *p)
194 goto out_free_symtab; 199 goto out_free_symtab;
195 200
196 ebitmap_init(&p->policycaps); 201 ebitmap_init(&p->policycaps);
202 ebitmap_init(&p->permissive_map);
197 203
198out: 204out:
199 return rc; 205 return rc;
@@ -401,14 +407,14 @@ static int policydb_index_others(struct policydb *p)
401{ 407{
402 int i, rc = 0; 408 int i, rc = 0;
403 409
404 printk(KERN_DEBUG "security: %d users, %d roles, %d types, %d bools", 410 printk(KERN_DEBUG "SELinux: %d users, %d roles, %d types, %d bools",
405 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim); 411 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
406 if (selinux_mls_enabled) 412 if (selinux_mls_enabled)
407 printk(", %d sens, %d cats", p->p_levels.nprim, 413 printk(", %d sens, %d cats", p->p_levels.nprim,
408 p->p_cats.nprim); 414 p->p_cats.nprim);
409 printk("\n"); 415 printk("\n");
410 416
411 printk(KERN_DEBUG "security: %d classes, %d rules\n", 417 printk(KERN_DEBUG "SELinux: %d classes, %d rules\n",
412 p->p_classes.nprim, p->te_avtab.nel); 418 p->p_classes.nprim, p->te_avtab.nel);
413 419
414#ifdef DEBUG_HASHES 420#ifdef DEBUG_HASHES
@@ -687,6 +693,7 @@ void policydb_destroy(struct policydb *p)
687 kfree(p->type_attr_map); 693 kfree(p->type_attr_map);
688 kfree(p->undefined_perms); 694 kfree(p->undefined_perms);
689 ebitmap_destroy(&p->policycaps); 695 ebitmap_destroy(&p->policycaps);
696 ebitmap_destroy(&p->permissive_map);
690 697
691 return; 698 return;
692} 699}
@@ -702,20 +709,20 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
702 709
703 rc = sidtab_init(s); 710 rc = sidtab_init(s);
704 if (rc) { 711 if (rc) {
705 printk(KERN_ERR "security: out of memory on SID table init\n"); 712 printk(KERN_ERR "SELinux: out of memory on SID table init\n");
706 goto out; 713 goto out;
707 } 714 }
708 715
709 head = p->ocontexts[OCON_ISID]; 716 head = p->ocontexts[OCON_ISID];
710 for (c = head; c; c = c->next) { 717 for (c = head; c; c = c->next) {
711 if (!c->context[0].user) { 718 if (!c->context[0].user) {
712 printk(KERN_ERR "security: SID %s was never " 719 printk(KERN_ERR "SELinux: SID %s was never "
713 "defined.\n", c->u.name); 720 "defined.\n", c->u.name);
714 rc = -EINVAL; 721 rc = -EINVAL;
715 goto out; 722 goto out;
716 } 723 }
717 if (sidtab_insert(s, c->sid[0], &c->context[0])) { 724 if (sidtab_insert(s, c->sid[0], &c->context[0])) {
718 printk(KERN_ERR "security: unable to load initial " 725 printk(KERN_ERR "SELinux: unable to load initial "
719 "SID %s.\n", c->u.name); 726 "SID %s.\n", c->u.name);
720 rc = -EINVAL; 727 rc = -EINVAL;
721 goto out; 728 goto out;
@@ -809,13 +816,13 @@ static int mls_read_range_helper(struct mls_range *r, void *fp)
809 816
810 items = le32_to_cpu(buf[0]); 817 items = le32_to_cpu(buf[0]);
811 if (items > ARRAY_SIZE(buf)) { 818 if (items > ARRAY_SIZE(buf)) {
812 printk(KERN_ERR "security: mls: range overflow\n"); 819 printk(KERN_ERR "SELinux: mls: range overflow\n");
813 rc = -EINVAL; 820 rc = -EINVAL;
814 goto out; 821 goto out;
815 } 822 }
816 rc = next_entry(buf, fp, sizeof(u32) * items); 823 rc = next_entry(buf, fp, sizeof(u32) * items);
817 if (rc < 0) { 824 if (rc < 0) {
818 printk(KERN_ERR "security: mls: truncated range\n"); 825 printk(KERN_ERR "SELinux: mls: truncated range\n");
819 goto out; 826 goto out;
820 } 827 }
821 r->level[0].sens = le32_to_cpu(buf[0]); 828 r->level[0].sens = le32_to_cpu(buf[0]);
@@ -826,21 +833,21 @@ static int mls_read_range_helper(struct mls_range *r, void *fp)
826 833
827 rc = ebitmap_read(&r->level[0].cat, fp); 834 rc = ebitmap_read(&r->level[0].cat, fp);
828 if (rc) { 835 if (rc) {
829 printk(KERN_ERR "security: mls: error reading low " 836 printk(KERN_ERR "SELinux: mls: error reading low "
830 "categories\n"); 837 "categories\n");
831 goto out; 838 goto out;
832 } 839 }
833 if (items > 1) { 840 if (items > 1) {
834 rc = ebitmap_read(&r->level[1].cat, fp); 841 rc = ebitmap_read(&r->level[1].cat, fp);
835 if (rc) { 842 if (rc) {
836 printk(KERN_ERR "security: mls: error reading high " 843 printk(KERN_ERR "SELinux: mls: error reading high "
837 "categories\n"); 844 "categories\n");
838 goto bad_high; 845 goto bad_high;
839 } 846 }
840 } else { 847 } else {
841 rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat); 848 rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat);
842 if (rc) { 849 if (rc) {
843 printk(KERN_ERR "security: mls: out of memory\n"); 850 printk(KERN_ERR "SELinux: mls: out of memory\n");
844 goto bad_high; 851 goto bad_high;
845 } 852 }
846 } 853 }
@@ -866,7 +873,7 @@ static int context_read_and_validate(struct context *c,
866 873
867 rc = next_entry(buf, fp, sizeof buf); 874 rc = next_entry(buf, fp, sizeof buf);
868 if (rc < 0) { 875 if (rc < 0) {
869 printk(KERN_ERR "security: context truncated\n"); 876 printk(KERN_ERR "SELinux: context truncated\n");
870 goto out; 877 goto out;
871 } 878 }
872 c->user = le32_to_cpu(buf[0]); 879 c->user = le32_to_cpu(buf[0]);
@@ -874,7 +881,7 @@ static int context_read_and_validate(struct context *c,
874 c->type = le32_to_cpu(buf[2]); 881 c->type = le32_to_cpu(buf[2]);
875 if (p->policyvers >= POLICYDB_VERSION_MLS) { 882 if (p->policyvers >= POLICYDB_VERSION_MLS) {
876 if (mls_read_range_helper(&c->range, fp)) { 883 if (mls_read_range_helper(&c->range, fp)) {
877 printk(KERN_ERR "security: error reading MLS range of " 884 printk(KERN_ERR "SELinux: error reading MLS range of "
878 "context\n"); 885 "context\n");
879 rc = -EINVAL; 886 rc = -EINVAL;
880 goto out; 887 goto out;
@@ -882,7 +889,7 @@ static int context_read_and_validate(struct context *c,
882 } 889 }
883 890
884 if (!policydb_context_isvalid(p, c)) { 891 if (!policydb_context_isvalid(p, c)) {
885 printk(KERN_ERR "security: invalid security context\n"); 892 printk(KERN_ERR "SELinux: invalid security context\n");
886 context_destroy(c); 893 context_destroy(c);
887 rc = -EINVAL; 894 rc = -EINVAL;
888 } 895 }
@@ -1128,7 +1135,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1128 cladatum->comdatum = hashtab_search(p->p_commons.table, 1135 cladatum->comdatum = hashtab_search(p->p_commons.table,
1129 cladatum->comkey); 1136 cladatum->comkey);
1130 if (!cladatum->comdatum) { 1137 if (!cladatum->comdatum) {
1131 printk(KERN_ERR "security: unknown common %s\n", 1138 printk(KERN_ERR "SELinux: unknown common %s\n",
1132 cladatum->comkey); 1139 cladatum->comkey);
1133 rc = -EINVAL; 1140 rc = -EINVAL;
1134 goto bad; 1141 goto bad;
@@ -1283,13 +1290,13 @@ static int mls_read_level(struct mls_level *lp, void *fp)
1283 1290
1284 rc = next_entry(buf, fp, sizeof buf); 1291 rc = next_entry(buf, fp, sizeof buf);
1285 if (rc < 0) { 1292 if (rc < 0) {
1286 printk(KERN_ERR "security: mls: truncated level\n"); 1293 printk(KERN_ERR "SELinux: mls: truncated level\n");
1287 goto bad; 1294 goto bad;
1288 } 1295 }
1289 lp->sens = le32_to_cpu(buf[0]); 1296 lp->sens = le32_to_cpu(buf[0]);
1290 1297
1291 if (ebitmap_read(&lp->cat, fp)) { 1298 if (ebitmap_read(&lp->cat, fp)) {
1292 printk(KERN_ERR "security: mls: error reading level " 1299 printk(KERN_ERR "SELinux: mls: error reading level "
1293 "categories\n"); 1300 "categories\n");
1294 goto bad; 1301 goto bad;
1295 } 1302 }
@@ -1491,7 +1498,7 @@ int policydb_read(struct policydb *p, void *fp)
1491 goto bad; 1498 goto bad;
1492 1499
1493 if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) { 1500 if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) {
1494 printk(KERN_ERR "security: policydb magic number 0x%x does " 1501 printk(KERN_ERR "SELinux: policydb magic number 0x%x does "
1495 "not match expected magic number 0x%x\n", 1502 "not match expected magic number 0x%x\n",
1496 le32_to_cpu(buf[0]), POLICYDB_MAGIC); 1503 le32_to_cpu(buf[0]), POLICYDB_MAGIC);
1497 goto bad; 1504 goto bad;
@@ -1499,27 +1506,27 @@ int policydb_read(struct policydb *p, void *fp)
1499 1506
1500 len = le32_to_cpu(buf[1]); 1507 len = le32_to_cpu(buf[1]);
1501 if (len != strlen(POLICYDB_STRING)) { 1508 if (len != strlen(POLICYDB_STRING)) {
1502 printk(KERN_ERR "security: policydb string length %d does not " 1509 printk(KERN_ERR "SELinux: policydb string length %d does not "
1503 "match expected length %Zu\n", 1510 "match expected length %Zu\n",
1504 len, strlen(POLICYDB_STRING)); 1511 len, strlen(POLICYDB_STRING));
1505 goto bad; 1512 goto bad;
1506 } 1513 }
1507 policydb_str = kmalloc(len + 1,GFP_KERNEL); 1514 policydb_str = kmalloc(len + 1,GFP_KERNEL);
1508 if (!policydb_str) { 1515 if (!policydb_str) {
1509 printk(KERN_ERR "security: unable to allocate memory for policydb " 1516 printk(KERN_ERR "SELinux: unable to allocate memory for policydb "
1510 "string of length %d\n", len); 1517 "string of length %d\n", len);
1511 rc = -ENOMEM; 1518 rc = -ENOMEM;
1512 goto bad; 1519 goto bad;
1513 } 1520 }
1514 rc = next_entry(policydb_str, fp, len); 1521 rc = next_entry(policydb_str, fp, len);
1515 if (rc < 0) { 1522 if (rc < 0) {
1516 printk(KERN_ERR "security: truncated policydb string identifier\n"); 1523 printk(KERN_ERR "SELinux: truncated policydb string identifier\n");
1517 kfree(policydb_str); 1524 kfree(policydb_str);
1518 goto bad; 1525 goto bad;
1519 } 1526 }
1520 policydb_str[len] = 0; 1527 policydb_str[len] = 0;
1521 if (strcmp(policydb_str, POLICYDB_STRING)) { 1528 if (strcmp(policydb_str, POLICYDB_STRING)) {
1522 printk(KERN_ERR "security: policydb string %s does not match " 1529 printk(KERN_ERR "SELinux: policydb string %s does not match "
1523 "my string %s\n", policydb_str, POLICYDB_STRING); 1530 "my string %s\n", policydb_str, POLICYDB_STRING);
1524 kfree(policydb_str); 1531 kfree(policydb_str);
1525 goto bad; 1532 goto bad;
@@ -1536,7 +1543,7 @@ int policydb_read(struct policydb *p, void *fp)
1536 p->policyvers = le32_to_cpu(buf[0]); 1543 p->policyvers = le32_to_cpu(buf[0]);
1537 if (p->policyvers < POLICYDB_VERSION_MIN || 1544 if (p->policyvers < POLICYDB_VERSION_MIN ||
1538 p->policyvers > POLICYDB_VERSION_MAX) { 1545 p->policyvers > POLICYDB_VERSION_MAX) {
1539 printk(KERN_ERR "security: policydb version %d does not match " 1546 printk(KERN_ERR "SELinux: policydb version %d does not match "
1540 "my version range %d-%d\n", 1547 "my version range %d-%d\n",
1541 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); 1548 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
1542 goto bad; 1549 goto bad;
@@ -1570,16 +1577,20 @@ int policydb_read(struct policydb *p, void *fp)
1570 ebitmap_read(&p->policycaps, fp) != 0) 1577 ebitmap_read(&p->policycaps, fp) != 0)
1571 goto bad; 1578 goto bad;
1572 1579
1580 if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE &&
1581 ebitmap_read(&p->permissive_map, fp) != 0)
1582 goto bad;
1583
1573 info = policydb_lookup_compat(p->policyvers); 1584 info = policydb_lookup_compat(p->policyvers);
1574 if (!info) { 1585 if (!info) {
1575 printk(KERN_ERR "security: unable to find policy compat info " 1586 printk(KERN_ERR "SELinux: unable to find policy compat info "
1576 "for version %d\n", p->policyvers); 1587 "for version %d\n", p->policyvers);
1577 goto bad; 1588 goto bad;
1578 } 1589 }
1579 1590
1580 if (le32_to_cpu(buf[2]) != info->sym_num || 1591 if (le32_to_cpu(buf[2]) != info->sym_num ||
1581 le32_to_cpu(buf[3]) != info->ocon_num) { 1592 le32_to_cpu(buf[3]) != info->ocon_num) {
1582 printk(KERN_ERR "security: policydb table sizes (%d,%d) do " 1593 printk(KERN_ERR "SELinux: policydb table sizes (%d,%d) do "
1583 "not match mine (%d,%d)\n", le32_to_cpu(buf[2]), 1594 "not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
1584 le32_to_cpu(buf[3]), 1595 le32_to_cpu(buf[3]),
1585 info->sym_num, info->ocon_num); 1596 info->sym_num, info->ocon_num);
@@ -1823,7 +1834,7 @@ int policydb_read(struct policydb *p, void *fp)
1823 for (genfs_p = NULL, genfs = p->genfs; genfs; 1834 for (genfs_p = NULL, genfs = p->genfs; genfs;
1824 genfs_p = genfs, genfs = genfs->next) { 1835 genfs_p = genfs, genfs = genfs->next) {
1825 if (strcmp(newgenfs->fstype, genfs->fstype) == 0) { 1836 if (strcmp(newgenfs->fstype, genfs->fstype) == 0) {
1826 printk(KERN_ERR "security: dup genfs " 1837 printk(KERN_ERR "SELinux: dup genfs "
1827 "fstype %s\n", newgenfs->fstype); 1838 "fstype %s\n", newgenfs->fstype);
1828 kfree(newgenfs->fstype); 1839 kfree(newgenfs->fstype);
1829 kfree(newgenfs); 1840 kfree(newgenfs);
@@ -1873,7 +1884,7 @@ int policydb_read(struct policydb *p, void *fp)
1873 if (!strcmp(newc->u.name, c->u.name) && 1884 if (!strcmp(newc->u.name, c->u.name) &&
1874 (!c->v.sclass || !newc->v.sclass || 1885 (!c->v.sclass || !newc->v.sclass ||
1875 newc->v.sclass == c->v.sclass)) { 1886 newc->v.sclass == c->v.sclass)) {
1876 printk(KERN_ERR "security: dup genfs " 1887 printk(KERN_ERR "SELinux: dup genfs "
1877 "entry (%s,%s)\n", 1888 "entry (%s,%s)\n",
1878 newgenfs->fstype, c->u.name); 1889 newgenfs->fstype, c->u.name);
1879 goto bad_newc; 1890 goto bad_newc;
@@ -1931,7 +1942,7 @@ int policydb_read(struct policydb *p, void *fp)
1931 if (rc) 1942 if (rc)
1932 goto bad; 1943 goto bad;
1933 if (!mls_range_isvalid(p, &rt->target_range)) { 1944 if (!mls_range_isvalid(p, &rt->target_range)) {
1934 printk(KERN_WARNING "security: rangetrans: invalid range\n"); 1945 printk(KERN_WARNING "SELinux: rangetrans: invalid range\n");
1935 goto bad; 1946 goto bad;
1936 } 1947 }
1937 lrt = rt; 1948 lrt = rt;
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index c4ce996e202c..ba593a3da877 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -243,6 +243,8 @@ struct policydb {
243 243
244 struct ebitmap policycaps; 244 struct ebitmap policycaps;
245 245
246 struct ebitmap permissive_map;
247
246 unsigned int policyvers; 248 unsigned int policyvers;
247 249
248 unsigned int reject_unknown : 1; 250 unsigned int reject_unknown : 1;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 5fd54f2bbaac..33425b1ac8d6 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -40,6 +40,7 @@
40#include <linux/sched.h> 40#include <linux/sched.h>
41#include <linux/audit.h> 41#include <linux/audit.h>
42#include <linux/mutex.h> 42#include <linux/mutex.h>
43#include <linux/selinux.h>
43#include <net/netlabel.h> 44#include <net/netlabel.h>
44 45
45#include "flask.h" 46#include "flask.h"
@@ -61,6 +62,7 @@ extern void selnl_notify_policyload(u32 seqno);
61unsigned int policydb_loaded_version; 62unsigned int policydb_loaded_version;
62 63
63int selinux_policycap_netpeer; 64int selinux_policycap_netpeer;
65int selinux_policycap_openperm;
64 66
65/* 67/*
66 * This is declared in avc.c 68 * This is declared in avc.c
@@ -412,10 +414,35 @@ static int context_struct_compute_av(struct context *scontext,
412 return 0; 414 return 0;
413 415
414inval_class: 416inval_class:
415 printk(KERN_ERR "%s: unrecognized class %d\n", __FUNCTION__, tclass); 417 printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass);
416 return -EINVAL; 418 return -EINVAL;
417} 419}
418 420
421/*
422 * Given a sid find if the type has the permissive flag set
423 */
424int security_permissive_sid(u32 sid)
425{
426 struct context *context;
427 u32 type;
428 int rc;
429
430 POLICY_RDLOCK;
431
432 context = sidtab_search(&sidtab, sid);
433 BUG_ON(!context);
434
435 type = context->type;
436 /*
437 * we are intentionally using type here, not type-1, the 0th bit may
438 * someday indicate that we are globally setting permissive in policy.
439 */
440 rc = ebitmap_get_bit(&policydb.permissive_map, type);
441
442 POLICY_RDUNLOCK;
443 return rc;
444}
445
419static int security_validtrans_handle_fail(struct context *ocontext, 446static int security_validtrans_handle_fail(struct context *ocontext,
420 struct context *ncontext, 447 struct context *ncontext,
421 struct context *tcontext, 448 struct context *tcontext,
@@ -1096,7 +1123,7 @@ static int validate_classes(struct policydb *p)
1096 continue; 1123 continue;
1097 if (i > p->p_classes.nprim) { 1124 if (i > p->p_classes.nprim) {
1098 printk(KERN_INFO 1125 printk(KERN_INFO
1099 "security: class %s not defined in policy\n", 1126 "SELinux: class %s not defined in policy\n",
1100 def_class); 1127 def_class);
1101 if (p->reject_unknown) 1128 if (p->reject_unknown)
1102 return -EINVAL; 1129 return -EINVAL;
@@ -1107,7 +1134,7 @@ static int validate_classes(struct policydb *p)
1107 pol_class = p->p_class_val_to_name[i-1]; 1134 pol_class = p->p_class_val_to_name[i-1];
1108 if (strcmp(pol_class, def_class)) { 1135 if (strcmp(pol_class, def_class)) {
1109 printk(KERN_ERR 1136 printk(KERN_ERR
1110 "security: class %d is incorrect, found %s but should be %s\n", 1137 "SELinux: class %d is incorrect, found %s but should be %s\n",
1111 i, pol_class, def_class); 1138 i, pol_class, def_class);
1112 return -EINVAL; 1139 return -EINVAL;
1113 } 1140 }
@@ -1125,7 +1152,7 @@ static int validate_classes(struct policydb *p)
1125 nprim = 1 << (perms->nprim - 1); 1152 nprim = 1 << (perms->nprim - 1);
1126 if (perm_val > nprim) { 1153 if (perm_val > nprim) {
1127 printk(KERN_INFO 1154 printk(KERN_INFO
1128 "security: permission %s in class %s not defined in policy\n", 1155 "SELinux: permission %s in class %s not defined in policy\n",
1129 def_perm, pol_class); 1156 def_perm, pol_class);
1130 if (p->reject_unknown) 1157 if (p->reject_unknown)
1131 return -EINVAL; 1158 return -EINVAL;
@@ -1136,14 +1163,14 @@ static int validate_classes(struct policydb *p)
1136 perdatum = hashtab_search(perms->table, def_perm); 1163 perdatum = hashtab_search(perms->table, def_perm);
1137 if (perdatum == NULL) { 1164 if (perdatum == NULL) {
1138 printk(KERN_ERR 1165 printk(KERN_ERR
1139 "security: permission %s in class %s not found in policy, bad policy\n", 1166 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1140 def_perm, pol_class); 1167 def_perm, pol_class);
1141 return -EINVAL; 1168 return -EINVAL;
1142 } 1169 }
1143 pol_val = 1 << (perdatum->value - 1); 1170 pol_val = 1 << (perdatum->value - 1);
1144 if (pol_val != perm_val) { 1171 if (pol_val != perm_val) {
1145 printk(KERN_ERR 1172 printk(KERN_ERR
1146 "security: permission %s in class %s has incorrect value\n", 1173 "SELinux: permission %s in class %s has incorrect value\n",
1147 def_perm, pol_class); 1174 def_perm, pol_class);
1148 return -EINVAL; 1175 return -EINVAL;
1149 } 1176 }
@@ -1157,7 +1184,7 @@ static int validate_classes(struct policydb *p)
1157 BUG_ON(!cladatum); 1184 BUG_ON(!cladatum);
1158 if (!cladatum->comdatum) { 1185 if (!cladatum->comdatum) {
1159 printk(KERN_ERR 1186 printk(KERN_ERR
1160 "security: class %s should have an inherits clause but does not\n", 1187 "SELinux: class %s should have an inherits clause but does not\n",
1161 pol_class); 1188 pol_class);
1162 return -EINVAL; 1189 return -EINVAL;
1163 } 1190 }
@@ -1172,7 +1199,7 @@ static int validate_classes(struct policydb *p)
1172 def_perm = kdefs->av_inherit[i].common_pts[j]; 1199 def_perm = kdefs->av_inherit[i].common_pts[j];
1173 if (j >= perms->nprim) { 1200 if (j >= perms->nprim) {
1174 printk(KERN_INFO 1201 printk(KERN_INFO
1175 "security: permission %s in class %s not defined in policy\n", 1202 "SELinux: permission %s in class %s not defined in policy\n",
1176 def_perm, pol_class); 1203 def_perm, pol_class);
1177 if (p->reject_unknown) 1204 if (p->reject_unknown)
1178 return -EINVAL; 1205 return -EINVAL;
@@ -1183,13 +1210,13 @@ static int validate_classes(struct policydb *p)
1183 perdatum = hashtab_search(perms->table, def_perm); 1210 perdatum = hashtab_search(perms->table, def_perm);
1184 if (perdatum == NULL) { 1211 if (perdatum == NULL) {
1185 printk(KERN_ERR 1212 printk(KERN_ERR
1186 "security: permission %s in class %s not found in policy, bad policy\n", 1213 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1187 def_perm, pol_class); 1214 def_perm, pol_class);
1188 return -EINVAL; 1215 return -EINVAL;
1189 } 1216 }
1190 if (perdatum->value != j + 1) { 1217 if (perdatum->value != j + 1) {
1191 printk(KERN_ERR 1218 printk(KERN_ERR
1192 "security: permission %s in class %s has incorrect value\n", 1219 "SELinux: permission %s in class %s has incorrect value\n",
1193 def_perm, pol_class); 1220 def_perm, pol_class);
1194 return -EINVAL; 1221 return -EINVAL;
1195 } 1222 }
@@ -1219,7 +1246,7 @@ static inline int convert_context_handle_invalid_context(struct context *context
1219 u32 len; 1246 u32 len;
1220 1247
1221 context_struct_to_string(context, &s, &len); 1248 context_struct_to_string(context, &s, &len);
1222 printk(KERN_ERR "security: context %s is invalid\n", s); 1249 printk(KERN_ERR "SELinux: context %s is invalid\n", s);
1223 kfree(s); 1250 kfree(s);
1224 } 1251 }
1225 return rc; 1252 return rc;
@@ -1299,7 +1326,7 @@ out:
1299bad: 1326bad:
1300 context_struct_to_string(&oldc, &s, &len); 1327 context_struct_to_string(&oldc, &s, &len);
1301 context_destroy(&oldc); 1328 context_destroy(&oldc);
1302 printk(KERN_ERR "security: invalidating context %s\n", s); 1329 printk(KERN_ERR "SELinux: invalidating context %s\n", s);
1303 kfree(s); 1330 kfree(s);
1304 goto out; 1331 goto out;
1305} 1332}
@@ -1308,6 +1335,8 @@ static void security_load_policycaps(void)
1308{ 1335{
1309 selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps, 1336 selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
1310 POLICYDB_CAPABILITY_NETPEER); 1337 POLICYDB_CAPABILITY_NETPEER);
1338 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
1339 POLICYDB_CAPABILITY_OPENPERM);
1311} 1340}
1312 1341
1313extern void selinux_complete_init(void); 1342extern void selinux_complete_init(void);
@@ -1350,7 +1379,7 @@ int security_load_policy(void *data, size_t len)
1350 /* Verify that the kernel defined classes are correct. */ 1379 /* Verify that the kernel defined classes are correct. */
1351 if (validate_classes(&policydb)) { 1380 if (validate_classes(&policydb)) {
1352 printk(KERN_ERR 1381 printk(KERN_ERR
1353 "security: the definition of a class is incorrect\n"); 1382 "SELinux: the definition of a class is incorrect\n");
1354 LOAD_UNLOCK; 1383 LOAD_UNLOCK;
1355 sidtab_destroy(&sidtab); 1384 sidtab_destroy(&sidtab);
1356 policydb_destroy(&policydb); 1385 policydb_destroy(&policydb);
@@ -1384,14 +1413,14 @@ int security_load_policy(void *data, size_t len)
1384 /* Verify that the kernel defined classes are correct. */ 1413 /* Verify that the kernel defined classes are correct. */
1385 if (validate_classes(&newpolicydb)) { 1414 if (validate_classes(&newpolicydb)) {
1386 printk(KERN_ERR 1415 printk(KERN_ERR
1387 "security: the definition of a class is incorrect\n"); 1416 "SELinux: the definition of a class is incorrect\n");
1388 rc = -EINVAL; 1417 rc = -EINVAL;
1389 goto err; 1418 goto err;
1390 } 1419 }
1391 1420
1392 rc = security_preserve_bools(&newpolicydb); 1421 rc = security_preserve_bools(&newpolicydb);
1393 if (rc) { 1422 if (rc) {
1394 printk(KERN_ERR "security: unable to preserve booleans\n"); 1423 printk(KERN_ERR "SELinux: unable to preserve booleans\n");
1395 goto err; 1424 goto err;
1396 } 1425 }
1397 1426
@@ -1443,17 +1472,11 @@ err:
1443 1472
1444/** 1473/**
1445 * security_port_sid - Obtain the SID for a port. 1474 * security_port_sid - Obtain the SID for a port.
1446 * @domain: communication domain aka address family
1447 * @type: socket type
1448 * @protocol: protocol number 1475 * @protocol: protocol number
1449 * @port: port number 1476 * @port: port number
1450 * @out_sid: security identifier 1477 * @out_sid: security identifier
1451 */ 1478 */
1452int security_port_sid(u16 domain, 1479int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
1453 u16 type,
1454 u8 protocol,
1455 u16 port,
1456 u32 *out_sid)
1457{ 1480{
1458 struct ocontext *c; 1481 struct ocontext *c;
1459 int rc = 0; 1482 int rc = 0;
@@ -2203,7 +2226,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
2203 match = hashtab_search(policydb.p_classes.table, class); 2226 match = hashtab_search(policydb.p_classes.table, class);
2204 if (!match) { 2227 if (!match) {
2205 printk(KERN_ERR "%s: unrecognized class %s\n", 2228 printk(KERN_ERR "%s: unrecognized class %s\n",
2206 __FUNCTION__, class); 2229 __func__, class);
2207 rc = -EINVAL; 2230 rc = -EINVAL;
2208 goto out; 2231 goto out;
2209 } 2232 }
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-28 09:22:26 -0400