Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/mls.c2
-rw-r--r--security/selinux/ss/policydb.c7
-rw-r--r--security/selinux/ss/services.c49
3 files changed, 32 insertions, 26 deletions
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 372b773f8210..b4eff7a60c50 100644
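--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -255,7 +255,7 @@ int mls_context_to_sid(struct policydb *pol,
 
  if (!pol->mls_enabled) {
  if (def_sid != SECSID_NULL && oldc)
- *scontext += strlen(*scontext)+1;
+ *scontext += strlen(*scontext) + 1;
  return 0;
  }
 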
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 23c6e53c102c..c57802a164d5 100644
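--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -40,7 +40,7 @@
 #define _DEBUG_HASHES
 
 #ifdef DEBUG_HASHES
-static char *symtab_name[SYM_NUM] = {
+static const char *symtab_name[SYM_NUM] = {
  "common prefixes",
  "classes",
  "roles",
@@ -156,12 +156,11 @@ static int roles_init(struct policydb *p)
  rc = -EINVAL;
  goto out_free_role;
  }
- key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL);
+ key = kstrdup(OBJECT_R, GFP_KERNEL);
  if (!key) {
  rc = -ENOMEM;
  goto out_free_role;
  }
- strcpy(key, OBJECT_R);
  rc = hashtab_insert(p->p_roles.table, key, role);
  if (rc)
  goto out_free_key;
@@ -2195,7 +2194,7 @@ int policydb_read(struct policydb *p, void *fp)
  rangetr_hash_eval(p->range_tr);
  }
 
- p->type_attr_map = kmalloc(p->p_types.nprim*sizeof(struct ebitmap), GFP_KERNEL);
+ p->type_attr_map = kmalloc(p->p_types.nprim * sizeof(struct ebitmap), GFP_KERNEL);
  if (!p->type_attr_map)
  goto bad;
 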
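Review bot: In the policydb_read hunk, `p->p_types.nprim * sizeof(struct ebitmap)` remains an unchecked multiplication on a count that presumably comes from the policy image being parsed; on a 32-bit build a large nprim could wrap and produce an undersized type_attr_map that later indexing overruns. An overflow-checked allocator would close this, e.g. `p->type_attr_map = kcalloc(p->p_types.nprim, sizeof(struct ebitmap), GFP_KERNEL);` (the zeroing is harmless if each ebitmap is initialised afterwards). policydb_read starts and ends outside the hunk, so whether nprim is range-checked earlier, and what rc holds when `goto bad` is taken, cannot be confirmed from here.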
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index cf27b3ee1a95..1de60ce90d9a 100644
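--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -274,15 +274,15 @@ static int constraint_expr_eval(struct context *scontext,
  case CEXPR_AND:
  BUG_ON(sp < 1);
  sp--;
- s[sp] &= s[sp+1];
+ s[sp] &= s[sp + 1];
  break;
  case CEXPR_OR:
  BUG_ON(sp < 1);
  sp--;
- s[sp] |= s[sp+1];
+ s[sp] |= s[sp + 1];
  break;
  case CEXPR_ATTR:
- if (sp == (CEXPR_MAXDEPTH-1))
+ if (sp == (CEXPR_MAXDEPTH - 1))
  return 0;
  switch (e->attr) {
  case CEXPR_USER:
@@ -1216,7 +1216,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
  *sid = SECSID_NULL;
 
  /* Copy the string so that we can modify the copy as we parse it. */
- scontext2 = kmalloc(scontext_len+1, gfp_flags);
+ scontext2 = kmalloc(scontext_len + 1, gfp_flags);
  if (!scontext2)
  return -ENOMEM;
  memcpy(scontext2, scontext, scontext_len);
@@ -1760,22 +1760,28 @@ int security_load_policy(void *data, size_t len)
 
  if (!ss_initialized) {
  avtab_cache_init();
- if (policydb_read(&policydb, fp)) {
+ rc = policydb_read(&policydb, fp);
+ if (rc) {
  avtab_cache_destroy();
- return -EINVAL;
+ return rc;
  }
- if (selinux_set_mapping(&policydb, secclass_map,
- &current_mapping,
- &current_mapping_size)) {
+
+ rc = selinux_set_mapping(&policydb, secclass_map,
+ &current_mapping,
+ &current_mapping_size);
+ if (rc) {
  policydb_destroy(&policydb);
  avtab_cache_destroy();
- return -EINVAL;
+ return rc;
  }
- if (policydb_load_isids(&policydb, &sidtab)) {
+
+ rc = policydb_load_isids(&policydb, &sidtab);
+ if (rc) {
  policydb_destroy(&policydb);
  avtab_cache_destroy();
- return -EINVAL;
+ return rc;
  }
+
  security_load_policycaps();
  ss_initialized = 1;
  seqno = ++latest_granting;
@@ -1791,8 +1797,9 @@ int security_load_policy(void *data, size_t len)
  sidtab_hash_eval(&sidtab, "sids");
 #endif
 
- if (policydb_read(&newpolicydb, fp))
- return -EINVAL;
+ rc = policydb_read(&newpolicydb, fp);
+ if (rc)
+ return rc;
 
  /* If switching between different policy types, log MLS status */
  if (policydb.mls_enabled && !newpolicydb.mls_enabled)
@@ -1807,8 +1814,8 @@ int security_load_policy(void *data, size_t len)
  return rc;
  }
 
- if (selinux_set_mapping(&newpolicydb, secclass_map,
- &map, &map_size))
+ rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
+ if (rc)
  goto err;
 
  rc = security_preserve_bools(&newpolicydb);
@@ -1819,10 +1826,10 @@ int security_load_policy(void *data, size_t len)
 
  /* Clone the SID table. */
  sidtab_shutdown(&sidtab);
- if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
- rc = -ENOMEM;
+
+ rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
+ if (rc)
  goto err;
- }
 
  /*
  * Convert the internal representations of contexts
@@ -2101,9 +2108,9 @@ int security_get_user_sids(u32 fromsid,
 
  ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
  role = policydb.role_val_to_struct[i];
- usercon.role = i+1;
+ usercon.role = i + 1;
  ebitmap_for_each_positive_bit(&role->types, tnode, j) {
- usercon.type = j+1;
+ usercon.type = j + 1;
 
  if (mls_setup_user_range(fromcon, user, &usercon))
  continue;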
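Review bot: In the security_context_to_sid_core hunk, `scontext_len + 1` is evaluated in u32, so a length of 0xffffffff wraps to 0; a zero-size kmalloc does not return NULL, so the `!scontext2` check passes and the following `memcpy(scontext2, scontext, scontext_len)` would write far beyond the allocation. The function starts and ends outside the hunk, so an earlier bound or a caller-side limit may already exclude this, but nothing visible here does. If none exists, a guard before the allocation such as `if (scontext_len + 1 < scontext_len) return -EINVAL;` would make the copy safe regardless of the caller.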