Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/hooks.c | 22 | ||||
| -rw-r--r-- | security/selinux/include/security.h | 2 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 27 |
3 files changed, 14 insertions, 37 deletions
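--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -555,15 +555,13 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	struct task_security_struct *tsec = current->security;
 	struct superblock_security_struct *sbsec = sb->s_security;
 	const char *name = sb->s_type->name;
-	struct dentry *root = sb->s_root;
-	struct inode *root_inode = root->d_inode;
-	struct inode_security_struct *root_isec = root_inode->i_security;
+	struct inode *inode = sbsec->sb->s_root->d_inode;
+	struct inode_security_struct *root_isec = inode->i_security;
 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 	u32 defcontext_sid = 0;
 	char **mount_options = opts->mnt_opts;
 	int *flags = opts->mnt_opts_flags;
 	int num_opts = opts->num_mnt_opts;
-	bool can_xattr = false;
 
 	mutex_lock(&sbsec->lock);
 
@@ -667,24 +665,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 		goto out;
 	}
 
-	if (strcmp(name, "proc") == 0)
+	if (strcmp(sb->s_type->name, "proc") == 0)
 		sbsec->proc = 1;
 
-	/*
-	 * test if the fs supports xattrs, fs_use might make use of this if the
-	 * fs has no definition in policy.
-	 */
-	if (root_inode->i_op->getxattr) {
-		rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
-		if (rc >= 0 || rc == -ENODATA)
-			can_xattr = true;
-	}
-
 	/* Determine the labeling behavior to use for this filesystem type. */
-	rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
+	rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
 	if (rc) {
 		printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
-		       __func__, name, rc);
+		       __func__, sb->s_type->name, rc);
 		goto out;
 	}
 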
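Review bot: The restored lines in the second hunk re-read `sb->s_type->name` three times even though the function still caches it as `name` on line 557, which is kept by the first hunk; if nothing outside the hunks uses `name`, the revert leaves it dead. The three lines would read `if (strcmp(name, "proc") == 0)`, `rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid);` and `__func__, name, rc);`. In the first hunk the new `inode` initializer walks `sbsec->sb->s_root->d_inode` while `sb` is already in hand; presumably `sbsec->sb` and `sb` are the same superblock here, so `sb->s_root->d_inode` would make that explicit. selinux_set_mnt_opts begins before the first hunk and continues after the second.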
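--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -136,7 +136,7 @@ int security_get_allow_unknown(void);
 #define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */
 
 int security_fs_use(const char *fstype, unsigned int *behavior,
-		    u32 *sid, bool can_xattr);
+		    u32 *sid);
 
 int security_genfs_sid(const char *fstype, char *name, u16 sclass,
 		       u32 *sid);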
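--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1934,8 +1934,7 @@ out:
 int security_fs_use(
 	const char *fstype,
 	unsigned int *behavior,
-	u32 *sid,
-	bool can_xattr)
+	u32 *sid)
 {
 	int rc = 0;
 	struct ocontext *c;
@@ -1949,7 +1948,6 @@ int security_fs_use(
 		c = c->next;
 	}
 
-	/* look for labeling behavior defined in policy */
 	if (c) {
 		*behavior = c->v.behavior;
 		if (!c->sid[0]) {
@@ -1960,23 +1958,14 @@ int security_fs_use(
 			goto out;
 		}
 		*sid = c->sid[0];
-		goto out;
-	}
-
-	/* labeling behavior not in policy, use xattrs if possible */
-	if (can_xattr) {
-		*behavior = SECURITY_FS_USE_XATTR;
-		*sid = SECINITSID_FS;
-		goto out;
-	}
-
-	/* no behavior in policy and can't use xattrs, try GENFS */
-	rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
-	if (rc) {
-		*behavior = SECURITY_FS_USE_NONE;
-		rc = 0;
 	} else {
-		*behavior = SECURITY_FS_USE_GENFS;
+		rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
+		if (rc) {
+			*behavior = SECURITY_FS_USE_NONE;
+			rc = 0;
+		} else {
+			*behavior = SECURITY_FS_USE_GENFS;
+		}
 	}
 
 out: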
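Review bot: The restored else-branch in the third hunk maps every non-zero return from security_genfs_sid onto SECURITY_FS_USE_NONE and clears rc, so the mount proceeds with an unlabeled filesystem whether the genfs lookup found no entry or failed for some other reason — if security_genfs_sid can return anything other than a not-found code, that distinction is lost here. With the second hunk also dropping the "look for labeling behavior defined in policy" comment, the policy-versus-fallback order is now undocumented; a comment on the else such as `/* no fs_use entry in policy: use the genfs "/" label, else leave the fs unlabeled */` would preserve it, and a note that rc is deliberately cleared would make the best-effort intent explicit to the next reader. security_fs_use opens in the first hunk and its body ends after the third.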
