diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/avc.c | 9 | ||||
-rw-r--r-- | security/selinux/hooks.c | 15 | ||||
-rw-r--r-- | security/selinux/include/avc.h | 18 |
3 files changed, 15 insertions, 27 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index dad36a6ab45f..fc3e6628a864 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -746,7 +746,6 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
746 | * @tclass: target security class | 746 | * @tclass: target security class |
747 | * @requested: requested permissions, interpreted based on @tclass | 747 | * @requested: requested permissions, interpreted based on @tclass |
748 | * @auditdata: auxiliary audit data | 748 | * @auditdata: auxiliary audit data |
749 | * @flags: VFS walk flags | ||
750 | * | 749 | * |
751 | * Check the AVC to determine whether the @requested permissions are granted | 750 | * Check the AVC to determine whether the @requested permissions are granted |
752 | * for the SID pair (@ssid, @tsid), interpreting the permissions | 751 | * for the SID pair (@ssid, @tsid), interpreting the permissions |
@@ -756,17 +755,15 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
756 | * permissions are granted, -%EACCES if any permissions are denied, or | 755 | * permissions are granted, -%EACCES if any permissions are denied, or |
757 | * another -errno upon other errors. | 756 | * another -errno upon other errors. |
758 | */ | 757 | */ |
759 | int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, | 758 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, |
760 | u32 requested, struct common_audit_data *auditdata, | 759 | u32 requested, struct common_audit_data *auditdata) |
761 | unsigned flags) | ||
762 | { | 760 | { |
763 | struct av_decision avd; | 761 | struct av_decision avd; |
764 | int rc, rc2; | 762 | int rc, rc2; |
765 | 763 | ||
766 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); | 764 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); |
767 | 765 | ||
768 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, | 766 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata); |
769 | flags); | ||
770 | if (rc2) | 767 | if (rc2) |
771 | return rc2; | 768 | return rc2; |
772 | return rc; | 769 | return rc; |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3f224d7795f5..c540795fb3f2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1502,7 +1502,7 @@ static int cred_has_capability(const struct cred *cred, | |||
1502 | 1502 | ||
1503 | rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); | 1503 | rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); |
1504 | if (audit == SECURITY_CAP_AUDIT) { | 1504 | if (audit == SECURITY_CAP_AUDIT) { |
1505 | int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); | 1505 | int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); |
1506 | if (rc2) | 1506 | if (rc2) |
1507 | return rc2; | 1507 | return rc2; |
1508 | } | 1508 | } |
@@ -1525,8 +1525,7 @@ static int task_has_system(struct task_struct *tsk, | |||
1525 | static int inode_has_perm(const struct cred *cred, | 1525 | static int inode_has_perm(const struct cred *cred, |
1526 | struct inode *inode, | 1526 | struct inode *inode, |
1527 | u32 perms, | 1527 | u32 perms, |
1528 | struct common_audit_data *adp, | 1528 | struct common_audit_data *adp) |
1529 | unsigned flags) | ||
1530 | { | 1529 | { |
1531 | struct inode_security_struct *isec; | 1530 | struct inode_security_struct *isec; |
1532 | u32 sid; | 1531 | u32 sid; |
@@ -1539,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred, | |||
1539 | sid = cred_sid(cred); | 1538 | sid = cred_sid(cred); |
1540 | isec = inode->i_security; | 1539 | isec = inode->i_security; |
1541 | 1540 | ||
1542 | return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); | 1541 | return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); |
1543 | } | 1542 | } |
1544 | 1543 | ||
1545 | /* Same as inode_has_perm, but pass explicit audit data containing | 1544 | /* Same as inode_has_perm, but pass explicit audit data containing |
@@ -1554,7 +1553,7 @@ static inline int dentry_has_perm(const struct cred *cred, | |||
1554 | 1553 | ||
1555 | ad.type = LSM_AUDIT_DATA_DENTRY; | 1554 | ad.type = LSM_AUDIT_DATA_DENTRY; |
1556 | ad.u.dentry = dentry; | 1555 | ad.u.dentry = dentry; |
1557 | return inode_has_perm(cred, inode, av, &ad, 0); | 1556 | return inode_has_perm(cred, inode, av, &ad); |
1558 | } | 1557 | } |
1559 | 1558 | ||
1560 | /* Same as inode_has_perm, but pass explicit audit data containing | 1559 | /* Same as inode_has_perm, but pass explicit audit data containing |
@@ -1569,7 +1568,7 @@ static inline int path_has_perm(const struct cred *cred, | |||
1569 | 1568 | ||
1570 | ad.type = LSM_AUDIT_DATA_PATH; | 1569 | ad.type = LSM_AUDIT_DATA_PATH; |
1571 | ad.u.path = *path; | 1570 | ad.u.path = *path; |
1572 | return inode_has_perm(cred, inode, av, &ad, 0); | 1571 | return inode_has_perm(cred, inode, av, &ad); |
1573 | } | 1572 | } |
1574 | 1573 | ||
1575 | /* Same as path_has_perm, but uses the inode from the file struct. */ | 1574 | /* Same as path_has_perm, but uses the inode from the file struct. */ |
@@ -1581,7 +1580,7 @@ static inline int file_path_has_perm(const struct cred *cred, | |||
1581 | 1580 | ||
1582 | ad.type = LSM_AUDIT_DATA_PATH; | 1581 | ad.type = LSM_AUDIT_DATA_PATH; |
1583 | ad.u.path = file->f_path; | 1582 | ad.u.path = file->f_path; |
1584 | return inode_has_perm(cred, file_inode(file), av, &ad, 0); | 1583 | return inode_has_perm(cred, file_inode(file), av, &ad); |
1585 | } | 1584 | } |
1586 | 1585 | ||
1587 | /* Check whether a task can use an open file descriptor to | 1586 | /* Check whether a task can use an open file descriptor to |
@@ -1617,7 +1616,7 @@ static int file_has_perm(const struct cred *cred, | |||
1617 | /* av is zero if only checking access to the descriptor. */ | 1616 | /* av is zero if only checking access to the descriptor. */ |
1618 | rc = 0; | 1617 | rc = 0; |
1619 | if (av) | 1618 | if (av) |
1620 | rc = inode_has_perm(cred, inode, av, &ad, 0); | 1619 | rc = inode_has_perm(cred, inode, av, &ad); |
1621 | 1620 | ||
1622 | out: | 1621 | out: |
1623 | return rc; | 1622 | return rc; |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 92d0ab561db8..f53ee3c58d0f 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
@@ -130,7 +130,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, | |||
130 | u16 tclass, u32 requested, | 130 | u16 tclass, u32 requested, |
131 | struct av_decision *avd, | 131 | struct av_decision *avd, |
132 | int result, | 132 | int result, |
133 | struct common_audit_data *a, unsigned flags) | 133 | struct common_audit_data *a) |
134 | { | 134 | { |
135 | u32 audited, denied; | 135 | u32 audited, denied; |
136 | audited = avc_audit_required(requested, avd, result, 0, &denied); | 136 | audited = avc_audit_required(requested, avd, result, 0, &denied); |
@@ -138,7 +138,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, | |||
138 | return 0; | 138 | return 0; |
139 | return slow_avc_audit(ssid, tsid, tclass, | 139 | return slow_avc_audit(ssid, tsid, tclass, |
140 | requested, audited, denied, | 140 | requested, audited, denied, |
141 | a, flags); | 141 | a, 0); |
142 | } | 142 | } |
143 | 143 | ||
144 | #define AVC_STRICT 1 /* Ignore permissive mode. */ | 144 | #define AVC_STRICT 1 /* Ignore permissive mode. */ |
@@ -147,17 +147,9 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
147 | unsigned flags, | 147 | unsigned flags, |
148 | struct av_decision *avd); | 148 | struct av_decision *avd); |
149 | 149 | ||
150 | int avc_has_perm_flags(u32 ssid, u32 tsid, | 150 | int avc_has_perm(u32 ssid, u32 tsid, |
151 | u16 tclass, u32 requested, | 151 | u16 tclass, u32 requested, |
152 | struct common_audit_data *auditdata, | 152 | struct common_audit_data *auditdata); |
153 | unsigned); | ||
154 | |||
155 | static inline int avc_has_perm(u32 ssid, u32 tsid, | ||
156 | u16 tclass, u32 requested, | ||
157 | struct common_audit_data *auditdata) | ||
158 | { | ||
159 | return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0); | ||
160 | } | ||
161 | 153 | ||
162 | u32 avc_policy_seqno(void); | 154 | u32 avc_policy_seqno(void); |
163 | 155 | ||