aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/avc.c9
-rw-r--r--security/selinux/hooks.c15
-rw-r--r--security/selinux/include/avc.h18
3 files changed, 15 insertions, 27 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index dad36a6ab45f..fc3e6628a864 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -746,7 +746,6 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
746 * @tclass: target security class 746 * @tclass: target security class
747 * @requested: requested permissions, interpreted based on @tclass 747 * @requested: requested permissions, interpreted based on @tclass
748 * @auditdata: auxiliary audit data 748 * @auditdata: auxiliary audit data
749 * @flags: VFS walk flags
750 * 749 *
751 * Check the AVC to determine whether the @requested permissions are granted 750 * Check the AVC to determine whether the @requested permissions are granted
752 * for the SID pair (@ssid, @tsid), interpreting the permissions 751 * for the SID pair (@ssid, @tsid), interpreting the permissions
@@ -756,17 +755,15 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
756 * permissions are granted, -%EACCES if any permissions are denied, or 755 * permissions are granted, -%EACCES if any permissions are denied, or
757 * another -errno upon other errors. 756 * another -errno upon other errors.
758 */ 757 */
759int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, 758int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
760 u32 requested, struct common_audit_data *auditdata, 759 u32 requested, struct common_audit_data *auditdata)
761 unsigned flags)
762{ 760{
763 struct av_decision avd; 761 struct av_decision avd;
764 int rc, rc2; 762 int rc, rc2;
765 763
766 rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); 764 rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
767 765
768 rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, 766 rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
769 flags);
770 if (rc2) 767 if (rc2)
771 return rc2; 768 return rc2;
772 return rc; 769 return rc;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3f224d7795f5..c540795fb3f2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1502,7 +1502,7 @@ static int cred_has_capability(const struct cred *cred,
1502 1502
1503 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1503 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1504 if (audit == SECURITY_CAP_AUDIT) { 1504 if (audit == SECURITY_CAP_AUDIT) {
1505 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1505 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1506 if (rc2) 1506 if (rc2)
1507 return rc2; 1507 return rc2;
1508 } 1508 }
@@ -1525,8 +1525,7 @@ static int task_has_system(struct task_struct *tsk,
1525static int inode_has_perm(const struct cred *cred, 1525static int inode_has_perm(const struct cred *cred,
1526 struct inode *inode, 1526 struct inode *inode,
1527 u32 perms, 1527 u32 perms,
1528 struct common_audit_data *adp, 1528 struct common_audit_data *adp)
1529 unsigned flags)
1530{ 1529{
1531 struct inode_security_struct *isec; 1530 struct inode_security_struct *isec;
1532 u32 sid; 1531 u32 sid;
@@ -1539,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred,
1539 sid = cred_sid(cred); 1538 sid = cred_sid(cred);
1540 isec = inode->i_security; 1539 isec = inode->i_security;
1541 1540
1542 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); 1541 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1543} 1542}
1544 1543
1545/* Same as inode_has_perm, but pass explicit audit data containing 1544/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1554,7 +1553,7 @@ static inline int dentry_has_perm(const struct cred *cred,
1554 1553
1555 ad.type = LSM_AUDIT_DATA_DENTRY; 1554 ad.type = LSM_AUDIT_DATA_DENTRY;
1556 ad.u.dentry = dentry; 1555 ad.u.dentry = dentry;
1557 return inode_has_perm(cred, inode, av, &ad, 0); 1556 return inode_has_perm(cred, inode, av, &ad);
1558} 1557}
1559 1558
1560/* Same as inode_has_perm, but pass explicit audit data containing 1559/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1569,7 +1568,7 @@ static inline int path_has_perm(const struct cred *cred,
1569 1568
1570 ad.type = LSM_AUDIT_DATA_PATH; 1569 ad.type = LSM_AUDIT_DATA_PATH;
1571 ad.u.path = *path; 1570 ad.u.path = *path;
1572 return inode_has_perm(cred, inode, av, &ad, 0); 1571 return inode_has_perm(cred, inode, av, &ad);
1573} 1572}
1574 1573
1575/* Same as path_has_perm, but uses the inode from the file struct. */ 1574/* Same as path_has_perm, but uses the inode from the file struct. */
@@ -1581,7 +1580,7 @@ static inline int file_path_has_perm(const struct cred *cred,
1581 1580
1582 ad.type = LSM_AUDIT_DATA_PATH; 1581 ad.type = LSM_AUDIT_DATA_PATH;
1583 ad.u.path = file->f_path; 1582 ad.u.path = file->f_path;
1584 return inode_has_perm(cred, file_inode(file), av, &ad, 0); 1583 return inode_has_perm(cred, file_inode(file), av, &ad);
1585} 1584}
1586 1585
1587/* Check whether a task can use an open file descriptor to 1586/* Check whether a task can use an open file descriptor to
@@ -1617,7 +1616,7 @@ static int file_has_perm(const struct cred *cred,
1617 /* av is zero if only checking access to the descriptor. */ 1616 /* av is zero if only checking access to the descriptor. */
1618 rc = 0; 1617 rc = 0;
1619 if (av) 1618 if (av)
1620 rc = inode_has_perm(cred, inode, av, &ad, 0); 1619 rc = inode_has_perm(cred, inode, av, &ad);
1621 1620
1622out: 1621out:
1623 return rc; 1622 return rc;
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 92d0ab561db8..f53ee3c58d0f 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -130,7 +130,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
130 u16 tclass, u32 requested, 130 u16 tclass, u32 requested,
131 struct av_decision *avd, 131 struct av_decision *avd,
132 int result, 132 int result,
133 struct common_audit_data *a, unsigned flags) 133 struct common_audit_data *a)
134{ 134{
135 u32 audited, denied; 135 u32 audited, denied;
136 audited = avc_audit_required(requested, avd, result, 0, &denied); 136 audited = avc_audit_required(requested, avd, result, 0, &denied);
@@ -138,7 +138,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
138 return 0; 138 return 0;
139 return slow_avc_audit(ssid, tsid, tclass, 139 return slow_avc_audit(ssid, tsid, tclass,
140 requested, audited, denied, 140 requested, audited, denied,
141 a, flags); 141 a, 0);
142} 142}
143 143
144#define AVC_STRICT 1 /* Ignore permissive mode. */ 144#define AVC_STRICT 1 /* Ignore permissive mode. */
@@ -147,17 +147,9 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
147 unsigned flags, 147 unsigned flags,
148 struct av_decision *avd); 148 struct av_decision *avd);
149 149
150int avc_has_perm_flags(u32 ssid, u32 tsid, 150int avc_has_perm(u32 ssid, u32 tsid,
151 u16 tclass, u32 requested, 151 u16 tclass, u32 requested,
152 struct common_audit_data *auditdata, 152 struct common_audit_data *auditdata);
153 unsigned);
154
155static inline int avc_has_perm(u32 ssid, u32 tsid,
156 u16 tclass, u32 requested,
157 struct common_audit_data *auditdata)
158{
159 return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
160}
161 153
162u32 avc_policy_seqno(void); 154u32 avc_policy_seqno(void);
163 155