diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/hooks.c | 18 | ||||
-rw-r--r-- | security/selinux/include/audit.h | 4 | ||||
-rw-r--r-- | security/selinux/include/avc.h | 15 | ||||
-rw-r--r-- | security/selinux/netnode.c | 1 | ||||
-rw-r--r-- | security/selinux/netport.c | 3 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 10 | ||||
-rw-r--r-- | security/selinux/ss/avtab.c | 2 | ||||
-rw-r--r-- | security/selinux/ss/mls.c | 8 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 4 |
9 files changed, 35 insertions, 30 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 59c6e98f7bea..eca70f42e678 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -53,7 +53,7 @@ | |||
53 | #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ | 53 | #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ |
54 | #include <net/net_namespace.h> | 54 | #include <net/net_namespace.h> |
55 | #include <net/netlabel.h> | 55 | #include <net/netlabel.h> |
56 | #include <asm/uaccess.h> | 56 | #include <linux/uaccess.h> |
57 | #include <asm/ioctls.h> | 57 | #include <asm/ioctls.h> |
58 | #include <asm/atomic.h> | 58 | #include <asm/atomic.h> |
59 | #include <linux/bitops.h> | 59 | #include <linux/bitops.h> |
@@ -104,7 +104,9 @@ int selinux_enforcing; | |||
104 | 104 | ||
105 | static int __init enforcing_setup(char *str) | 105 | static int __init enforcing_setup(char *str) |
106 | { | 106 | { |
107 | selinux_enforcing = simple_strtol(str, NULL, 0); | 107 | unsigned long enforcing; |
108 | if (!strict_strtoul(str, 0, &enforcing)) | ||
109 | selinux_enforcing = enforcing ? 1 : 0; | ||
108 | return 1; | 110 | return 1; |
109 | } | 111 | } |
110 | __setup("enforcing=", enforcing_setup); | 112 | __setup("enforcing=", enforcing_setup); |
@@ -115,7 +117,9 @@ int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; | |||
115 | 117 | ||
116 | static int __init selinux_enabled_setup(char *str) | 118 | static int __init selinux_enabled_setup(char *str) |
117 | { | 119 | { |
118 | selinux_enabled = simple_strtol(str, NULL, 0); | 120 | unsigned long enabled; |
121 | if (!strict_strtoul(str, 0, &enabled)) | ||
122 | selinux_enabled = enabled ? 1 : 0; | ||
119 | return 1; | 123 | return 1; |
120 | } | 124 | } |
121 | __setup("selinux=", selinux_enabled_setup); | 125 | __setup("selinux=", selinux_enabled_setup); |
@@ -594,7 +598,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
594 | */ | 598 | */ |
595 | if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) | 599 | if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) |
596 | && (num_opts == 0)) | 600 | && (num_opts == 0)) |
597 | goto out; | 601 | goto out; |
598 | 602 | ||
599 | /* | 603 | /* |
600 | * parse the mount options, check if they are valid sids. | 604 | * parse the mount options, check if they are valid sids. |
@@ -2695,7 +2699,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | |||
2695 | } | 2699 | } |
2696 | 2700 | ||
2697 | static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, | 2701 | static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, |
2698 | const void *value, size_t size, | 2702 | const void *value, size_t size, |
2699 | int flags) | 2703 | int flags) |
2700 | { | 2704 | { |
2701 | struct inode *inode = dentry->d_inode; | 2705 | struct inode *inode = dentry->d_inode; |
@@ -5390,7 +5394,7 @@ static struct security_operations selinux_ops = { | |||
5390 | .inode_listsecurity = selinux_inode_listsecurity, | 5394 | .inode_listsecurity = selinux_inode_listsecurity, |
5391 | .inode_need_killpriv = selinux_inode_need_killpriv, | 5395 | .inode_need_killpriv = selinux_inode_need_killpriv, |
5392 | .inode_killpriv = selinux_inode_killpriv, | 5396 | .inode_killpriv = selinux_inode_killpriv, |
5393 | .inode_getsecid = selinux_inode_getsecid, | 5397 | .inode_getsecid = selinux_inode_getsecid, |
5394 | 5398 | ||
5395 | .file_permission = selinux_file_permission, | 5399 | .file_permission = selinux_file_permission, |
5396 | .file_alloc_security = selinux_file_alloc_security, | 5400 | .file_alloc_security = selinux_file_alloc_security, |
@@ -5431,7 +5435,7 @@ static struct security_operations selinux_ops = { | |||
5431 | .task_to_inode = selinux_task_to_inode, | 5435 | .task_to_inode = selinux_task_to_inode, |
5432 | 5436 | ||
5433 | .ipc_permission = selinux_ipc_permission, | 5437 | .ipc_permission = selinux_ipc_permission, |
5434 | .ipc_getsecid = selinux_ipc_getsecid, | 5438 | .ipc_getsecid = selinux_ipc_getsecid, |
5435 | 5439 | ||
5436 | .msg_msg_alloc_security = selinux_msg_msg_alloc_security, | 5440 | .msg_msg_alloc_security = selinux_msg_msg_alloc_security, |
5437 | .msg_msg_free_security = selinux_msg_msg_free_security, | 5441 | .msg_msg_free_security = selinux_msg_msg_free_security, |
diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 6c8b9ef15579..1bdf973433cc 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h | |||
@@ -1,7 +1,7 @@ | |||
1 | /* | 1 | /* |
2 | * SELinux support for the Audit LSM hooks | 2 | * SELinux support for the Audit LSM hooks |
3 | * | 3 | * |
4 | * Most of below header was moved from include/linux/selinux.h which | 4 | * Most of below header was moved from include/linux/selinux.h which |
5 | * is released under below copyrights: | 5 | * is released under below copyrights: |
6 | * | 6 | * |
7 | * Author: James Morris <jmorris@redhat.com> | 7 | * Author: James Morris <jmorris@redhat.com> |
@@ -52,7 +52,7 @@ void selinux_audit_rule_free(void *rule); | |||
52 | * -errno on failure. | 52 | * -errno on failure. |
53 | */ | 53 | */ |
54 | int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, | 54 | int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, |
55 | struct audit_context *actx); | 55 | struct audit_context *actx); |
56 | 56 | ||
57 | /** | 57 | /** |
58 | * selinux_audit_rule_known - check to see if rule contains selinux fields. | 58 | * selinux_audit_rule_known - check to see if rule contains selinux fields. |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 8e23d7a873a4..7b9769f5e775 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
@@ -75,13 +75,12 @@ struct avc_audit_data { | |||
75 | 75 | ||
76 | /* Initialize an AVC audit data structure. */ | 76 | /* Initialize an AVC audit data structure. */ |
77 | #define AVC_AUDIT_DATA_INIT(_d,_t) \ | 77 | #define AVC_AUDIT_DATA_INIT(_d,_t) \ |
78 | { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; } | 78 | { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; } |
79 | 79 | ||
80 | /* | 80 | /* |
81 | * AVC statistics | 81 | * AVC statistics |
82 | */ | 82 | */ |
83 | struct avc_cache_stats | 83 | struct avc_cache_stats { |
84 | { | ||
85 | unsigned int lookups; | 84 | unsigned int lookups; |
86 | unsigned int hits; | 85 | unsigned int hits; |
87 | unsigned int misses; | 86 | unsigned int misses; |
@@ -97,8 +96,8 @@ struct avc_cache_stats | |||
97 | void __init avc_init(void); | 96 | void __init avc_init(void); |
98 | 97 | ||
99 | void avc_audit(u32 ssid, u32 tsid, | 98 | void avc_audit(u32 ssid, u32 tsid, |
100 | u16 tclass, u32 requested, | 99 | u16 tclass, u32 requested, |
101 | struct av_decision *avd, int result, struct avc_audit_data *auditdata); | 100 | struct av_decision *avd, int result, struct avc_audit_data *auditdata); |
102 | 101 | ||
103 | #define AVC_STRICT 1 /* Ignore permissive mode. */ | 102 | #define AVC_STRICT 1 /* Ignore permissive mode. */ |
104 | int avc_has_perm_noaudit(u32 ssid, u32 tsid, | 103 | int avc_has_perm_noaudit(u32 ssid, u32 tsid, |
@@ -107,8 +106,8 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
107 | struct av_decision *avd); | 106 | struct av_decision *avd); |
108 | 107 | ||
109 | int avc_has_perm(u32 ssid, u32 tsid, | 108 | int avc_has_perm(u32 ssid, u32 tsid, |
110 | u16 tclass, u32 requested, | 109 | u16 tclass, u32 requested, |
111 | struct avc_audit_data *auditdata); | 110 | struct avc_audit_data *auditdata); |
112 | 111 | ||
113 | u32 avc_policy_seqno(void); | 112 | u32 avc_policy_seqno(void); |
114 | 113 | ||
@@ -122,7 +121,7 @@ u32 avc_policy_seqno(void); | |||
122 | #define AVC_CALLBACK_AUDITDENY_DISABLE 128 | 121 | #define AVC_CALLBACK_AUDITDENY_DISABLE 128 |
123 | 122 | ||
124 | int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, | 123 | int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, |
125 | u16 tclass, u32 perms, | 124 | u16 tclass, u32 perms, |
126 | u32 *out_retained), | 125 | u32 *out_retained), |
127 | u32 events, u32 ssid, u32 tsid, | 126 | u32 events, u32 ssid, u32 tsid, |
128 | u16 tclass, u32 perms); | 127 | u16 tclass, u32 perms); |
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index b6ccd09379f1..7100072bb1b0 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c | |||
@@ -38,7 +38,6 @@ | |||
38 | #include <linux/ipv6.h> | 38 | #include <linux/ipv6.h> |
39 | #include <net/ip.h> | 39 | #include <net/ip.h> |
40 | #include <net/ipv6.h> | 40 | #include <net/ipv6.h> |
41 | #include <asm/bug.h> | ||
42 | 41 | ||
43 | #include "netnode.h" | 42 | #include "netnode.h" |
44 | #include "objsec.h" | 43 | #include "objsec.h" |
diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 90b4cff7c350..fe7fba67f19f 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c | |||
@@ -37,7 +37,6 @@ | |||
37 | #include <linux/ipv6.h> | 37 | #include <linux/ipv6.h> |
38 | #include <net/ip.h> | 38 | #include <net/ip.h> |
39 | #include <net/ipv6.h> | 39 | #include <net/ipv6.h> |
40 | #include <asm/bug.h> | ||
41 | 40 | ||
42 | #include "netport.h" | 41 | #include "netport.h" |
43 | #include "objsec.h" | 42 | #include "objsec.h" |
@@ -272,7 +271,7 @@ static __init int sel_netport_init(void) | |||
272 | } | 271 | } |
273 | 272 | ||
274 | ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET, | 273 | ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET, |
275 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); | 274 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); |
276 | if (ret != 0) | 275 | if (ret != 0) |
277 | panic("avc_add_callback() failed, error %d\n", ret); | 276 | panic("avc_add_callback() failed, error %d\n", ret); |
278 | 277 | ||
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index ac1ccc13a704..07a5db69571c 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -27,7 +27,7 @@ | |||
27 | #include <linux/seq_file.h> | 27 | #include <linux/seq_file.h> |
28 | #include <linux/percpu.h> | 28 | #include <linux/percpu.h> |
29 | #include <linux/audit.h> | 29 | #include <linux/audit.h> |
30 | #include <asm/uaccess.h> | 30 | #include <linux/uaccess.h> |
31 | 31 | ||
32 | /* selinuxfs pseudo filesystem for exporting the security policy API. | 32 | /* selinuxfs pseudo filesystem for exporting the security policy API. |
33 | Based on the proc code and the fs/nfsd/nfsctl.c code. */ | 33 | Based on the proc code and the fs/nfsd/nfsctl.c code. */ |
@@ -57,14 +57,18 @@ int selinux_compat_net = SELINUX_COMPAT_NET_VALUE; | |||
57 | 57 | ||
58 | static int __init checkreqprot_setup(char *str) | 58 | static int __init checkreqprot_setup(char *str) |
59 | { | 59 | { |
60 | selinux_checkreqprot = simple_strtoul(str, NULL, 0) ? 1 : 0; | 60 | unsigned long checkreqprot; |
61 | if (!strict_strtoul(str, 0, &checkreqprot)) | ||
62 | selinux_checkreqprot = checkreqprot ? 1 : 0; | ||
61 | return 1; | 63 | return 1; |
62 | } | 64 | } |
63 | __setup("checkreqprot=", checkreqprot_setup); | 65 | __setup("checkreqprot=", checkreqprot_setup); |
64 | 66 | ||
65 | static int __init selinux_compat_net_setup(char *str) | 67 | static int __init selinux_compat_net_setup(char *str) |
66 | { | 68 | { |
67 | selinux_compat_net = simple_strtoul(str, NULL, 0) ? 1 : 0; | 69 | unsigned long compat_net; |
70 | if (!strict_strtoul(str, 0, &compat_net)) | ||
71 | selinux_compat_net = compat_net ? 1 : 0; | ||
68 | return 1; | 72 | return 1; |
69 | } | 73 | } |
70 | __setup("selinux_compat_net=", selinux_compat_net_setup); | 74 | __setup("selinux_compat_net=", selinux_compat_net_setup); |
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index 9e6626362bfd..a1be97f8beea 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c | |||
@@ -311,7 +311,7 @@ void avtab_hash_eval(struct avtab *h, char *tag) | |||
311 | } | 311 | } |
312 | 312 | ||
313 | printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " | 313 | printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " |
314 | "longest chain length %d sum of chain length^2 %Lu\n", | 314 | "longest chain length %d sum of chain length^2 %llu\n", |
315 | tag, h->nel, slots_used, h->nslot, max_chain_len, | 315 | tag, h->nel, slots_used, h->nslot, max_chain_len, |
316 | chain2_len_sum); | 316 | chain2_len_sum); |
317 | } | 317 | } |
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index a6ca0587e634..77d745da48bb 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
@@ -437,13 +437,13 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user, | |||
437 | struct mls_level *usercon_clr = &(usercon->range.level[1]); | 437 | struct mls_level *usercon_clr = &(usercon->range.level[1]); |
438 | 438 | ||
439 | /* Honor the user's default level if we can */ | 439 | /* Honor the user's default level if we can */ |
440 | if (mls_level_between(user_def, fromcon_sen, fromcon_clr)) { | 440 | if (mls_level_between(user_def, fromcon_sen, fromcon_clr)) |
441 | *usercon_sen = *user_def; | 441 | *usercon_sen = *user_def; |
442 | } else if (mls_level_between(fromcon_sen, user_def, user_clr)) { | 442 | else if (mls_level_between(fromcon_sen, user_def, user_clr)) |
443 | *usercon_sen = *fromcon_sen; | 443 | *usercon_sen = *fromcon_sen; |
444 | } else if (mls_level_between(fromcon_clr, user_low, user_def)) { | 444 | else if (mls_level_between(fromcon_clr, user_low, user_def)) |
445 | *usercon_sen = *user_low; | 445 | *usercon_sen = *user_low; |
446 | } else | 446 | else |
447 | return -EINVAL; | 447 | return -EINVAL; |
448 | 448 | ||
449 | /* Lower the clearance of available contexts | 449 | /* Lower the clearance of available contexts |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 2d5e5a3a8aa9..0696aadcab6f 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -2531,7 +2531,7 @@ int selinux_audit_rule_known(struct audit_krule *rule) | |||
2531 | } | 2531 | } |
2532 | 2532 | ||
2533 | int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | 2533 | int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, |
2534 | struct audit_context *actx) | 2534 | struct audit_context *actx) |
2535 | { | 2535 | { |
2536 | struct context *ctxt; | 2536 | struct context *ctxt; |
2537 | struct mls_level *level; | 2537 | struct mls_level *level; |
@@ -2645,7 +2645,7 @@ out: | |||
2645 | static int (*aurule_callback)(void) = audit_update_lsm_rules; | 2645 | static int (*aurule_callback)(void) = audit_update_lsm_rules; |
2646 | 2646 | ||
2647 | static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, | 2647 | static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, |
2648 | u16 class, u32 perms, u32 *retained) | 2648 | u16 class, u32 perms, u32 *retained) |
2649 | { | 2649 | { |
2650 | int err = 0; | 2650 | int err = 0; |
2651 | 2651 | ||