Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c18
-rw-r--r--security/selinux/include/audit.h4
-rw-r--r--security/selinux/include/avc.h15
-rw-r--r--security/selinux/netnode.c1
-rw-r--r--security/selinux/netport.c3
-rw-r--r--security/selinux/selinuxfs.c10
-rw-r--r--security/selinux/ss/avtab.c2
-rw-r--r--security/selinux/ss/mls.c8
-rw-r--r--security/selinux/ss/services.c4
9 files changed, 35 insertions, 30 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 59c6e98f7bea..eca70f42e678 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -53,7 +53,7 @@
53#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 53#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
54#include <net/net_namespace.h> 54#include <net/net_namespace.h>
55#include <net/netlabel.h> 55#include <net/netlabel.h>
56#include <asm/uaccess.h> 56#include <linux/uaccess.h>
57#include <asm/ioctls.h> 57#include <asm/ioctls.h>
58#include <asm/atomic.h> 58#include <asm/atomic.h>
59#include <linux/bitops.h> 59#include <linux/bitops.h>
@@ -104,7 +104,9 @@ int selinux_enforcing;
104 104
105static int __init enforcing_setup(char *str) 105static int __init enforcing_setup(char *str)
106{ 106{
107 selinux_enforcing = simple_strtol(str, NULL, 0); 107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
108 return 1; 110 return 1;
109} 111}
110__setup("enforcing=", enforcing_setup); 112__setup("enforcing=", enforcing_setup);
@@ -115,7 +117,9 @@ int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115 117
116static int __init selinux_enabled_setup(char *str) 118static int __init selinux_enabled_setup(char *str)
117{ 119{
118 selinux_enabled = simple_strtol(str, NULL, 0); 120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
119 return 1; 123 return 1;
120} 124}
121__setup("selinux=", selinux_enabled_setup); 125__setup("selinux=", selinux_enabled_setup);
@@ -594,7 +598,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
594 */ 598 */
595 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 599 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596 && (num_opts == 0)) 600 && (num_opts == 0))
597 goto out; 601 goto out;
598 602
599 /* 603 /*
600 * parse the mount options, check if they are valid sids. 604 * parse the mount options, check if they are valid sids.
@@ -2695,7 +2699,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2695} 2699}
2696 2700
2697static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 2701static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2698 const void *value, size_t size, 2702 const void *value, size_t size,
2699 int flags) 2703 int flags)
2700{ 2704{
2701 struct inode *inode = dentry->d_inode; 2705 struct inode *inode = dentry->d_inode;
@@ -5390,7 +5394,7 @@ static struct security_operations selinux_ops = {
5390 .inode_listsecurity = selinux_inode_listsecurity, 5394 .inode_listsecurity = selinux_inode_listsecurity,
5391 .inode_need_killpriv = selinux_inode_need_killpriv, 5395 .inode_need_killpriv = selinux_inode_need_killpriv,
5392 .inode_killpriv = selinux_inode_killpriv, 5396 .inode_killpriv = selinux_inode_killpriv,
5393 .inode_getsecid = selinux_inode_getsecid, 5397 .inode_getsecid = selinux_inode_getsecid,
5394 5398
5395 .file_permission = selinux_file_permission, 5399 .file_permission = selinux_file_permission,
5396 .file_alloc_security = selinux_file_alloc_security, 5400 .file_alloc_security = selinux_file_alloc_security,
@@ -5431,7 +5435,7 @@ static struct security_operations selinux_ops = {
5431 .task_to_inode = selinux_task_to_inode, 5435 .task_to_inode = selinux_task_to_inode,
5432 5436
5433 .ipc_permission = selinux_ipc_permission, 5437 .ipc_permission = selinux_ipc_permission,
5434 .ipc_getsecid = selinux_ipc_getsecid, 5438 .ipc_getsecid = selinux_ipc_getsecid,
5435 5439
5436 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5440 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5437 .msg_msg_free_security = selinux_msg_msg_free_security, 5441 .msg_msg_free_security = selinux_msg_msg_free_security,
diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h
index 6c8b9ef15579..1bdf973433cc 100644
--- a/security/selinux/include/audit.h
+++ b/security/selinux/include/audit.h
@@ -1,7 +1,7 @@
1/* 1/*
2 * SELinux support for the Audit LSM hooks 2 * SELinux support for the Audit LSM hooks
3 * 3 *
4 * Most of below header was moved from include/linux/selinux.h which 4 * Most of below header was moved from include/linux/selinux.h which
5 * is released under below copyrights: 5 * is released under below copyrights:
6 * 6 *
7 * Author: James Morris <jmorris@redhat.com> 7 * Author: James Morris <jmorris@redhat.com>
@@ -52,7 +52,7 @@ void selinux_audit_rule_free(void *rule);
52 * -errno on failure. 52 * -errno on failure.
53 */ 53 */
54int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, 54int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule,
55 struct audit_context *actx); 55 struct audit_context *actx);
56 56
57/** 57/**
58 * selinux_audit_rule_known - check to see if rule contains selinux fields. 58 * selinux_audit_rule_known - check to see if rule contains selinux fields.
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 8e23d7a873a4..7b9769f5e775 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -75,13 +75,12 @@ struct avc_audit_data {
75 75
76/* Initialize an AVC audit data structure. */ 76/* Initialize an AVC audit data structure. */
77#define AVC_AUDIT_DATA_INIT(_d,_t) \ 77#define AVC_AUDIT_DATA_INIT(_d,_t) \
78 { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; } 78 { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
79 79
80/* 80/*
81 * AVC statistics 81 * AVC statistics
82 */ 82 */
83struct avc_cache_stats 83struct avc_cache_stats {
84{
85 unsigned int lookups; 84 unsigned int lookups;
86 unsigned int hits; 85 unsigned int hits;
87 unsigned int misses; 86 unsigned int misses;
@@ -97,8 +96,8 @@ struct avc_cache_stats
97void __init avc_init(void); 96void __init avc_init(void);
98 97
99void avc_audit(u32 ssid, u32 tsid, 98void avc_audit(u32 ssid, u32 tsid,
100 u16 tclass, u32 requested, 99 u16 tclass, u32 requested,
101 struct av_decision *avd, int result, struct avc_audit_data *auditdata); 100 struct av_decision *avd, int result, struct avc_audit_data *auditdata);
102 101
103#define AVC_STRICT 1 /* Ignore permissive mode. */ 102#define AVC_STRICT 1 /* Ignore permissive mode. */
104int avc_has_perm_noaudit(u32 ssid, u32 tsid, 103int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -107,8 +106,8 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
107 struct av_decision *avd); 106 struct av_decision *avd);
108 107
109int avc_has_perm(u32 ssid, u32 tsid, 108int avc_has_perm(u32 ssid, u32 tsid,
110 u16 tclass, u32 requested, 109 u16 tclass, u32 requested,
111 struct avc_audit_data *auditdata); 110 struct avc_audit_data *auditdata);
112 111
113u32 avc_policy_seqno(void); 112u32 avc_policy_seqno(void);
114 113
@@ -122,7 +121,7 @@ u32 avc_policy_seqno(void);
122#define AVC_CALLBACK_AUDITDENY_DISABLE 128 121#define AVC_CALLBACK_AUDITDENY_DISABLE 128
123 122
124int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, 123int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
125 u16 tclass, u32 perms, 124 u16 tclass, u32 perms,
126 u32 *out_retained), 125 u32 *out_retained),
127 u32 events, u32 ssid, u32 tsid, 126 u32 events, u32 ssid, u32 tsid,
128 u16 tclass, u32 perms); 127 u16 tclass, u32 perms);
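--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -38,7 +38,6 @@
 #include <linux/ipv6.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
-#include <asm/bug.h>
 
 #include "netnode.h"
 #include "objsec.h"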
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 90b4cff7c350..fe7fba67f19f 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -37,7 +37,6 @@
37#include <linux/ipv6.h> 37#include <linux/ipv6.h>
38#include <net/ip.h> 38#include <net/ip.h>
39#include <net/ipv6.h> 39#include <net/ipv6.h>
40#include <asm/bug.h>
41 40
42#include "netport.h" 41#include "netport.h"
43#include "objsec.h" 42#include "objsec.h"
@@ -272,7 +271,7 @@ static __init int sel_netport_init(void)
272 } 271 }
273 272
274 ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET, 273 ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET,
275 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 274 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
276 if (ret != 0) 275 if (ret != 0)
277 panic("avc_add_callback() failed, error %d\n", ret); 276 panic("avc_add_callback() failed, error %d\n", ret);
278 277
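--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -27,7 +27,7 @@
 #include <linux/seq_file.h>
 #include <linux/percpu.h>
 #include <linux/audit.h>
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 
 /* selinuxfs pseudo filesystem for exporting the security policy API.
    Based on the proc code and the fs/nfsd/nfsctl.c code. */
@@ -57,14 +57,18 @@ int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
 
 static int __init checkreqprot_setup(char *str)
 {
-	selinux_checkreqprot = simple_strtoul(str, NULL, 0) ? 1 : 0;
+	unsigned long checkreqprot;
+	if (!strict_strtoul(str, 0, &checkreqprot))
+		selinux_checkreqprot = checkreqprot ? 1 : 0;
 	return 1;
 }
 __setup("checkreqprot=", checkreqprot_setup);
 
 static int __init selinux_compat_net_setup(char *str)
 {
-	selinux_compat_net = simple_strtoul(str, NULL, 0) ? 1 : 0;
+	unsigned long compat_net;
+	if (!strict_strtoul(str, 0, &compat_net))
+		selinux_compat_net = compat_net ? 1 : 0;
 	return 1;
 }
 __setup("selinux_compat_net=", selinux_compat_net_setup);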
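--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -311,7 +311,7 @@ void avtab_hash_eval(struct avtab *h, char *tag)
 	}
 
 	printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
-	       "longest chain length %d sum of chain length^2 %Lu\n",
+	       "longest chain length %d sum of chain length^2 %llu\n",
 	       tag, h->nel, slots_used, h->nslot, max_chain_len,
 	       chain2_len_sum);
 }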
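Review bot: `%llu` is only correct if `chain2_len_sum` is actually `unsigned long long`; its declaration is above the hunk (avtab_hash_eval starts outside it) so I cannot confirm, but if it is a `u64`, that type is `unsigned long` on some 64-bit architectures and gcc's format checking will warn. Casting at the call site, `(unsigned long long)chain2_len_sum`, keeps the specifier right on every architecture. The remaining arguments are printed with `%d`; worth confirming that `h->nel`, `slots_used`, `h->nslot` and `max_chain_len` are `int` rather than `u32`, since the same mismatch would apply there.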
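--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -437,13 +437,13 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
 	struct mls_level *usercon_clr = &(usercon->range.level[1]);
 
 	/* Honor the user's default level if we can */
-	if (mls_level_between(user_def, fromcon_sen, fromcon_clr)) {
+	if (mls_level_between(user_def, fromcon_sen, fromcon_clr))
 		*usercon_sen = *user_def;
-	} else if (mls_level_between(fromcon_sen, user_def, user_clr)) {
+	else if (mls_level_between(fromcon_sen, user_def, user_clr))
 		*usercon_sen = *fromcon_sen;
-	} else if (mls_level_between(fromcon_clr, user_low, user_def)) {
+	else if (mls_level_between(fromcon_clr, user_low, user_def))
 		*usercon_sen = *user_low;
-	} else
+	else
 		return -EINVAL;
 
 	/* Lower the clearance of available contexts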
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 2d5e5a3a8aa9..0696aadcab6f 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2531,7 +2531,7 @@ int selinux_audit_rule_known(struct audit_krule *rule)
2531} 2531}
2532 2532
2533int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 2533int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2534 struct audit_context *actx) 2534 struct audit_context *actx)
2535{ 2535{
2536 struct context *ctxt; 2536 struct context *ctxt;
2537 struct mls_level *level; 2537 struct mls_level *level;
@@ -2645,7 +2645,7 @@ out:
2645static int (*aurule_callback)(void) = audit_update_lsm_rules; 2645static int (*aurule_callback)(void) = audit_update_lsm_rules;
2646 2646
2647static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 2647static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
2648 u16 class, u32 perms, u32 *retained) 2648 u16 class, u32 perms, u32 *retained)
2649{ 2649{
2650 int err = 0; 2650 int err = 0;
2651 2651