Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/avc.c | 4 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 32 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 4 |
3 files changed, 29 insertions, 11 deletions
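diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index cf6020f85403..12e4fb72bf0f 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -242,7 +242,7 @@ void __init avc_init(void)
 	avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
 				0, SLAB_PANIC, NULL, NULL);
 
-	audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
+	audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n");
 }
 
 int avc_get_hash_stats(char *page)
@@ -550,7 +550,7 @@ void avc_audit(u32 ssid, u32 tsid,
 		return;
 	}
 
-	ab = audit_log_start(current->audit_context, AUDIT_AVC);
+	ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);
 	if (!ab)
 		return;	/* audit_panic has been called */
 	audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");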
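Review bot: The comment `/* audit_panic has been called */` on the NULL check after the audit_log_start call at 553 no longer describes every NULL return: with GFP_ATOMIC the buffer allocation can fail under memory pressure, and unless the audit failure mode is configured to panic (presumably audit_panic only panics in that mode; not visible here) the AVC denial record is silently dropped while the access decision itself is unaffected. Suggest `return;	/* no buffer: atomic alloc failed or audit_panic ran; record is lost */` so a reader knows a missing AVC record is a possible outcome rather than a crash. The GFP_KERNEL at 245 is appropriate since avc_init is an __init function that may sleep. avc_audit continues outside the hunk.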
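diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f40c8221ec1b..b13be15165f5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -630,6 +630,16 @@ static inline u16 inode_mode_to_security_class(umode_t mode)
 	return SECCLASS_FILE;
 }
 
+static inline int default_protocol_stream(int protocol)
+{
+	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
+}
+
+static inline int default_protocol_dgram(int protocol)
+{
+	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
+}
+
 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
 {
 	switch (family) {
@@ -646,10 +656,16 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
 	case PF_INET6:
 		switch (type) {
 		case SOCK_STREAM:
-			return SECCLASS_TCP_SOCKET;
+			if (default_protocol_stream(protocol))
+				return SECCLASS_TCP_SOCKET;
+			else
+				return SECCLASS_RAWIP_SOCKET;
 		case SOCK_DGRAM:
-			return SECCLASS_UDP_SOCKET;
-		case SOCK_RAW:
+			if (default_protocol_dgram(protocol))
+				return SECCLASS_UDP_SOCKET;
+			else
+				return SECCLASS_RAWIP_SOCKET;
+		default:
 			return SECCLASS_RAWIP_SOCKET;
 		}
 		break;
@@ -2970,6 +2986,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 
 	/*
 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
+	 * Multiple address binding for SCTP is not supported yet: we just
+	 * check the first address now.
 	 */
 	family = sock->sk->sk_family;
 	if (family == PF_INET || family == PF_INET6) {
@@ -3014,12 +3032,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 				goto out;
 			}
 
-			switch(sk->sk_protocol) {
-			case IPPROTO_TCP:
+			switch(isec->sclass) {
+			case SECCLASS_TCP_SOCKET:
 				node_perm = TCP_SOCKET__NODE_BIND;
 				break;
 
-			case IPPROTO_UDP:
+			case SECCLASS_UDP_SOCKET:
 				node_perm = UDP_SOCKET__NODE_BIND;
 				break;
 
@@ -3389,7 +3407,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
 	err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
 	if (err) {
 		if (err == -EINVAL) {
-			audit_log(current->audit_context, AUDIT_SELINUX_ERR,
+			audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
 				"SELinux: unrecognized netlink message"
 				" type=%hu for sclass=%hu\n",
 				nlh->nlmsg_type, isec->sclass);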
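Review bot: The two helpers added at 633-641 carry no comment explaining why IPPROTO_IP (protocol 0) is grouped with TCP and UDP, and that reasoning is the whole security point of the change: a SOCK_STREAM or SOCK_DGRAM socket created with any other protocol (SCTP, per the new comment at 2989) is now classified as rawip_socket instead of tcp_socket/udp_socket, so existing tcp/udp policy no longer covers it. Suggest a comment above default_protocol_stream: `/* Protocol 0 (IPPROTO_IP) means the family default, i.e. TCP for SOCK_STREAM and UDP for SOCK_DGRAM; any other protocol on these types is classified as rawip_socket. Keep in sync with the node_bind switch in selinux_socket_bind. */`. Because the bind switch at 3035 now keys on isec->sclass, such rawip-classified sockets fall to that switch's default branch, which lies outside this hunk and should be checked to grant the intended rawip_socket node_bind permission. selinux_socket_bind starts and ends outside the hunk.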
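diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 92b89dc99bcd..aecdded55e74 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -381,7 +381,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
 		goto out;
 	if (context_struct_to_string(tcontext, &t, &tlen) < 0)
 		goto out;
-	audit_log(current->audit_context, AUDIT_SELINUX_ERR,
+	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
 		  "security_validate_transition: denied for"
 		  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
 		  o, n, t, policydb.p_class_val_to_name[tclass-1]);
@@ -787,7 +787,7 @@ static int compute_sid_handle_invalid_context(
 		goto out;
 	if (context_struct_to_string(newcontext, &n, &nlen) < 0)
 		goto out;
-	audit_log(current->audit_context, AUDIT_SELINUX_ERR,
+	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
 		  "security_compute_sid: invalid context %s"
 		  " for scontext=%s"
 		  " tcontext=%s"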
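Review bot: The GFP_ATOMIC chosen at 384 and 790 is not explained, and nothing in the hunk shows the no-sleep constraint; presumably both helpers run with the policy read lock held by their callers, but a later maintainer seeing GFP_ATOMIC next to GFP_KERNEL elsewhere in this commit could "normalize" it and introduce a sleep-under-lock bug. Suggest a one-line comment on each call, `/* GFP_ATOMIC: may be called with the policy lock held */`, so the choice is deliberate and auditable. Note also that with an atomic allocation the audit message can be dropped under memory pressure while the deny/invalid-context result is still returned, which is the safe direction. Both enclosing functions start and end outside the hunk.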
