Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/ss/services.c | 91 |
1 files changed, 0 insertions, 91 deletions
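--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1018,89 +1018,6 @@ int security_change_sid(u32 ssid,
 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
 }
 
-/*
- * Verify that each permission that is defined under the
- * existing policy is still defined with the same value
- * in the new policy.
- */
-static int validate_perm(void *key, void *datum, void *p)
-{
-struct hashtab *h;
-struct perm_datum *perdatum, *perdatum2;
-int rc = 0;
-
-
-h = p;
-perdatum = datum;
-
-perdatum2 = hashtab_search(h, key);
-if (!perdatum2) {
-printk(KERN_ERR "security: permission %s disappeared",
-(char *)key);
-rc = -ENOENT;
-goto out;
-}
-if (perdatum->value != perdatum2->value) {
-printk(KERN_ERR "security: the value of permission %s changed",
-(char *)key);
-rc = -EINVAL;
-}
-out:
-return rc;
-}
-
-/*
- * Verify that each class that is defined under the
- * existing policy is still defined with the same
- * attributes in the new policy.
- */
-static int validate_class(void *key, void *datum, void *p)
-{
-struct policydb *newp;
-struct class_datum *cladatum, *cladatum2;
-int rc;
-
-newp = p;
-cladatum = datum;
-
-cladatum2 = hashtab_search(newp->p_classes.table, key);
-if (!cladatum2) {
-printk(KERN_ERR "security: class %s disappeared\n",
-(char *)key);
-rc = -ENOENT;
-goto out;
-}
-if (cladatum->value != cladatum2->value) {
-printk(KERN_ERR "security: the value of class %s changed\n",
-(char *)key);
-rc = -EINVAL;
-goto out;
-}
-if ((cladatum->comdatum && !cladatum2->comdatum) ||
-(!cladatum->comdatum && cladatum2->comdatum)) {
-printk(KERN_ERR "security: the inherits clause for the access "
-"vector definition for class %s changed\n", (char *)key);
-rc = -EINVAL;
-goto out;
-}
-if (cladatum->comdatum) {
-rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm,
-cladatum2->comdatum->permissions.table);
-if (rc) {
-printk(" in the access vector definition for class "
-"%s\n", (char *)key);
-goto out;
-}
-}
-rc = hashtab_map(cladatum->permissions.table, validate_perm,
-cladatum2->permissions.table);
-if (rc)
-printk(" in access vector definition for class %s\n",
-(char *)key);
-out:
-return rc;
-}
-
 /* Clone the SID into the new SID table. */
 static int clone_sid(u32 sid,
 struct context *context,
@@ -1265,14 +1182,6 @@ int security_load_policy(void *data, size_t len)
 
 sidtab_init(&newsidtab);
 
-/* Verify that the existing classes did not change. */
-if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) {
-printk(KERN_ERR "security: the definition of an existing "
-"class changed\n");
-rc = -EINVAL;
-goto err;
-}
-
 /* Clone the SID table. */
 sidtab_shutdown(&sidtab);
 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {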