Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c19
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/ss/services.c12
3 files changed, 19 insertions, 15 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c2fef7b12dc7..d39b59cf8a08 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -180,7 +180,7 @@ static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security; 180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec; 181 struct inode_security_struct *isec;
182 182
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL); 183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
184 if (!isec) 184 if (!isec)
185 return -ENOMEM; 185 return -ENOMEM;
186 186
@@ -760,13 +760,13 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
760 * this early in the boot process. */ 760 * this early in the boot process. */
761 BUG_ON(!ss_initialized); 761 BUG_ON(!ss_initialized);
762 762
763 /* this might go away sometime down the line if there is a new user
764 * of clone, but for now, nfs better not get here... */
765 BUG_ON(newsbsec->initialized);
766
767 /* how can we clone if the old one wasn't set up?? */ 763 /* how can we clone if the old one wasn't set up?? */
768 BUG_ON(!oldsbsec->initialized); 764 BUG_ON(!oldsbsec->initialized);
769 765
766 /* if fs is reusing a sb, just let its options stand... */
767 if (newsbsec->initialized)
768 return;
769
770 mutex_lock(&newsbsec->lock); 770 mutex_lock(&newsbsec->lock);
771 771
772 newsbsec->flags = oldsbsec->flags; 772 newsbsec->flags = oldsbsec->flags;
@@ -1143,7 +1143,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1143 } 1143 }
1144 1144
1145 len = INITCONTEXTLEN; 1145 len = INITCONTEXTLEN;
1146 context = kmalloc(len, GFP_KERNEL); 1146 context = kmalloc(len, GFP_NOFS);
1147 if (!context) { 1147 if (!context) {
1148 rc = -ENOMEM; 1148 rc = -ENOMEM;
1149 dput(dentry); 1149 dput(dentry);
@@ -1161,7 +1161,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1161 } 1161 }
1162 kfree(context); 1162 kfree(context);
1163 len = rc; 1163 len = rc;
1164 context = kmalloc(len, GFP_KERNEL); 1164 context = kmalloc(len, GFP_NOFS);
1165 if (!context) { 1165 if (!context) {
1166 rc = -ENOMEM; 1166 rc = -ENOMEM;
1167 dput(dentry); 1167 dput(dentry);
@@ -1185,7 +1185,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1185 rc = 0; 1185 rc = 0;
1186 } else { 1186 } else {
1187 rc = security_context_to_sid_default(context, rc, &sid, 1187 rc = security_context_to_sid_default(context, rc, &sid,
1188 sbsec->def_sid); 1188 sbsec->def_sid,
1189 GFP_NOFS);
1189 if (rc) { 1190 if (rc) {
1190 printk(KERN_WARNING "%s: context_to_sid(%s) " 1191 printk(KERN_WARNING "%s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n", 1192 "returned %d for dev=%s ino=%ld\n",
@@ -2429,7 +2430,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2429 return -EOPNOTSUPP; 2430 return -EOPNOTSUPP;
2430 2431
2431 if (name) { 2432 if (name) {
2432 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); 2433 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2433 if (!namep) 2434 if (!namep)
2434 return -ENOMEM; 2435 return -ENOMEM;
2435 *name = namep; 2436 *name = namep;
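Review bot: In selinux_sb_clone_mnt_opts the new early return (`if (newsbsec->initialized) return;`) silently keeps whatever labeling the reused superblock already has instead of cloning oldsb's options, and because the function is void the caller cannot tell that nothing was applied. The flag is also read before mutex_lock(&newsbsec->lock) is taken a few lines later, so a superblock whose initialisation is racing with this call could be observed either way; re-checking initialized after taking the lock, or a comment stating why the unlocked read is safe here, would make the intent explicit. At minimum the new comment should say what is being discarded, e.g. `/* fs is reusing an already-initialized sb: keep its existing options and do not clone from oldsb */`. The function body continues outside the hunk, as does inode_doinit_with_dentry whose GFP_NOFS changes are in this same section.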
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index f7d2f03781f2..44e12ec88090 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -86,7 +86,8 @@ int security_sid_to_context(u32 sid, char **scontext,
86int security_context_to_sid(char *scontext, u32 scontext_len, 86int security_context_to_sid(char *scontext, u32 scontext_len,
87 u32 *out_sid); 87 u32 *out_sid);
88 88
89int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid); 89int security_context_to_sid_default(char *scontext, u32 scontext_len,
90 u32 *out_sid, u32 def_sid, gfp_t gfp_flags);
90 91
91int security_get_user_sids(u32 callsid, char *username, 92int security_get_user_sids(u32 callsid, char *username,
92 u32 **sids, u32 *nel); 93 u32 **sids, u32 *nel);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 47295acd09c9..5fd54f2bbaac 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -680,7 +680,8 @@ out:
680 680
681} 681}
682 682
683static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 683static int security_context_to_sid_core(char *scontext, u32 scontext_len,
684 u32 *sid, u32 def_sid, gfp_t gfp_flags)
684{ 685{
685 char *scontext2; 686 char *scontext2;
686 struct context context; 687 struct context context;
@@ -709,7 +710,7 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s
709 null suffix to the copy to avoid problems with the existing 710 null suffix to the copy to avoid problems with the existing
710 attr package, which doesn't view the null terminator as part 711 attr package, which doesn't view the null terminator as part
711 of the attribute value. */ 712 of the attribute value. */
712 scontext2 = kmalloc(scontext_len+1,GFP_KERNEL); 713 scontext2 = kmalloc(scontext_len+1, gfp_flags);
713 if (!scontext2) { 714 if (!scontext2) {
714 rc = -ENOMEM; 715 rc = -ENOMEM;
715 goto out; 716 goto out;
@@ -809,7 +810,7 @@ out:
809int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) 810int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
810{ 811{
811 return security_context_to_sid_core(scontext, scontext_len, 812 return security_context_to_sid_core(scontext, scontext_len,
812 sid, SECSID_NULL); 813 sid, SECSID_NULL, GFP_KERNEL);
813} 814}
814 815
815/** 816/**
@@ -829,10 +830,11 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
829 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 830 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
830 * memory is available, or 0 on success. 831 * memory is available, or 0 on success.
831 */ 832 */
832int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 833int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid,
834 u32 def_sid, gfp_t gfp_flags)
833{ 835{
834 return security_context_to_sid_core(scontext, scontext_len, 836 return security_context_to_sid_core(scontext, scontext_len,
835 sid, def_sid); 837 sid, def_sid, gfp_flags);
836} 838}
837 839
838static int compute_sid_handle_invalid_context( 840static int compute_sid_handle_invalid_context(
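Review bot: The kerneldoc block above security_context_to_sid_default, whose tail is visible in the last hunk, does not appear to gain an entry for the new parameter; its @param list sits above the hunk so this is inferred, but if missing it should get `* @gfp_flags: allocation flags for the internal copy of @scontext (GFP_NOFS from filesystem paths)`. Inside security_context_to_sid_core only the scontext2 kmalloc is switched to gfp_flags; if any later allocation in that function or in the routines it calls (outside the hunk) still uses a fixed GFP_KERNEL, the GFP_NOFS intent of the hooks.c callers is not fully honored, so that is worth checking. security_context_to_sid keeps GFP_KERNEL, which is fine as long as no filesystem-path caller is left using it.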