Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/avc.c9
-rw-r--r--security/selinux/hooks.c32
-rw-r--r--security/selinux/include/avc.h18
-rw-r--r--security/selinux/include/xfrm.h7
4 files changed, 27 insertions, 39 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index dad36a6ab45f..fc3e6628a864 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -746,7 +746,6 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
746 * @tclass: target security class 746 * @tclass: target security class
747 * @requested: requested permissions, interpreted based on @tclass 747 * @requested: requested permissions, interpreted based on @tclass
748 * @auditdata: auxiliary audit data 748 * @auditdata: auxiliary audit data
749 * @flags: VFS walk flags
750 * 749 *
751 * Check the AVC to determine whether the @requested permissions are granted 750 * Check the AVC to determine whether the @requested permissions are granted
752 * for the SID pair (@ssid, @tsid), interpreting the permissions 751 * for the SID pair (@ssid, @tsid), interpreting the permissions
@@ -756,17 +755,15 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
756 * permissions are granted, -%EACCES if any permissions are denied, or 755 * permissions are granted, -%EACCES if any permissions are denied, or
757 * another -errno upon other errors. 756 * another -errno upon other errors.
758 */ 757 */
759int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, 758int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
760 u32 requested, struct common_audit_data *auditdata, 759 u32 requested, struct common_audit_data *auditdata)
761 unsigned flags)
762{ 760{
763 struct av_decision avd; 761 struct av_decision avd;
764 int rc, rc2; 762 int rc, rc2;
765 763
766 rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); 764 rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
767 765
768 rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, 766 rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
769 flags);
770 if (rc2) 767 if (rc2)
771 return rc2; 768 return rc2;
772 return rc; 769 return rc;
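Review bot: The kerneldoc above the renamed avc_has_perm() in the second hunk still describes only the access check, while the body also audits the decision and, at `if (rc2) return rc2;`, returns an audit failure in preference to the access result, which is exactly what distinguishes it from avc_has_perm_noaudit(). That is worth stating where callers will read it, since an audit error replaces the -EACCES/0 result they may be expecting. Suggest adding to the comment: ` * Audits the decision via avc_audit(); a non-zero return from avc_audit() is returned instead of the access result.` The function's closing brace lies outside the hunk.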
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c09211a4d7da..777ee98273d1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1539,7 +1539,7 @@ static int cred_has_capability(const struct cred *cred,
1539 1539
1540 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1540 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1541 if (audit == SECURITY_CAP_AUDIT) { 1541 if (audit == SECURITY_CAP_AUDIT) {
1542 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1542 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1543 if (rc2) 1543 if (rc2)
1544 return rc2; 1544 return rc2;
1545 } 1545 }
@@ -1562,8 +1562,7 @@ static int task_has_system(struct task_struct *tsk,
1562static int inode_has_perm(const struct cred *cred, 1562static int inode_has_perm(const struct cred *cred,
1563 struct inode *inode, 1563 struct inode *inode,
1564 u32 perms, 1564 u32 perms,
1565 struct common_audit_data *adp, 1565 struct common_audit_data *adp)
1566 unsigned flags)
1567{ 1566{
1568 struct inode_security_struct *isec; 1567 struct inode_security_struct *isec;
1569 u32 sid; 1568 u32 sid;
@@ -1576,7 +1575,7 @@ static int inode_has_perm(const struct cred *cred,
1576 sid = cred_sid(cred); 1575 sid = cred_sid(cred);
1577 isec = inode->i_security; 1576 isec = inode->i_security;
1578 1577
1579 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); 1578 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1580} 1579}
1581 1580
1582/* Same as inode_has_perm, but pass explicit audit data containing 1581/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1591,7 +1590,7 @@ static inline int dentry_has_perm(const struct cred *cred,
1591 1590
1592 ad.type = LSM_AUDIT_DATA_DENTRY; 1591 ad.type = LSM_AUDIT_DATA_DENTRY;
1593 ad.u.dentry = dentry; 1592 ad.u.dentry = dentry;
1594 return inode_has_perm(cred, inode, av, &ad, 0); 1593 return inode_has_perm(cred, inode, av, &ad);
1595} 1594}
1596 1595
1597/* Same as inode_has_perm, but pass explicit audit data containing 1596/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1606,7 +1605,7 @@ static inline int path_has_perm(const struct cred *cred,
1606 1605
1607 ad.type = LSM_AUDIT_DATA_PATH; 1606 ad.type = LSM_AUDIT_DATA_PATH;
1608 ad.u.path = *path; 1607 ad.u.path = *path;
1609 return inode_has_perm(cred, inode, av, &ad, 0); 1608 return inode_has_perm(cred, inode, av, &ad);
1610} 1609}
1611 1610
1612/* Same as path_has_perm, but uses the inode from the file struct. */ 1611/* Same as path_has_perm, but uses the inode from the file struct. */
@@ -1618,7 +1617,7 @@ static inline int file_path_has_perm(const struct cred *cred,
1618 1617
1619 ad.type = LSM_AUDIT_DATA_PATH; 1618 ad.type = LSM_AUDIT_DATA_PATH;
1620 ad.u.path = file->f_path; 1619 ad.u.path = file->f_path;
1621 return inode_has_perm(cred, file_inode(file), av, &ad, 0); 1620 return inode_has_perm(cred, file_inode(file), av, &ad);
1622} 1621}
1623 1622
1624/* Check whether a task can use an open file descriptor to 1623/* Check whether a task can use an open file descriptor to
@@ -1654,7 +1653,7 @@ static int file_has_perm(const struct cred *cred,
1654 /* av is zero if only checking access to the descriptor. */ 1653 /* av is zero if only checking access to the descriptor. */
1655 rc = 0; 1654 rc = 0;
1656 if (av) 1655 if (av)
1657 rc = inode_has_perm(cred, inode, av, &ad, 0); 1656 rc = inode_has_perm(cred, inode, av, &ad);
1658 1657
1659out: 1658out:
1660 return rc; 1659 return rc;
@@ -2624,7 +2623,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2624} 2623}
2625 2624
2626static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2625static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2627 const struct qstr *qstr, char **name, 2626 const struct qstr *qstr,
2627 const char **name,
2628 void **value, size_t *len) 2628 void **value, size_t *len)
2629{ 2629{
2630 const struct task_security_struct *tsec = current_security(); 2630 const struct task_security_struct *tsec = current_security();
@@ -2632,7 +2632,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2632 struct superblock_security_struct *sbsec; 2632 struct superblock_security_struct *sbsec;
2633 u32 sid, newsid, clen; 2633 u32 sid, newsid, clen;
2634 int rc; 2634 int rc;
2635 char *namep = NULL, *context; 2635 char *context;
2636 2636
2637 dsec = dir->i_security; 2637 dsec = dir->i_security;
2638 sbsec = dir->i_sb->s_security; 2638 sbsec = dir->i_sb->s_security;
@@ -2668,19 +2668,13 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2668 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2668 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2669 return -EOPNOTSUPP; 2669 return -EOPNOTSUPP;
2670 2670
2671 if (name) { 2671 if (name)
2672 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); 2672 *name = XATTR_SELINUX_SUFFIX;
2673 if (!namep)
2674 return -ENOMEM;
2675 *name = namep;
2676 }
2677 2673
2678 if (value && len) { 2674 if (value && len) {
2679 rc = security_sid_to_context_force(newsid, &context, &clen); 2675 rc = security_sid_to_context_force(newsid, &context, &clen);
2680 if (rc) { 2676 if (rc)
2681 kfree(namep);
2682 return rc; 2677 return rc;
2683 }
2684 *value = context; 2678 *value = context;
2685 *len = clen; 2679 *len = clen;
2686 } 2680 }
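Review bot: In the selinux_inode_init_security() hunk, `*name = XATTR_SELINUX_SUFFIX;` now hands the caller a pointer to a string constant instead of a kstrdup() copy and the error path no longer frees it, so the ownership contract of the `name` out-parameter changes: any consumer of this hook that still kfree()s `*name` would free read-only data. The new `const char **name` signature will catch consumers that write through the pointer, but not ones that free it; that needs to be confirmed against the callers of security_inode_init_security(), which are outside this diff. A one-line comment at the assignment, `/* points at a string constant; the caller must not free it */`, would record the new contract. The function continues past the hunk.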
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 92d0ab561db8..f53ee3c58d0f 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -130,7 +130,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
130 u16 tclass, u32 requested, 130 u16 tclass, u32 requested,
131 struct av_decision *avd, 131 struct av_decision *avd,
132 int result, 132 int result,
133 struct common_audit_data *a, unsigned flags) 133 struct common_audit_data *a)
134{ 134{
135 u32 audited, denied; 135 u32 audited, denied;
136 audited = avc_audit_required(requested, avd, result, 0, &denied); 136 audited = avc_audit_required(requested, avd, result, 0, &denied);
@@ -138,7 +138,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
138 return 0; 138 return 0;
139 return slow_avc_audit(ssid, tsid, tclass, 139 return slow_avc_audit(ssid, tsid, tclass,
140 requested, audited, denied, 140 requested, audited, denied,
141 a, flags); 141 a, 0);
142} 142}
143 143
144#define AVC_STRICT 1 /* Ignore permissive mode. */ 144#define AVC_STRICT 1 /* Ignore permissive mode. */
@@ -147,17 +147,9 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
147 unsigned flags, 147 unsigned flags,
148 struct av_decision *avd); 148 struct av_decision *avd);
149 149
150int avc_has_perm_flags(u32 ssid, u32 tsid, 150int avc_has_perm(u32 ssid, u32 tsid,
151 u16 tclass, u32 requested, 151 u16 tclass, u32 requested,
152 struct common_audit_data *auditdata, 152 struct common_audit_data *auditdata);
153 unsigned);
154
155static inline int avc_has_perm(u32 ssid, u32 tsid,
156 u16 tclass, u32 requested,
157 struct common_audit_data *auditdata)
158{
159 return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
160}
161 153
162u32 avc_policy_seqno(void); 154u32 avc_policy_seqno(void);
163 155
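Review bot: In the avc_audit() hunk the flags argument to slow_avc_audit() is now the literal `0` (`a, 0);`), so the VFS walk flags that the removed parameter carried can no longer reach it through this wrapper or through avc_has_perm(). If slow_avc_audit() still uses those flags to decide whether it may block (the kerneldoc removed in avc.c described them as VFS walk flags), every remaining caller of avc_audit()/avc_has_perm() has to be in a context where blocking is acceptable, and any caller that is not must call slow_avc_audit() directly; slow_avc_audit() is not in the diff, so this is an inference. Suggest a comment above the call: `/* flags fixed at 0: only for callers that are allowed to block */`.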
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 7605251936f5..0dec76c64cf5 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -42,8 +42,13 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
42 42
43static inline void selinux_xfrm_notify_policyload(void) 43static inline void selinux_xfrm_notify_policyload(void)
44{ 44{
45 struct net *net;
46
45 atomic_inc(&flow_cache_genid); 47 atomic_inc(&flow_cache_genid);
46 rt_genid_bump(&init_net); 48 rtnl_lock();
49 for_each_net(net)
50 rt_genid_bump_all(net);
51 rtnl_unlock();
47} 52}
48#else 53#else
49static inline int selinux_xfrm_enabled(void) 54static inline int selinux_xfrm_enabled(void)
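Review bot: selinux_xfrm_notify_policyload() now takes `rtnl_lock()` around the for_each_net() loop, turning a helper that previously only did atomic_inc() and rt_genid_bump(&init_net) into one that can sleep and that deadlocks if a caller already holds the RTNL; the call sites are not in this diff, so this needs checking against where the policy-load notification runs. A comment on the inline, `/* Takes rtnl_lock(): call only from process context, without RTNL held. */`, would record the new constraint. The hunk also introduces rtnl_lock()/rtnl_unlock(), for_each_net() and rt_genid_bump_all() into this header without adding an include (the diffstat's 7 lines for this file are all in this hunk), so their declarations (linux/rtnetlink.h, net/net_namespace.h) must already be reachable from every includer of xfrm.h.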