Diffstat (limited to 'security')
-rw-r--r--security/apparmor/apparmorfs.c2
-rw-r--r--security/apparmor/lsm.c11
-rw-r--r--security/apparmor/path.c66
-rw-r--r--security/capability.c13
-rw-r--r--security/inode.c16
-rw-r--r--security/integrity/evm/evm_crypto.c19
-rw-r--r--security/lsm_audit.c7
-rw-r--r--security/security.c19
-rw-r--r--security/selinux/hooks.c21
-rw-r--r--security/selinux/netnode.c2
-rw-r--r--security/selinux/netport.c4
-rw-r--r--security/smack/smack_lsm.c4
-rw-r--r--security/tomoyo/audit.c4
-rw-r--r--security/tomoyo/common.h2
-rw-r--r--security/tomoyo/realpath.c22
-rw-r--r--security/tomoyo/securityfs_if.c2
-rw-r--r--security/tomoyo/tomoyo.c15
17 files changed, 124 insertions, 105 deletions
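--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -165,7 +165,7 @@ static void __init aafs_remove(const char *name)
  *
  * Used aafs_remove to remove entries created with this fn.
  */
-static int __init aafs_create(const char *name, int mask,
+static int __init aafs_create(const char *name, umode_t mask,
 			      const struct file_operations *fops)
 {
 	struct dentry *dentry;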
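--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -262,7 +262,7 @@ static int apparmor_path_unlink(struct path *dir, struct dentry *dentry)
 }
 
 static int apparmor_path_mkdir(struct path *dir, struct dentry *dentry,
-			       int mode)
+			       umode_t mode)
 {
 	return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
 				  S_IFDIR);
@@ -274,7 +274,7 @@ static int apparmor_path_rmdir(struct path *dir, struct dentry *dentry)
 }
 
 static int apparmor_path_mknod(struct path *dir, struct dentry *dentry,
-			       int mode, unsigned int dev)
+			       umode_t mode, unsigned int dev)
 {
 	return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
 }
@@ -344,13 +344,12 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
 	return error;
 }
 
-static int apparmor_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
-			       mode_t mode)
+static int apparmor_path_chmod(struct path *path, umode_t mode)
 {
-	if (!mediated_filesystem(dentry->d_inode))
+	if (!mediated_filesystem(path->dentry->d_inode))
 		return 0;
 
-	return common_perm_mnt_dentry(OP_CHMOD, mnt, dentry, AA_MAY_CHMOD);
+	return common_perm_mnt_dentry(OP_CHMOD, path->mnt, path->dentry, AA_MAY_CHMOD);
 }
 
 static int apparmor_path_chown(struct path *path, uid_t uid, gid_t gid)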
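Review bot: The new line 352 `return common_perm_mnt_dentry(OP_CHMOD, path->mnt, path->dentry, AA_MAY_CHMOD);` runs past the 80-column limit the rest of this file respects, so it will trip checkpatch; wrapping it as `return common_perm_mnt_dentry(OP_CHMOD, path->mnt, path->dentry,` / `AA_MAY_CHMOD);` matches how apparmor_path_mkdir above breaks its argument list. The rewritten apparmor_path_chmod otherwise mirrors apparmor_path_chown directly below it, which already takes a struct path, so the hook family is now consistent.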
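--- a/security/apparmor/path.c
+++ b/security/apparmor/path.c
@@ -13,7 +13,6 @@
  */
 
 #include <linux/magic.h>
-#include <linux/mnt_namespace.h>
 #include <linux/mount.h>
 #include <linux/namei.h>
 #include <linux/nsproxy.h>
@@ -57,23 +56,44 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen)
 static int d_namespace_path(struct path *path, char *buf, int buflen,
 			    char **name, int flags)
 {
-	struct path root, tmp;
 	char *res;
-	int connected, error = 0;
+	int error = 0;
+	int connected = 1;
+
+	if (path->mnt->mnt_flags & MNT_INTERNAL) {
+		/* it's not mounted anywhere */
+		res = dentry_path(path->dentry, buf, buflen);
+		*name = res;
+		if (IS_ERR(res)) {
+			*name = buf;
+			return PTR_ERR(res);
+		}
+		if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
+		    strncmp(*name, "/sys/", 5) == 0) {
+			/* TODO: convert over to using a per namespace
+			 * control instead of hard coded /proc
+			 */
+			return prepend(name, *name - buf, "/proc", 5);
+		}
+		return 0;
+	}
 
-	/* Get the root we want to resolve too, released below */
+	/* resolve paths relative to chroot?*/
 	if (flags & PATH_CHROOT_REL) {
-		/* resolve paths relative to chroot */
+		struct path root;
 		get_fs_root(current->fs, &root);
-	} else {
-		/* resolve paths relative to namespace */
-		root.mnt = current->nsproxy->mnt_ns->root;
-		root.dentry = root.mnt->mnt_root;
-		path_get(&root);
+		res = __d_path(path, &root, buf, buflen);
+		if (res && !IS_ERR(res)) {
+			/* everything's fine */
+			*name = res;
+			path_put(&root);
+			goto ok;
+		}
+		path_put(&root);
+		connected = 0;
 	}
 
-	tmp = root;
-	res = __d_path(path, &tmp, buf, buflen);
+	res = d_absolute_path(path, buf, buflen);
 
 	*name = res;
 	/* handle error conditions - and still allow a partial path to
@@ -84,7 +104,10 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 		*name = buf;
 		goto out;
 	}
+	if (!our_mnt(path->mnt))
+		connected = 0;
 
+ok:
 	/* Handle two cases:
 	 * 1. A deleted dentry && profile is not allowing mediation of deleted
 	 * 2. On some filesystems, newly allocated dentries appear to the
@@ -97,10 +120,7 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 		goto out;
 	}
 
-	/* Determine if the path is connected to the expected root */
-	connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
-
-	/* If the path is not connected,
+	/* If the path is not connected to the expected root,
 	 * check if it is a sysctl and handle specially else remove any
 	 * leading / that __d_path may have returned.
 	 * Unless
@@ -112,17 +132,9 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 	 * namespace root.
 	 */
 	if (!connected) {
-		/* is the disconnect path a sysctl? */
-		if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
-		    strncmp(*name, "/sys/", 5) == 0) {
-			/* TODO: convert over to using a per namespace
-			 * control instead of hard coded /proc
-			 */
-			error = prepend(name, *name - buf, "/proc", 5);
-		} else if (!(flags & PATH_CONNECT_PATH) &&
+		if (!(flags & PATH_CONNECT_PATH) &&
 		    !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
-		      (tmp.mnt == current->nsproxy->mnt_ns->root &&
-		       tmp.dentry == tmp.mnt->mnt_root))) {
+		      our_mnt(path->mnt))) {
 			/* disconnected path, don't return pathname starting
 			 * with '/'
 			 */
@@ -133,8 +145,6 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 	}
 
 out:
-	path_put(&root);
-
 	return error;
 }
 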
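Review bot: The new MNT_INTERNAL branch at the top of d_namespace_path returns before the deleted-dentry handling and the PATH_CONNECT_PATH / disconnected-path logic that every other path reaches via `ok:`, so a name built from an internal mount is never subjected to those checks; if that is intended (an internal mount can never be connected to the namespace root), a one-line comment such as `/* internal mounts are never connected; skip the chroot/ns handling below */` would spare the next reader from tracing it. The sysctl special case (the PROC_SUPER_MAGIC plus "/sys/" test with the "/proc" prepend) also moved from the !connected branch into this branch, so it now fires only for internal proc mounts where it previously matched any disconnected proc dentry; that narrowing looks deliberate but is undocumented. The error-handling lines between the second and third hunk, and the tail of the !connected block, are outside the hunks.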
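--- a/security/capability.c
+++ b/security/capability.c
@@ -125,7 +125,7 @@ static int cap_inode_init_security(struct inode *inode, struct inode *dir,
 }
 
 static int cap_inode_create(struct inode *inode, struct dentry *dentry,
-			    int mask)
+			    umode_t mask)
 {
 	return 0;
 }
@@ -148,7 +148,7 @@ static int cap_inode_symlink(struct inode *inode, struct dentry *dentry,
 }
 
 static int cap_inode_mkdir(struct inode *inode, struct dentry *dentry,
-			   int mask)
+			   umode_t mask)
 {
 	return 0;
 }
@@ -159,7 +159,7 @@ static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry)
 }
 
 static int cap_inode_mknod(struct inode *inode, struct dentry *dentry,
-			   int mode, dev_t dev)
+			   umode_t mode, dev_t dev)
 {
 	return 0;
 }
@@ -235,13 +235,13 @@ static void cap_inode_getsecid(const struct inode *inode, u32 *secid)
 }
 
 #ifdef CONFIG_SECURITY_PATH
-static int cap_path_mknod(struct path *dir, struct dentry *dentry, int mode,
+static int cap_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode,
 			  unsigned int dev)
 {
 	return 0;
 }
 
-static int cap_path_mkdir(struct path *dir, struct dentry *dentry, int mode)
+static int cap_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode)
 {
 	return 0;
 }
@@ -279,8 +279,7 @@ static int cap_path_truncate(struct path *path)
 	return 0;
 }
 
-static int cap_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
-			  mode_t mode)
+static int cap_path_chmod(struct path *path, umode_t mode)
 {
 	return 0;
 }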
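--- a/security/inode.c
+++ b/security/inode.c
@@ -56,7 +56,7 @@ static const struct file_operations default_file_ops = {
 	.llseek = noop_llseek,
 };
 
-static struct inode *get_inode(struct super_block *sb, int mode, dev_t dev)
+static struct inode *get_inode(struct super_block *sb, umode_t mode, dev_t dev)
 {
 	struct inode *inode = new_inode(sb);
 
@@ -85,7 +85,7 @@ static struct inode *get_inode(struct super_block *sb, int mode, dev_t dev)
 
 /* SMP-safe */
 static int mknod(struct inode *dir, struct dentry *dentry,
-			 int mode, dev_t dev)
+			 umode_t mode, dev_t dev)
 {
 	struct inode *inode;
 	int error = -ENOMEM;
@@ -102,7 +102,7 @@ static int mknod(struct inode *dir, struct dentry *dentry,
 	return error;
 }
 
-static int mkdir(struct inode *dir, struct dentry *dentry, int mode)
+static int mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
 {
 	int res;
 
@@ -113,7 +113,7 @@ static int mkdir(struct inode *dir, struct dentry *dentry, int mode)
 	return res;
 }
 
-static int create(struct inode *dir, struct dentry *dentry, int mode)
+static int create(struct inode *dir, struct dentry *dentry, umode_t mode)
 {
 	mode = (mode & S_IALLUGO) | S_IFREG;
 	return mknod(dir, dentry, mode, 0);
@@ -145,7 +145,7 @@ static struct file_system_type fs_type = {
 	.kill_sb = kill_litter_super,
 };
 
-static int create_by_name(const char *name, mode_t mode,
+static int create_by_name(const char *name, umode_t mode,
 			  struct dentry *parent,
 			  struct dentry **dentry)
 {
@@ -159,12 +159,12 @@ static int create_by_name(const char *name, mode_t mode,
 	 * have around.
 	 */
 	if (!parent)
-		parent = mount->mnt_sb->s_root;
+		parent = mount->mnt_root;
 
 	mutex_lock(&parent->d_inode->i_mutex);
 	*dentry = lookup_one_len(name, parent, strlen(name));
 	if (!IS_ERR(*dentry)) {
-		if ((mode & S_IFMT) == S_IFDIR)
+		if (S_ISDIR(mode))
 			error = mkdir(parent->d_inode, *dentry, mode);
 		else
 			error = create(parent->d_inode, *dentry, mode);
@@ -205,7 +205,7 @@ static int create_by_name(const char *name, mode_t mode,
  * If securityfs is not enabled in the kernel, the value %-ENODEV is
  * returned.
  */
-struct dentry *securityfs_create_file(const char *name, mode_t mode,
+struct dentry *securityfs_create_file(const char *name, umode_t mode,
 				   struct dentry *parent, void *data,
 				   const struct file_operations *fops)
 {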
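--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -27,20 +27,35 @@ static int evmkey_len = MAX_KEY_SIZE;
 
 struct crypto_shash *hmac_tfm;
 
+static DEFINE_MUTEX(mutex);
+
 static struct shash_desc *init_desc(void)
 {
 	int rc;
 	struct shash_desc *desc;
 
 	if (hmac_tfm == NULL) {
+		mutex_lock(&mutex);
+		if (hmac_tfm)
+			goto out;
 		hmac_tfm = crypto_alloc_shash(evm_hmac, 0, CRYPTO_ALG_ASYNC);
 		if (IS_ERR(hmac_tfm)) {
 			pr_err("Can not allocate %s (reason: %ld)\n",
 			       evm_hmac, PTR_ERR(hmac_tfm));
 			rc = PTR_ERR(hmac_tfm);
 			hmac_tfm = NULL;
+			mutex_unlock(&mutex);
+			return ERR_PTR(rc);
+		}
+		rc = crypto_shash_setkey(hmac_tfm, evmkey, evmkey_len);
+		if (rc) {
+			crypto_free_shash(hmac_tfm);
+			hmac_tfm = NULL;
+			mutex_unlock(&mutex);
 			return ERR_PTR(rc);
 		}
+out:
+		mutex_unlock(&mutex);
 	}
 
 	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac_tfm),
@@ -51,11 +66,7 @@ static struct shash_desc *init_desc(void)
 	desc->tfm = hmac_tfm;
 	desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
 
-	rc = crypto_shash_setkey(hmac_tfm, evmkey, evmkey_len);
-	if (rc)
-		goto out;
 	rc = crypto_shash_init(desc);
-out:
 	if (rc) {
 		kfree(desc);
 		return ERR_PTR(rc);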
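Review bot: The lazy initialisation in init_desc publishes hmac_tfm before it is keyed: under the mutex, `hmac_tfm = crypto_alloc_shash(...)` is stored to the global before crypto_shash_setkey runs, while the fast-path `if (hmac_tfm == NULL)` test is made without the lock, so a concurrent caller can observe the non-NULL tfm, skip the locked section, and build an HMAC with an unset key; on the setkey failure path the same reader can reach the tfm between `crypto_free_shash(hmac_tfm)` and the `hmac_tfm = NULL` store. Allocating and keying a local tfm and assigning it to hmac_tfm only as the last step under the mutex closes both windows, and the unlocked read then wants an ACCESS_ONCE() plus a comment saying the locked re-check is authoritative. Moving setkey into the one-time initialisation is otherwise right, since the key does not change over the tfm's lifetime.
```c
	if (hmac_tfm == NULL) {
		struct crypto_shash *tfm;

		mutex_lock(&mutex);
		if (hmac_tfm)
			goto out;
		tfm = crypto_alloc_shash(evm_hmac, 0, CRYPTO_ALG_ASYNC);
		if (IS_ERR(tfm)) {
			pr_err("Can not allocate %s (reason: %ld)\n",
			       evm_hmac, PTR_ERR(tfm));
			rc = PTR_ERR(tfm);
			mutex_unlock(&mutex);
			return ERR_PTR(rc);
		}
		rc = crypto_shash_setkey(tfm, evmkey, evmkey_len);
		if (rc) {
			crypto_free_shash(tfm);
			mutex_unlock(&mutex);
			return ERR_PTR(rc);
		}
		/* publish only once the tfm is fully keyed */
		hmac_tfm = tfm;
out:
		mutex_unlock(&mutex);
	}
	/* … unchanged: desc allocation and crypto_shash_init … */
```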
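--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -114,19 +114,20 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
 	int offset, ret = 0;
 	struct ipv6hdr *ip6;
 	u8 nexthdr;
+	__be16 frag_off;
 
 	ip6 = ipv6_hdr(skb);
 	if (ip6 == NULL)
 		return -EINVAL;
-	ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
-	ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
+	ad->u.net.v6info.saddr = ip6->saddr;
+	ad->u.net.v6info.daddr = ip6->daddr;
 	ret = 0;
 	/* IPv6 can have several extension header before the Transport header
 	 * skip them */
 	offset = skb_network_offset(skb);
 	offset += sizeof(*ip6);
 	nexthdr = ip6->nexthdr;
-	offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
+	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
 	if (offset < 0)
 		return 0;
 	if (proto)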
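Review bot: The new `frag_off` output of ipv6_skip_exthdr is declared and passed but never read, so ipv6_skb_to_auditdata still decides what to parse next purely from `nexthdr`; that is safe only because ipv6_skip_exthdr appears to leave nexthdr at the fragment header value when it stops at a non-initial fragment, an implicit contract that deserves either a comment or an explicit guard after the offset check, `if (frag_off & htons(IP6_OFFSET)) return 0;`, so a later fragment is never parsed as if it carried a transport header. The same pattern is introduced in selinux_parse_skb_ipv6 in security/selinux/hooks.c. The switch on nexthdr that consumes the result lies below the hunk.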
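--- a/security/security.c
+++ b/security/security.c
@@ -381,14 +381,14 @@ int security_old_inode_init_security(struct inode *inode, struct inode *dir,
 				     void **value, size_t *len)
 {
 	if (unlikely(IS_PRIVATE(inode)))
-		return 0;
+		return -EOPNOTSUPP;
 	return security_ops->inode_init_security(inode, dir, qstr, name, value,
 						 len);
 }
 EXPORT_SYMBOL(security_old_inode_init_security);
 
 #ifdef CONFIG_SECURITY_PATH
-int security_path_mknod(struct path *dir, struct dentry *dentry, int mode,
+int security_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode,
 			unsigned int dev)
 {
 	if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
@@ -397,7 +397,7 @@ int security_path_mknod(struct path *dir, struct dentry *dentry, int mode,
 }
 EXPORT_SYMBOL(security_path_mknod);
 
-int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode)
+int security_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode)
 {
 	if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
 		return 0;
@@ -454,12 +454,11 @@ int security_path_truncate(struct path *path)
 	return security_ops->path_truncate(path);
 }
 
-int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
-			mode_t mode)
+int security_path_chmod(struct path *path, umode_t mode)
 {
-	if (unlikely(IS_PRIVATE(dentry->d_inode)))
+	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
 		return 0;
-	return security_ops->path_chmod(dentry, mnt, mode);
+	return security_ops->path_chmod(path, mode);
 }
 
 int security_path_chown(struct path *path, uid_t uid, gid_t gid)
@@ -475,7 +474,7 @@ int security_path_chroot(struct path *path)
 }
 #endif
 
-int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
+int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
 {
 	if (unlikely(IS_PRIVATE(dir)))
 		return 0;
@@ -506,7 +505,7 @@ int security_inode_symlink(struct inode *dir, struct dentry *dentry,
 	return security_ops->inode_symlink(dir, dentry, old_name);
 }
 
-int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode)
+int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
 {
 	if (unlikely(IS_PRIVATE(dir)))
 		return 0;
@@ -521,7 +520,7 @@ int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
 	return security_ops->inode_rmdir(dir, dentry);
 }
 
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
 {
 	if (unlikely(IS_PRIVATE(dir)))
 		return 0;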
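Review bot: security_old_inode_init_security now returns -EOPNOTSUPP instead of 0 for a private inode, which only behaves as intended if its filesystem callers already treat -EOPNOTSUPP as "no security xattr to write" (the value an LSM returns when it has nothing to set) rather than as a failure; that reliance is invisible here and belongs in the function's kernel-doc above the hunk, e.g. `* Returns -EOPNOTSUPP for a private inode, which callers treat as "no xattr to initialise".` Every other hook in this file keeps returning 0 on IS_PRIVATE, so the asymmetry is deliberate but unexplained in the code.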
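--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1090,7 +1090,7 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
 		return SECCLASS_NETLINK_ROUTE_SOCKET;
 	case NETLINK_FIREWALL:
 		return SECCLASS_NETLINK_FIREWALL_SOCKET;
-	case NETLINK_INET_DIAG:
+	case NETLINK_SOCK_DIAG:
 		return SECCLASS_NETLINK_TCPDIAG_SOCKET;
 	case NETLINK_NFLOG:
 		return SECCLASS_NETLINK_NFLOG_SOCKET;
@@ -1740,7 +1740,7 @@ static inline u32 file_mask_to_av(int mode, int mask)
 {
 	u32 av = 0;
 
-	if ((mode & S_IFMT) != S_IFDIR) {
+	if (!S_ISDIR(mode)) {
 		if (mask & MAY_EXEC)
 			av |= FILE__EXECUTE;
 		if (mask & MAY_READ)
@@ -2507,7 +2507,7 @@ static int selinux_mount(char *dev_name,
 	const struct cred *cred = current_cred();
 
 	if (flags & MS_REMOUNT)
-		return superblock_has_perm(cred, path->mnt->mnt_sb,
+		return superblock_has_perm(cred, path->dentry->d_sb,
 					   FILESYSTEM__REMOUNT, NULL);
 	else
 		return path_has_perm(cred, path, FILE__MOUNTON);
@@ -2598,7 +2598,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 	return 0;
 }
 
-static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
+static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
 {
 	return may_create(dir, dentry, SECCLASS_FILE);
 }
@@ -2618,7 +2618,7 @@ static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const
 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
 }
 
-static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
+static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
 {
 	return may_create(dir, dentry, SECCLASS_DIR);
 }
@@ -2628,7 +2628,7 @@ static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
 	return may_link(dir, dentry, MAY_RMDIR);
 }
 
-static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
 {
 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
 }
@@ -3561,19 +3561,20 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
 	u8 nexthdr;
 	int ret = -EINVAL, offset;
 	struct ipv6hdr _ipv6h, *ip6;
+	__be16 frag_off;
 
 	offset = skb_network_offset(skb);
 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
 	if (ip6 == NULL)
 		goto out;
 
-	ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
-	ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
+	ad->u.net.v6info.saddr = ip6->saddr;
+	ad->u.net.v6info.daddr = ip6->daddr;
 	ret = 0;
 
 	nexthdr = ip6->nexthdr;
 	offset += sizeof(_ipv6h);
-	offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
+	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
 	if (offset < 0)
 		goto out;
 
@@ -3871,7 +3872,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 		if (family == PF_INET)
 			ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
 		else
-			ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
+			ad.u.net.v6info.saddr = addr6->sin6_addr;
 
 		err = avc_has_perm(sksec->sid, sid,
 				   sksec->sclass, node_perm, &ad);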
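Review bot: selinux_inode_create renames its third parameter from `mask` to `mode` while selinux_inode_mkdir in the following hunk keeps `mask` for the same umode_t argument; the two hooks should agree, and `mode` is the accurate name since the value is a file mode rather than a permission mask, so `static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)` would match. file_mask_to_av still declares its first parameter as `int mode` even though it is now compared with S_ISDIR and fed umode_t values by its callers; harmless today, but worth aligning in the same type sweep.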
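--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -220,7 +220,7 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 	case PF_INET6:
 		ret = security_node_sid(PF_INET6,
 					addr, sizeof(struct in6_addr), sid);
-		ipv6_addr_copy(&new->nsec.addr.ipv6, addr);
+		new->nsec.addr.ipv6 = *(struct in6_addr *)addr;
 		break;
 	default:
 		BUG();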
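Review bot: `new->nsec.addr.ipv6 = *(struct in6_addr *)addr;` turns a memcpy-style helper into a struct assignment through a cast of the `void *` argument, which lets the compiler emit naturally aligned loads; the old ipv6_addr_copy tolerated an unaligned source and this does not, so it is only safe if every caller of sel_netnode_sid_slow hands over a properly aligned in6_addr (an address taken from an skb header presumably is, one copied out of a raw buffer may not be). A short comment at the cast, `/* addr must be a naturally aligned struct in6_addr */`, would record the new precondition for future callers.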
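--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -123,7 +123,9 @@ static void sel_netport_insert(struct sel_netport *port)
 	if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) {
 		struct sel_netport *tail;
 		tail = list_entry(
-			rcu_dereference(sel_netport_hash[idx].list.prev),
+			rcu_dereference_protected(
+				sel_netport_hash[idx].list.prev,
+				lockdep_is_held(&sel_netport_lock)),
 			struct sel_netport, list);
 		list_del_rcu(&tail->list);
 		kfree_rcu(tail, rcu);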
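--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -406,7 +406,7 @@ static int smack_sb_statfs(struct dentry *dentry)
 static int smack_sb_mount(char *dev_name, struct path *path,
 			  char *type, unsigned long flags, void *data)
 {
-	struct superblock_smack *sbp = path->mnt->mnt_sb->s_security;
+	struct superblock_smack *sbp = path->dentry->d_sb->s_security;
 	struct smk_audit_info ad;
 
 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
@@ -435,7 +435,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
 	smk_ad_setfield_u_fs_path(&ad, path);
 
-	sbp = mnt->mnt_sb->s_security;
+	sbp = path.dentry->d_sb->s_security;
 	return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
 }
 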
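--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -112,7 +112,7 @@ out:
  *
  * Returns file type string.
  */
-static inline const char *tomoyo_filetype(const mode_t mode)
+static inline const char *tomoyo_filetype(const umode_t mode)
 {
 	switch (mode & S_IFMT) {
 	case S_IFREG:
@@ -180,7 +180,7 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
 	for (i = 0; i < TOMOYO_MAX_PATH_STAT; i++) {
 		struct tomoyo_mini_stat *stat;
 		unsigned int dev;
-		mode_t mode;
+		umode_t mode;
 		if (!obj->stat_valid[i])
 			continue;
 		stat = &obj->stat[i];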
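--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -564,7 +564,7 @@ struct tomoyo_mini_stat {
 	uid_t uid;
 	gid_t gid;
 	ino_t ino;
-	mode_t mode;
+	umode_t mode;
 	dev_t dev;
 	dev_t rdev;
 };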
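--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -4,15 +4,8 @@
  * Copyright (C) 2005-2011 NTT DATA CORPORATION
  */
 
-#include <linux/types.h>
-#include <linux/mount.h>
-#include <linux/mnt_namespace.h>
-#include <linux/fs_struct.h>
-#include <linux/magic.h>
-#include <linux/slab.h>
-#include <net/sock.h>
 #include "common.h"
-#include "../../fs/internal.h"
+#include <linux/magic.h>
 
 /**
  * tomoyo_encode2 - Encode binary string to ascii string.
@@ -101,9 +94,8 @@ static char *tomoyo_get_absolute_path(struct path *path, char * const buffer,
 {
 	char *pos = ERR_PTR(-ENOMEM);
 	if (buflen >= 256) {
-		struct path ns_root = { };
 		/* go to whatever namespace root we are under */
-		pos = __d_path(path, &ns_root, buffer, buflen - 1);
+		pos = d_absolute_path(path, buffer, buflen - 1);
 		if (!IS_ERR(pos) && *pos == '/' && pos[1]) {
 			struct inode *inode = path->dentry->d_inode;
 			if (inode && S_ISDIR(inode->i_mode)) {
@@ -294,8 +286,16 @@ char *tomoyo_realpath_from_path(struct path *path)
 			pos = tomoyo_get_local_path(path->dentry, buf,
 						    buf_len - 1);
 		/* Get absolute name for the rest. */
-		else
+		else {
 			pos = tomoyo_get_absolute_path(path, buf, buf_len - 1);
+			/*
+			 * Fall back to local name if absolute name is not
+			 * available.
+			 */
+			if (pos == ERR_PTR(-EINVAL))
+				pos = tomoyo_get_local_path(path->dentry, buf,
+							    buf_len - 1);
+		}
 encode:
 		if (IS_ERR(pos))
 			continue;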
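Review bot: The fallback added to tomoyo_realpath_from_path tests specifically for `pos == ERR_PTR(-EINVAL)` while its comment only says the absolute name is "not available"; if -EINVAL is the value d_absolute_path yields for a path that is not reachable from the namespace root (a detached or lazily unmounted tree), the comment should say so, because other errors such as -ENOMEM are deliberately left as errors and a reader cannot tell that from "not available". The rewritten include block also places `#include <linux/magic.h>` after `#include "common.h"`, inverting the kernel convention of system headers before local ones that the removed block followed; swapping the two lines is enough. The loop that encloses the fallback starts above the hunk.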
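--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -224,7 +224,7 @@ static const struct file_operations tomoyo_operations = {
  *
  * Returns nothing.
  */
-static void __init tomoyo_create_entry(const char *name, const mode_t mode,
+static void __init tomoyo_create_entry(const char *name, const umode_t mode,
 				       struct dentry *parent, const u8 key)
 {
 	securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,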
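--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -186,7 +186,7 @@ static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry)
  * Returns 0 on success, negative value otherwise.
  */
 static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry,
-			     int mode)
+			     umode_t mode)
 {
 	struct path path = { parent->mnt, dentry };
 	return tomoyo_path_number_perm(TOMOYO_TYPE_MKDIR, &path,
@@ -234,7 +234,7 @@ static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry,
  * Returns 0 on success, negative value otherwise.
  */
 static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry,
-			     int mode, unsigned int dev)
+			     umode_t mode, unsigned int dev)
 {
 	struct path path = { parent->mnt, dentry };
 	int type = TOMOYO_TYPE_CREATE;
@@ -353,17 +353,14 @@ static int tomoyo_file_ioctl(struct file *file, unsigned int cmd,
 /**
  * tomoyo_path_chmod - Target for security_path_chmod().
  *
- * @dentry: Pointer to "struct dentry".
- * @mnt: Pointer to "struct vfsmount".
- * @mode: DAC permission mode.
+ * @path: Pointer to "struct path".
+ * @mode: DAC permission mode.
  *
  * Returns 0 on success, negative value otherwise.
  */
-static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
-			     mode_t mode)
+static int tomoyo_path_chmod(struct path *path, umode_t mode)
 {
-	struct path path = { mnt, dentry };
-	return tomoyo_path_number_perm(TOMOYO_TYPE_CHMOD, &path,
+	return tomoyo_path_number_perm(TOMOYO_TYPE_CHMOD, path,
 				       mode & S_IALLUGO);
 }
 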