aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c58
-rw-r--r--security/selinux/hooks.c512
-rw-r--r--security/selinux/netif.c19
-rw-r--r--security/selinux/netlabel.c2
-rw-r--r--security/selinux/netlink.c20
-rw-r--r--security/selinux/netnode.c2
-rw-r--r--security/selinux/nlmsgtab.c5
-rw-r--r--security/selinux/selinuxfs.c128
-rw-r--r--security/selinux/ss/avtab.c48
-rw-r--r--security/selinux/ss/conditional.c74
-rw-r--r--security/selinux/ss/ebitmap.c5
-rw-r--r--security/selinux/ss/hashtab.c4
-rw-r--r--security/selinux/ss/mls.c27
-rw-r--r--security/selinux/ss/policydb.c148
-rw-r--r--security/selinux/ss/services.c178
-rw-r--r--security/selinux/ss/sidtab.c6
-rw-r--r--security/selinux/xfrm.c10
17 files changed, 609 insertions, 637 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index a4fc6e6d038a..1d69f6649bff 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -2,16 +2,16 @@
2 * Implementation of the kernel access vector cache (AVC). 2 * Implementation of the kernel access vector cache (AVC).
3 * 3 *
4 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 4 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
5 * James Morris <jmorris@redhat.com> 5 * James Morris <jmorris@redhat.com>
6 * 6 *
7 * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> 7 * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com>
8 * Replaced the avc_lock spinlock by RCU. 8 * Replaced the avc_lock spinlock by RCU.
9 * 9 *
10 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 10 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
11 * 11 *
12 * This program is free software; you can redistribute it and/or modify 12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2, 13 * it under the terms of the GNU General Public License version 2,
14 * as published by the Free Software Foundation. 14 * as published by the Free Software Foundation.
15 */ 15 */
16#include <linux/types.h> 16#include <linux/types.h>
17#include <linux/stddef.h> 17#include <linux/stddef.h>
@@ -44,7 +44,7 @@ static const char *class_to_string[] = {
44#undef S_ 44#undef S_
45}; 45};
46 46
47#define TB_(s) static const char * s [] = { 47#define TB_(s) static const char *s[] = {
48#define TE_(s) }; 48#define TE_(s) };
49#define S_(s) s, 49#define S_(s) s,
50#include "common_perm_to_string.h" 50#include "common_perm_to_string.h"
@@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = {
72#define AVC_CACHE_RECLAIM 16 72#define AVC_CACHE_RECLAIM 16
73 73
74#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 74#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
75#define avc_cache_stats_incr(field) \ 75#define avc_cache_stats_incr(field) \
76do { \ 76do { \
77 per_cpu(avc_cache_stats, get_cpu()).field++; \ 77 per_cpu(avc_cache_stats, get_cpu()).field++; \
78 put_cpu(); \ 78 put_cpu(); \
@@ -92,7 +92,7 @@ struct avc_entry {
92struct avc_node { 92struct avc_node {
93 struct avc_entry ae; 93 struct avc_entry ae;
94 struct list_head list; 94 struct list_head list;
95 struct rcu_head rhead; 95 struct rcu_head rhead;
96}; 96};
97 97
98struct avc_cache { 98struct avc_cache {
@@ -105,8 +105,8 @@ struct avc_cache {
105 105
106struct avc_callback_node { 106struct avc_callback_node {
107 int (*callback) (u32 event, u32 ssid, u32 tsid, 107 int (*callback) (u32 event, u32 ssid, u32 tsid,
108 u16 tclass, u32 perms, 108 u16 tclass, u32 perms,
109 u32 *out_retained); 109 u32 *out_retained);
110 u32 events; 110 u32 events;
111 u32 ssid; 111 u32 ssid;
112 u32 tsid; 112 u32 tsid;
@@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
202 char *scontext; 202 char *scontext;
203 u32 scontext_len; 203 u32 scontext_len;
204 204
205 rc = security_sid_to_context(ssid, &scontext, &scontext_len); 205 rc = security_sid_to_context(ssid, &scontext, &scontext_len);
206 if (rc) 206 if (rc)
207 audit_log_format(ab, "ssid=%d", ssid); 207 audit_log_format(ab, "ssid=%d", ssid);
208 else { 208 else {
@@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void)
306 int hvalue, try, ecx; 306 int hvalue, try, ecx;
307 unsigned long flags; 307 unsigned long flags;
308 308
309 for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++ ) { 309 for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
310 hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); 310 hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
311 311
312 if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) 312 if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags))
@@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
426 spin_lock_irqsave(&notif_lock, flag); 426 spin_lock_irqsave(&notif_lock, flag);
427 if (is_insert) { 427 if (is_insert) {
428 if (seqno < avc_cache.latest_notif) { 428 if (seqno < avc_cache.latest_notif) {
429 printk(KERN_WARNING "avc: seqno %d < latest_notif %d\n", 429 printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n",
430 seqno, avc_cache.latest_notif); 430 seqno, avc_cache.latest_notif);
431 ret = -EAGAIN; 431 ret = -EAGAIN;
432 } 432 }
@@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en
475 if (pos->ae.ssid == ssid && 475 if (pos->ae.ssid == ssid &&
476 pos->ae.tsid == tsid && 476 pos->ae.tsid == tsid &&
477 pos->ae.tclass == tclass) { 477 pos->ae.tclass == tclass) {
478 avc_node_replace(node, pos); 478 avc_node_replace(node, pos);
479 goto found; 479 goto found;
480 } 480 }
481 } 481 }
@@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
526 * before calling the auditing code. 526 * before calling the auditing code.
527 */ 527 */
528void avc_audit(u32 ssid, u32 tsid, 528void avc_audit(u32 ssid, u32 tsid,
529 u16 tclass, u32 requested, 529 u16 tclass, u32 requested,
530 struct av_decision *avd, int result, struct avc_audit_data *a) 530 struct av_decision *avd, int result, struct avc_audit_data *a)
531{ 531{
532 struct task_struct *tsk = current; 532 struct task_struct *tsk = current;
533 struct inode *inode = NULL; 533 struct inode *inode = NULL;
@@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid,
541 return; 541 return;
542 } else if (result) { 542 } else if (result) {
543 audited = denied = requested; 543 audited = denied = requested;
544 } else { 544 } else {
545 audited = requested; 545 audited = requested;
546 if (!(audited & avd->auditallow)) 546 if (!(audited & avd->auditallow))
547 return; 547 return;
@@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid,
551 if (!ab) 551 if (!ab)
552 return; /* audit_panic has been called */ 552 return; /* audit_panic has been called */
553 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); 553 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
554 avc_dump_av(ab, tclass,audited); 554 avc_dump_av(ab, tclass, audited);
555 audit_log_format(ab, " for "); 555 audit_log_format(ab, " for ");
556 if (a && a->tsk) 556 if (a && a->tsk)
557 tsk = a->tsk; 557 tsk = a->tsk;
@@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid,
647 break; 647 break;
648 } 648 }
649 } 649 }
650 650
651 switch (a->u.net.family) { 651 switch (a->u.net.family) {
652 case AF_INET: 652 case AF_INET:
653 avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, 653 avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
@@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid,
702 * -%ENOMEM if insufficient memory exists to add the callback. 702 * -%ENOMEM if insufficient memory exists to add the callback.
703 */ 703 */
704int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, 704int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
705 u16 tclass, u32 perms, 705 u16 tclass, u32 perms,
706 u32 *out_retained), 706 u32 *out_retained),
707 u32 events, u32 ssid, u32 tsid, 707 u32 events, u32 ssid, u32 tsid,
708 u16 tclass, u32 perms) 708 u16 tclass, u32 perms)
709{ 709{
710 struct avc_callback_node *c; 710 struct avc_callback_node *c;
711 int rc = 0; 711 int rc = 0;
@@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass)
759 hvalue = avc_hash(ssid, tsid, tclass); 759 hvalue = avc_hash(ssid, tsid, tclass);
760 spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); 760 spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag);
761 761
762 list_for_each_entry(pos, &avc_cache.slots[hvalue], list){ 762 list_for_each_entry(pos, &avc_cache.slots[hvalue], list) {
763 if ( ssid==pos->ae.ssid && 763 if (ssid == pos->ae.ssid &&
764 tsid==pos->ae.tsid && 764 tsid == pos->ae.tsid &&
765 tclass==pos->ae.tclass ){ 765 tclass == pos->ae.tclass){
766 orig = pos; 766 orig = pos;
767 break; 767 break;
768 } 768 }
@@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno)
829 for (c = avc_callbacks; c; c = c->next) { 829 for (c = avc_callbacks; c; c = c->next) {
830 if (c->events & AVC_CALLBACK_RESET) { 830 if (c->events & AVC_CALLBACK_RESET) {
831 tmprc = c->callback(AVC_CALLBACK_RESET, 831 tmprc = c->callback(AVC_CALLBACK_RESET,
832 0, 0, 0, 0, NULL); 832 0, 0, 0, 0, NULL);
833 /* save the first error encountered for the return 833 /* save the first error encountered for the return
834 value and continue processing the callbacks */ 834 value and continue processing the callbacks */
835 if (!rc) 835 if (!rc)
@@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
878 node = avc_lookup(ssid, tsid, tclass, requested); 878 node = avc_lookup(ssid, tsid, tclass, requested);
879 if (!node) { 879 if (!node) {
880 rcu_read_unlock(); 880 rcu_read_unlock();
881 rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd); 881 rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd);
882 if (rc) 882 if (rc)
883 goto out; 883 goto out;
884 rcu_read_lock(); 884 rcu_read_lock();
885 node = avc_insert(ssid,tsid,tclass,&entry); 885 node = avc_insert(ssid, tsid, tclass, &entry);
886 } 886 }
887 887
888 p_ae = node ? &node->ae : &entry; 888 p_ae = node ? &node->ae : &entry;
@@ -924,7 +924,7 @@ out:
924 * another -errno upon other errors. 924 * another -errno upon other errors.
925 */ 925 */
926int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, 926int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
927 u32 requested, struct avc_audit_data *auditdata) 927 u32 requested, struct avc_audit_data *auditdata)
928{ 928{
929 struct av_decision avd; 929 struct av_decision avd;
930 int rc; 930 int rc;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f9927f02bc3d..1bf2543ea942 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4,22 +4,22 @@
4 * This file contains the SELinux hook function implementations. 4 * This file contains the SELinux hook function implementations.
5 * 5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com> 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com> 9 * James Morris <jmorris@redhat.com>
10 * 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com> 14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com> 16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp> 18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
19 * 19 *
20 * This program is free software; you can redistribute it and/or modify 20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2, 21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation. 22 * as published by the Free Software Foundation.
23 */ 23 */
24 24
25#include <linux/init.h> 25#include <linux/init.h>
@@ -99,11 +99,11 @@ extern struct security_operations *security_ops;
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 100
101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102int selinux_enforcing = 0; 102int selinux_enforcing;
103 103
104static int __init enforcing_setup(char *str) 104static int __init enforcing_setup(char *str)
105{ 105{
106 selinux_enforcing = simple_strtol(str,NULL,0); 106 selinux_enforcing = simple_strtol(str, NULL, 0);
107 return 1; 107 return 1;
108} 108}
109__setup("enforcing=", enforcing_setup); 109__setup("enforcing=", enforcing_setup);
@@ -123,13 +123,13 @@ int selinux_enabled = 1;
123#endif 123#endif
124 124
125/* Original (dummy) security module. */ 125/* Original (dummy) security module. */
126static struct security_operations *original_ops = NULL; 126static struct security_operations *original_ops;
127 127
128/* Minimal support for a secondary security module, 128/* Minimal support for a secondary security module,
129 just to allow the use of the dummy or capability modules. 129 just to allow the use of the dummy or capability modules.
130 The owlsm module can alternatively be used as a secondary 130 The owlsm module can alternatively be used as a secondary
131 module as long as CONFIG_OWLSM_FD is not enabled. */ 131 module as long as CONFIG_OWLSM_FD is not enabled. */
132static struct security_operations *secondary_ops = NULL; 132static struct security_operations *secondary_ops;
133 133
134/* Lists of inode and superblock security structures initialized 134/* Lists of inode and superblock security structures initialized
135 before the policy was loaded. */ 135 before the policy was loaded. */
@@ -575,8 +575,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
575 goto out; 575 goto out;
576 } 576 }
577 rc = -EINVAL; 577 rc = -EINVAL;
578 printk(KERN_WARNING "Unable to set superblock options before " 578 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579 "the security server is initialized\n"); 579 "before the security server is initialized\n");
580 goto out; 580 goto out;
581 } 581 }
582 582
@@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de,
1054 int buflen, rc; 1054 int buflen, rc;
1055 char *buffer, *path, *end; 1055 char *buffer, *path, *end;
1056 1056
1057 buffer = (char*)__get_free_page(GFP_KERNEL); 1057 buffer = (char *)__get_free_page(GFP_KERNEL);
1058 if (!buffer) 1058 if (!buffer)
1059 return -ENOMEM; 1059 return -ENOMEM;
1060 1060
@@ -1135,7 +1135,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1135 dentry = d_find_alias(inode); 1135 dentry = d_find_alias(inode);
1136 } 1136 }
1137 if (!dentry) { 1137 if (!dentry) {
1138 printk(KERN_WARNING "%s: no dentry for dev=%s " 1138 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1139 "ino=%ld\n", __func__, inode->i_sb->s_id, 1139 "ino=%ld\n", __func__, inode->i_sb->s_id,
1140 inode->i_ino); 1140 inode->i_ino);
1141 goto out_unlock; 1141 goto out_unlock;
@@ -1173,7 +1173,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1173 dput(dentry); 1173 dput(dentry);
1174 if (rc < 0) { 1174 if (rc < 0) {
1175 if (rc != -ENODATA) { 1175 if (rc != -ENODATA) {
1176 printk(KERN_WARNING "%s: getxattr returned " 1176 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1177 "%d for dev=%s ino=%ld\n", __func__, 1177 "%d for dev=%s ino=%ld\n", __func__,
1178 -rc, inode->i_sb->s_id, inode->i_ino); 1178 -rc, inode->i_sb->s_id, inode->i_ino);
1179 kfree(context); 1179 kfree(context);
@@ -1187,7 +1187,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1187 sbsec->def_sid, 1187 sbsec->def_sid,
1188 GFP_NOFS); 1188 GFP_NOFS);
1189 if (rc) { 1189 if (rc) {
1190 printk(KERN_WARNING "%s: context_to_sid(%s) " 1190 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n", 1191 "returned %d for dev=%s ino=%ld\n",
1192 __func__, context, -rc, 1192 __func__, context, -rc,
1193 inode->i_sb->s_id, inode->i_ino); 1193 inode->i_sb->s_id, inode->i_ino);
@@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk,
1305 1305
1306 tsec = tsk->security; 1306 tsec = tsk->security;
1307 1307
1308 AVC_AUDIT_DATA_INIT(&ad,CAP); 1308 AVC_AUDIT_DATA_INIT(&ad, CAP);
1309 ad.tsk = tsk; 1309 ad.tsk = tsk;
1310 ad.u.cap = cap; 1310 ad.u.cap = cap;
1311 1311
@@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk,
1348 struct inode_security_struct *isec; 1348 struct inode_security_struct *isec;
1349 struct avc_audit_data ad; 1349 struct avc_audit_data ad;
1350 1350
1351 if (unlikely (IS_PRIVATE (inode))) 1351 if (unlikely(IS_PRIVATE(inode)))
1352 return 0; 1352 return 0;
1353 1353
1354 tsec = tsk->security; 1354 tsec = tsk->security;
@@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk,
1373{ 1373{
1374 struct inode *inode = dentry->d_inode; 1374 struct inode *inode = dentry->d_inode;
1375 struct avc_audit_data ad; 1375 struct avc_audit_data ad;
1376 AVC_AUDIT_DATA_INIT(&ad,FS); 1376 AVC_AUDIT_DATA_INIT(&ad, FS);
1377 ad.u.fs.path.mnt = mnt; 1377 ad.u.fs.path.mnt = mnt;
1378 ad.u.fs.path.dentry = dentry; 1378 ad.u.fs.path.dentry = dentry;
1379 return inode_has_perm(tsk, inode, av, &ad); 1379 return inode_has_perm(tsk, inode, av, &ad);
@@ -1470,9 +1470,9 @@ static int may_create_key(u32 ksid,
1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471} 1471}
1472 1472
1473#define MAY_LINK 0 1473#define MAY_LINK 0
1474#define MAY_UNLINK 1 1474#define MAY_UNLINK 1
1475#define MAY_RMDIR 2 1475#define MAY_RMDIR 2
1476 1476
1477/* Check whether a task can link, unlink, or rmdir a file/directory. */ 1477/* Check whether a task can link, unlink, or rmdir a file/directory. */
1478static int may_link(struct inode *dir, 1478static int may_link(struct inode *dir,
@@ -1510,7 +1510,8 @@ static int may_link(struct inode *dir,
1510 av = DIR__RMDIR; 1510 av = DIR__RMDIR;
1511 break; 1511 break;
1512 default: 1512 default:
1513 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1513 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1514 __func__, kind);
1514 return 0; 1515 return 0;
1515 } 1516 }
1516 1517
@@ -1640,8 +1641,8 @@ static inline u32 open_file_mask_to_av(int mode, int mask)
1640 else if (S_ISDIR(mode)) 1641 else if (S_ISDIR(mode))
1641 av |= DIR__OPEN; 1642 av |= DIR__OPEN;
1642 else 1643 else
1643 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av " 1644 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1644 "with unknown mode:%x\n", mode); 1645 "unknown mode:%x\n", __func__, mode);
1645 } 1646 }
1646 return av; 1647 return av;
1647} 1648}
@@ -1675,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1675{ 1676{
1676 int rc; 1677 int rc;
1677 1678
1678 rc = secondary_ops->ptrace(parent,child); 1679 rc = secondary_ops->ptrace(parent, child);
1679 if (rc) 1680 if (rc)
1680 return rc; 1681 return rc;
1681 1682
@@ -1683,7 +1684,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1683} 1684}
1684 1685
1685static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1686static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1686 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1687 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1687{ 1688{
1688 int error; 1689 int error;
1689 1690
@@ -1695,7 +1696,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1695} 1696}
1696 1697
1697static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1698static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1698 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1699 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1699{ 1700{
1700 int error; 1701 int error;
1701 1702
@@ -1707,7 +1708,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect
1707} 1708}
1708 1709
1709static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1710static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1710 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1711 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1711{ 1712{
1712 secondary_ops->capset_set(target, effective, inheritable, permitted); 1713 secondary_ops->capset_set(target, effective, inheritable, permitted);
1713} 1714}
@@ -1720,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap)
1720 if (rc) 1721 if (rc)
1721 return rc; 1722 return rc;
1722 1723
1723 return task_has_capability(tsk,cap); 1724 return task_has_capability(tsk, cap);
1724} 1725}
1725 1726
1726static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1727static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -1729,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1729 char *buffer, *path, *end; 1730 char *buffer, *path, *end;
1730 1731
1731 rc = -ENOMEM; 1732 rc = -ENOMEM;
1732 buffer = (char*)__get_free_page(GFP_KERNEL); 1733 buffer = (char *)__get_free_page(GFP_KERNEL);
1733 if (!buffer) 1734 if (!buffer)
1734 goto out; 1735 goto out;
1735 1736
@@ -1787,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1787 1788
1788 /* The op values are "defined" in sysctl.c, thereby creating 1789 /* The op values are "defined" in sysctl.c, thereby creating
1789 * a bad coupling between this module and sysctl.c */ 1790 * a bad coupling between this module and sysctl.c */
1790 if(op == 001) { 1791 if (op == 001) {
1791 error = avc_has_perm(tsec->sid, tsid, 1792 error = avc_has_perm(tsec->sid, tsid,
1792 SECCLASS_DIR, DIR__SEARCH, NULL); 1793 SECCLASS_DIR, DIR__SEARCH, NULL);
1793 } else { 1794 } else {
@@ -1799,7 +1800,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1799 if (av) 1800 if (av)
1800 error = avc_has_perm(tsec->sid, tsid, 1801 error = avc_has_perm(tsec->sid, tsid,
1801 SECCLASS_FILE, av, NULL); 1802 SECCLASS_FILE, av, NULL);
1802 } 1803 }
1803 1804
1804 return error; 1805 return error;
1805} 1806}
@@ -1812,25 +1813,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1812 return 0; 1813 return 0;
1813 1814
1814 switch (cmds) { 1815 switch (cmds) {
1815 case Q_SYNC: 1816 case Q_SYNC:
1816 case Q_QUOTAON: 1817 case Q_QUOTAON:
1817 case Q_QUOTAOFF: 1818 case Q_QUOTAOFF:
1818 case Q_SETINFO: 1819 case Q_SETINFO:
1819 case Q_SETQUOTA: 1820 case Q_SETQUOTA:
1820 rc = superblock_has_perm(current, 1821 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1821 sb, 1822 NULL);
1822 FILESYSTEM__QUOTAMOD, NULL); 1823 break;
1823 break; 1824 case Q_GETFMT:
1824 case Q_GETFMT: 1825 case Q_GETINFO:
1825 case Q_GETINFO: 1826 case Q_GETQUOTA:
1826 case Q_GETQUOTA: 1827 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1827 rc = superblock_has_perm(current, 1828 NULL);
1828 sb, 1829 break;
1829 FILESYSTEM__QUOTAGET, NULL); 1830 default:
1830 break; 1831 rc = 0; /* let the kernel handle invalid cmds */
1831 default: 1832 break;
1832 rc = 0; /* let the kernel handle invalid cmds */
1833 break;
1834 } 1833 }
1835 return rc; 1834 return rc;
1836} 1835}
@@ -1849,23 +1848,23 @@ static int selinux_syslog(int type)
1849 return rc; 1848 return rc;
1850 1849
1851 switch (type) { 1850 switch (type) {
1852 case 3: /* Read last kernel messages */ 1851 case 3: /* Read last kernel messages */
1853 case 10: /* Return size of the log buffer */ 1852 case 10: /* Return size of the log buffer */
1854 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1853 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1855 break; 1854 break;
1856 case 6: /* Disable logging to console */ 1855 case 6: /* Disable logging to console */
1857 case 7: /* Enable logging to console */ 1856 case 7: /* Enable logging to console */
1858 case 8: /* Set level of messages printed to console */ 1857 case 8: /* Set level of messages printed to console */
1859 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1858 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1860 break; 1859 break;
1861 case 0: /* Close log */ 1860 case 0: /* Close log */
1862 case 1: /* Open log */ 1861 case 1: /* Open log */
1863 case 2: /* Read from log */ 1862 case 2: /* Read from log */
1864 case 4: /* Read/clear last kernel messages */ 1863 case 4: /* Read/clear last kernel messages */
1865 case 5: /* Clear ring buffer */ 1864 case 5: /* Clear ring buffer */
1866 default: 1865 default:
1867 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1866 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1868 break; 1867 break;
1869 } 1868 }
1870 return rc; 1869 return rc;
1871} 1870}
@@ -1971,7 +1970,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
1971 } else { 1970 } else {
1972 /* Check for a default transition on this program. */ 1971 /* Check for a default transition on this program. */
1973 rc = security_transition_sid(tsec->sid, isec->sid, 1972 rc = security_transition_sid(tsec->sid, isec->sid,
1974 SECCLASS_PROCESS, &newsid); 1973 SECCLASS_PROCESS, &newsid);
1975 if (rc) 1974 if (rc)
1976 return rc; 1975 return rc;
1977 } 1976 }
@@ -1982,7 +1981,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
1982 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 1981 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1983 newsid = tsec->sid; 1982 newsid = tsec->sid;
1984 1983
1985 if (tsec->sid == newsid) { 1984 if (tsec->sid == newsid) {
1986 rc = avc_has_perm(tsec->sid, isec->sid, 1985 rc = avc_has_perm(tsec->sid, isec->sid,
1987 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1986 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1988 if (rc) 1987 if (rc)
@@ -2010,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
2010 return 0; 2009 return 0;
2011} 2010}
2012 2011
2013static int selinux_bprm_check_security (struct linux_binprm *bprm) 2012static int selinux_bprm_check_security(struct linux_binprm *bprm)
2014{ 2013{
2015 return secondary_ops->bprm_check_security(bprm); 2014 return secondary_ops->bprm_check_security(bprm);
2016} 2015}
2017 2016
2018 2017
2019static int selinux_bprm_secureexec (struct linux_binprm *bprm) 2018static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2020{ 2019{
2021 struct task_security_struct *tsec = current->security; 2020 struct task_security_struct *tsec = current->security;
2022 int atsecure = 0; 2021 int atsecure = 0;
@@ -2043,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount;
2043extern struct dentry *selinux_null; 2042extern struct dentry *selinux_null;
2044 2043
2045/* Derived from fs/exec.c:flush_old_files. */ 2044/* Derived from fs/exec.c:flush_old_files. */
2046static inline void flush_unauthorized_files(struct files_struct * files) 2045static inline void flush_unauthorized_files(struct files_struct *files)
2047{ 2046{
2048 struct avc_audit_data ad; 2047 struct avc_audit_data ad;
2049 struct file *file, *devnull = NULL; 2048 struct file *file, *devnull = NULL;
@@ -2078,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
2078 2077
2079 /* Revalidate access to inherited open files. */ 2078 /* Revalidate access to inherited open files. */
2080 2079
2081 AVC_AUDIT_DATA_INIT(&ad,FS); 2080 AVC_AUDIT_DATA_INIT(&ad, FS);
2082 2081
2083 spin_lock(&files->file_lock); 2082 spin_lock(&files->file_lock);
2084 for (;;) { 2083 for (;;) {
@@ -2094,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
2094 if (!set) 2093 if (!set)
2095 continue; 2094 continue;
2096 spin_unlock(&files->file_lock); 2095 spin_unlock(&files->file_lock);
2097 for ( ; set ; i++,set >>= 1) { 2096 for ( ; set ; i++, set >>= 1) {
2098 if (set & 1) { 2097 if (set & 1) {
2099 file = fget(i); 2098 file = fget(i);
2100 if (!file) 2099 if (!file)
@@ -2251,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2251 for (i = 0; i < RLIM_NLIMITS; i++) { 2250 for (i = 0; i < RLIM_NLIMITS; i++) {
2252 rlim = current->signal->rlim + i; 2251 rlim = current->signal->rlim + i;
2253 initrlim = init_task.signal->rlim+i; 2252 initrlim = init_task.signal->rlim+i;
2254 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 2253 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2255 } 2254 }
2256 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 2255 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2257 /* 2256 /*
@@ -2306,16 +2305,15 @@ static inline void take_option(char **to, char *from, int *first, int len)
2306 *to += len; 2305 *to += len;
2307} 2306}
2308 2307
2309static inline void take_selinux_option(char **to, char *from, int *first, 2308static inline void take_selinux_option(char **to, char *from, int *first,
2310 int len) 2309 int len)
2311{ 2310{
2312 int current_size = 0; 2311 int current_size = 0;
2313 2312
2314 if (!*first) { 2313 if (!*first) {
2315 **to = '|'; 2314 **to = '|';
2316 *to += 1; 2315 *to += 1;
2317 } 2316 } else
2318 else
2319 *first = 0; 2317 *first = 0;
2320 2318
2321 while (current_size < len) { 2319 while (current_size < len) {
@@ -2379,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2379 if (rc) 2377 if (rc)
2380 return rc; 2378 return rc;
2381 2379
2382 AVC_AUDIT_DATA_INIT(&ad,FS); 2380 AVC_AUDIT_DATA_INIT(&ad, FS);
2383 ad.u.fs.path.dentry = sb->s_root; 2381 ad.u.fs.path.dentry = sb->s_root;
2384 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2382 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2385} 2383}
@@ -2388,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry)
2388{ 2386{
2389 struct avc_audit_data ad; 2387 struct avc_audit_data ad;
2390 2388
2391 AVC_AUDIT_DATA_INIT(&ad,FS); 2389 AVC_AUDIT_DATA_INIT(&ad, FS);
2392 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2390 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2393 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2391 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2394} 2392}
2395 2393
2396static int selinux_mount(char * dev_name, 2394static int selinux_mount(char *dev_name,
2397 struct nameidata *nd, 2395 struct nameidata *nd,
2398 char * type, 2396 char *type,
2399 unsigned long flags, 2397 unsigned long flags,
2400 void * data) 2398 void *data)
2401{ 2399{
2402 int rc; 2400 int rc;
2403 2401
@@ -2407,10 +2405,10 @@ static int selinux_mount(char * dev_name,
2407 2405
2408 if (flags & MS_REMOUNT) 2406 if (flags & MS_REMOUNT)
2409 return superblock_has_perm(current, nd->path.mnt->mnt_sb, 2407 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2410 FILESYSTEM__REMOUNT, NULL); 2408 FILESYSTEM__REMOUNT, NULL);
2411 else 2409 else
2412 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, 2410 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2413 FILE__MOUNTON); 2411 FILE__MOUNTON);
2414} 2412}
2415 2413
2416static int selinux_umount(struct vfsmount *mnt, int flags) 2414static int selinux_umount(struct vfsmount *mnt, int flags)
@@ -2421,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags)
2421 if (rc) 2419 if (rc)
2422 return rc; 2420 return rc;
2423 2421
2424 return superblock_has_perm(current,mnt->mnt_sb, 2422 return superblock_has_perm(current, mnt->mnt_sb,
2425 FILESYSTEM__UNMOUNT,NULL); 2423 FILESYSTEM__UNMOUNT, NULL);
2426} 2424}
2427 2425
2428/* inode security operations */ 2426/* inode security operations */
@@ -2508,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru
2508{ 2506{
2509 int rc; 2507 int rc;
2510 2508
2511 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2509 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2512 if (rc) 2510 if (rc)
2513 return rc; 2511 return rc;
2514 return may_link(dir, old_dentry, MAY_LINK); 2512 return may_link(dir, old_dentry, MAY_LINK);
@@ -2551,7 +2549,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
2551} 2549}
2552 2550
2553static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2551static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2554 struct inode *new_inode, struct dentry *new_dentry) 2552 struct inode *new_inode, struct dentry *new_dentry)
2555{ 2553{
2556 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2554 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2557} 2555}
@@ -2565,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
2565{ 2563{
2566 int rc; 2564 int rc;
2567 2565
2568 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2566 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2569 if (rc) 2567 if (rc)
2570 return rc; 2568 return rc;
2571 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2569 return dentry_has_perm(current, NULL, dentry, FILE__READ);
@@ -2651,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2651 if (!is_owner_or_cap(inode)) 2649 if (!is_owner_or_cap(inode))
2652 return -EPERM; 2650 return -EPERM;
2653 2651
2654 AVC_AUDIT_DATA_INIT(&ad,FS); 2652 AVC_AUDIT_DATA_INIT(&ad, FS);
2655 ad.u.fs.path.dentry = dentry; 2653 ad.u.fs.path.dentry = dentry;
2656 2654
2657 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2655 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
@@ -2669,7 +2667,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2669 return rc; 2667 return rc;
2670 2668
2671 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2669 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2672 isec->sclass); 2670 isec->sclass);
2673 if (rc) 2671 if (rc)
2674 return rc; 2672 return rc;
2675 2673
@@ -2681,7 +2679,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2681} 2679}
2682 2680
2683static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2681static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2684 void *value, size_t size, int flags) 2682 void *value, size_t size, int flags)
2685{ 2683{
2686 struct inode *inode = dentry->d_inode; 2684 struct inode *inode = dentry->d_inode;
2687 struct inode_security_struct *isec = inode->i_security; 2685 struct inode_security_struct *isec = inode->i_security;
@@ -2704,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2704 return; 2702 return;
2705} 2703}
2706 2704
2707static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2705static int selinux_inode_getxattr(struct dentry *dentry, char *name)
2708{ 2706{
2709 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2707 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2710} 2708}
2711 2709
2712static int selinux_inode_listxattr (struct dentry *dentry) 2710static int selinux_inode_listxattr(struct dentry *dentry)
2713{ 2711{
2714 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2712 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2715} 2713}
2716 2714
2717static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2715static int selinux_inode_removexattr(struct dentry *dentry, char *name)
2718{ 2716{
2719 if (strcmp(name, XATTR_NAME_SELINUX)) 2717 if (strcmp(name, XATTR_NAME_SELINUX))
2720 return selinux_inode_setotherxattr(dentry, name); 2718 return selinux_inode_setotherxattr(dentry, name);
@@ -2755,7 +2753,7 @@ out_nofree:
2755} 2753}
2756 2754
2757static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2755static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2758 const void *value, size_t size, int flags) 2756 const void *value, size_t size, int flags)
2759{ 2757{
2760 struct inode_security_struct *isec = inode->i_security; 2758 struct inode_security_struct *isec = inode->i_security;
2761 u32 newsid; 2759 u32 newsid;
@@ -2767,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2767 if (!value || !size) 2765 if (!value || !size)
2768 return -EACCES; 2766 return -EACCES;
2769 2767
2770 rc = security_context_to_sid((void*)value, size, &newsid); 2768 rc = security_context_to_sid((void *)value, size, &newsid);
2771 if (rc) 2769 if (rc)
2772 return rc; 2770 return rc;
2773 2771
@@ -2858,42 +2856,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2858 int error = 0; 2856 int error = 0;
2859 2857
2860 switch (cmd) { 2858 switch (cmd) {
2861 case FIONREAD: 2859 case FIONREAD:
2862 /* fall through */ 2860 /* fall through */
2863 case FIBMAP: 2861 case FIBMAP:
2864 /* fall through */ 2862 /* fall through */
2865 case FIGETBSZ: 2863 case FIGETBSZ:
2866 /* fall through */ 2864 /* fall through */
2867 case EXT2_IOC_GETFLAGS: 2865 case EXT2_IOC_GETFLAGS:
2868 /* fall through */ 2866 /* fall through */
2869 case EXT2_IOC_GETVERSION: 2867 case EXT2_IOC_GETVERSION:
2870 error = file_has_perm(current, file, FILE__GETATTR); 2868 error = file_has_perm(current, file, FILE__GETATTR);
2871 break; 2869 break;
2872
2873 case EXT2_IOC_SETFLAGS:
2874 /* fall through */
2875 case EXT2_IOC_SETVERSION:
2876 error = file_has_perm(current, file, FILE__SETATTR);
2877 break;
2878 2870
2879 /* sys_ioctl() checks */ 2871 case EXT2_IOC_SETFLAGS:
2880 case FIONBIO: 2872 /* fall through */
2881 /* fall through */ 2873 case EXT2_IOC_SETVERSION:
2882 case FIOASYNC: 2874 error = file_has_perm(current, file, FILE__SETATTR);
2883 error = file_has_perm(current, file, 0); 2875 break;
2884 break;
2885 2876
2886 case KDSKBENT: 2877 /* sys_ioctl() checks */
2887 case KDSKBSENT: 2878 case FIONBIO:
2888 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2879 /* fall through */
2889 break; 2880 case FIOASYNC:
2881 error = file_has_perm(current, file, 0);
2882 break;
2890 2883
2891 /* default case assumes that the command will go 2884 case KDSKBENT:
2892 * to the file's ioctl() function. 2885 case KDSKBSENT:
2893 */ 2886 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2894 default: 2887 break;
2895 error = file_has_perm(current, file, FILE__IOCTL);
2896 2888
2889 /* default case assumes that the command will go
2890 * to the file's ioctl() function.
2891 */
2892 default:
2893 error = file_has_perm(current, file, FILE__IOCTL);
2897 } 2894 }
2898 return error; 2895 return error;
2899} 2896}
@@ -2934,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2934 unsigned long addr, unsigned long addr_only) 2931 unsigned long addr, unsigned long addr_only)
2935{ 2932{
2936 int rc = 0; 2933 int rc = 0;
2937 u32 sid = ((struct task_security_struct*)(current->security))->sid; 2934 u32 sid = ((struct task_security_struct *)(current->security))->sid;
2938 2935
2939 if (addr < mmap_min_addr) 2936 if (addr < mmap_min_addr)
2940 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 2937 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
@@ -3003,39 +3000,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3003 int err = 0; 3000 int err = 0;
3004 3001
3005 switch (cmd) { 3002 switch (cmd) {
3006 case F_SETFL: 3003 case F_SETFL:
3007 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3004 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3008 err = -EINVAL; 3005 err = -EINVAL;
3009 break; 3006 break;
3010 } 3007 }
3011 3008
3012 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3009 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3013 err = file_has_perm(current, file,FILE__WRITE); 3010 err = file_has_perm(current, file, FILE__WRITE);
3014 break;
3015 }
3016 /* fall through */
3017 case F_SETOWN:
3018 case F_SETSIG:
3019 case F_GETFL:
3020 case F_GETOWN:
3021 case F_GETSIG:
3022 /* Just check FD__USE permission */
3023 err = file_has_perm(current, file, 0);
3024 break; 3011 break;
3025 case F_GETLK: 3012 }
3026 case F_SETLK: 3013 /* fall through */
3027 case F_SETLKW: 3014 case F_SETOWN:
3015 case F_SETSIG:
3016 case F_GETFL:
3017 case F_GETOWN:
3018 case F_GETSIG:
3019 /* Just check FD__USE permission */
3020 err = file_has_perm(current, file, 0);
3021 break;
3022 case F_GETLK:
3023 case F_SETLK:
3024 case F_SETLKW:
3028#if BITS_PER_LONG == 32 3025#if BITS_PER_LONG == 32
3029 case F_GETLK64: 3026 case F_GETLK64:
3030 case F_SETLK64: 3027 case F_SETLK64:
3031 case F_SETLKW64: 3028 case F_SETLKW64:
3032#endif 3029#endif
3033 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3030 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3034 err = -EINVAL; 3031 err = -EINVAL;
3035 break;
3036 }
3037 err = file_has_perm(current, file, FILE__LOCK);
3038 break; 3032 break;
3033 }
3034 err = file_has_perm(current, file, FILE__LOCK);
3035 break;
3039 } 3036 }
3040 3037
3041 return err; 3038 return err;
@@ -3056,13 +3053,13 @@ static int selinux_file_set_fowner(struct file *file)
3056static int selinux_file_send_sigiotask(struct task_struct *tsk, 3053static int selinux_file_send_sigiotask(struct task_struct *tsk,
3057 struct fown_struct *fown, int signum) 3054 struct fown_struct *fown, int signum)
3058{ 3055{
3059 struct file *file; 3056 struct file *file;
3060 u32 perm; 3057 u32 perm;
3061 struct task_security_struct *tsec; 3058 struct task_security_struct *tsec;
3062 struct file_security_struct *fsec; 3059 struct file_security_struct *fsec;
3063 3060
3064 /* struct fown_struct is never outside the context of a struct file */ 3061 /* struct fown_struct is never outside the context of a struct file */
3065 file = container_of(fown, struct file, f_owner); 3062 file = container_of(fown, struct file, f_owner);
3066 3063
3067 tsec = tsk->security; 3064 tsec = tsk->security;
3068 fsec = file->f_security; 3065 fsec = file->f_security;
@@ -3164,7 +3161,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3164 3161
3165static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3162static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3166{ 3163{
3167 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 3164 return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3168} 3165}
3169 3166
3170static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3167static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
@@ -3208,7 +3205,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
3208 if (rc) 3205 if (rc)
3209 return rc; 3206 return rc;
3210 3207
3211 return task_has_perm(current,p, PROCESS__SETSCHED); 3208 return task_has_perm(current, p, PROCESS__SETSCHED);
3212} 3209}
3213 3210
3214static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3211static int selinux_task_setioprio(struct task_struct *p, int ioprio)
@@ -3312,7 +3309,7 @@ static int selinux_task_wait(struct task_struct *p)
3312 3309
3313static void selinux_task_reparent_to_init(struct task_struct *p) 3310static void selinux_task_reparent_to_init(struct task_struct *p)
3314{ 3311{
3315 struct task_security_struct *tsec; 3312 struct task_security_struct *tsec;
3316 3313
3317 secondary_ops->task_reparent_to_init(p); 3314 secondary_ops->task_reparent_to_init(p);
3318 3315
@@ -3357,11 +3354,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3357 *proto = ih->protocol; 3354 *proto = ih->protocol;
3358 3355
3359 switch (ih->protocol) { 3356 switch (ih->protocol) {
3360 case IPPROTO_TCP: { 3357 case IPPROTO_TCP: {
3361 struct tcphdr _tcph, *th; 3358 struct tcphdr _tcph, *th;
3362 3359
3363 if (ntohs(ih->frag_off) & IP_OFFSET) 3360 if (ntohs(ih->frag_off) & IP_OFFSET)
3364 break; 3361 break;
3365 3362
3366 offset += ihlen; 3363 offset += ihlen;
3367 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3364 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
@@ -3371,23 +3368,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3371 ad->u.net.sport = th->source; 3368 ad->u.net.sport = th->source;
3372 ad->u.net.dport = th->dest; 3369 ad->u.net.dport = th->dest;
3373 break; 3370 break;
3374 } 3371 }
3375 3372
3376 case IPPROTO_UDP: { 3373 case IPPROTO_UDP: {
3377 struct udphdr _udph, *uh; 3374 struct udphdr _udph, *uh;
3378 3375
3379 if (ntohs(ih->frag_off) & IP_OFFSET) 3376 if (ntohs(ih->frag_off) & IP_OFFSET)
3380 break; 3377 break;
3381 3378
3382 offset += ihlen; 3379 offset += ihlen;
3383 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3380 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3384 if (uh == NULL) 3381 if (uh == NULL)
3385 break; 3382 break;
3386 3383
3387 ad->u.net.sport = uh->source; 3384 ad->u.net.sport = uh->source;
3388 ad->u.net.dport = uh->dest; 3385 ad->u.net.dport = uh->dest;
3389 break; 3386 break;
3390 } 3387 }
3391 3388
3392 case IPPROTO_DCCP: { 3389 case IPPROTO_DCCP: {
3393 struct dccp_hdr _dccph, *dh; 3390 struct dccp_hdr _dccph, *dh;
@@ -3403,11 +3400,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3403 ad->u.net.sport = dh->dccph_sport; 3400 ad->u.net.sport = dh->dccph_sport;
3404 ad->u.net.dport = dh->dccph_dport; 3401 ad->u.net.dport = dh->dccph_dport;
3405 break; 3402 break;
3406 } 3403 }
3407 3404
3408 default: 3405 default:
3409 break; 3406 break;
3410 } 3407 }
3411out: 3408out:
3412 return ret; 3409 return ret;
3413} 3410}
@@ -3442,7 +3439,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3442 3439
3443 switch (nexthdr) { 3440 switch (nexthdr) {
3444 case IPPROTO_TCP: { 3441 case IPPROTO_TCP: {
3445 struct tcphdr _tcph, *th; 3442 struct tcphdr _tcph, *th;
3446 3443
3447 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3444 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3448 if (th == NULL) 3445 if (th == NULL)
@@ -3475,7 +3472,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3475 ad->u.net.sport = dh->dccph_sport; 3472 ad->u.net.sport = dh->dccph_sport;
3476 ad->u.net.dport = dh->dccph_dport; 3473 ad->u.net.dport = dh->dccph_dport;
3477 break; 3474 break;
3478 } 3475 }
3479 3476
3480 /* includes fragments */ 3477 /* includes fragments */
3481 default: 3478 default:
@@ -3573,7 +3570,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3573 if (isec->sid == SECINITSID_KERNEL) 3570 if (isec->sid == SECINITSID_KERNEL)
3574 goto out; 3571 goto out;
3575 3572
3576 AVC_AUDIT_DATA_INIT(&ad,NET); 3573 AVC_AUDIT_DATA_INIT(&ad, NET);
3577 ad.u.net.sk = sock->sk; 3574 ad.u.net.sk = sock->sk;
3578 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3575 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3579 3576
@@ -3683,7 +3680,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3683 snum, &sid); 3680 snum, &sid);
3684 if (err) 3681 if (err)
3685 goto out; 3682 goto out;
3686 AVC_AUDIT_DATA_INIT(&ad,NET); 3683 AVC_AUDIT_DATA_INIT(&ad, NET);
3687 ad.u.net.sport = htons(snum); 3684 ad.u.net.sport = htons(snum);
3688 ad.u.net.family = family; 3685 ad.u.net.family = family;
3689 err = avc_has_perm(isec->sid, sid, 3686 err = avc_has_perm(isec->sid, sid,
@@ -3693,12 +3690,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3693 goto out; 3690 goto out;
3694 } 3691 }
3695 } 3692 }
3696 3693
3697 switch(isec->sclass) { 3694 switch (isec->sclass) {
3698 case SECCLASS_TCP_SOCKET: 3695 case SECCLASS_TCP_SOCKET:
3699 node_perm = TCP_SOCKET__NODE_BIND; 3696 node_perm = TCP_SOCKET__NODE_BIND;
3700 break; 3697 break;
3701 3698
3702 case SECCLASS_UDP_SOCKET: 3699 case SECCLASS_UDP_SOCKET:
3703 node_perm = UDP_SOCKET__NODE_BIND; 3700 node_perm = UDP_SOCKET__NODE_BIND;
3704 break; 3701 break;
@@ -3711,12 +3708,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3711 node_perm = RAWIP_SOCKET__NODE_BIND; 3708 node_perm = RAWIP_SOCKET__NODE_BIND;
3712 break; 3709 break;
3713 } 3710 }
3714 3711
3715 err = sel_netnode_sid(addrp, family, &sid); 3712 err = sel_netnode_sid(addrp, family, &sid);
3716 if (err) 3713 if (err)
3717 goto out; 3714 goto out;
3718 3715
3719 AVC_AUDIT_DATA_INIT(&ad,NET); 3716 AVC_AUDIT_DATA_INIT(&ad, NET);
3720 ad.u.net.sport = htons(snum); 3717 ad.u.net.sport = htons(snum);
3721 ad.u.net.family = family; 3718 ad.u.net.family = family;
3722 3719
@@ -3726,7 +3723,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3726 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3723 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3727 3724
3728 err = avc_has_perm(isec->sid, sid, 3725 err = avc_has_perm(isec->sid, sid,
3729 isec->sclass, node_perm, &ad); 3726 isec->sclass, node_perm, &ad);
3730 if (err) 3727 if (err)
3731 goto out; 3728 goto out;
3732 } 3729 }
@@ -3775,7 +3772,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3775 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3772 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3776 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3773 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3777 3774
3778 AVC_AUDIT_DATA_INIT(&ad,NET); 3775 AVC_AUDIT_DATA_INIT(&ad, NET);
3779 ad.u.net.dport = htons(snum); 3776 ad.u.net.dport = htons(snum);
3780 ad.u.net.family = sk->sk_family; 3777 ad.u.net.family = sk->sk_family;
3781 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3778 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
@@ -3813,7 +3810,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3813} 3810}
3814 3811
3815static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3812static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3816 int size) 3813 int size)
3817{ 3814{
3818 int rc; 3815 int rc;
3819 3816
@@ -3840,7 +3837,7 @@ static int selinux_socket_getpeername(struct socket *sock)
3840 return socket_has_perm(current, sock, SOCKET__GETATTR); 3837 return socket_has_perm(current, sock, SOCKET__GETATTR);
3841} 3838}
3842 3839
3843static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3840static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3844{ 3841{
3845 int err; 3842 int err;
3846 3843
@@ -3879,7 +3876,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
3879 isec = SOCK_INODE(sock)->i_security; 3876 isec = SOCK_INODE(sock)->i_security;
3880 other_isec = SOCK_INODE(other)->i_security; 3877 other_isec = SOCK_INODE(other)->i_security;
3881 3878
3882 AVC_AUDIT_DATA_INIT(&ad,NET); 3879 AVC_AUDIT_DATA_INIT(&ad, NET);
3883 ad.u.net.sk = other->sk; 3880 ad.u.net.sk = other->sk;
3884 3881
3885 err = avc_has_perm(isec->sid, other_isec->sid, 3882 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -3891,7 +3888,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
3891 /* connecting socket */ 3888 /* connecting socket */
3892 ssec = sock->sk->sk_security; 3889 ssec = sock->sk->sk_security;
3893 ssec->peer_sid = other_isec->sid; 3890 ssec->peer_sid = other_isec->sid;
3894 3891
3895 /* server child socket */ 3892 /* server child socket */
3896 ssec = newsk->sk_security; 3893 ssec = newsk->sk_security;
3897 ssec->peer_sid = isec->sid; 3894 ssec->peer_sid = isec->sid;
@@ -3911,7 +3908,7 @@ static int selinux_socket_unix_may_send(struct socket *sock,
3911 isec = SOCK_INODE(sock)->i_security; 3908 isec = SOCK_INODE(sock)->i_security;
3912 other_isec = SOCK_INODE(other)->i_security; 3909 other_isec = SOCK_INODE(other)->i_security;
3913 3910
3914 AVC_AUDIT_DATA_INIT(&ad,NET); 3911 AVC_AUDIT_DATA_INIT(&ad, NET);
3915 ad.u.net.sk = other->sk; 3912 ad.u.net.sk = other->sk;
3916 3913
3917 err = avc_has_perm(isec->sid, other_isec->sid, 3914 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -3989,7 +3986,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3989 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3986 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3990 if (err) 3987 if (err)
3991 return err; 3988 return err;
3992 3989
3993 err = sel_netnode_sid(addrp, family, &node_sid); 3990 err = sel_netnode_sid(addrp, family, &node_sid);
3994 if (err) 3991 if (err)
3995 return err; 3992 return err;
@@ -4140,7 +4137,7 @@ out_len:
4140 err = -EFAULT; 4137 err = -EFAULT;
4141 4138
4142 kfree(scontext); 4139 kfree(scontext);
4143out: 4140out:
4144 return err; 4141 return err;
4145} 4142}
4146 4143
@@ -4201,7 +4198,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4201 } 4198 }
4202} 4199}
4203 4200
4204static void selinux_sock_graft(struct sock* sk, struct socket *parent) 4201static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4205{ 4202{
4206 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4203 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4207 struct sk_security_struct *sksec = sk->sk_security; 4204 struct sk_security_struct *sksec = sk->sk_security;
@@ -4278,13 +4275,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4278 struct nlmsghdr *nlh; 4275 struct nlmsghdr *nlh;
4279 struct socket *sock = sk->sk_socket; 4276 struct socket *sock = sk->sk_socket;
4280 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4277 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4281 4278
4282 if (skb->len < NLMSG_SPACE(0)) { 4279 if (skb->len < NLMSG_SPACE(0)) {
4283 err = -EINVAL; 4280 err = -EINVAL;
4284 goto out; 4281 goto out;
4285 } 4282 }
4286 nlh = nlmsg_hdr(skb); 4283 nlh = nlmsg_hdr(skb);
4287 4284
4288 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 4285 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4289 if (err) { 4286 if (err) {
4290 if (err == -EINVAL) { 4287 if (err == -EINVAL) {
@@ -4410,7 +4407,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4410 return err; 4407 return err;
4411 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4408 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4412 return err; 4409 return err;
4413 4410
4414 err = sel_netnode_sid(addrp, family, &node_sid); 4411 err = sel_netnode_sid(addrp, family, &node_sid);
4415 if (err) 4412 if (err)
4416 return err; 4413 return err;
@@ -4593,7 +4590,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4593 ad.u.cap = capability; 4590 ad.u.cap = capability;
4594 4591
4595 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4592 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4596 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4593 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4597} 4594}
4598 4595
4599static int ipc_alloc_security(struct task_struct *task, 4596static int ipc_alloc_security(struct task_struct *task,
@@ -4685,7 +4682,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4685 isec = msq->q_perm.security; 4682 isec = msq->q_perm.security;
4686 4683
4687 AVC_AUDIT_DATA_INIT(&ad, IPC); 4684 AVC_AUDIT_DATA_INIT(&ad, IPC);
4688 ad.u.ipc_id = msq->q_perm.key; 4685 ad.u.ipc_id = msq->q_perm.key;
4689 4686
4690 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4687 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4691 MSGQ__CREATE, &ad); 4688 MSGQ__CREATE, &ad);
@@ -4722,7 +4719,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4722 int err; 4719 int err;
4723 int perms; 4720 int perms;
4724 4721
4725 switch(cmd) { 4722 switch (cmd) {
4726 case IPC_INFO: 4723 case IPC_INFO:
4727 case MSG_INFO: 4724 case MSG_INFO:
4728 /* No specific object, just general system-wide information. */ 4725 /* No specific object, just general system-wide information. */
@@ -4806,7 +4803,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4806 msec = msg->security; 4803 msec = msg->security;
4807 4804
4808 AVC_AUDIT_DATA_INIT(&ad, IPC); 4805 AVC_AUDIT_DATA_INIT(&ad, IPC);
4809 ad.u.ipc_id = msq->q_perm.key; 4806 ad.u.ipc_id = msq->q_perm.key;
4810 4807
4811 rc = avc_has_perm(tsec->sid, isec->sid, 4808 rc = avc_has_perm(tsec->sid, isec->sid,
4812 SECCLASS_MSGQ, MSGQ__READ, &ad); 4809 SECCLASS_MSGQ, MSGQ__READ, &ad);
@@ -4832,7 +4829,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4832 isec = shp->shm_perm.security; 4829 isec = shp->shm_perm.security;
4833 4830
4834 AVC_AUDIT_DATA_INIT(&ad, IPC); 4831 AVC_AUDIT_DATA_INIT(&ad, IPC);
4835 ad.u.ipc_id = shp->shm_perm.key; 4832 ad.u.ipc_id = shp->shm_perm.key;
4836 4833
4837 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4834 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4838 SHM__CREATE, &ad); 4835 SHM__CREATE, &ad);
@@ -4870,7 +4867,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4870 int perms; 4867 int perms;
4871 int err; 4868 int err;
4872 4869
4873 switch(cmd) { 4870 switch (cmd) {
4874 case IPC_INFO: 4871 case IPC_INFO:
4875 case SHM_INFO: 4872 case SHM_INFO:
4876 /* No specific object, just general system-wide information. */ 4873 /* No specific object, just general system-wide information. */
@@ -4931,7 +4928,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
4931 isec = sma->sem_perm.security; 4928 isec = sma->sem_perm.security;
4932 4929
4933 AVC_AUDIT_DATA_INIT(&ad, IPC); 4930 AVC_AUDIT_DATA_INIT(&ad, IPC);
4934 ad.u.ipc_id = sma->sem_perm.key; 4931 ad.u.ipc_id = sma->sem_perm.key;
4935 4932
4936 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4933 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4937 SEM__CREATE, &ad); 4934 SEM__CREATE, &ad);
@@ -4969,7 +4966,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4969 int err; 4966 int err;
4970 u32 perms; 4967 u32 perms;
4971 4968
4972 switch(cmd) { 4969 switch (cmd) {
4973 case IPC_INFO: 4970 case IPC_INFO:
4974 case SEM_INFO: 4971 case SEM_INFO:
4975 /* No specific object, just general system-wide information. */ 4972 /* No specific object, just general system-wide information. */
@@ -5041,13 +5038,13 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5041} 5038}
5042 5039
5043/* module stacking operations */ 5040/* module stacking operations */
5044static int selinux_register_security (const char *name, struct security_operations *ops) 5041static int selinux_register_security(const char *name, struct security_operations *ops)
5045{ 5042{
5046 if (secondary_ops != original_ops) { 5043 if (secondary_ops != original_ops) {
5047 printk(KERN_ERR "%s: There is already a secondary security " 5044 printk(KERN_ERR "%s: There is already a secondary security "
5048 "module registered.\n", __func__); 5045 "module registered.\n", __func__);
5049 return -EINVAL; 5046 return -EINVAL;
5050 } 5047 }
5051 5048
5052 secondary_ops = ops; 5049 secondary_ops = ops;
5053 5050
@@ -5058,7 +5055,7 @@ static int selinux_register_security (const char *name, struct security_operatio
5058 return 0; 5055 return 0;
5059} 5056}
5060 5057
5061static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 5058static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5062{ 5059{
5063 if (inode) 5060 if (inode)
5064 inode_doinit_with_dentry(inode, dentry); 5061 inode_doinit_with_dentry(inode, dentry);
@@ -5186,11 +5183,11 @@ static int selinux_setprocattr(struct task_struct *p,
5186 } 5183 }
5187 while_each_thread(g, t); 5184 while_each_thread(g, t);
5188 read_unlock(&tasklist_lock); 5185 read_unlock(&tasklist_lock);
5189 } 5186 }
5190 5187
5191 /* Check permissions for the transition. */ 5188 /* Check permissions for the transition. */
5192 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5189 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5193 PROCESS__DYNTRANSITION, NULL); 5190 PROCESS__DYNTRANSITION, NULL);
5194 if (error) 5191 if (error)
5195 return error; 5192 return error;
5196 5193
@@ -5218,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p,
5218 tsec->sid = sid; 5215 tsec->sid = sid;
5219 task_unlock(p); 5216 task_unlock(p);
5220 } 5217 }
5221 } 5218 } else
5222 else
5223 return -EINVAL; 5219 return -EINVAL;
5224 5220
5225 return size; 5221 return size;
@@ -5309,7 +5305,7 @@ static struct security_operations selinux_ops = {
5309 .vm_enough_memory = selinux_vm_enough_memory, 5305 .vm_enough_memory = selinux_vm_enough_memory,
5310 5306
5311 .netlink_send = selinux_netlink_send, 5307 .netlink_send = selinux_netlink_send,
5312 .netlink_recv = selinux_netlink_recv, 5308 .netlink_recv = selinux_netlink_recv,
5313 5309
5314 .bprm_alloc_security = selinux_bprm_alloc_security, 5310 .bprm_alloc_security = selinux_bprm_alloc_security,
5315 .bprm_free_security = selinux_bprm_free_security, 5311 .bprm_free_security = selinux_bprm_free_security,
@@ -5322,13 +5318,13 @@ static struct security_operations selinux_ops = {
5322 .sb_alloc_security = selinux_sb_alloc_security, 5318 .sb_alloc_security = selinux_sb_alloc_security,
5323 .sb_free_security = selinux_sb_free_security, 5319 .sb_free_security = selinux_sb_free_security,
5324 .sb_copy_data = selinux_sb_copy_data, 5320 .sb_copy_data = selinux_sb_copy_data,
5325 .sb_kern_mount = selinux_sb_kern_mount, 5321 .sb_kern_mount = selinux_sb_kern_mount,
5326 .sb_statfs = selinux_sb_statfs, 5322 .sb_statfs = selinux_sb_statfs,
5327 .sb_mount = selinux_mount, 5323 .sb_mount = selinux_mount,
5328 .sb_umount = selinux_umount, 5324 .sb_umount = selinux_umount,
5329 .sb_get_mnt_opts = selinux_get_mnt_opts, 5325 .sb_get_mnt_opts = selinux_get_mnt_opts,
5330 .sb_set_mnt_opts = selinux_set_mnt_opts, 5326 .sb_set_mnt_opts = selinux_set_mnt_opts,
5331 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5327 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5332 .sb_parse_opts_str = selinux_parse_opts_str, 5328 .sb_parse_opts_str = selinux_parse_opts_str,
5333 5329
5334 5330
@@ -5353,9 +5349,9 @@ static struct security_operations selinux_ops = {
5353 .inode_getxattr = selinux_inode_getxattr, 5349 .inode_getxattr = selinux_inode_getxattr,
5354 .inode_listxattr = selinux_inode_listxattr, 5350 .inode_listxattr = selinux_inode_listxattr,
5355 .inode_removexattr = selinux_inode_removexattr, 5351 .inode_removexattr = selinux_inode_removexattr,
5356 .inode_getsecurity = selinux_inode_getsecurity, 5352 .inode_getsecurity = selinux_inode_getsecurity,
5357 .inode_setsecurity = selinux_inode_setsecurity, 5353 .inode_setsecurity = selinux_inode_setsecurity,
5358 .inode_listsecurity = selinux_inode_listsecurity, 5354 .inode_listsecurity = selinux_inode_listsecurity,
5359 .inode_need_killpriv = selinux_inode_need_killpriv, 5355 .inode_need_killpriv = selinux_inode_need_killpriv,
5360 .inode_killpriv = selinux_inode_killpriv, 5356 .inode_killpriv = selinux_inode_killpriv,
5361 .inode_getsecid = selinux_inode_getsecid, 5357 .inode_getsecid = selinux_inode_getsecid,
@@ -5372,7 +5368,7 @@ static struct security_operations selinux_ops = {
5372 .file_send_sigiotask = selinux_file_send_sigiotask, 5368 .file_send_sigiotask = selinux_file_send_sigiotask,
5373 .file_receive = selinux_file_receive, 5369 .file_receive = selinux_file_receive,
5374 5370
5375 .dentry_open = selinux_dentry_open, 5371 .dentry_open = selinux_dentry_open,
5376 5372
5377 .task_create = selinux_task_create, 5373 .task_create = selinux_task_create,
5378 .task_alloc_security = selinux_task_alloc_security, 5374 .task_alloc_security = selinux_task_alloc_security,
@@ -5382,7 +5378,7 @@ static struct security_operations selinux_ops = {
5382 .task_setgid = selinux_task_setgid, 5378 .task_setgid = selinux_task_setgid,
5383 .task_setpgid = selinux_task_setpgid, 5379 .task_setpgid = selinux_task_setpgid,
5384 .task_getpgid = selinux_task_getpgid, 5380 .task_getpgid = selinux_task_getpgid,
5385 .task_getsid = selinux_task_getsid, 5381 .task_getsid = selinux_task_getsid,
5386 .task_getsecid = selinux_task_getsecid, 5382 .task_getsecid = selinux_task_getsecid,
5387 .task_setgroups = selinux_task_setgroups, 5383 .task_setgroups = selinux_task_setgroups,
5388 .task_setnice = selinux_task_setnice, 5384 .task_setnice = selinux_task_setnice,
@@ -5396,7 +5392,7 @@ static struct security_operations selinux_ops = {
5396 .task_wait = selinux_task_wait, 5392 .task_wait = selinux_task_wait,
5397 .task_prctl = selinux_task_prctl, 5393 .task_prctl = selinux_task_prctl,
5398 .task_reparent_to_init = selinux_task_reparent_to_init, 5394 .task_reparent_to_init = selinux_task_reparent_to_init,
5399 .task_to_inode = selinux_task_to_inode, 5395 .task_to_inode = selinux_task_to_inode,
5400 5396
5401 .ipc_permission = selinux_ipc_permission, 5397 .ipc_permission = selinux_ipc_permission,
5402 .ipc_getsecid = selinux_ipc_getsecid, 5398 .ipc_getsecid = selinux_ipc_getsecid,
@@ -5417,24 +5413,24 @@ static struct security_operations selinux_ops = {
5417 .shm_shmctl = selinux_shm_shmctl, 5413 .shm_shmctl = selinux_shm_shmctl,
5418 .shm_shmat = selinux_shm_shmat, 5414 .shm_shmat = selinux_shm_shmat,
5419 5415
5420 .sem_alloc_security = selinux_sem_alloc_security, 5416 .sem_alloc_security = selinux_sem_alloc_security,
5421 .sem_free_security = selinux_sem_free_security, 5417 .sem_free_security = selinux_sem_free_security,
5422 .sem_associate = selinux_sem_associate, 5418 .sem_associate = selinux_sem_associate,
5423 .sem_semctl = selinux_sem_semctl, 5419 .sem_semctl = selinux_sem_semctl,
5424 .sem_semop = selinux_sem_semop, 5420 .sem_semop = selinux_sem_semop,
5425 5421
5426 .register_security = selinux_register_security, 5422 .register_security = selinux_register_security,
5427 5423
5428 .d_instantiate = selinux_d_instantiate, 5424 .d_instantiate = selinux_d_instantiate,
5429 5425
5430 .getprocattr = selinux_getprocattr, 5426 .getprocattr = selinux_getprocattr,
5431 .setprocattr = selinux_setprocattr, 5427 .setprocattr = selinux_setprocattr,
5432 5428
5433 .secid_to_secctx = selinux_secid_to_secctx, 5429 .secid_to_secctx = selinux_secid_to_secctx,
5434 .secctx_to_secid = selinux_secctx_to_secid, 5430 .secctx_to_secid = selinux_secctx_to_secid,
5435 .release_secctx = selinux_release_secctx, 5431 .release_secctx = selinux_release_secctx,
5436 5432
5437 .unix_stream_connect = selinux_socket_unix_stream_connect, 5433 .unix_stream_connect = selinux_socket_unix_stream_connect,
5438 .unix_may_send = selinux_socket_unix_may_send, 5434 .unix_may_send = selinux_socket_unix_may_send,
5439 5435
5440 .socket_create = selinux_socket_create, 5436 .socket_create = selinux_socket_create,
@@ -5456,7 +5452,7 @@ static struct security_operations selinux_ops = {
5456 .sk_alloc_security = selinux_sk_alloc_security, 5452 .sk_alloc_security = selinux_sk_alloc_security,
5457 .sk_free_security = selinux_sk_free_security, 5453 .sk_free_security = selinux_sk_free_security,
5458 .sk_clone_security = selinux_sk_clone_security, 5454 .sk_clone_security = selinux_sk_clone_security,
5459 .sk_getsecid = selinux_sk_getsecid, 5455 .sk_getsecid = selinux_sk_getsecid,
5460 .sock_graft = selinux_sock_graft, 5456 .sock_graft = selinux_sock_graft,
5461 .inet_conn_request = selinux_inet_conn_request, 5457 .inet_conn_request = selinux_inet_conn_request,
5462 .inet_csk_clone = selinux_inet_csk_clone, 5458 .inet_csk_clone = selinux_inet_csk_clone,
@@ -5471,15 +5467,15 @@ static struct security_operations selinux_ops = {
5471 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5467 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5472 .xfrm_state_free_security = selinux_xfrm_state_free, 5468 .xfrm_state_free_security = selinux_xfrm_state_free,
5473 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5469 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5474 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5470 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5475 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5471 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5476 .xfrm_decode_session = selinux_xfrm_decode_session, 5472 .xfrm_decode_session = selinux_xfrm_decode_session,
5477#endif 5473#endif
5478 5474
5479#ifdef CONFIG_KEYS 5475#ifdef CONFIG_KEYS
5480 .key_alloc = selinux_key_alloc, 5476 .key_alloc = selinux_key_alloc,
5481 .key_free = selinux_key_free, 5477 .key_free = selinux_key_free,
5482 .key_permission = selinux_key_permission, 5478 .key_permission = selinux_key_permission,
5483#endif 5479#endif
5484 5480
5485#ifdef CONFIG_AUDIT 5481#ifdef CONFIG_AUDIT
@@ -5519,15 +5515,14 @@ static __init int selinux_init(void)
5519 5515
5520 original_ops = secondary_ops = security_ops; 5516 original_ops = secondary_ops = security_ops;
5521 if (!secondary_ops) 5517 if (!secondary_ops)
5522 panic ("SELinux: No initial security operations\n"); 5518 panic("SELinux: No initial security operations\n");
5523 if (register_security (&selinux_ops)) 5519 if (register_security(&selinux_ops))
5524 panic("SELinux: Unable to register with kernel.\n"); 5520 panic("SELinux: Unable to register with kernel.\n");
5525 5521
5526 if (selinux_enforcing) { 5522 if (selinux_enforcing)
5527 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5523 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5528 } else { 5524 else
5529 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5525 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5530 }
5531 5526
5532#ifdef CONFIG_KEYS 5527#ifdef CONFIG_KEYS
5533 /* Add security information to initial keyrings */ 5528 /* Add security information to initial keyrings */
@@ -5552,8 +5547,8 @@ next_sb:
5552 if (!list_empty(&superblock_security_head)) { 5547 if (!list_empty(&superblock_security_head)) {
5553 struct superblock_security_struct *sbsec = 5548 struct superblock_security_struct *sbsec =
5554 list_entry(superblock_security_head.next, 5549 list_entry(superblock_security_head.next,
5555 struct superblock_security_struct, 5550 struct superblock_security_struct,
5556 list); 5551 list);
5557 struct super_block *sb = sbsec->sb; 5552 struct super_block *sb = sbsec->sb;
5558 sb->s_count++; 5553 sb->s_count++;
5559 spin_unlock(&sb_security_lock); 5554 spin_unlock(&sb_security_lock);
@@ -5672,10 +5667,11 @@ static void selinux_nf_ip_exit(void)
5672#endif /* CONFIG_NETFILTER */ 5667#endif /* CONFIG_NETFILTER */
5673 5668
5674#ifdef CONFIG_SECURITY_SELINUX_DISABLE 5669#ifdef CONFIG_SECURITY_SELINUX_DISABLE
5670static int selinux_disabled;
5671
5675int selinux_disable(void) 5672int selinux_disable(void)
5676{ 5673{
5677 extern void exit_sel_fs(void); 5674 extern void exit_sel_fs(void);
5678 static int selinux_disabled = 0;
5679 5675
5680 if (ss_initialized) { 5676 if (ss_initialized) {
5681 /* Not permitted after initial policy load. */ 5677 /* Not permitted after initial policy load. */
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 9c8a82aa8baf..c658b84c3196 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -8,7 +8,7 @@
8 * 8 *
9 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 9 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
10 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. 10 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
11 * Paul Moore <paul.moore@hp.com> 11 * Paul Moore <paul.moore@hp.com>
12 * 12 *
13 * This program is free software; you can redistribute it and/or modify 13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License version 2, 14 * it under the terms of the GNU General Public License version 2,
@@ -31,8 +31,7 @@
31#define SEL_NETIF_HASH_SIZE 64 31#define SEL_NETIF_HASH_SIZE 64
32#define SEL_NETIF_HASH_MAX 1024 32#define SEL_NETIF_HASH_MAX 1024
33 33
34struct sel_netif 34struct sel_netif {
35{
36 struct list_head list; 35 struct list_head list;
37 struct netif_security_struct nsec; 36 struct netif_security_struct nsec;
38 struct rcu_head rcu_head; 37 struct rcu_head rcu_head;
@@ -92,10 +91,10 @@ static inline struct sel_netif *sel_netif_find(int ifindex)
92static int sel_netif_insert(struct sel_netif *netif) 91static int sel_netif_insert(struct sel_netif *netif)
93{ 92{
94 int idx; 93 int idx;
95 94
96 if (sel_netif_total >= SEL_NETIF_HASH_MAX) 95 if (sel_netif_total >= SEL_NETIF_HASH_MAX)
97 return -ENOSPC; 96 return -ENOSPC;
98 97
99 idx = sel_netif_hashfn(netif->nsec.ifindex); 98 idx = sel_netif_hashfn(netif->nsec.ifindex);
100 list_add_rcu(&netif->list, &sel_netif_hash[idx]); 99 list_add_rcu(&netif->list, &sel_netif_hash[idx]);
101 sel_netif_total++; 100 sel_netif_total++;
@@ -267,7 +266,7 @@ static void sel_netif_flush(void)
267} 266}
268 267
269static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, 268static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
270 u16 class, u32 perms, u32 *retained) 269 u16 class, u32 perms, u32 *retained)
271{ 270{
272 if (event == AVC_CALLBACK_RESET) { 271 if (event == AVC_CALLBACK_RESET) {
273 sel_netif_flush(); 272 sel_netif_flush();
@@ -277,7 +276,7 @@ static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
277} 276}
278 277
279static int sel_netif_netdev_notifier_handler(struct notifier_block *this, 278static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
280 unsigned long event, void *ptr) 279 unsigned long event, void *ptr)
281{ 280{
282 struct net_device *dev = ptr; 281 struct net_device *dev = ptr;
283 282
@@ -297,7 +296,7 @@ static struct notifier_block sel_netif_netdev_notifier = {
297static __init int sel_netif_init(void) 296static __init int sel_netif_init(void)
298{ 297{
299 int i, err; 298 int i, err;
300 299
301 if (!selinux_enabled) 300 if (!selinux_enabled)
302 return 0; 301 return 0;
303 302
@@ -305,9 +304,9 @@ static __init int sel_netif_init(void)
305 INIT_LIST_HEAD(&sel_netif_hash[i]); 304 INIT_LIST_HEAD(&sel_netif_hash[i]);
306 305
307 register_netdevice_notifier(&sel_netif_netdev_notifier); 306 register_netdevice_notifier(&sel_netif_netdev_notifier);
308 307
309 err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET, 308 err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET,
310 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 309 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
311 if (err) 310 if (err)
312 panic("avc_add_callback() failed, error %d\n", err); 311 panic("avc_add_callback() failed, error %d\n", err);
313 312
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index e8ee91ac12ef..89b418392f11 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -118,7 +118,7 @@ void selinux_netlbl_cache_invalidate(void)
118void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, 118void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
119 int family) 119 int family)
120{ 120{
121 if (family == PF_INET) 121 if (family == PF_INET)
122 ssec->nlbl_state = NLBL_REQUIRE; 122 ssec->nlbl_state = NLBL_REQUIRE;
123 else 123 else
124 ssec->nlbl_state = NLBL_UNSET; 124 ssec->nlbl_state = NLBL_UNSET;
diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c
index 6214a7a73149..1ae556446e65 100644
--- a/security/selinux/netlink.c
+++ b/security/selinux/netlink.c
@@ -24,16 +24,16 @@ static struct sock *selnl;
24static int selnl_msglen(int msgtype) 24static int selnl_msglen(int msgtype)
25{ 25{
26 int ret = 0; 26 int ret = 0;
27 27
28 switch (msgtype) { 28 switch (msgtype) {
29 case SELNL_MSG_SETENFORCE: 29 case SELNL_MSG_SETENFORCE:
30 ret = sizeof(struct selnl_msg_setenforce); 30 ret = sizeof(struct selnl_msg_setenforce);
31 break; 31 break;
32 32
33 case SELNL_MSG_POLICYLOAD: 33 case SELNL_MSG_POLICYLOAD:
34 ret = sizeof(struct selnl_msg_policyload); 34 ret = sizeof(struct selnl_msg_policyload);
35 break; 35 break;
36 36
37 default: 37 default:
38 BUG(); 38 BUG();
39 } 39 }
@@ -45,15 +45,15 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *
45 switch (msgtype) { 45 switch (msgtype) {
46 case SELNL_MSG_SETENFORCE: { 46 case SELNL_MSG_SETENFORCE: {
47 struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); 47 struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
48 48
49 memset(msg, 0, len); 49 memset(msg, 0, len);
50 msg->val = *((int *)data); 50 msg->val = *((int *)data);
51 break; 51 break;
52 } 52 }
53 53
54 case SELNL_MSG_POLICYLOAD: { 54 case SELNL_MSG_POLICYLOAD: {
55 struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); 55 struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
56 56
57 memset(msg, 0, len); 57 memset(msg, 0, len);
58 msg->seqno = *((u32 *)data); 58 msg->seqno = *((u32 *)data);
59 break; 59 break;
@@ -70,9 +70,9 @@ static void selnl_notify(int msgtype, void *data)
70 sk_buff_data_t tmp; 70 sk_buff_data_t tmp;
71 struct sk_buff *skb; 71 struct sk_buff *skb;
72 struct nlmsghdr *nlh; 72 struct nlmsghdr *nlh;
73 73
74 len = selnl_msglen(msgtype); 74 len = selnl_msglen(msgtype);
75 75
76 skb = alloc_skb(NLMSG_SPACE(len), GFP_USER); 76 skb = alloc_skb(NLMSG_SPACE(len), GFP_USER);
77 if (!skb) 77 if (!skb)
78 goto oom; 78 goto oom;
@@ -85,7 +85,7 @@ static void selnl_notify(int msgtype, void *data)
85 netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER); 85 netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER);
86out: 86out:
87 return; 87 return;
88 88
89nlmsg_failure: 89nlmsg_failure:
90 kfree_skb(skb); 90 kfree_skb(skb);
91oom: 91oom:
@@ -109,7 +109,7 @@ static int __init selnl_init(void)
109 SELNLGRP_MAX, NULL, NULL, THIS_MODULE); 109 SELNLGRP_MAX, NULL, NULL, THIS_MODULE);
110 if (selnl == NULL) 110 if (selnl == NULL)
111 panic("SELinux: Cannot create netlink socket."); 111 panic("SELinux: Cannot create netlink socket.");
112 netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV); 112 netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);
113 return 0; 113 return 0;
114} 114}
115 115
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index f3c526f2cacb..2edc4c5e0c61 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -344,7 +344,7 @@ static __init int sel_netnode_init(void)
344 INIT_LIST_HEAD(&sel_netnode_hash[iter]); 344 INIT_LIST_HEAD(&sel_netnode_hash[iter]);
345 345
346 ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET, 346 ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET,
347 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 347 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
348 if (ret != 0) 348 if (ret != 0)
349 panic("avc_add_callback() failed, error %d\n", ret); 349 panic("avc_add_callback() failed, error %d\n", ret);
350 350
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index eddc7b420109..ff59c0c4804b 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -23,8 +23,7 @@
23#include "flask.h" 23#include "flask.h"
24#include "av_permissions.h" 24#include "av_permissions.h"
25 25
26struct nlmsg_perm 26struct nlmsg_perm {
27{
28 u16 nlmsg_type; 27 u16 nlmsg_type;
29 u32 perm; 28 u32 perm;
30}; 29};
@@ -159,7 +158,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
159 if ((nlmsg_type >= AUDIT_FIRST_USER_MSG && 158 if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
160 nlmsg_type <= AUDIT_LAST_USER_MSG) || 159 nlmsg_type <= AUDIT_LAST_USER_MSG) ||
161 (nlmsg_type >= AUDIT_FIRST_USER_MSG2 && 160 (nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
162 nlmsg_type <= AUDIT_LAST_USER_MSG2)) { 161 nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
163 *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY; 162 *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
164 } else { 163 } else {
165 err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, 164 err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 26fabad09769..ac1ccc13a704 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1,16 +1,16 @@
1/* Updated: Karl MacMillan <kmacmillan@tresys.com> 1/* Updated: Karl MacMillan <kmacmillan@tresys.com>
2 * 2 *
3 * Added conditional policy language extensions 3 * Added conditional policy language extensions
4 * 4 *
5 * Updated: Hewlett-Packard <paul.moore@hp.com> 5 * Updated: Hewlett-Packard <paul.moore@hp.com>
6 * 6 *
7 * Added support for the policy capability bitmap 7 * Added support for the policy capability bitmap
8 * 8 *
9 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. 9 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
10 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 10 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
11 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 11 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
12 * This program is free software; you can redistribute it and/or modify 12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by 13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation, version 2. 14 * the Free Software Foundation, version 2.
15 */ 15 */
16 16
@@ -28,7 +28,6 @@
28#include <linux/percpu.h> 28#include <linux/percpu.h>
29#include <linux/audit.h> 29#include <linux/audit.h>
30#include <asm/uaccess.h> 30#include <asm/uaccess.h>
31#include <asm/semaphore.h>
32 31
33/* selinuxfs pseudo filesystem for exporting the security policy API. 32/* selinuxfs pseudo filesystem for exporting the security policy API.
34 Based on the proc code and the fs/nfsd/nfsctl.c code. */ 33 Based on the proc code and the fs/nfsd/nfsctl.c code. */
@@ -58,14 +57,14 @@ int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
58 57
59static int __init checkreqprot_setup(char *str) 58static int __init checkreqprot_setup(char *str)
60{ 59{
61 selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0; 60 selinux_checkreqprot = simple_strtoul(str, NULL, 0) ? 1 : 0;
62 return 1; 61 return 1;
63} 62}
64__setup("checkreqprot=", checkreqprot_setup); 63__setup("checkreqprot=", checkreqprot_setup);
65 64
66static int __init selinux_compat_net_setup(char *str) 65static int __init selinux_compat_net_setup(char *str)
67{ 66{
68 selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0; 67 selinux_compat_net = simple_strtoul(str, NULL, 0) ? 1 : 0;
69 return 1; 68 return 1;
70} 69}
71__setup("selinux_compat_net=", selinux_compat_net_setup); 70__setup("selinux_compat_net=", selinux_compat_net_setup);
@@ -74,17 +73,17 @@ __setup("selinux_compat_net=", selinux_compat_net_setup);
74static DEFINE_MUTEX(sel_mutex); 73static DEFINE_MUTEX(sel_mutex);
75 74
76/* global data for booleans */ 75/* global data for booleans */
77static struct dentry *bool_dir = NULL; 76static struct dentry *bool_dir;
78static int bool_num = 0; 77static int bool_num;
79static char **bool_pending_names; 78static char **bool_pending_names;
80static int *bool_pending_values = NULL; 79static int *bool_pending_values;
81 80
82/* global data for classes */ 81/* global data for classes */
83static struct dentry *class_dir = NULL; 82static struct dentry *class_dir;
84static unsigned long last_class_ino; 83static unsigned long last_class_ino;
85 84
86/* global data for policy capabilities */ 85/* global data for policy capabilities */
87static struct dentry *policycap_dir = NULL; 86static struct dentry *policycap_dir;
88 87
89extern void selnl_notify_setenforce(int val); 88extern void selnl_notify_setenforce(int val);
90 89
@@ -143,7 +142,7 @@ static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
143} 142}
144 143
145#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 144#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
146static ssize_t sel_write_enforce(struct file * file, const char __user * buf, 145static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
147 size_t count, loff_t *ppos) 146 size_t count, loff_t *ppos)
148 147
149{ 148{
@@ -157,7 +156,7 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
157 /* No partial writes. */ 156 /* No partial writes. */
158 return -EINVAL; 157 return -EINVAL;
159 } 158 }
160 page = (char*)get_zeroed_page(GFP_KERNEL); 159 page = (char *)get_zeroed_page(GFP_KERNEL);
161 if (!page) 160 if (!page)
162 return -ENOMEM; 161 return -ENOMEM;
163 length = -EFAULT; 162 length = -EFAULT;
@@ -214,7 +213,7 @@ static const struct file_operations sel_handle_unknown_ops = {
214}; 213};
215 214
216#ifdef CONFIG_SECURITY_SELINUX_DISABLE 215#ifdef CONFIG_SECURITY_SELINUX_DISABLE
217static ssize_t sel_write_disable(struct file * file, const char __user * buf, 216static ssize_t sel_write_disable(struct file *file, const char __user *buf,
218 size_t count, loff_t *ppos) 217 size_t count, loff_t *ppos)
219 218
220{ 219{
@@ -229,7 +228,7 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
229 /* No partial writes. */ 228 /* No partial writes. */
230 return -EINVAL; 229 return -EINVAL;
231 } 230 }
232 page = (char*)get_zeroed_page(GFP_KERNEL); 231 page = (char *)get_zeroed_page(GFP_KERNEL);
233 if (!page) 232 if (!page)
234 return -ENOMEM; 233 return -ENOMEM;
235 length = -EFAULT; 234 length = -EFAULT;
@@ -264,7 +263,7 @@ static const struct file_operations sel_disable_ops = {
264}; 263};
265 264
266static ssize_t sel_read_policyvers(struct file *filp, char __user *buf, 265static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
267 size_t count, loff_t *ppos) 266 size_t count, loff_t *ppos)
268{ 267{
269 char tmpbuf[TMPBUFLEN]; 268 char tmpbuf[TMPBUFLEN];
270 ssize_t length; 269 ssize_t length;
@@ -300,7 +299,7 @@ static const struct file_operations sel_mls_ops = {
300 .read = sel_read_mls, 299 .read = sel_read_mls,
301}; 300};
302 301
303static ssize_t sel_write_load(struct file * file, const char __user * buf, 302static ssize_t sel_write_load(struct file *file, const char __user *buf,
304 size_t count, loff_t *ppos) 303 size_t count, loff_t *ppos)
305 304
306{ 305{
@@ -372,7 +371,7 @@ static const struct file_operations sel_load_ops = {
372 .write = sel_write_load, 371 .write = sel_write_load,
373}; 372};
374 373
375static ssize_t sel_write_context(struct file * file, char *buf, size_t size) 374static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
376{ 375{
377 char *canon; 376 char *canon;
378 u32 sid, len; 377 u32 sid, len;
@@ -391,8 +390,8 @@ static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
391 return length; 390 return length;
392 391
393 if (len > SIMPLE_TRANSACTION_LIMIT) { 392 if (len > SIMPLE_TRANSACTION_LIMIT) {
394 printk(KERN_ERR "%s: context size (%u) exceeds payload " 393 printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
395 "max\n", __func__, len); 394 "payload max\n", __func__, len);
396 length = -ERANGE; 395 length = -ERANGE;
397 goto out; 396 goto out;
398 } 397 }
@@ -414,7 +413,7 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
414 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 413 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
415} 414}
416 415
417static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf, 416static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
418 size_t count, loff_t *ppos) 417 size_t count, loff_t *ppos)
419{ 418{
420 char *page; 419 char *page;
@@ -431,7 +430,7 @@ static ssize_t sel_write_checkreqprot(struct file * file, const char __user * bu
431 /* No partial writes. */ 430 /* No partial writes. */
432 return -EINVAL; 431 return -EINVAL;
433 } 432 }
434 page = (char*)get_zeroed_page(GFP_KERNEL); 433 page = (char *)get_zeroed_page(GFP_KERNEL);
435 if (!page) 434 if (!page)
436 return -ENOMEM; 435 return -ENOMEM;
437 length = -EFAULT; 436 length = -EFAULT;
@@ -463,7 +462,7 @@ static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
463 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 462 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
464} 463}
465 464
466static ssize_t sel_write_compat_net(struct file * file, const char __user * buf, 465static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
467 size_t count, loff_t *ppos) 466 size_t count, loff_t *ppos)
468{ 467{
469 char *page; 468 char *page;
@@ -480,7 +479,7 @@ static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
480 /* No partial writes. */ 479 /* No partial writes. */
481 return -EINVAL; 480 return -EINVAL;
482 } 481 }
483 page = (char*)get_zeroed_page(GFP_KERNEL); 482 page = (char *)get_zeroed_page(GFP_KERNEL);
484 if (!page) 483 if (!page)
485 return -ENOMEM; 484 return -ENOMEM;
486 length = -EFAULT; 485 length = -EFAULT;
@@ -505,11 +504,11 @@ static const struct file_operations sel_compat_net_ops = {
505/* 504/*
506 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c 505 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
507 */ 506 */
508static ssize_t sel_write_access(struct file * file, char *buf, size_t size); 507static ssize_t sel_write_access(struct file *file, char *buf, size_t size);
509static ssize_t sel_write_create(struct file * file, char *buf, size_t size); 508static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
510static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size); 509static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
511static ssize_t sel_write_user(struct file * file, char *buf, size_t size); 510static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
512static ssize_t sel_write_member(struct file * file, char *buf, size_t size); 511static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
513 512
514static ssize_t (*write_op[])(struct file *, char *, size_t) = { 513static ssize_t (*write_op[])(struct file *, char *, size_t) = {
515 [SEL_ACCESS] = sel_write_access, 514 [SEL_ACCESS] = sel_write_access,
@@ -522,7 +521,7 @@ static ssize_t (*write_op[])(struct file *, char *, size_t) = {
522 521
523static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos) 522static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
524{ 523{
525 ino_t ino = file->f_path.dentry->d_inode->i_ino; 524 ino_t ino = file->f_path.dentry->d_inode->i_ino;
526 char *data; 525 char *data;
527 ssize_t rv; 526 ssize_t rv;
528 527
@@ -533,8 +532,8 @@ static ssize_t selinux_transaction_write(struct file *file, const char __user *b
533 if (IS_ERR(data)) 532 if (IS_ERR(data))
534 return PTR_ERR(data); 533 return PTR_ERR(data);
535 534
536 rv = write_op[ino](file, data, size); 535 rv = write_op[ino](file, data, size);
537 if (rv>0) { 536 if (rv > 0) {
538 simple_transaction_set(file, rv); 537 simple_transaction_set(file, rv);
539 rv = size; 538 rv = size;
540 } 539 }
@@ -553,7 +552,7 @@ static const struct file_operations transaction_ops = {
553 * and the length returned. Otherwise return 0 or and -error. 552 * and the length returned. Otherwise return 0 or and -error.
554 */ 553 */
555 554
556static ssize_t sel_write_access(struct file * file, char *buf, size_t size) 555static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
557{ 556{
558 char *scon, *tcon; 557 char *scon, *tcon;
559 u32 ssid, tsid; 558 u32 ssid, tsid;
@@ -602,7 +601,7 @@ out:
602 return length; 601 return length;
603} 602}
604 603
605static ssize_t sel_write_create(struct file * file, char *buf, size_t size) 604static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
606{ 605{
607 char *scon, *tcon; 606 char *scon, *tcon;
608 u32 ssid, tsid, newsid; 607 u32 ssid, tsid, newsid;
@@ -644,8 +643,8 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
644 goto out2; 643 goto out2;
645 644
646 if (len > SIMPLE_TRANSACTION_LIMIT) { 645 if (len > SIMPLE_TRANSACTION_LIMIT) {
647 printk(KERN_ERR "%s: context size (%u) exceeds payload " 646 printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
648 "max\n", __func__, len); 647 "payload max\n", __func__, len);
649 length = -ERANGE; 648 length = -ERANGE;
650 goto out3; 649 goto out3;
651 } 650 }
@@ -661,7 +660,7 @@ out:
661 return length; 660 return length;
662} 661}
663 662
664static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size) 663static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
665{ 664{
666 char *scon, *tcon; 665 char *scon, *tcon;
667 u32 ssid, tsid, newsid; 666 u32 ssid, tsid, newsid;
@@ -718,7 +717,7 @@ out:
718 return length; 717 return length;
719} 718}
720 719
721static ssize_t sel_write_user(struct file * file, char *buf, size_t size) 720static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
722{ 721{
723 char *con, *user, *ptr; 722 char *con, *user, *ptr;
724 u32 sid, *sids; 723 u32 sid, *sids;
@@ -779,7 +778,7 @@ out:
779 return length; 778 return length;
780} 779}
781 780
782static ssize_t sel_write_member(struct file * file, char *buf, size_t size) 781static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
783{ 782{
784 char *scon, *tcon; 783 char *scon, *tcon;
785 u32 ssid, tsid, newsid; 784 u32 ssid, tsid, newsid;
@@ -821,8 +820,8 @@ static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
821 goto out2; 820 goto out2;
822 821
823 if (len > SIMPLE_TRANSACTION_LIMIT) { 822 if (len > SIMPLE_TRANSACTION_LIMIT) {
824 printk(KERN_ERR "%s: context size (%u) exceeds payload " 823 printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
825 "max\n", __func__, len); 824 "payload max\n", __func__, len);
826 length = -ERANGE; 825 length = -ERANGE;
827 goto out3; 826 goto out3;
828 } 827 }
@@ -873,7 +872,8 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
873 ret = -EINVAL; 872 ret = -EINVAL;
874 goto out; 873 goto out;
875 } 874 }
876 if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) { 875 page = (char *)get_zeroed_page(GFP_KERNEL);
876 if (!page) {
877 ret = -ENOMEM; 877 ret = -ENOMEM;
878 goto out; 878 goto out;
879 } 879 }
@@ -924,7 +924,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
924 length = -EINVAL; 924 length = -EINVAL;
925 goto out; 925 goto out;
926 } 926 }
927 page = (char*)get_zeroed_page(GFP_KERNEL); 927 page = (char *)get_zeroed_page(GFP_KERNEL);
928 if (!page) { 928 if (!page) {
929 length = -ENOMEM; 929 length = -ENOMEM;
930 goto out; 930 goto out;
@@ -952,8 +952,8 @@ out:
952} 952}
953 953
954static const struct file_operations sel_bool_ops = { 954static const struct file_operations sel_bool_ops = {
955 .read = sel_read_bool, 955 .read = sel_read_bool,
956 .write = sel_write_bool, 956 .write = sel_write_bool,
957}; 957};
958 958
959static ssize_t sel_commit_bools_write(struct file *filep, 959static ssize_t sel_commit_bools_write(struct file *filep,
@@ -978,7 +978,7 @@ static ssize_t sel_commit_bools_write(struct file *filep,
978 /* No partial writes. */ 978 /* No partial writes. */
979 goto out; 979 goto out;
980 } 980 }
981 page = (char*)get_zeroed_page(GFP_KERNEL); 981 page = (char *)get_zeroed_page(GFP_KERNEL);
982 if (!page) { 982 if (!page) {
983 length = -ENOMEM; 983 length = -ENOMEM;
984 goto out; 984 goto out;
@@ -992,9 +992,8 @@ static ssize_t sel_commit_bools_write(struct file *filep,
992 if (sscanf(page, "%d", &new_value) != 1) 992 if (sscanf(page, "%d", &new_value) != 1)
993 goto out; 993 goto out;
994 994
995 if (new_value && bool_pending_values) { 995 if (new_value && bool_pending_values)
996 security_set_bools(bool_num, bool_pending_values); 996 security_set_bools(bool_num, bool_pending_values);
997 }
998 997
999 length = count; 998 length = count;
1000 999
@@ -1006,7 +1005,7 @@ out:
1006} 1005}
1007 1006
1008static const struct file_operations sel_commit_bools_ops = { 1007static const struct file_operations sel_commit_bools_ops = {
1009 .write = sel_commit_bools_write, 1008 .write = sel_commit_bools_write,
1010}; 1009};
1011 1010
1012static void sel_remove_entries(struct dentry *de) 1011static void sel_remove_entries(struct dentry *de)
@@ -1056,7 +1055,8 @@ static int sel_make_bools(void)
1056 1055
1057 sel_remove_entries(dir); 1056 sel_remove_entries(dir);
1058 1057
1059 if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) 1058 page = (char *)get_zeroed_page(GFP_KERNEL);
1059 if (!page)
1060 return -ENOMEM; 1060 return -ENOMEM;
1061 1061
1062 ret = security_get_bools(&num, &names, &values); 1062 ret = security_get_bools(&num, &names, &values);
@@ -1083,8 +1083,9 @@ static int sel_make_bools(void)
1083 ret = -ENAMETOOLONG; 1083 ret = -ENAMETOOLONG;
1084 goto err; 1084 goto err;
1085 } 1085 }
1086 isec = (struct inode_security_struct*)inode->i_security; 1086 isec = (struct inode_security_struct *)inode->i_security;
1087 if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid))) 1087 ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
1088 if (ret)
1088 goto err; 1089 goto err;
1089 isec->sid = sid; 1090 isec->sid = sid;
1090 isec->initialized = 1; 1091 isec->initialized = 1;
@@ -1112,7 +1113,7 @@ err:
1112 1113
1113#define NULL_FILE_NAME "null" 1114#define NULL_FILE_NAME "null"
1114 1115
1115struct dentry *selinux_null = NULL; 1116struct dentry *selinux_null;
1116 1117
1117static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, 1118static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
1118 size_t count, loff_t *ppos) 1119 size_t count, loff_t *ppos)
@@ -1124,8 +1125,8 @@ static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
1124 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 1125 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
1125} 1126}
1126 1127
1127static ssize_t sel_write_avc_cache_threshold(struct file * file, 1128static ssize_t sel_write_avc_cache_threshold(struct file *file,
1128 const char __user * buf, 1129 const char __user *buf,
1129 size_t count, loff_t *ppos) 1130 size_t count, loff_t *ppos)
1130 1131
1131{ 1132{
@@ -1144,7 +1145,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file * file,
1144 goto out; 1145 goto out;
1145 } 1146 }
1146 1147
1147 page = (char*)get_zeroed_page(GFP_KERNEL); 1148 page = (char *)get_zeroed_page(GFP_KERNEL);
1148 if (!page) { 1149 if (!page) {
1149 ret = -ENOMEM; 1150 ret = -ENOMEM;
1150 goto out; 1151 goto out;
@@ -1302,7 +1303,7 @@ out:
1302 return ret; 1303 return ret;
1303} 1304}
1304 1305
1305static ssize_t sel_read_initcon(struct file * file, char __user *buf, 1306static ssize_t sel_read_initcon(struct file *file, char __user *buf,
1306 size_t count, loff_t *ppos) 1307 size_t count, loff_t *ppos)
1307{ 1308{
1308 struct inode *inode; 1309 struct inode *inode;
@@ -1376,7 +1377,7 @@ static inline u32 sel_ino_to_perm(unsigned long ino)
1376 return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1); 1377 return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1);
1377} 1378}
1378 1379
1379static ssize_t sel_read_class(struct file * file, char __user *buf, 1380static ssize_t sel_read_class(struct file *file, char __user *buf,
1380 size_t count, loff_t *ppos) 1381 size_t count, loff_t *ppos)
1381{ 1382{
1382 ssize_t rc, len; 1383 ssize_t rc, len;
@@ -1400,7 +1401,7 @@ static const struct file_operations sel_class_ops = {
1400 .read = sel_read_class, 1401 .read = sel_read_class,
1401}; 1402};
1402 1403
1403static ssize_t sel_read_perm(struct file * file, char __user *buf, 1404static ssize_t sel_read_perm(struct file *file, char __user *buf,
1404 size_t count, loff_t *ppos) 1405 size_t count, loff_t *ppos)
1405{ 1406{
1406 ssize_t rc, len; 1407 ssize_t rc, len;
@@ -1413,7 +1414,7 @@ static ssize_t sel_read_perm(struct file * file, char __user *buf,
1413 goto out; 1414 goto out;
1414 } 1415 }
1415 1416
1416 len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino)); 1417 len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino));
1417 rc = simple_read_from_buffer(buf, count, ppos, page, len); 1418 rc = simple_read_from_buffer(buf, count, ppos, page, len);
1418 free_page((unsigned long)page); 1419 free_page((unsigned long)page);
1419out: 1420out:
@@ -1641,7 +1642,7 @@ out:
1641 return ret; 1642 return ret;
1642} 1643}
1643 1644
1644static int sel_fill_super(struct super_block * sb, void * data, int silent) 1645static int sel_fill_super(struct super_block *sb, void *data, int silent)
1645{ 1646{
1646 int ret; 1647 int ret;
1647 struct dentry *dentry; 1648 struct dentry *dentry;
@@ -1697,7 +1698,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
1697 goto err; 1698 goto err;
1698 } 1699 }
1699 inode->i_ino = ++sel_last_ino; 1700 inode->i_ino = ++sel_last_ino;
1700 isec = (struct inode_security_struct*)inode->i_security; 1701 isec = (struct inode_security_struct *)inode->i_security;
1701 isec->sid = SECINITSID_DEVNULL; 1702 isec->sid = SECINITSID_DEVNULL;
1702 isec->sclass = SECCLASS_CHR_FILE; 1703 isec->sclass = SECCLASS_CHR_FILE;
1703 isec->initialized = 1; 1704 isec->initialized = 1;
@@ -1761,7 +1762,8 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
1761out: 1762out:
1762 return ret; 1763 return ret;
1763err: 1764err:
1764 printk(KERN_ERR "%s: failed while creating inodes\n", __func__); 1765 printk(KERN_ERR "SELinux: %s: failed while creating inodes\n",
1766 __func__);
1765 goto out; 1767 goto out;
1766} 1768}
1767 1769
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 916e73a18bc5..9e6626362bfd 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -6,15 +6,15 @@
6 6
7/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 7/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
8 * 8 *
9 * Added conditional policy language extensions 9 * Added conditional policy language extensions
10 * 10 *
11 * Copyright (C) 2003 Tresys Technology, LLC 11 * Copyright (C) 2003 Tresys Technology, LLC
12 * This program is free software; you can redistribute it and/or modify 12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by 13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation, version 2. 14 * the Free Software Foundation, version 2.
15 * 15 *
16 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> 16 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
17 * Tuned number of hash slots for avtab to reduce memory usage 17 * Tuned number of hash slots for avtab to reduce memory usage
18 */ 18 */
19 19
20#include <linux/kernel.h> 20#include <linux/kernel.h>
@@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
33 33
34static struct avtab_node* 34static struct avtab_node*
35avtab_insert_node(struct avtab *h, int hvalue, 35avtab_insert_node(struct avtab *h, int hvalue,
36 struct avtab_node * prev, struct avtab_node * cur, 36 struct avtab_node *prev, struct avtab_node *cur,
37 struct avtab_key *key, struct avtab_datum *datum) 37 struct avtab_key *key, struct avtab_datum *datum)
38{ 38{
39 struct avtab_node * newnode; 39 struct avtab_node *newnode;
40 newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL); 40 newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
41 if (newnode == NULL) 41 if (newnode == NULL)
42 return NULL; 42 return NULL;
@@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
84 } 84 }
85 85
86 newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); 86 newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
87 if(!newnode) 87 if (!newnode)
88 return -ENOMEM; 88 return -ENOMEM;
89 89
90 return 0; 90 return 0;
@@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
95 * It also returns a pointer to the node inserted. 95 * It also returns a pointer to the node inserted.
96 */ 96 */
97struct avtab_node * 97struct avtab_node *
98avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_datum * datum) 98avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum)
99{ 99{
100 int hvalue; 100 int hvalue;
101 struct avtab_node *prev, *cur, *newnode; 101 struct avtab_node *prev, *cur, *newnode;
@@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag)
310 } 310 }
311 } 311 }
312 312
313 printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " 313 printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
314 "chain length %d sum of chain length^2 %Lu\n", 314 "longest chain length %d sum of chain length^2 %Lu\n",
315 tag, h->nel, slots_used, h->nslot, max_chain_len, 315 tag, h->nel, slots_used, h->nslot, max_chain_len,
316 chain2_len_sum); 316 chain2_len_sum);
317} 317}
@@ -326,7 +326,7 @@ static uint16_t spec_order[] = {
326}; 326};
327 327
328int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, 328int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
329 int (*insertf)(struct avtab *a, struct avtab_key *k, 329 int (*insertf)(struct avtab *a, struct avtab_key *k,
330 struct avtab_datum *d, void *p), 330 struct avtab_datum *d, void *p),
331 void *p) 331 void *p)
332{ 332{
@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
364 val = le32_to_cpu(buf32[items++]); 364 val = le32_to_cpu(buf32[items++]);
365 key.source_type = (u16)val; 365 key.source_type = (u16)val;
366 if (key.source_type != val) { 366 if (key.source_type != val) {
367 printk("SELinux: avtab: truncated source type\n"); 367 printk(KERN_ERR "SELinux: avtab: truncated source type\n");
368 return -1; 368 return -1;
369 } 369 }
370 val = le32_to_cpu(buf32[items++]); 370 val = le32_to_cpu(buf32[items++]);
371 key.target_type = (u16)val; 371 key.target_type = (u16)val;
372 if (key.target_type != val) { 372 if (key.target_type != val) {
373 printk("SELinux: avtab: truncated target type\n"); 373 printk(KERN_ERR "SELinux: avtab: truncated target type\n");
374 return -1; 374 return -1;
375 } 375 }
376 val = le32_to_cpu(buf32[items++]); 376 val = le32_to_cpu(buf32[items++]);
377 key.target_class = (u16)val; 377 key.target_class = (u16)val;
378 if (key.target_class != val) { 378 if (key.target_class != val) {
379 printk("SELinux: avtab: truncated target class\n"); 379 printk(KERN_ERR "SELinux: avtab: truncated target class\n");
380 return -1; 380 return -1;
381 } 381 }
382 382
@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
384 enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; 384 enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
385 385
386 if (!(val & (AVTAB_AV | AVTAB_TYPE))) { 386 if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
387 printk("SELinux: avtab: null entry\n"); 387 printk(KERN_ERR "SELinux: avtab: null entry\n");
388 return -1; 388 return -1;
389 } 389 }
390 if ((val & AVTAB_AV) && 390 if ((val & AVTAB_AV) &&
391 (val & AVTAB_TYPE)) { 391 (val & AVTAB_TYPE)) {
392 printk("SELinux: avtab: entry has both access vectors and types\n"); 392 printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
393 return -1; 393 return -1;
394 } 394 }
395 395
@@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
398 key.specified = spec_order[i] | enabled; 398 key.specified = spec_order[i] | enabled;
399 datum.data = le32_to_cpu(buf32[items++]); 399 datum.data = le32_to_cpu(buf32[items++]);
400 rc = insertf(a, &key, &datum, p); 400 rc = insertf(a, &key, &datum, p);
401 if (rc) return rc; 401 if (rc)
402 return rc;
402 } 403 }
403 } 404 }
404 405
405 if (items != items2) { 406 if (items != items2) {
406 printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items); 407 printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
407 return -1; 408 return -1;
408 } 409 }
409 return 0; 410 return 0;
@@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
411 412
412 rc = next_entry(buf16, fp, sizeof(u16)*4); 413 rc = next_entry(buf16, fp, sizeof(u16)*4);
413 if (rc < 0) { 414 if (rc < 0) {
414 printk("SELinux: avtab: truncated entry\n"); 415 printk(KERN_ERR "SELinux: avtab: truncated entry\n");
415 return -1; 416 return -1;
416 } 417 }
417 418
@@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
424 if (!policydb_type_isvalid(pol, key.source_type) || 425 if (!policydb_type_isvalid(pol, key.source_type) ||
425 !policydb_type_isvalid(pol, key.target_type) || 426 !policydb_type_isvalid(pol, key.target_type) ||
426 !policydb_class_isvalid(pol, key.target_class)) { 427 !policydb_class_isvalid(pol, key.target_class)) {
427 printk(KERN_WARNING "SELinux: avtab: invalid type or class\n"); 428 printk(KERN_ERR "SELinux: avtab: invalid type or class\n");
428 return -1; 429 return -1;
429 } 430 }
430 431
@@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
434 set++; 435 set++;
435 } 436 }
436 if (!set || set > 1) { 437 if (!set || set > 1) {
437 printk(KERN_WARNING 438 printk(KERN_ERR "SELinux: avtab: more than one specifier\n");
438 "SELinux: avtab: more than one specifier\n");
439 return -1; 439 return -1;
440 } 440 }
441 441
442 rc = next_entry(buf32, fp, sizeof(u32)); 442 rc = next_entry(buf32, fp, sizeof(u32));
443 if (rc < 0) { 443 if (rc < 0) {
444 printk("SELinux: avtab: truncated entry\n"); 444 printk(KERN_ERR "SELinux: avtab: truncated entry\n");
445 return -1; 445 return -1;
446 } 446 }
447 datum.data = le32_to_cpu(*buf32); 447 datum.data = le32_to_cpu(*buf32);
448 if ((key.specified & AVTAB_TYPE) && 448 if ((key.specified & AVTAB_TYPE) &&
449 !policydb_type_isvalid(pol, datum.data)) { 449 !policydb_type_isvalid(pol, datum.data)) {
450 printk(KERN_WARNING "SELinux: avtab: invalid type\n"); 450 printk(KERN_ERR "SELinux: avtab: invalid type\n");
451 return -1; 451 return -1;
452 } 452 }
453 return insertf(a, &key, &datum, p); 453 return insertf(a, &key, &datum, p);
@@ -513,5 +513,5 @@ void avtab_cache_init(void)
513 513
514void avtab_cache_destroy(void) 514void avtab_cache_destroy(void)
515{ 515{
516 kmem_cache_destroy (avtab_node_cachep); 516 kmem_cache_destroy(avtab_node_cachep);
517} 517}
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index a996cf1d378a..fb4efe4f4bc8 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -1,9 +1,9 @@
1/* Authors: Karl MacMillan <kmacmillan@tresys.com> 1/* Authors: Karl MacMillan <kmacmillan@tresys.com>
2 * Frank Mayer <mayerf@tresys.com> 2 * Frank Mayer <mayerf@tresys.com>
3 * 3 *
4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
5 * This program is free software; you can redistribute it and/or modify 5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by 6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, version 2. 7 * the Free Software Foundation, version 2.
8 */ 8 */
9 9
@@ -11,7 +11,6 @@
11#include <linux/errno.h> 11#include <linux/errno.h>
12#include <linux/string.h> 12#include <linux/string.h>
13#include <linux/spinlock.h> 13#include <linux/spinlock.h>
14#include <asm/semaphore.h>
15#include <linux/slab.h> 14#include <linux/slab.h>
16 15
17#include "security.h" 16#include "security.h"
@@ -90,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
90int evaluate_cond_node(struct policydb *p, struct cond_node *node) 89int evaluate_cond_node(struct policydb *p, struct cond_node *node)
91{ 90{
92 int new_state; 91 int new_state;
93 struct cond_av_list* cur; 92 struct cond_av_list *cur;
94 93
95 new_state = cond_evaluate_expr(p, node->expr); 94 new_state = cond_evaluate_expr(p, node->expr);
96 if (new_state != node->cur_state) { 95 if (new_state != node->cur_state) {
@@ -99,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
99 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); 98 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
100 /* turn the rules on or off */ 99 /* turn the rules on or off */
101 for (cur = node->true_list; cur != NULL; cur = cur->next) { 100 for (cur = node->true_list; cur != NULL; cur = cur->next) {
102 if (new_state <= 0) { 101 if (new_state <= 0)
103 cur->node->key.specified &= ~AVTAB_ENABLED; 102 cur->node->key.specified &= ~AVTAB_ENABLED;
104 } else { 103 else
105 cur->node->key.specified |= AVTAB_ENABLED; 104 cur->node->key.specified |= AVTAB_ENABLED;
106 }
107 } 105 }
108 106
109 for (cur = node->false_list; cur != NULL; cur = cur->next) { 107 for (cur = node->false_list; cur != NULL; cur = cur->next) {
110 /* -1 or 1 */ 108 /* -1 or 1 */
111 if (new_state) { 109 if (new_state)
112 cur->node->key.specified &= ~AVTAB_ENABLED; 110 cur->node->key.specified &= ~AVTAB_ENABLED;
113 } else { 111 else
114 cur->node->key.specified |= AVTAB_ENABLED; 112 cur->node->key.specified |= AVTAB_ENABLED;
115 }
116 } 113 }
117 } 114 }
118 return 0; 115 return 0;
@@ -174,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p)
174int cond_init_bool_indexes(struct policydb *p) 171int cond_init_bool_indexes(struct policydb *p)
175{ 172{
176 kfree(p->bool_val_to_struct); 173 kfree(p->bool_val_to_struct);
177 p->bool_val_to_struct = (struct cond_bool_datum**) 174 p->bool_val_to_struct = (struct cond_bool_datum **)
178 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL); 175 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
179 if (!p->bool_val_to_struct) 176 if (!p->bool_val_to_struct)
180 return -1; 177 return -1;
181 return 0; 178 return 0;
@@ -200,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
200 return -EINVAL; 197 return -EINVAL;
201 198
202 p->p_bool_val_to_name[booldatum->value - 1] = key; 199 p->p_bool_val_to_name[booldatum->value - 1] = key;
203 p->bool_val_to_struct[booldatum->value -1] = booldatum; 200 p->bool_val_to_struct[booldatum->value - 1] = booldatum;
204 201
205 return 0; 202 return 0;
206} 203}
@@ -252,8 +249,7 @@ err:
252 return -1; 249 return -1;
253} 250}
254 251
255struct cond_insertf_data 252struct cond_insertf_data {
256{
257 struct policydb *p; 253 struct policydb *p;
258 struct cond_av_list *other; 254 struct cond_av_list *other;
259 struct cond_av_list *head; 255 struct cond_av_list *head;
@@ -276,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
276 */ 272 */
277 if (k->specified & AVTAB_TYPE) { 273 if (k->specified & AVTAB_TYPE) {
278 if (avtab_search(&p->te_avtab, k)) { 274 if (avtab_search(&p->te_avtab, k)) {
279 printk("SELinux: type rule already exists outside of a conditional."); 275 printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
280 goto err; 276 goto err;
281 } 277 }
282 /* 278 /*
@@ -291,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
291 node_ptr = avtab_search_node(&p->te_cond_avtab, k); 287 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
292 if (node_ptr) { 288 if (node_ptr) {
293 if (avtab_search_node_next(node_ptr, k->specified)) { 289 if (avtab_search_node_next(node_ptr, k->specified)) {
294 printk("SELinux: too many conflicting type rules."); 290 printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
295 goto err; 291 goto err;
296 } 292 }
297 found = 0; 293 found = 0;
@@ -302,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
302 } 298 }
303 } 299 }
304 if (!found) { 300 if (!found) {
305 printk("SELinux: conflicting type rules.\n"); 301 printk(KERN_ERR "SELinux: conflicting type rules.\n");
306 goto err; 302 goto err;
307 } 303 }
308 } 304 }
309 } else { 305 } else {
310 if (avtab_search(&p->te_cond_avtab, k)) { 306 if (avtab_search(&p->te_cond_avtab, k)) {
311 printk("SELinux: conflicting type rules when adding type rule for true.\n"); 307 printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
312 goto err; 308 goto err;
313 } 309 }
314 } 310 }
@@ -316,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
316 312
317 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); 313 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
318 if (!node_ptr) { 314 if (!node_ptr) {
319 printk("SELinux: could not insert rule."); 315 printk(KERN_ERR "SELinux: could not insert rule.\n");
320 goto err; 316 goto err;
321 } 317 }
322 318
@@ -353,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
353 return -1; 349 return -1;
354 350
355 len = le32_to_cpu(buf[0]); 351 len = le32_to_cpu(buf[0]);
356 if (len == 0) { 352 if (len == 0)
357 return 0; 353 return 0;
358 }
359 354
360 data.p = p; 355 data.p = p;
361 data.other = other; 356 data.other = other;
@@ -376,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
376static int expr_isvalid(struct policydb *p, struct cond_expr *expr) 371static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
377{ 372{
378 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { 373 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
379 printk("SELinux: conditional expressions uses unknown operator.\n"); 374 printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
380 return 0; 375 return 0;
381 } 376 }
382 377
383 if (expr->bool > p->p_bools.nprim) { 378 if (expr->bool > p->p_bools.nprim) {
384 printk("SELinux: conditional expressions uses unknown bool.\n"); 379 printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
385 return 0; 380 return 0;
386 } 381 }
387 return 1; 382 return 1;
@@ -408,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
408 /* expr */ 403 /* expr */
409 len = le32_to_cpu(buf[0]); 404 len = le32_to_cpu(buf[0]);
410 405
411 for (i = 0; i < len; i++ ) { 406 for (i = 0; i < len; i++) {
412 rc = next_entry(buf, fp, sizeof(u32) * 2); 407 rc = next_entry(buf, fp, sizeof(u32) * 2);
413 if (rc < 0) 408 if (rc < 0)
414 goto err; 409 goto err;
415 410
416 expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); 411 expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
417 if (!expr) { 412 if (!expr)
418 goto err; 413 goto err;
419 }
420 414
421 expr->expr_type = le32_to_cpu(buf[0]); 415 expr->expr_type = le32_to_cpu(buf[0]);
422 expr->bool = le32_to_cpu(buf[1]); 416 expr->bool = le32_to_cpu(buf[1]);
@@ -426,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
426 goto err; 420 goto err;
427 } 421 }
428 422
429 if (i == 0) { 423 if (i == 0)
430 node->expr = expr; 424 node->expr = expr;
431 } else { 425 else
432 last->next = expr; 426 last->next = expr;
433 }
434 last = expr; 427 last = expr;
435 } 428 }
436 429
@@ -469,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp)
469 if (cond_read_node(p, node, fp) != 0) 462 if (cond_read_node(p, node, fp) != 0)
470 goto err; 463 goto err;
471 464
472 if (i == 0) { 465 if (i == 0)
473 p->cond_list = node; 466 p->cond_list = node;
474 } else { 467 else
475 last->next = node; 468 last->next = node;
476 }
477 last = node; 469 last = node;
478 } 470 }
479 return 0; 471 return 0;
@@ -490,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
490{ 482{
491 struct avtab_node *node; 483 struct avtab_node *node;
492 484
493 if(!ctab || !key || !avd) 485 if (!ctab || !key || !avd)
494 return; 486 return;
495 487
496 for(node = avtab_search_node(ctab, key); node != NULL; 488 for (node = avtab_search_node(ctab, key); node != NULL;
497 node = avtab_search_node_next(node, key->specified)) { 489 node = avtab_search_node_next(node, key->specified)) {
498 if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) == 490 if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
499 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) 491 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
500 avd->allowed |= node->datum.data; 492 avd->allowed |= node->datum.data;
501 if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) == 493 if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
502 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) 494 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
503 /* Since a '0' in an auditdeny mask represents a 495 /* Since a '0' in an auditdeny mask represents a
504 * permission we do NOT want to audit (dontaudit), we use 496 * permission we do NOT want to audit (dontaudit), we use
505 * the '&' operand to ensure that all '0's in the mask 497 * the '&' operand to ensure that all '0's in the mask
506 * are retained (much unlike the allow and auditallow cases). 498 * are retained (much unlike the allow and auditallow cases).
507 */ 499 */
508 avd->auditdeny &= node->datum.data; 500 avd->auditdeny &= node->datum.data;
509 if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) == 501 if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
510 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) 502 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
511 avd->auditallow |= node->datum.data; 503 avd->auditallow |= node->datum.data;
512 } 504 }
513 return; 505 return;
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index e499af474b35..ddc275490af8 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp)
411 } 411 }
412 /* round down */ 412 /* round down */
413 tmp->startbit = startbit - (startbit % EBITMAP_SIZE); 413 tmp->startbit = startbit - (startbit % EBITMAP_SIZE);
414 if (n) { 414 if (n)
415 n->next = tmp; 415 n->next = tmp;
416 } else { 416 else
417 e->node = tmp; 417 e->node = tmp;
418 }
419 n = tmp; 418 n = tmp;
420 } else if (startbit <= n->startbit) { 419 } else if (startbit <= n->startbit) {
421 printk(KERN_ERR "SELinux: ebitmap: start bit %d" 420 printk(KERN_ERR "SELinux: ebitmap: start bit %d"
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
index 77b530c3bbce..2e7788e13213 100644
--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -9,8 +9,8 @@
9#include "hashtab.h" 9#include "hashtab.h"
10 10
11struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), 11struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
12 int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), 12 int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
13 u32 size) 13 u32 size)
14{ 14{
15 struct hashtab *p; 15 struct hashtab *p;
16 u32 i; 16 u32 i;
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index feaf0a5b828f..8b1706b7b3cc 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -32,7 +32,7 @@
32 * Return the length in bytes for the MLS fields of the 32 * Return the length in bytes for the MLS fields of the
33 * security context string representation of `context'. 33 * security context string representation of `context'.
34 */ 34 */
35int mls_compute_context_len(struct context * context) 35int mls_compute_context_len(struct context *context)
36{ 36{
37 int i, l, len, head, prev; 37 int i, l, len, head, prev;
38 char *nm; 38 char *nm;
@@ -86,7 +86,7 @@ int mls_compute_context_len(struct context * context)
86 * Update `*scontext' to point to the end of the MLS fields. 86 * Update `*scontext' to point to the end of the MLS fields.
87 */ 87 */
88void mls_sid_to_context(struct context *context, 88void mls_sid_to_context(struct context *context,
89 char **scontext) 89 char **scontext)
90{ 90{
91 char *scontextp, *nm; 91 char *scontextp, *nm;
92 int i, l, head, prev; 92 int i, l, head, prev;
@@ -146,7 +146,7 @@ void mls_sid_to_context(struct context *context,
146 146
147 if (l == 0) { 147 if (l == 0) {
148 if (mls_level_eq(&context->range.level[0], 148 if (mls_level_eq(&context->range.level[0],
149 &context->range.level[1])) 149 &context->range.level[1]))
150 break; 150 break;
151 else 151 else
152 *scontextp++ = '-'; 152 *scontextp++ = '-';
@@ -305,20 +305,21 @@ int mls_context_to_sid(char oldc,
305 *p++ = 0; 305 *p++ = 0;
306 306
307 /* Separate into range if exists */ 307 /* Separate into range if exists */
308 if ((rngptr = strchr(scontextp, '.')) != NULL) { 308 rngptr = strchr(scontextp, '.');
309 if (rngptr != NULL) {
309 /* Remove '.' */ 310 /* Remove '.' */
310 *rngptr++ = 0; 311 *rngptr++ = 0;
311 } 312 }
312 313
313 catdatum = hashtab_search(policydb.p_cats.table, 314 catdatum = hashtab_search(policydb.p_cats.table,
314 scontextp); 315 scontextp);
315 if (!catdatum) { 316 if (!catdatum) {
316 rc = -EINVAL; 317 rc = -EINVAL;
317 goto out; 318 goto out;
318 } 319 }
319 320
320 rc = ebitmap_set_bit(&context->range.level[l].cat, 321 rc = ebitmap_set_bit(&context->range.level[l].cat,
321 catdatum->value - 1, 1); 322 catdatum->value - 1, 1);
322 if (rc) 323 if (rc)
323 goto out; 324 goto out;
324 325
@@ -395,7 +396,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
395 rc = -ENOMEM; 396 rc = -ENOMEM;
396 } else { 397 } else {
397 rc = mls_context_to_sid(':', &tmpstr, context, 398 rc = mls_context_to_sid(':', &tmpstr, context,
398 NULL, SECSID_NULL); 399 NULL, SECSID_NULL);
399 kfree(freestr); 400 kfree(freestr);
400 } 401 }
401 402
@@ -406,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
406 * Copies the MLS range `range' into `context'. 407 * Copies the MLS range `range' into `context'.
407 */ 408 */
408static inline int mls_range_set(struct context *context, 409static inline int mls_range_set(struct context *context,
409 struct mls_range *range) 410 struct mls_range *range)
410{ 411{
411 int l, rc = 0; 412 int l, rc = 0;
412 413
@@ -423,7 +424,7 @@ static inline int mls_range_set(struct context *context,
423} 424}
424 425
425int mls_setup_user_range(struct context *fromcon, struct user_datum *user, 426int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
426 struct context *usercon) 427 struct context *usercon)
427{ 428{
428 if (selinux_mls_enabled) { 429 if (selinux_mls_enabled) {
429 struct mls_level *fromcon_sen = &(fromcon->range.level[0]); 430 struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
@@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
449 that of the user's default clearance (but 450 that of the user's default clearance (but
450 only if the "fromcon" clearance dominates 451 only if the "fromcon" clearance dominates
451 the user's computed sensitivity level) */ 452 the user's computed sensitivity level) */
452 if (mls_level_dom(user_clr, fromcon_clr)) { 453 if (mls_level_dom(user_clr, fromcon_clr))
453 *usercon_clr = *fromcon_clr; 454 *usercon_clr = *fromcon_clr;
454 } else if (mls_level_dom(fromcon_clr, user_clr)) { 455 else if (mls_level_dom(fromcon_clr, user_clr))
455 *usercon_clr = *user_clr; 456 *usercon_clr = *user_clr;
456 } else 457 else
457 return -EINVAL; 458 return -EINVAL;
458 } 459 }
459 460
@@ -525,7 +526,7 @@ int mls_compute_sid(struct context *scontext,
525 rtr->target_class == tclass) { 526 rtr->target_class == tclass) {
526 /* Set the range from the rule */ 527 /* Set the range from the rule */
527 return mls_range_set(newcontext, 528 return mls_range_set(newcontext,
528 &rtr->target_range); 529 &rtr->target_range);
529 } 530 }
530 } 531 }
531 /* Fallthrough */ 532 /* Fallthrough */
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 6bdb0ff6a927..84f8cc73c7db 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -11,7 +11,7 @@
11 * 11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 * 13 *
14 * Added conditional policy language extensions 14 * Added conditional policy language extensions
15 * 15 *
16 * Updated: Hewlett-Packard <paul.moore@hp.com> 16 * Updated: Hewlett-Packard <paul.moore@hp.com>
17 * 17 *
@@ -21,7 +21,7 @@
21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
23 * This program is free software; you can redistribute it and/or modify 23 * This program is free software; you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License as published by 24 * it under the terms of the GNU General Public License as published by
25 * the Free Software Foundation, version 2. 25 * the Free Software Foundation, version 2.
26 */ 26 */
27 27
@@ -51,7 +51,7 @@ static char *symtab_name[SYM_NUM] = {
51}; 51};
52#endif 52#endif
53 53
54int selinux_mls_enabled = 0; 54int selinux_mls_enabled;
55 55
56static unsigned int symtab_sizes[SYM_NUM] = { 56static unsigned int symtab_sizes[SYM_NUM] = {
57 2, 57 2,
@@ -73,39 +73,39 @@ struct policydb_compat_info {
73/* These need to be updated if SYM_NUM or OCON_NUM changes */ 73/* These need to be updated if SYM_NUM or OCON_NUM changes */
74static struct policydb_compat_info policydb_compat[] = { 74static struct policydb_compat_info policydb_compat[] = {
75 { 75 {
76 .version = POLICYDB_VERSION_BASE, 76 .version = POLICYDB_VERSION_BASE,
77 .sym_num = SYM_NUM - 3, 77 .sym_num = SYM_NUM - 3,
78 .ocon_num = OCON_NUM - 1, 78 .ocon_num = OCON_NUM - 1,
79 }, 79 },
80 { 80 {
81 .version = POLICYDB_VERSION_BOOL, 81 .version = POLICYDB_VERSION_BOOL,
82 .sym_num = SYM_NUM - 2, 82 .sym_num = SYM_NUM - 2,
83 .ocon_num = OCON_NUM - 1, 83 .ocon_num = OCON_NUM - 1,
84 }, 84 },
85 { 85 {
86 .version = POLICYDB_VERSION_IPV6, 86 .version = POLICYDB_VERSION_IPV6,
87 .sym_num = SYM_NUM - 2, 87 .sym_num = SYM_NUM - 2,
88 .ocon_num = OCON_NUM, 88 .ocon_num = OCON_NUM,
89 }, 89 },
90 { 90 {
91 .version = POLICYDB_VERSION_NLCLASS, 91 .version = POLICYDB_VERSION_NLCLASS,
92 .sym_num = SYM_NUM - 2, 92 .sym_num = SYM_NUM - 2,
93 .ocon_num = OCON_NUM, 93 .ocon_num = OCON_NUM,
94 }, 94 },
95 { 95 {
96 .version = POLICYDB_VERSION_MLS, 96 .version = POLICYDB_VERSION_MLS,
97 .sym_num = SYM_NUM, 97 .sym_num = SYM_NUM,
98 .ocon_num = OCON_NUM, 98 .ocon_num = OCON_NUM,
99 }, 99 },
100 { 100 {
101 .version = POLICYDB_VERSION_AVTAB, 101 .version = POLICYDB_VERSION_AVTAB,
102 .sym_num = SYM_NUM, 102 .sym_num = SYM_NUM,
103 .ocon_num = OCON_NUM, 103 .ocon_num = OCON_NUM,
104 }, 104 },
105 { 105 {
106 .version = POLICYDB_VERSION_RANGETRANS, 106 .version = POLICYDB_VERSION_RANGETRANS,
107 .sym_num = SYM_NUM, 107 .sym_num = SYM_NUM,
108 .ocon_num = OCON_NUM, 108 .ocon_num = OCON_NUM,
109 }, 109 },
110 { 110 {
111 .version = POLICYDB_VERSION_POLCAP, 111 .version = POLICYDB_VERSION_POLCAP,
@@ -152,7 +152,7 @@ static int roles_init(struct policydb *p)
152 rc = -EINVAL; 152 rc = -EINVAL;
153 goto out_free_role; 153 goto out_free_role;
154 } 154 }
155 key = kmalloc(strlen(OBJECT_R)+1,GFP_KERNEL); 155 key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL);
156 if (!key) { 156 if (!key) {
157 rc = -ENOMEM; 157 rc = -ENOMEM;
158 goto out_free_role; 158 goto out_free_role;
@@ -390,7 +390,7 @@ static void symtab_hash_eval(struct symtab *s)
390 struct hashtab_info info; 390 struct hashtab_info info;
391 391
392 hashtab_stat(h, &info); 392 hashtab_stat(h, &info);
393 printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, " 393 printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
394 "longest chain length %d\n", symtab_name[i], h->nel, 394 "longest chain length %d\n", symtab_name[i], h->nel,
395 info.slots_used, h->size, info.max_chain_len); 395 info.slots_used, h->size, info.max_chain_len);
396 } 396 }
@@ -424,7 +424,7 @@ static int policydb_index_others(struct policydb *p)
424 424
425 p->role_val_to_struct = 425 p->role_val_to_struct =
426 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), 426 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
427 GFP_KERNEL); 427 GFP_KERNEL);
428 if (!p->role_val_to_struct) { 428 if (!p->role_val_to_struct) {
429 rc = -ENOMEM; 429 rc = -ENOMEM;
430 goto out; 430 goto out;
@@ -432,7 +432,7 @@ static int policydb_index_others(struct policydb *p)
432 432
433 p->user_val_to_struct = 433 p->user_val_to_struct =
434 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), 434 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
435 GFP_KERNEL); 435 GFP_KERNEL);
436 if (!p->user_val_to_struct) { 436 if (!p->user_val_to_struct) {
437 rc = -ENOMEM; 437 rc = -ENOMEM;
438 goto out; 438 goto out;
@@ -634,7 +634,7 @@ void policydb_destroy(struct policydb *p)
634 while (c) { 634 while (c) {
635 ctmp = c; 635 ctmp = c;
636 c = c->next; 636 c = c->next;
637 ocontext_destroy(ctmp,i); 637 ocontext_destroy(ctmp, i);
638 } 638 }
639 p->ocontexts[i] = NULL; 639 p->ocontexts[i] = NULL;
640 } 640 }
@@ -647,7 +647,7 @@ void policydb_destroy(struct policydb *p)
647 while (c) { 647 while (c) {
648 ctmp = c; 648 ctmp = c;
649 c = c->next; 649 c = c->next;
650 ocontext_destroy(ctmp,OCON_FSUSE); 650 ocontext_destroy(ctmp, OCON_FSUSE);
651 } 651 }
652 gtmp = g; 652 gtmp = g;
653 g = g->next; 653 g = g->next;
@@ -664,14 +664,14 @@ void policydb_destroy(struct policydb *p)
664 } 664 }
665 kfree(ltr); 665 kfree(ltr);
666 666
667 for (ra = p->role_allow; ra; ra = ra -> next) { 667 for (ra = p->role_allow; ra; ra = ra->next) {
668 cond_resched(); 668 cond_resched();
669 kfree(lra); 669 kfree(lra);
670 lra = ra; 670 lra = ra;
671 } 671 }
672 kfree(lra); 672 kfree(lra);
673 673
674 for (rt = p->range_tr; rt; rt = rt -> next) { 674 for (rt = p->range_tr; rt; rt = rt->next) {
675 cond_resched(); 675 cond_resched();
676 if (lrt) { 676 if (lrt) {
677 ebitmap_destroy(&lrt->target_range.level[0].cat); 677 ebitmap_destroy(&lrt->target_range.level[0].cat);
@@ -924,7 +924,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
924 len = le32_to_cpu(buf[0]); 924 len = le32_to_cpu(buf[0]);
925 perdatum->value = le32_to_cpu(buf[1]); 925 perdatum->value = le32_to_cpu(buf[1]);
926 926
927 key = kmalloc(len + 1,GFP_KERNEL); 927 key = kmalloc(len + 1, GFP_KERNEL);
928 if (!key) { 928 if (!key) {
929 rc = -ENOMEM; 929 rc = -ENOMEM;
930 goto bad; 930 goto bad;
@@ -971,7 +971,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
971 comdatum->permissions.nprim = le32_to_cpu(buf[2]); 971 comdatum->permissions.nprim = le32_to_cpu(buf[2]);
972 nel = le32_to_cpu(buf[3]); 972 nel = le32_to_cpu(buf[3]);
973 973
974 key = kmalloc(len + 1,GFP_KERNEL); 974 key = kmalloc(len + 1, GFP_KERNEL);
975 if (!key) { 975 if (!key) {
976 rc = -ENOMEM; 976 rc = -ENOMEM;
977 goto bad; 977 goto bad;
@@ -998,7 +998,7 @@ bad:
998} 998}
999 999
1000static int read_cons_helper(struct constraint_node **nodep, int ncons, 1000static int read_cons_helper(struct constraint_node **nodep, int ncons,
1001 int allowxtarget, void *fp) 1001 int allowxtarget, void *fp)
1002{ 1002{
1003 struct constraint_node *c, *lc; 1003 struct constraint_node *c, *lc;
1004 struct constraint_expr *e, *le; 1004 struct constraint_expr *e, *le;
@@ -1012,11 +1012,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
1012 if (!c) 1012 if (!c)
1013 return -ENOMEM; 1013 return -ENOMEM;
1014 1014
1015 if (lc) { 1015 if (lc)
1016 lc->next = c; 1016 lc->next = c;
1017 } else { 1017 else
1018 *nodep = c; 1018 *nodep = c;
1019 }
1020 1019
1021 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 1020 rc = next_entry(buf, fp, (sizeof(u32) * 2));
1022 if (rc < 0) 1021 if (rc < 0)
@@ -1030,11 +1029,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
1030 if (!e) 1029 if (!e)
1031 return -ENOMEM; 1030 return -ENOMEM;
1032 1031
1033 if (le) { 1032 if (le)
1034 le->next = e; 1033 le->next = e;
1035 } else { 1034 else
1036 c->expr = e; 1035 c->expr = e;
1037 }
1038 1036
1039 rc = next_entry(buf, fp, (sizeof(u32) * 3)); 1037 rc = next_entry(buf, fp, (sizeof(u32) * 3));
1040 if (rc < 0) 1038 if (rc < 0)
@@ -1111,7 +1109,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1111 1109
1112 ncons = le32_to_cpu(buf[5]); 1110 ncons = le32_to_cpu(buf[5]);
1113 1111
1114 key = kmalloc(len + 1,GFP_KERNEL); 1112 key = kmalloc(len + 1, GFP_KERNEL);
1115 if (!key) { 1113 if (!key) {
1116 rc = -ENOMEM; 1114 rc = -ENOMEM;
1117 goto bad; 1115 goto bad;
@@ -1122,7 +1120,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1122 key[len] = 0; 1120 key[len] = 0;
1123 1121
1124 if (len2) { 1122 if (len2) {
1125 cladatum->comkey = kmalloc(len2 + 1,GFP_KERNEL); 1123 cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
1126 if (!cladatum->comkey) { 1124 if (!cladatum->comkey) {
1127 rc = -ENOMEM; 1125 rc = -ENOMEM;
1128 goto bad; 1126 goto bad;
@@ -1195,7 +1193,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1195 len = le32_to_cpu(buf[0]); 1193 len = le32_to_cpu(buf[0]);
1196 role->value = le32_to_cpu(buf[1]); 1194 role->value = le32_to_cpu(buf[1]);
1197 1195
1198 key = kmalloc(len + 1,GFP_KERNEL); 1196 key = kmalloc(len + 1, GFP_KERNEL);
1199 if (!key) { 1197 if (!key) {
1200 rc = -ENOMEM; 1198 rc = -ENOMEM;
1201 goto bad; 1199 goto bad;
@@ -1215,7 +1213,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1215 1213
1216 if (strcmp(key, OBJECT_R) == 0) { 1214 if (strcmp(key, OBJECT_R) == 0) {
1217 if (role->value != OBJECT_R_VAL) { 1215 if (role->value != OBJECT_R_VAL) {
1218 printk(KERN_ERR "Role %s has wrong value %d\n", 1216 printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
1219 OBJECT_R, role->value); 1217 OBJECT_R, role->value);
1220 rc = -EINVAL; 1218 rc = -EINVAL;
1221 goto bad; 1219 goto bad;
@@ -1242,7 +1240,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1242 __le32 buf[3]; 1240 __le32 buf[3];
1243 u32 len; 1241 u32 len;
1244 1242
1245 typdatum = kzalloc(sizeof(*typdatum),GFP_KERNEL); 1243 typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
1246 if (!typdatum) { 1244 if (!typdatum) {
1247 rc = -ENOMEM; 1245 rc = -ENOMEM;
1248 return rc; 1246 return rc;
@@ -1256,7 +1254,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1256 typdatum->value = le32_to_cpu(buf[1]); 1254 typdatum->value = le32_to_cpu(buf[1]);
1257 typdatum->primary = le32_to_cpu(buf[2]); 1255 typdatum->primary = le32_to_cpu(buf[2]);
1258 1256
1259 key = kmalloc(len + 1,GFP_KERNEL); 1257 key = kmalloc(len + 1, GFP_KERNEL);
1260 if (!key) { 1258 if (!key) {
1261 rc = -ENOMEM; 1259 rc = -ENOMEM;
1262 goto bad; 1260 goto bad;
@@ -1328,7 +1326,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1328 len = le32_to_cpu(buf[0]); 1326 len = le32_to_cpu(buf[0]);
1329 usrdatum->value = le32_to_cpu(buf[1]); 1327 usrdatum->value = le32_to_cpu(buf[1]);
1330 1328
1331 key = kmalloc(len + 1,GFP_KERNEL); 1329 key = kmalloc(len + 1, GFP_KERNEL);
1332 if (!key) { 1330 if (!key) {
1333 rc = -ENOMEM; 1331 rc = -ENOMEM;
1334 goto bad; 1332 goto bad;
@@ -1382,7 +1380,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1382 len = le32_to_cpu(buf[0]); 1380 len = le32_to_cpu(buf[0]);
1383 levdatum->isalias = le32_to_cpu(buf[1]); 1381 levdatum->isalias = le32_to_cpu(buf[1]);
1384 1382
1385 key = kmalloc(len + 1,GFP_ATOMIC); 1383 key = kmalloc(len + 1, GFP_ATOMIC);
1386 if (!key) { 1384 if (!key) {
1387 rc = -ENOMEM; 1385 rc = -ENOMEM;
1388 goto bad; 1386 goto bad;
@@ -1434,7 +1432,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1434 catdatum->value = le32_to_cpu(buf[1]); 1432 catdatum->value = le32_to_cpu(buf[1]);
1435 catdatum->isalias = le32_to_cpu(buf[2]); 1433 catdatum->isalias = le32_to_cpu(buf[2]);
1436 1434
1437 key = kmalloc(len + 1,GFP_ATOMIC); 1435 key = kmalloc(len + 1, GFP_ATOMIC);
1438 if (!key) { 1436 if (!key) {
1439 rc = -ENOMEM; 1437 rc = -ENOMEM;
1440 goto bad; 1438 goto bad;
@@ -1493,7 +1491,7 @@ int policydb_read(struct policydb *p, void *fp)
1493 goto out; 1491 goto out;
1494 1492
1495 /* Read the magic number and string length. */ 1493 /* Read the magic number and string length. */
1496 rc = next_entry(buf, fp, sizeof(u32)* 2); 1494 rc = next_entry(buf, fp, sizeof(u32) * 2);
1497 if (rc < 0) 1495 if (rc < 0)
1498 goto bad; 1496 goto bad;
1499 1497
@@ -1511,7 +1509,7 @@ int policydb_read(struct policydb *p, void *fp)
1511 len, strlen(POLICYDB_STRING)); 1509 len, strlen(POLICYDB_STRING));
1512 goto bad; 1510 goto bad;
1513 } 1511 }
1514 policydb_str = kmalloc(len + 1,GFP_KERNEL); 1512 policydb_str = kmalloc(len + 1, GFP_KERNEL);
1515 if (!policydb_str) { 1513 if (!policydb_str) {
1516 printk(KERN_ERR "SELinux: unable to allocate memory for policydb " 1514 printk(KERN_ERR "SELinux: unable to allocate memory for policydb "
1517 "string of length %d\n", len); 1515 "string of length %d\n", len);
@@ -1544,29 +1542,30 @@ int policydb_read(struct policydb *p, void *fp)
1544 if (p->policyvers < POLICYDB_VERSION_MIN || 1542 if (p->policyvers < POLICYDB_VERSION_MIN ||
1545 p->policyvers > POLICYDB_VERSION_MAX) { 1543 p->policyvers > POLICYDB_VERSION_MAX) {
1546 printk(KERN_ERR "SELinux: policydb version %d does not match " 1544 printk(KERN_ERR "SELinux: policydb version %d does not match "
1547 "my version range %d-%d\n", 1545 "my version range %d-%d\n",
1548 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); 1546 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
1549 goto bad; 1547 goto bad;
1550 } 1548 }
1551 1549
1552 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { 1550 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
1553 if (ss_initialized && !selinux_mls_enabled) { 1551 if (ss_initialized && !selinux_mls_enabled) {
1554 printk(KERN_ERR "Cannot switch between non-MLS and MLS " 1552 printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
1555 "policies\n"); 1553 " and MLS policies\n");
1556 goto bad; 1554 goto bad;
1557 } 1555 }
1558 selinux_mls_enabled = 1; 1556 selinux_mls_enabled = 1;
1559 config |= POLICYDB_CONFIG_MLS; 1557 config |= POLICYDB_CONFIG_MLS;
1560 1558
1561 if (p->policyvers < POLICYDB_VERSION_MLS) { 1559 if (p->policyvers < POLICYDB_VERSION_MLS) {
1562 printk(KERN_ERR "security policydb version %d (MLS) " 1560 printk(KERN_ERR "SELinux: security policydb version %d "
1563 "not backwards compatible\n", p->policyvers); 1561 "(MLS) not backwards compatible\n",
1562 p->policyvers);
1564 goto bad; 1563 goto bad;
1565 } 1564 }
1566 } else { 1565 } else {
1567 if (ss_initialized && selinux_mls_enabled) { 1566 if (ss_initialized && selinux_mls_enabled) {
1568 printk(KERN_ERR "Cannot switch between MLS and non-MLS " 1567 printk(KERN_ERR "SELinux: Cannot switch between MLS and"
1569 "policies\n"); 1568 " non-MLS policies\n");
1570 goto bad; 1569 goto bad;
1571 } 1570 }
1572 } 1571 }
@@ -1633,11 +1632,10 @@ int policydb_read(struct policydb *p, void *fp)
1633 rc = -ENOMEM; 1632 rc = -ENOMEM;
1634 goto bad; 1633 goto bad;
1635 } 1634 }
1636 if (ltr) { 1635 if (ltr)
1637 ltr->next = tr; 1636 ltr->next = tr;
1638 } else { 1637 else
1639 p->role_tr = tr; 1638 p->role_tr = tr;
1640 }
1641 rc = next_entry(buf, fp, sizeof(u32)*3); 1639 rc = next_entry(buf, fp, sizeof(u32)*3);
1642 if (rc < 0) 1640 if (rc < 0)
1643 goto bad; 1641 goto bad;
@@ -1664,11 +1662,10 @@ int policydb_read(struct policydb *p, void *fp)
1664 rc = -ENOMEM; 1662 rc = -ENOMEM;
1665 goto bad; 1663 goto bad;
1666 } 1664 }
1667 if (lra) { 1665 if (lra)
1668 lra->next = ra; 1666 lra->next = ra;
1669 } else { 1667 else
1670 p->role_allow = ra; 1668 p->role_allow = ra;
1671 }
1672 rc = next_entry(buf, fp, sizeof(u32)*2); 1669 rc = next_entry(buf, fp, sizeof(u32)*2);
1673 if (rc < 0) 1670 if (rc < 0)
1674 goto bad; 1671 goto bad;
@@ -1702,11 +1699,10 @@ int policydb_read(struct policydb *p, void *fp)
1702 rc = -ENOMEM; 1699 rc = -ENOMEM;
1703 goto bad; 1700 goto bad;
1704 } 1701 }
1705 if (l) { 1702 if (l)
1706 l->next = c; 1703 l->next = c;
1707 } else { 1704 else
1708 p->ocontexts[i] = c; 1705 p->ocontexts[i] = c;
1709 }
1710 l = c; 1706 l = c;
1711 rc = -EINVAL; 1707 rc = -EINVAL;
1712 switch (i) { 1708 switch (i) {
@@ -1725,7 +1721,7 @@ int policydb_read(struct policydb *p, void *fp)
1725 if (rc < 0) 1721 if (rc < 0)
1726 goto bad; 1722 goto bad;
1727 len = le32_to_cpu(buf[0]); 1723 len = le32_to_cpu(buf[0]);
1728 c->u.name = kmalloc(len + 1,GFP_KERNEL); 1724 c->u.name = kmalloc(len + 1, GFP_KERNEL);
1729 if (!c->u.name) { 1725 if (!c->u.name) {
1730 rc = -ENOMEM; 1726 rc = -ENOMEM;
1731 goto bad; 1727 goto bad;
@@ -1753,7 +1749,7 @@ int policydb_read(struct policydb *p, void *fp)
1753 goto bad; 1749 goto bad;
1754 break; 1750 break;
1755 case OCON_NODE: 1751 case OCON_NODE:
1756 rc = next_entry(buf, fp, sizeof(u32)* 2); 1752 rc = next_entry(buf, fp, sizeof(u32) * 2);
1757 if (rc < 0) 1753 if (rc < 0)
1758 goto bad; 1754 goto bad;
1759 c->u.node.addr = le32_to_cpu(buf[0]); 1755 c->u.node.addr = le32_to_cpu(buf[0]);
@@ -1770,7 +1766,7 @@ int policydb_read(struct policydb *p, void *fp)
1770 if (c->v.behavior > SECURITY_FS_USE_NONE) 1766 if (c->v.behavior > SECURITY_FS_USE_NONE)
1771 goto bad; 1767 goto bad;
1772 len = le32_to_cpu(buf[1]); 1768 len = le32_to_cpu(buf[1]);
1773 c->u.name = kmalloc(len + 1,GFP_KERNEL); 1769 c->u.name = kmalloc(len + 1, GFP_KERNEL);
1774 if (!c->u.name) { 1770 if (!c->u.name) {
1775 rc = -ENOMEM; 1771 rc = -ENOMEM;
1776 goto bad; 1772 goto bad;
@@ -1818,7 +1814,7 @@ int policydb_read(struct policydb *p, void *fp)
1818 goto bad; 1814 goto bad;
1819 } 1815 }
1820 1816
1821 newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL); 1817 newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
1822 if (!newgenfs->fstype) { 1818 if (!newgenfs->fstype) {
1823 rc = -ENOMEM; 1819 rc = -ENOMEM;
1824 kfree(newgenfs); 1820 kfree(newgenfs);
@@ -1864,7 +1860,7 @@ int policydb_read(struct policydb *p, void *fp)
1864 goto bad; 1860 goto bad;
1865 } 1861 }
1866 1862
1867 newc->u.name = kmalloc(len + 1,GFP_KERNEL); 1863 newc->u.name = kmalloc(len + 1, GFP_KERNEL);
1868 if (!newc->u.name) { 1864 if (!newc->u.name) {
1869 rc = -ENOMEM; 1865 rc = -ENOMEM;
1870 goto bad_newc; 1866 goto bad_newc;
@@ -1968,7 +1964,7 @@ int policydb_read(struct policydb *p, void *fp)
1968out: 1964out:
1969 return rc; 1965 return rc;
1970bad_newc: 1966bad_newc:
1971 ocontext_destroy(newc,OCON_FSUSE); 1967 ocontext_destroy(newc, OCON_FSUSE);
1972bad: 1968bad:
1973 if (!rc) 1969 if (!rc)
1974 rc = -EINVAL; 1970 rc = -EINVAL;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b341b8fd8c7c..2daaddbb301d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2,7 +2,7 @@
2 * Implementation of the security services. 2 * Implementation of the security services.
3 * 3 *
4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5 * James Morris <jmorris@redhat.com> 5 * James Morris <jmorris@redhat.com>
6 * 6 *
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 * 8 *
@@ -11,7 +11,7 @@
11 * 11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 * 13 *
14 * Added conditional policy language extensions 14 * Added conditional policy language extensions
15 * 15 *
16 * Updated: Hewlett-Packard <paul.moore@hp.com> 16 * Updated: Hewlett-Packard <paul.moore@hp.com>
17 * 17 *
@@ -27,7 +27,7 @@
27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
29 * This program is free software; you can redistribute it and/or modify 29 * This program is free software; you can redistribute it and/or modify
30 * it under the terms of the GNU General Public License as published by 30 * it under the terms of the GNU General Public License as published by
31 * the Free Software Foundation, version 2. 31 * the Free Software Foundation, version 2.
32 */ 32 */
33#include <linux/kernel.h> 33#include <linux/kernel.h>
@@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex);
82 82
83static struct sidtab sidtab; 83static struct sidtab sidtab;
84struct policydb policydb; 84struct policydb policydb;
85int ss_initialized = 0; 85int ss_initialized;
86 86
87/* 87/*
88 * The largest sequence number that has been used when 88 * The largest sequence number that has been used when
@@ -90,7 +90,7 @@ int ss_initialized = 0;
90 * The sequence number only changes when a policy change 90 * The sequence number only changes when a policy change
91 * occurs. 91 * occurs.
92 */ 92 */
93static u32 latest_granting = 0; 93static u32 latest_granting;
94 94
95/* Forward declaration. */ 95/* Forward declaration. */
96static int context_struct_to_string(struct context *context, char **scontext, 96static int context_struct_to_string(struct context *context, char **scontext,
@@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext,
163 val1 - 1); 163 val1 - 1);
164 continue; 164 continue;
165 case CEXPR_INCOMP: 165 case CEXPR_INCOMP:
166 s[++sp] = ( !ebitmap_get_bit(&r1->dominates, 166 s[++sp] = (!ebitmap_get_bit(&r1->dominates,
167 val2 - 1) && 167 val2 - 1) &&
168 !ebitmap_get_bit(&r2->dominates, 168 !ebitmap_get_bit(&r2->dominates,
169 val1 - 1) ); 169 val1 - 1));
170 continue; 170 continue;
171 default: 171 default:
172 break; 172 break;
@@ -409,13 +409,14 @@ static int context_struct_compute_av(struct context *scontext,
409 } 409 }
410 if (!ra) 410 if (!ra)
411 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 411 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
412 PROCESS__DYNTRANSITION); 412 PROCESS__DYNTRANSITION);
413 } 413 }
414 414
415 return 0; 415 return 0;
416 416
417inval_class: 417inval_class:
418 printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass); 418 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
419 tclass);
419 return -EINVAL; 420 return -EINVAL;
420} 421}
421 422
@@ -445,9 +446,9 @@ int security_permissive_sid(u32 sid)
445} 446}
446 447
447static int security_validtrans_handle_fail(struct context *ocontext, 448static int security_validtrans_handle_fail(struct context *ocontext,
448 struct context *ncontext, 449 struct context *ncontext,
449 struct context *tcontext, 450 struct context *tcontext,
450 u16 tclass) 451 u16 tclass)
451{ 452{
452 char *o = NULL, *n = NULL, *t = NULL; 453 char *o = NULL, *n = NULL, *t = NULL;
453 u32 olen, nlen, tlen; 454 u32 olen, nlen, tlen;
@@ -459,9 +460,9 @@ static int security_validtrans_handle_fail(struct context *ocontext,
459 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 460 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
460 goto out; 461 goto out;
461 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 462 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
462 "security_validate_transition: denied for" 463 "security_validate_transition: denied for"
463 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 464 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
464 o, n, t, policydb.p_class_val_to_name[tclass-1]); 465 o, n, t, policydb.p_class_val_to_name[tclass-1]);
465out: 466out:
466 kfree(o); 467 kfree(o);
467 kfree(n); 468 kfree(n);
@@ -473,7 +474,7 @@ out:
473} 474}
474 475
475int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 476int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
476 u16 tclass) 477 u16 tclass)
477{ 478{
478 struct context *ocontext; 479 struct context *ocontext;
479 struct context *ncontext; 480 struct context *ncontext;
@@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
499 tclass = SECCLASS_NETLINK_SOCKET; 500 tclass = SECCLASS_NETLINK_SOCKET;
500 501
501 if (!tclass || tclass > policydb.p_classes.nprim) { 502 if (!tclass || tclass > policydb.p_classes.nprim) {
502 printk(KERN_ERR "security_validate_transition: " 503 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
503 "unrecognized class %d\n", tclass); 504 __func__, tclass);
504 rc = -EINVAL; 505 rc = -EINVAL;
505 goto out; 506 goto out;
506 } 507 }
@@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
508 509
509 ocontext = sidtab_search(&sidtab, oldsid); 510 ocontext = sidtab_search(&sidtab, oldsid);
510 if (!ocontext) { 511 if (!ocontext) {
511 printk(KERN_ERR "security_validate_transition: " 512 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
512 " unrecognized SID %d\n", oldsid); 513 __func__, oldsid);
513 rc = -EINVAL; 514 rc = -EINVAL;
514 goto out; 515 goto out;
515 } 516 }
516 517
517 ncontext = sidtab_search(&sidtab, newsid); 518 ncontext = sidtab_search(&sidtab, newsid);
518 if (!ncontext) { 519 if (!ncontext) {
519 printk(KERN_ERR "security_validate_transition: " 520 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
520 " unrecognized SID %d\n", newsid); 521 __func__, newsid);
521 rc = -EINVAL; 522 rc = -EINVAL;
522 goto out; 523 goto out;
523 } 524 }
524 525
525 tcontext = sidtab_search(&sidtab, tasksid); 526 tcontext = sidtab_search(&sidtab, tasksid);
526 if (!tcontext) { 527 if (!tcontext) {
527 printk(KERN_ERR "security_validate_transition: " 528 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
528 " unrecognized SID %d\n", tasksid); 529 __func__, tasksid);
529 rc = -EINVAL; 530 rc = -EINVAL;
530 goto out; 531 goto out;
531 } 532 }
@@ -533,9 +534,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
533 constraint = tclass_datum->validatetrans; 534 constraint = tclass_datum->validatetrans;
534 while (constraint) { 535 while (constraint) {
535 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 536 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
536 constraint->expr)) { 537 constraint->expr)) {
537 rc = security_validtrans_handle_fail(ocontext, ncontext, 538 rc = security_validtrans_handle_fail(ocontext, ncontext,
538 tcontext, tclass); 539 tcontext, tclass);
539 goto out; 540 goto out;
540 } 541 }
541 constraint = constraint->next; 542 constraint = constraint->next;
@@ -581,15 +582,15 @@ int security_compute_av(u32 ssid,
581 582
582 scontext = sidtab_search(&sidtab, ssid); 583 scontext = sidtab_search(&sidtab, ssid);
583 if (!scontext) { 584 if (!scontext) {
584 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 585 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
585 ssid); 586 __func__, ssid);
586 rc = -EINVAL; 587 rc = -EINVAL;
587 goto out; 588 goto out;
588 } 589 }
589 tcontext = sidtab_search(&sidtab, tsid); 590 tcontext = sidtab_search(&sidtab, tsid);
590 if (!tcontext) { 591 if (!tcontext) {
591 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 592 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
592 tsid); 593 __func__, tsid);
593 rc = -EINVAL; 594 rc = -EINVAL;
594 goto out; 595 goto out;
595 } 596 }
@@ -623,9 +624,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
623 624
624 /* Allocate space for the context; caller must free this space. */ 625 /* Allocate space for the context; caller must free this space. */
625 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 626 scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
626 if (!scontextp) { 627 if (!scontextp)
627 return -ENOMEM; 628 return -ENOMEM;
628 }
629 *scontext = scontextp; 629 *scontext = scontextp;
630 630
631 /* 631 /*
@@ -636,8 +636,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
636 policydb.p_role_val_to_name[context->role - 1], 636 policydb.p_role_val_to_name[context->role - 1],
637 policydb.p_type_val_to_name[context->type - 1]); 637 policydb.p_type_val_to_name[context->type - 1]);
638 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 638 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
639 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 639 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
640 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 640 1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
641 641
642 mls_sid_to_context(context, &scontextp); 642 mls_sid_to_context(context, &scontextp);
643 643
@@ -678,7 +678,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
678 char *scontextp; 678 char *scontextp;
679 679
680 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 680 *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
681 scontextp = kmalloc(*scontext_len,GFP_ATOMIC); 681 scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
682 if (!scontextp) { 682 if (!scontextp) {
683 rc = -ENOMEM; 683 rc = -ENOMEM;
684 goto out; 684 goto out;
@@ -687,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
687 *scontext = scontextp; 687 *scontext = scontextp;
688 goto out; 688 goto out;
689 } 689 }
690 printk(KERN_ERR "security_sid_to_context: called before initial " 690 printk(KERN_ERR "SELinux: %s: called before initial "
691 "load_policy on unknown SID %d\n", sid); 691 "load_policy on unknown SID %d\n", __func__, sid);
692 rc = -EINVAL; 692 rc = -EINVAL;
693 goto out; 693 goto out;
694 } 694 }
695 POLICY_RDLOCK; 695 POLICY_RDLOCK;
696 context = sidtab_search(&sidtab, sid); 696 context = sidtab_search(&sidtab, sid);
697 if (!context) { 697 if (!context) {
698 printk(KERN_ERR "security_sid_to_context: unrecognized SID " 698 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
699 "%d\n", sid); 699 __func__, sid);
700 rc = -EINVAL; 700 rc = -EINVAL;
701 goto out_unlock; 701 goto out_unlock;
702 } 702 }
@@ -926,15 +926,15 @@ static int security_compute_sid(u32 ssid,
926 926
927 scontext = sidtab_search(&sidtab, ssid); 927 scontext = sidtab_search(&sidtab, ssid);
928 if (!scontext) { 928 if (!scontext) {
929 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 929 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
930 ssid); 930 __func__, ssid);
931 rc = -EINVAL; 931 rc = -EINVAL;
932 goto out_unlock; 932 goto out_unlock;
933 } 933 }
934 tcontext = sidtab_search(&sidtab, tsid); 934 tcontext = sidtab_search(&sidtab, tsid);
935 if (!tcontext) { 935 if (!tcontext) {
936 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 936 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
937 tsid); 937 __func__, tsid);
938 rc = -EINVAL; 938 rc = -EINVAL;
939 goto out_unlock; 939 goto out_unlock;
940 } 940 }
@@ -974,7 +974,7 @@ static int security_compute_sid(u32 ssid,
974 avdatum = avtab_search(&policydb.te_avtab, &avkey); 974 avdatum = avtab_search(&policydb.te_avtab, &avkey);
975 975
976 /* If no permanent rule, also check for enabled conditional rules */ 976 /* If no permanent rule, also check for enabled conditional rules */
977 if(!avdatum) { 977 if (!avdatum) {
978 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 978 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
979 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 979 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
980 if (node->key.specified & AVTAB_ENABLED) { 980 if (node->key.specified & AVTAB_ENABLED) {
@@ -1288,26 +1288,23 @@ static int convert_context(u32 key,
1288 1288
1289 /* Convert the user. */ 1289 /* Convert the user. */
1290 usrdatum = hashtab_search(args->newp->p_users.table, 1290 usrdatum = hashtab_search(args->newp->p_users.table,
1291 args->oldp->p_user_val_to_name[c->user - 1]); 1291 args->oldp->p_user_val_to_name[c->user - 1]);
1292 if (!usrdatum) { 1292 if (!usrdatum)
1293 goto bad; 1293 goto bad;
1294 }
1295 c->user = usrdatum->value; 1294 c->user = usrdatum->value;
1296 1295
1297 /* Convert the role. */ 1296 /* Convert the role. */
1298 role = hashtab_search(args->newp->p_roles.table, 1297 role = hashtab_search(args->newp->p_roles.table,
1299 args->oldp->p_role_val_to_name[c->role - 1]); 1298 args->oldp->p_role_val_to_name[c->role - 1]);
1300 if (!role) { 1299 if (!role)
1301 goto bad; 1300 goto bad;
1302 }
1303 c->role = role->value; 1301 c->role = role->value;
1304 1302
1305 /* Convert the type. */ 1303 /* Convert the type. */
1306 typdatum = hashtab_search(args->newp->p_types.table, 1304 typdatum = hashtab_search(args->newp->p_types.table,
1307 args->oldp->p_type_val_to_name[c->type - 1]); 1305 args->oldp->p_type_val_to_name[c->type - 1]);
1308 if (!typdatum) { 1306 if (!typdatum)
1309 goto bad; 1307 goto bad;
1310 }
1311 c->type = typdatum->value; 1308 c->type = typdatum->value;
1312 1309
1313 rc = mls_convert_context(args->oldp, args->newp, c); 1310 rc = mls_convert_context(args->oldp, args->newp, c);
@@ -1556,8 +1553,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1556{ 1553{
1557 int i, fail = 0; 1554 int i, fail = 0;
1558 1555
1559 for(i = 0; i < 4; i++) 1556 for (i = 0; i < 4; i++)
1560 if(addr[i] != (input[i] & mask[i])) { 1557 if (addr[i] != (input[i] & mask[i])) {
1561 fail = 1; 1558 fail = 1;
1562 break; 1559 break;
1563 } 1560 }
@@ -1656,7 +1653,7 @@ out:
1656 */ 1653 */
1657 1654
1658int security_get_user_sids(u32 fromsid, 1655int security_get_user_sids(u32 fromsid,
1659 char *username, 1656 char *username,
1660 u32 **sids, 1657 u32 **sids,
1661 u32 *nel) 1658 u32 *nel)
1662{ 1659{
@@ -1766,7 +1763,7 @@ out:
1766 * transition SIDs or task SIDs. 1763 * transition SIDs or task SIDs.
1767 */ 1764 */
1768int security_genfs_sid(const char *fstype, 1765int security_genfs_sid(const char *fstype,
1769 char *path, 1766 char *path,
1770 u16 sclass, 1767 u16 sclass,
1771 u32 *sid) 1768 u32 *sid)
1772{ 1769{
@@ -1881,7 +1878,7 @@ int security_get_bools(int *len, char ***names, int **values)
1881 goto out; 1878 goto out;
1882 } 1879 }
1883 1880
1884 *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); 1881 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
1885 if (!*names) 1882 if (!*names)
1886 goto err; 1883 goto err;
1887 1884
@@ -1893,7 +1890,7 @@ int security_get_bools(int *len, char ***names, int **values)
1893 size_t name_len; 1890 size_t name_len;
1894 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1891 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1895 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1892 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1896 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1893 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1897 if (!(*names)[i]) 1894 if (!(*names)[i])
1898 goto err; 1895 goto err;
1899 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 1896 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
@@ -1938,11 +1935,10 @@ int security_set_bools(int len, int *values)
1938 audit_get_loginuid(current), 1935 audit_get_loginuid(current),
1939 audit_get_sessionid(current)); 1936 audit_get_sessionid(current));
1940 } 1937 }
1941 if (values[i]) { 1938 if (values[i])
1942 policydb.bool_val_to_struct[i]->state = 1; 1939 policydb.bool_val_to_struct[i]->state = 1;
1943 } else { 1940 else
1944 policydb.bool_val_to_struct[i]->state = 0; 1941 policydb.bool_val_to_struct[i]->state = 0;
1945 }
1946 } 1942 }
1947 1943
1948 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 1944 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
@@ -2036,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2036 POLICY_RDLOCK; 2032 POLICY_RDLOCK;
2037 context1 = sidtab_search(&sidtab, sid); 2033 context1 = sidtab_search(&sidtab, sid);
2038 if (!context1) { 2034 if (!context1) {
2039 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 2035 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2040 "%d\n", sid); 2036 __func__, sid);
2041 rc = -EINVAL; 2037 rc = -EINVAL;
2042 goto out_unlock; 2038 goto out_unlock;
2043 } 2039 }
2044 2040
2045 context2 = sidtab_search(&sidtab, mls_sid); 2041 context2 = sidtab_search(&sidtab, mls_sid);
2046 if (!context2) { 2042 if (!context2) {
2047 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 2043 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2048 "%d\n", mls_sid); 2044 __func__, mls_sid);
2049 rc = -EINVAL; 2045 rc = -EINVAL;
2050 goto out_unlock; 2046 goto out_unlock;
2051 } 2047 }
@@ -2136,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2136 2132
2137 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); 2133 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2138 if (!nlbl_ctx) { 2134 if (!nlbl_ctx) {
2139 printk(KERN_ERR 2135 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2140 "security_sid_mls_cmp: unrecognized SID %d\n", 2136 __func__, nlbl_sid);
2141 nlbl_sid);
2142 rc = -EINVAL; 2137 rc = -EINVAL;
2143 goto out_slowpath; 2138 goto out_slowpath;
2144 } 2139 }
2145 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); 2140 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2146 if (!xfrm_ctx) { 2141 if (!xfrm_ctx) {
2147 printk(KERN_ERR 2142 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2148 "security_sid_mls_cmp: unrecognized SID %d\n", 2143 __func__, xfrm_sid);
2149 xfrm_sid);
2150 rc = -EINVAL; 2144 rc = -EINVAL;
2151 goto out_slowpath; 2145 goto out_slowpath;
2152 } 2146 }
@@ -2226,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
2226 2220
2227 match = hashtab_search(policydb.p_classes.table, class); 2221 match = hashtab_search(policydb.p_classes.table, class);
2228 if (!match) { 2222 if (!match) {
2229 printk(KERN_ERR "%s: unrecognized class %s\n", 2223 printk(KERN_ERR "SELinux: %s: unrecognized class %s\n",
2230 __func__, class); 2224 __func__, class);
2231 rc = -EINVAL; 2225 rc = -EINVAL;
2232 goto out; 2226 goto out;
@@ -2435,7 +2429,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2435 2429
2436 if (!rule) { 2430 if (!rule) {
2437 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2431 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2438 "selinux_audit_rule_match: missing rule\n"); 2432 "selinux_audit_rule_match: missing rule\n");
2439 return -ENOENT; 2433 return -ENOENT;
2440 } 2434 }
2441 2435
@@ -2443,7 +2437,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2443 2437
2444 if (rule->au_seqno < latest_granting) { 2438 if (rule->au_seqno < latest_granting) {
2445 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2439 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2446 "selinux_audit_rule_match: stale rule\n"); 2440 "selinux_audit_rule_match: stale rule\n");
2447 match = -ESTALE; 2441 match = -ESTALE;
2448 goto out; 2442 goto out;
2449 } 2443 }
@@ -2451,8 +2445,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2451 ctxt = sidtab_search(&sidtab, sid); 2445 ctxt = sidtab_search(&sidtab, sid);
2452 if (!ctxt) { 2446 if (!ctxt) {
2453 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2447 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2454 "selinux_audit_rule_match: unrecognized SID %d\n", 2448 "selinux_audit_rule_match: unrecognized SID %d\n",
2455 sid); 2449 sid);
2456 match = -ENOENT; 2450 match = -ENOENT;
2457 goto out; 2451 goto out;
2458 } 2452 }
@@ -2498,36 +2492,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2498 case AUDIT_OBJ_LEV_LOW: 2492 case AUDIT_OBJ_LEV_LOW:
2499 case AUDIT_OBJ_LEV_HIGH: 2493 case AUDIT_OBJ_LEV_HIGH:
2500 level = ((field == AUDIT_SUBJ_SEN || 2494 level = ((field == AUDIT_SUBJ_SEN ||
2501 field == AUDIT_OBJ_LEV_LOW) ? 2495 field == AUDIT_OBJ_LEV_LOW) ?
2502 &ctxt->range.level[0] : &ctxt->range.level[1]); 2496 &ctxt->range.level[0] : &ctxt->range.level[1]);
2503 switch (op) { 2497 switch (op) {
2504 case AUDIT_EQUAL: 2498 case AUDIT_EQUAL:
2505 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2499 match = mls_level_eq(&rule->au_ctxt.range.level[0],
2506 level); 2500 level);
2507 break; 2501 break;
2508 case AUDIT_NOT_EQUAL: 2502 case AUDIT_NOT_EQUAL:
2509 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2503 match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2510 level); 2504 level);
2511 break; 2505 break;
2512 case AUDIT_LESS_THAN: 2506 case AUDIT_LESS_THAN:
2513 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2507 match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2514 level) && 2508 level) &&
2515 !mls_level_eq(&rule->au_ctxt.range.level[0], 2509 !mls_level_eq(&rule->au_ctxt.range.level[0],
2516 level)); 2510 level));
2517 break; 2511 break;
2518 case AUDIT_LESS_THAN_OR_EQUAL: 2512 case AUDIT_LESS_THAN_OR_EQUAL:
2519 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2513 match = mls_level_dom(&rule->au_ctxt.range.level[0],
2520 level); 2514 level);
2521 break; 2515 break;
2522 case AUDIT_GREATER_THAN: 2516 case AUDIT_GREATER_THAN:
2523 match = (mls_level_dom(level, 2517 match = (mls_level_dom(level,
2524 &rule->au_ctxt.range.level[0]) && 2518 &rule->au_ctxt.range.level[0]) &&
2525 !mls_level_eq(level, 2519 !mls_level_eq(level,
2526 &rule->au_ctxt.range.level[0])); 2520 &rule->au_ctxt.range.level[0]));
2527 break; 2521 break;
2528 case AUDIT_GREATER_THAN_OR_EQUAL: 2522 case AUDIT_GREATER_THAN_OR_EQUAL:
2529 match = mls_level_dom(level, 2523 match = mls_level_dom(level,
2530 &rule->au_ctxt.range.level[0]); 2524 &rule->au_ctxt.range.level[0]);
2531 break; 2525 break;
2532 } 2526 }
2533 } 2527 }
@@ -2554,7 +2548,7 @@ static int __init aurule_init(void)
2554 int err; 2548 int err;
2555 2549
2556 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2550 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2557 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2551 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2558 if (err) 2552 if (err)
2559 panic("avc_add_callback() failed, error %d\n", err); 2553 panic("avc_add_callback() failed, error %d\n", err);
2560 2554
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 53a54a77f1f8..4a516ff4bcde 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s,
156 while (cur != NULL) { 156 while (cur != NULL) {
157 ret = apply(cur->sid, &cur->context, args); 157 ret = apply(cur->sid, &cur->context, args);
158 if (ret) { 158 if (ret) {
159 if (last) { 159 if (last)
160 last->next = cur->next; 160 last->next = cur->next;
161 } else { 161 else
162 s->htable[i] = cur->next; 162 s->htable[i] = cur->next;
163 }
164
165 temp = cur; 163 temp = cur;
166 cur = cur->next; 164 cur = cur->next;
167 context_destroy(&temp->context); 165 context_destroy(&temp->context);
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 874d17c83c61..8f17f542a116 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -45,7 +45,6 @@
45#include <net/xfrm.h> 45#include <net/xfrm.h>
46#include <net/checksum.h> 46#include <net/checksum.h>
47#include <net/udp.h> 47#include <net/udp.h>
48#include <asm/semaphore.h>
49#include <asm/atomic.h> 48#include <asm/atomic.h>
50 49
51#include "avc.h" 50#include "avc.h"
@@ -181,8 +180,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
181 180
182 if (!ckall) 181 if (!ckall)
183 break; 182 break;
184 } 183 } else if (*sid != ctx->ctx_sid)
185 else if (*sid != ctx->ctx_sid)
186 return -EINVAL; 184 return -EINVAL;
187 } 185 }
188 } 186 }
@@ -327,8 +325,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
327 */ 325 */
328void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) 326void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
329{ 327{
330 if (ctx) 328 kfree(ctx);
331 kfree(ctx);
332} 329}
333 330
334/* 331/*
@@ -373,8 +370,7 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
373void selinux_xfrm_state_free(struct xfrm_state *x) 370void selinux_xfrm_state_free(struct xfrm_state *x)
374{ 371{
375 struct xfrm_sec_ctx *ctx = x->security; 372 struct xfrm_sec_ctx *ctx = x->security;
376 if (ctx) 373 kfree(ctx);
377 kfree(ctx);
378} 374}
379 375
380 /* 376 /*