diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/avc.c | 58 | ||||
-rw-r--r-- | security/selinux/hooks.c | 512 | ||||
-rw-r--r-- | security/selinux/netif.c | 19 | ||||
-rw-r--r-- | security/selinux/netlabel.c | 2 | ||||
-rw-r--r-- | security/selinux/netlink.c | 20 | ||||
-rw-r--r-- | security/selinux/netnode.c | 2 | ||||
-rw-r--r-- | security/selinux/nlmsgtab.c | 5 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 128 | ||||
-rw-r--r-- | security/selinux/ss/avtab.c | 48 | ||||
-rw-r--r-- | security/selinux/ss/conditional.c | 74 | ||||
-rw-r--r-- | security/selinux/ss/ebitmap.c | 5 | ||||
-rw-r--r-- | security/selinux/ss/hashtab.c | 4 | ||||
-rw-r--r-- | security/selinux/ss/mls.c | 27 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 148 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 178 | ||||
-rw-r--r-- | security/selinux/ss/sidtab.c | 6 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 10 |
17 files changed, 609 insertions, 637 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index a4fc6e6d038a..1d69f6649bff 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -2,16 +2,16 @@ | |||
2 | * Implementation of the kernel access vector cache (AVC). | 2 | * Implementation of the kernel access vector cache (AVC). |
3 | * | 3 | * |
4 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> | 4 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> |
5 | * James Morris <jmorris@redhat.com> | 5 | * James Morris <jmorris@redhat.com> |
6 | * | 6 | * |
7 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> | 7 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> |
8 | * Replaced the avc_lock spinlock by RCU. | 8 | * Replaced the avc_lock spinlock by RCU. |
9 | * | 9 | * |
10 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | 10 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> |
11 | * | 11 | * |
12 | * This program is free software; you can redistribute it and/or modify | 12 | * This program is free software; you can redistribute it and/or modify |
13 | * it under the terms of the GNU General Public License version 2, | 13 | * it under the terms of the GNU General Public License version 2, |
14 | * as published by the Free Software Foundation. | 14 | * as published by the Free Software Foundation. |
15 | */ | 15 | */ |
16 | #include <linux/types.h> | 16 | #include <linux/types.h> |
17 | #include <linux/stddef.h> | 17 | #include <linux/stddef.h> |
@@ -44,7 +44,7 @@ static const char *class_to_string[] = { | |||
44 | #undef S_ | 44 | #undef S_ |
45 | }; | 45 | }; |
46 | 46 | ||
47 | #define TB_(s) static const char * s [] = { | 47 | #define TB_(s) static const char *s[] = { |
48 | #define TE_(s) }; | 48 | #define TE_(s) }; |
49 | #define S_(s) s, | 49 | #define S_(s) s, |
50 | #include "common_perm_to_string.h" | 50 | #include "common_perm_to_string.h" |
@@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = { | |||
72 | #define AVC_CACHE_RECLAIM 16 | 72 | #define AVC_CACHE_RECLAIM 16 |
73 | 73 | ||
74 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | 74 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS |
75 | #define avc_cache_stats_incr(field) \ | 75 | #define avc_cache_stats_incr(field) \ |
76 | do { \ | 76 | do { \ |
77 | per_cpu(avc_cache_stats, get_cpu()).field++; \ | 77 | per_cpu(avc_cache_stats, get_cpu()).field++; \ |
78 | put_cpu(); \ | 78 | put_cpu(); \ |
@@ -92,7 +92,7 @@ struct avc_entry { | |||
92 | struct avc_node { | 92 | struct avc_node { |
93 | struct avc_entry ae; | 93 | struct avc_entry ae; |
94 | struct list_head list; | 94 | struct list_head list; |
95 | struct rcu_head rhead; | 95 | struct rcu_head rhead; |
96 | }; | 96 | }; |
97 | 97 | ||
98 | struct avc_cache { | 98 | struct avc_cache { |
@@ -105,8 +105,8 @@ struct avc_cache { | |||
105 | 105 | ||
106 | struct avc_callback_node { | 106 | struct avc_callback_node { |
107 | int (*callback) (u32 event, u32 ssid, u32 tsid, | 107 | int (*callback) (u32 event, u32 ssid, u32 tsid, |
108 | u16 tclass, u32 perms, | 108 | u16 tclass, u32 perms, |
109 | u32 *out_retained); | 109 | u32 *out_retained); |
110 | u32 events; | 110 | u32 events; |
111 | u32 ssid; | 111 | u32 ssid; |
112 | u32 tsid; | 112 | u32 tsid; |
@@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla | |||
202 | char *scontext; | 202 | char *scontext; |
203 | u32 scontext_len; | 203 | u32 scontext_len; |
204 | 204 | ||
205 | rc = security_sid_to_context(ssid, &scontext, &scontext_len); | 205 | rc = security_sid_to_context(ssid, &scontext, &scontext_len); |
206 | if (rc) | 206 | if (rc) |
207 | audit_log_format(ab, "ssid=%d", ssid); | 207 | audit_log_format(ab, "ssid=%d", ssid); |
208 | else { | 208 | else { |
@@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void) | |||
306 | int hvalue, try, ecx; | 306 | int hvalue, try, ecx; |
307 | unsigned long flags; | 307 | unsigned long flags; |
308 | 308 | ||
309 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++ ) { | 309 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { |
310 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); | 310 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); |
311 | 311 | ||
312 | if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) | 312 | if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) |
@@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert) | |||
426 | spin_lock_irqsave(¬if_lock, flag); | 426 | spin_lock_irqsave(¬if_lock, flag); |
427 | if (is_insert) { | 427 | if (is_insert) { |
428 | if (seqno < avc_cache.latest_notif) { | 428 | if (seqno < avc_cache.latest_notif) { |
429 | printk(KERN_WARNING "avc: seqno %d < latest_notif %d\n", | 429 | printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", |
430 | seqno, avc_cache.latest_notif); | 430 | seqno, avc_cache.latest_notif); |
431 | ret = -EAGAIN; | 431 | ret = -EAGAIN; |
432 | } | 432 | } |
@@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en | |||
475 | if (pos->ae.ssid == ssid && | 475 | if (pos->ae.ssid == ssid && |
476 | pos->ae.tsid == tsid && | 476 | pos->ae.tsid == tsid && |
477 | pos->ae.tclass == tclass) { | 477 | pos->ae.tclass == tclass) { |
478 | avc_node_replace(node, pos); | 478 | avc_node_replace(node, pos); |
479 | goto found; | 479 | goto found; |
480 | } | 480 | } |
481 | } | 481 | } |
@@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr, | |||
526 | * before calling the auditing code. | 526 | * before calling the auditing code. |
527 | */ | 527 | */ |
528 | void avc_audit(u32 ssid, u32 tsid, | 528 | void avc_audit(u32 ssid, u32 tsid, |
529 | u16 tclass, u32 requested, | 529 | u16 tclass, u32 requested, |
530 | struct av_decision *avd, int result, struct avc_audit_data *a) | 530 | struct av_decision *avd, int result, struct avc_audit_data *a) |
531 | { | 531 | { |
532 | struct task_struct *tsk = current; | 532 | struct task_struct *tsk = current; |
533 | struct inode *inode = NULL; | 533 | struct inode *inode = NULL; |
@@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid, | |||
541 | return; | 541 | return; |
542 | } else if (result) { | 542 | } else if (result) { |
543 | audited = denied = requested; | 543 | audited = denied = requested; |
544 | } else { | 544 | } else { |
545 | audited = requested; | 545 | audited = requested; |
546 | if (!(audited & avd->auditallow)) | 546 | if (!(audited & avd->auditallow)) |
547 | return; | 547 | return; |
@@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid, | |||
551 | if (!ab) | 551 | if (!ab) |
552 | return; /* audit_panic has been called */ | 552 | return; /* audit_panic has been called */ |
553 | audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); | 553 | audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); |
554 | avc_dump_av(ab, tclass,audited); | 554 | avc_dump_av(ab, tclass, audited); |
555 | audit_log_format(ab, " for "); | 555 | audit_log_format(ab, " for "); |
556 | if (a && a->tsk) | 556 | if (a && a->tsk) |
557 | tsk = a->tsk; | 557 | tsk = a->tsk; |
@@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid, | |||
647 | break; | 647 | break; |
648 | } | 648 | } |
649 | } | 649 | } |
650 | 650 | ||
651 | switch (a->u.net.family) { | 651 | switch (a->u.net.family) { |
652 | case AF_INET: | 652 | case AF_INET: |
653 | avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, | 653 | avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, |
@@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid, | |||
702 | * -%ENOMEM if insufficient memory exists to add the callback. | 702 | * -%ENOMEM if insufficient memory exists to add the callback. |
703 | */ | 703 | */ |
704 | int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, | 704 | int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, |
705 | u16 tclass, u32 perms, | 705 | u16 tclass, u32 perms, |
706 | u32 *out_retained), | 706 | u32 *out_retained), |
707 | u32 events, u32 ssid, u32 tsid, | 707 | u32 events, u32 ssid, u32 tsid, |
708 | u16 tclass, u32 perms) | 708 | u16 tclass, u32 perms) |
709 | { | 709 | { |
710 | struct avc_callback_node *c; | 710 | struct avc_callback_node *c; |
711 | int rc = 0; | 711 | int rc = 0; |
@@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass) | |||
759 | hvalue = avc_hash(ssid, tsid, tclass); | 759 | hvalue = avc_hash(ssid, tsid, tclass); |
760 | spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); | 760 | spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); |
761 | 761 | ||
762 | list_for_each_entry(pos, &avc_cache.slots[hvalue], list){ | 762 | list_for_each_entry(pos, &avc_cache.slots[hvalue], list) { |
763 | if ( ssid==pos->ae.ssid && | 763 | if (ssid == pos->ae.ssid && |
764 | tsid==pos->ae.tsid && | 764 | tsid == pos->ae.tsid && |
765 | tclass==pos->ae.tclass ){ | 765 | tclass == pos->ae.tclass){ |
766 | orig = pos; | 766 | orig = pos; |
767 | break; | 767 | break; |
768 | } | 768 | } |
@@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno) | |||
829 | for (c = avc_callbacks; c; c = c->next) { | 829 | for (c = avc_callbacks; c; c = c->next) { |
830 | if (c->events & AVC_CALLBACK_RESET) { | 830 | if (c->events & AVC_CALLBACK_RESET) { |
831 | tmprc = c->callback(AVC_CALLBACK_RESET, | 831 | tmprc = c->callback(AVC_CALLBACK_RESET, |
832 | 0, 0, 0, 0, NULL); | 832 | 0, 0, 0, 0, NULL); |
833 | /* save the first error encountered for the return | 833 | /* save the first error encountered for the return |
834 | value and continue processing the callbacks */ | 834 | value and continue processing the callbacks */ |
835 | if (!rc) | 835 | if (!rc) |
@@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
878 | node = avc_lookup(ssid, tsid, tclass, requested); | 878 | node = avc_lookup(ssid, tsid, tclass, requested); |
879 | if (!node) { | 879 | if (!node) { |
880 | rcu_read_unlock(); | 880 | rcu_read_unlock(); |
881 | rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd); | 881 | rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd); |
882 | if (rc) | 882 | if (rc) |
883 | goto out; | 883 | goto out; |
884 | rcu_read_lock(); | 884 | rcu_read_lock(); |
885 | node = avc_insert(ssid,tsid,tclass,&entry); | 885 | node = avc_insert(ssid, tsid, tclass, &entry); |
886 | } | 886 | } |
887 | 887 | ||
888 | p_ae = node ? &node->ae : &entry; | 888 | p_ae = node ? &node->ae : &entry; |
@@ -924,7 +924,7 @@ out: | |||
924 | * another -errno upon other errors. | 924 | * another -errno upon other errors. |
925 | */ | 925 | */ |
926 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, | 926 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, |
927 | u32 requested, struct avc_audit_data *auditdata) | 927 | u32 requested, struct avc_audit_data *auditdata) |
928 | { | 928 | { |
929 | struct av_decision avd; | 929 | struct av_decision avd; |
930 | int rc; | 930 | int rc; |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f9927f02bc3d..1bf2543ea942 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -4,22 +4,22 @@ | |||
4 | * This file contains the SELinux hook function implementations. | 4 | * This file contains the SELinux hook function implementations. |
5 | * | 5 | * |
6 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> | 6 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> |
7 | * Chris Vance, <cvance@nai.com> | 7 | * Chris Vance, <cvance@nai.com> |
8 | * Wayne Salamon, <wsalamon@nai.com> | 8 | * Wayne Salamon, <wsalamon@nai.com> |
9 | * James Morris <jmorris@redhat.com> | 9 | * James Morris <jmorris@redhat.com> |
10 | * | 10 | * |
11 | * Copyright (C) 2001,2002 Networks Associates Technology, Inc. | 11 | * Copyright (C) 2001,2002 Networks Associates Technology, Inc. |
12 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | 12 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> |
13 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. | 13 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. |
14 | * <dgoeddel@trustedcs.com> | 14 | * <dgoeddel@trustedcs.com> |
15 | * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. | 15 | * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. |
16 | * Paul Moore <paul.moore@hp.com> | 16 | * Paul Moore <paul.moore@hp.com> |
17 | * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. | 17 | * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. |
18 | * Yuichi Nakamura <ynakam@hitachisoft.jp> | 18 | * Yuichi Nakamura <ynakam@hitachisoft.jp> |
19 | * | 19 | * |
20 | * This program is free software; you can redistribute it and/or modify | 20 | * This program is free software; you can redistribute it and/or modify |
21 | * it under the terms of the GNU General Public License version 2, | 21 | * it under the terms of the GNU General Public License version 2, |
22 | * as published by the Free Software Foundation. | 22 | * as published by the Free Software Foundation. |
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include <linux/init.h> | 25 | #include <linux/init.h> |
@@ -99,11 +99,11 @@ extern struct security_operations *security_ops; | |||
99 | atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); | 99 | atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); |
100 | 100 | ||
101 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP | 101 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP |
102 | int selinux_enforcing = 0; | 102 | int selinux_enforcing; |
103 | 103 | ||
104 | static int __init enforcing_setup(char *str) | 104 | static int __init enforcing_setup(char *str) |
105 | { | 105 | { |
106 | selinux_enforcing = simple_strtol(str,NULL,0); | 106 | selinux_enforcing = simple_strtol(str, NULL, 0); |
107 | return 1; | 107 | return 1; |
108 | } | 108 | } |
109 | __setup("enforcing=", enforcing_setup); | 109 | __setup("enforcing=", enforcing_setup); |
@@ -123,13 +123,13 @@ int selinux_enabled = 1; | |||
123 | #endif | 123 | #endif |
124 | 124 | ||
125 | /* Original (dummy) security module. */ | 125 | /* Original (dummy) security module. */ |
126 | static struct security_operations *original_ops = NULL; | 126 | static struct security_operations *original_ops; |
127 | 127 | ||
128 | /* Minimal support for a secondary security module, | 128 | /* Minimal support for a secondary security module, |
129 | just to allow the use of the dummy or capability modules. | 129 | just to allow the use of the dummy or capability modules. |
130 | The owlsm module can alternatively be used as a secondary | 130 | The owlsm module can alternatively be used as a secondary |
131 | module as long as CONFIG_OWLSM_FD is not enabled. */ | 131 | module as long as CONFIG_OWLSM_FD is not enabled. */ |
132 | static struct security_operations *secondary_ops = NULL; | 132 | static struct security_operations *secondary_ops; |
133 | 133 | ||
134 | /* Lists of inode and superblock security structures initialized | 134 | /* Lists of inode and superblock security structures initialized |
135 | before the policy was loaded. */ | 135 | before the policy was loaded. */ |
@@ -575,8 +575,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
575 | goto out; | 575 | goto out; |
576 | } | 576 | } |
577 | rc = -EINVAL; | 577 | rc = -EINVAL; |
578 | printk(KERN_WARNING "Unable to set superblock options before " | 578 | printk(KERN_WARNING "SELinux: Unable to set superblock options " |
579 | "the security server is initialized\n"); | 579 | "before the security server is initialized\n"); |
580 | goto out; | 580 | goto out; |
581 | } | 581 | } |
582 | 582 | ||
@@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de, | |||
1054 | int buflen, rc; | 1054 | int buflen, rc; |
1055 | char *buffer, *path, *end; | 1055 | char *buffer, *path, *end; |
1056 | 1056 | ||
1057 | buffer = (char*)__get_free_page(GFP_KERNEL); | 1057 | buffer = (char *)__get_free_page(GFP_KERNEL); |
1058 | if (!buffer) | 1058 | if (!buffer) |
1059 | return -ENOMEM; | 1059 | return -ENOMEM; |
1060 | 1060 | ||
@@ -1135,7 +1135,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1135 | dentry = d_find_alias(inode); | 1135 | dentry = d_find_alias(inode); |
1136 | } | 1136 | } |
1137 | if (!dentry) { | 1137 | if (!dentry) { |
1138 | printk(KERN_WARNING "%s: no dentry for dev=%s " | 1138 | printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s " |
1139 | "ino=%ld\n", __func__, inode->i_sb->s_id, | 1139 | "ino=%ld\n", __func__, inode->i_sb->s_id, |
1140 | inode->i_ino); | 1140 | inode->i_ino); |
1141 | goto out_unlock; | 1141 | goto out_unlock; |
@@ -1173,7 +1173,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1173 | dput(dentry); | 1173 | dput(dentry); |
1174 | if (rc < 0) { | 1174 | if (rc < 0) { |
1175 | if (rc != -ENODATA) { | 1175 | if (rc != -ENODATA) { |
1176 | printk(KERN_WARNING "%s: getxattr returned " | 1176 | printk(KERN_WARNING "SELinux: %s: getxattr returned " |
1177 | "%d for dev=%s ino=%ld\n", __func__, | 1177 | "%d for dev=%s ino=%ld\n", __func__, |
1178 | -rc, inode->i_sb->s_id, inode->i_ino); | 1178 | -rc, inode->i_sb->s_id, inode->i_ino); |
1179 | kfree(context); | 1179 | kfree(context); |
@@ -1187,7 +1187,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1187 | sbsec->def_sid, | 1187 | sbsec->def_sid, |
1188 | GFP_NOFS); | 1188 | GFP_NOFS); |
1189 | if (rc) { | 1189 | if (rc) { |
1190 | printk(KERN_WARNING "%s: context_to_sid(%s) " | 1190 | printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " |
1191 | "returned %d for dev=%s ino=%ld\n", | 1191 | "returned %d for dev=%s ino=%ld\n", |
1192 | __func__, context, -rc, | 1192 | __func__, context, -rc, |
1193 | inode->i_sb->s_id, inode->i_ino); | 1193 | inode->i_sb->s_id, inode->i_ino); |
@@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk, | |||
1305 | 1305 | ||
1306 | tsec = tsk->security; | 1306 | tsec = tsk->security; |
1307 | 1307 | ||
1308 | AVC_AUDIT_DATA_INIT(&ad,CAP); | 1308 | AVC_AUDIT_DATA_INIT(&ad, CAP); |
1309 | ad.tsk = tsk; | 1309 | ad.tsk = tsk; |
1310 | ad.u.cap = cap; | 1310 | ad.u.cap = cap; |
1311 | 1311 | ||
@@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk, | |||
1348 | struct inode_security_struct *isec; | 1348 | struct inode_security_struct *isec; |
1349 | struct avc_audit_data ad; | 1349 | struct avc_audit_data ad; |
1350 | 1350 | ||
1351 | if (unlikely (IS_PRIVATE (inode))) | 1351 | if (unlikely(IS_PRIVATE(inode))) |
1352 | return 0; | 1352 | return 0; |
1353 | 1353 | ||
1354 | tsec = tsk->security; | 1354 | tsec = tsk->security; |
@@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk, | |||
1373 | { | 1373 | { |
1374 | struct inode *inode = dentry->d_inode; | 1374 | struct inode *inode = dentry->d_inode; |
1375 | struct avc_audit_data ad; | 1375 | struct avc_audit_data ad; |
1376 | AVC_AUDIT_DATA_INIT(&ad,FS); | 1376 | AVC_AUDIT_DATA_INIT(&ad, FS); |
1377 | ad.u.fs.path.mnt = mnt; | 1377 | ad.u.fs.path.mnt = mnt; |
1378 | ad.u.fs.path.dentry = dentry; | 1378 | ad.u.fs.path.dentry = dentry; |
1379 | return inode_has_perm(tsk, inode, av, &ad); | 1379 | return inode_has_perm(tsk, inode, av, &ad); |
@@ -1470,9 +1470,9 @@ static int may_create_key(u32 ksid, | |||
1470 | return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); | 1470 | return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); |
1471 | } | 1471 | } |
1472 | 1472 | ||
1473 | #define MAY_LINK 0 | 1473 | #define MAY_LINK 0 |
1474 | #define MAY_UNLINK 1 | 1474 | #define MAY_UNLINK 1 |
1475 | #define MAY_RMDIR 2 | 1475 | #define MAY_RMDIR 2 |
1476 | 1476 | ||
1477 | /* Check whether a task can link, unlink, or rmdir a file/directory. */ | 1477 | /* Check whether a task can link, unlink, or rmdir a file/directory. */ |
1478 | static int may_link(struct inode *dir, | 1478 | static int may_link(struct inode *dir, |
@@ -1510,7 +1510,8 @@ static int may_link(struct inode *dir, | |||
1510 | av = DIR__RMDIR; | 1510 | av = DIR__RMDIR; |
1511 | break; | 1511 | break; |
1512 | default: | 1512 | default: |
1513 | printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); | 1513 | printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", |
1514 | __func__, kind); | ||
1514 | return 0; | 1515 | return 0; |
1515 | } | 1516 | } |
1516 | 1517 | ||
@@ -1640,8 +1641,8 @@ static inline u32 open_file_mask_to_av(int mode, int mask) | |||
1640 | else if (S_ISDIR(mode)) | 1641 | else if (S_ISDIR(mode)) |
1641 | av |= DIR__OPEN; | 1642 | av |= DIR__OPEN; |
1642 | else | 1643 | else |
1643 | printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av " | 1644 | printk(KERN_ERR "SELinux: WARNING: inside %s with " |
1644 | "with unknown mode:%x\n", mode); | 1645 | "unknown mode:%x\n", __func__, mode); |
1645 | } | 1646 | } |
1646 | return av; | 1647 | return av; |
1647 | } | 1648 | } |
@@ -1675,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) | |||
1675 | { | 1676 | { |
1676 | int rc; | 1677 | int rc; |
1677 | 1678 | ||
1678 | rc = secondary_ops->ptrace(parent,child); | 1679 | rc = secondary_ops->ptrace(parent, child); |
1679 | if (rc) | 1680 | if (rc) |
1680 | return rc; | 1681 | return rc; |
1681 | 1682 | ||
@@ -1683,7 +1684,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) | |||
1683 | } | 1684 | } |
1684 | 1685 | ||
1685 | static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, | 1686 | static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, |
1686 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | 1687 | kernel_cap_t *inheritable, kernel_cap_t *permitted) |
1687 | { | 1688 | { |
1688 | int error; | 1689 | int error; |
1689 | 1690 | ||
@@ -1695,7 +1696,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, | |||
1695 | } | 1696 | } |
1696 | 1697 | ||
1697 | static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, | 1698 | static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, |
1698 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | 1699 | kernel_cap_t *inheritable, kernel_cap_t *permitted) |
1699 | { | 1700 | { |
1700 | int error; | 1701 | int error; |
1701 | 1702 | ||
@@ -1707,7 +1708,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect | |||
1707 | } | 1708 | } |
1708 | 1709 | ||
1709 | static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, | 1710 | static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, |
1710 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | 1711 | kernel_cap_t *inheritable, kernel_cap_t *permitted) |
1711 | { | 1712 | { |
1712 | secondary_ops->capset_set(target, effective, inheritable, permitted); | 1713 | secondary_ops->capset_set(target, effective, inheritable, permitted); |
1713 | } | 1714 | } |
@@ -1720,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap) | |||
1720 | if (rc) | 1721 | if (rc) |
1721 | return rc; | 1722 | return rc; |
1722 | 1723 | ||
1723 | return task_has_capability(tsk,cap); | 1724 | return task_has_capability(tsk, cap); |
1724 | } | 1725 | } |
1725 | 1726 | ||
1726 | static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) | 1727 | static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) |
@@ -1729,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) | |||
1729 | char *buffer, *path, *end; | 1730 | char *buffer, *path, *end; |
1730 | 1731 | ||
1731 | rc = -ENOMEM; | 1732 | rc = -ENOMEM; |
1732 | buffer = (char*)__get_free_page(GFP_KERNEL); | 1733 | buffer = (char *)__get_free_page(GFP_KERNEL); |
1733 | if (!buffer) | 1734 | if (!buffer) |
1734 | goto out; | 1735 | goto out; |
1735 | 1736 | ||
@@ -1787,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op) | |||
1787 | 1788 | ||
1788 | /* The op values are "defined" in sysctl.c, thereby creating | 1789 | /* The op values are "defined" in sysctl.c, thereby creating |
1789 | * a bad coupling between this module and sysctl.c */ | 1790 | * a bad coupling between this module and sysctl.c */ |
1790 | if(op == 001) { | 1791 | if (op == 001) { |
1791 | error = avc_has_perm(tsec->sid, tsid, | 1792 | error = avc_has_perm(tsec->sid, tsid, |
1792 | SECCLASS_DIR, DIR__SEARCH, NULL); | 1793 | SECCLASS_DIR, DIR__SEARCH, NULL); |
1793 | } else { | 1794 | } else { |
@@ -1799,7 +1800,7 @@ static int selinux_sysctl(ctl_table *table, int op) | |||
1799 | if (av) | 1800 | if (av) |
1800 | error = avc_has_perm(tsec->sid, tsid, | 1801 | error = avc_has_perm(tsec->sid, tsid, |
1801 | SECCLASS_FILE, av, NULL); | 1802 | SECCLASS_FILE, av, NULL); |
1802 | } | 1803 | } |
1803 | 1804 | ||
1804 | return error; | 1805 | return error; |
1805 | } | 1806 | } |
@@ -1812,25 +1813,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) | |||
1812 | return 0; | 1813 | return 0; |
1813 | 1814 | ||
1814 | switch (cmds) { | 1815 | switch (cmds) { |
1815 | case Q_SYNC: | 1816 | case Q_SYNC: |
1816 | case Q_QUOTAON: | 1817 | case Q_QUOTAON: |
1817 | case Q_QUOTAOFF: | 1818 | case Q_QUOTAOFF: |
1818 | case Q_SETINFO: | 1819 | case Q_SETINFO: |
1819 | case Q_SETQUOTA: | 1820 | case Q_SETQUOTA: |
1820 | rc = superblock_has_perm(current, | 1821 | rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD, |
1821 | sb, | 1822 | NULL); |
1822 | FILESYSTEM__QUOTAMOD, NULL); | 1823 | break; |
1823 | break; | 1824 | case Q_GETFMT: |
1824 | case Q_GETFMT: | 1825 | case Q_GETINFO: |
1825 | case Q_GETINFO: | 1826 | case Q_GETQUOTA: |
1826 | case Q_GETQUOTA: | 1827 | rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET, |
1827 | rc = superblock_has_perm(current, | 1828 | NULL); |
1828 | sb, | 1829 | break; |
1829 | FILESYSTEM__QUOTAGET, NULL); | 1830 | default: |
1830 | break; | 1831 | rc = 0; /* let the kernel handle invalid cmds */ |
1831 | default: | 1832 | break; |
1832 | rc = 0; /* let the kernel handle invalid cmds */ | ||
1833 | break; | ||
1834 | } | 1833 | } |
1835 | return rc; | 1834 | return rc; |
1836 | } | 1835 | } |
@@ -1849,23 +1848,23 @@ static int selinux_syslog(int type) | |||
1849 | return rc; | 1848 | return rc; |
1850 | 1849 | ||
1851 | switch (type) { | 1850 | switch (type) { |
1852 | case 3: /* Read last kernel messages */ | 1851 | case 3: /* Read last kernel messages */ |
1853 | case 10: /* Return size of the log buffer */ | 1852 | case 10: /* Return size of the log buffer */ |
1854 | rc = task_has_system(current, SYSTEM__SYSLOG_READ); | 1853 | rc = task_has_system(current, SYSTEM__SYSLOG_READ); |
1855 | break; | 1854 | break; |
1856 | case 6: /* Disable logging to console */ | 1855 | case 6: /* Disable logging to console */ |
1857 | case 7: /* Enable logging to console */ | 1856 | case 7: /* Enable logging to console */ |
1858 | case 8: /* Set level of messages printed to console */ | 1857 | case 8: /* Set level of messages printed to console */ |
1859 | rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); | 1858 | rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); |
1860 | break; | 1859 | break; |
1861 | case 0: /* Close log */ | 1860 | case 0: /* Close log */ |
1862 | case 1: /* Open log */ | 1861 | case 1: /* Open log */ |
1863 | case 2: /* Read from log */ | 1862 | case 2: /* Read from log */ |
1864 | case 4: /* Read/clear last kernel messages */ | 1863 | case 4: /* Read/clear last kernel messages */ |
1865 | case 5: /* Clear ring buffer */ | 1864 | case 5: /* Clear ring buffer */ |
1866 | default: | 1865 | default: |
1867 | rc = task_has_system(current, SYSTEM__SYSLOG_MOD); | 1866 | rc = task_has_system(current, SYSTEM__SYSLOG_MOD); |
1868 | break; | 1867 | break; |
1869 | } | 1868 | } |
1870 | return rc; | 1869 | return rc; |
1871 | } | 1870 | } |
@@ -1971,7 +1970,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) | |||
1971 | } else { | 1970 | } else { |
1972 | /* Check for a default transition on this program. */ | 1971 | /* Check for a default transition on this program. */ |
1973 | rc = security_transition_sid(tsec->sid, isec->sid, | 1972 | rc = security_transition_sid(tsec->sid, isec->sid, |
1974 | SECCLASS_PROCESS, &newsid); | 1973 | SECCLASS_PROCESS, &newsid); |
1975 | if (rc) | 1974 | if (rc) |
1976 | return rc; | 1975 | return rc; |
1977 | } | 1976 | } |
@@ -1982,7 +1981,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) | |||
1982 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) | 1981 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) |
1983 | newsid = tsec->sid; | 1982 | newsid = tsec->sid; |
1984 | 1983 | ||
1985 | if (tsec->sid == newsid) { | 1984 | if (tsec->sid == newsid) { |
1986 | rc = avc_has_perm(tsec->sid, isec->sid, | 1985 | rc = avc_has_perm(tsec->sid, isec->sid, |
1987 | SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); | 1986 | SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); |
1988 | if (rc) | 1987 | if (rc) |
@@ -2010,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) | |||
2010 | return 0; | 2009 | return 0; |
2011 | } | 2010 | } |
2012 | 2011 | ||
2013 | static int selinux_bprm_check_security (struct linux_binprm *bprm) | 2012 | static int selinux_bprm_check_security(struct linux_binprm *bprm) |
2014 | { | 2013 | { |
2015 | return secondary_ops->bprm_check_security(bprm); | 2014 | return secondary_ops->bprm_check_security(bprm); |
2016 | } | 2015 | } |
2017 | 2016 | ||
2018 | 2017 | ||
2019 | static int selinux_bprm_secureexec (struct linux_binprm *bprm) | 2018 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) |
2020 | { | 2019 | { |
2021 | struct task_security_struct *tsec = current->security; | 2020 | struct task_security_struct *tsec = current->security; |
2022 | int atsecure = 0; | 2021 | int atsecure = 0; |
@@ -2043,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount; | |||
2043 | extern struct dentry *selinux_null; | 2042 | extern struct dentry *selinux_null; |
2044 | 2043 | ||
2045 | /* Derived from fs/exec.c:flush_old_files. */ | 2044 | /* Derived from fs/exec.c:flush_old_files. */ |
2046 | static inline void flush_unauthorized_files(struct files_struct * files) | 2045 | static inline void flush_unauthorized_files(struct files_struct *files) |
2047 | { | 2046 | { |
2048 | struct avc_audit_data ad; | 2047 | struct avc_audit_data ad; |
2049 | struct file *file, *devnull = NULL; | 2048 | struct file *file, *devnull = NULL; |
@@ -2078,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) | |||
2078 | 2077 | ||
2079 | /* Revalidate access to inherited open files. */ | 2078 | /* Revalidate access to inherited open files. */ |
2080 | 2079 | ||
2081 | AVC_AUDIT_DATA_INIT(&ad,FS); | 2080 | AVC_AUDIT_DATA_INIT(&ad, FS); |
2082 | 2081 | ||
2083 | spin_lock(&files->file_lock); | 2082 | spin_lock(&files->file_lock); |
2084 | for (;;) { | 2083 | for (;;) { |
@@ -2094,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) | |||
2094 | if (!set) | 2093 | if (!set) |
2095 | continue; | 2094 | continue; |
2096 | spin_unlock(&files->file_lock); | 2095 | spin_unlock(&files->file_lock); |
2097 | for ( ; set ; i++,set >>= 1) { | 2096 | for ( ; set ; i++, set >>= 1) { |
2098 | if (set & 1) { | 2097 | if (set & 1) { |
2099 | file = fget(i); | 2098 | file = fget(i); |
2100 | if (!file) | 2099 | if (!file) |
@@ -2251,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) | |||
2251 | for (i = 0; i < RLIM_NLIMITS; i++) { | 2250 | for (i = 0; i < RLIM_NLIMITS; i++) { |
2252 | rlim = current->signal->rlim + i; | 2251 | rlim = current->signal->rlim + i; |
2253 | initrlim = init_task.signal->rlim+i; | 2252 | initrlim = init_task.signal->rlim+i; |
2254 | rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); | 2253 | rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); |
2255 | } | 2254 | } |
2256 | if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { | 2255 | if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { |
2257 | /* | 2256 | /* |
@@ -2306,16 +2305,15 @@ static inline void take_option(char **to, char *from, int *first, int len) | |||
2306 | *to += len; | 2305 | *to += len; |
2307 | } | 2306 | } |
2308 | 2307 | ||
2309 | static inline void take_selinux_option(char **to, char *from, int *first, | 2308 | static inline void take_selinux_option(char **to, char *from, int *first, |
2310 | int len) | 2309 | int len) |
2311 | { | 2310 | { |
2312 | int current_size = 0; | 2311 | int current_size = 0; |
2313 | 2312 | ||
2314 | if (!*first) { | 2313 | if (!*first) { |
2315 | **to = '|'; | 2314 | **to = '|'; |
2316 | *to += 1; | 2315 | *to += 1; |
2317 | } | 2316 | } else |
2318 | else | ||
2319 | *first = 0; | 2317 | *first = 0; |
2320 | 2318 | ||
2321 | while (current_size < len) { | 2319 | while (current_size < len) { |
@@ -2379,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data) | |||
2379 | if (rc) | 2377 | if (rc) |
2380 | return rc; | 2378 | return rc; |
2381 | 2379 | ||
2382 | AVC_AUDIT_DATA_INIT(&ad,FS); | 2380 | AVC_AUDIT_DATA_INIT(&ad, FS); |
2383 | ad.u.fs.path.dentry = sb->s_root; | 2381 | ad.u.fs.path.dentry = sb->s_root; |
2384 | return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); | 2382 | return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); |
2385 | } | 2383 | } |
@@ -2388,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry) | |||
2388 | { | 2386 | { |
2389 | struct avc_audit_data ad; | 2387 | struct avc_audit_data ad; |
2390 | 2388 | ||
2391 | AVC_AUDIT_DATA_INIT(&ad,FS); | 2389 | AVC_AUDIT_DATA_INIT(&ad, FS); |
2392 | ad.u.fs.path.dentry = dentry->d_sb->s_root; | 2390 | ad.u.fs.path.dentry = dentry->d_sb->s_root; |
2393 | return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); | 2391 | return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); |
2394 | } | 2392 | } |
2395 | 2393 | ||
2396 | static int selinux_mount(char * dev_name, | 2394 | static int selinux_mount(char *dev_name, |
2397 | struct nameidata *nd, | 2395 | struct nameidata *nd, |
2398 | char * type, | 2396 | char *type, |
2399 | unsigned long flags, | 2397 | unsigned long flags, |
2400 | void * data) | 2398 | void *data) |
2401 | { | 2399 | { |
2402 | int rc; | 2400 | int rc; |
2403 | 2401 | ||
@@ -2407,10 +2405,10 @@ static int selinux_mount(char * dev_name, | |||
2407 | 2405 | ||
2408 | if (flags & MS_REMOUNT) | 2406 | if (flags & MS_REMOUNT) |
2409 | return superblock_has_perm(current, nd->path.mnt->mnt_sb, | 2407 | return superblock_has_perm(current, nd->path.mnt->mnt_sb, |
2410 | FILESYSTEM__REMOUNT, NULL); | 2408 | FILESYSTEM__REMOUNT, NULL); |
2411 | else | 2409 | else |
2412 | return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, | 2410 | return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, |
2413 | FILE__MOUNTON); | 2411 | FILE__MOUNTON); |
2414 | } | 2412 | } |
2415 | 2413 | ||
2416 | static int selinux_umount(struct vfsmount *mnt, int flags) | 2414 | static int selinux_umount(struct vfsmount *mnt, int flags) |
@@ -2421,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags) | |||
2421 | if (rc) | 2419 | if (rc) |
2422 | return rc; | 2420 | return rc; |
2423 | 2421 | ||
2424 | return superblock_has_perm(current,mnt->mnt_sb, | 2422 | return superblock_has_perm(current, mnt->mnt_sb, |
2425 | FILESYSTEM__UNMOUNT,NULL); | 2423 | FILESYSTEM__UNMOUNT, NULL); |
2426 | } | 2424 | } |
2427 | 2425 | ||
2428 | /* inode security operations */ | 2426 | /* inode security operations */ |
@@ -2508,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru | |||
2508 | { | 2506 | { |
2509 | int rc; | 2507 | int rc; |
2510 | 2508 | ||
2511 | rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); | 2509 | rc = secondary_ops->inode_link(old_dentry, dir, new_dentry); |
2512 | if (rc) | 2510 | if (rc) |
2513 | return rc; | 2511 | return rc; |
2514 | return may_link(dir, old_dentry, MAY_LINK); | 2512 | return may_link(dir, old_dentry, MAY_LINK); |
@@ -2551,7 +2549,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod | |||
2551 | } | 2549 | } |
2552 | 2550 | ||
2553 | static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, | 2551 | static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, |
2554 | struct inode *new_inode, struct dentry *new_dentry) | 2552 | struct inode *new_inode, struct dentry *new_dentry) |
2555 | { | 2553 | { |
2556 | return may_rename(old_inode, old_dentry, new_inode, new_dentry); | 2554 | return may_rename(old_inode, old_dentry, new_inode, new_dentry); |
2557 | } | 2555 | } |
@@ -2565,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na | |||
2565 | { | 2563 | { |
2566 | int rc; | 2564 | int rc; |
2567 | 2565 | ||
2568 | rc = secondary_ops->inode_follow_link(dentry,nameidata); | 2566 | rc = secondary_ops->inode_follow_link(dentry, nameidata); |
2569 | if (rc) | 2567 | if (rc) |
2570 | return rc; | 2568 | return rc; |
2571 | return dentry_has_perm(current, NULL, dentry, FILE__READ); | 2569 | return dentry_has_perm(current, NULL, dentry, FILE__READ); |
@@ -2651,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value | |||
2651 | if (!is_owner_or_cap(inode)) | 2649 | if (!is_owner_or_cap(inode)) |
2652 | return -EPERM; | 2650 | return -EPERM; |
2653 | 2651 | ||
2654 | AVC_AUDIT_DATA_INIT(&ad,FS); | 2652 | AVC_AUDIT_DATA_INIT(&ad, FS); |
2655 | ad.u.fs.path.dentry = dentry; | 2653 | ad.u.fs.path.dentry = dentry; |
2656 | 2654 | ||
2657 | rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, | 2655 | rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, |
@@ -2669,7 +2667,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value | |||
2669 | return rc; | 2667 | return rc; |
2670 | 2668 | ||
2671 | rc = security_validate_transition(isec->sid, newsid, tsec->sid, | 2669 | rc = security_validate_transition(isec->sid, newsid, tsec->sid, |
2672 | isec->sclass); | 2670 | isec->sclass); |
2673 | if (rc) | 2671 | if (rc) |
2674 | return rc; | 2672 | return rc; |
2675 | 2673 | ||
@@ -2681,7 +2679,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value | |||
2681 | } | 2679 | } |
2682 | 2680 | ||
2683 | static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, | 2681 | static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, |
2684 | void *value, size_t size, int flags) | 2682 | void *value, size_t size, int flags) |
2685 | { | 2683 | { |
2686 | struct inode *inode = dentry->d_inode; | 2684 | struct inode *inode = dentry->d_inode; |
2687 | struct inode_security_struct *isec = inode->i_security; | 2685 | struct inode_security_struct *isec = inode->i_security; |
@@ -2704,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, | |||
2704 | return; | 2702 | return; |
2705 | } | 2703 | } |
2706 | 2704 | ||
2707 | static int selinux_inode_getxattr (struct dentry *dentry, char *name) | 2705 | static int selinux_inode_getxattr(struct dentry *dentry, char *name) |
2708 | { | 2706 | { |
2709 | return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); | 2707 | return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); |
2710 | } | 2708 | } |
2711 | 2709 | ||
2712 | static int selinux_inode_listxattr (struct dentry *dentry) | 2710 | static int selinux_inode_listxattr(struct dentry *dentry) |
2713 | { | 2711 | { |
2714 | return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); | 2712 | return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); |
2715 | } | 2713 | } |
2716 | 2714 | ||
2717 | static int selinux_inode_removexattr (struct dentry *dentry, char *name) | 2715 | static int selinux_inode_removexattr(struct dentry *dentry, char *name) |
2718 | { | 2716 | { |
2719 | if (strcmp(name, XATTR_NAME_SELINUX)) | 2717 | if (strcmp(name, XATTR_NAME_SELINUX)) |
2720 | return selinux_inode_setotherxattr(dentry, name); | 2718 | return selinux_inode_setotherxattr(dentry, name); |
@@ -2755,7 +2753,7 @@ out_nofree: | |||
2755 | } | 2753 | } |
2756 | 2754 | ||
2757 | static int selinux_inode_setsecurity(struct inode *inode, const char *name, | 2755 | static int selinux_inode_setsecurity(struct inode *inode, const char *name, |
2758 | const void *value, size_t size, int flags) | 2756 | const void *value, size_t size, int flags) |
2759 | { | 2757 | { |
2760 | struct inode_security_struct *isec = inode->i_security; | 2758 | struct inode_security_struct *isec = inode->i_security; |
2761 | u32 newsid; | 2759 | u32 newsid; |
@@ -2767,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, | |||
2767 | if (!value || !size) | 2765 | if (!value || !size) |
2768 | return -EACCES; | 2766 | return -EACCES; |
2769 | 2767 | ||
2770 | rc = security_context_to_sid((void*)value, size, &newsid); | 2768 | rc = security_context_to_sid((void *)value, size, &newsid); |
2771 | if (rc) | 2769 | if (rc) |
2772 | return rc; | 2770 | return rc; |
2773 | 2771 | ||
@@ -2858,42 +2856,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, | |||
2858 | int error = 0; | 2856 | int error = 0; |
2859 | 2857 | ||
2860 | switch (cmd) { | 2858 | switch (cmd) { |
2861 | case FIONREAD: | 2859 | case FIONREAD: |
2862 | /* fall through */ | 2860 | /* fall through */ |
2863 | case FIBMAP: | 2861 | case FIBMAP: |
2864 | /* fall through */ | 2862 | /* fall through */ |
2865 | case FIGETBSZ: | 2863 | case FIGETBSZ: |
2866 | /* fall through */ | 2864 | /* fall through */ |
2867 | case EXT2_IOC_GETFLAGS: | 2865 | case EXT2_IOC_GETFLAGS: |
2868 | /* fall through */ | 2866 | /* fall through */ |
2869 | case EXT2_IOC_GETVERSION: | 2867 | case EXT2_IOC_GETVERSION: |
2870 | error = file_has_perm(current, file, FILE__GETATTR); | 2868 | error = file_has_perm(current, file, FILE__GETATTR); |
2871 | break; | 2869 | break; |
2872 | |||
2873 | case EXT2_IOC_SETFLAGS: | ||
2874 | /* fall through */ | ||
2875 | case EXT2_IOC_SETVERSION: | ||
2876 | error = file_has_perm(current, file, FILE__SETATTR); | ||
2877 | break; | ||
2878 | 2870 | ||
2879 | /* sys_ioctl() checks */ | 2871 | case EXT2_IOC_SETFLAGS: |
2880 | case FIONBIO: | 2872 | /* fall through */ |
2881 | /* fall through */ | 2873 | case EXT2_IOC_SETVERSION: |
2882 | case FIOASYNC: | 2874 | error = file_has_perm(current, file, FILE__SETATTR); |
2883 | error = file_has_perm(current, file, 0); | 2875 | break; |
2884 | break; | ||
2885 | 2876 | ||
2886 | case KDSKBENT: | 2877 | /* sys_ioctl() checks */ |
2887 | case KDSKBSENT: | 2878 | case FIONBIO: |
2888 | error = task_has_capability(current,CAP_SYS_TTY_CONFIG); | 2879 | /* fall through */ |
2889 | break; | 2880 | case FIOASYNC: |
2881 | error = file_has_perm(current, file, 0); | ||
2882 | break; | ||
2890 | 2883 | ||
2891 | /* default case assumes that the command will go | 2884 | case KDSKBENT: |
2892 | * to the file's ioctl() function. | 2885 | case KDSKBSENT: |
2893 | */ | 2886 | error = task_has_capability(current, CAP_SYS_TTY_CONFIG); |
2894 | default: | 2887 | break; |
2895 | error = file_has_perm(current, file, FILE__IOCTL); | ||
2896 | 2888 | ||
2889 | /* default case assumes that the command will go | ||
2890 | * to the file's ioctl() function. | ||
2891 | */ | ||
2892 | default: | ||
2893 | error = file_has_perm(current, file, FILE__IOCTL); | ||
2897 | } | 2894 | } |
2898 | return error; | 2895 | return error; |
2899 | } | 2896 | } |
@@ -2934,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, | |||
2934 | unsigned long addr, unsigned long addr_only) | 2931 | unsigned long addr, unsigned long addr_only) |
2935 | { | 2932 | { |
2936 | int rc = 0; | 2933 | int rc = 0; |
2937 | u32 sid = ((struct task_security_struct*)(current->security))->sid; | 2934 | u32 sid = ((struct task_security_struct *)(current->security))->sid; |
2938 | 2935 | ||
2939 | if (addr < mmap_min_addr) | 2936 | if (addr < mmap_min_addr) |
2940 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, | 2937 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, |
@@ -3003,39 +3000,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd, | |||
3003 | int err = 0; | 3000 | int err = 0; |
3004 | 3001 | ||
3005 | switch (cmd) { | 3002 | switch (cmd) { |
3006 | case F_SETFL: | 3003 | case F_SETFL: |
3007 | if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { | 3004 | if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { |
3008 | err = -EINVAL; | 3005 | err = -EINVAL; |
3009 | break; | 3006 | break; |
3010 | } | 3007 | } |
3011 | 3008 | ||
3012 | if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { | 3009 | if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { |
3013 | err = file_has_perm(current, file,FILE__WRITE); | 3010 | err = file_has_perm(current, file, FILE__WRITE); |
3014 | break; | ||
3015 | } | ||
3016 | /* fall through */ | ||
3017 | case F_SETOWN: | ||
3018 | case F_SETSIG: | ||
3019 | case F_GETFL: | ||
3020 | case F_GETOWN: | ||
3021 | case F_GETSIG: | ||
3022 | /* Just check FD__USE permission */ | ||
3023 | err = file_has_perm(current, file, 0); | ||
3024 | break; | 3011 | break; |
3025 | case F_GETLK: | 3012 | } |
3026 | case F_SETLK: | 3013 | /* fall through */ |
3027 | case F_SETLKW: | 3014 | case F_SETOWN: |
3015 | case F_SETSIG: | ||
3016 | case F_GETFL: | ||
3017 | case F_GETOWN: | ||
3018 | case F_GETSIG: | ||
3019 | /* Just check FD__USE permission */ | ||
3020 | err = file_has_perm(current, file, 0); | ||
3021 | break; | ||
3022 | case F_GETLK: | ||
3023 | case F_SETLK: | ||
3024 | case F_SETLKW: | ||
3028 | #if BITS_PER_LONG == 32 | 3025 | #if BITS_PER_LONG == 32 |
3029 | case F_GETLK64: | 3026 | case F_GETLK64: |
3030 | case F_SETLK64: | 3027 | case F_SETLK64: |
3031 | case F_SETLKW64: | 3028 | case F_SETLKW64: |
3032 | #endif | 3029 | #endif |
3033 | if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { | 3030 | if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { |
3034 | err = -EINVAL; | 3031 | err = -EINVAL; |
3035 | break; | ||
3036 | } | ||
3037 | err = file_has_perm(current, file, FILE__LOCK); | ||
3038 | break; | 3032 | break; |
3033 | } | ||
3034 | err = file_has_perm(current, file, FILE__LOCK); | ||
3035 | break; | ||
3039 | } | 3036 | } |
3040 | 3037 | ||
3041 | return err; | 3038 | return err; |
@@ -3056,13 +3053,13 @@ static int selinux_file_set_fowner(struct file *file) | |||
3056 | static int selinux_file_send_sigiotask(struct task_struct *tsk, | 3053 | static int selinux_file_send_sigiotask(struct task_struct *tsk, |
3057 | struct fown_struct *fown, int signum) | 3054 | struct fown_struct *fown, int signum) |
3058 | { | 3055 | { |
3059 | struct file *file; | 3056 | struct file *file; |
3060 | u32 perm; | 3057 | u32 perm; |
3061 | struct task_security_struct *tsec; | 3058 | struct task_security_struct *tsec; |
3062 | struct file_security_struct *fsec; | 3059 | struct file_security_struct *fsec; |
3063 | 3060 | ||
3064 | /* struct fown_struct is never outside the context of a struct file */ | 3061 | /* struct fown_struct is never outside the context of a struct file */ |
3065 | file = container_of(fown, struct file, f_owner); | 3062 | file = container_of(fown, struct file, f_owner); |
3066 | 3063 | ||
3067 | tsec = tsk->security; | 3064 | tsec = tsk->security; |
3068 | fsec = file->f_security; | 3065 | fsec = file->f_security; |
@@ -3164,7 +3161,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | |||
3164 | 3161 | ||
3165 | static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | 3162 | static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) |
3166 | { | 3163 | { |
3167 | return secondary_ops->task_post_setuid(id0,id1,id2,flags); | 3164 | return secondary_ops->task_post_setuid(id0, id1, id2, flags); |
3168 | } | 3165 | } |
3169 | 3166 | ||
3170 | static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) | 3167 | static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) |
@@ -3208,7 +3205,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice) | |||
3208 | if (rc) | 3205 | if (rc) |
3209 | return rc; | 3206 | return rc; |
3210 | 3207 | ||
3211 | return task_has_perm(current,p, PROCESS__SETSCHED); | 3208 | return task_has_perm(current, p, PROCESS__SETSCHED); |
3212 | } | 3209 | } |
3213 | 3210 | ||
3214 | static int selinux_task_setioprio(struct task_struct *p, int ioprio) | 3211 | static int selinux_task_setioprio(struct task_struct *p, int ioprio) |
@@ -3312,7 +3309,7 @@ static int selinux_task_wait(struct task_struct *p) | |||
3312 | 3309 | ||
3313 | static void selinux_task_reparent_to_init(struct task_struct *p) | 3310 | static void selinux_task_reparent_to_init(struct task_struct *p) |
3314 | { | 3311 | { |
3315 | struct task_security_struct *tsec; | 3312 | struct task_security_struct *tsec; |
3316 | 3313 | ||
3317 | secondary_ops->task_reparent_to_init(p); | 3314 | secondary_ops->task_reparent_to_init(p); |
3318 | 3315 | ||
@@ -3357,11 +3354,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, | |||
3357 | *proto = ih->protocol; | 3354 | *proto = ih->protocol; |
3358 | 3355 | ||
3359 | switch (ih->protocol) { | 3356 | switch (ih->protocol) { |
3360 | case IPPROTO_TCP: { | 3357 | case IPPROTO_TCP: { |
3361 | struct tcphdr _tcph, *th; | 3358 | struct tcphdr _tcph, *th; |
3362 | 3359 | ||
3363 | if (ntohs(ih->frag_off) & IP_OFFSET) | 3360 | if (ntohs(ih->frag_off) & IP_OFFSET) |
3364 | break; | 3361 | break; |
3365 | 3362 | ||
3366 | offset += ihlen; | 3363 | offset += ihlen; |
3367 | th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); | 3364 | th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); |
@@ -3371,23 +3368,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, | |||
3371 | ad->u.net.sport = th->source; | 3368 | ad->u.net.sport = th->source; |
3372 | ad->u.net.dport = th->dest; | 3369 | ad->u.net.dport = th->dest; |
3373 | break; | 3370 | break; |
3374 | } | 3371 | } |
3375 | 3372 | ||
3376 | case IPPROTO_UDP: { | 3373 | case IPPROTO_UDP: { |
3377 | struct udphdr _udph, *uh; | 3374 | struct udphdr _udph, *uh; |
3378 | 3375 | ||
3379 | if (ntohs(ih->frag_off) & IP_OFFSET) | 3376 | if (ntohs(ih->frag_off) & IP_OFFSET) |
3380 | break; | 3377 | break; |
3381 | 3378 | ||
3382 | offset += ihlen; | 3379 | offset += ihlen; |
3383 | uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); | 3380 | uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); |
3384 | if (uh == NULL) | 3381 | if (uh == NULL) |
3385 | break; | 3382 | break; |
3386 | 3383 | ||
3387 | ad->u.net.sport = uh->source; | 3384 | ad->u.net.sport = uh->source; |
3388 | ad->u.net.dport = uh->dest; | 3385 | ad->u.net.dport = uh->dest; |
3389 | break; | 3386 | break; |
3390 | } | 3387 | } |
3391 | 3388 | ||
3392 | case IPPROTO_DCCP: { | 3389 | case IPPROTO_DCCP: { |
3393 | struct dccp_hdr _dccph, *dh; | 3390 | struct dccp_hdr _dccph, *dh; |
@@ -3403,11 +3400,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, | |||
3403 | ad->u.net.sport = dh->dccph_sport; | 3400 | ad->u.net.sport = dh->dccph_sport; |
3404 | ad->u.net.dport = dh->dccph_dport; | 3401 | ad->u.net.dport = dh->dccph_dport; |
3405 | break; | 3402 | break; |
3406 | } | 3403 | } |
3407 | 3404 | ||
3408 | default: | 3405 | default: |
3409 | break; | 3406 | break; |
3410 | } | 3407 | } |
3411 | out: | 3408 | out: |
3412 | return ret; | 3409 | return ret; |
3413 | } | 3410 | } |
@@ -3442,7 +3439,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, | |||
3442 | 3439 | ||
3443 | switch (nexthdr) { | 3440 | switch (nexthdr) { |
3444 | case IPPROTO_TCP: { | 3441 | case IPPROTO_TCP: { |
3445 | struct tcphdr _tcph, *th; | 3442 | struct tcphdr _tcph, *th; |
3446 | 3443 | ||
3447 | th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); | 3444 | th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); |
3448 | if (th == NULL) | 3445 | if (th == NULL) |
@@ -3475,7 +3472,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, | |||
3475 | ad->u.net.sport = dh->dccph_sport; | 3472 | ad->u.net.sport = dh->dccph_sport; |
3476 | ad->u.net.dport = dh->dccph_dport; | 3473 | ad->u.net.dport = dh->dccph_dport; |
3477 | break; | 3474 | break; |
3478 | } | 3475 | } |
3479 | 3476 | ||
3480 | /* includes fragments */ | 3477 | /* includes fragments */ |
3481 | default: | 3478 | default: |
@@ -3573,7 +3570,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
3573 | if (isec->sid == SECINITSID_KERNEL) | 3570 | if (isec->sid == SECINITSID_KERNEL) |
3574 | goto out; | 3571 | goto out; |
3575 | 3572 | ||
3576 | AVC_AUDIT_DATA_INIT(&ad,NET); | 3573 | AVC_AUDIT_DATA_INIT(&ad, NET); |
3577 | ad.u.net.sk = sock->sk; | 3574 | ad.u.net.sk = sock->sk; |
3578 | err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); | 3575 | err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); |
3579 | 3576 | ||
@@ -3683,7 +3680,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3683 | snum, &sid); | 3680 | snum, &sid); |
3684 | if (err) | 3681 | if (err) |
3685 | goto out; | 3682 | goto out; |
3686 | AVC_AUDIT_DATA_INIT(&ad,NET); | 3683 | AVC_AUDIT_DATA_INIT(&ad, NET); |
3687 | ad.u.net.sport = htons(snum); | 3684 | ad.u.net.sport = htons(snum); |
3688 | ad.u.net.family = family; | 3685 | ad.u.net.family = family; |
3689 | err = avc_has_perm(isec->sid, sid, | 3686 | err = avc_has_perm(isec->sid, sid, |
@@ -3693,12 +3690,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3693 | goto out; | 3690 | goto out; |
3694 | } | 3691 | } |
3695 | } | 3692 | } |
3696 | 3693 | ||
3697 | switch(isec->sclass) { | 3694 | switch (isec->sclass) { |
3698 | case SECCLASS_TCP_SOCKET: | 3695 | case SECCLASS_TCP_SOCKET: |
3699 | node_perm = TCP_SOCKET__NODE_BIND; | 3696 | node_perm = TCP_SOCKET__NODE_BIND; |
3700 | break; | 3697 | break; |
3701 | 3698 | ||
3702 | case SECCLASS_UDP_SOCKET: | 3699 | case SECCLASS_UDP_SOCKET: |
3703 | node_perm = UDP_SOCKET__NODE_BIND; | 3700 | node_perm = UDP_SOCKET__NODE_BIND; |
3704 | break; | 3701 | break; |
@@ -3711,12 +3708,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3711 | node_perm = RAWIP_SOCKET__NODE_BIND; | 3708 | node_perm = RAWIP_SOCKET__NODE_BIND; |
3712 | break; | 3709 | break; |
3713 | } | 3710 | } |
3714 | 3711 | ||
3715 | err = sel_netnode_sid(addrp, family, &sid); | 3712 | err = sel_netnode_sid(addrp, family, &sid); |
3716 | if (err) | 3713 | if (err) |
3717 | goto out; | 3714 | goto out; |
3718 | 3715 | ||
3719 | AVC_AUDIT_DATA_INIT(&ad,NET); | 3716 | AVC_AUDIT_DATA_INIT(&ad, NET); |
3720 | ad.u.net.sport = htons(snum); | 3717 | ad.u.net.sport = htons(snum); |
3721 | ad.u.net.family = family; | 3718 | ad.u.net.family = family; |
3722 | 3719 | ||
@@ -3726,7 +3723,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3726 | ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); | 3723 | ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); |
3727 | 3724 | ||
3728 | err = avc_has_perm(isec->sid, sid, | 3725 | err = avc_has_perm(isec->sid, sid, |
3729 | isec->sclass, node_perm, &ad); | 3726 | isec->sclass, node_perm, &ad); |
3730 | if (err) | 3727 | if (err) |
3731 | goto out; | 3728 | goto out; |
3732 | } | 3729 | } |
@@ -3775,7 +3772,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, | |||
3775 | perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? | 3772 | perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? |
3776 | TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; | 3773 | TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; |
3777 | 3774 | ||
3778 | AVC_AUDIT_DATA_INIT(&ad,NET); | 3775 | AVC_AUDIT_DATA_INIT(&ad, NET); |
3779 | ad.u.net.dport = htons(snum); | 3776 | ad.u.net.dport = htons(snum); |
3780 | ad.u.net.family = sk->sk_family; | 3777 | ad.u.net.family = sk->sk_family; |
3781 | err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); | 3778 | err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); |
@@ -3813,7 +3810,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) | |||
3813 | } | 3810 | } |
3814 | 3811 | ||
3815 | static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, | 3812 | static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, |
3816 | int size) | 3813 | int size) |
3817 | { | 3814 | { |
3818 | int rc; | 3815 | int rc; |
3819 | 3816 | ||
@@ -3840,7 +3837,7 @@ static int selinux_socket_getpeername(struct socket *sock) | |||
3840 | return socket_has_perm(current, sock, SOCKET__GETATTR); | 3837 | return socket_has_perm(current, sock, SOCKET__GETATTR); |
3841 | } | 3838 | } |
3842 | 3839 | ||
3843 | static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) | 3840 | static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) |
3844 | { | 3841 | { |
3845 | int err; | 3842 | int err; |
3846 | 3843 | ||
@@ -3879,7 +3876,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, | |||
3879 | isec = SOCK_INODE(sock)->i_security; | 3876 | isec = SOCK_INODE(sock)->i_security; |
3880 | other_isec = SOCK_INODE(other)->i_security; | 3877 | other_isec = SOCK_INODE(other)->i_security; |
3881 | 3878 | ||
3882 | AVC_AUDIT_DATA_INIT(&ad,NET); | 3879 | AVC_AUDIT_DATA_INIT(&ad, NET); |
3883 | ad.u.net.sk = other->sk; | 3880 | ad.u.net.sk = other->sk; |
3884 | 3881 | ||
3885 | err = avc_has_perm(isec->sid, other_isec->sid, | 3882 | err = avc_has_perm(isec->sid, other_isec->sid, |
@@ -3891,7 +3888,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, | |||
3891 | /* connecting socket */ | 3888 | /* connecting socket */ |
3892 | ssec = sock->sk->sk_security; | 3889 | ssec = sock->sk->sk_security; |
3893 | ssec->peer_sid = other_isec->sid; | 3890 | ssec->peer_sid = other_isec->sid; |
3894 | 3891 | ||
3895 | /* server child socket */ | 3892 | /* server child socket */ |
3896 | ssec = newsk->sk_security; | 3893 | ssec = newsk->sk_security; |
3897 | ssec->peer_sid = isec->sid; | 3894 | ssec->peer_sid = isec->sid; |
@@ -3911,7 +3908,7 @@ static int selinux_socket_unix_may_send(struct socket *sock, | |||
3911 | isec = SOCK_INODE(sock)->i_security; | 3908 | isec = SOCK_INODE(sock)->i_security; |
3912 | other_isec = SOCK_INODE(other)->i_security; | 3909 | other_isec = SOCK_INODE(other)->i_security; |
3913 | 3910 | ||
3914 | AVC_AUDIT_DATA_INIT(&ad,NET); | 3911 | AVC_AUDIT_DATA_INIT(&ad, NET); |
3915 | ad.u.net.sk = other->sk; | 3912 | ad.u.net.sk = other->sk; |
3916 | 3913 | ||
3917 | err = avc_has_perm(isec->sid, other_isec->sid, | 3914 | err = avc_has_perm(isec->sid, other_isec->sid, |
@@ -3989,7 +3986,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, | |||
3989 | err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); | 3986 | err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); |
3990 | if (err) | 3987 | if (err) |
3991 | return err; | 3988 | return err; |
3992 | 3989 | ||
3993 | err = sel_netnode_sid(addrp, family, &node_sid); | 3990 | err = sel_netnode_sid(addrp, family, &node_sid); |
3994 | if (err) | 3991 | if (err) |
3995 | return err; | 3992 | return err; |
@@ -4140,7 +4137,7 @@ out_len: | |||
4140 | err = -EFAULT; | 4137 | err = -EFAULT; |
4141 | 4138 | ||
4142 | kfree(scontext); | 4139 | kfree(scontext); |
4143 | out: | 4140 | out: |
4144 | return err; | 4141 | return err; |
4145 | } | 4142 | } |
4146 | 4143 | ||
@@ -4201,7 +4198,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid) | |||
4201 | } | 4198 | } |
4202 | } | 4199 | } |
4203 | 4200 | ||
4204 | static void selinux_sock_graft(struct sock* sk, struct socket *parent) | 4201 | static void selinux_sock_graft(struct sock *sk, struct socket *parent) |
4205 | { | 4202 | { |
4206 | struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; | 4203 | struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; |
4207 | struct sk_security_struct *sksec = sk->sk_security; | 4204 | struct sk_security_struct *sksec = sk->sk_security; |
@@ -4278,13 +4275,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) | |||
4278 | struct nlmsghdr *nlh; | 4275 | struct nlmsghdr *nlh; |
4279 | struct socket *sock = sk->sk_socket; | 4276 | struct socket *sock = sk->sk_socket; |
4280 | struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; | 4277 | struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; |
4281 | 4278 | ||
4282 | if (skb->len < NLMSG_SPACE(0)) { | 4279 | if (skb->len < NLMSG_SPACE(0)) { |
4283 | err = -EINVAL; | 4280 | err = -EINVAL; |
4284 | goto out; | 4281 | goto out; |
4285 | } | 4282 | } |
4286 | nlh = nlmsg_hdr(skb); | 4283 | nlh = nlmsg_hdr(skb); |
4287 | 4284 | ||
4288 | err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); | 4285 | err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); |
4289 | if (err) { | 4286 | if (err) { |
4290 | if (err == -EINVAL) { | 4287 | if (err == -EINVAL) { |
@@ -4410,7 +4407,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk, | |||
4410 | return err; | 4407 | return err; |
4411 | err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); | 4408 | err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); |
4412 | return err; | 4409 | return err; |
4413 | 4410 | ||
4414 | err = sel_netnode_sid(addrp, family, &node_sid); | 4411 | err = sel_netnode_sid(addrp, family, &node_sid); |
4415 | if (err) | 4412 | if (err) |
4416 | return err; | 4413 | return err; |
@@ -4593,7 +4590,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability) | |||
4593 | ad.u.cap = capability; | 4590 | ad.u.cap = capability; |
4594 | 4591 | ||
4595 | return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, | 4592 | return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, |
4596 | SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); | 4593 | SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); |
4597 | } | 4594 | } |
4598 | 4595 | ||
4599 | static int ipc_alloc_security(struct task_struct *task, | 4596 | static int ipc_alloc_security(struct task_struct *task, |
@@ -4685,7 +4682,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | |||
4685 | isec = msq->q_perm.security; | 4682 | isec = msq->q_perm.security; |
4686 | 4683 | ||
4687 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4684 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
4688 | ad.u.ipc_id = msq->q_perm.key; | 4685 | ad.u.ipc_id = msq->q_perm.key; |
4689 | 4686 | ||
4690 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, | 4687 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, |
4691 | MSGQ__CREATE, &ad); | 4688 | MSGQ__CREATE, &ad); |
@@ -4722,7 +4719,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) | |||
4722 | int err; | 4719 | int err; |
4723 | int perms; | 4720 | int perms; |
4724 | 4721 | ||
4725 | switch(cmd) { | 4722 | switch (cmd) { |
4726 | case IPC_INFO: | 4723 | case IPC_INFO: |
4727 | case MSG_INFO: | 4724 | case MSG_INFO: |
4728 | /* No specific object, just general system-wide information. */ | 4725 | /* No specific object, just general system-wide information. */ |
@@ -4806,7 +4803,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
4806 | msec = msg->security; | 4803 | msec = msg->security; |
4807 | 4804 | ||
4808 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4805 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
4809 | ad.u.ipc_id = msq->q_perm.key; | 4806 | ad.u.ipc_id = msq->q_perm.key; |
4810 | 4807 | ||
4811 | rc = avc_has_perm(tsec->sid, isec->sid, | 4808 | rc = avc_has_perm(tsec->sid, isec->sid, |
4812 | SECCLASS_MSGQ, MSGQ__READ, &ad); | 4809 | SECCLASS_MSGQ, MSGQ__READ, &ad); |
@@ -4832,7 +4829,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) | |||
4832 | isec = shp->shm_perm.security; | 4829 | isec = shp->shm_perm.security; |
4833 | 4830 | ||
4834 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4831 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
4835 | ad.u.ipc_id = shp->shm_perm.key; | 4832 | ad.u.ipc_id = shp->shm_perm.key; |
4836 | 4833 | ||
4837 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, | 4834 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, |
4838 | SHM__CREATE, &ad); | 4835 | SHM__CREATE, &ad); |
@@ -4870,7 +4867,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) | |||
4870 | int perms; | 4867 | int perms; |
4871 | int err; | 4868 | int err; |
4872 | 4869 | ||
4873 | switch(cmd) { | 4870 | switch (cmd) { |
4874 | case IPC_INFO: | 4871 | case IPC_INFO: |
4875 | case SHM_INFO: | 4872 | case SHM_INFO: |
4876 | /* No specific object, just general system-wide information. */ | 4873 | /* No specific object, just general system-wide information. */ |
@@ -4931,7 +4928,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) | |||
4931 | isec = sma->sem_perm.security; | 4928 | isec = sma->sem_perm.security; |
4932 | 4929 | ||
4933 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4930 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
4934 | ad.u.ipc_id = sma->sem_perm.key; | 4931 | ad.u.ipc_id = sma->sem_perm.key; |
4935 | 4932 | ||
4936 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, | 4933 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, |
4937 | SEM__CREATE, &ad); | 4934 | SEM__CREATE, &ad); |
@@ -4969,7 +4966,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd) | |||
4969 | int err; | 4966 | int err; |
4970 | u32 perms; | 4967 | u32 perms; |
4971 | 4968 | ||
4972 | switch(cmd) { | 4969 | switch (cmd) { |
4973 | case IPC_INFO: | 4970 | case IPC_INFO: |
4974 | case SEM_INFO: | 4971 | case SEM_INFO: |
4975 | /* No specific object, just general system-wide information. */ | 4972 | /* No specific object, just general system-wide information. */ |
@@ -5041,13 +5038,13 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) | |||
5041 | } | 5038 | } |
5042 | 5039 | ||
5043 | /* module stacking operations */ | 5040 | /* module stacking operations */ |
5044 | static int selinux_register_security (const char *name, struct security_operations *ops) | 5041 | static int selinux_register_security(const char *name, struct security_operations *ops) |
5045 | { | 5042 | { |
5046 | if (secondary_ops != original_ops) { | 5043 | if (secondary_ops != original_ops) { |
5047 | printk(KERN_ERR "%s: There is already a secondary security " | 5044 | printk(KERN_ERR "%s: There is already a secondary security " |
5048 | "module registered.\n", __func__); | 5045 | "module registered.\n", __func__); |
5049 | return -EINVAL; | 5046 | return -EINVAL; |
5050 | } | 5047 | } |
5051 | 5048 | ||
5052 | secondary_ops = ops; | 5049 | secondary_ops = ops; |
5053 | 5050 | ||
@@ -5058,7 +5055,7 @@ static int selinux_register_security (const char *name, struct security_operatio | |||
5058 | return 0; | 5055 | return 0; |
5059 | } | 5056 | } |
5060 | 5057 | ||
5061 | static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) | 5058 | static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) |
5062 | { | 5059 | { |
5063 | if (inode) | 5060 | if (inode) |
5064 | inode_doinit_with_dentry(inode, dentry); | 5061 | inode_doinit_with_dentry(inode, dentry); |
@@ -5186,11 +5183,11 @@ static int selinux_setprocattr(struct task_struct *p, | |||
5186 | } | 5183 | } |
5187 | while_each_thread(g, t); | 5184 | while_each_thread(g, t); |
5188 | read_unlock(&tasklist_lock); | 5185 | read_unlock(&tasklist_lock); |
5189 | } | 5186 | } |
5190 | 5187 | ||
5191 | /* Check permissions for the transition. */ | 5188 | /* Check permissions for the transition. */ |
5192 | error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, | 5189 | error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, |
5193 | PROCESS__DYNTRANSITION, NULL); | 5190 | PROCESS__DYNTRANSITION, NULL); |
5194 | if (error) | 5191 | if (error) |
5195 | return error; | 5192 | return error; |
5196 | 5193 | ||
@@ -5218,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p, | |||
5218 | tsec->sid = sid; | 5215 | tsec->sid = sid; |
5219 | task_unlock(p); | 5216 | task_unlock(p); |
5220 | } | 5217 | } |
5221 | } | 5218 | } else |
5222 | else | ||
5223 | return -EINVAL; | 5219 | return -EINVAL; |
5224 | 5220 | ||
5225 | return size; | 5221 | return size; |
@@ -5309,7 +5305,7 @@ static struct security_operations selinux_ops = { | |||
5309 | .vm_enough_memory = selinux_vm_enough_memory, | 5305 | .vm_enough_memory = selinux_vm_enough_memory, |
5310 | 5306 | ||
5311 | .netlink_send = selinux_netlink_send, | 5307 | .netlink_send = selinux_netlink_send, |
5312 | .netlink_recv = selinux_netlink_recv, | 5308 | .netlink_recv = selinux_netlink_recv, |
5313 | 5309 | ||
5314 | .bprm_alloc_security = selinux_bprm_alloc_security, | 5310 | .bprm_alloc_security = selinux_bprm_alloc_security, |
5315 | .bprm_free_security = selinux_bprm_free_security, | 5311 | .bprm_free_security = selinux_bprm_free_security, |
@@ -5322,13 +5318,13 @@ static struct security_operations selinux_ops = { | |||
5322 | .sb_alloc_security = selinux_sb_alloc_security, | 5318 | .sb_alloc_security = selinux_sb_alloc_security, |
5323 | .sb_free_security = selinux_sb_free_security, | 5319 | .sb_free_security = selinux_sb_free_security, |
5324 | .sb_copy_data = selinux_sb_copy_data, | 5320 | .sb_copy_data = selinux_sb_copy_data, |
5325 | .sb_kern_mount = selinux_sb_kern_mount, | 5321 | .sb_kern_mount = selinux_sb_kern_mount, |
5326 | .sb_statfs = selinux_sb_statfs, | 5322 | .sb_statfs = selinux_sb_statfs, |
5327 | .sb_mount = selinux_mount, | 5323 | .sb_mount = selinux_mount, |
5328 | .sb_umount = selinux_umount, | 5324 | .sb_umount = selinux_umount, |
5329 | .sb_get_mnt_opts = selinux_get_mnt_opts, | 5325 | .sb_get_mnt_opts = selinux_get_mnt_opts, |
5330 | .sb_set_mnt_opts = selinux_set_mnt_opts, | 5326 | .sb_set_mnt_opts = selinux_set_mnt_opts, |
5331 | .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, | 5327 | .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, |
5332 | .sb_parse_opts_str = selinux_parse_opts_str, | 5328 | .sb_parse_opts_str = selinux_parse_opts_str, |
5333 | 5329 | ||
5334 | 5330 | ||
@@ -5353,9 +5349,9 @@ static struct security_operations selinux_ops = { | |||
5353 | .inode_getxattr = selinux_inode_getxattr, | 5349 | .inode_getxattr = selinux_inode_getxattr, |
5354 | .inode_listxattr = selinux_inode_listxattr, | 5350 | .inode_listxattr = selinux_inode_listxattr, |
5355 | .inode_removexattr = selinux_inode_removexattr, | 5351 | .inode_removexattr = selinux_inode_removexattr, |
5356 | .inode_getsecurity = selinux_inode_getsecurity, | 5352 | .inode_getsecurity = selinux_inode_getsecurity, |
5357 | .inode_setsecurity = selinux_inode_setsecurity, | 5353 | .inode_setsecurity = selinux_inode_setsecurity, |
5358 | .inode_listsecurity = selinux_inode_listsecurity, | 5354 | .inode_listsecurity = selinux_inode_listsecurity, |
5359 | .inode_need_killpriv = selinux_inode_need_killpriv, | 5355 | .inode_need_killpriv = selinux_inode_need_killpriv, |
5360 | .inode_killpriv = selinux_inode_killpriv, | 5356 | .inode_killpriv = selinux_inode_killpriv, |
5361 | .inode_getsecid = selinux_inode_getsecid, | 5357 | .inode_getsecid = selinux_inode_getsecid, |
@@ -5372,7 +5368,7 @@ static struct security_operations selinux_ops = { | |||
5372 | .file_send_sigiotask = selinux_file_send_sigiotask, | 5368 | .file_send_sigiotask = selinux_file_send_sigiotask, |
5373 | .file_receive = selinux_file_receive, | 5369 | .file_receive = selinux_file_receive, |
5374 | 5370 | ||
5375 | .dentry_open = selinux_dentry_open, | 5371 | .dentry_open = selinux_dentry_open, |
5376 | 5372 | ||
5377 | .task_create = selinux_task_create, | 5373 | .task_create = selinux_task_create, |
5378 | .task_alloc_security = selinux_task_alloc_security, | 5374 | .task_alloc_security = selinux_task_alloc_security, |
@@ -5382,7 +5378,7 @@ static struct security_operations selinux_ops = { | |||
5382 | .task_setgid = selinux_task_setgid, | 5378 | .task_setgid = selinux_task_setgid, |
5383 | .task_setpgid = selinux_task_setpgid, | 5379 | .task_setpgid = selinux_task_setpgid, |
5384 | .task_getpgid = selinux_task_getpgid, | 5380 | .task_getpgid = selinux_task_getpgid, |
5385 | .task_getsid = selinux_task_getsid, | 5381 | .task_getsid = selinux_task_getsid, |
5386 | .task_getsecid = selinux_task_getsecid, | 5382 | .task_getsecid = selinux_task_getsecid, |
5387 | .task_setgroups = selinux_task_setgroups, | 5383 | .task_setgroups = selinux_task_setgroups, |
5388 | .task_setnice = selinux_task_setnice, | 5384 | .task_setnice = selinux_task_setnice, |
@@ -5396,7 +5392,7 @@ static struct security_operations selinux_ops = { | |||
5396 | .task_wait = selinux_task_wait, | 5392 | .task_wait = selinux_task_wait, |
5397 | .task_prctl = selinux_task_prctl, | 5393 | .task_prctl = selinux_task_prctl, |
5398 | .task_reparent_to_init = selinux_task_reparent_to_init, | 5394 | .task_reparent_to_init = selinux_task_reparent_to_init, |
5399 | .task_to_inode = selinux_task_to_inode, | 5395 | .task_to_inode = selinux_task_to_inode, |
5400 | 5396 | ||
5401 | .ipc_permission = selinux_ipc_permission, | 5397 | .ipc_permission = selinux_ipc_permission, |
5402 | .ipc_getsecid = selinux_ipc_getsecid, | 5398 | .ipc_getsecid = selinux_ipc_getsecid, |
@@ -5417,24 +5413,24 @@ static struct security_operations selinux_ops = { | |||
5417 | .shm_shmctl = selinux_shm_shmctl, | 5413 | .shm_shmctl = selinux_shm_shmctl, |
5418 | .shm_shmat = selinux_shm_shmat, | 5414 | .shm_shmat = selinux_shm_shmat, |
5419 | 5415 | ||
5420 | .sem_alloc_security = selinux_sem_alloc_security, | 5416 | .sem_alloc_security = selinux_sem_alloc_security, |
5421 | .sem_free_security = selinux_sem_free_security, | 5417 | .sem_free_security = selinux_sem_free_security, |
5422 | .sem_associate = selinux_sem_associate, | 5418 | .sem_associate = selinux_sem_associate, |
5423 | .sem_semctl = selinux_sem_semctl, | 5419 | .sem_semctl = selinux_sem_semctl, |
5424 | .sem_semop = selinux_sem_semop, | 5420 | .sem_semop = selinux_sem_semop, |
5425 | 5421 | ||
5426 | .register_security = selinux_register_security, | 5422 | .register_security = selinux_register_security, |
5427 | 5423 | ||
5428 | .d_instantiate = selinux_d_instantiate, | 5424 | .d_instantiate = selinux_d_instantiate, |
5429 | 5425 | ||
5430 | .getprocattr = selinux_getprocattr, | 5426 | .getprocattr = selinux_getprocattr, |
5431 | .setprocattr = selinux_setprocattr, | 5427 | .setprocattr = selinux_setprocattr, |
5432 | 5428 | ||
5433 | .secid_to_secctx = selinux_secid_to_secctx, | 5429 | .secid_to_secctx = selinux_secid_to_secctx, |
5434 | .secctx_to_secid = selinux_secctx_to_secid, | 5430 | .secctx_to_secid = selinux_secctx_to_secid, |
5435 | .release_secctx = selinux_release_secctx, | 5431 | .release_secctx = selinux_release_secctx, |
5436 | 5432 | ||
5437 | .unix_stream_connect = selinux_socket_unix_stream_connect, | 5433 | .unix_stream_connect = selinux_socket_unix_stream_connect, |
5438 | .unix_may_send = selinux_socket_unix_may_send, | 5434 | .unix_may_send = selinux_socket_unix_may_send, |
5439 | 5435 | ||
5440 | .socket_create = selinux_socket_create, | 5436 | .socket_create = selinux_socket_create, |
@@ -5456,7 +5452,7 @@ static struct security_operations selinux_ops = { | |||
5456 | .sk_alloc_security = selinux_sk_alloc_security, | 5452 | .sk_alloc_security = selinux_sk_alloc_security, |
5457 | .sk_free_security = selinux_sk_free_security, | 5453 | .sk_free_security = selinux_sk_free_security, |
5458 | .sk_clone_security = selinux_sk_clone_security, | 5454 | .sk_clone_security = selinux_sk_clone_security, |
5459 | .sk_getsecid = selinux_sk_getsecid, | 5455 | .sk_getsecid = selinux_sk_getsecid, |
5460 | .sock_graft = selinux_sock_graft, | 5456 | .sock_graft = selinux_sock_graft, |
5461 | .inet_conn_request = selinux_inet_conn_request, | 5457 | .inet_conn_request = selinux_inet_conn_request, |
5462 | .inet_csk_clone = selinux_inet_csk_clone, | 5458 | .inet_csk_clone = selinux_inet_csk_clone, |
@@ -5471,15 +5467,15 @@ static struct security_operations selinux_ops = { | |||
5471 | .xfrm_state_alloc_security = selinux_xfrm_state_alloc, | 5467 | .xfrm_state_alloc_security = selinux_xfrm_state_alloc, |
5472 | .xfrm_state_free_security = selinux_xfrm_state_free, | 5468 | .xfrm_state_free_security = selinux_xfrm_state_free, |
5473 | .xfrm_state_delete_security = selinux_xfrm_state_delete, | 5469 | .xfrm_state_delete_security = selinux_xfrm_state_delete, |
5474 | .xfrm_policy_lookup = selinux_xfrm_policy_lookup, | 5470 | .xfrm_policy_lookup = selinux_xfrm_policy_lookup, |
5475 | .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, | 5471 | .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, |
5476 | .xfrm_decode_session = selinux_xfrm_decode_session, | 5472 | .xfrm_decode_session = selinux_xfrm_decode_session, |
5477 | #endif | 5473 | #endif |
5478 | 5474 | ||
5479 | #ifdef CONFIG_KEYS | 5475 | #ifdef CONFIG_KEYS |
5480 | .key_alloc = selinux_key_alloc, | 5476 | .key_alloc = selinux_key_alloc, |
5481 | .key_free = selinux_key_free, | 5477 | .key_free = selinux_key_free, |
5482 | .key_permission = selinux_key_permission, | 5478 | .key_permission = selinux_key_permission, |
5483 | #endif | 5479 | #endif |
5484 | 5480 | ||
5485 | #ifdef CONFIG_AUDIT | 5481 | #ifdef CONFIG_AUDIT |
@@ -5519,15 +5515,14 @@ static __init int selinux_init(void) | |||
5519 | 5515 | ||
5520 | original_ops = secondary_ops = security_ops; | 5516 | original_ops = secondary_ops = security_ops; |
5521 | if (!secondary_ops) | 5517 | if (!secondary_ops) |
5522 | panic ("SELinux: No initial security operations\n"); | 5518 | panic("SELinux: No initial security operations\n"); |
5523 | if (register_security (&selinux_ops)) | 5519 | if (register_security(&selinux_ops)) |
5524 | panic("SELinux: Unable to register with kernel.\n"); | 5520 | panic("SELinux: Unable to register with kernel.\n"); |
5525 | 5521 | ||
5526 | if (selinux_enforcing) { | 5522 | if (selinux_enforcing) |
5527 | printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); | 5523 | printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); |
5528 | } else { | 5524 | else |
5529 | printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); | 5525 | printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); |
5530 | } | ||
5531 | 5526 | ||
5532 | #ifdef CONFIG_KEYS | 5527 | #ifdef CONFIG_KEYS |
5533 | /* Add security information to initial keyrings */ | 5528 | /* Add security information to initial keyrings */ |
@@ -5552,8 +5547,8 @@ next_sb: | |||
5552 | if (!list_empty(&superblock_security_head)) { | 5547 | if (!list_empty(&superblock_security_head)) { |
5553 | struct superblock_security_struct *sbsec = | 5548 | struct superblock_security_struct *sbsec = |
5554 | list_entry(superblock_security_head.next, | 5549 | list_entry(superblock_security_head.next, |
5555 | struct superblock_security_struct, | 5550 | struct superblock_security_struct, |
5556 | list); | 5551 | list); |
5557 | struct super_block *sb = sbsec->sb; | 5552 | struct super_block *sb = sbsec->sb; |
5558 | sb->s_count++; | 5553 | sb->s_count++; |
5559 | spin_unlock(&sb_security_lock); | 5554 | spin_unlock(&sb_security_lock); |
@@ -5672,10 +5667,11 @@ static void selinux_nf_ip_exit(void) | |||
5672 | #endif /* CONFIG_NETFILTER */ | 5667 | #endif /* CONFIG_NETFILTER */ |
5673 | 5668 | ||
5674 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | 5669 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE |
5670 | static int selinux_disabled; | ||
5671 | |||
5675 | int selinux_disable(void) | 5672 | int selinux_disable(void) |
5676 | { | 5673 | { |
5677 | extern void exit_sel_fs(void); | 5674 | extern void exit_sel_fs(void); |
5678 | static int selinux_disabled = 0; | ||
5679 | 5675 | ||
5680 | if (ss_initialized) { | 5676 | if (ss_initialized) { |
5681 | /* Not permitted after initial policy load. */ | 5677 | /* Not permitted after initial policy load. */ |
diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 9c8a82aa8baf..c658b84c3196 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c | |||
@@ -8,7 +8,7 @@ | |||
8 | * | 8 | * |
9 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | 9 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> |
10 | * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. | 10 | * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. |
11 | * Paul Moore <paul.moore@hp.com> | 11 | * Paul Moore <paul.moore@hp.com> |
12 | * | 12 | * |
13 | * This program is free software; you can redistribute it and/or modify | 13 | * This program is free software; you can redistribute it and/or modify |
14 | * it under the terms of the GNU General Public License version 2, | 14 | * it under the terms of the GNU General Public License version 2, |
@@ -31,8 +31,7 @@ | |||
31 | #define SEL_NETIF_HASH_SIZE 64 | 31 | #define SEL_NETIF_HASH_SIZE 64 |
32 | #define SEL_NETIF_HASH_MAX 1024 | 32 | #define SEL_NETIF_HASH_MAX 1024 |
33 | 33 | ||
34 | struct sel_netif | 34 | struct sel_netif { |
35 | { | ||
36 | struct list_head list; | 35 | struct list_head list; |
37 | struct netif_security_struct nsec; | 36 | struct netif_security_struct nsec; |
38 | struct rcu_head rcu_head; | 37 | struct rcu_head rcu_head; |
@@ -92,10 +91,10 @@ static inline struct sel_netif *sel_netif_find(int ifindex) | |||
92 | static int sel_netif_insert(struct sel_netif *netif) | 91 | static int sel_netif_insert(struct sel_netif *netif) |
93 | { | 92 | { |
94 | int idx; | 93 | int idx; |
95 | 94 | ||
96 | if (sel_netif_total >= SEL_NETIF_HASH_MAX) | 95 | if (sel_netif_total >= SEL_NETIF_HASH_MAX) |
97 | return -ENOSPC; | 96 | return -ENOSPC; |
98 | 97 | ||
99 | idx = sel_netif_hashfn(netif->nsec.ifindex); | 98 | idx = sel_netif_hashfn(netif->nsec.ifindex); |
100 | list_add_rcu(&netif->list, &sel_netif_hash[idx]); | 99 | list_add_rcu(&netif->list, &sel_netif_hash[idx]); |
101 | sel_netif_total++; | 100 | sel_netif_total++; |
@@ -267,7 +266,7 @@ static void sel_netif_flush(void) | |||
267 | } | 266 | } |
268 | 267 | ||
269 | static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, | 268 | static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, |
270 | u16 class, u32 perms, u32 *retained) | 269 | u16 class, u32 perms, u32 *retained) |
271 | { | 270 | { |
272 | if (event == AVC_CALLBACK_RESET) { | 271 | if (event == AVC_CALLBACK_RESET) { |
273 | sel_netif_flush(); | 272 | sel_netif_flush(); |
@@ -277,7 +276,7 @@ static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, | |||
277 | } | 276 | } |
278 | 277 | ||
279 | static int sel_netif_netdev_notifier_handler(struct notifier_block *this, | 278 | static int sel_netif_netdev_notifier_handler(struct notifier_block *this, |
280 | unsigned long event, void *ptr) | 279 | unsigned long event, void *ptr) |
281 | { | 280 | { |
282 | struct net_device *dev = ptr; | 281 | struct net_device *dev = ptr; |
283 | 282 | ||
@@ -297,7 +296,7 @@ static struct notifier_block sel_netif_netdev_notifier = { | |||
297 | static __init int sel_netif_init(void) | 296 | static __init int sel_netif_init(void) |
298 | { | 297 | { |
299 | int i, err; | 298 | int i, err; |
300 | 299 | ||
301 | if (!selinux_enabled) | 300 | if (!selinux_enabled) |
302 | return 0; | 301 | return 0; |
303 | 302 | ||
@@ -305,9 +304,9 @@ static __init int sel_netif_init(void) | |||
305 | INIT_LIST_HEAD(&sel_netif_hash[i]); | 304 | INIT_LIST_HEAD(&sel_netif_hash[i]); |
306 | 305 | ||
307 | register_netdevice_notifier(&sel_netif_netdev_notifier); | 306 | register_netdevice_notifier(&sel_netif_netdev_notifier); |
308 | 307 | ||
309 | err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET, | 308 | err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET, |
310 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); | 309 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); |
311 | if (err) | 310 | if (err) |
312 | panic("avc_add_callback() failed, error %d\n", err); | 311 | panic("avc_add_callback() failed, error %d\n", err); |
313 | 312 | ||
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index e8ee91ac12ef..89b418392f11 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c | |||
@@ -118,7 +118,7 @@ void selinux_netlbl_cache_invalidate(void) | |||
118 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, | 118 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, |
119 | int family) | 119 | int family) |
120 | { | 120 | { |
121 | if (family == PF_INET) | 121 | if (family == PF_INET) |
122 | ssec->nlbl_state = NLBL_REQUIRE; | 122 | ssec->nlbl_state = NLBL_REQUIRE; |
123 | else | 123 | else |
124 | ssec->nlbl_state = NLBL_UNSET; | 124 | ssec->nlbl_state = NLBL_UNSET; |
diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c index 6214a7a73149..1ae556446e65 100644 --- a/security/selinux/netlink.c +++ b/security/selinux/netlink.c | |||
@@ -24,16 +24,16 @@ static struct sock *selnl; | |||
24 | static int selnl_msglen(int msgtype) | 24 | static int selnl_msglen(int msgtype) |
25 | { | 25 | { |
26 | int ret = 0; | 26 | int ret = 0; |
27 | 27 | ||
28 | switch (msgtype) { | 28 | switch (msgtype) { |
29 | case SELNL_MSG_SETENFORCE: | 29 | case SELNL_MSG_SETENFORCE: |
30 | ret = sizeof(struct selnl_msg_setenforce); | 30 | ret = sizeof(struct selnl_msg_setenforce); |
31 | break; | 31 | break; |
32 | 32 | ||
33 | case SELNL_MSG_POLICYLOAD: | 33 | case SELNL_MSG_POLICYLOAD: |
34 | ret = sizeof(struct selnl_msg_policyload); | 34 | ret = sizeof(struct selnl_msg_policyload); |
35 | break; | 35 | break; |
36 | 36 | ||
37 | default: | 37 | default: |
38 | BUG(); | 38 | BUG(); |
39 | } | 39 | } |
@@ -45,15 +45,15 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void * | |||
45 | switch (msgtype) { | 45 | switch (msgtype) { |
46 | case SELNL_MSG_SETENFORCE: { | 46 | case SELNL_MSG_SETENFORCE: { |
47 | struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); | 47 | struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); |
48 | 48 | ||
49 | memset(msg, 0, len); | 49 | memset(msg, 0, len); |
50 | msg->val = *((int *)data); | 50 | msg->val = *((int *)data); |
51 | break; | 51 | break; |
52 | } | 52 | } |
53 | 53 | ||
54 | case SELNL_MSG_POLICYLOAD: { | 54 | case SELNL_MSG_POLICYLOAD: { |
55 | struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); | 55 | struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); |
56 | 56 | ||
57 | memset(msg, 0, len); | 57 | memset(msg, 0, len); |
58 | msg->seqno = *((u32 *)data); | 58 | msg->seqno = *((u32 *)data); |
59 | break; | 59 | break; |
@@ -70,9 +70,9 @@ static void selnl_notify(int msgtype, void *data) | |||
70 | sk_buff_data_t tmp; | 70 | sk_buff_data_t tmp; |
71 | struct sk_buff *skb; | 71 | struct sk_buff *skb; |
72 | struct nlmsghdr *nlh; | 72 | struct nlmsghdr *nlh; |
73 | 73 | ||
74 | len = selnl_msglen(msgtype); | 74 | len = selnl_msglen(msgtype); |
75 | 75 | ||
76 | skb = alloc_skb(NLMSG_SPACE(len), GFP_USER); | 76 | skb = alloc_skb(NLMSG_SPACE(len), GFP_USER); |
77 | if (!skb) | 77 | if (!skb) |
78 | goto oom; | 78 | goto oom; |
@@ -85,7 +85,7 @@ static void selnl_notify(int msgtype, void *data) | |||
85 | netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER); | 85 | netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER); |
86 | out: | 86 | out: |
87 | return; | 87 | return; |
88 | 88 | ||
89 | nlmsg_failure: | 89 | nlmsg_failure: |
90 | kfree_skb(skb); | 90 | kfree_skb(skb); |
91 | oom: | 91 | oom: |
@@ -109,7 +109,7 @@ static int __init selnl_init(void) | |||
109 | SELNLGRP_MAX, NULL, NULL, THIS_MODULE); | 109 | SELNLGRP_MAX, NULL, NULL, THIS_MODULE); |
110 | if (selnl == NULL) | 110 | if (selnl == NULL) |
111 | panic("SELinux: Cannot create netlink socket."); | 111 | panic("SELinux: Cannot create netlink socket."); |
112 | netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV); | 112 | netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV); |
113 | return 0; | 113 | return 0; |
114 | } | 114 | } |
115 | 115 | ||
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index f3c526f2cacb..2edc4c5e0c61 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c | |||
@@ -344,7 +344,7 @@ static __init int sel_netnode_init(void) | |||
344 | INIT_LIST_HEAD(&sel_netnode_hash[iter]); | 344 | INIT_LIST_HEAD(&sel_netnode_hash[iter]); |
345 | 345 | ||
346 | ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET, | 346 | ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET, |
347 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); | 347 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); |
348 | if (ret != 0) | 348 | if (ret != 0) |
349 | panic("avc_add_callback() failed, error %d\n", ret); | 349 | panic("avc_add_callback() failed, error %d\n", ret); |
350 | 350 | ||
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index eddc7b420109..ff59c0c4804b 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c | |||
@@ -23,8 +23,7 @@ | |||
23 | #include "flask.h" | 23 | #include "flask.h" |
24 | #include "av_permissions.h" | 24 | #include "av_permissions.h" |
25 | 25 | ||
26 | struct nlmsg_perm | 26 | struct nlmsg_perm { |
27 | { | ||
28 | u16 nlmsg_type; | 27 | u16 nlmsg_type; |
29 | u32 perm; | 28 | u32 perm; |
30 | }; | 29 | }; |
@@ -159,7 +158,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm) | |||
159 | if ((nlmsg_type >= AUDIT_FIRST_USER_MSG && | 158 | if ((nlmsg_type >= AUDIT_FIRST_USER_MSG && |
160 | nlmsg_type <= AUDIT_LAST_USER_MSG) || | 159 | nlmsg_type <= AUDIT_LAST_USER_MSG) || |
161 | (nlmsg_type >= AUDIT_FIRST_USER_MSG2 && | 160 | (nlmsg_type >= AUDIT_FIRST_USER_MSG2 && |
162 | nlmsg_type <= AUDIT_LAST_USER_MSG2)) { | 161 | nlmsg_type <= AUDIT_LAST_USER_MSG2)) { |
163 | *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY; | 162 | *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY; |
164 | } else { | 163 | } else { |
165 | err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, | 164 | err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 26fabad09769..ac1ccc13a704 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -1,16 +1,16 @@ | |||
1 | /* Updated: Karl MacMillan <kmacmillan@tresys.com> | 1 | /* Updated: Karl MacMillan <kmacmillan@tresys.com> |
2 | * | 2 | * |
3 | * Added conditional policy language extensions | 3 | * Added conditional policy language extensions |
4 | * | 4 | * |
5 | * Updated: Hewlett-Packard <paul.moore@hp.com> | 5 | * Updated: Hewlett-Packard <paul.moore@hp.com> |
6 | * | 6 | * |
7 | * Added support for the policy capability bitmap | 7 | * Added support for the policy capability bitmap |
8 | * | 8 | * |
9 | * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. | 9 | * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. |
10 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC | 10 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC |
11 | * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> | 11 | * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> |
12 | * This program is free software; you can redistribute it and/or modify | 12 | * This program is free software; you can redistribute it and/or modify |
13 | * it under the terms of the GNU General Public License as published by | 13 | * it under the terms of the GNU General Public License as published by |
14 | * the Free Software Foundation, version 2. | 14 | * the Free Software Foundation, version 2. |
15 | */ | 15 | */ |
16 | 16 | ||
@@ -28,7 +28,6 @@ | |||
28 | #include <linux/percpu.h> | 28 | #include <linux/percpu.h> |
29 | #include <linux/audit.h> | 29 | #include <linux/audit.h> |
30 | #include <asm/uaccess.h> | 30 | #include <asm/uaccess.h> |
31 | #include <asm/semaphore.h> | ||
32 | 31 | ||
33 | /* selinuxfs pseudo filesystem for exporting the security policy API. | 32 | /* selinuxfs pseudo filesystem for exporting the security policy API. |
34 | Based on the proc code and the fs/nfsd/nfsctl.c code. */ | 33 | Based on the proc code and the fs/nfsd/nfsctl.c code. */ |
@@ -58,14 +57,14 @@ int selinux_compat_net = SELINUX_COMPAT_NET_VALUE; | |||
58 | 57 | ||
59 | static int __init checkreqprot_setup(char *str) | 58 | static int __init checkreqprot_setup(char *str) |
60 | { | 59 | { |
61 | selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0; | 60 | selinux_checkreqprot = simple_strtoul(str, NULL, 0) ? 1 : 0; |
62 | return 1; | 61 | return 1; |
63 | } | 62 | } |
64 | __setup("checkreqprot=", checkreqprot_setup); | 63 | __setup("checkreqprot=", checkreqprot_setup); |
65 | 64 | ||
66 | static int __init selinux_compat_net_setup(char *str) | 65 | static int __init selinux_compat_net_setup(char *str) |
67 | { | 66 | { |
68 | selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0; | 67 | selinux_compat_net = simple_strtoul(str, NULL, 0) ? 1 : 0; |
69 | return 1; | 68 | return 1; |
70 | } | 69 | } |
71 | __setup("selinux_compat_net=", selinux_compat_net_setup); | 70 | __setup("selinux_compat_net=", selinux_compat_net_setup); |
@@ -74,17 +73,17 @@ __setup("selinux_compat_net=", selinux_compat_net_setup); | |||
74 | static DEFINE_MUTEX(sel_mutex); | 73 | static DEFINE_MUTEX(sel_mutex); |
75 | 74 | ||
76 | /* global data for booleans */ | 75 | /* global data for booleans */ |
77 | static struct dentry *bool_dir = NULL; | 76 | static struct dentry *bool_dir; |
78 | static int bool_num = 0; | 77 | static int bool_num; |
79 | static char **bool_pending_names; | 78 | static char **bool_pending_names; |
80 | static int *bool_pending_values = NULL; | 79 | static int *bool_pending_values; |
81 | 80 | ||
82 | /* global data for classes */ | 81 | /* global data for classes */ |
83 | static struct dentry *class_dir = NULL; | 82 | static struct dentry *class_dir; |
84 | static unsigned long last_class_ino; | 83 | static unsigned long last_class_ino; |
85 | 84 | ||
86 | /* global data for policy capabilities */ | 85 | /* global data for policy capabilities */ |
87 | static struct dentry *policycap_dir = NULL; | 86 | static struct dentry *policycap_dir; |
88 | 87 | ||
89 | extern void selnl_notify_setenforce(int val); | 88 | extern void selnl_notify_setenforce(int val); |
90 | 89 | ||
@@ -143,7 +142,7 @@ static ssize_t sel_read_enforce(struct file *filp, char __user *buf, | |||
143 | } | 142 | } |
144 | 143 | ||
145 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP | 144 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP |
146 | static ssize_t sel_write_enforce(struct file * file, const char __user * buf, | 145 | static ssize_t sel_write_enforce(struct file *file, const char __user *buf, |
147 | size_t count, loff_t *ppos) | 146 | size_t count, loff_t *ppos) |
148 | 147 | ||
149 | { | 148 | { |
@@ -157,7 +156,7 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf, | |||
157 | /* No partial writes. */ | 156 | /* No partial writes. */ |
158 | return -EINVAL; | 157 | return -EINVAL; |
159 | } | 158 | } |
160 | page = (char*)get_zeroed_page(GFP_KERNEL); | 159 | page = (char *)get_zeroed_page(GFP_KERNEL); |
161 | if (!page) | 160 | if (!page) |
162 | return -ENOMEM; | 161 | return -ENOMEM; |
163 | length = -EFAULT; | 162 | length = -EFAULT; |
@@ -214,7 +213,7 @@ static const struct file_operations sel_handle_unknown_ops = { | |||
214 | }; | 213 | }; |
215 | 214 | ||
216 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | 215 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE |
217 | static ssize_t sel_write_disable(struct file * file, const char __user * buf, | 216 | static ssize_t sel_write_disable(struct file *file, const char __user *buf, |
218 | size_t count, loff_t *ppos) | 217 | size_t count, loff_t *ppos) |
219 | 218 | ||
220 | { | 219 | { |
@@ -229,7 +228,7 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf, | |||
229 | /* No partial writes. */ | 228 | /* No partial writes. */ |
230 | return -EINVAL; | 229 | return -EINVAL; |
231 | } | 230 | } |
232 | page = (char*)get_zeroed_page(GFP_KERNEL); | 231 | page = (char *)get_zeroed_page(GFP_KERNEL); |
233 | if (!page) | 232 | if (!page) |
234 | return -ENOMEM; | 233 | return -ENOMEM; |
235 | length = -EFAULT; | 234 | length = -EFAULT; |
@@ -264,7 +263,7 @@ static const struct file_operations sel_disable_ops = { | |||
264 | }; | 263 | }; |
265 | 264 | ||
266 | static ssize_t sel_read_policyvers(struct file *filp, char __user *buf, | 265 | static ssize_t sel_read_policyvers(struct file *filp, char __user *buf, |
267 | size_t count, loff_t *ppos) | 266 | size_t count, loff_t *ppos) |
268 | { | 267 | { |
269 | char tmpbuf[TMPBUFLEN]; | 268 | char tmpbuf[TMPBUFLEN]; |
270 | ssize_t length; | 269 | ssize_t length; |
@@ -300,7 +299,7 @@ static const struct file_operations sel_mls_ops = { | |||
300 | .read = sel_read_mls, | 299 | .read = sel_read_mls, |
301 | }; | 300 | }; |
302 | 301 | ||
303 | static ssize_t sel_write_load(struct file * file, const char __user * buf, | 302 | static ssize_t sel_write_load(struct file *file, const char __user *buf, |
304 | size_t count, loff_t *ppos) | 303 | size_t count, loff_t *ppos) |
305 | 304 | ||
306 | { | 305 | { |
@@ -372,7 +371,7 @@ static const struct file_operations sel_load_ops = { | |||
372 | .write = sel_write_load, | 371 | .write = sel_write_load, |
373 | }; | 372 | }; |
374 | 373 | ||
375 | static ssize_t sel_write_context(struct file * file, char *buf, size_t size) | 374 | static ssize_t sel_write_context(struct file *file, char *buf, size_t size) |
376 | { | 375 | { |
377 | char *canon; | 376 | char *canon; |
378 | u32 sid, len; | 377 | u32 sid, len; |
@@ -391,8 +390,8 @@ static ssize_t sel_write_context(struct file * file, char *buf, size_t size) | |||
391 | return length; | 390 | return length; |
392 | 391 | ||
393 | if (len > SIMPLE_TRANSACTION_LIMIT) { | 392 | if (len > SIMPLE_TRANSACTION_LIMIT) { |
394 | printk(KERN_ERR "%s: context size (%u) exceeds payload " | 393 | printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " |
395 | "max\n", __func__, len); | 394 | "payload max\n", __func__, len); |
396 | length = -ERANGE; | 395 | length = -ERANGE; |
397 | goto out; | 396 | goto out; |
398 | } | 397 | } |
@@ -414,7 +413,7 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, | |||
414 | return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); | 413 | return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); |
415 | } | 414 | } |
416 | 415 | ||
417 | static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf, | 416 | static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, |
418 | size_t count, loff_t *ppos) | 417 | size_t count, loff_t *ppos) |
419 | { | 418 | { |
420 | char *page; | 419 | char *page; |
@@ -431,7 +430,7 @@ static ssize_t sel_write_checkreqprot(struct file * file, const char __user * bu | |||
431 | /* No partial writes. */ | 430 | /* No partial writes. */ |
432 | return -EINVAL; | 431 | return -EINVAL; |
433 | } | 432 | } |
434 | page = (char*)get_zeroed_page(GFP_KERNEL); | 433 | page = (char *)get_zeroed_page(GFP_KERNEL); |
435 | if (!page) | 434 | if (!page) |
436 | return -ENOMEM; | 435 | return -ENOMEM; |
437 | length = -EFAULT; | 436 | length = -EFAULT; |
@@ -463,7 +462,7 @@ static ssize_t sel_read_compat_net(struct file *filp, char __user *buf, | |||
463 | return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); | 462 | return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); |
464 | } | 463 | } |
465 | 464 | ||
466 | static ssize_t sel_write_compat_net(struct file * file, const char __user * buf, | 465 | static ssize_t sel_write_compat_net(struct file *file, const char __user *buf, |
467 | size_t count, loff_t *ppos) | 466 | size_t count, loff_t *ppos) |
468 | { | 467 | { |
469 | char *page; | 468 | char *page; |
@@ -480,7 +479,7 @@ static ssize_t sel_write_compat_net(struct file * file, const char __user * buf, | |||
480 | /* No partial writes. */ | 479 | /* No partial writes. */ |
481 | return -EINVAL; | 480 | return -EINVAL; |
482 | } | 481 | } |
483 | page = (char*)get_zeroed_page(GFP_KERNEL); | 482 | page = (char *)get_zeroed_page(GFP_KERNEL); |
484 | if (!page) | 483 | if (!page) |
485 | return -ENOMEM; | 484 | return -ENOMEM; |
486 | length = -EFAULT; | 485 | length = -EFAULT; |
@@ -505,11 +504,11 @@ static const struct file_operations sel_compat_net_ops = { | |||
505 | /* | 504 | /* |
506 | * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c | 505 | * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c |
507 | */ | 506 | */ |
508 | static ssize_t sel_write_access(struct file * file, char *buf, size_t size); | 507 | static ssize_t sel_write_access(struct file *file, char *buf, size_t size); |
509 | static ssize_t sel_write_create(struct file * file, char *buf, size_t size); | 508 | static ssize_t sel_write_create(struct file *file, char *buf, size_t size); |
510 | static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size); | 509 | static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size); |
511 | static ssize_t sel_write_user(struct file * file, char *buf, size_t size); | 510 | static ssize_t sel_write_user(struct file *file, char *buf, size_t size); |
512 | static ssize_t sel_write_member(struct file * file, char *buf, size_t size); | 511 | static ssize_t sel_write_member(struct file *file, char *buf, size_t size); |
513 | 512 | ||
514 | static ssize_t (*write_op[])(struct file *, char *, size_t) = { | 513 | static ssize_t (*write_op[])(struct file *, char *, size_t) = { |
515 | [SEL_ACCESS] = sel_write_access, | 514 | [SEL_ACCESS] = sel_write_access, |
@@ -522,7 +521,7 @@ static ssize_t (*write_op[])(struct file *, char *, size_t) = { | |||
522 | 521 | ||
523 | static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos) | 522 | static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos) |
524 | { | 523 | { |
525 | ino_t ino = file->f_path.dentry->d_inode->i_ino; | 524 | ino_t ino = file->f_path.dentry->d_inode->i_ino; |
526 | char *data; | 525 | char *data; |
527 | ssize_t rv; | 526 | ssize_t rv; |
528 | 527 | ||
@@ -533,8 +532,8 @@ static ssize_t selinux_transaction_write(struct file *file, const char __user *b | |||
533 | if (IS_ERR(data)) | 532 | if (IS_ERR(data)) |
534 | return PTR_ERR(data); | 533 | return PTR_ERR(data); |
535 | 534 | ||
536 | rv = write_op[ino](file, data, size); | 535 | rv = write_op[ino](file, data, size); |
537 | if (rv>0) { | 536 | if (rv > 0) { |
538 | simple_transaction_set(file, rv); | 537 | simple_transaction_set(file, rv); |
539 | rv = size; | 538 | rv = size; |
540 | } | 539 | } |
@@ -553,7 +552,7 @@ static const struct file_operations transaction_ops = { | |||
553 | * and the length returned. Otherwise return 0 or and -error. | 552 | * and the length returned. Otherwise return 0 or and -error. |
554 | */ | 553 | */ |
555 | 554 | ||
556 | static ssize_t sel_write_access(struct file * file, char *buf, size_t size) | 555 | static ssize_t sel_write_access(struct file *file, char *buf, size_t size) |
557 | { | 556 | { |
558 | char *scon, *tcon; | 557 | char *scon, *tcon; |
559 | u32 ssid, tsid; | 558 | u32 ssid, tsid; |
@@ -602,7 +601,7 @@ out: | |||
602 | return length; | 601 | return length; |
603 | } | 602 | } |
604 | 603 | ||
605 | static ssize_t sel_write_create(struct file * file, char *buf, size_t size) | 604 | static ssize_t sel_write_create(struct file *file, char *buf, size_t size) |
606 | { | 605 | { |
607 | char *scon, *tcon; | 606 | char *scon, *tcon; |
608 | u32 ssid, tsid, newsid; | 607 | u32 ssid, tsid, newsid; |
@@ -644,8 +643,8 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size) | |||
644 | goto out2; | 643 | goto out2; |
645 | 644 | ||
646 | if (len > SIMPLE_TRANSACTION_LIMIT) { | 645 | if (len > SIMPLE_TRANSACTION_LIMIT) { |
647 | printk(KERN_ERR "%s: context size (%u) exceeds payload " | 646 | printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " |
648 | "max\n", __func__, len); | 647 | "payload max\n", __func__, len); |
649 | length = -ERANGE; | 648 | length = -ERANGE; |
650 | goto out3; | 649 | goto out3; |
651 | } | 650 | } |
@@ -661,7 +660,7 @@ out: | |||
661 | return length; | 660 | return length; |
662 | } | 661 | } |
663 | 662 | ||
664 | static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size) | 663 | static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size) |
665 | { | 664 | { |
666 | char *scon, *tcon; | 665 | char *scon, *tcon; |
667 | u32 ssid, tsid, newsid; | 666 | u32 ssid, tsid, newsid; |
@@ -718,7 +717,7 @@ out: | |||
718 | return length; | 717 | return length; |
719 | } | 718 | } |
720 | 719 | ||
721 | static ssize_t sel_write_user(struct file * file, char *buf, size_t size) | 720 | static ssize_t sel_write_user(struct file *file, char *buf, size_t size) |
722 | { | 721 | { |
723 | char *con, *user, *ptr; | 722 | char *con, *user, *ptr; |
724 | u32 sid, *sids; | 723 | u32 sid, *sids; |
@@ -779,7 +778,7 @@ out: | |||
779 | return length; | 778 | return length; |
780 | } | 779 | } |
781 | 780 | ||
782 | static ssize_t sel_write_member(struct file * file, char *buf, size_t size) | 781 | static ssize_t sel_write_member(struct file *file, char *buf, size_t size) |
783 | { | 782 | { |
784 | char *scon, *tcon; | 783 | char *scon, *tcon; |
785 | u32 ssid, tsid, newsid; | 784 | u32 ssid, tsid, newsid; |
@@ -821,8 +820,8 @@ static ssize_t sel_write_member(struct file * file, char *buf, size_t size) | |||
821 | goto out2; | 820 | goto out2; |
822 | 821 | ||
823 | if (len > SIMPLE_TRANSACTION_LIMIT) { | 822 | if (len > SIMPLE_TRANSACTION_LIMIT) { |
824 | printk(KERN_ERR "%s: context size (%u) exceeds payload " | 823 | printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " |
825 | "max\n", __func__, len); | 824 | "payload max\n", __func__, len); |
826 | length = -ERANGE; | 825 | length = -ERANGE; |
827 | goto out3; | 826 | goto out3; |
828 | } | 827 | } |
@@ -873,7 +872,8 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf, | |||
873 | ret = -EINVAL; | 872 | ret = -EINVAL; |
874 | goto out; | 873 | goto out; |
875 | } | 874 | } |
876 | if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) { | 875 | page = (char *)get_zeroed_page(GFP_KERNEL); |
876 | if (!page) { | ||
877 | ret = -ENOMEM; | 877 | ret = -ENOMEM; |
878 | goto out; | 878 | goto out; |
879 | } | 879 | } |
@@ -924,7 +924,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf, | |||
924 | length = -EINVAL; | 924 | length = -EINVAL; |
925 | goto out; | 925 | goto out; |
926 | } | 926 | } |
927 | page = (char*)get_zeroed_page(GFP_KERNEL); | 927 | page = (char *)get_zeroed_page(GFP_KERNEL); |
928 | if (!page) { | 928 | if (!page) { |
929 | length = -ENOMEM; | 929 | length = -ENOMEM; |
930 | goto out; | 930 | goto out; |
@@ -952,8 +952,8 @@ out: | |||
952 | } | 952 | } |
953 | 953 | ||
954 | static const struct file_operations sel_bool_ops = { | 954 | static const struct file_operations sel_bool_ops = { |
955 | .read = sel_read_bool, | 955 | .read = sel_read_bool, |
956 | .write = sel_write_bool, | 956 | .write = sel_write_bool, |
957 | }; | 957 | }; |
958 | 958 | ||
959 | static ssize_t sel_commit_bools_write(struct file *filep, | 959 | static ssize_t sel_commit_bools_write(struct file *filep, |
@@ -978,7 +978,7 @@ static ssize_t sel_commit_bools_write(struct file *filep, | |||
978 | /* No partial writes. */ | 978 | /* No partial writes. */ |
979 | goto out; | 979 | goto out; |
980 | } | 980 | } |
981 | page = (char*)get_zeroed_page(GFP_KERNEL); | 981 | page = (char *)get_zeroed_page(GFP_KERNEL); |
982 | if (!page) { | 982 | if (!page) { |
983 | length = -ENOMEM; | 983 | length = -ENOMEM; |
984 | goto out; | 984 | goto out; |
@@ -992,9 +992,8 @@ static ssize_t sel_commit_bools_write(struct file *filep, | |||
992 | if (sscanf(page, "%d", &new_value) != 1) | 992 | if (sscanf(page, "%d", &new_value) != 1) |
993 | goto out; | 993 | goto out; |
994 | 994 | ||
995 | if (new_value && bool_pending_values) { | 995 | if (new_value && bool_pending_values) |
996 | security_set_bools(bool_num, bool_pending_values); | 996 | security_set_bools(bool_num, bool_pending_values); |
997 | } | ||
998 | 997 | ||
999 | length = count; | 998 | length = count; |
1000 | 999 | ||
@@ -1006,7 +1005,7 @@ out: | |||
1006 | } | 1005 | } |
1007 | 1006 | ||
1008 | static const struct file_operations sel_commit_bools_ops = { | 1007 | static const struct file_operations sel_commit_bools_ops = { |
1009 | .write = sel_commit_bools_write, | 1008 | .write = sel_commit_bools_write, |
1010 | }; | 1009 | }; |
1011 | 1010 | ||
1012 | static void sel_remove_entries(struct dentry *de) | 1011 | static void sel_remove_entries(struct dentry *de) |
@@ -1056,7 +1055,8 @@ static int sel_make_bools(void) | |||
1056 | 1055 | ||
1057 | sel_remove_entries(dir); | 1056 | sel_remove_entries(dir); |
1058 | 1057 | ||
1059 | if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) | 1058 | page = (char *)get_zeroed_page(GFP_KERNEL); |
1059 | if (!page) | ||
1060 | return -ENOMEM; | 1060 | return -ENOMEM; |
1061 | 1061 | ||
1062 | ret = security_get_bools(&num, &names, &values); | 1062 | ret = security_get_bools(&num, &names, &values); |
@@ -1083,8 +1083,9 @@ static int sel_make_bools(void) | |||
1083 | ret = -ENAMETOOLONG; | 1083 | ret = -ENAMETOOLONG; |
1084 | goto err; | 1084 | goto err; |
1085 | } | 1085 | } |
1086 | isec = (struct inode_security_struct*)inode->i_security; | 1086 | isec = (struct inode_security_struct *)inode->i_security; |
1087 | if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid))) | 1087 | ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid); |
1088 | if (ret) | ||
1088 | goto err; | 1089 | goto err; |
1089 | isec->sid = sid; | 1090 | isec->sid = sid; |
1090 | isec->initialized = 1; | 1091 | isec->initialized = 1; |
@@ -1112,7 +1113,7 @@ err: | |||
1112 | 1113 | ||
1113 | #define NULL_FILE_NAME "null" | 1114 | #define NULL_FILE_NAME "null" |
1114 | 1115 | ||
1115 | struct dentry *selinux_null = NULL; | 1116 | struct dentry *selinux_null; |
1116 | 1117 | ||
1117 | static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, | 1118 | static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, |
1118 | size_t count, loff_t *ppos) | 1119 | size_t count, loff_t *ppos) |
@@ -1124,8 +1125,8 @@ static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, | |||
1124 | return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); | 1125 | return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); |
1125 | } | 1126 | } |
1126 | 1127 | ||
1127 | static ssize_t sel_write_avc_cache_threshold(struct file * file, | 1128 | static ssize_t sel_write_avc_cache_threshold(struct file *file, |
1128 | const char __user * buf, | 1129 | const char __user *buf, |
1129 | size_t count, loff_t *ppos) | 1130 | size_t count, loff_t *ppos) |
1130 | 1131 | ||
1131 | { | 1132 | { |
@@ -1144,7 +1145,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file * file, | |||
1144 | goto out; | 1145 | goto out; |
1145 | } | 1146 | } |
1146 | 1147 | ||
1147 | page = (char*)get_zeroed_page(GFP_KERNEL); | 1148 | page = (char *)get_zeroed_page(GFP_KERNEL); |
1148 | if (!page) { | 1149 | if (!page) { |
1149 | ret = -ENOMEM; | 1150 | ret = -ENOMEM; |
1150 | goto out; | 1151 | goto out; |
@@ -1302,7 +1303,7 @@ out: | |||
1302 | return ret; | 1303 | return ret; |
1303 | } | 1304 | } |
1304 | 1305 | ||
1305 | static ssize_t sel_read_initcon(struct file * file, char __user *buf, | 1306 | static ssize_t sel_read_initcon(struct file *file, char __user *buf, |
1306 | size_t count, loff_t *ppos) | 1307 | size_t count, loff_t *ppos) |
1307 | { | 1308 | { |
1308 | struct inode *inode; | 1309 | struct inode *inode; |
@@ -1376,7 +1377,7 @@ static inline u32 sel_ino_to_perm(unsigned long ino) | |||
1376 | return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1); | 1377 | return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1); |
1377 | } | 1378 | } |
1378 | 1379 | ||
1379 | static ssize_t sel_read_class(struct file * file, char __user *buf, | 1380 | static ssize_t sel_read_class(struct file *file, char __user *buf, |
1380 | size_t count, loff_t *ppos) | 1381 | size_t count, loff_t *ppos) |
1381 | { | 1382 | { |
1382 | ssize_t rc, len; | 1383 | ssize_t rc, len; |
@@ -1400,7 +1401,7 @@ static const struct file_operations sel_class_ops = { | |||
1400 | .read = sel_read_class, | 1401 | .read = sel_read_class, |
1401 | }; | 1402 | }; |
1402 | 1403 | ||
1403 | static ssize_t sel_read_perm(struct file * file, char __user *buf, | 1404 | static ssize_t sel_read_perm(struct file *file, char __user *buf, |
1404 | size_t count, loff_t *ppos) | 1405 | size_t count, loff_t *ppos) |
1405 | { | 1406 | { |
1406 | ssize_t rc, len; | 1407 | ssize_t rc, len; |
@@ -1413,7 +1414,7 @@ static ssize_t sel_read_perm(struct file * file, char __user *buf, | |||
1413 | goto out; | 1414 | goto out; |
1414 | } | 1415 | } |
1415 | 1416 | ||
1416 | len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino)); | 1417 | len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino)); |
1417 | rc = simple_read_from_buffer(buf, count, ppos, page, len); | 1418 | rc = simple_read_from_buffer(buf, count, ppos, page, len); |
1418 | free_page((unsigned long)page); | 1419 | free_page((unsigned long)page); |
1419 | out: | 1420 | out: |
@@ -1641,7 +1642,7 @@ out: | |||
1641 | return ret; | 1642 | return ret; |
1642 | } | 1643 | } |
1643 | 1644 | ||
1644 | static int sel_fill_super(struct super_block * sb, void * data, int silent) | 1645 | static int sel_fill_super(struct super_block *sb, void *data, int silent) |
1645 | { | 1646 | { |
1646 | int ret; | 1647 | int ret; |
1647 | struct dentry *dentry; | 1648 | struct dentry *dentry; |
@@ -1697,7 +1698,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent) | |||
1697 | goto err; | 1698 | goto err; |
1698 | } | 1699 | } |
1699 | inode->i_ino = ++sel_last_ino; | 1700 | inode->i_ino = ++sel_last_ino; |
1700 | isec = (struct inode_security_struct*)inode->i_security; | 1701 | isec = (struct inode_security_struct *)inode->i_security; |
1701 | isec->sid = SECINITSID_DEVNULL; | 1702 | isec->sid = SECINITSID_DEVNULL; |
1702 | isec->sclass = SECCLASS_CHR_FILE; | 1703 | isec->sclass = SECCLASS_CHR_FILE; |
1703 | isec->initialized = 1; | 1704 | isec->initialized = 1; |
@@ -1761,7 +1762,8 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent) | |||
1761 | out: | 1762 | out: |
1762 | return ret; | 1763 | return ret; |
1763 | err: | 1764 | err: |
1764 | printk(KERN_ERR "%s: failed while creating inodes\n", __func__); | 1765 | printk(KERN_ERR "SELinux: %s: failed while creating inodes\n", |
1766 | __func__); | ||
1765 | goto out; | 1767 | goto out; |
1766 | } | 1768 | } |
1767 | 1769 | ||
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index 916e73a18bc5..9e6626362bfd 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c | |||
@@ -6,15 +6,15 @@ | |||
6 | 6 | ||
7 | /* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> | 7 | /* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> |
8 | * | 8 | * |
9 | * Added conditional policy language extensions | 9 | * Added conditional policy language extensions |
10 | * | 10 | * |
11 | * Copyright (C) 2003 Tresys Technology, LLC | 11 | * Copyright (C) 2003 Tresys Technology, LLC |
12 | * This program is free software; you can redistribute it and/or modify | 12 | * This program is free software; you can redistribute it and/or modify |
13 | * it under the terms of the GNU General Public License as published by | 13 | * it under the terms of the GNU General Public License as published by |
14 | * the Free Software Foundation, version 2. | 14 | * the Free Software Foundation, version 2. |
15 | * | 15 | * |
16 | * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> | 16 | * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> |
17 | * Tuned number of hash slots for avtab to reduce memory usage | 17 | * Tuned number of hash slots for avtab to reduce memory usage |
18 | */ | 18 | */ |
19 | 19 | ||
20 | #include <linux/kernel.h> | 20 | #include <linux/kernel.h> |
@@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask) | |||
33 | 33 | ||
34 | static struct avtab_node* | 34 | static struct avtab_node* |
35 | avtab_insert_node(struct avtab *h, int hvalue, | 35 | avtab_insert_node(struct avtab *h, int hvalue, |
36 | struct avtab_node * prev, struct avtab_node * cur, | 36 | struct avtab_node *prev, struct avtab_node *cur, |
37 | struct avtab_key *key, struct avtab_datum *datum) | 37 | struct avtab_key *key, struct avtab_datum *datum) |
38 | { | 38 | { |
39 | struct avtab_node * newnode; | 39 | struct avtab_node *newnode; |
40 | newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL); | 40 | newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL); |
41 | if (newnode == NULL) | 41 | if (newnode == NULL) |
42 | return NULL; | 42 | return NULL; |
@@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat | |||
84 | } | 84 | } |
85 | 85 | ||
86 | newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); | 86 | newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); |
87 | if(!newnode) | 87 | if (!newnode) |
88 | return -ENOMEM; | 88 | return -ENOMEM; |
89 | 89 | ||
90 | return 0; | 90 | return 0; |
@@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat | |||
95 | * It also returns a pointer to the node inserted. | 95 | * It also returns a pointer to the node inserted. |
96 | */ | 96 | */ |
97 | struct avtab_node * | 97 | struct avtab_node * |
98 | avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_datum * datum) | 98 | avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum) |
99 | { | 99 | { |
100 | int hvalue; | 100 | int hvalue; |
101 | struct avtab_node *prev, *cur, *newnode; | 101 | struct avtab_node *prev, *cur, *newnode; |
@@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag) | |||
310 | } | 310 | } |
311 | } | 311 | } |
312 | 312 | ||
313 | printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " | 313 | printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " |
314 | "chain length %d sum of chain length^2 %Lu\n", | 314 | "longest chain length %d sum of chain length^2 %Lu\n", |
315 | tag, h->nel, slots_used, h->nslot, max_chain_len, | 315 | tag, h->nel, slots_used, h->nslot, max_chain_len, |
316 | chain2_len_sum); | 316 | chain2_len_sum); |
317 | } | 317 | } |
@@ -326,7 +326,7 @@ static uint16_t spec_order[] = { | |||
326 | }; | 326 | }; |
327 | 327 | ||
328 | int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | 328 | int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, |
329 | int (*insertf)(struct avtab *a, struct avtab_key *k, | 329 | int (*insertf)(struct avtab *a, struct avtab_key *k, |
330 | struct avtab_datum *d, void *p), | 330 | struct avtab_datum *d, void *p), |
331 | void *p) | 331 | void *p) |
332 | { | 332 | { |
@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
364 | val = le32_to_cpu(buf32[items++]); | 364 | val = le32_to_cpu(buf32[items++]); |
365 | key.source_type = (u16)val; | 365 | key.source_type = (u16)val; |
366 | if (key.source_type != val) { | 366 | if (key.source_type != val) { |
367 | printk("SELinux: avtab: truncated source type\n"); | 367 | printk(KERN_ERR "SELinux: avtab: truncated source type\n"); |
368 | return -1; | 368 | return -1; |
369 | } | 369 | } |
370 | val = le32_to_cpu(buf32[items++]); | 370 | val = le32_to_cpu(buf32[items++]); |
371 | key.target_type = (u16)val; | 371 | key.target_type = (u16)val; |
372 | if (key.target_type != val) { | 372 | if (key.target_type != val) { |
373 | printk("SELinux: avtab: truncated target type\n"); | 373 | printk(KERN_ERR "SELinux: avtab: truncated target type\n"); |
374 | return -1; | 374 | return -1; |
375 | } | 375 | } |
376 | val = le32_to_cpu(buf32[items++]); | 376 | val = le32_to_cpu(buf32[items++]); |
377 | key.target_class = (u16)val; | 377 | key.target_class = (u16)val; |
378 | if (key.target_class != val) { | 378 | if (key.target_class != val) { |
379 | printk("SELinux: avtab: truncated target class\n"); | 379 | printk(KERN_ERR "SELinux: avtab: truncated target class\n"); |
380 | return -1; | 380 | return -1; |
381 | } | 381 | } |
382 | 382 | ||
@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
384 | enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; | 384 | enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; |
385 | 385 | ||
386 | if (!(val & (AVTAB_AV | AVTAB_TYPE))) { | 386 | if (!(val & (AVTAB_AV | AVTAB_TYPE))) { |
387 | printk("SELinux: avtab: null entry\n"); | 387 | printk(KERN_ERR "SELinux: avtab: null entry\n"); |
388 | return -1; | 388 | return -1; |
389 | } | 389 | } |
390 | if ((val & AVTAB_AV) && | 390 | if ((val & AVTAB_AV) && |
391 | (val & AVTAB_TYPE)) { | 391 | (val & AVTAB_TYPE)) { |
392 | printk("SELinux: avtab: entry has both access vectors and types\n"); | 392 | printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n"); |
393 | return -1; | 393 | return -1; |
394 | } | 394 | } |
395 | 395 | ||
@@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
398 | key.specified = spec_order[i] | enabled; | 398 | key.specified = spec_order[i] | enabled; |
399 | datum.data = le32_to_cpu(buf32[items++]); | 399 | datum.data = le32_to_cpu(buf32[items++]); |
400 | rc = insertf(a, &key, &datum, p); | 400 | rc = insertf(a, &key, &datum, p); |
401 | if (rc) return rc; | 401 | if (rc) |
402 | return rc; | ||
402 | } | 403 | } |
403 | } | 404 | } |
404 | 405 | ||
405 | if (items != items2) { | 406 | if (items != items2) { |
406 | printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items); | 407 | printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items); |
407 | return -1; | 408 | return -1; |
408 | } | 409 | } |
409 | return 0; | 410 | return 0; |
@@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
411 | 412 | ||
412 | rc = next_entry(buf16, fp, sizeof(u16)*4); | 413 | rc = next_entry(buf16, fp, sizeof(u16)*4); |
413 | if (rc < 0) { | 414 | if (rc < 0) { |
414 | printk("SELinux: avtab: truncated entry\n"); | 415 | printk(KERN_ERR "SELinux: avtab: truncated entry\n"); |
415 | return -1; | 416 | return -1; |
416 | } | 417 | } |
417 | 418 | ||
@@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
424 | if (!policydb_type_isvalid(pol, key.source_type) || | 425 | if (!policydb_type_isvalid(pol, key.source_type) || |
425 | !policydb_type_isvalid(pol, key.target_type) || | 426 | !policydb_type_isvalid(pol, key.target_type) || |
426 | !policydb_class_isvalid(pol, key.target_class)) { | 427 | !policydb_class_isvalid(pol, key.target_class)) { |
427 | printk(KERN_WARNING "SELinux: avtab: invalid type or class\n"); | 428 | printk(KERN_ERR "SELinux: avtab: invalid type or class\n"); |
428 | return -1; | 429 | return -1; |
429 | } | 430 | } |
430 | 431 | ||
@@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, | |||
434 | set++; | 435 | set++; |
435 | } | 436 | } |
436 | if (!set || set > 1) { | 437 | if (!set || set > 1) { |
437 | printk(KERN_WARNING | 438 | printk(KERN_ERR "SELinux: avtab: more than one specifier\n"); |
438 | "SELinux: avtab: more than one specifier\n"); | ||
439 | return -1; | 439 | return -1; |
440 | } | 440 | } |
441 | 441 | ||
442 | rc = next_entry(buf32, fp, sizeof(u32)); | 442 | rc = next_entry(buf32, fp, sizeof(u32)); |
443 | if (rc < 0) { | 443 | if (rc < 0) { |
444 | printk("SELinux: avtab: truncated entry\n"); | 444 | printk(KERN_ERR "SELinux: avtab: truncated entry\n"); |
445 | return -1; | 445 | return -1; |
446 | } | 446 | } |
447 | datum.data = le32_to_cpu(*buf32); | 447 | datum.data = le32_to_cpu(*buf32); |
448 | if ((key.specified & AVTAB_TYPE) && | 448 | if ((key.specified & AVTAB_TYPE) && |
449 | !policydb_type_isvalid(pol, datum.data)) { | 449 | !policydb_type_isvalid(pol, datum.data)) { |
450 | printk(KERN_WARNING "SELinux: avtab: invalid type\n"); | 450 | printk(KERN_ERR "SELinux: avtab: invalid type\n"); |
451 | return -1; | 451 | return -1; |
452 | } | 452 | } |
453 | return insertf(a, &key, &datum, p); | 453 | return insertf(a, &key, &datum, p); |
@@ -513,5 +513,5 @@ void avtab_cache_init(void) | |||
513 | 513 | ||
514 | void avtab_cache_destroy(void) | 514 | void avtab_cache_destroy(void) |
515 | { | 515 | { |
516 | kmem_cache_destroy (avtab_node_cachep); | 516 | kmem_cache_destroy(avtab_node_cachep); |
517 | } | 517 | } |
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index a996cf1d378a..fb4efe4f4bc8 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c | |||
@@ -1,9 +1,9 @@ | |||
1 | /* Authors: Karl MacMillan <kmacmillan@tresys.com> | 1 | /* Authors: Karl MacMillan <kmacmillan@tresys.com> |
2 | * Frank Mayer <mayerf@tresys.com> | 2 | * Frank Mayer <mayerf@tresys.com> |
3 | * | 3 | * |
4 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC | 4 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC |
5 | * This program is free software; you can redistribute it and/or modify | 5 | * This program is free software; you can redistribute it and/or modify |
6 | * it under the terms of the GNU General Public License as published by | 6 | * it under the terms of the GNU General Public License as published by |
7 | * the Free Software Foundation, version 2. | 7 | * the Free Software Foundation, version 2. |
8 | */ | 8 | */ |
9 | 9 | ||
@@ -11,7 +11,6 @@ | |||
11 | #include <linux/errno.h> | 11 | #include <linux/errno.h> |
12 | #include <linux/string.h> | 12 | #include <linux/string.h> |
13 | #include <linux/spinlock.h> | 13 | #include <linux/spinlock.h> |
14 | #include <asm/semaphore.h> | ||
15 | #include <linux/slab.h> | 14 | #include <linux/slab.h> |
16 | 15 | ||
17 | #include "security.h" | 16 | #include "security.h" |
@@ -90,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr) | |||
90 | int evaluate_cond_node(struct policydb *p, struct cond_node *node) | 89 | int evaluate_cond_node(struct policydb *p, struct cond_node *node) |
91 | { | 90 | { |
92 | int new_state; | 91 | int new_state; |
93 | struct cond_av_list* cur; | 92 | struct cond_av_list *cur; |
94 | 93 | ||
95 | new_state = cond_evaluate_expr(p, node->expr); | 94 | new_state = cond_evaluate_expr(p, node->expr); |
96 | if (new_state != node->cur_state) { | 95 | if (new_state != node->cur_state) { |
@@ -99,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node) | |||
99 | printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); | 98 | printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); |
100 | /* turn the rules on or off */ | 99 | /* turn the rules on or off */ |
101 | for (cur = node->true_list; cur != NULL; cur = cur->next) { | 100 | for (cur = node->true_list; cur != NULL; cur = cur->next) { |
102 | if (new_state <= 0) { | 101 | if (new_state <= 0) |
103 | cur->node->key.specified &= ~AVTAB_ENABLED; | 102 | cur->node->key.specified &= ~AVTAB_ENABLED; |
104 | } else { | 103 | else |
105 | cur->node->key.specified |= AVTAB_ENABLED; | 104 | cur->node->key.specified |= AVTAB_ENABLED; |
106 | } | ||
107 | } | 105 | } |
108 | 106 | ||
109 | for (cur = node->false_list; cur != NULL; cur = cur->next) { | 107 | for (cur = node->false_list; cur != NULL; cur = cur->next) { |
110 | /* -1 or 1 */ | 108 | /* -1 or 1 */ |
111 | if (new_state) { | 109 | if (new_state) |
112 | cur->node->key.specified &= ~AVTAB_ENABLED; | 110 | cur->node->key.specified &= ~AVTAB_ENABLED; |
113 | } else { | 111 | else |
114 | cur->node->key.specified |= AVTAB_ENABLED; | 112 | cur->node->key.specified |= AVTAB_ENABLED; |
115 | } | ||
116 | } | 113 | } |
117 | } | 114 | } |
118 | return 0; | 115 | return 0; |
@@ -174,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p) | |||
174 | int cond_init_bool_indexes(struct policydb *p) | 171 | int cond_init_bool_indexes(struct policydb *p) |
175 | { | 172 | { |
176 | kfree(p->bool_val_to_struct); | 173 | kfree(p->bool_val_to_struct); |
177 | p->bool_val_to_struct = (struct cond_bool_datum**) | 174 | p->bool_val_to_struct = (struct cond_bool_datum **) |
178 | kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL); | 175 | kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL); |
179 | if (!p->bool_val_to_struct) | 176 | if (!p->bool_val_to_struct) |
180 | return -1; | 177 | return -1; |
181 | return 0; | 178 | return 0; |
@@ -200,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap) | |||
200 | return -EINVAL; | 197 | return -EINVAL; |
201 | 198 | ||
202 | p->p_bool_val_to_name[booldatum->value - 1] = key; | 199 | p->p_bool_val_to_name[booldatum->value - 1] = key; |
203 | p->bool_val_to_struct[booldatum->value -1] = booldatum; | 200 | p->bool_val_to_struct[booldatum->value - 1] = booldatum; |
204 | 201 | ||
205 | return 0; | 202 | return 0; |
206 | } | 203 | } |
@@ -252,8 +249,7 @@ err: | |||
252 | return -1; | 249 | return -1; |
253 | } | 250 | } |
254 | 251 | ||
255 | struct cond_insertf_data | 252 | struct cond_insertf_data { |
256 | { | ||
257 | struct policydb *p; | 253 | struct policydb *p; |
258 | struct cond_av_list *other; | 254 | struct cond_av_list *other; |
259 | struct cond_av_list *head; | 255 | struct cond_av_list *head; |
@@ -276,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum | |||
276 | */ | 272 | */ |
277 | if (k->specified & AVTAB_TYPE) { | 273 | if (k->specified & AVTAB_TYPE) { |
278 | if (avtab_search(&p->te_avtab, k)) { | 274 | if (avtab_search(&p->te_avtab, k)) { |
279 | printk("SELinux: type rule already exists outside of a conditional."); | 275 | printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n"); |
280 | goto err; | 276 | goto err; |
281 | } | 277 | } |
282 | /* | 278 | /* |
@@ -291,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum | |||
291 | node_ptr = avtab_search_node(&p->te_cond_avtab, k); | 287 | node_ptr = avtab_search_node(&p->te_cond_avtab, k); |
292 | if (node_ptr) { | 288 | if (node_ptr) { |
293 | if (avtab_search_node_next(node_ptr, k->specified)) { | 289 | if (avtab_search_node_next(node_ptr, k->specified)) { |
294 | printk("SELinux: too many conflicting type rules."); | 290 | printk(KERN_ERR "SELinux: too many conflicting type rules.\n"); |
295 | goto err; | 291 | goto err; |
296 | } | 292 | } |
297 | found = 0; | 293 | found = 0; |
@@ -302,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum | |||
302 | } | 298 | } |
303 | } | 299 | } |
304 | if (!found) { | 300 | if (!found) { |
305 | printk("SELinux: conflicting type rules.\n"); | 301 | printk(KERN_ERR "SELinux: conflicting type rules.\n"); |
306 | goto err; | 302 | goto err; |
307 | } | 303 | } |
308 | } | 304 | } |
309 | } else { | 305 | } else { |
310 | if (avtab_search(&p->te_cond_avtab, k)) { | 306 | if (avtab_search(&p->te_cond_avtab, k)) { |
311 | printk("SELinux: conflicting type rules when adding type rule for true.\n"); | 307 | printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n"); |
312 | goto err; | 308 | goto err; |
313 | } | 309 | } |
314 | } | 310 | } |
@@ -316,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum | |||
316 | 312 | ||
317 | node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); | 313 | node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); |
318 | if (!node_ptr) { | 314 | if (!node_ptr) { |
319 | printk("SELinux: could not insert rule."); | 315 | printk(KERN_ERR "SELinux: could not insert rule.\n"); |
320 | goto err; | 316 | goto err; |
321 | } | 317 | } |
322 | 318 | ||
@@ -353,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list * | |||
353 | return -1; | 349 | return -1; |
354 | 350 | ||
355 | len = le32_to_cpu(buf[0]); | 351 | len = le32_to_cpu(buf[0]); |
356 | if (len == 0) { | 352 | if (len == 0) |
357 | return 0; | 353 | return 0; |
358 | } | ||
359 | 354 | ||
360 | data.p = p; | 355 | data.p = p; |
361 | data.other = other; | 356 | data.other = other; |
@@ -376,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list * | |||
376 | static int expr_isvalid(struct policydb *p, struct cond_expr *expr) | 371 | static int expr_isvalid(struct policydb *p, struct cond_expr *expr) |
377 | { | 372 | { |
378 | if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { | 373 | if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { |
379 | printk("SELinux: conditional expressions uses unknown operator.\n"); | 374 | printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n"); |
380 | return 0; | 375 | return 0; |
381 | } | 376 | } |
382 | 377 | ||
383 | if (expr->bool > p->p_bools.nprim) { | 378 | if (expr->bool > p->p_bools.nprim) { |
384 | printk("SELinux: conditional expressions uses unknown bool.\n"); | 379 | printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n"); |
385 | return 0; | 380 | return 0; |
386 | } | 381 | } |
387 | return 1; | 382 | return 1; |
@@ -408,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) | |||
408 | /* expr */ | 403 | /* expr */ |
409 | len = le32_to_cpu(buf[0]); | 404 | len = le32_to_cpu(buf[0]); |
410 | 405 | ||
411 | for (i = 0; i < len; i++ ) { | 406 | for (i = 0; i < len; i++) { |
412 | rc = next_entry(buf, fp, sizeof(u32) * 2); | 407 | rc = next_entry(buf, fp, sizeof(u32) * 2); |
413 | if (rc < 0) | 408 | if (rc < 0) |
414 | goto err; | 409 | goto err; |
415 | 410 | ||
416 | expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); | 411 | expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); |
417 | if (!expr) { | 412 | if (!expr) |
418 | goto err; | 413 | goto err; |
419 | } | ||
420 | 414 | ||
421 | expr->expr_type = le32_to_cpu(buf[0]); | 415 | expr->expr_type = le32_to_cpu(buf[0]); |
422 | expr->bool = le32_to_cpu(buf[1]); | 416 | expr->bool = le32_to_cpu(buf[1]); |
@@ -426,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) | |||
426 | goto err; | 420 | goto err; |
427 | } | 421 | } |
428 | 422 | ||
429 | if (i == 0) { | 423 | if (i == 0) |
430 | node->expr = expr; | 424 | node->expr = expr; |
431 | } else { | 425 | else |
432 | last->next = expr; | 426 | last->next = expr; |
433 | } | ||
434 | last = expr; | 427 | last = expr; |
435 | } | 428 | } |
436 | 429 | ||
@@ -469,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp) | |||
469 | if (cond_read_node(p, node, fp) != 0) | 462 | if (cond_read_node(p, node, fp) != 0) |
470 | goto err; | 463 | goto err; |
471 | 464 | ||
472 | if (i == 0) { | 465 | if (i == 0) |
473 | p->cond_list = node; | 466 | p->cond_list = node; |
474 | } else { | 467 | else |
475 | last->next = node; | 468 | last->next = node; |
476 | } | ||
477 | last = node; | 469 | last = node; |
478 | } | 470 | } |
479 | return 0; | 471 | return 0; |
@@ -490,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi | |||
490 | { | 482 | { |
491 | struct avtab_node *node; | 483 | struct avtab_node *node; |
492 | 484 | ||
493 | if(!ctab || !key || !avd) | 485 | if (!ctab || !key || !avd) |
494 | return; | 486 | return; |
495 | 487 | ||
496 | for(node = avtab_search_node(ctab, key); node != NULL; | 488 | for (node = avtab_search_node(ctab, key); node != NULL; |
497 | node = avtab_search_node_next(node, key->specified)) { | 489 | node = avtab_search_node_next(node, key->specified)) { |
498 | if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) == | 490 | if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) == |
499 | (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) | 491 | (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) |
500 | avd->allowed |= node->datum.data; | 492 | avd->allowed |= node->datum.data; |
501 | if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) == | 493 | if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) == |
502 | (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) | 494 | (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) |
503 | /* Since a '0' in an auditdeny mask represents a | 495 | /* Since a '0' in an auditdeny mask represents a |
504 | * permission we do NOT want to audit (dontaudit), we use | 496 | * permission we do NOT want to audit (dontaudit), we use |
505 | * the '&' operand to ensure that all '0's in the mask | 497 | * the '&' operand to ensure that all '0's in the mask |
506 | * are retained (much unlike the allow and auditallow cases). | 498 | * are retained (much unlike the allow and auditallow cases). |
507 | */ | 499 | */ |
508 | avd->auditdeny &= node->datum.data; | 500 | avd->auditdeny &= node->datum.data; |
509 | if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) == | 501 | if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) == |
510 | (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) | 502 | (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) |
511 | avd->auditallow |= node->datum.data; | 503 | avd->auditallow |= node->datum.data; |
512 | } | 504 | } |
513 | return; | 505 | return; |
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c index e499af474b35..ddc275490af8 100644 --- a/security/selinux/ss/ebitmap.c +++ b/security/selinux/ss/ebitmap.c | |||
@@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp) | |||
411 | } | 411 | } |
412 | /* round down */ | 412 | /* round down */ |
413 | tmp->startbit = startbit - (startbit % EBITMAP_SIZE); | 413 | tmp->startbit = startbit - (startbit % EBITMAP_SIZE); |
414 | if (n) { | 414 | if (n) |
415 | n->next = tmp; | 415 | n->next = tmp; |
416 | } else { | 416 | else |
417 | e->node = tmp; | 417 | e->node = tmp; |
418 | } | ||
419 | n = tmp; | 418 | n = tmp; |
420 | } else if (startbit <= n->startbit) { | 419 | } else if (startbit <= n->startbit) { |
421 | printk(KERN_ERR "SELinux: ebitmap: start bit %d" | 420 | printk(KERN_ERR "SELinux: ebitmap: start bit %d" |
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c index 77b530c3bbce..2e7788e13213 100644 --- a/security/selinux/ss/hashtab.c +++ b/security/selinux/ss/hashtab.c | |||
@@ -9,8 +9,8 @@ | |||
9 | #include "hashtab.h" | 9 | #include "hashtab.h" |
10 | 10 | ||
11 | struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), | 11 | struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), |
12 | int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), | 12 | int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), |
13 | u32 size) | 13 | u32 size) |
14 | { | 14 | { |
15 | struct hashtab *p; | 15 | struct hashtab *p; |
16 | u32 i; | 16 | u32 i; |
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index feaf0a5b828f..8b1706b7b3cc 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
@@ -32,7 +32,7 @@ | |||
32 | * Return the length in bytes for the MLS fields of the | 32 | * Return the length in bytes for the MLS fields of the |
33 | * security context string representation of `context'. | 33 | * security context string representation of `context'. |
34 | */ | 34 | */ |
35 | int mls_compute_context_len(struct context * context) | 35 | int mls_compute_context_len(struct context *context) |
36 | { | 36 | { |
37 | int i, l, len, head, prev; | 37 | int i, l, len, head, prev; |
38 | char *nm; | 38 | char *nm; |
@@ -86,7 +86,7 @@ int mls_compute_context_len(struct context * context) | |||
86 | * Update `*scontext' to point to the end of the MLS fields. | 86 | * Update `*scontext' to point to the end of the MLS fields. |
87 | */ | 87 | */ |
88 | void mls_sid_to_context(struct context *context, | 88 | void mls_sid_to_context(struct context *context, |
89 | char **scontext) | 89 | char **scontext) |
90 | { | 90 | { |
91 | char *scontextp, *nm; | 91 | char *scontextp, *nm; |
92 | int i, l, head, prev; | 92 | int i, l, head, prev; |
@@ -146,7 +146,7 @@ void mls_sid_to_context(struct context *context, | |||
146 | 146 | ||
147 | if (l == 0) { | 147 | if (l == 0) { |
148 | if (mls_level_eq(&context->range.level[0], | 148 | if (mls_level_eq(&context->range.level[0], |
149 | &context->range.level[1])) | 149 | &context->range.level[1])) |
150 | break; | 150 | break; |
151 | else | 151 | else |
152 | *scontextp++ = '-'; | 152 | *scontextp++ = '-'; |
@@ -305,20 +305,21 @@ int mls_context_to_sid(char oldc, | |||
305 | *p++ = 0; | 305 | *p++ = 0; |
306 | 306 | ||
307 | /* Separate into range if exists */ | 307 | /* Separate into range if exists */ |
308 | if ((rngptr = strchr(scontextp, '.')) != NULL) { | 308 | rngptr = strchr(scontextp, '.'); |
309 | if (rngptr != NULL) { | ||
309 | /* Remove '.' */ | 310 | /* Remove '.' */ |
310 | *rngptr++ = 0; | 311 | *rngptr++ = 0; |
311 | } | 312 | } |
312 | 313 | ||
313 | catdatum = hashtab_search(policydb.p_cats.table, | 314 | catdatum = hashtab_search(policydb.p_cats.table, |
314 | scontextp); | 315 | scontextp); |
315 | if (!catdatum) { | 316 | if (!catdatum) { |
316 | rc = -EINVAL; | 317 | rc = -EINVAL; |
317 | goto out; | 318 | goto out; |
318 | } | 319 | } |
319 | 320 | ||
320 | rc = ebitmap_set_bit(&context->range.level[l].cat, | 321 | rc = ebitmap_set_bit(&context->range.level[l].cat, |
321 | catdatum->value - 1, 1); | 322 | catdatum->value - 1, 1); |
322 | if (rc) | 323 | if (rc) |
323 | goto out; | 324 | goto out; |
324 | 325 | ||
@@ -395,7 +396,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask) | |||
395 | rc = -ENOMEM; | 396 | rc = -ENOMEM; |
396 | } else { | 397 | } else { |
397 | rc = mls_context_to_sid(':', &tmpstr, context, | 398 | rc = mls_context_to_sid(':', &tmpstr, context, |
398 | NULL, SECSID_NULL); | 399 | NULL, SECSID_NULL); |
399 | kfree(freestr); | 400 | kfree(freestr); |
400 | } | 401 | } |
401 | 402 | ||
@@ -406,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask) | |||
406 | * Copies the MLS range `range' into `context'. | 407 | * Copies the MLS range `range' into `context'. |
407 | */ | 408 | */ |
408 | static inline int mls_range_set(struct context *context, | 409 | static inline int mls_range_set(struct context *context, |
409 | struct mls_range *range) | 410 | struct mls_range *range) |
410 | { | 411 | { |
411 | int l, rc = 0; | 412 | int l, rc = 0; |
412 | 413 | ||
@@ -423,7 +424,7 @@ static inline int mls_range_set(struct context *context, | |||
423 | } | 424 | } |
424 | 425 | ||
425 | int mls_setup_user_range(struct context *fromcon, struct user_datum *user, | 426 | int mls_setup_user_range(struct context *fromcon, struct user_datum *user, |
426 | struct context *usercon) | 427 | struct context *usercon) |
427 | { | 428 | { |
428 | if (selinux_mls_enabled) { | 429 | if (selinux_mls_enabled) { |
429 | struct mls_level *fromcon_sen = &(fromcon->range.level[0]); | 430 | struct mls_level *fromcon_sen = &(fromcon->range.level[0]); |
@@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user, | |||
449 | that of the user's default clearance (but | 450 | that of the user's default clearance (but |
450 | only if the "fromcon" clearance dominates | 451 | only if the "fromcon" clearance dominates |
451 | the user's computed sensitivity level) */ | 452 | the user's computed sensitivity level) */ |
452 | if (mls_level_dom(user_clr, fromcon_clr)) { | 453 | if (mls_level_dom(user_clr, fromcon_clr)) |
453 | *usercon_clr = *fromcon_clr; | 454 | *usercon_clr = *fromcon_clr; |
454 | } else if (mls_level_dom(fromcon_clr, user_clr)) { | 455 | else if (mls_level_dom(fromcon_clr, user_clr)) |
455 | *usercon_clr = *user_clr; | 456 | *usercon_clr = *user_clr; |
456 | } else | 457 | else |
457 | return -EINVAL; | 458 | return -EINVAL; |
458 | } | 459 | } |
459 | 460 | ||
@@ -525,7 +526,7 @@ int mls_compute_sid(struct context *scontext, | |||
525 | rtr->target_class == tclass) { | 526 | rtr->target_class == tclass) { |
526 | /* Set the range from the rule */ | 527 | /* Set the range from the rule */ |
527 | return mls_range_set(newcontext, | 528 | return mls_range_set(newcontext, |
528 | &rtr->target_range); | 529 | &rtr->target_range); |
529 | } | 530 | } |
530 | } | 531 | } |
531 | /* Fallthrough */ | 532 | /* Fallthrough */ |
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 6bdb0ff6a927..84f8cc73c7db 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c | |||
@@ -11,7 +11,7 @@ | |||
11 | * | 11 | * |
12 | * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> | 12 | * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> |
13 | * | 13 | * |
14 | * Added conditional policy language extensions | 14 | * Added conditional policy language extensions |
15 | * | 15 | * |
16 | * Updated: Hewlett-Packard <paul.moore@hp.com> | 16 | * Updated: Hewlett-Packard <paul.moore@hp.com> |
17 | * | 17 | * |
@@ -21,7 +21,7 @@ | |||
21 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. | 21 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. |
22 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC | 22 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC |
23 | * This program is free software; you can redistribute it and/or modify | 23 | * This program is free software; you can redistribute it and/or modify |
24 | * it under the terms of the GNU General Public License as published by | 24 | * it under the terms of the GNU General Public License as published by |
25 | * the Free Software Foundation, version 2. | 25 | * the Free Software Foundation, version 2. |
26 | */ | 26 | */ |
27 | 27 | ||
@@ -51,7 +51,7 @@ static char *symtab_name[SYM_NUM] = { | |||
51 | }; | 51 | }; |
52 | #endif | 52 | #endif |
53 | 53 | ||
54 | int selinux_mls_enabled = 0; | 54 | int selinux_mls_enabled; |
55 | 55 | ||
56 | static unsigned int symtab_sizes[SYM_NUM] = { | 56 | static unsigned int symtab_sizes[SYM_NUM] = { |
57 | 2, | 57 | 2, |
@@ -73,39 +73,39 @@ struct policydb_compat_info { | |||
73 | /* These need to be updated if SYM_NUM or OCON_NUM changes */ | 73 | /* These need to be updated if SYM_NUM or OCON_NUM changes */ |
74 | static struct policydb_compat_info policydb_compat[] = { | 74 | static struct policydb_compat_info policydb_compat[] = { |
75 | { | 75 | { |
76 | .version = POLICYDB_VERSION_BASE, | 76 | .version = POLICYDB_VERSION_BASE, |
77 | .sym_num = SYM_NUM - 3, | 77 | .sym_num = SYM_NUM - 3, |
78 | .ocon_num = OCON_NUM - 1, | 78 | .ocon_num = OCON_NUM - 1, |
79 | }, | 79 | }, |
80 | { | 80 | { |
81 | .version = POLICYDB_VERSION_BOOL, | 81 | .version = POLICYDB_VERSION_BOOL, |
82 | .sym_num = SYM_NUM - 2, | 82 | .sym_num = SYM_NUM - 2, |
83 | .ocon_num = OCON_NUM - 1, | 83 | .ocon_num = OCON_NUM - 1, |
84 | }, | 84 | }, |
85 | { | 85 | { |
86 | .version = POLICYDB_VERSION_IPV6, | 86 | .version = POLICYDB_VERSION_IPV6, |
87 | .sym_num = SYM_NUM - 2, | 87 | .sym_num = SYM_NUM - 2, |
88 | .ocon_num = OCON_NUM, | 88 | .ocon_num = OCON_NUM, |
89 | }, | 89 | }, |
90 | { | 90 | { |
91 | .version = POLICYDB_VERSION_NLCLASS, | 91 | .version = POLICYDB_VERSION_NLCLASS, |
92 | .sym_num = SYM_NUM - 2, | 92 | .sym_num = SYM_NUM - 2, |
93 | .ocon_num = OCON_NUM, | 93 | .ocon_num = OCON_NUM, |
94 | }, | 94 | }, |
95 | { | 95 | { |
96 | .version = POLICYDB_VERSION_MLS, | 96 | .version = POLICYDB_VERSION_MLS, |
97 | .sym_num = SYM_NUM, | 97 | .sym_num = SYM_NUM, |
98 | .ocon_num = OCON_NUM, | 98 | .ocon_num = OCON_NUM, |
99 | }, | 99 | }, |
100 | { | 100 | { |
101 | .version = POLICYDB_VERSION_AVTAB, | 101 | .version = POLICYDB_VERSION_AVTAB, |
102 | .sym_num = SYM_NUM, | 102 | .sym_num = SYM_NUM, |
103 | .ocon_num = OCON_NUM, | 103 | .ocon_num = OCON_NUM, |
104 | }, | 104 | }, |
105 | { | 105 | { |
106 | .version = POLICYDB_VERSION_RANGETRANS, | 106 | .version = POLICYDB_VERSION_RANGETRANS, |
107 | .sym_num = SYM_NUM, | 107 | .sym_num = SYM_NUM, |
108 | .ocon_num = OCON_NUM, | 108 | .ocon_num = OCON_NUM, |
109 | }, | 109 | }, |
110 | { | 110 | { |
111 | .version = POLICYDB_VERSION_POLCAP, | 111 | .version = POLICYDB_VERSION_POLCAP, |
@@ -152,7 +152,7 @@ static int roles_init(struct policydb *p) | |||
152 | rc = -EINVAL; | 152 | rc = -EINVAL; |
153 | goto out_free_role; | 153 | goto out_free_role; |
154 | } | 154 | } |
155 | key = kmalloc(strlen(OBJECT_R)+1,GFP_KERNEL); | 155 | key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL); |
156 | if (!key) { | 156 | if (!key) { |
157 | rc = -ENOMEM; | 157 | rc = -ENOMEM; |
158 | goto out_free_role; | 158 | goto out_free_role; |
@@ -390,7 +390,7 @@ static void symtab_hash_eval(struct symtab *s) | |||
390 | struct hashtab_info info; | 390 | struct hashtab_info info; |
391 | 391 | ||
392 | hashtab_stat(h, &info); | 392 | hashtab_stat(h, &info); |
393 | printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, " | 393 | printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " |
394 | "longest chain length %d\n", symtab_name[i], h->nel, | 394 | "longest chain length %d\n", symtab_name[i], h->nel, |
395 | info.slots_used, h->size, info.max_chain_len); | 395 | info.slots_used, h->size, info.max_chain_len); |
396 | } | 396 | } |
@@ -424,7 +424,7 @@ static int policydb_index_others(struct policydb *p) | |||
424 | 424 | ||
425 | p->role_val_to_struct = | 425 | p->role_val_to_struct = |
426 | kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), | 426 | kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), |
427 | GFP_KERNEL); | 427 | GFP_KERNEL); |
428 | if (!p->role_val_to_struct) { | 428 | if (!p->role_val_to_struct) { |
429 | rc = -ENOMEM; | 429 | rc = -ENOMEM; |
430 | goto out; | 430 | goto out; |
@@ -432,7 +432,7 @@ static int policydb_index_others(struct policydb *p) | |||
432 | 432 | ||
433 | p->user_val_to_struct = | 433 | p->user_val_to_struct = |
434 | kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), | 434 | kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), |
435 | GFP_KERNEL); | 435 | GFP_KERNEL); |
436 | if (!p->user_val_to_struct) { | 436 | if (!p->user_val_to_struct) { |
437 | rc = -ENOMEM; | 437 | rc = -ENOMEM; |
438 | goto out; | 438 | goto out; |
@@ -634,7 +634,7 @@ void policydb_destroy(struct policydb *p) | |||
634 | while (c) { | 634 | while (c) { |
635 | ctmp = c; | 635 | ctmp = c; |
636 | c = c->next; | 636 | c = c->next; |
637 | ocontext_destroy(ctmp,i); | 637 | ocontext_destroy(ctmp, i); |
638 | } | 638 | } |
639 | p->ocontexts[i] = NULL; | 639 | p->ocontexts[i] = NULL; |
640 | } | 640 | } |
@@ -647,7 +647,7 @@ void policydb_destroy(struct policydb *p) | |||
647 | while (c) { | 647 | while (c) { |
648 | ctmp = c; | 648 | ctmp = c; |
649 | c = c->next; | 649 | c = c->next; |
650 | ocontext_destroy(ctmp,OCON_FSUSE); | 650 | ocontext_destroy(ctmp, OCON_FSUSE); |
651 | } | 651 | } |
652 | gtmp = g; | 652 | gtmp = g; |
653 | g = g->next; | 653 | g = g->next; |
@@ -664,14 +664,14 @@ void policydb_destroy(struct policydb *p) | |||
664 | } | 664 | } |
665 | kfree(ltr); | 665 | kfree(ltr); |
666 | 666 | ||
667 | for (ra = p->role_allow; ra; ra = ra -> next) { | 667 | for (ra = p->role_allow; ra; ra = ra->next) { |
668 | cond_resched(); | 668 | cond_resched(); |
669 | kfree(lra); | 669 | kfree(lra); |
670 | lra = ra; | 670 | lra = ra; |
671 | } | 671 | } |
672 | kfree(lra); | 672 | kfree(lra); |
673 | 673 | ||
674 | for (rt = p->range_tr; rt; rt = rt -> next) { | 674 | for (rt = p->range_tr; rt; rt = rt->next) { |
675 | cond_resched(); | 675 | cond_resched(); |
676 | if (lrt) { | 676 | if (lrt) { |
677 | ebitmap_destroy(&lrt->target_range.level[0].cat); | 677 | ebitmap_destroy(&lrt->target_range.level[0].cat); |
@@ -924,7 +924,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp) | |||
924 | len = le32_to_cpu(buf[0]); | 924 | len = le32_to_cpu(buf[0]); |
925 | perdatum->value = le32_to_cpu(buf[1]); | 925 | perdatum->value = le32_to_cpu(buf[1]); |
926 | 926 | ||
927 | key = kmalloc(len + 1,GFP_KERNEL); | 927 | key = kmalloc(len + 1, GFP_KERNEL); |
928 | if (!key) { | 928 | if (!key) { |
929 | rc = -ENOMEM; | 929 | rc = -ENOMEM; |
930 | goto bad; | 930 | goto bad; |
@@ -971,7 +971,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp) | |||
971 | comdatum->permissions.nprim = le32_to_cpu(buf[2]); | 971 | comdatum->permissions.nprim = le32_to_cpu(buf[2]); |
972 | nel = le32_to_cpu(buf[3]); | 972 | nel = le32_to_cpu(buf[3]); |
973 | 973 | ||
974 | key = kmalloc(len + 1,GFP_KERNEL); | 974 | key = kmalloc(len + 1, GFP_KERNEL); |
975 | if (!key) { | 975 | if (!key) { |
976 | rc = -ENOMEM; | 976 | rc = -ENOMEM; |
977 | goto bad; | 977 | goto bad; |
@@ -998,7 +998,7 @@ bad: | |||
998 | } | 998 | } |
999 | 999 | ||
1000 | static int read_cons_helper(struct constraint_node **nodep, int ncons, | 1000 | static int read_cons_helper(struct constraint_node **nodep, int ncons, |
1001 | int allowxtarget, void *fp) | 1001 | int allowxtarget, void *fp) |
1002 | { | 1002 | { |
1003 | struct constraint_node *c, *lc; | 1003 | struct constraint_node *c, *lc; |
1004 | struct constraint_expr *e, *le; | 1004 | struct constraint_expr *e, *le; |
@@ -1012,11 +1012,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons, | |||
1012 | if (!c) | 1012 | if (!c) |
1013 | return -ENOMEM; | 1013 | return -ENOMEM; |
1014 | 1014 | ||
1015 | if (lc) { | 1015 | if (lc) |
1016 | lc->next = c; | 1016 | lc->next = c; |
1017 | } else { | 1017 | else |
1018 | *nodep = c; | 1018 | *nodep = c; |
1019 | } | ||
1020 | 1019 | ||
1021 | rc = next_entry(buf, fp, (sizeof(u32) * 2)); | 1020 | rc = next_entry(buf, fp, (sizeof(u32) * 2)); |
1022 | if (rc < 0) | 1021 | if (rc < 0) |
@@ -1030,11 +1029,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons, | |||
1030 | if (!e) | 1029 | if (!e) |
1031 | return -ENOMEM; | 1030 | return -ENOMEM; |
1032 | 1031 | ||
1033 | if (le) { | 1032 | if (le) |
1034 | le->next = e; | 1033 | le->next = e; |
1035 | } else { | 1034 | else |
1036 | c->expr = e; | 1035 | c->expr = e; |
1037 | } | ||
1038 | 1036 | ||
1039 | rc = next_entry(buf, fp, (sizeof(u32) * 3)); | 1037 | rc = next_entry(buf, fp, (sizeof(u32) * 3)); |
1040 | if (rc < 0) | 1038 | if (rc < 0) |
@@ -1111,7 +1109,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1111 | 1109 | ||
1112 | ncons = le32_to_cpu(buf[5]); | 1110 | ncons = le32_to_cpu(buf[5]); |
1113 | 1111 | ||
1114 | key = kmalloc(len + 1,GFP_KERNEL); | 1112 | key = kmalloc(len + 1, GFP_KERNEL); |
1115 | if (!key) { | 1113 | if (!key) { |
1116 | rc = -ENOMEM; | 1114 | rc = -ENOMEM; |
1117 | goto bad; | 1115 | goto bad; |
@@ -1122,7 +1120,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1122 | key[len] = 0; | 1120 | key[len] = 0; |
1123 | 1121 | ||
1124 | if (len2) { | 1122 | if (len2) { |
1125 | cladatum->comkey = kmalloc(len2 + 1,GFP_KERNEL); | 1123 | cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL); |
1126 | if (!cladatum->comkey) { | 1124 | if (!cladatum->comkey) { |
1127 | rc = -ENOMEM; | 1125 | rc = -ENOMEM; |
1128 | goto bad; | 1126 | goto bad; |
@@ -1195,7 +1193,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1195 | len = le32_to_cpu(buf[0]); | 1193 | len = le32_to_cpu(buf[0]); |
1196 | role->value = le32_to_cpu(buf[1]); | 1194 | role->value = le32_to_cpu(buf[1]); |
1197 | 1195 | ||
1198 | key = kmalloc(len + 1,GFP_KERNEL); | 1196 | key = kmalloc(len + 1, GFP_KERNEL); |
1199 | if (!key) { | 1197 | if (!key) { |
1200 | rc = -ENOMEM; | 1198 | rc = -ENOMEM; |
1201 | goto bad; | 1199 | goto bad; |
@@ -1215,7 +1213,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1215 | 1213 | ||
1216 | if (strcmp(key, OBJECT_R) == 0) { | 1214 | if (strcmp(key, OBJECT_R) == 0) { |
1217 | if (role->value != OBJECT_R_VAL) { | 1215 | if (role->value != OBJECT_R_VAL) { |
1218 | printk(KERN_ERR "Role %s has wrong value %d\n", | 1216 | printk(KERN_ERR "SELinux: Role %s has wrong value %d\n", |
1219 | OBJECT_R, role->value); | 1217 | OBJECT_R, role->value); |
1220 | rc = -EINVAL; | 1218 | rc = -EINVAL; |
1221 | goto bad; | 1219 | goto bad; |
@@ -1242,7 +1240,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1242 | __le32 buf[3]; | 1240 | __le32 buf[3]; |
1243 | u32 len; | 1241 | u32 len; |
1244 | 1242 | ||
1245 | typdatum = kzalloc(sizeof(*typdatum),GFP_KERNEL); | 1243 | typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL); |
1246 | if (!typdatum) { | 1244 | if (!typdatum) { |
1247 | rc = -ENOMEM; | 1245 | rc = -ENOMEM; |
1248 | return rc; | 1246 | return rc; |
@@ -1256,7 +1254,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1256 | typdatum->value = le32_to_cpu(buf[1]); | 1254 | typdatum->value = le32_to_cpu(buf[1]); |
1257 | typdatum->primary = le32_to_cpu(buf[2]); | 1255 | typdatum->primary = le32_to_cpu(buf[2]); |
1258 | 1256 | ||
1259 | key = kmalloc(len + 1,GFP_KERNEL); | 1257 | key = kmalloc(len + 1, GFP_KERNEL); |
1260 | if (!key) { | 1258 | if (!key) { |
1261 | rc = -ENOMEM; | 1259 | rc = -ENOMEM; |
1262 | goto bad; | 1260 | goto bad; |
@@ -1328,7 +1326,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1328 | len = le32_to_cpu(buf[0]); | 1326 | len = le32_to_cpu(buf[0]); |
1329 | usrdatum->value = le32_to_cpu(buf[1]); | 1327 | usrdatum->value = le32_to_cpu(buf[1]); |
1330 | 1328 | ||
1331 | key = kmalloc(len + 1,GFP_KERNEL); | 1329 | key = kmalloc(len + 1, GFP_KERNEL); |
1332 | if (!key) { | 1330 | if (!key) { |
1333 | rc = -ENOMEM; | 1331 | rc = -ENOMEM; |
1334 | goto bad; | 1332 | goto bad; |
@@ -1382,7 +1380,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1382 | len = le32_to_cpu(buf[0]); | 1380 | len = le32_to_cpu(buf[0]); |
1383 | levdatum->isalias = le32_to_cpu(buf[1]); | 1381 | levdatum->isalias = le32_to_cpu(buf[1]); |
1384 | 1382 | ||
1385 | key = kmalloc(len + 1,GFP_ATOMIC); | 1383 | key = kmalloc(len + 1, GFP_ATOMIC); |
1386 | if (!key) { | 1384 | if (!key) { |
1387 | rc = -ENOMEM; | 1385 | rc = -ENOMEM; |
1388 | goto bad; | 1386 | goto bad; |
@@ -1434,7 +1432,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp) | |||
1434 | catdatum->value = le32_to_cpu(buf[1]); | 1432 | catdatum->value = le32_to_cpu(buf[1]); |
1435 | catdatum->isalias = le32_to_cpu(buf[2]); | 1433 | catdatum->isalias = le32_to_cpu(buf[2]); |
1436 | 1434 | ||
1437 | key = kmalloc(len + 1,GFP_ATOMIC); | 1435 | key = kmalloc(len + 1, GFP_ATOMIC); |
1438 | if (!key) { | 1436 | if (!key) { |
1439 | rc = -ENOMEM; | 1437 | rc = -ENOMEM; |
1440 | goto bad; | 1438 | goto bad; |
@@ -1493,7 +1491,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1493 | goto out; | 1491 | goto out; |
1494 | 1492 | ||
1495 | /* Read the magic number and string length. */ | 1493 | /* Read the magic number and string length. */ |
1496 | rc = next_entry(buf, fp, sizeof(u32)* 2); | 1494 | rc = next_entry(buf, fp, sizeof(u32) * 2); |
1497 | if (rc < 0) | 1495 | if (rc < 0) |
1498 | goto bad; | 1496 | goto bad; |
1499 | 1497 | ||
@@ -1511,7 +1509,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1511 | len, strlen(POLICYDB_STRING)); | 1509 | len, strlen(POLICYDB_STRING)); |
1512 | goto bad; | 1510 | goto bad; |
1513 | } | 1511 | } |
1514 | policydb_str = kmalloc(len + 1,GFP_KERNEL); | 1512 | policydb_str = kmalloc(len + 1, GFP_KERNEL); |
1515 | if (!policydb_str) { | 1513 | if (!policydb_str) { |
1516 | printk(KERN_ERR "SELinux: unable to allocate memory for policydb " | 1514 | printk(KERN_ERR "SELinux: unable to allocate memory for policydb " |
1517 | "string of length %d\n", len); | 1515 | "string of length %d\n", len); |
@@ -1544,29 +1542,30 @@ int policydb_read(struct policydb *p, void *fp) | |||
1544 | if (p->policyvers < POLICYDB_VERSION_MIN || | 1542 | if (p->policyvers < POLICYDB_VERSION_MIN || |
1545 | p->policyvers > POLICYDB_VERSION_MAX) { | 1543 | p->policyvers > POLICYDB_VERSION_MAX) { |
1546 | printk(KERN_ERR "SELinux: policydb version %d does not match " | 1544 | printk(KERN_ERR "SELinux: policydb version %d does not match " |
1547 | "my version range %d-%d\n", | 1545 | "my version range %d-%d\n", |
1548 | le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); | 1546 | le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); |
1549 | goto bad; | 1547 | goto bad; |
1550 | } | 1548 | } |
1551 | 1549 | ||
1552 | if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { | 1550 | if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { |
1553 | if (ss_initialized && !selinux_mls_enabled) { | 1551 | if (ss_initialized && !selinux_mls_enabled) { |
1554 | printk(KERN_ERR "Cannot switch between non-MLS and MLS " | 1552 | printk(KERN_ERR "SELinux: Cannot switch between non-MLS" |
1555 | "policies\n"); | 1553 | " and MLS policies\n"); |
1556 | goto bad; | 1554 | goto bad; |
1557 | } | 1555 | } |
1558 | selinux_mls_enabled = 1; | 1556 | selinux_mls_enabled = 1; |
1559 | config |= POLICYDB_CONFIG_MLS; | 1557 | config |= POLICYDB_CONFIG_MLS; |
1560 | 1558 | ||
1561 | if (p->policyvers < POLICYDB_VERSION_MLS) { | 1559 | if (p->policyvers < POLICYDB_VERSION_MLS) { |
1562 | printk(KERN_ERR "security policydb version %d (MLS) " | 1560 | printk(KERN_ERR "SELinux: security policydb version %d " |
1563 | "not backwards compatible\n", p->policyvers); | 1561 | "(MLS) not backwards compatible\n", |
1562 | p->policyvers); | ||
1564 | goto bad; | 1563 | goto bad; |
1565 | } | 1564 | } |
1566 | } else { | 1565 | } else { |
1567 | if (ss_initialized && selinux_mls_enabled) { | 1566 | if (ss_initialized && selinux_mls_enabled) { |
1568 | printk(KERN_ERR "Cannot switch between MLS and non-MLS " | 1567 | printk(KERN_ERR "SELinux: Cannot switch between MLS and" |
1569 | "policies\n"); | 1568 | " non-MLS policies\n"); |
1570 | goto bad; | 1569 | goto bad; |
1571 | } | 1570 | } |
1572 | } | 1571 | } |
@@ -1633,11 +1632,10 @@ int policydb_read(struct policydb *p, void *fp) | |||
1633 | rc = -ENOMEM; | 1632 | rc = -ENOMEM; |
1634 | goto bad; | 1633 | goto bad; |
1635 | } | 1634 | } |
1636 | if (ltr) { | 1635 | if (ltr) |
1637 | ltr->next = tr; | 1636 | ltr->next = tr; |
1638 | } else { | 1637 | else |
1639 | p->role_tr = tr; | 1638 | p->role_tr = tr; |
1640 | } | ||
1641 | rc = next_entry(buf, fp, sizeof(u32)*3); | 1639 | rc = next_entry(buf, fp, sizeof(u32)*3); |
1642 | if (rc < 0) | 1640 | if (rc < 0) |
1643 | goto bad; | 1641 | goto bad; |
@@ -1664,11 +1662,10 @@ int policydb_read(struct policydb *p, void *fp) | |||
1664 | rc = -ENOMEM; | 1662 | rc = -ENOMEM; |
1665 | goto bad; | 1663 | goto bad; |
1666 | } | 1664 | } |
1667 | if (lra) { | 1665 | if (lra) |
1668 | lra->next = ra; | 1666 | lra->next = ra; |
1669 | } else { | 1667 | else |
1670 | p->role_allow = ra; | 1668 | p->role_allow = ra; |
1671 | } | ||
1672 | rc = next_entry(buf, fp, sizeof(u32)*2); | 1669 | rc = next_entry(buf, fp, sizeof(u32)*2); |
1673 | if (rc < 0) | 1670 | if (rc < 0) |
1674 | goto bad; | 1671 | goto bad; |
@@ -1702,11 +1699,10 @@ int policydb_read(struct policydb *p, void *fp) | |||
1702 | rc = -ENOMEM; | 1699 | rc = -ENOMEM; |
1703 | goto bad; | 1700 | goto bad; |
1704 | } | 1701 | } |
1705 | if (l) { | 1702 | if (l) |
1706 | l->next = c; | 1703 | l->next = c; |
1707 | } else { | 1704 | else |
1708 | p->ocontexts[i] = c; | 1705 | p->ocontexts[i] = c; |
1709 | } | ||
1710 | l = c; | 1706 | l = c; |
1711 | rc = -EINVAL; | 1707 | rc = -EINVAL; |
1712 | switch (i) { | 1708 | switch (i) { |
@@ -1725,7 +1721,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1725 | if (rc < 0) | 1721 | if (rc < 0) |
1726 | goto bad; | 1722 | goto bad; |
1727 | len = le32_to_cpu(buf[0]); | 1723 | len = le32_to_cpu(buf[0]); |
1728 | c->u.name = kmalloc(len + 1,GFP_KERNEL); | 1724 | c->u.name = kmalloc(len + 1, GFP_KERNEL); |
1729 | if (!c->u.name) { | 1725 | if (!c->u.name) { |
1730 | rc = -ENOMEM; | 1726 | rc = -ENOMEM; |
1731 | goto bad; | 1727 | goto bad; |
@@ -1753,7 +1749,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1753 | goto bad; | 1749 | goto bad; |
1754 | break; | 1750 | break; |
1755 | case OCON_NODE: | 1751 | case OCON_NODE: |
1756 | rc = next_entry(buf, fp, sizeof(u32)* 2); | 1752 | rc = next_entry(buf, fp, sizeof(u32) * 2); |
1757 | if (rc < 0) | 1753 | if (rc < 0) |
1758 | goto bad; | 1754 | goto bad; |
1759 | c->u.node.addr = le32_to_cpu(buf[0]); | 1755 | c->u.node.addr = le32_to_cpu(buf[0]); |
@@ -1770,7 +1766,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1770 | if (c->v.behavior > SECURITY_FS_USE_NONE) | 1766 | if (c->v.behavior > SECURITY_FS_USE_NONE) |
1771 | goto bad; | 1767 | goto bad; |
1772 | len = le32_to_cpu(buf[1]); | 1768 | len = le32_to_cpu(buf[1]); |
1773 | c->u.name = kmalloc(len + 1,GFP_KERNEL); | 1769 | c->u.name = kmalloc(len + 1, GFP_KERNEL); |
1774 | if (!c->u.name) { | 1770 | if (!c->u.name) { |
1775 | rc = -ENOMEM; | 1771 | rc = -ENOMEM; |
1776 | goto bad; | 1772 | goto bad; |
@@ -1818,7 +1814,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1818 | goto bad; | 1814 | goto bad; |
1819 | } | 1815 | } |
1820 | 1816 | ||
1821 | newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL); | 1817 | newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL); |
1822 | if (!newgenfs->fstype) { | 1818 | if (!newgenfs->fstype) { |
1823 | rc = -ENOMEM; | 1819 | rc = -ENOMEM; |
1824 | kfree(newgenfs); | 1820 | kfree(newgenfs); |
@@ -1864,7 +1860,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1864 | goto bad; | 1860 | goto bad; |
1865 | } | 1861 | } |
1866 | 1862 | ||
1867 | newc->u.name = kmalloc(len + 1,GFP_KERNEL); | 1863 | newc->u.name = kmalloc(len + 1, GFP_KERNEL); |
1868 | if (!newc->u.name) { | 1864 | if (!newc->u.name) { |
1869 | rc = -ENOMEM; | 1865 | rc = -ENOMEM; |
1870 | goto bad_newc; | 1866 | goto bad_newc; |
@@ -1968,7 +1964,7 @@ int policydb_read(struct policydb *p, void *fp) | |||
1968 | out: | 1964 | out: |
1969 | return rc; | 1965 | return rc; |
1970 | bad_newc: | 1966 | bad_newc: |
1971 | ocontext_destroy(newc,OCON_FSUSE); | 1967 | ocontext_destroy(newc, OCON_FSUSE); |
1972 | bad: | 1968 | bad: |
1973 | if (!rc) | 1969 | if (!rc) |
1974 | rc = -EINVAL; | 1970 | rc = -EINVAL; |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index b341b8fd8c7c..2daaddbb301d 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -2,7 +2,7 @@ | |||
2 | * Implementation of the security services. | 2 | * Implementation of the security services. |
3 | * | 3 | * |
4 | * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> | 4 | * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> |
5 | * James Morris <jmorris@redhat.com> | 5 | * James Morris <jmorris@redhat.com> |
6 | * | 6 | * |
7 | * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> | 7 | * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> |
8 | * | 8 | * |
@@ -11,7 +11,7 @@ | |||
11 | * | 11 | * |
12 | * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> | 12 | * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> |
13 | * | 13 | * |
14 | * Added conditional policy language extensions | 14 | * Added conditional policy language extensions |
15 | * | 15 | * |
16 | * Updated: Hewlett-Packard <paul.moore@hp.com> | 16 | * Updated: Hewlett-Packard <paul.moore@hp.com> |
17 | * | 17 | * |
@@ -27,7 +27,7 @@ | |||
27 | * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC | 27 | * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC |
28 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | 28 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> |
29 | * This program is free software; you can redistribute it and/or modify | 29 | * This program is free software; you can redistribute it and/or modify |
30 | * it under the terms of the GNU General Public License as published by | 30 | * it under the terms of the GNU General Public License as published by |
31 | * the Free Software Foundation, version 2. | 31 | * the Free Software Foundation, version 2. |
32 | */ | 32 | */ |
33 | #include <linux/kernel.h> | 33 | #include <linux/kernel.h> |
@@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex); | |||
82 | 82 | ||
83 | static struct sidtab sidtab; | 83 | static struct sidtab sidtab; |
84 | struct policydb policydb; | 84 | struct policydb policydb; |
85 | int ss_initialized = 0; | 85 | int ss_initialized; |
86 | 86 | ||
87 | /* | 87 | /* |
88 | * The largest sequence number that has been used when | 88 | * The largest sequence number that has been used when |
@@ -90,7 +90,7 @@ int ss_initialized = 0; | |||
90 | * The sequence number only changes when a policy change | 90 | * The sequence number only changes when a policy change |
91 | * occurs. | 91 | * occurs. |
92 | */ | 92 | */ |
93 | static u32 latest_granting = 0; | 93 | static u32 latest_granting; |
94 | 94 | ||
95 | /* Forward declaration. */ | 95 | /* Forward declaration. */ |
96 | static int context_struct_to_string(struct context *context, char **scontext, | 96 | static int context_struct_to_string(struct context *context, char **scontext, |
@@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext, | |||
163 | val1 - 1); | 163 | val1 - 1); |
164 | continue; | 164 | continue; |
165 | case CEXPR_INCOMP: | 165 | case CEXPR_INCOMP: |
166 | s[++sp] = ( !ebitmap_get_bit(&r1->dominates, | 166 | s[++sp] = (!ebitmap_get_bit(&r1->dominates, |
167 | val2 - 1) && | 167 | val2 - 1) && |
168 | !ebitmap_get_bit(&r2->dominates, | 168 | !ebitmap_get_bit(&r2->dominates, |
169 | val1 - 1) ); | 169 | val1 - 1)); |
170 | continue; | 170 | continue; |
171 | default: | 171 | default: |
172 | break; | 172 | break; |
@@ -409,13 +409,14 @@ static int context_struct_compute_av(struct context *scontext, | |||
409 | } | 409 | } |
410 | if (!ra) | 410 | if (!ra) |
411 | avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | | 411 | avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | |
412 | PROCESS__DYNTRANSITION); | 412 | PROCESS__DYNTRANSITION); |
413 | } | 413 | } |
414 | 414 | ||
415 | return 0; | 415 | return 0; |
416 | 416 | ||
417 | inval_class: | 417 | inval_class: |
418 | printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass); | 418 | printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__, |
419 | tclass); | ||
419 | return -EINVAL; | 420 | return -EINVAL; |
420 | } | 421 | } |
421 | 422 | ||
@@ -445,9 +446,9 @@ int security_permissive_sid(u32 sid) | |||
445 | } | 446 | } |
446 | 447 | ||
447 | static int security_validtrans_handle_fail(struct context *ocontext, | 448 | static int security_validtrans_handle_fail(struct context *ocontext, |
448 | struct context *ncontext, | 449 | struct context *ncontext, |
449 | struct context *tcontext, | 450 | struct context *tcontext, |
450 | u16 tclass) | 451 | u16 tclass) |
451 | { | 452 | { |
452 | char *o = NULL, *n = NULL, *t = NULL; | 453 | char *o = NULL, *n = NULL, *t = NULL; |
453 | u32 olen, nlen, tlen; | 454 | u32 olen, nlen, tlen; |
@@ -459,9 +460,9 @@ static int security_validtrans_handle_fail(struct context *ocontext, | |||
459 | if (context_struct_to_string(tcontext, &t, &tlen) < 0) | 460 | if (context_struct_to_string(tcontext, &t, &tlen) < 0) |
460 | goto out; | 461 | goto out; |
461 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 462 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
462 | "security_validate_transition: denied for" | 463 | "security_validate_transition: denied for" |
463 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", | 464 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", |
464 | o, n, t, policydb.p_class_val_to_name[tclass-1]); | 465 | o, n, t, policydb.p_class_val_to_name[tclass-1]); |
465 | out: | 466 | out: |
466 | kfree(o); | 467 | kfree(o); |
467 | kfree(n); | 468 | kfree(n); |
@@ -473,7 +474,7 @@ out: | |||
473 | } | 474 | } |
474 | 475 | ||
475 | int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | 476 | int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, |
476 | u16 tclass) | 477 | u16 tclass) |
477 | { | 478 | { |
478 | struct context *ocontext; | 479 | struct context *ocontext; |
479 | struct context *ncontext; | 480 | struct context *ncontext; |
@@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |||
499 | tclass = SECCLASS_NETLINK_SOCKET; | 500 | tclass = SECCLASS_NETLINK_SOCKET; |
500 | 501 | ||
501 | if (!tclass || tclass > policydb.p_classes.nprim) { | 502 | if (!tclass || tclass > policydb.p_classes.nprim) { |
502 | printk(KERN_ERR "security_validate_transition: " | 503 | printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", |
503 | "unrecognized class %d\n", tclass); | 504 | __func__, tclass); |
504 | rc = -EINVAL; | 505 | rc = -EINVAL; |
505 | goto out; | 506 | goto out; |
506 | } | 507 | } |
@@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |||
508 | 509 | ||
509 | ocontext = sidtab_search(&sidtab, oldsid); | 510 | ocontext = sidtab_search(&sidtab, oldsid); |
510 | if (!ocontext) { | 511 | if (!ocontext) { |
511 | printk(KERN_ERR "security_validate_transition: " | 512 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
512 | " unrecognized SID %d\n", oldsid); | 513 | __func__, oldsid); |
513 | rc = -EINVAL; | 514 | rc = -EINVAL; |
514 | goto out; | 515 | goto out; |
515 | } | 516 | } |
516 | 517 | ||
517 | ncontext = sidtab_search(&sidtab, newsid); | 518 | ncontext = sidtab_search(&sidtab, newsid); |
518 | if (!ncontext) { | 519 | if (!ncontext) { |
519 | printk(KERN_ERR "security_validate_transition: " | 520 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
520 | " unrecognized SID %d\n", newsid); | 521 | __func__, newsid); |
521 | rc = -EINVAL; | 522 | rc = -EINVAL; |
522 | goto out; | 523 | goto out; |
523 | } | 524 | } |
524 | 525 | ||
525 | tcontext = sidtab_search(&sidtab, tasksid); | 526 | tcontext = sidtab_search(&sidtab, tasksid); |
526 | if (!tcontext) { | 527 | if (!tcontext) { |
527 | printk(KERN_ERR "security_validate_transition: " | 528 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
528 | " unrecognized SID %d\n", tasksid); | 529 | __func__, tasksid); |
529 | rc = -EINVAL; | 530 | rc = -EINVAL; |
530 | goto out; | 531 | goto out; |
531 | } | 532 | } |
@@ -533,9 +534,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |||
533 | constraint = tclass_datum->validatetrans; | 534 | constraint = tclass_datum->validatetrans; |
534 | while (constraint) { | 535 | while (constraint) { |
535 | if (!constraint_expr_eval(ocontext, ncontext, tcontext, | 536 | if (!constraint_expr_eval(ocontext, ncontext, tcontext, |
536 | constraint->expr)) { | 537 | constraint->expr)) { |
537 | rc = security_validtrans_handle_fail(ocontext, ncontext, | 538 | rc = security_validtrans_handle_fail(ocontext, ncontext, |
538 | tcontext, tclass); | 539 | tcontext, tclass); |
539 | goto out; | 540 | goto out; |
540 | } | 541 | } |
541 | constraint = constraint->next; | 542 | constraint = constraint->next; |
@@ -581,15 +582,15 @@ int security_compute_av(u32 ssid, | |||
581 | 582 | ||
582 | scontext = sidtab_search(&sidtab, ssid); | 583 | scontext = sidtab_search(&sidtab, ssid); |
583 | if (!scontext) { | 584 | if (!scontext) { |
584 | printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", | 585 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
585 | ssid); | 586 | __func__, ssid); |
586 | rc = -EINVAL; | 587 | rc = -EINVAL; |
587 | goto out; | 588 | goto out; |
588 | } | 589 | } |
589 | tcontext = sidtab_search(&sidtab, tsid); | 590 | tcontext = sidtab_search(&sidtab, tsid); |
590 | if (!tcontext) { | 591 | if (!tcontext) { |
591 | printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", | 592 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
592 | tsid); | 593 | __func__, tsid); |
593 | rc = -EINVAL; | 594 | rc = -EINVAL; |
594 | goto out; | 595 | goto out; |
595 | } | 596 | } |
@@ -623,9 +624,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 | |||
623 | 624 | ||
624 | /* Allocate space for the context; caller must free this space. */ | 625 | /* Allocate space for the context; caller must free this space. */ |
625 | scontextp = kmalloc(*scontext_len, GFP_ATOMIC); | 626 | scontextp = kmalloc(*scontext_len, GFP_ATOMIC); |
626 | if (!scontextp) { | 627 | if (!scontextp) |
627 | return -ENOMEM; | 628 | return -ENOMEM; |
628 | } | ||
629 | *scontext = scontextp; | 629 | *scontext = scontextp; |
630 | 630 | ||
631 | /* | 631 | /* |
@@ -636,8 +636,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 | |||
636 | policydb.p_role_val_to_name[context->role - 1], | 636 | policydb.p_role_val_to_name[context->role - 1], |
637 | policydb.p_type_val_to_name[context->type - 1]); | 637 | policydb.p_type_val_to_name[context->type - 1]); |
638 | scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + | 638 | scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + |
639 | 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + | 639 | 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + |
640 | 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); | 640 | 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); |
641 | 641 | ||
642 | mls_sid_to_context(context, &scontextp); | 642 | mls_sid_to_context(context, &scontextp); |
643 | 643 | ||
@@ -678,7 +678,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) | |||
678 | char *scontextp; | 678 | char *scontextp; |
679 | 679 | ||
680 | *scontext_len = strlen(initial_sid_to_string[sid]) + 1; | 680 | *scontext_len = strlen(initial_sid_to_string[sid]) + 1; |
681 | scontextp = kmalloc(*scontext_len,GFP_ATOMIC); | 681 | scontextp = kmalloc(*scontext_len, GFP_ATOMIC); |
682 | if (!scontextp) { | 682 | if (!scontextp) { |
683 | rc = -ENOMEM; | 683 | rc = -ENOMEM; |
684 | goto out; | 684 | goto out; |
@@ -687,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) | |||
687 | *scontext = scontextp; | 687 | *scontext = scontextp; |
688 | goto out; | 688 | goto out; |
689 | } | 689 | } |
690 | printk(KERN_ERR "security_sid_to_context: called before initial " | 690 | printk(KERN_ERR "SELinux: %s: called before initial " |
691 | "load_policy on unknown SID %d\n", sid); | 691 | "load_policy on unknown SID %d\n", __func__, sid); |
692 | rc = -EINVAL; | 692 | rc = -EINVAL; |
693 | goto out; | 693 | goto out; |
694 | } | 694 | } |
695 | POLICY_RDLOCK; | 695 | POLICY_RDLOCK; |
696 | context = sidtab_search(&sidtab, sid); | 696 | context = sidtab_search(&sidtab, sid); |
697 | if (!context) { | 697 | if (!context) { |
698 | printk(KERN_ERR "security_sid_to_context: unrecognized SID " | 698 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
699 | "%d\n", sid); | 699 | __func__, sid); |
700 | rc = -EINVAL; | 700 | rc = -EINVAL; |
701 | goto out_unlock; | 701 | goto out_unlock; |
702 | } | 702 | } |
@@ -926,15 +926,15 @@ static int security_compute_sid(u32 ssid, | |||
926 | 926 | ||
927 | scontext = sidtab_search(&sidtab, ssid); | 927 | scontext = sidtab_search(&sidtab, ssid); |
928 | if (!scontext) { | 928 | if (!scontext) { |
929 | printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", | 929 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
930 | ssid); | 930 | __func__, ssid); |
931 | rc = -EINVAL; | 931 | rc = -EINVAL; |
932 | goto out_unlock; | 932 | goto out_unlock; |
933 | } | 933 | } |
934 | tcontext = sidtab_search(&sidtab, tsid); | 934 | tcontext = sidtab_search(&sidtab, tsid); |
935 | if (!tcontext) { | 935 | if (!tcontext) { |
936 | printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", | 936 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
937 | tsid); | 937 | __func__, tsid); |
938 | rc = -EINVAL; | 938 | rc = -EINVAL; |
939 | goto out_unlock; | 939 | goto out_unlock; |
940 | } | 940 | } |
@@ -974,7 +974,7 @@ static int security_compute_sid(u32 ssid, | |||
974 | avdatum = avtab_search(&policydb.te_avtab, &avkey); | 974 | avdatum = avtab_search(&policydb.te_avtab, &avkey); |
975 | 975 | ||
976 | /* If no permanent rule, also check for enabled conditional rules */ | 976 | /* If no permanent rule, also check for enabled conditional rules */ |
977 | if(!avdatum) { | 977 | if (!avdatum) { |
978 | node = avtab_search_node(&policydb.te_cond_avtab, &avkey); | 978 | node = avtab_search_node(&policydb.te_cond_avtab, &avkey); |
979 | for (; node != NULL; node = avtab_search_node_next(node, specified)) { | 979 | for (; node != NULL; node = avtab_search_node_next(node, specified)) { |
980 | if (node->key.specified & AVTAB_ENABLED) { | 980 | if (node->key.specified & AVTAB_ENABLED) { |
@@ -1288,26 +1288,23 @@ static int convert_context(u32 key, | |||
1288 | 1288 | ||
1289 | /* Convert the user. */ | 1289 | /* Convert the user. */ |
1290 | usrdatum = hashtab_search(args->newp->p_users.table, | 1290 | usrdatum = hashtab_search(args->newp->p_users.table, |
1291 | args->oldp->p_user_val_to_name[c->user - 1]); | 1291 | args->oldp->p_user_val_to_name[c->user - 1]); |
1292 | if (!usrdatum) { | 1292 | if (!usrdatum) |
1293 | goto bad; | 1293 | goto bad; |
1294 | } | ||
1295 | c->user = usrdatum->value; | 1294 | c->user = usrdatum->value; |
1296 | 1295 | ||
1297 | /* Convert the role. */ | 1296 | /* Convert the role. */ |
1298 | role = hashtab_search(args->newp->p_roles.table, | 1297 | role = hashtab_search(args->newp->p_roles.table, |
1299 | args->oldp->p_role_val_to_name[c->role - 1]); | 1298 | args->oldp->p_role_val_to_name[c->role - 1]); |
1300 | if (!role) { | 1299 | if (!role) |
1301 | goto bad; | 1300 | goto bad; |
1302 | } | ||
1303 | c->role = role->value; | 1301 | c->role = role->value; |
1304 | 1302 | ||
1305 | /* Convert the type. */ | 1303 | /* Convert the type. */ |
1306 | typdatum = hashtab_search(args->newp->p_types.table, | 1304 | typdatum = hashtab_search(args->newp->p_types.table, |
1307 | args->oldp->p_type_val_to_name[c->type - 1]); | 1305 | args->oldp->p_type_val_to_name[c->type - 1]); |
1308 | if (!typdatum) { | 1306 | if (!typdatum) |
1309 | goto bad; | 1307 | goto bad; |
1310 | } | ||
1311 | c->type = typdatum->value; | 1308 | c->type = typdatum->value; |
1312 | 1309 | ||
1313 | rc = mls_convert_context(args->oldp, args->newp, c); | 1310 | rc = mls_convert_context(args->oldp, args->newp, c); |
@@ -1556,8 +1553,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) | |||
1556 | { | 1553 | { |
1557 | int i, fail = 0; | 1554 | int i, fail = 0; |
1558 | 1555 | ||
1559 | for(i = 0; i < 4; i++) | 1556 | for (i = 0; i < 4; i++) |
1560 | if(addr[i] != (input[i] & mask[i])) { | 1557 | if (addr[i] != (input[i] & mask[i])) { |
1561 | fail = 1; | 1558 | fail = 1; |
1562 | break; | 1559 | break; |
1563 | } | 1560 | } |
@@ -1656,7 +1653,7 @@ out: | |||
1656 | */ | 1653 | */ |
1657 | 1654 | ||
1658 | int security_get_user_sids(u32 fromsid, | 1655 | int security_get_user_sids(u32 fromsid, |
1659 | char *username, | 1656 | char *username, |
1660 | u32 **sids, | 1657 | u32 **sids, |
1661 | u32 *nel) | 1658 | u32 *nel) |
1662 | { | 1659 | { |
@@ -1766,7 +1763,7 @@ out: | |||
1766 | * transition SIDs or task SIDs. | 1763 | * transition SIDs or task SIDs. |
1767 | */ | 1764 | */ |
1768 | int security_genfs_sid(const char *fstype, | 1765 | int security_genfs_sid(const char *fstype, |
1769 | char *path, | 1766 | char *path, |
1770 | u16 sclass, | 1767 | u16 sclass, |
1771 | u32 *sid) | 1768 | u32 *sid) |
1772 | { | 1769 | { |
@@ -1881,7 +1878,7 @@ int security_get_bools(int *len, char ***names, int **values) | |||
1881 | goto out; | 1878 | goto out; |
1882 | } | 1879 | } |
1883 | 1880 | ||
1884 | *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); | 1881 | *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); |
1885 | if (!*names) | 1882 | if (!*names) |
1886 | goto err; | 1883 | goto err; |
1887 | 1884 | ||
@@ -1893,7 +1890,7 @@ int security_get_bools(int *len, char ***names, int **values) | |||
1893 | size_t name_len; | 1890 | size_t name_len; |
1894 | (*values)[i] = policydb.bool_val_to_struct[i]->state; | 1891 | (*values)[i] = policydb.bool_val_to_struct[i]->state; |
1895 | name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; | 1892 | name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; |
1896 | (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); | 1893 | (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); |
1897 | if (!(*names)[i]) | 1894 | if (!(*names)[i]) |
1898 | goto err; | 1895 | goto err; |
1899 | strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); | 1896 | strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); |
@@ -1938,11 +1935,10 @@ int security_set_bools(int len, int *values) | |||
1938 | audit_get_loginuid(current), | 1935 | audit_get_loginuid(current), |
1939 | audit_get_sessionid(current)); | 1936 | audit_get_sessionid(current)); |
1940 | } | 1937 | } |
1941 | if (values[i]) { | 1938 | if (values[i]) |
1942 | policydb.bool_val_to_struct[i]->state = 1; | 1939 | policydb.bool_val_to_struct[i]->state = 1; |
1943 | } else { | 1940 | else |
1944 | policydb.bool_val_to_struct[i]->state = 0; | 1941 | policydb.bool_val_to_struct[i]->state = 0; |
1945 | } | ||
1946 | } | 1942 | } |
1947 | 1943 | ||
1948 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { | 1944 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { |
@@ -2036,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) | |||
2036 | POLICY_RDLOCK; | 2032 | POLICY_RDLOCK; |
2037 | context1 = sidtab_search(&sidtab, sid); | 2033 | context1 = sidtab_search(&sidtab, sid); |
2038 | if (!context1) { | 2034 | if (!context1) { |
2039 | printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " | 2035 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
2040 | "%d\n", sid); | 2036 | __func__, sid); |
2041 | rc = -EINVAL; | 2037 | rc = -EINVAL; |
2042 | goto out_unlock; | 2038 | goto out_unlock; |
2043 | } | 2039 | } |
2044 | 2040 | ||
2045 | context2 = sidtab_search(&sidtab, mls_sid); | 2041 | context2 = sidtab_search(&sidtab, mls_sid); |
2046 | if (!context2) { | 2042 | if (!context2) { |
2047 | printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " | 2043 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
2048 | "%d\n", mls_sid); | 2044 | __func__, mls_sid); |
2049 | rc = -EINVAL; | 2045 | rc = -EINVAL; |
2050 | goto out_unlock; | 2046 | goto out_unlock; |
2051 | } | 2047 | } |
@@ -2136,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, | |||
2136 | 2132 | ||
2137 | nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); | 2133 | nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); |
2138 | if (!nlbl_ctx) { | 2134 | if (!nlbl_ctx) { |
2139 | printk(KERN_ERR | 2135 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
2140 | "security_sid_mls_cmp: unrecognized SID %d\n", | 2136 | __func__, nlbl_sid); |
2141 | nlbl_sid); | ||
2142 | rc = -EINVAL; | 2137 | rc = -EINVAL; |
2143 | goto out_slowpath; | 2138 | goto out_slowpath; |
2144 | } | 2139 | } |
2145 | xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); | 2140 | xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); |
2146 | if (!xfrm_ctx) { | 2141 | if (!xfrm_ctx) { |
2147 | printk(KERN_ERR | 2142 | printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", |
2148 | "security_sid_mls_cmp: unrecognized SID %d\n", | 2143 | __func__, xfrm_sid); |
2149 | xfrm_sid); | ||
2150 | rc = -EINVAL; | 2144 | rc = -EINVAL; |
2151 | goto out_slowpath; | 2145 | goto out_slowpath; |
2152 | } | 2146 | } |
@@ -2226,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms) | |||
2226 | 2220 | ||
2227 | match = hashtab_search(policydb.p_classes.table, class); | 2221 | match = hashtab_search(policydb.p_classes.table, class); |
2228 | if (!match) { | 2222 | if (!match) { |
2229 | printk(KERN_ERR "%s: unrecognized class %s\n", | 2223 | printk(KERN_ERR "SELinux: %s: unrecognized class %s\n", |
2230 | __func__, class); | 2224 | __func__, class); |
2231 | rc = -EINVAL; | 2225 | rc = -EINVAL; |
2232 | goto out; | 2226 | goto out; |
@@ -2435,7 +2429,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
2435 | 2429 | ||
2436 | if (!rule) { | 2430 | if (!rule) { |
2437 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 2431 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
2438 | "selinux_audit_rule_match: missing rule\n"); | 2432 | "selinux_audit_rule_match: missing rule\n"); |
2439 | return -ENOENT; | 2433 | return -ENOENT; |
2440 | } | 2434 | } |
2441 | 2435 | ||
@@ -2443,7 +2437,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
2443 | 2437 | ||
2444 | if (rule->au_seqno < latest_granting) { | 2438 | if (rule->au_seqno < latest_granting) { |
2445 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 2439 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
2446 | "selinux_audit_rule_match: stale rule\n"); | 2440 | "selinux_audit_rule_match: stale rule\n"); |
2447 | match = -ESTALE; | 2441 | match = -ESTALE; |
2448 | goto out; | 2442 | goto out; |
2449 | } | 2443 | } |
@@ -2451,8 +2445,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
2451 | ctxt = sidtab_search(&sidtab, sid); | 2445 | ctxt = sidtab_search(&sidtab, sid); |
2452 | if (!ctxt) { | 2446 | if (!ctxt) { |
2453 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 2447 | audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
2454 | "selinux_audit_rule_match: unrecognized SID %d\n", | 2448 | "selinux_audit_rule_match: unrecognized SID %d\n", |
2455 | sid); | 2449 | sid); |
2456 | match = -ENOENT; | 2450 | match = -ENOENT; |
2457 | goto out; | 2451 | goto out; |
2458 | } | 2452 | } |
@@ -2498,36 +2492,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | |||
2498 | case AUDIT_OBJ_LEV_LOW: | 2492 | case AUDIT_OBJ_LEV_LOW: |
2499 | case AUDIT_OBJ_LEV_HIGH: | 2493 | case AUDIT_OBJ_LEV_HIGH: |
2500 | level = ((field == AUDIT_SUBJ_SEN || | 2494 | level = ((field == AUDIT_SUBJ_SEN || |
2501 | field == AUDIT_OBJ_LEV_LOW) ? | 2495 | field == AUDIT_OBJ_LEV_LOW) ? |
2502 | &ctxt->range.level[0] : &ctxt->range.level[1]); | 2496 | &ctxt->range.level[0] : &ctxt->range.level[1]); |
2503 | switch (op) { | 2497 | switch (op) { |
2504 | case AUDIT_EQUAL: | 2498 | case AUDIT_EQUAL: |
2505 | match = mls_level_eq(&rule->au_ctxt.range.level[0], | 2499 | match = mls_level_eq(&rule->au_ctxt.range.level[0], |
2506 | level); | 2500 | level); |
2507 | break; | 2501 | break; |
2508 | case AUDIT_NOT_EQUAL: | 2502 | case AUDIT_NOT_EQUAL: |
2509 | match = !mls_level_eq(&rule->au_ctxt.range.level[0], | 2503 | match = !mls_level_eq(&rule->au_ctxt.range.level[0], |
2510 | level); | 2504 | level); |
2511 | break; | 2505 | break; |
2512 | case AUDIT_LESS_THAN: | 2506 | case AUDIT_LESS_THAN: |
2513 | match = (mls_level_dom(&rule->au_ctxt.range.level[0], | 2507 | match = (mls_level_dom(&rule->au_ctxt.range.level[0], |
2514 | level) && | 2508 | level) && |
2515 | !mls_level_eq(&rule->au_ctxt.range.level[0], | 2509 | !mls_level_eq(&rule->au_ctxt.range.level[0], |
2516 | level)); | 2510 | level)); |
2517 | break; | 2511 | break; |
2518 | case AUDIT_LESS_THAN_OR_EQUAL: | 2512 | case AUDIT_LESS_THAN_OR_EQUAL: |
2519 | match = mls_level_dom(&rule->au_ctxt.range.level[0], | 2513 | match = mls_level_dom(&rule->au_ctxt.range.level[0], |
2520 | level); | 2514 | level); |
2521 | break; | 2515 | break; |
2522 | case AUDIT_GREATER_THAN: | 2516 | case AUDIT_GREATER_THAN: |
2523 | match = (mls_level_dom(level, | 2517 | match = (mls_level_dom(level, |
2524 | &rule->au_ctxt.range.level[0]) && | 2518 | &rule->au_ctxt.range.level[0]) && |
2525 | !mls_level_eq(level, | 2519 | !mls_level_eq(level, |
2526 | &rule->au_ctxt.range.level[0])); | 2520 | &rule->au_ctxt.range.level[0])); |
2527 | break; | 2521 | break; |
2528 | case AUDIT_GREATER_THAN_OR_EQUAL: | 2522 | case AUDIT_GREATER_THAN_OR_EQUAL: |
2529 | match = mls_level_dom(level, | 2523 | match = mls_level_dom(level, |
2530 | &rule->au_ctxt.range.level[0]); | 2524 | &rule->au_ctxt.range.level[0]); |
2531 | break; | 2525 | break; |
2532 | } | 2526 | } |
2533 | } | 2527 | } |
@@ -2554,7 +2548,7 @@ static int __init aurule_init(void) | |||
2554 | int err; | 2548 | int err; |
2555 | 2549 | ||
2556 | err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, | 2550 | err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, |
2557 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); | 2551 | SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); |
2558 | if (err) | 2552 | if (err) |
2559 | panic("avc_add_callback() failed, error %d\n", err); | 2553 | panic("avc_add_callback() failed, error %d\n", err); |
2560 | 2554 | ||
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index 53a54a77f1f8..4a516ff4bcde 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c | |||
@@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s, | |||
156 | while (cur != NULL) { | 156 | while (cur != NULL) { |
157 | ret = apply(cur->sid, &cur->context, args); | 157 | ret = apply(cur->sid, &cur->context, args); |
158 | if (ret) { | 158 | if (ret) { |
159 | if (last) { | 159 | if (last) |
160 | last->next = cur->next; | 160 | last->next = cur->next; |
161 | } else { | 161 | else |
162 | s->htable[i] = cur->next; | 162 | s->htable[i] = cur->next; |
163 | } | ||
164 | |||
165 | temp = cur; | 163 | temp = cur; |
166 | cur = cur->next; | 164 | cur = cur->next; |
167 | context_destroy(&temp->context); | 165 | context_destroy(&temp->context); |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 874d17c83c61..8f17f542a116 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
@@ -45,7 +45,6 @@ | |||
45 | #include <net/xfrm.h> | 45 | #include <net/xfrm.h> |
46 | #include <net/checksum.h> | 46 | #include <net/checksum.h> |
47 | #include <net/udp.h> | 47 | #include <net/udp.h> |
48 | #include <asm/semaphore.h> | ||
49 | #include <asm/atomic.h> | 48 | #include <asm/atomic.h> |
50 | 49 | ||
51 | #include "avc.h" | 50 | #include "avc.h" |
@@ -181,8 +180,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) | |||
181 | 180 | ||
182 | if (!ckall) | 181 | if (!ckall) |
183 | break; | 182 | break; |
184 | } | 183 | } else if (*sid != ctx->ctx_sid) |
185 | else if (*sid != ctx->ctx_sid) | ||
186 | return -EINVAL; | 184 | return -EINVAL; |
187 | } | 185 | } |
188 | } | 186 | } |
@@ -327,8 +325,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, | |||
327 | */ | 325 | */ |
328 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) | 326 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) |
329 | { | 327 | { |
330 | if (ctx) | 328 | kfree(ctx); |
331 | kfree(ctx); | ||
332 | } | 329 | } |
333 | 330 | ||
334 | /* | 331 | /* |
@@ -373,8 +370,7 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct | |||
373 | void selinux_xfrm_state_free(struct xfrm_state *x) | 370 | void selinux_xfrm_state_free(struct xfrm_state *x) |
374 | { | 371 | { |
375 | struct xfrm_sec_ctx *ctx = x->security; | 372 | struct xfrm_sec_ctx *ctx = x->security; |
376 | if (ctx) | 373 | kfree(ctx); |
377 | kfree(ctx); | ||
378 | } | 374 | } |
379 | 375 | ||
380 | /* | 376 | /* |