aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/services.c91
1 files changed, 0 insertions, 91 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index bfe122764c98..33ae1020091e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1018,89 +1018,6 @@ int security_change_sid(u32 ssid,
1018 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1018 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
1019} 1019}
1020 1020
1021/*
1022 * Verify that each permission that is defined under the
1023 * existing policy is still defined with the same value
1024 * in the new policy.
1025 */
1026static int validate_perm(void *key, void *datum, void *p)
1027{
1028 struct hashtab *h;
1029 struct perm_datum *perdatum, *perdatum2;
1030 int rc = 0;
1031
1032
1033 h = p;
1034 perdatum = datum;
1035
1036 perdatum2 = hashtab_search(h, key);
1037 if (!perdatum2) {
1038 printk(KERN_ERR "security: permission %s disappeared",
1039 (char *)key);
1040 rc = -ENOENT;
1041 goto out;
1042 }
1043 if (perdatum->value != perdatum2->value) {
1044 printk(KERN_ERR "security: the value of permission %s changed",
1045 (char *)key);
1046 rc = -EINVAL;
1047 }
1048out:
1049 return rc;
1050}
1051
1052/*
1053 * Verify that each class that is defined under the
1054 * existing policy is still defined with the same
1055 * attributes in the new policy.
1056 */
1057static int validate_class(void *key, void *datum, void *p)
1058{
1059 struct policydb *newp;
1060 struct class_datum *cladatum, *cladatum2;
1061 int rc;
1062
1063 newp = p;
1064 cladatum = datum;
1065
1066 cladatum2 = hashtab_search(newp->p_classes.table, key);
1067 if (!cladatum2) {
1068 printk(KERN_ERR "security: class %s disappeared\n",
1069 (char *)key);
1070 rc = -ENOENT;
1071 goto out;
1072 }
1073 if (cladatum->value != cladatum2->value) {
1074 printk(KERN_ERR "security: the value of class %s changed\n",
1075 (char *)key);
1076 rc = -EINVAL;
1077 goto out;
1078 }
1079 if ((cladatum->comdatum && !cladatum2->comdatum) ||
1080 (!cladatum->comdatum && cladatum2->comdatum)) {
1081 printk(KERN_ERR "security: the inherits clause for the access "
1082 "vector definition for class %s changed\n", (char *)key);
1083 rc = -EINVAL;
1084 goto out;
1085 }
1086 if (cladatum->comdatum) {
1087 rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm,
1088 cladatum2->comdatum->permissions.table);
1089 if (rc) {
1090 printk(" in the access vector definition for class "
1091 "%s\n", (char *)key);
1092 goto out;
1093 }
1094 }
1095 rc = hashtab_map(cladatum->permissions.table, validate_perm,
1096 cladatum2->permissions.table);
1097 if (rc)
1098 printk(" in access vector definition for class %s\n",
1099 (char *)key);
1100out:
1101 return rc;
1102}
1103
1104/* Clone the SID into the new SID table. */ 1021/* Clone the SID into the new SID table. */
1105static int clone_sid(u32 sid, 1022static int clone_sid(u32 sid,
1106 struct context *context, 1023 struct context *context,
@@ -1265,14 +1182,6 @@ int security_load_policy(void *data, size_t len)
1265 1182
1266 sidtab_init(&newsidtab); 1183 sidtab_init(&newsidtab);
1267 1184
1268 /* Verify that the existing classes did not change. */
1269 if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) {
1270 printk(KERN_ERR "security: the definition of an existing "
1271 "class changed\n");
1272 rc = -EINVAL;
1273 goto err;
1274 }
1275
1276 /* Clone the SID table. */ 1185 /* Clone the SID table. */
1277 sidtab_shutdown(&sidtab); 1186 sidtab_shutdown(&sidtab);
1278 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { 1187 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {