diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/dummy.c | 10 | ||||
| -rw-r--r-- | security/security.c | 20 | ||||
| -rw-r--r-- | security/selinux/avc.c | 9 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 23 | ||||
| -rw-r--r-- | security/selinux/netif.c | 2 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 4 |
6 files changed, 44 insertions, 24 deletions
diff --git a/security/dummy.c b/security/dummy.c index 98d5f969cdc8..b0232bbf427b 100644 --- a/security/dummy.c +++ b/security/dummy.c | |||
| @@ -196,13 +196,13 @@ static int dummy_sb_statfs (struct dentry *dentry) | |||
| 196 | return 0; | 196 | return 0; |
| 197 | } | 197 | } |
| 198 | 198 | ||
| 199 | static int dummy_sb_mount (char *dev_name, struct nameidata *nd, char *type, | 199 | static int dummy_sb_mount (char *dev_name, struct path *path, char *type, |
| 200 | unsigned long flags, void *data) | 200 | unsigned long flags, void *data) |
| 201 | { | 201 | { |
| 202 | return 0; | 202 | return 0; |
| 203 | } | 203 | } |
| 204 | 204 | ||
| 205 | static int dummy_sb_check_sb (struct vfsmount *mnt, struct nameidata *nd) | 205 | static int dummy_sb_check_sb (struct vfsmount *mnt, struct path *path) |
| 206 | { | 206 | { |
| 207 | return 0; | 207 | return 0; |
| 208 | } | 208 | } |
| @@ -229,17 +229,17 @@ static void dummy_sb_post_remount (struct vfsmount *mnt, unsigned long flags, | |||
| 229 | } | 229 | } |
| 230 | 230 | ||
| 231 | 231 | ||
| 232 | static void dummy_sb_post_addmount (struct vfsmount *mnt, struct nameidata *nd) | 232 | static void dummy_sb_post_addmount (struct vfsmount *mnt, struct path *path) |
| 233 | { | 233 | { |
| 234 | return; | 234 | return; |
| 235 | } | 235 | } |
| 236 | 236 | ||
| 237 | static int dummy_sb_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) | 237 | static int dummy_sb_pivotroot (struct path *old_path, struct path *new_path) |
| 238 | { | 238 | { |
| 239 | return 0; | 239 | return 0; |
| 240 | } | 240 | } |
| 241 | 241 | ||
| 242 | static void dummy_sb_post_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) | 242 | static void dummy_sb_post_pivotroot (struct path *old_path, struct path *new_path) |
| 243 | { | 243 | { |
| 244 | return; | 244 | return; |
| 245 | } | 245 | } |
diff --git a/security/security.c b/security/security.c index 2e250c7028eb..8a285c7b9962 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -296,15 +296,15 @@ int security_sb_statfs(struct dentry *dentry) | |||
| 296 | return security_ops->sb_statfs(dentry); | 296 | return security_ops->sb_statfs(dentry); |
| 297 | } | 297 | } |
| 298 | 298 | ||
| 299 | int security_sb_mount(char *dev_name, struct nameidata *nd, | 299 | int security_sb_mount(char *dev_name, struct path *path, |
| 300 | char *type, unsigned long flags, void *data) | 300 | char *type, unsigned long flags, void *data) |
| 301 | { | 301 | { |
| 302 | return security_ops->sb_mount(dev_name, nd, type, flags, data); | 302 | return security_ops->sb_mount(dev_name, path, type, flags, data); |
| 303 | } | 303 | } |
| 304 | 304 | ||
| 305 | int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd) | 305 | int security_sb_check_sb(struct vfsmount *mnt, struct path *path) |
| 306 | { | 306 | { |
| 307 | return security_ops->sb_check_sb(mnt, nd); | 307 | return security_ops->sb_check_sb(mnt, path); |
| 308 | } | 308 | } |
| 309 | 309 | ||
| 310 | int security_sb_umount(struct vfsmount *mnt, int flags) | 310 | int security_sb_umount(struct vfsmount *mnt, int flags) |
| @@ -327,19 +327,19 @@ void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *d | |||
| 327 | security_ops->sb_post_remount(mnt, flags, data); | 327 | security_ops->sb_post_remount(mnt, flags, data); |
| 328 | } | 328 | } |
| 329 | 329 | ||
| 330 | void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd) | 330 | void security_sb_post_addmount(struct vfsmount *mnt, struct path *mountpoint) |
| 331 | { | 331 | { |
| 332 | security_ops->sb_post_addmount(mnt, mountpoint_nd); | 332 | security_ops->sb_post_addmount(mnt, mountpoint); |
| 333 | } | 333 | } |
| 334 | 334 | ||
| 335 | int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) | 335 | int security_sb_pivotroot(struct path *old_path, struct path *new_path) |
| 336 | { | 336 | { |
| 337 | return security_ops->sb_pivotroot(old_nd, new_nd); | 337 | return security_ops->sb_pivotroot(old_path, new_path); |
| 338 | } | 338 | } |
| 339 | 339 | ||
| 340 | void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) | 340 | void security_sb_post_pivotroot(struct path *old_path, struct path *new_path) |
| 341 | { | 341 | { |
| 342 | security_ops->sb_post_pivotroot(old_nd, new_nd); | 342 | security_ops->sb_post_pivotroot(old_path, new_path); |
| 343 | } | 343 | } |
| 344 | 344 | ||
| 345 | int security_sb_get_mnt_opts(const struct super_block *sb, | 345 | int security_sb_get_mnt_opts(const struct super_block *sb, |
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 1d69f6649bff..95a8ef4a5073 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -312,6 +312,7 @@ static inline int avc_reclaim_node(void) | |||
| 312 | if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) | 312 | if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) |
| 313 | continue; | 313 | continue; |
| 314 | 314 | ||
| 315 | rcu_read_lock(); | ||
| 315 | list_for_each_entry(node, &avc_cache.slots[hvalue], list) { | 316 | list_for_each_entry(node, &avc_cache.slots[hvalue], list) { |
| 316 | if (atomic_dec_and_test(&node->ae.used)) { | 317 | if (atomic_dec_and_test(&node->ae.used)) { |
| 317 | /* Recently Unused */ | 318 | /* Recently Unused */ |
| @@ -319,11 +320,13 @@ static inline int avc_reclaim_node(void) | |||
| 319 | avc_cache_stats_incr(reclaims); | 320 | avc_cache_stats_incr(reclaims); |
| 320 | ecx++; | 321 | ecx++; |
| 321 | if (ecx >= AVC_CACHE_RECLAIM) { | 322 | if (ecx >= AVC_CACHE_RECLAIM) { |
| 323 | rcu_read_unlock(); | ||
| 322 | spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); | 324 | spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); |
| 323 | goto out; | 325 | goto out; |
| 324 | } | 326 | } |
| 325 | } | 327 | } |
| 326 | } | 328 | } |
| 329 | rcu_read_unlock(); | ||
| 327 | spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); | 330 | spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); |
| 328 | } | 331 | } |
| 329 | out: | 332 | out: |
| @@ -821,8 +824,14 @@ int avc_ss_reset(u32 seqno) | |||
| 821 | 824 | ||
| 822 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | 825 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { |
| 823 | spin_lock_irqsave(&avc_cache.slots_lock[i], flag); | 826 | spin_lock_irqsave(&avc_cache.slots_lock[i], flag); |
| 827 | /* | ||
| 828 | * With preemptable RCU, the outer spinlock does not | ||
| 829 | * prevent RCU grace periods from ending. | ||
| 830 | */ | ||
| 831 | rcu_read_lock(); | ||
| 824 | list_for_each_entry(node, &avc_cache.slots[i], list) | 832 | list_for_each_entry(node, &avc_cache.slots[i], list) |
| 825 | avc_node_delete(node); | 833 | avc_node_delete(node); |
| 834 | rcu_read_unlock(); | ||
| 826 | spin_unlock_irqrestore(&avc_cache.slots_lock[i], flag); | 835 | spin_unlock_irqrestore(&avc_cache.slots_lock[i], flag); |
| 827 | } | 836 | } |
| 828 | 837 | ||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1bf2543ea942..308e2cf17d75 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -755,9 +755,18 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, | |||
| 755 | int set_context = (oldsbsec->flags & CONTEXT_MNT); | 755 | int set_context = (oldsbsec->flags & CONTEXT_MNT); |
| 756 | int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); | 756 | int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); |
| 757 | 757 | ||
| 758 | /* we can't error, we can't save the info, this shouldn't get called | 758 | /* |
| 759 | * this early in the boot process. */ | 759 | * if the parent was able to be mounted it clearly had no special lsm |
| 760 | BUG_ON(!ss_initialized); | 760 | * mount options. thus we can safely put this sb on the list and deal |
| 761 | * with it later | ||
| 762 | */ | ||
| 763 | if (!ss_initialized) { | ||
| 764 | spin_lock(&sb_security_lock); | ||
| 765 | if (list_empty(&newsbsec->list)) | ||
| 766 | list_add(&newsbsec->list, &superblock_security_head); | ||
| 767 | spin_unlock(&sb_security_lock); | ||
| 768 | return; | ||
| 769 | } | ||
| 761 | 770 | ||
| 762 | /* how can we clone if the old one wasn't set up?? */ | 771 | /* how can we clone if the old one wasn't set up?? */ |
| 763 | BUG_ON(!oldsbsec->initialized); | 772 | BUG_ON(!oldsbsec->initialized); |
| @@ -2392,22 +2401,22 @@ static int selinux_sb_statfs(struct dentry *dentry) | |||
| 2392 | } | 2401 | } |
| 2393 | 2402 | ||
| 2394 | static int selinux_mount(char *dev_name, | 2403 | static int selinux_mount(char *dev_name, |
| 2395 | struct nameidata *nd, | 2404 | struct path *path, |
| 2396 | char *type, | 2405 | char *type, |
| 2397 | unsigned long flags, | 2406 | unsigned long flags, |
| 2398 | void *data) | 2407 | void *data) |
| 2399 | { | 2408 | { |
| 2400 | int rc; | 2409 | int rc; |
| 2401 | 2410 | ||
| 2402 | rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); | 2411 | rc = secondary_ops->sb_mount(dev_name, path, type, flags, data); |
| 2403 | if (rc) | 2412 | if (rc) |
| 2404 | return rc; | 2413 | return rc; |
| 2405 | 2414 | ||
| 2406 | if (flags & MS_REMOUNT) | 2415 | if (flags & MS_REMOUNT) |
| 2407 | return superblock_has_perm(current, nd->path.mnt->mnt_sb, | 2416 | return superblock_has_perm(current, path->mnt->mnt_sb, |
| 2408 | FILESYSTEM__REMOUNT, NULL); | 2417 | FILESYSTEM__REMOUNT, NULL); |
| 2409 | else | 2418 | else |
| 2410 | return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, | 2419 | return dentry_has_perm(current, path->mnt, path->dentry, |
| 2411 | FILE__MOUNTON); | 2420 | FILE__MOUNTON); |
| 2412 | } | 2421 | } |
| 2413 | 2422 | ||
diff --git a/security/selinux/netif.c b/security/selinux/netif.c index c658b84c3196..b4e14bc0bf32 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c | |||
| @@ -239,11 +239,13 @@ static void sel_netif_kill(int ifindex) | |||
| 239 | { | 239 | { |
| 240 | struct sel_netif *netif; | 240 | struct sel_netif *netif; |
| 241 | 241 | ||
| 242 | rcu_read_lock(); | ||
| 242 | spin_lock_bh(&sel_netif_lock); | 243 | spin_lock_bh(&sel_netif_lock); |
| 243 | netif = sel_netif_find(ifindex); | 244 | netif = sel_netif_find(ifindex); |
| 244 | if (netif) | 245 | if (netif) |
| 245 | sel_netif_destroy(netif); | 246 | sel_netif_destroy(netif); |
| 246 | spin_unlock_bh(&sel_netif_lock); | 247 | spin_unlock_bh(&sel_netif_lock); |
| 248 | rcu_read_unlock(); | ||
| 247 | } | 249 | } |
| 248 | 250 | ||
| 249 | /** | 251 | /** |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 93f5b0ce662a..4215971434e6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -315,10 +315,10 @@ static int smack_sb_statfs(struct dentry *dentry) | |||
| 315 | * Returns 0 if current can write the floor of the filesystem | 315 | * Returns 0 if current can write the floor of the filesystem |
| 316 | * being mounted on, an error code otherwise. | 316 | * being mounted on, an error code otherwise. |
| 317 | */ | 317 | */ |
| 318 | static int smack_sb_mount(char *dev_name, struct nameidata *nd, | 318 | static int smack_sb_mount(char *dev_name, struct path *path, |
| 319 | char *type, unsigned long flags, void *data) | 319 | char *type, unsigned long flags, void *data) |
| 320 | { | 320 | { |
| 321 | struct superblock_smack *sbp = nd->path.mnt->mnt_sb->s_security; | 321 | struct superblock_smack *sbp = path->mnt->mnt_sb->s_security; |
| 322 | 322 | ||
| 323 | return smk_curacc(sbp->smk_floor, MAY_WRITE); | 323 | return smk_curacc(sbp->smk_floor, MAY_WRITE); |
| 324 | } | 324 | } |