diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 19 | ||||
-rw-r--r-- | security/selinux/include/security.h | 3 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 12 |
3 files changed, 19 insertions, 15 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c2fef7b12dc7..d39b59cf8a08 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -180,7 +180,7 @@ static int inode_alloc_security(struct inode *inode) | |||
180 | struct task_security_struct *tsec = current->security; | 180 | struct task_security_struct *tsec = current->security; |
181 | struct inode_security_struct *isec; | 181 | struct inode_security_struct *isec; |
182 | 182 | ||
183 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL); | 183 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); |
184 | if (!isec) | 184 | if (!isec) |
185 | return -ENOMEM; | 185 | return -ENOMEM; |
186 | 186 | ||
@@ -760,13 +760,13 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, | |||
760 | * this early in the boot process. */ | 760 | * this early in the boot process. */ |
761 | BUG_ON(!ss_initialized); | 761 | BUG_ON(!ss_initialized); |
762 | 762 | ||
763 | /* this might go away sometime down the line if there is a new user | ||
764 | * of clone, but for now, nfs better not get here... */ | ||
765 | BUG_ON(newsbsec->initialized); | ||
766 | |||
767 | /* how can we clone if the old one wasn't set up?? */ | 763 | /* how can we clone if the old one wasn't set up?? */ |
768 | BUG_ON(!oldsbsec->initialized); | 764 | BUG_ON(!oldsbsec->initialized); |
769 | 765 | ||
766 | /* if fs is reusing a sb, just let its options stand... */ | ||
767 | if (newsbsec->initialized) | ||
768 | return; | ||
769 | |||
770 | mutex_lock(&newsbsec->lock); | 770 | mutex_lock(&newsbsec->lock); |
771 | 771 | ||
772 | newsbsec->flags = oldsbsec->flags; | 772 | newsbsec->flags = oldsbsec->flags; |
@@ -1143,7 +1143,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1143 | } | 1143 | } |
1144 | 1144 | ||
1145 | len = INITCONTEXTLEN; | 1145 | len = INITCONTEXTLEN; |
1146 | context = kmalloc(len, GFP_KERNEL); | 1146 | context = kmalloc(len, GFP_NOFS); |
1147 | if (!context) { | 1147 | if (!context) { |
1148 | rc = -ENOMEM; | 1148 | rc = -ENOMEM; |
1149 | dput(dentry); | 1149 | dput(dentry); |
@@ -1161,7 +1161,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1161 | } | 1161 | } |
1162 | kfree(context); | 1162 | kfree(context); |
1163 | len = rc; | 1163 | len = rc; |
1164 | context = kmalloc(len, GFP_KERNEL); | 1164 | context = kmalloc(len, GFP_NOFS); |
1165 | if (!context) { | 1165 | if (!context) { |
1166 | rc = -ENOMEM; | 1166 | rc = -ENOMEM; |
1167 | dput(dentry); | 1167 | dput(dentry); |
@@ -1185,7 +1185,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1185 | rc = 0; | 1185 | rc = 0; |
1186 | } else { | 1186 | } else { |
1187 | rc = security_context_to_sid_default(context, rc, &sid, | 1187 | rc = security_context_to_sid_default(context, rc, &sid, |
1188 | sbsec->def_sid); | 1188 | sbsec->def_sid, |
1189 | GFP_NOFS); | ||
1189 | if (rc) { | 1190 | if (rc) { |
1190 | printk(KERN_WARNING "%s: context_to_sid(%s) " | 1191 | printk(KERN_WARNING "%s: context_to_sid(%s) " |
1191 | "returned %d for dev=%s ino=%ld\n", | 1192 | "returned %d for dev=%s ino=%ld\n", |
@@ -2429,7 +2430,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
2429 | return -EOPNOTSUPP; | 2430 | return -EOPNOTSUPP; |
2430 | 2431 | ||
2431 | if (name) { | 2432 | if (name) { |
2432 | namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); | 2433 | namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); |
2433 | if (!namep) | 2434 | if (!namep) |
2434 | return -ENOMEM; | 2435 | return -ENOMEM; |
2435 | *name = namep; | 2436 | *name = namep; |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index f7d2f03781f2..44e12ec88090 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -86,7 +86,8 @@ int security_sid_to_context(u32 sid, char **scontext, | |||
86 | int security_context_to_sid(char *scontext, u32 scontext_len, | 86 | int security_context_to_sid(char *scontext, u32 scontext_len, |
87 | u32 *out_sid); | 87 | u32 *out_sid); |
88 | 88 | ||
89 | int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid); | 89 | int security_context_to_sid_default(char *scontext, u32 scontext_len, |
90 | u32 *out_sid, u32 def_sid, gfp_t gfp_flags); | ||
90 | 91 | ||
91 | int security_get_user_sids(u32 callsid, char *username, | 92 | int security_get_user_sids(u32 callsid, char *username, |
92 | u32 **sids, u32 *nel); | 93 | u32 **sids, u32 *nel); |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 47295acd09c9..5fd54f2bbaac 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -680,7 +680,8 @@ out: | |||
680 | 680 | ||
681 | } | 681 | } |
682 | 682 | ||
683 | static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) | 683 | static int security_context_to_sid_core(char *scontext, u32 scontext_len, |
684 | u32 *sid, u32 def_sid, gfp_t gfp_flags) | ||
684 | { | 685 | { |
685 | char *scontext2; | 686 | char *scontext2; |
686 | struct context context; | 687 | struct context context; |
@@ -709,7 +710,7 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s | |||
709 | null suffix to the copy to avoid problems with the existing | 710 | null suffix to the copy to avoid problems with the existing |
710 | attr package, which doesn't view the null terminator as part | 711 | attr package, which doesn't view the null terminator as part |
711 | of the attribute value. */ | 712 | of the attribute value. */ |
712 | scontext2 = kmalloc(scontext_len+1,GFP_KERNEL); | 713 | scontext2 = kmalloc(scontext_len+1, gfp_flags); |
713 | if (!scontext2) { | 714 | if (!scontext2) { |
714 | rc = -ENOMEM; | 715 | rc = -ENOMEM; |
715 | goto out; | 716 | goto out; |
@@ -809,7 +810,7 @@ out: | |||
809 | int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) | 810 | int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) |
810 | { | 811 | { |
811 | return security_context_to_sid_core(scontext, scontext_len, | 812 | return security_context_to_sid_core(scontext, scontext_len, |
812 | sid, SECSID_NULL); | 813 | sid, SECSID_NULL, GFP_KERNEL); |
813 | } | 814 | } |
814 | 815 | ||
815 | /** | 816 | /** |
@@ -829,10 +830,11 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) | |||
829 | * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient | 830 | * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient |
830 | * memory is available, or 0 on success. | 831 | * memory is available, or 0 on success. |
831 | */ | 832 | */ |
832 | int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) | 833 | int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, |
834 | u32 def_sid, gfp_t gfp_flags) | ||
833 | { | 835 | { |
834 | return security_context_to_sid_core(scontext, scontext_len, | 836 | return security_context_to_sid_core(scontext, scontext_len, |
835 | sid, def_sid); | 837 | sid, def_sid, gfp_flags); |
836 | } | 838 | } |
837 | 839 | ||
838 | static int compute_sid_handle_invalid_context( | 840 | static int compute_sid_handle_invalid_context( |