Skip to content

L
linux
Commit 19b5b517 authored by Linus Torvalds's avatar Linus Torvalds
Browse files
Options

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6 

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
  SELinux: one little, two little, three little whitespaces, the avc.c saga.
  SELinux: cleanup on isle selinuxfs.c
  changing whitespace for fun and profit: policydb.c
  SELinux: whitespace and formating fixes for hooks.c
  SELinux: clean up printks
  SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: services.c whitespace, syntax, and static declaraction cleanups
  SELinux: mls.c whitespace, syntax, and static declaraction cleanups
  SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups
  SELinux: conditional.c whitespace, syntax, and static declaraction cleanups
  SELinux: avtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups
  SELinux: nlmsgtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: netnode.c whitespace, syntax, and static declaraction cleanups
  SELinux: netlink.c whitespace, syntax, and static declaraction cleanups
  SELinux: netlabel.c whitespace, syntax, and static declaraction cleanups
  SELinux: netif.c whitespace, syntax, and static declaraction cleanups
parents bda0c0af 95fff33b
Hide whitespace changes
Inline Side-by-side
Showing with 609 additions and 634 deletions
security/selinux/avc.c
View file @ 19b5b517
...@@ -2,16 +2,16 @@ ...@@ -2,16 +2,16 @@
* Implementation of the kernel access vector cache (AVC). * Implementation of the kernel access vector cache (AVC).
* *
* Authors: Stephen Smalley, <sds@epoch.ncsc.mil> * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
* James Morris <jmorris@redhat.com> * James Morris <jmorris@redhat.com>
* *
* Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com>
* Replaced the avc_lock spinlock by RCU. * Replaced the avc_lock spinlock by RCU.
* *
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2, * it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation. * as published by the Free Software Foundation.
*/ */
#include <linux/types.h> #include <linux/types.h>
#include <linux/stddef.h> #include <linux/stddef.h>
...@@ -44,7 +44,7 @@ static const char *class_to_string[] = { ...@@ -44,7 +44,7 @@ static const char *class_to_string[] = {
#undef S_ #undef S_
}; };
#define TB_(s) static const char * s [] = { #define TB_(s) static const char *s[] = {
#define TE_(s) }; #define TE_(s) };
#define S_(s) s, #define S_(s) s,
#include "common_perm_to_string.h" #include "common_perm_to_string.h"
...@@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = { ...@@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = {
#define AVC_CACHE_RECLAIM 16 #define AVC_CACHE_RECLAIM 16
#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
#define avc_cache_stats_incr(field) \ #define avc_cache_stats_incr(field) \
do { \ do { \
per_cpu(avc_cache_stats, get_cpu()).field++; \ per_cpu(avc_cache_stats, get_cpu()).field++; \
put_cpu(); \ put_cpu(); \
...@@ -92,7 +92,7 @@ struct avc_entry { ...@@ -92,7 +92,7 @@ struct avc_entry {
struct avc_node { struct avc_node {
struct avc_entry ae; struct avc_entry ae;
struct list_head list; struct list_head list;
struct rcu_head rhead; struct rcu_head rhead;
}; };
struct avc_cache { struct avc_cache {
...@@ -105,8 +105,8 @@ struct avc_cache { ...@@ -105,8 +105,8 @@ struct avc_cache {
struct avc_callback_node { struct avc_callback_node {
int (*callback) (u32 event, u32 ssid, u32 tsid, int (*callback) (u32 event, u32 ssid, u32 tsid,
u16 tclass, u32 perms, u16 tclass, u32 perms,
u32 *out_retained); u32 *out_retained);
u32 events; u32 events;
u32 ssid; u32 ssid;
u32 tsid; u32 tsid;
...@@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla ...@@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
char *scontext; char *scontext;
u32 scontext_len; u32 scontext_len;
rc = security_sid_to_context(ssid, &scontext, &scontext_len); rc = security_sid_to_context(ssid, &scontext, &scontext_len);
if (rc) if (rc)
audit_log_format(ab, "ssid=%d", ssid); audit_log_format(ab, "ssid=%d", ssid);
else { else {
...@@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void) ...@@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void)
int hvalue, try, ecx; int hvalue, try, ecx;
unsigned long flags; unsigned long flags;
for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++ ) { for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags))
...@@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert) ...@@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
spin_lock_irqsave(&notif_lock, flag); spin_lock_irqsave(&notif_lock, flag);
if (is_insert) { if (is_insert) {
if (seqno < avc_cache.latest_notif) { if (seqno < avc_cache.latest_notif) {
printk(KERN_WARNING "avc: seqno %d < latest_notif %d\n", printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n",
seqno, avc_cache.latest_notif); seqno, avc_cache.latest_notif);
ret = -EAGAIN; ret = -EAGAIN;
} }
...@@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en ...@@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en
if (pos->ae.ssid == ssid && if (pos->ae.ssid == ssid &&
pos->ae.tsid == tsid && pos->ae.tsid == tsid &&
pos->ae.tclass == tclass) { pos->ae.tclass == tclass) {
avc_node_replace(node, pos); avc_node_replace(node, pos);
goto found; goto found;
} }
} }
...@@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr, ...@@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
* before calling the auditing code. * before calling the auditing code.
*/ */
void avc_audit(u32 ssid, u32 tsid, void avc_audit(u32 ssid, u32 tsid,
u16 tclass, u32 requested, u16 tclass, u32 requested,
struct av_decision *avd, int result, struct avc_audit_data *a) struct av_decision *avd, int result, struct avc_audit_data *a)
{ {
struct task_struct *tsk = current; struct task_struct *tsk = current;
struct inode *inode = NULL; struct inode *inode = NULL;
...@@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid, ...@@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid,
return; return;
} else if (result) { } else if (result) {
audited = denied = requested; audited = denied = requested;
} else { } else {
audited = requested; audited = requested;
if (!(audited & avd->auditallow)) if (!(audited & avd->auditallow))
return; return;
...@@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid, ...@@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid,
if (!ab) if (!ab)
return; /* audit_panic has been called */ return; /* audit_panic has been called */
audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
avc_dump_av(ab, tclass,audited); avc_dump_av(ab, tclass, audited);
audit_log_format(ab, " for "); audit_log_format(ab, " for ");
if (a && a->tsk) if (a && a->tsk)
tsk = a->tsk; tsk = a->tsk;
...@@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid, ...@@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid,
break; break;
} }
} }
switch (a->u.net.family) { switch (a->u.net.family) {
case AF_INET: case AF_INET:
avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
...@@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid, ...@@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid,
* -%ENOMEM if insufficient memory exists to add the callback. * -%ENOMEM if insufficient memory exists to add the callback.
*/ */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
u16 tclass, u32 perms, u16 tclass, u32 perms,
u32 *out_retained), u32 *out_retained),
u32 events, u32 ssid, u32 tsid, u32 events, u32 ssid, u32 tsid,
u16 tclass, u32 perms) u16 tclass, u32 perms)
{ {
struct avc_callback_node *c; struct avc_callback_node *c;
int rc = 0; int rc = 0;
...@@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass) ...@@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass)
hvalue = avc_hash(ssid, tsid, tclass); hvalue = avc_hash(ssid, tsid, tclass);
spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag);
list_for_each_entry(pos, &avc_cache.slots[hvalue], list){ list_for_each_entry(pos, &avc_cache.slots[hvalue], list) {
if ( ssid==pos->ae.ssid && if (ssid == pos->ae.ssid &&
tsid==pos->ae.tsid && tsid == pos->ae.tsid &&
tclass==pos->ae.tclass ){ tclass == pos->ae.tclass){
orig = pos; orig = pos;
break; break;
} }
...@@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno) ...@@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno)
for (c = avc_callbacks; c; c = c->next) { for (c = avc_callbacks; c; c = c->next) {
if (c->events & AVC_CALLBACK_RESET) { if (c->events & AVC_CALLBACK_RESET) {
tmprc = c->callback(AVC_CALLBACK_RESET, tmprc = c->callback(AVC_CALLBACK_RESET,
0, 0, 0, 0, NULL); 0, 0, 0, 0, NULL);
/* save the first error encountered for the return /* save the first error encountered for the return
value and continue processing the callbacks */ value and continue processing the callbacks */
if (!rc) if (!rc)
...@@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, ...@@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
node = avc_lookup(ssid, tsid, tclass, requested); node = avc_lookup(ssid, tsid, tclass, requested);
if (!node) { if (!node) {
rcu_read_unlock(); rcu_read_unlock();
rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd); rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd);
if (rc) if (rc)
goto out; goto out;
rcu_read_lock(); rcu_read_lock();
node = avc_insert(ssid,tsid,tclass,&entry); node = avc_insert(ssid, tsid, tclass, &entry);
} }
p_ae = node ? &node->ae : &entry; p_ae = node ? &node->ae : &entry;
...@@ -924,7 +924,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, ...@@ -924,7 +924,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
* another -errno upon other errors. * another -errno upon other errors.
*/ */
int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
u32 requested, struct avc_audit_data *auditdata) u32 requested, struct avc_audit_data *auditdata)
{ {
struct av_decision avd; struct av_decision avd;
int rc; int rc;
......
security/selinux/hooks.c
View file @ 19b5b517
...@@ -4,22 +4,22 @@ ...@@ -4,22 +4,22 @@
* This file contains the SELinux hook function implementations. * This file contains the SELinux hook function implementations.
* *
* Authors: Stephen Smalley, <sds@epoch.ncsc.mil> * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
* Chris Vance, <cvance@nai.com> * Chris Vance, <cvance@nai.com>
* Wayne Salamon, <wsalamon@nai.com> * Wayne Salamon, <wsalamon@nai.com>
* James Morris <jmorris@redhat.com> * James Morris <jmorris@redhat.com>
* *
* Copyright (C) 2001,2002 Networks Associates Technology, Inc. * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* <dgoeddel@trustedcs.com> * <dgoeddel@trustedcs.com>
* Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
* Paul Moore <paul.moore@hp.com> * Paul Moore <paul.moore@hp.com>
* Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
* Yuichi Nakamura <ynakam@hitachisoft.jp> * Yuichi Nakamura <ynakam@hitachisoft.jp>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2, * it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation. * as published by the Free Software Foundation.
*/ */
#include <linux/init.h> #include <linux/init.h>
...@@ -99,11 +99,11 @@ extern struct security_operations *security_ops; ...@@ -99,11 +99,11 @@ extern struct security_operations *security_ops;
atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
int selinux_enforcing = 0; int selinux_enforcing;
static int __init enforcing_setup(char *str) static int __init enforcing_setup(char *str)
{ {
selinux_enforcing = simple_strtol(str,NULL,0); selinux_enforcing = simple_strtol(str, NULL, 0);
return 1; return 1;
} }
__setup("enforcing=", enforcing_setup); __setup("enforcing=", enforcing_setup);
...@@ -123,13 +123,13 @@ int selinux_enabled = 1; ...@@ -123,13 +123,13 @@ int selinux_enabled = 1;
#endif #endif
/* Original (dummy) security module. */ /* Original (dummy) security module. */
static struct security_operations *original_ops = NULL; static struct security_operations *original_ops;
/* Minimal support for a secondary security module, /* Minimal support for a secondary security module,
just to allow the use of the dummy or capability modules. just to allow the use of the dummy or capability modules.
The owlsm module can alternatively be used as a secondary The owlsm module can alternatively be used as a secondary
module as long as CONFIG_OWLSM_FD is not enabled. */ module as long as CONFIG_OWLSM_FD is not enabled. */
static struct security_operations *secondary_ops = NULL; static struct security_operations *secondary_ops;
/* Lists of inode and superblock security structures initialized /* Lists of inode and superblock security structures initialized
before the policy was loaded. */ before the policy was loaded. */
...@@ -575,8 +575,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, ...@@ -575,8 +575,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
goto out; goto out;
} }
rc = -EINVAL; rc = -EINVAL;
printk(KERN_WARNING "Unable to set superblock options before " printk(KERN_WARNING "SELinux: Unable to set superblock options "
"the security server is initialized\n"); "before the security server is initialized\n");
goto out; goto out;
} }
...@@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de, ...@@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de,
int buflen, rc; int buflen, rc;
char *buffer, *path, *end; char *buffer, *path, *end;
buffer = (char*)__get_free_page(GFP_KERNEL); buffer = (char *)__get_free_page(GFP_KERNEL);
if (!buffer) if (!buffer)
return -ENOMEM; return -ENOMEM;
...@@ -1135,7 +1135,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent ...@@ -1135,7 +1135,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
dentry = d_find_alias(inode); dentry = d_find_alias(inode);
} }
if (!dentry) { if (!dentry) {
printk(KERN_WARNING "%s: no dentry for dev=%s " printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
"ino=%ld\n", __func__, inode->i_sb->s_id, "ino=%ld\n", __func__, inode->i_sb->s_id,
inode->i_ino); inode->i_ino);
goto out_unlock; goto out_unlock;
...@@ -1173,7 +1173,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent ...@@ -1173,7 +1173,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
dput(dentry); dput(dentry);
if (rc < 0) { if (rc < 0) {
if (rc != -ENODATA) { if (rc != -ENODATA) {
printk(KERN_WARNING "%s: getxattr returned " printk(KERN_WARNING "SELinux: %s: getxattr returned "
"%d for dev=%s ino=%ld\n", __func__, "%d for dev=%s ino=%ld\n", __func__,
-rc, inode->i_sb->s_id, inode->i_ino); -rc, inode->i_sb->s_id, inode->i_ino);
kfree(context); kfree(context);
...@@ -1187,7 +1187,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent ...@@ -1187,7 +1187,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
sbsec->def_sid, sbsec->def_sid,
GFP_NOFS); GFP_NOFS);
if (rc) { if (rc) {
printk(KERN_WARNING "%s: context_to_sid(%s) " printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
"returned %d for dev=%s ino=%ld\n", "returned %d for dev=%s ino=%ld\n",
__func__, context, -rc, __func__, context, -rc,
inode->i_sb->s_id, inode->i_ino); inode->i_sb->s_id, inode->i_ino);
...@@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk, ...@@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk,
tsec = tsk->security; tsec = tsk->security;
AVC_AUDIT_DATA_INIT(&ad,CAP); AVC_AUDIT_DATA_INIT(&ad, CAP);
ad.tsk = tsk; ad.tsk = tsk;
ad.u.cap = cap; ad.u.cap = cap;
...@@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk, ...@@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk,
struct inode_security_struct *isec; struct inode_security_struct *isec;
struct avc_audit_data ad; struct avc_audit_data ad;
if (unlikely (IS_PRIVATE (inode))) if (unlikely(IS_PRIVATE(inode)))
return 0; return 0;
tsec = tsk->security; tsec = tsk->security;
...@@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk, ...@@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk,
{ {
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
struct avc_audit_data ad; struct avc_audit_data ad;
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.mnt = mnt; ad.u.fs.path.mnt = mnt;
ad.u.fs.path.dentry = dentry; ad.u.fs.path.dentry = dentry;
return inode_has_perm(tsk, inode, av, &ad); return inode_has_perm(tsk, inode, av, &ad);
...@@ -1470,9 +1470,9 @@ static int may_create_key(u32 ksid, ...@@ -1470,9 +1470,9 @@ static int may_create_key(u32 ksid,
return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
} }
#define MAY_LINK 0 #define MAY_LINK 0
#define MAY_UNLINK 1 #define MAY_UNLINK 1
#define MAY_RMDIR 2 #define MAY_RMDIR 2
/* Check whether a task can link, unlink, or rmdir a file/directory. */ /* Check whether a task can link, unlink, or rmdir a file/directory. */
static int may_link(struct inode *dir, static int may_link(struct inode *dir,
...@@ -1510,7 +1510,8 @@ static int may_link(struct inode *dir, ...@@ -1510,7 +1510,8 @@ static int may_link(struct inode *dir,
av = DIR__RMDIR; av = DIR__RMDIR;
break; break;
default: default:
printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
__func__, kind);
return 0; return 0;
} }
...@@ -1640,8 +1641,8 @@ static inline u32 open_file_mask_to_av(int mode, int mask) ...@@ -1640,8 +1641,8 @@ static inline u32 open_file_mask_to_av(int mode, int mask)
else if (S_ISDIR(mode)) else if (S_ISDIR(mode))
av |= DIR__OPEN; av |= DIR__OPEN;
else else
printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av " printk(KERN_ERR "SELinux: WARNING: inside %s with "
"with unknown mode:%x\n", mode); "unknown mode:%x\n", __func__, mode);
} }
return av; return av;
} }
...@@ -1675,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) ...@@ -1675,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
{ {
int rc; int rc;
rc = secondary_ops->ptrace(parent,child); rc = secondary_ops->ptrace(parent, child);
if (rc) if (rc)
return rc; return rc;
...@@ -1683,7 +1684,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) ...@@ -1683,7 +1684,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
} }
static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted) kernel_cap_t *inheritable, kernel_cap_t *permitted)
{ {
int error; int error;
...@@ -1695,7 +1696,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, ...@@ -1695,7 +1696,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
} }
static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted) kernel_cap_t *inheritable, kernel_cap_t *permitted)
{ {
int error; int error;
...@@ -1707,7 +1708,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect ...@@ -1707,7 +1708,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect
} }
static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted) kernel_cap_t *inheritable, kernel_cap_t *permitted)
{ {
secondary_ops->capset_set(target, effective, inheritable, permitted); secondary_ops->capset_set(target, effective, inheritable, permitted);
} }
...@@ -1720,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap) ...@@ -1720,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap)
if (rc) if (rc)
return rc; return rc;
return task_has_capability(tsk,cap); return task_has_capability(tsk, cap);
} }
static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
...@@ -1729,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) ...@@ -1729,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
char *buffer, *path, *end; char *buffer, *path, *end;
rc = -ENOMEM; rc = -ENOMEM;
buffer = (char*)__get_free_page(GFP_KERNEL); buffer = (char *)__get_free_page(GFP_KERNEL);
if (!buffer) if (!buffer)
goto out; goto out;
...@@ -1787,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op) ...@@ -1787,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op)
/* The op values are "defined" in sysctl.c, thereby creating /* The op values are "defined" in sysctl.c, thereby creating
* a bad coupling between this module and sysctl.c */ * a bad coupling between this module and sysctl.c */
if(op == 001) { if (op == 001) {
error = avc_has_perm(tsec->sid, tsid, error = avc_has_perm(tsec->sid, tsid,
SECCLASS_DIR, DIR__SEARCH, NULL); SECCLASS_DIR, DIR__SEARCH, NULL);
} else { } else {
...@@ -1799,7 +1800,7 @@ static int selinux_sysctl(ctl_table *table, int op) ...@@ -1799,7 +1800,7 @@ static int selinux_sysctl(ctl_table *table, int op)
if (av) if (av)
error = avc_has_perm(tsec->sid, tsid, error = avc_has_perm(tsec->sid, tsid,
SECCLASS_FILE, av, NULL); SECCLASS_FILE, av, NULL);
} }
return error; return error;
} }
...@@ -1812,25 +1813,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) ...@@ -1812,25 +1813,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
return 0; return 0;
switch (cmds) { switch (cmds) {
case Q_SYNC: case Q_SYNC:
case Q_QUOTAON: case Q_QUOTAON:
case Q_QUOTAOFF: case Q_QUOTAOFF:
case Q_SETINFO: case Q_SETINFO:
case Q_SETQUOTA: case Q_SETQUOTA:
rc = superblock_has_perm(current, rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
sb, NULL);
FILESYSTEM__QUOTAMOD, NULL); break;
break; case Q_GETFMT:
case Q_GETFMT: case Q_GETINFO:
case Q_GETINFO: case Q_GETQUOTA:
case Q_GETQUOTA: rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
rc = superblock_has_perm(current, NULL);
sb, break;
FILESYSTEM__QUOTAGET, NULL); default:
break; rc = 0; /* let the kernel handle invalid cmds */
default: break;
rc = 0; /* let the kernel handle invalid cmds */
break;
} }
return rc; return rc;
} }
...@@ -1849,23 +1848,23 @@ static int selinux_syslog(int type) ...@@ -1849,23 +1848,23 @@ static int selinux_syslog(int type)
return rc; return rc;
switch (type) { switch (type) {
case 3: /* Read last kernel messages */ case 3: /* Read last kernel messages */
case 10: /* Return size of the log buffer */ case 10: /* Return size of the log buffer */
rc = task_has_system(current, SYSTEM__SYSLOG_READ); rc = task_has_system(current, SYSTEM__SYSLOG_READ);
break; break;
case 6: /* Disable logging to console */ case 6: /* Disable logging to console */
case 7: /* Enable logging to console */ case 7: /* Enable logging to console */
case 8: /* Set level of messages printed to console */ case 8: /* Set level of messages printed to console */
rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
break; break;
case 0: /* Close log */ case 0: /* Close log */
case 1: /* Open log */ case 1: /* Open log */
case 2: /* Read from log */ case 2: /* Read from log */
case 4: /* Read/clear last kernel messages */ case 4: /* Read/clear last kernel messages */
case 5: /* Clear ring buffer */ case 5: /* Clear ring buffer */
default: default:
rc = task_has_system(current, SYSTEM__SYSLOG_MOD); rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
break; break;
} }
return rc; return rc;
} }
...@@ -1971,7 +1970,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) ...@@ -1971,7 +1970,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
} else { } else {
/* Check for a default transition on this program. */ /* Check for a default transition on this program. */
rc = security_transition_sid(tsec->sid, isec->sid, rc = security_transition_sid(tsec->sid, isec->sid,
SECCLASS_PROCESS, &newsid); SECCLASS_PROCESS, &newsid);
if (rc) if (rc)
return rc; return rc;
} }
...@@ -1982,7 +1981,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) ...@@ -1982,7 +1981,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
newsid = tsec->sid; newsid = tsec->sid;
if (tsec->sid == newsid) { if (tsec->sid == newsid) {
rc = avc_has_perm(tsec->sid, isec->sid, rc = avc_has_perm(tsec->sid, isec->sid,
SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
if (rc) if (rc)
...@@ -2010,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) ...@@ -2010,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
return 0; return 0;
} }
static int selinux_bprm_check_security (struct linux_binprm *bprm) static int selinux_bprm_check_security(struct linux_binprm *bprm)
{ {
return secondary_ops->bprm_check_security(bprm); return secondary_ops->bprm_check_security(bprm);
} }
static int selinux_bprm_secureexec (struct linux_binprm *bprm) static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{ {
struct task_security_struct *tsec = current->security; struct task_security_struct *tsec = current->security;
int atsecure = 0; int atsecure = 0;
...@@ -2043,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount; ...@@ -2043,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount;
extern struct dentry *selinux_null; extern struct dentry *selinux_null;
/* Derived from fs/exec.c:flush_old_files. */ /* Derived from fs/exec.c:flush_old_files. */
static inline void flush_unauthorized_files(struct files_struct * files) static inline void flush_unauthorized_files(struct files_struct *files)
{ {
struct avc_audit_data ad; struct avc_audit_data ad;
struct file *file, *devnull = NULL; struct file *file, *devnull = NULL;
...@@ -2078,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) ...@@ -2078,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
/* Revalidate access to inherited open files. */ /* Revalidate access to inherited open files. */
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
spin_lock(&files->file_lock); spin_lock(&files->file_lock);
for (;;) { for (;;) {
...@@ -2094,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) ...@@ -2094,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
if (!set) if (!set)
continue; continue;
spin_unlock(&files->file_lock); spin_unlock(&files->file_lock);
for ( ; set ; i++,set >>= 1) { for ( ; set ; i++, set >>= 1) {
if (set & 1) { if (set & 1) {
file = fget(i); file = fget(i);
if (!file) if (!file)
...@@ -2251,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) ...@@ -2251,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
for (i = 0; i < RLIM_NLIMITS; i++) { for (i = 0; i < RLIM_NLIMITS; i++) {
rlim = current->signal->rlim + i; rlim = current->signal->rlim + i;
initrlim = init_task.signal->rlim+i; initrlim = init_task.signal->rlim+i;
rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
} }
if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
/* /*
...@@ -2306,16 +2305,15 @@ static inline void take_option(char **to, char *from, int *first, int len) ...@@ -2306,16 +2305,15 @@ static inline void take_option(char **to, char *from, int *first, int len)
*to += len; *to += len;
} }
static inline void take_selinux_option(char **to, char *from, int *first, static inline void take_selinux_option(char **to, char *from, int *first,
int len) int len)
{ {
int current_size = 0; int current_size = 0;
if (!*first) { if (!*first) {
**to = '|'; **to = '|';
*to += 1; *to += 1;
} } else
else
*first = 0; *first = 0;
while (current_size < len) { while (current_size < len) {
...@@ -2379,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data) ...@@ -2379,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
if (rc) if (rc)
return rc; return rc;
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.dentry = sb->s_root; ad.u.fs.path.dentry = sb->s_root;
return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
} }
...@@ -2388,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry) ...@@ -2388,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry)
{ {
struct avc_audit_data ad; struct avc_audit_data ad;
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.dentry = dentry->d_sb->s_root; ad.u.fs.path.dentry = dentry->d_sb->s_root;
return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
} }
static int selinux_mount(char * dev_name, static int selinux_mount(char *dev_name,
struct nameidata *nd, struct nameidata *nd,
char * type, char *type,
unsigned long flags, unsigned long flags,
void * data) void *data)
{ {
int rc; int rc;
...@@ -2407,10 +2405,10 @@ static int selinux_mount(char * dev_name, ...@@ -2407,10 +2405,10 @@ static int selinux_mount(char * dev_name,
if (flags & MS_REMOUNT) if (flags & MS_REMOUNT)
return superblock_has_perm(current, nd->path.mnt->mnt_sb, return superblock_has_perm(current, nd->path.mnt->mnt_sb,
FILESYSTEM__REMOUNT, NULL); FILESYSTEM__REMOUNT, NULL);
else else
return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
FILE__MOUNTON); FILE__MOUNTON);
} }
static int selinux_umount(struct vfsmount *mnt, int flags) static int selinux_umount(struct vfsmount *mnt, int flags)
...@@ -2421,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags) ...@@ -2421,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags)
if (rc) if (rc)
return rc; return rc;
return superblock_has_perm(current,mnt->mnt_sb, return superblock_has_perm(current, mnt->mnt_sb,
FILESYSTEM__UNMOUNT,NULL); FILESYSTEM__UNMOUNT, NULL);
} }
/* inode security operations */ /* inode security operations */
...@@ -2508,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru ...@@ -2508,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru
{ {
int rc; int rc;
rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
if (rc) if (rc)
return rc; return rc;
return may_link(dir, old_dentry, MAY_LINK); return may_link(dir, old_dentry, MAY_LINK);
...@@ -2551,7 +2549,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod ...@@ -2551,7 +2549,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
} }
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
struct inode *new_inode, struct dentry *new_dentry) struct inode *new_inode, struct dentry *new_dentry)
{ {
return may_rename(old_inode, old_dentry, new_inode, new_dentry); return may_rename(old_inode, old_dentry, new_inode, new_dentry);
} }
...@@ -2565,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na ...@@ -2565,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
{ {
int rc; int rc;
rc = secondary_ops->inode_follow_link(dentry,nameidata); rc = secondary_ops->inode_follow_link(dentry, nameidata);
if (rc) if (rc)
return rc; return rc;
return dentry_has_perm(current, NULL, dentry, FILE__READ); return dentry_has_perm(current, NULL, dentry, FILE__READ);
...@@ -2651,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value ...@@ -2651,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
if (!is_owner_or_cap(inode)) if (!is_owner_or_cap(inode))
return -EPERM; return -EPERM;
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.dentry = dentry; ad.u.fs.path.dentry = dentry;
rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
...@@ -2669,7 +2667,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value ...@@ -2669,7 +2667,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
return rc; return rc;
rc = security_validate_transition(isec->sid, newsid, tsec->sid, rc = security_validate_transition(isec->sid, newsid, tsec->sid,
isec->sclass); isec->sclass);
if (rc) if (rc)
return rc; return rc;
...@@ -2681,7 +2679,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value ...@@ -2681,7 +2679,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
} }
static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
void *value, size_t size, int flags) void *value, size_t size, int flags)
{ {
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
struct inode_security_struct *isec = inode->i_security; struct inode_security_struct *isec = inode->i_security;
...@@ -2704,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, ...@@ -2704,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
return; return;
} }
static int selinux_inode_getxattr (struct dentry *dentry, char *name) static int selinux_inode_getxattr(struct dentry *dentry, char *name)
{ {
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
} }
static int selinux_inode_listxattr (struct dentry *dentry) static int selinux_inode_listxattr(struct dentry *dentry)
{ {
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
} }
static int selinux_inode_removexattr (struct dentry *dentry, char *name) static int selinux_inode_removexattr(struct dentry *dentry, char *name)
{ {
if (strcmp(name, XATTR_NAME_SELINUX)) if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name); return selinux_inode_setotherxattr(dentry, name);
...@@ -2755,7 +2753,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name ...@@ -2755,7 +2753,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
} }
static int selinux_inode_setsecurity(struct inode *inode, const char *name, static int selinux_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags) const void *value, size_t size, int flags)
{ {
struct inode_security_struct *isec = inode->i_security; struct inode_security_struct *isec = inode->i_security;
u32 newsid; u32 newsid;
...@@ -2767,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, ...@@ -2767,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
if (!value || !size) if (!value || !size)
return -EACCES; return -EACCES;
rc = security_context_to_sid((void*)value, size, &newsid); rc = security_context_to_sid((void *)value, size, &newsid);
if (rc) if (rc)
return rc; return rc;
...@@ -2858,42 +2856,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, ...@@ -2858,42 +2856,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
int error = 0; int error = 0;
switch (cmd) { switch (cmd) {
case FIONREAD: case FIONREAD:
/* fall through */ /* fall through */
case FIBMAP: case FIBMAP:
/* fall through */ /* fall through */
case FIGETBSZ: case FIGETBSZ:
/* fall through */ /* fall through */
case EXT2_IOC_GETFLAGS: case EXT2_IOC_GETFLAGS:
/* fall through */ /* fall through */
case EXT2_IOC_GETVERSION: case EXT2_IOC_GETVERSION:
error = file_has_perm(current, file, FILE__GETATTR); error = file_has_perm(current, file, FILE__GETATTR);
break; break;
case EXT2_IOC_SETFLAGS:
/* fall through */
case EXT2_IOC_SETVERSION:
error = file_has_perm(current, file, FILE__SETATTR);
break;
/* sys_ioctl() checks */ case EXT2_IOC_SETFLAGS:
case FIONBIO: /* fall through */
/* fall through */ case EXT2_IOC_SETVERSION:
case FIOASYNC: error = file_has_perm(current, file, FILE__SETATTR);
error = file_has_perm(current, file, 0); break;
break;
case KDSKBENT: /* sys_ioctl() checks */
case KDSKBSENT: case FIONBIO:
error = task_has_capability(current,CAP_SYS_TTY_CONFIG); /* fall through */
break; case FIOASYNC:
error = file_has_perm(current, file, 0);
break;
/* default case assumes that the command will go case KDSKBENT:
* to the file's ioctl() function. case KDSKBSENT:
*/ error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
default: break;
error = file_has_perm(current, file, FILE__IOCTL);
/* default case assumes that the command will go
* to the file's ioctl() function.
*/
default:
error = file_has_perm(current, file, FILE__IOCTL);
} }
return error; return error;
} }
...@@ -2934,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, ...@@ -2934,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
unsigned long addr, unsigned long addr_only) unsigned long addr, unsigned long addr_only)
{ {
int rc = 0; int rc = 0;
u32 sid = ((struct task_security_struct*)(current->security))->sid; u32 sid = ((struct task_security_struct *)(current->security))->sid;
if (addr < mmap_min_addr) if (addr < mmap_min_addr)
rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
...@@ -3003,39 +3000,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd, ...@@ -3003,39 +3000,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
int err = 0; int err = 0;
switch (cmd) { switch (cmd) {
case F_SETFL: case F_SETFL:
if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
err = -EINVAL; err = -EINVAL;
break; break;
} }
if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
err = file_has_perm(current, file,FILE__WRITE); err = file_has_perm(current, file, FILE__WRITE);
break;
}
/* fall through */
case F_SETOWN:
case F_SETSIG:
case F_GETFL:
case F_GETOWN:
case F_GETSIG:
/* Just check FD__USE permission */
err = file_has_perm(current, file, 0);
break; break;
case F_GETLK: }
case F_SETLK: /* fall through */
case F_SETLKW: case F_SETOWN:
case F_SETSIG:
case F_GETFL:
case F_GETOWN:
case F_GETSIG:
/* Just check FD__USE permission */
err = file_has_perm(current, file, 0);
break;
case F_GETLK:
case F_SETLK:
case F_SETLKW:
#if BITS_PER_LONG == 32 #if BITS_PER_LONG == 32
case F_GETLK64: case F_GETLK64:
case F_SETLK64: case F_SETLK64:
case F_SETLKW64: case F_SETLKW64:
#endif #endif
if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
err = -EINVAL; err = -EINVAL;
break;
}
err = file_has_perm(current, file, FILE__LOCK);
break; break;
}
err = file_has_perm(current, file, FILE__LOCK);
break;
} }
return err; return err;
...@@ -3056,13 +3053,13 @@ static int selinux_file_set_fowner(struct file *file) ...@@ -3056,13 +3053,13 @@ static int selinux_file_set_fowner(struct file *file)
static int selinux_file_send_sigiotask(struct task_struct *tsk, static int selinux_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum) struct fown_struct *fown, int signum)
{ {
struct file *file; struct file *file;
u32 perm; u32 perm;
struct task_security_struct *tsec; struct task_security_struct *tsec;
struct file_security_struct *fsec; struct file_security_struct *fsec;
/* struct fown_struct is never outside the context of a struct file */ /* struct fown_struct is never outside the context of a struct file */
file = container_of(fown, struct file, f_owner); file = container_of(fown, struct file, f_owner);
tsec = tsk->security; tsec = tsk->security;
fsec = file->f_security; fsec = file->f_security;
...@@ -3164,7 +3161,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) ...@@ -3164,7 +3161,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{ {
return secondary_ops->task_post_setuid(id0,id1,id2,flags); return secondary_ops->task_post_setuid(id0, id1, id2, flags);
} }
static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
...@@ -3208,7 +3205,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice) ...@@ -3208,7 +3205,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
if (rc) if (rc)
return rc; return rc;
return task_has_perm(current,p, PROCESS__SETSCHED); return task_has_perm(current, p, PROCESS__SETSCHED);
} }
static int selinux_task_setioprio(struct task_struct *p, int ioprio) static int selinux_task_setioprio(struct task_struct *p, int ioprio)
...@@ -3312,7 +3309,7 @@ static int selinux_task_wait(struct task_struct *p) ...@@ -3312,7 +3309,7 @@ static int selinux_task_wait(struct task_struct *p)
static void selinux_task_reparent_to_init(struct task_struct *p) static void selinux_task_reparent_to_init(struct task_struct *p)
{ {
struct task_security_struct *tsec; struct task_security_struct *tsec;
secondary_ops->task_reparent_to_init(p); secondary_ops->task_reparent_to_init(p);
...@@ -3357,11 +3354,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, ...@@ -3357,11 +3354,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
*proto = ih->protocol; *proto = ih->protocol;
switch (ih->protocol) { switch (ih->protocol) {
case IPPROTO_TCP: { case IPPROTO_TCP: {
struct tcphdr _tcph, *th; struct tcphdr _tcph, *th;
if (ntohs(ih->frag_off) & IP_OFFSET) if (ntohs(ih->frag_off) & IP_OFFSET)
break; break;
offset += ihlen; offset += ihlen;
th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
...@@ -3371,23 +3368,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, ...@@ -3371,23 +3368,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
ad->u.net.sport = th->source; ad->u.net.sport = th->source;
ad->u.net.dport = th->dest; ad->u.net.dport = th->dest;
break; break;
} }
case IPPROTO_UDP: { case IPPROTO_UDP: {
struct udphdr _udph, *uh; struct udphdr _udph, *uh;
if (ntohs(ih->frag_off) & IP_OFFSET) if (ntohs(ih->frag_off) & IP_OFFSET)
break; break;
offset += ihlen; offset += ihlen;
uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
if (uh == NULL) if (uh == NULL)
break; break;
ad->u.net.sport = uh->source; ad->u.net.sport = uh->source;
ad->u.net.dport = uh->dest; ad->u.net.dport = uh->dest;
break; break;
} }
case IPPROTO_DCCP: { case IPPROTO_DCCP: {
struct dccp_hdr _dccph, *dh; struct dccp_hdr _dccph, *dh;
...@@ -3403,11 +3400,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, ...@@ -3403,11 +3400,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
ad->u.net.sport = dh->dccph_sport; ad->u.net.sport = dh->dccph_sport;
ad->u.net.dport = dh->dccph_dport; ad->u.net.dport = dh->dccph_dport;
break; break;
} }
default: default:
break; break;
} }
out: out:
return ret; return ret;
} }
...@@ -3442,7 +3439,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, ...@@ -3442,7 +3439,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
switch (nexthdr) { switch (nexthdr) {
case IPPROTO_TCP: { case IPPROTO_TCP: {
struct tcphdr _tcph, *th; struct tcphdr _tcph, *th;
th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
if (th == NULL) if (th == NULL)
...@@ -3475,7 +3472,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, ...@@ -3475,7 +3472,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
ad->u.net.sport = dh->dccph_sport; ad->u.net.sport = dh->dccph_sport;
ad->u.net.dport = dh->dccph_dport; ad->u.net.dport = dh->dccph_dport;
break; break;
} }
/* includes fragments */ /* includes fragments */
default: default:
...@@ -3573,7 +3570,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, ...@@ -3573,7 +3570,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
if (isec->sid == SECINITSID_KERNEL) if (isec->sid == SECINITSID_KERNEL)
goto out; goto out;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = sock->sk; ad.u.net.sk = sock->sk;
err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
...@@ -3683,7 +3680,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ...@@ -3683,7 +3680,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
snum, &sid); snum, &sid);
if (err) if (err)
goto out; goto out;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sport = htons(snum); ad.u.net.sport = htons(snum);
ad.u.net.family = family; ad.u.net.family = family;
err = avc_has_perm(isec->sid, sid, err = avc_has_perm(isec->sid, sid,
...@@ -3693,12 +3690,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ...@@ -3693,12 +3690,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
goto out; goto out;
} }
} }
switch(isec->sclass) { switch (isec->sclass) {
case SECCLASS_TCP_SOCKET: case SECCLASS_TCP_SOCKET:
node_perm = TCP_SOCKET__NODE_BIND; node_perm = TCP_SOCKET__NODE_BIND;
break; break;
case SECCLASS_UDP_SOCKET: case SECCLASS_UDP_SOCKET:
node_perm = UDP_SOCKET__NODE_BIND; node_perm = UDP_SOCKET__NODE_BIND;
break; break;
...@@ -3711,12 +3708,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ...@@ -3711,12 +3708,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
node_perm = RAWIP_SOCKET__NODE_BIND; node_perm = RAWIP_SOCKET__NODE_BIND;
break; break;
} }
err = sel_netnode_sid(addrp, family, &sid); err = sel_netnode_sid(addrp, family, &sid);
if (err) if (err)
goto out; goto out;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sport = htons(snum); ad.u.net.sport = htons(snum);
ad.u.net.family = family; ad.u.net.family = family;
...@@ -3726,7 +3723,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ...@@ -3726,7 +3723,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
err = avc_has_perm(isec->sid, sid, err = avc_has_perm(isec->sid, sid,
isec->sclass, node_perm, &ad); isec->sclass, node_perm, &ad);
if (err) if (err)
goto out; goto out;
} }
...@@ -3775,7 +3772,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, ...@@ -3775,7 +3772,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.dport = htons(snum); ad.u.net.dport = htons(snum);
ad.u.net.family = sk->sk_family; ad.u.net.family = sk->sk_family;
err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
...@@ -3813,7 +3810,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) ...@@ -3813,7 +3810,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
} }
static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
int size) int size)
{ {
int rc; int rc;
...@@ -3840,7 +3837,7 @@ static int selinux_socket_getpeername(struct socket *sock) ...@@ -3840,7 +3837,7 @@ static int selinux_socket_getpeername(struct socket *sock)
return socket_has_perm(current, sock, SOCKET__GETATTR); return socket_has_perm(current, sock, SOCKET__GETATTR);
} }
static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
{ {
int err; int err;
...@@ -3879,7 +3876,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, ...@@ -3879,7 +3876,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
isec = SOCK_INODE(sock)->i_security; isec = SOCK_INODE(sock)->i_security;
other_isec = SOCK_INODE(other)->i_security; other_isec = SOCK_INODE(other)->i_security;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = other->sk; ad.u.net.sk = other->sk;
err = avc_has_perm(isec->sid, other_isec->sid, err = avc_has_perm(isec->sid, other_isec->sid,
...@@ -3891,7 +3888,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, ...@@ -3891,7 +3888,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
/* connecting socket */ /* connecting socket */
ssec = sock->sk->sk_security; ssec = sock->sk->sk_security;
ssec->peer_sid = other_isec->sid; ssec->peer_sid = other_isec->sid;
/* server child socket */ /* server child socket */
ssec = newsk->sk_security; ssec = newsk->sk_security;
ssec->peer_sid = isec->sid; ssec->peer_sid = isec->sid;
...@@ -3911,7 +3908,7 @@ static int selinux_socket_unix_may_send(struct socket *sock, ...@@ -3911,7 +3908,7 @@ static int selinux_socket_unix_may_send(struct socket *sock,
isec = SOCK_INODE(sock)->i_security; isec = SOCK_INODE(sock)->i_security;
other_isec = SOCK_INODE(other)->i_security; other_isec = SOCK_INODE(other)->i_security;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = other->sk; ad.u.net.sk = other->sk;
err = avc_has_perm(isec->sid, other_isec->sid, err = avc_has_perm(isec->sid, other_isec->sid,
...@@ -3989,7 +3986,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, ...@@ -3989,7 +3986,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
if (err) if (err)
return err; return err;
err = sel_netnode_sid(addrp, family, &node_sid); err = sel_netnode_sid(addrp, family, &node_sid);
if (err) if (err)
return err; return err;
...@@ -4140,7 +4137,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op ...@@ -4140,7 +4137,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
err = -EFAULT; err = -EFAULT;
kfree(scontext); kfree(scontext);
out: out:
return err; return err;
} }
...@@ -4201,7 +4198,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid) ...@@ -4201,7 +4198,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
} }
} }
static void selinux_sock_graft(struct sock* sk, struct socket *parent) static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{ {
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
struct sk_security_struct *sksec = sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
...@@ -4278,13 +4275,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) ...@@ -4278,13 +4275,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
struct nlmsghdr *nlh; struct nlmsghdr *nlh;
struct socket *sock = sk->sk_socket; struct socket *sock = sk->sk_socket;
struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
if (skb->len < NLMSG_SPACE(0)) { if (skb->len < NLMSG_SPACE(0)) {
err = -EINVAL; err = -EINVAL;
goto out; goto out;
} }
nlh = nlmsg_hdr(skb); nlh = nlmsg_hdr(skb);
err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
if (err) { if (err) {
if (err == -EINVAL) { if (err == -EINVAL) {
...@@ -4410,7 +4407,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk, ...@@ -4410,7 +4407,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
return err; return err;
err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
return err; return err;
err = sel_netnode_sid(addrp, family, &node_sid); err = sel_netnode_sid(addrp, family, &node_sid);
if (err) if (err)
return err; return err;
...@@ -4593,7 +4590,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability) ...@@ -4593,7 +4590,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
ad.u.cap = capability; ad.u.cap = capability;
return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
} }
static int ipc_alloc_security(struct task_struct *task, static int ipc_alloc_security(struct task_struct *task,
...@@ -4685,7 +4682,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) ...@@ -4685,7 +4682,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
isec = msq->q_perm.security; isec = msq->q_perm.security;
AVC_AUDIT_DATA_INIT(&ad, IPC); AVC_AUDIT_DATA_INIT(&ad, IPC);
ad.u.ipc_id = msq->q_perm.key; ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
MSGQ__CREATE, &ad); MSGQ__CREATE, &ad);
...@@ -4722,7 +4719,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) ...@@ -4722,7 +4719,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
int err; int err;
int perms; int perms;
switch(cmd) { switch (cmd) {
case IPC_INFO: case IPC_INFO:
case MSG_INFO: case MSG_INFO:
/* No specific object, just general system-wide information. */ /* No specific object, just general system-wide information. */
...@@ -4806,7 +4803,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, ...@@ -4806,7 +4803,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
msec = msg->security; msec = msg->security;
AVC_AUDIT_DATA_INIT(&ad, IPC); AVC_AUDIT_DATA_INIT(&ad, IPC);
ad.u.ipc_id = msq->q_perm.key; ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, rc = avc_has_perm(tsec->sid, isec->sid,
SECCLASS_MSGQ, MSGQ__READ, &ad); SECCLASS_MSGQ, MSGQ__READ, &ad);
...@@ -4832,7 +4829,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) ...@@ -4832,7 +4829,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
isec = shp->shm_perm.security; isec = shp->shm_perm.security;
AVC_AUDIT_DATA_INIT(&ad, IPC); AVC_AUDIT_DATA_INIT(&ad, IPC);
ad.u.ipc_id = shp->shm_perm.key; ad.u.ipc_id = shp->shm_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
SHM__CREATE, &ad); SHM__CREATE, &ad);
...@@ -4870,7 +4867,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) ...@@ -4870,7 +4867,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
int perms; int perms;
int err; int err;
switch(cmd) { switch (cmd) {
case IPC_INFO: case IPC_INFO:
case SHM_INFO: case SHM_INFO:
/* No specific object, just general system-wide information. */ /* No specific object, just general system-wide information. */
...@@ -4931,7 +4928,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) ...@@ -4931,7 +4928,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
isec = sma->sem_perm.security; isec = sma->sem_perm.security;
AVC_AUDIT_DATA_INIT(&ad, IPC); AVC_AUDIT_DATA_INIT(&ad, IPC);
ad.u.ipc_id = sma->sem_perm.key; ad.u.ipc_id = sma->sem_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
SEM__CREATE, &ad); SEM__CREATE, &ad);
...@@ -4969,7 +4966,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd) ...@@ -4969,7 +4966,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
int err; int err;
u32 perms; u32 perms;
switch(cmd) { switch (cmd) {
case IPC_INFO: case IPC_INFO:
case SEM_INFO: case SEM_INFO:
/* No specific object, just general system-wide information. */ /* No specific object, just general system-wide information. */
...@@ -5041,13 +5038,13 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) ...@@ -5041,13 +5038,13 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
} }
/* module stacking operations */ /* module stacking operations */
static int selinux_register_security (const char *name, struct security_operations *ops) static int selinux_register_security(const char *name, struct security_operations *ops)
{ {
if (secondary_ops != original_ops) { if (secondary_ops != original_ops) {
printk(KERN_ERR "%s: There is already a secondary security " printk(KERN_ERR "%s: There is already a secondary security "
"module registered.\n", __func__); "module registered.\n", __func__);
return -EINVAL; return -EINVAL;
} }
secondary_ops = ops; secondary_ops = ops;
...@@ -5058,7 +5055,7 @@ static int selinux_register_security (const char *name, struct security_operatio ...@@ -5058,7 +5055,7 @@ static int selinux_register_security (const char *name, struct security_operatio
return 0; return 0;
} }
static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
{ {
if (inode) if (inode)
inode_doinit_with_dentry(inode, dentry); inode_doinit_with_dentry(inode, dentry);
...@@ -5186,11 +5183,11 @@ static int selinux_setprocattr(struct task_struct *p, ...@@ -5186,11 +5183,11 @@ static int selinux_setprocattr(struct task_struct *p,
} }
while_each_thread(g, t); while_each_thread(g, t);
read_unlock(&tasklist_lock); read_unlock(&tasklist_lock);
} }
/* Check permissions for the transition. */ /* Check permissions for the transition. */
error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
PROCESS__DYNTRANSITION, NULL); PROCESS__DYNTRANSITION, NULL);
if (error) if (error)
return error; return error;
...@@ -5218,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p, ...@@ -5218,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p,
tsec->sid = sid; tsec->sid = sid;
task_unlock(p); task_unlock(p);
} }
} } else
else
return -EINVAL; return -EINVAL;
return size; return size;
...@@ -5309,7 +5305,7 @@ static struct security_operations selinux_ops = { ...@@ -5309,7 +5305,7 @@ static struct security_operations selinux_ops = {
.vm_enough_memory = selinux_vm_enough_memory, .vm_enough_memory = selinux_vm_enough_memory,
.netlink_send = selinux_netlink_send, .netlink_send = selinux_netlink_send,
.netlink_recv = selinux_netlink_recv, .netlink_recv = selinux_netlink_recv,
.bprm_alloc_security = selinux_bprm_alloc_security, .bprm_alloc_security = selinux_bprm_alloc_security,
.bprm_free_security = selinux_bprm_free_security, .bprm_free_security = selinux_bprm_free_security,
...@@ -5322,13 +5318,13 @@ static struct security_operations selinux_ops = { ...@@ -5322,13 +5318,13 @@ static struct security_operations selinux_ops = {
.sb_alloc_security = selinux_sb_alloc_security, .sb_alloc_security = selinux_sb_alloc_security,
.sb_free_security = selinux_sb_free_security, .sb_free_security = selinux_sb_free_security,
.sb_copy_data = selinux_sb_copy_data, .sb_copy_data = selinux_sb_copy_data,
.sb_kern_mount = selinux_sb_kern_mount, .sb_kern_mount = selinux_sb_kern_mount,
.sb_statfs = selinux_sb_statfs, .sb_statfs = selinux_sb_statfs,
.sb_mount = selinux_mount, .sb_mount = selinux_mount,
.sb_umount = selinux_umount, .sb_umount = selinux_umount,
.sb_get_mnt_opts = selinux_get_mnt_opts, .sb_get_mnt_opts = selinux_get_mnt_opts,
.sb_set_mnt_opts = selinux_set_mnt_opts, .sb_set_mnt_opts = selinux_set_mnt_opts,
.sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
.sb_parse_opts_str = selinux_parse_opts_str, .sb_parse_opts_str = selinux_parse_opts_str,
...@@ -5353,9 +5349,9 @@ static struct security_operations selinux_ops = { ...@@ -5353,9 +5349,9 @@ static struct security_operations selinux_ops = {
.inode_getxattr = selinux_inode_getxattr, .inode_getxattr = selinux_inode_getxattr,
.inode_listxattr = selinux_inode_listxattr, .inode_listxattr = selinux_inode_listxattr,
.inode_removexattr = selinux_inode_removexattr, .inode_removexattr = selinux_inode_removexattr,
.inode_getsecurity = selinux_inode_getsecurity, .inode_getsecurity = selinux_inode_getsecurity,
.inode_setsecurity = selinux_inode_setsecurity, .inode_setsecurity = selinux_inode_setsecurity,
.inode_listsecurity = selinux_inode_listsecurity, .inode_listsecurity = selinux_inode_listsecurity,
.inode_need_killpriv = selinux_inode_need_killpriv, .inode_need_killpriv = selinux_inode_need_killpriv,
.inode_killpriv = selinux_inode_killpriv, .inode_killpriv = selinux_inode_killpriv,
.inode_getsecid = selinux_inode_getsecid, .inode_getsecid = selinux_inode_getsecid,
...@@ -5372,7 +5368,7 @@ static struct security_operations selinux_ops = { ...@@ -5372,7 +5368,7 @@ static struct security_operations selinux_ops = {
.file_send_sigiotask = selinux_file_send_sigiotask, .file_send_sigiotask = selinux_file_send_sigiotask,
.file_receive = selinux_file_receive, .file_receive = selinux_file_receive,
.dentry_open = selinux_dentry_open, .dentry_open = selinux_dentry_open,
.task_create = selinux_task_create, .task_create = selinux_task_create,
.task_alloc_security = selinux_task_alloc_security, .task_alloc_security = selinux_task_alloc_security,
...@@ -5382,7 +5378,7 @@ static struct security_operations selinux_ops = { ...@@ -5382,7 +5378,7 @@ static struct security_operations selinux_ops = {
.task_setgid = selinux_task_setgid, .task_setgid = selinux_task_setgid,
.task_setpgid = selinux_task_setpgid, .task_setpgid = selinux_task_setpgid,
.task_getpgid = selinux_task_getpgid, .task_getpgid = selinux_task_getpgid,
.task_getsid = selinux_task_getsid, .task_getsid = selinux_task_getsid,
.task_getsecid = selinux_task_getsecid, .task_getsecid = selinux_task_getsecid,
.task_setgroups = selinux_task_setgroups, .task_setgroups = selinux_task_setgroups,
.task_setnice = selinux_task_setnice, .task_setnice = selinux_task_setnice,
...@@ -5396,7 +5392,7 @@ static struct security_operations selinux_ops = { ...@@ -5396,7 +5392,7 @@ static struct security_operations selinux_ops = {
.task_wait = selinux_task_wait, .task_wait = selinux_task_wait,
.task_prctl = selinux_task_prctl, .task_prctl = selinux_task_prctl,
.task_reparent_to_init = selinux_task_reparent_to_init, .task_reparent_to_init = selinux_task_reparent_to_init,
.task_to_inode = selinux_task_to_inode, .task_to_inode = selinux_task_to_inode,
.ipc_permission = selinux_ipc_permission, .ipc_permission = selinux_ipc_permission,
.ipc_getsecid = selinux_ipc_getsecid, .ipc_getsecid = selinux_ipc_getsecid,
...@@ -5417,24 +5413,24 @@ static struct security_operations selinux_ops = { ...@@ -5417,24 +5413,24 @@ static struct security_operations selinux_ops = {
.shm_shmctl = selinux_shm_shmctl, .shm_shmctl = selinux_shm_shmctl,
.shm_shmat = selinux_shm_shmat, .shm_shmat = selinux_shm_shmat,
.sem_alloc_security = selinux_sem_alloc_security, .sem_alloc_security = selinux_sem_alloc_security,
.sem_free_security = selinux_sem_free_security, .sem_free_security = selinux_sem_free_security,
.sem_associate = selinux_sem_associate, .sem_associate = selinux_sem_associate,
.sem_semctl = selinux_sem_semctl, .sem_semctl = selinux_sem_semctl,
.sem_semop = selinux_sem_semop, .sem_semop = selinux_sem_semop,
.register_security = selinux_register_security, .register_security = selinux_register_security,
.d_instantiate = selinux_d_instantiate, .d_instantiate = selinux_d_instantiate,
.getprocattr = selinux_getprocattr, .getprocattr = selinux_getprocattr,
.setprocattr = selinux_setprocattr, .setprocattr = selinux_setprocattr,
.secid_to_secctx = selinux_secid_to_secctx, .secid_to_secctx = selinux_secid_to_secctx,
.secctx_to_secid = selinux_secctx_to_secid, .secctx_to_secid = selinux_secctx_to_secid,
.release_secctx = selinux_release_secctx, .release_secctx = selinux_release_secctx,
.unix_stream_connect = selinux_socket_unix_stream_connect, .unix_stream_connect = selinux_socket_unix_stream_connect,
.unix_may_send = selinux_socket_unix_may_send, .unix_may_send = selinux_socket_unix_may_send,
.socket_create = selinux_socket_create, .socket_create = selinux_socket_create,
...@@ -5456,7 +5452,7 @@ static struct security_operations selinux_ops = { ...@@ -5456,7 +5452,7 @@ static struct security_operations selinux_ops = {
.sk_alloc_security = selinux_sk_alloc_security, .sk_alloc_security = selinux_sk_alloc_security,
.sk_free_security = selinux_sk_free_security, .sk_free_security = selinux_sk_free_security,
.sk_clone_security = selinux_sk_clone_security, .sk_clone_security = selinux_sk_clone_security,
.sk_getsecid = selinux_sk_getsecid, .sk_getsecid = selinux_sk_getsecid,
.sock_graft = selinux_sock_graft, .sock_graft = selinux_sock_graft,
.inet_conn_request = selinux_inet_conn_request, .inet_conn_request = selinux_inet_conn_request,
.inet_csk_clone = selinux_inet_csk_clone, .inet_csk_clone = selinux_inet_csk_clone,
...@@ -5471,15 +5467,15 @@ static struct security_operations selinux_ops = { ...@@ -5471,15 +5467,15 @@ static struct security_operations selinux_ops = {
.xfrm_state_alloc_security = selinux_xfrm_state_alloc, .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
.xfrm_state_free_security = selinux_xfrm_state_free, .xfrm_state_free_security = selinux_xfrm_state_free,
.xfrm_state_delete_security = selinux_xfrm_state_delete, .xfrm_state_delete_security = selinux_xfrm_state_delete,
.xfrm_policy_lookup = selinux_xfrm_policy_lookup, .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
.xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
.xfrm_decode_session = selinux_xfrm_decode_session, .xfrm_decode_session = selinux_xfrm_decode_session,
#endif #endif
#ifdef CONFIG_KEYS #ifdef CONFIG_KEYS
.key_alloc = selinux_key_alloc, .key_alloc = selinux_key_alloc,
.key_free = selinux_key_free, .key_free = selinux_key_free,
.key_permission = selinux_key_permission, .key_permission = selinux_key_permission,
#endif #endif
#ifdef CONFIG_AUDIT #ifdef CONFIG_AUDIT
...@@ -5519,15 +5515,14 @@ static __init int selinux_init(void) ...@@ -5519,15 +5515,14 @@ static __init int selinux_init(void)
original_ops = secondary_ops = security_ops; original_ops = secondary_ops = security_ops;
if (!secondary_ops) if (!secondary_ops)
panic ("SELinux: No initial security operations\n"); panic("SELinux: No initial security operations\n");
if (register_security (&selinux_ops)) if (register_security(&selinux_ops))
panic("SELinux: Unable to register with kernel.\n"); panic("SELinux: Unable to register with kernel.\n");
if (selinux_enforcing) { if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
} else { else
printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
}
#ifdef CONFIG_KEYS #ifdef CONFIG_KEYS
/* Add security information to initial keyrings */ /* Add security information to initial keyrings */
...@@ -5552,8 +5547,8 @@ void selinux_complete_init(void) ...@@ -5552,8 +5547,8 @@ void selinux_complete_init(void)
if (!list_empty(&superblock_security_head)) { if (!list_empty(&superblock_security_head)) {
struct superblock_security_struct *sbsec = struct superblock_security_struct *sbsec =
list_entry(superblock_security_head.next, list_entry(superblock_security_head.next,
struct superblock_security_struct, struct superblock_security_struct,
list); list);
struct super_block *sb = sbsec->sb; struct super_block *sb = sbsec->sb;
sb->s_count++; sb->s_count++;
spin_unlock(&sb_security_lock); spin_unlock(&sb_security_lock);
...@@ -5672,10 +5667,11 @@ static void selinux_nf_ip_exit(void) ...@@ -5672,10 +5667,11 @@ static void selinux_nf_ip_exit(void)
#endif /* CONFIG_NETFILTER */ #endif /* CONFIG_NETFILTER */
#ifdef CONFIG_SECURITY_SELINUX_DISABLE #ifdef CONFIG_SECURITY_SELINUX_DISABLE
static int selinux_disabled;
int selinux_disable(void) int selinux_disable(void)
{ {
extern void exit_sel_fs(void); extern void exit_sel_fs(void);
static int selinux_disabled = 0;
if (ss_initialized) { if (ss_initialized) {
/* Not permitted after initial policy load. */ /* Not permitted after initial policy load. */
......
security/selinux/netif.c
View file @ 19b5b517
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
* *
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* Copyright (C) 2007 Hewlett-Packard Development Company, L.P. * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
* Paul Moore <paul.moore@hp.com> * Paul Moore <paul.moore@hp.com>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2, * it under the terms of the GNU General Public License version 2,
...@@ -31,8 +31,7 @@ ...@@ -31,8 +31,7 @@
#define SEL_NETIF_HASH_SIZE 64 #define SEL_NETIF_HASH_SIZE 64
#define SEL_NETIF_HASH_MAX 1024 #define SEL_NETIF_HASH_MAX 1024
struct sel_netif struct sel_netif {
{
struct list_head list; struct list_head list;
struct netif_security_struct nsec; struct netif_security_struct nsec;
struct rcu_head rcu_head; struct rcu_head rcu_head;
...@@ -92,10 +91,10 @@ static inline struct sel_netif *sel_netif_find(int ifindex) ...@@ -92,10 +91,10 @@ static inline struct sel_netif *sel_netif_find(int ifindex)
static int sel_netif_insert(struct sel_netif *netif) static int sel_netif_insert(struct sel_netif *netif)
{ {
int idx; int idx;
if (sel_netif_total >= SEL_NETIF_HASH_MAX) if (sel_netif_total >= SEL_NETIF_HASH_MAX)
return -ENOSPC; return -ENOSPC;
idx = sel_netif_hashfn(netif->nsec.ifindex); idx = sel_netif_hashfn(netif->nsec.ifindex);
list_add_rcu(&netif->list, &sel_netif_hash[idx]); list_add_rcu(&netif->list, &sel_netif_hash[idx]);
sel_netif_total++; sel_netif_total++;
...@@ -267,7 +266,7 @@ static void sel_netif_flush(void) ...@@ -267,7 +266,7 @@ static void sel_netif_flush(void)
} }
static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
u16 class, u32 perms, u32 *retained) u16 class, u32 perms, u32 *retained)
{ {
if (event == AVC_CALLBACK_RESET) { if (event == AVC_CALLBACK_RESET) {
sel_netif_flush(); sel_netif_flush();
...@@ -277,7 +276,7 @@ static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, ...@@ -277,7 +276,7 @@ static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
} }
static int sel_netif_netdev_notifier_handler(struct notifier_block *this, static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
unsigned long event, void *ptr) unsigned long event, void *ptr)
{ {
struct net_device *dev = ptr; struct net_device *dev = ptr;
...@@ -297,7 +296,7 @@ static struct notifier_block sel_netif_netdev_notifier = { ...@@ -297,7 +296,7 @@ static struct notifier_block sel_netif_netdev_notifier = {
static __init int sel_netif_init(void) static __init int sel_netif_init(void)
{ {
int i, err; int i, err;
if (!selinux_enabled) if (!selinux_enabled)
return 0; return 0;
...@@ -305,9 +304,9 @@ static __init int sel_netif_init(void) ...@@ -305,9 +304,9 @@ static __init int sel_netif_init(void)
INIT_LIST_HEAD(&sel_netif_hash[i]); INIT_LIST_HEAD(&sel_netif_hash[i]);
register_netdevice_notifier(&sel_netif_netdev_notifier); register_netdevice_notifier(&sel_netif_netdev_notifier);
err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET, err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET,
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
if (err) if (err)
panic("avc_add_callback() failed, error %d\n", err); panic("avc_add_callback() failed, error %d\n", err);
......
security/selinux/netlabel.c
View file @ 19b5b517
...@@ -118,7 +118,7 @@ void selinux_netlbl_cache_invalidate(void) ...@@ -118,7 +118,7 @@ void selinux_netlbl_cache_invalidate(void)
void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
int family) int family)
{ {
if (family == PF_INET) if (family == PF_INET)
ssec->nlbl_state = NLBL_REQUIRE; ssec->nlbl_state = NLBL_REQUIRE;
else else
ssec->nlbl_state = NLBL_UNSET; ssec->nlbl_state = NLBL_UNSET;
......
security/selinux/netlink.c
View file @ 19b5b517
...@@ -24,16 +24,16 @@ static struct sock *selnl; ...@@ -24,16 +24,16 @@ static struct sock *selnl;
static int selnl_msglen(int msgtype) static int selnl_msglen(int msgtype)
{ {
int ret = 0; int ret = 0;
switch (msgtype) { switch (msgtype) {
case SELNL_MSG_SETENFORCE: case SELNL_MSG_SETENFORCE:
ret = sizeof(struct selnl_msg_setenforce); ret = sizeof(struct selnl_msg_setenforce);
break; break;
case SELNL_MSG_POLICYLOAD: case SELNL_MSG_POLICYLOAD:
ret = sizeof(struct selnl_msg_policyload); ret = sizeof(struct selnl_msg_policyload);
break; break;
default: default:
BUG(); BUG();
} }
...@@ -45,15 +45,15 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void * ...@@ -45,15 +45,15 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *
switch (msgtype) { switch (msgtype) {
case SELNL_MSG_SETENFORCE: { case SELNL_MSG_SETENFORCE: {
struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
memset(msg, 0, len); memset(msg, 0, len);
msg->val = *((int *)data); msg->val = *((int *)data);
break; break;
} }
case SELNL_MSG_POLICYLOAD: { case SELNL_MSG_POLICYLOAD: {
struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
memset(msg, 0, len); memset(msg, 0, len);
msg->seqno = *((u32 *)data); msg->seqno = *((u32 *)data);
break; break;
...@@ -70,9 +70,9 @@ static void selnl_notify(int msgtype, void *data) ...@@ -70,9 +70,9 @@ static void selnl_notify(int msgtype, void *data)
sk_buff_data_t tmp; sk_buff_data_t tmp;
struct sk_buff *skb; struct sk_buff *skb;
struct nlmsghdr *nlh; struct nlmsghdr *nlh;
len = selnl_msglen(msgtype); len = selnl_msglen(msgtype);
skb = alloc_skb(NLMSG_SPACE(len), GFP_USER); skb = alloc_skb(NLMSG_SPACE(len), GFP_USER);
if (!skb) if (!skb)
goto oom; goto oom;
...@@ -85,7 +85,7 @@ static void selnl_notify(int msgtype, void *data) ...@@ -85,7 +85,7 @@ static void selnl_notify(int msgtype, void *data)
netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER); netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER);
out: out:
return; return;
nlmsg_failure: nlmsg_failure:
kfree_skb(skb); kfree_skb(skb);
oom: oom:
...@@ -109,7 +109,7 @@ static int __init selnl_init(void) ...@@ -109,7 +109,7 @@ static int __init selnl_init(void)
SELNLGRP_MAX, NULL, NULL, THIS_MODULE); SELNLGRP_MAX, NULL, NULL, THIS_MODULE);
if (selnl == NULL) if (selnl == NULL)
panic("SELinux: Cannot create netlink socket."); panic("SELinux: Cannot create netlink socket.");
netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV); netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);
return 0; return 0;
} }
......
security/selinux/netnode.c
View file @ 19b5b517
...@@ -344,7 +344,7 @@ static __init int sel_netnode_init(void) ...@@ -344,7 +344,7 @@ static __init int sel_netnode_init(void)
INIT_LIST_HEAD(&sel_netnode_hash[iter]); INIT_LIST_HEAD(&sel_netnode_hash[iter]);
ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET, ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET,
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
if (ret != 0) if (ret != 0)
panic("avc_add_callback() failed, error %d\n", ret); panic("avc_add_callback() failed, error %d\n", ret);
......
security/selinux/nlmsgtab.c
View file @ 19b5b517
...@@ -23,8 +23,7 @@ ...@@ -23,8 +23,7 @@
#include "flask.h" #include "flask.h"
#include "av_permissions.h" #include "av_permissions.h"
struct nlmsg_perm struct nlmsg_perm {
{
u16 nlmsg_type; u16 nlmsg_type;
u32 perm; u32 perm;
}; };
...@@ -159,7 +158,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm) ...@@ -159,7 +158,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
if ((nlmsg_type >= AUDIT_FIRST_USER_MSG && if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
nlmsg_type <= AUDIT_LAST_USER_MSG) || nlmsg_type <= AUDIT_LAST_USER_MSG) ||
(nlmsg_type >= AUDIT_FIRST_USER_MSG2 && (nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
nlmsg_type <= AUDIT_LAST_USER_MSG2)) { nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY; *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
} else { } else {
err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
......
security/selinux/selinuxfs.c
View file @ 19b5b517
/* Updated: Karl MacMillan <kmacmillan@tresys.com> /* Updated: Karl MacMillan <kmacmillan@tresys.com>
* *
* Added conditional policy language extensions * Added conditional policy language extensions
* *
* Updated: Hewlett-Packard <paul.moore@hp.com> * Updated: Hewlett-Packard <paul.moore@hp.com>
* *
* Added support for the policy capability bitmap * Added support for the policy capability bitmap
* *
* Copyright (C) 2007 Hewlett-Packard Development Company, L.P. * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
* Copyright (C) 2003 - 2004 Tresys Technology, LLC * Copyright (C) 2003 - 2004 Tresys Technology, LLC
* Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2. * the Free Software Foundation, version 2.
*/ */
...@@ -57,14 +57,14 @@ int selinux_compat_net = SELINUX_COMPAT_NET_VALUE; ...@@ -57,14 +57,14 @@ int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
static int __init checkreqprot_setup(char *str) static int __init checkreqprot_setup(char *str)
{ {
selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0; selinux_checkreqprot = simple_strtoul(str, NULL, 0) ? 1 : 0;
return 1; return 1;
} }
__setup("checkreqprot=", checkreqprot_setup); __setup("checkreqprot=", checkreqprot_setup);
static int __init selinux_compat_net_setup(char *str) static int __init selinux_compat_net_setup(char *str)
{ {
selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0; selinux_compat_net = simple_strtoul(str, NULL, 0) ? 1 : 0;
return 1; return 1;
} }
__setup("selinux_compat_net=", selinux_compat_net_setup); __setup("selinux_compat_net=", selinux_compat_net_setup);
...@@ -73,17 +73,17 @@ __setup("selinux_compat_net=", selinux_compat_net_setup); ...@@ -73,17 +73,17 @@ __setup("selinux_compat_net=", selinux_compat_net_setup);
static DEFINE_MUTEX(sel_mutex); static DEFINE_MUTEX(sel_mutex);
/* global data for booleans */ /* global data for booleans */
static struct dentry *bool_dir = NULL; static struct dentry *bool_dir;
static int bool_num = 0; static int bool_num;
static char **bool_pending_names; static char **bool_pending_names;
static int *bool_pending_values = NULL; static int *bool_pending_values;
/* global data for classes */ /* global data for classes */
static struct dentry *class_dir = NULL; static struct dentry *class_dir;
static unsigned long last_class_ino; static unsigned long last_class_ino;
/* global data for policy capabilities */ /* global data for policy capabilities */
static struct dentry *policycap_dir = NULL; static struct dentry *policycap_dir;
extern void selnl_notify_setenforce(int val); extern void selnl_notify_setenforce(int val);
...@@ -142,7 +142,7 @@ static ssize_t sel_read_enforce(struct file *filp, char __user *buf, ...@@ -142,7 +142,7 @@ static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
} }
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static ssize_t sel_write_enforce(struct file * file, const char __user * buf, static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
...@@ -156,7 +156,7 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf, ...@@ -156,7 +156,7 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
/* No partial writes. */ /* No partial writes. */
return -EINVAL; return -EINVAL;
} }
page = (char*)get_zeroed_page(GFP_KERNEL); page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) if (!page)
return -ENOMEM; return -ENOMEM;
length = -EFAULT; length = -EFAULT;
...@@ -213,7 +213,7 @@ static const struct file_operations sel_handle_unknown_ops = { ...@@ -213,7 +213,7 @@ static const struct file_operations sel_handle_unknown_ops = {
}; };
#ifdef CONFIG_SECURITY_SELINUX_DISABLE #ifdef CONFIG_SECURITY_SELINUX_DISABLE
static ssize_t sel_write_disable(struct file * file, const char __user * buf, static ssize_t sel_write_disable(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
...@@ -228,7 +228,7 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf, ...@@ -228,7 +228,7 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
/* No partial writes. */ /* No partial writes. */
return -EINVAL; return -EINVAL;
} }
page = (char*)get_zeroed_page(GFP_KERNEL); page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) if (!page)
return -ENOMEM; return -ENOMEM;
length = -EFAULT; length = -EFAULT;
...@@ -263,7 +263,7 @@ static const struct file_operations sel_disable_ops = { ...@@ -263,7 +263,7 @@ static const struct file_operations sel_disable_ops = {
}; };
static ssize_t sel_read_policyvers(struct file *filp, char __user *buf, static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
char tmpbuf[TMPBUFLEN]; char tmpbuf[TMPBUFLEN];
ssize_t length; ssize_t length;
...@@ -299,7 +299,7 @@ static const struct file_operations sel_mls_ops = { ...@@ -299,7 +299,7 @@ static const struct file_operations sel_mls_ops = {
.read = sel_read_mls, .read = sel_read_mls,
}; };
static ssize_t sel_write_load(struct file * file, const char __user * buf, static ssize_t sel_write_load(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
...@@ -371,7 +371,7 @@ static const struct file_operations sel_load_ops = { ...@@ -371,7 +371,7 @@ static const struct file_operations sel_load_ops = {
.write = sel_write_load, .write = sel_write_load,
}; };
static ssize_t sel_write_context(struct file * file, char *buf, size_t size) static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
{ {
char *canon; char *canon;
u32 sid, len; u32 sid, len;
...@@ -390,8 +390,8 @@ static ssize_t sel_write_context(struct file * file, char *buf, size_t size) ...@@ -390,8 +390,8 @@ static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
return length; return length;
if (len > SIMPLE_TRANSACTION_LIMIT) { if (len > SIMPLE_TRANSACTION_LIMIT) {
printk(KERN_ERR "%s: context size (%u) exceeds payload " printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
"max\n", __func__, len); "payload max\n", __func__, len);
length = -ERANGE; length = -ERANGE;
goto out; goto out;
} }
...@@ -413,7 +413,7 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, ...@@ -413,7 +413,7 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
} }
static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf, static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
char *page; char *page;
...@@ -430,7 +430,7 @@ static ssize_t sel_write_checkreqprot(struct file * file, const char __user * bu ...@@ -430,7 +430,7 @@ static ssize_t sel_write_checkreqprot(struct file * file, const char __user * bu
/* No partial writes. */ /* No partial writes. */
return -EINVAL; return -EINVAL;
} }
page = (char*)get_zeroed_page(GFP_KERNEL); page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) if (!page)
return -ENOMEM; return -ENOMEM;
length = -EFAULT; length = -EFAULT;
...@@ -462,7 +462,7 @@ static ssize_t sel_read_compat_net(struct file *filp, char __user *buf, ...@@ -462,7 +462,7 @@ static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
} }
static ssize_t sel_write_compat_net(struct file * file, const char __user * buf, static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
char *page; char *page;
...@@ -479,7 +479,7 @@ static ssize_t sel_write_compat_net(struct file * file, const char __user * buf, ...@@ -479,7 +479,7 @@ static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
/* No partial writes. */ /* No partial writes. */
return -EINVAL; return -EINVAL;
} }
page = (char*)get_zeroed_page(GFP_KERNEL); page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) if (!page)
return -ENOMEM; return -ENOMEM;
length = -EFAULT; length = -EFAULT;
...@@ -504,11 +504,11 @@ static const struct file_operations sel_compat_net_ops = { ...@@ -504,11 +504,11 @@ static const struct file_operations sel_compat_net_ops = {
/* /*
* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
*/ */
static ssize_t sel_write_access(struct file * file, char *buf, size_t size); static ssize_t sel_write_access(struct file *file, char *buf, size_t size);
static ssize_t sel_write_create(struct file * file, char *buf, size_t size); static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size); static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
static ssize_t sel_write_user(struct file * file, char *buf, size_t size); static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
static ssize_t sel_write_member(struct file * file, char *buf, size_t size); static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
static ssize_t (*write_op[])(struct file *, char *, size_t) = { static ssize_t (*write_op[])(struct file *, char *, size_t) = {
[SEL_ACCESS] = sel_write_access, [SEL_ACCESS] = sel_write_access,
...@@ -521,7 +521,7 @@ static ssize_t (*write_op[])(struct file *, char *, size_t) = { ...@@ -521,7 +521,7 @@ static ssize_t (*write_op[])(struct file *, char *, size_t) = {
static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos) static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
{ {
ino_t ino = file->f_path.dentry->d_inode->i_ino; ino_t ino = file->f_path.dentry->d_inode->i_ino;
char *data; char *data;
ssize_t rv; ssize_t rv;
...@@ -532,8 +532,8 @@ static ssize_t selinux_transaction_write(struct file *file, const char __user *b ...@@ -532,8 +532,8 @@ static ssize_t selinux_transaction_write(struct file *file, const char __user *b
if (IS_ERR(data)) if (IS_ERR(data))
return PTR_ERR(data); return PTR_ERR(data);
rv = write_op[ino](file, data, size); rv = write_op[ino](file, data, size);
if (rv>0) { if (rv > 0) {
simple_transaction_set(file, rv); simple_transaction_set(file, rv);
rv = size; rv = size;
} }
...@@ -552,7 +552,7 @@ static const struct file_operations transaction_ops = { ...@@ -552,7 +552,7 @@ static const struct file_operations transaction_ops = {
* and the length returned. Otherwise return 0 or and -error. * and the length returned. Otherwise return 0 or and -error.
*/ */
static ssize_t sel_write_access(struct file * file, char *buf, size_t size) static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
{ {
char *scon, *tcon; char *scon, *tcon;
u32 ssid, tsid; u32 ssid, tsid;
...@@ -601,7 +601,7 @@ static ssize_t sel_write_access(struct file * file, char *buf, size_t size) ...@@ -601,7 +601,7 @@ static ssize_t sel_write_access(struct file * file, char *buf, size_t size)
return length; return length;
} }
static ssize_t sel_write_create(struct file * file, char *buf, size_t size) static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
{ {
char *scon, *tcon; char *scon, *tcon;
u32 ssid, tsid, newsid; u32 ssid, tsid, newsid;
...@@ -643,8 +643,8 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size) ...@@ -643,8 +643,8 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
goto out2; goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) { if (len > SIMPLE_TRANSACTION_LIMIT) {
printk(KERN_ERR "%s: context size (%u) exceeds payload " printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
"max\n", __func__, len); "payload max\n", __func__, len);
length = -ERANGE; length = -ERANGE;
goto out3; goto out3;
} }
...@@ -660,7 +660,7 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size) ...@@ -660,7 +660,7 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
return length; return length;
} }
static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size) static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
{ {
char *scon, *tcon; char *scon, *tcon;
u32 ssid, tsid, newsid; u32 ssid, tsid, newsid;
...@@ -717,7 +717,7 @@ static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size) ...@@ -717,7 +717,7 @@ static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size)
return length; return length;
} }
static ssize_t sel_write_user(struct file * file, char *buf, size_t size) static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
{ {
char *con, *user, *ptr; char *con, *user, *ptr;
u32 sid, *sids; u32 sid, *sids;
...@@ -778,7 +778,7 @@ static ssize_t sel_write_user(struct file * file, char *buf, size_t size) ...@@ -778,7 +778,7 @@ static ssize_t sel_write_user(struct file * file, char *buf, size_t size)
return length; return length;
} }
static ssize_t sel_write_member(struct file * file, char *buf, size_t size) static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
{ {
char *scon, *tcon; char *scon, *tcon;
u32 ssid, tsid, newsid; u32 ssid, tsid, newsid;
...@@ -820,8 +820,8 @@ static ssize_t sel_write_member(struct file * file, char *buf, size_t size) ...@@ -820,8 +820,8 @@ static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
goto out2; goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) { if (len > SIMPLE_TRANSACTION_LIMIT) {
printk(KERN_ERR "%s: context size (%u) exceeds payload " printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
"max\n", __func__, len); "payload max\n", __func__, len);
length = -ERANGE; length = -ERANGE;
goto out3; goto out3;
} }
...@@ -872,7 +872,8 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf, ...@@ -872,7 +872,8 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
ret = -EINVAL; ret = -EINVAL;
goto out; goto out;
} }
if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) { page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
ret = -ENOMEM; ret = -ENOMEM;
goto out; goto out;
} }
...@@ -923,7 +924,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf, ...@@ -923,7 +924,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
length = -EINVAL; length = -EINVAL;
goto out; goto out;
} }
page = (char*)get_zeroed_page(GFP_KERNEL); page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) { if (!page) {
length = -ENOMEM; length = -ENOMEM;
goto out; goto out;
...@@ -951,8 +952,8 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf, ...@@ -951,8 +952,8 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
} }
static const struct file_operations sel_bool_ops = { static const struct file_operations sel_bool_ops = {
.read = sel_read_bool, .read = sel_read_bool,
.write = sel_write_bool, .write = sel_write_bool,
}; };
static ssize_t sel_commit_bools_write(struct file *filep, static ssize_t sel_commit_bools_write(struct file *filep,
...@@ -977,7 +978,7 @@ static ssize_t sel_commit_bools_write(struct file *filep, ...@@ -977,7 +978,7 @@ static ssize_t sel_commit_bools_write(struct file *filep,
/* No partial writes. */ /* No partial writes. */
goto out; goto out;
} }
page = (char*)get_zeroed_page(GFP_KERNEL); page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) { if (!page) {
length = -ENOMEM; length = -ENOMEM;
goto out; goto out;
...@@ -991,9 +992,8 @@ static ssize_t sel_commit_bools_write(struct file *filep, ...@@ -991,9 +992,8 @@ static ssize_t sel_commit_bools_write(struct file *filep,
if (sscanf(page, "%d", &new_value) != 1) if (sscanf(page, "%d", &new_value) != 1)
goto out; goto out;
if (new_value && bool_pending_values) { if (new_value && bool_pending_values)
security_set_bools(bool_num, bool_pending_values); security_set_bools(bool_num, bool_pending_values);
}
length = count; length = count;
...@@ -1005,7 +1005,7 @@ static ssize_t sel_commit_bools_write(struct file *filep, ...@@ -1005,7 +1005,7 @@ static ssize_t sel_commit_bools_write(struct file *filep,
} }
static const struct file_operations sel_commit_bools_ops = { static const struct file_operations sel_commit_bools_ops = {
.write = sel_commit_bools_write, .write = sel_commit_bools_write,
}; };
static void sel_remove_entries(struct dentry *de) static void sel_remove_entries(struct dentry *de)
...@@ -1055,7 +1055,8 @@ static int sel_make_bools(void) ...@@ -1055,7 +1055,8 @@ static int sel_make_bools(void)
sel_remove_entries(dir); sel_remove_entries(dir);
if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM; return -ENOMEM;
ret = security_get_bools(&num, &names, &values); ret = security_get_bools(&num, &names, &values);
...@@ -1082,8 +1083,9 @@ static int sel_make_bools(void) ...@@ -1082,8 +1083,9 @@ static int sel_make_bools(void)
ret = -ENAMETOOLONG; ret = -ENAMETOOLONG;
goto err; goto err;
} }
isec = (struct inode_security_struct*)inode->i_security; isec = (struct inode_security_struct *)inode->i_security;
if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid))) ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
if (ret)
goto err; goto err;
isec->sid = sid; isec->sid = sid;
isec->initialized = 1; isec->initialized = 1;
...@@ -1111,7 +1113,7 @@ static int sel_make_bools(void) ...@@ -1111,7 +1113,7 @@ static int sel_make_bools(void)
#define NULL_FILE_NAME "null" #define NULL_FILE_NAME "null"
struct dentry *selinux_null = NULL; struct dentry *selinux_null;
static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
...@@ -1123,8 +1125,8 @@ static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, ...@@ -1123,8 +1125,8 @@ static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
} }
static ssize_t sel_write_avc_cache_threshold(struct file * file, static ssize_t sel_write_avc_cache_threshold(struct file *file,
const char __user * buf, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
...@@ -1143,7 +1145,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file * file, ...@@ -1143,7 +1145,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file * file,
goto out; goto out;
} }
page = (char*)get_zeroed_page(GFP_KERNEL); page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) { if (!page) {
ret = -ENOMEM; ret = -ENOMEM;
goto out; goto out;
...@@ -1301,7 +1303,7 @@ static int sel_make_avc_files(struct dentry *dir) ...@@ -1301,7 +1303,7 @@ static int sel_make_avc_files(struct dentry *dir)
return ret; return ret;
} }
static ssize_t sel_read_initcon(struct file * file, char __user *buf, static ssize_t sel_read_initcon(struct file *file, char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
struct inode *inode; struct inode *inode;
...@@ -1375,7 +1377,7 @@ static inline u32 sel_ino_to_perm(unsigned long ino) ...@@ -1375,7 +1377,7 @@ static inline u32 sel_ino_to_perm(unsigned long ino)
return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1); return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1);
} }
static ssize_t sel_read_class(struct file * file, char __user *buf, static ssize_t sel_read_class(struct file *file, char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
ssize_t rc, len; ssize_t rc, len;
...@@ -1399,7 +1401,7 @@ static const struct file_operations sel_class_ops = { ...@@ -1399,7 +1401,7 @@ static const struct file_operations sel_class_ops = {
.read = sel_read_class, .read = sel_read_class,
}; };
static ssize_t sel_read_perm(struct file * file, char __user *buf, static ssize_t sel_read_perm(struct file *file, char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
ssize_t rc, len; ssize_t rc, len;
...@@ -1412,7 +1414,7 @@ static ssize_t sel_read_perm(struct file * file, char __user *buf, ...@@ -1412,7 +1414,7 @@ static ssize_t sel_read_perm(struct file * file, char __user *buf,
goto out; goto out;
} }
len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino)); len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino));
rc = simple_read_from_buffer(buf, count, ppos, page, len); rc = simple_read_from_buffer(buf, count, ppos, page, len);
free_page((unsigned long)page); free_page((unsigned long)page);
out: out:
...@@ -1640,7 +1642,7 @@ static int sel_make_dir(struct inode *dir, struct dentry *dentry, ...@@ -1640,7 +1642,7 @@ static int sel_make_dir(struct inode *dir, struct dentry *dentry,
return ret; return ret;
} }
static int sel_fill_super(struct super_block * sb, void * data, int silent) static int sel_fill_super(struct super_block *sb, void *data, int silent)
{ {
int ret; int ret;
struct dentry *dentry; struct dentry *dentry;
...@@ -1696,7 +1698,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent) ...@@ -1696,7 +1698,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
goto err; goto err;
} }
inode->i_ino = ++sel_last_ino; inode->i_ino = ++sel_last_ino;
isec = (struct inode_security_struct*)inode->i_security; isec = (struct inode_security_struct *)inode->i_security;
isec->sid = SECINITSID_DEVNULL; isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE; isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = 1; isec->initialized = 1;
...@@ -1760,7 +1762,8 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent) ...@@ -1760,7 +1762,8 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
out: out:
return ret; return ret;
err: err:
printk(KERN_ERR "%s: failed while creating inodes\n", __func__); printk(KERN_ERR "SELinux: %s: failed while creating inodes\n",
__func__);
goto out; goto out;
} }
......
security/selinux/ss/avtab.c
View file @ 19b5b517
...@@ -6,15 +6,15 @@ ...@@ -6,15 +6,15 @@
/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> /* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
* *
* Added conditional policy language extensions * Added conditional policy language extensions
* *
* Copyright (C) 2003 Tresys Technology, LLC * Copyright (C) 2003 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2. * the Free Software Foundation, version 2.
* *
* Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
* Tuned number of hash slots for avtab to reduce memory usage * Tuned number of hash slots for avtab to reduce memory usage
*/ */
#include <linux/kernel.h> #include <linux/kernel.h>
...@@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask) ...@@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
static struct avtab_node* static struct avtab_node*
avtab_insert_node(struct avtab *h, int hvalue, avtab_insert_node(struct avtab *h, int hvalue,
struct avtab_node * prev, struct avtab_node * cur, struct avtab_node *prev, struct avtab_node *cur,
struct avtab_key *key, struct avtab_datum *datum) struct avtab_key *key, struct avtab_datum *datum)
{ {
struct avtab_node * newnode; struct avtab_node *newnode;
newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL); newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
if (newnode == NULL) if (newnode == NULL)
return NULL; return NULL;
...@@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat ...@@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
} }
newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
if(!newnode) if (!newnode)
return -ENOMEM; return -ENOMEM;
return 0; return 0;
...@@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat ...@@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
* It also returns a pointer to the node inserted. * It also returns a pointer to the node inserted.
*/ */
struct avtab_node * struct avtab_node *
avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_datum * datum) avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum)
{ {
int hvalue; int hvalue;
struct avtab_node *prev, *cur, *newnode; struct avtab_node *prev, *cur, *newnode;
...@@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag) ...@@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag)
} }
} }
printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
"chain length %d sum of chain length^2 %Lu\n", "longest chain length %d sum of chain length^2 %Lu\n",
tag, h->nel, slots_used, h->nslot, max_chain_len, tag, h->nel, slots_used, h->nslot, max_chain_len,
chain2_len_sum); chain2_len_sum);
} }
...@@ -326,7 +326,7 @@ static uint16_t spec_order[] = { ...@@ -326,7 +326,7 @@ static uint16_t spec_order[] = {
}; };
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
int (*insertf)(struct avtab *a, struct avtab_key *k, int (*insertf)(struct avtab *a, struct avtab_key *k,
struct avtab_datum *d, void *p), struct avtab_datum *d, void *p),
void *p) void *p)
{ {
...@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
val = le32_to_cpu(buf32[items++]); val = le32_to_cpu(buf32[items++]);
key.source_type = (u16)val; key.source_type = (u16)val;
if (key.source_type != val) { if (key.source_type != val) {
printk("SELinux: avtab: truncated source type\n"); printk(KERN_ERR "SELinux: avtab: truncated source type\n");
return -1; return -1;
} }
val = le32_to_cpu(buf32[items++]); val = le32_to_cpu(buf32[items++]);
key.target_type = (u16)val; key.target_type = (u16)val;
if (key.target_type != val) { if (key.target_type != val) {
printk("SELinux: avtab: truncated target type\n"); printk(KERN_ERR "SELinux: avtab: truncated target type\n");
return -1; return -1;
} }
val = le32_to_cpu(buf32[items++]); val = le32_to_cpu(buf32[items++]);
key.target_class = (u16)val; key.target_class = (u16)val;
if (key.target_class != val) { if (key.target_class != val) {
printk("SELinux: avtab: truncated target class\n"); printk(KERN_ERR "SELinux: avtab: truncated target class\n");
return -1; return -1;
} }
...@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
if (!(val & (AVTAB_AV | AVTAB_TYPE))) { if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
printk("SELinux: avtab: null entry\n"); printk(KERN_ERR "SELinux: avtab: null entry\n");
return -1; return -1;
} }
if ((val & AVTAB_AV) && if ((val & AVTAB_AV) &&
(val & AVTAB_TYPE)) { (val & AVTAB_TYPE)) {
printk("SELinux: avtab: entry has both access vectors and types\n"); printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
return -1; return -1;
} }
...@@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
key.specified = spec_order[i] | enabled; key.specified = spec_order[i] | enabled;
datum.data = le32_to_cpu(buf32[items++]); datum.data = le32_to_cpu(buf32[items++]);
rc = insertf(a, &key, &datum, p); rc = insertf(a, &key, &datum, p);
if (rc) return rc; if (rc)
return rc;
} }
} }
if (items != items2) { if (items != items2) {
printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items); printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
return -1; return -1;
} }
return 0; return 0;
...@@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
rc = next_entry(buf16, fp, sizeof(u16)*4); rc = next_entry(buf16, fp, sizeof(u16)*4);
if (rc < 0) { if (rc < 0) {
printk("SELinux: avtab: truncated entry\n"); printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return -1; return -1;
} }
...@@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
if (!policydb_type_isvalid(pol, key.source_type) || if (!policydb_type_isvalid(pol, key.source_type) ||
!policydb_type_isvalid(pol, key.target_type) || !policydb_type_isvalid(pol, key.target_type) ||
!policydb_class_isvalid(pol, key.target_class)) { !policydb_class_isvalid(pol, key.target_class)) {
printk(KERN_WARNING "SELinux: avtab: invalid type or class\n"); printk(KERN_ERR "SELinux: avtab: invalid type or class\n");
return -1; return -1;
} }
...@@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
set++; set++;
} }
if (!set || set > 1) { if (!set || set > 1) {
printk(KERN_WARNING printk(KERN_ERR "SELinux: avtab: more than one specifier\n");
"SELinux: avtab: more than one specifier\n");
return -1; return -1;
} }
rc = next_entry(buf32, fp, sizeof(u32)); rc = next_entry(buf32, fp, sizeof(u32));
if (rc < 0) { if (rc < 0) {
printk("SELinux: avtab: truncated entry\n"); printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return -1; return -1;
} }
datum.data = le32_to_cpu(*buf32); datum.data = le32_to_cpu(*buf32);
if ((key.specified & AVTAB_TYPE) && if ((key.specified & AVTAB_TYPE) &&
!policydb_type_isvalid(pol, datum.data)) { !policydb_type_isvalid(pol, datum.data)) {
printk(KERN_WARNING "SELinux: avtab: invalid type\n"); printk(KERN_ERR "SELinux: avtab: invalid type\n");
return -1; return -1;
} }
return insertf(a, &key, &datum, p); return insertf(a, &key, &datum, p);
...@@ -513,5 +513,5 @@ void avtab_cache_init(void) ...@@ -513,5 +513,5 @@ void avtab_cache_init(void)
void avtab_cache_destroy(void) void avtab_cache_destroy(void)
{ {
kmem_cache_destroy (avtab_node_cachep); kmem_cache_destroy(avtab_node_cachep);
} }
security/selinux/ss/conditional.c
View file @ 19b5b517
/* Authors: Karl MacMillan <kmacmillan@tresys.com> /* Authors: Karl MacMillan <kmacmillan@tresys.com>
* Frank Mayer <mayerf@tresys.com> * Frank Mayer <mayerf@tresys.com>
* *
* Copyright (C) 2003 - 2004 Tresys Technology, LLC * Copyright (C) 2003 - 2004 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2. * the Free Software Foundation, version 2.
*/ */
...@@ -89,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr) ...@@ -89,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
int evaluate_cond_node(struct policydb *p, struct cond_node *node) int evaluate_cond_node(struct policydb *p, struct cond_node *node)
{ {
int new_state; int new_state;
struct cond_av_list* cur; struct cond_av_list *cur;
new_state = cond_evaluate_expr(p, node->expr); new_state = cond_evaluate_expr(p, node->expr);
if (new_state != node->cur_state) { if (new_state != node->cur_state) {
...@@ -98,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node) ...@@ -98,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
/* turn the rules on or off */ /* turn the rules on or off */
for (cur = node->true_list; cur != NULL; cur = cur->next) { for (cur = node->true_list; cur != NULL; cur = cur->next) {
if (new_state <= 0) { if (new_state <= 0)
cur->node->key.specified &= ~AVTAB_ENABLED; cur->node->key.specified &= ~AVTAB_ENABLED;
} else { else
cur->node->key.specified |= AVTAB_ENABLED; cur->node->key.specified |= AVTAB_ENABLED;
}
} }
for (cur = node->false_list; cur != NULL; cur = cur->next) { for (cur = node->false_list; cur != NULL; cur = cur->next) {
/* -1 or 1 */ /* -1 or 1 */
if (new_state) { if (new_state)
cur->node->key.specified &= ~AVTAB_ENABLED; cur->node->key.specified &= ~AVTAB_ENABLED;
} else { else
cur->node->key.specified |= AVTAB_ENABLED; cur->node->key.specified |= AVTAB_ENABLED;
}
} }
} }
return 0; return 0;
...@@ -173,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p) ...@@ -173,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p)
int cond_init_bool_indexes(struct policydb *p) int cond_init_bool_indexes(struct policydb *p)
{ {
kfree(p->bool_val_to_struct); kfree(p->bool_val_to_struct);
p->bool_val_to_struct = (struct cond_bool_datum**) p->bool_val_to_struct = (struct cond_bool_datum **)
kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL); kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
if (!p->bool_val_to_struct) if (!p->bool_val_to_struct)
return -1; return -1;
return 0; return 0;
...@@ -199,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap) ...@@ -199,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
return -EINVAL; return -EINVAL;
p->p_bool_val_to_name[booldatum->value - 1] = key; p->p_bool_val_to_name[booldatum->value - 1] = key;
p->bool_val_to_struct[booldatum->value -1] = booldatum; p->bool_val_to_struct[booldatum->value - 1] = booldatum;
return 0; return 0;
} }
...@@ -251,8 +249,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp) ...@@ -251,8 +249,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
return -1; return -1;
} }
struct cond_insertf_data struct cond_insertf_data {
{
struct policydb *p; struct policydb *p;
struct cond_av_list *other; struct cond_av_list *other;
struct cond_av_list *head; struct cond_av_list *head;
...@@ -275,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum ...@@ -275,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
*/ */
if (k->specified & AVTAB_TYPE) { if (k->specified & AVTAB_TYPE) {
if (avtab_search(&p->te_avtab, k)) { if (avtab_search(&p->te_avtab, k)) {
printk("SELinux: type rule already exists outside of a conditional."); printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
goto err; goto err;
} }
/* /*
...@@ -290,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum ...@@ -290,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
node_ptr = avtab_search_node(&p->te_cond_avtab, k); node_ptr = avtab_search_node(&p->te_cond_avtab, k);
if (node_ptr) { if (node_ptr) {
if (avtab_search_node_next(node_ptr, k->specified)) { if (avtab_search_node_next(node_ptr, k->specified)) {
printk("SELinux: too many conflicting type rules."); printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
goto err; goto err;
} }
found = 0; found = 0;
...@@ -301,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum ...@@ -301,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
} }
} }
if (!found) { if (!found) {
printk("SELinux: conflicting type rules.\n"); printk(KERN_ERR "SELinux: conflicting type rules.\n");
goto err; goto err;
} }
} }
} else { } else {
if (avtab_search(&p->te_cond_avtab, k)) { if (avtab_search(&p->te_cond_avtab, k)) {
printk("SELinux: conflicting type rules when adding type rule for true.\n"); printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
goto err; goto err;
} }
} }
...@@ -315,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum ...@@ -315,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
if (!node_ptr) { if (!node_ptr) {
printk("SELinux: could not insert rule."); printk(KERN_ERR "SELinux: could not insert rule.\n");
goto err; goto err;
} }
...@@ -352,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list * ...@@ -352,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
return -1; return -1;
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
if (len == 0) { if (len == 0)
return 0; return 0;
}
data.p = p; data.p = p;
data.other = other; data.other = other;
...@@ -375,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list * ...@@ -375,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
static int expr_isvalid(struct policydb *p, struct cond_expr *expr) static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
{ {
if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
printk("SELinux: conditional expressions uses unknown operator.\n"); printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
return 0; return 0;
} }
if (expr->bool > p->p_bools.nprim) { if (expr->bool > p->p_bools.nprim) {
printk("SELinux: conditional expressions uses unknown bool.\n"); printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
return 0; return 0;
} }
return 1; return 1;
...@@ -407,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) ...@@ -407,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
/* expr */ /* expr */
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
for (i = 0; i < len; i++ ) { for (i = 0; i < len; i++) {
rc = next_entry(buf, fp, sizeof(u32) * 2); rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc < 0) if (rc < 0)
goto err; goto err;
expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
if (!expr) { if (!expr)
goto err; goto err;
}
expr->expr_type = le32_to_cpu(buf[0]); expr->expr_type = le32_to_cpu(buf[0]);
expr->bool = le32_to_cpu(buf[1]); expr->bool = le32_to_cpu(buf[1]);
...@@ -425,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) ...@@ -425,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
goto err; goto err;
} }
if (i == 0) { if (i == 0)
node->expr = expr; node->expr = expr;
} else { else
last->next = expr; last->next = expr;
}
last = expr; last = expr;
} }
...@@ -468,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp) ...@@ -468,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp)
if (cond_read_node(p, node, fp) != 0) if (cond_read_node(p, node, fp) != 0)
goto err; goto err;
if (i == 0) { if (i == 0)
p->cond_list = node; p->cond_list = node;
} else { else
last->next = node; last->next = node;
}
last = node; last = node;
} }
return 0; return 0;
...@@ -489,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi ...@@ -489,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
{ {
struct avtab_node *node; struct avtab_node *node;
if(!ctab || !key || !avd) if (!ctab || !key || !avd)
return; return;
for(node = avtab_search_node(ctab, key); node != NULL; for (node = avtab_search_node(ctab, key); node != NULL;
node = avtab_search_node_next(node, key->specified)) { node = avtab_search_node_next(node, key->specified)) {
if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) == if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
avd->allowed |= node->datum.data; avd->allowed |= node->datum.data;
if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) == if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
/* Since a '0' in an auditdeny mask represents a /* Since a '0' in an auditdeny mask represents a
* permission we do NOT want to audit (dontaudit), we use * permission we do NOT want to audit (dontaudit), we use
* the '&' operand to ensure that all '0's in the mask * the '&' operand to ensure that all '0's in the mask
* are retained (much unlike the allow and auditallow cases). * are retained (much unlike the allow and auditallow cases).
*/ */
avd->auditdeny &= node->datum.data; avd->auditdeny &= node->datum.data;
if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) == if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
avd->auditallow |= node->datum.data; avd->auditallow |= node->datum.data;
} }
return; return;
......
security/selinux/ss/ebitmap.c
View file @ 19b5b517
...@@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp) ...@@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp)
} }
/* round down */ /* round down */
tmp->startbit = startbit - (startbit % EBITMAP_SIZE); tmp->startbit = startbit - (startbit % EBITMAP_SIZE);
if (n) { if (n)
n->next = tmp; n->next = tmp;
} else { else
e->node = tmp; e->node = tmp;
}
n = tmp; n = tmp;
} else if (startbit <= n->startbit) { } else if (startbit <= n->startbit) {
printk(KERN_ERR "SELinux: ebitmap: start bit %d" printk(KERN_ERR "SELinux: ebitmap: start bit %d"
......
security/selinux/ss/hashtab.c
View file @ 19b5b517
...@@ -9,8 +9,8 @@ ...@@ -9,8 +9,8 @@
#include "hashtab.h" #include "hashtab.h"
struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
u32 size) u32 size)
{ {
struct hashtab *p; struct hashtab *p;
u32 i; u32 i;
......
security/selinux/ss/mls.c
View file @ 19b5b517
...@@ -32,7 +32,7 @@ ...@@ -32,7 +32,7 @@
* Return the length in bytes for the MLS fields of the * Return the length in bytes for the MLS fields of the
* security context string representation of `context'. * security context string representation of `context'.
*/ */
int mls_compute_context_len(struct context * context) int mls_compute_context_len(struct context *context)
{ {
int i, l, len, head, prev; int i, l, len, head, prev;
char *nm; char *nm;
...@@ -86,7 +86,7 @@ int mls_compute_context_len(struct context * context) ...@@ -86,7 +86,7 @@ int mls_compute_context_len(struct context * context)
* Update `*scontext' to point to the end of the MLS fields. * Update `*scontext' to point to the end of the MLS fields.
*/ */
void mls_sid_to_context(struct context *context, void mls_sid_to_context(struct context *context,
char **scontext) char **scontext)
{ {
char *scontextp, *nm; char *scontextp, *nm;
int i, l, head, prev; int i, l, head, prev;
...@@ -146,7 +146,7 @@ void mls_sid_to_context(struct context *context, ...@@ -146,7 +146,7 @@ void mls_sid_to_context(struct context *context,
if (l == 0) { if (l == 0) {
if (mls_level_eq(&context->range.level[0], if (mls_level_eq(&context->range.level[0],
&context->range.level[1])) &context->range.level[1]))
break; break;
else else
*scontextp++ = '-'; *scontextp++ = '-';
...@@ -305,20 +305,21 @@ int mls_context_to_sid(char oldc, ...@@ -305,20 +305,21 @@ int mls_context_to_sid(char oldc,
*p++ = 0; *p++ = 0;
/* Separate into range if exists */ /* Separate into range if exists */
if ((rngptr = strchr(scontextp, '.')) != NULL) { rngptr = strchr(scontextp, '.');
if (rngptr != NULL) {
/* Remove '.' */ /* Remove '.' */
*rngptr++ = 0; *rngptr++ = 0;
} }
catdatum = hashtab_search(policydb.p_cats.table, catdatum = hashtab_search(policydb.p_cats.table,
scontextp); scontextp);
if (!catdatum) { if (!catdatum) {
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
rc = ebitmap_set_bit(&context->range.level[l].cat, rc = ebitmap_set_bit(&context->range.level[l].cat,
catdatum->value - 1, 1); catdatum->value - 1, 1);
if (rc) if (rc)
goto out; goto out;
...@@ -395,7 +396,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask) ...@@ -395,7 +396,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
rc = -ENOMEM; rc = -ENOMEM;
} else { } else {
rc = mls_context_to_sid(':', &tmpstr, context, rc = mls_context_to_sid(':', &tmpstr, context,
NULL, SECSID_NULL); NULL, SECSID_NULL);
kfree(freestr); kfree(freestr);
} }
...@@ -406,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask) ...@@ -406,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
* Copies the MLS range `range' into `context'. * Copies the MLS range `range' into `context'.
*/ */
static inline int mls_range_set(struct context *context, static inline int mls_range_set(struct context *context,
struct mls_range *range) struct mls_range *range)
{ {
int l, rc = 0; int l, rc = 0;
...@@ -423,7 +424,7 @@ static inline int mls_range_set(struct context *context, ...@@ -423,7 +424,7 @@ static inline int mls_range_set(struct context *context,
} }
int mls_setup_user_range(struct context *fromcon, struct user_datum *user, int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
struct context *usercon) struct context *usercon)
{ {
if (selinux_mls_enabled) { if (selinux_mls_enabled) {
struct mls_level *fromcon_sen = &(fromcon->range.level[0]); struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
...@@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user, ...@@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
that of the user's default clearance (but that of the user's default clearance (but
only if the "fromcon" clearance dominates only if the "fromcon" clearance dominates
the user's computed sensitivity level) */ the user's computed sensitivity level) */
if (mls_level_dom(user_clr, fromcon_clr)) { if (mls_level_dom(user_clr, fromcon_clr))
*usercon_clr = *fromcon_clr; *usercon_clr = *fromcon_clr;
} else if (mls_level_dom(fromcon_clr, user_clr)) { else if (mls_level_dom(fromcon_clr, user_clr))
*usercon_clr = *user_clr; *usercon_clr = *user_clr;
} else else
return -EINVAL; return -EINVAL;
} }
...@@ -525,7 +526,7 @@ int mls_compute_sid(struct context *scontext, ...@@ -525,7 +526,7 @@ int mls_compute_sid(struct context *scontext,
rtr->target_class == tclass) { rtr->target_class == tclass) {
/* Set the range from the rule */ /* Set the range from the rule */
return mls_range_set(newcontext, return mls_range_set(newcontext,
&rtr->target_range); &rtr->target_range);
} }
} }
/* Fallthrough */ /* Fallthrough */
......
security/selinux/ss/policydb.c
View file @ 19b5b517
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
* *
* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
* *
* Added conditional policy language extensions * Added conditional policy language extensions
* *
* Updated: Hewlett-Packard <paul.moore@hp.com> * Updated: Hewlett-Packard <paul.moore@hp.com>
* *
...@@ -21,7 +21,7 @@ ...@@ -21,7 +21,7 @@
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* Copyright (C) 2003 - 2004 Tresys Technology, LLC * Copyright (C) 2003 - 2004 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2. * the Free Software Foundation, version 2.
*/ */
...@@ -51,7 +51,7 @@ static char *symtab_name[SYM_NUM] = { ...@@ -51,7 +51,7 @@ static char *symtab_name[SYM_NUM] = {
}; };
#endif #endif
int selinux_mls_enabled = 0; int selinux_mls_enabled;
static unsigned int symtab_sizes[SYM_NUM] = { static unsigned int symtab_sizes[SYM_NUM] = {
2, 2,
...@@ -73,39 +73,39 @@ struct policydb_compat_info { ...@@ -73,39 +73,39 @@ struct policydb_compat_info {
/* These need to be updated if SYM_NUM or OCON_NUM changes */ /* These need to be updated if SYM_NUM or OCON_NUM changes */
static struct policydb_compat_info policydb_compat[] = { static struct policydb_compat_info policydb_compat[] = {
{ {
.version = POLICYDB_VERSION_BASE, .version = POLICYDB_VERSION_BASE,
.sym_num = SYM_NUM - 3, .sym_num = SYM_NUM - 3,
.ocon_num = OCON_NUM - 1, .ocon_num = OCON_NUM - 1,
}, },
{ {
.version = POLICYDB_VERSION_BOOL, .version = POLICYDB_VERSION_BOOL,
.sym_num = SYM_NUM - 2, .sym_num = SYM_NUM - 2,
.ocon_num = OCON_NUM - 1, .ocon_num = OCON_NUM - 1,
}, },
{ {
.version = POLICYDB_VERSION_IPV6, .version = POLICYDB_VERSION_IPV6,
.sym_num = SYM_NUM - 2, .sym_num = SYM_NUM - 2,
.ocon_num = OCON_NUM, .ocon_num = OCON_NUM,
}, },
{ {
.version = POLICYDB_VERSION_NLCLASS, .version = POLICYDB_VERSION_NLCLASS,
.sym_num = SYM_NUM - 2, .sym_num = SYM_NUM - 2,
.ocon_num = OCON_NUM, .ocon_num = OCON_NUM,
}, },
{ {
.version = POLICYDB_VERSION_MLS, .version = POLICYDB_VERSION_MLS,
.sym_num = SYM_NUM, .sym_num = SYM_NUM,
.ocon_num = OCON_NUM, .ocon_num = OCON_NUM,
}, },
{ {
.version = POLICYDB_VERSION_AVTAB, .version = POLICYDB_VERSION_AVTAB,
.sym_num = SYM_NUM, .sym_num = SYM_NUM,
.ocon_num = OCON_NUM, .ocon_num = OCON_NUM,
}, },
{ {
.version = POLICYDB_VERSION_RANGETRANS, .version = POLICYDB_VERSION_RANGETRANS,
.sym_num = SYM_NUM, .sym_num = SYM_NUM,
.ocon_num = OCON_NUM, .ocon_num = OCON_NUM,
}, },
{ {
.version = POLICYDB_VERSION_POLCAP, .version = POLICYDB_VERSION_POLCAP,
...@@ -152,7 +152,7 @@ static int roles_init(struct policydb *p) ...@@ -152,7 +152,7 @@ static int roles_init(struct policydb *p)
rc = -EINVAL; rc = -EINVAL;
goto out_free_role; goto out_free_role;
} }
key = kmalloc(strlen(OBJECT_R)+1,GFP_KERNEL); key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL);
if (!key) { if (!key) {
rc = -ENOMEM; rc = -ENOMEM;
goto out_free_role; goto out_free_role;
...@@ -390,7 +390,7 @@ static void symtab_hash_eval(struct symtab *s) ...@@ -390,7 +390,7 @@ static void symtab_hash_eval(struct symtab *s)
struct hashtab_info info; struct hashtab_info info;
hashtab_stat(h, &info); hashtab_stat(h, &info);
printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, " printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
"longest chain length %d\n", symtab_name[i], h->nel, "longest chain length %d\n", symtab_name[i], h->nel,
info.slots_used, h->size, info.max_chain_len); info.slots_used, h->size, info.max_chain_len);
} }
...@@ -424,7 +424,7 @@ static int policydb_index_others(struct policydb *p) ...@@ -424,7 +424,7 @@ static int policydb_index_others(struct policydb *p)
p->role_val_to_struct = p->role_val_to_struct =
kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
GFP_KERNEL); GFP_KERNEL);
if (!p->role_val_to_struct) { if (!p->role_val_to_struct) {
rc = -ENOMEM; rc = -ENOMEM;
goto out; goto out;
...@@ -432,7 +432,7 @@ static int policydb_index_others(struct policydb *p) ...@@ -432,7 +432,7 @@ static int policydb_index_others(struct policydb *p)
p->user_val_to_struct = p->user_val_to_struct =
kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
GFP_KERNEL); GFP_KERNEL);
if (!p->user_val_to_struct) { if (!p->user_val_to_struct) {
rc = -ENOMEM; rc = -ENOMEM;
goto out; goto out;
...@@ -634,7 +634,7 @@ void policydb_destroy(struct policydb *p) ...@@ -634,7 +634,7 @@ void policydb_destroy(struct policydb *p)
while (c) { while (c) {
ctmp = c; ctmp = c;
c = c->next; c = c->next;
ocontext_destroy(ctmp,i); ocontext_destroy(ctmp, i);
} }
p->ocontexts[i] = NULL; p->ocontexts[i] = NULL;
} }
...@@ -647,7 +647,7 @@ void policydb_destroy(struct policydb *p) ...@@ -647,7 +647,7 @@ void policydb_destroy(struct policydb *p)
while (c) { while (c) {
ctmp = c; ctmp = c;
c = c->next; c = c->next;
ocontext_destroy(ctmp,OCON_FSUSE); ocontext_destroy(ctmp, OCON_FSUSE);
} }
gtmp = g; gtmp = g;
g = g->next; g = g->next;
...@@ -664,14 +664,14 @@ void policydb_destroy(struct policydb *p) ...@@ -664,14 +664,14 @@ void policydb_destroy(struct policydb *p)
} }
kfree(ltr); kfree(ltr);
for (ra = p->role_allow; ra; ra = ra -> next) { for (ra = p->role_allow; ra; ra = ra->next) {
cond_resched(); cond_resched();
kfree(lra); kfree(lra);
lra = ra; lra = ra;
} }
kfree(lra); kfree(lra);
for (rt = p->range_tr; rt; rt = rt -> next) { for (rt = p->range_tr; rt; rt = rt->next) {
cond_resched(); cond_resched();
if (lrt) { if (lrt) {
ebitmap_destroy(&lrt->target_range.level[0].cat); ebitmap_destroy(&lrt->target_range.level[0].cat);
...@@ -924,7 +924,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -924,7 +924,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
perdatum->value = le32_to_cpu(buf[1]); perdatum->value = le32_to_cpu(buf[1]);
key = kmalloc(len + 1,GFP_KERNEL); key = kmalloc(len + 1, GFP_KERNEL);
if (!key) { if (!key) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -971,7 +971,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -971,7 +971,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
comdatum->permissions.nprim = le32_to_cpu(buf[2]); comdatum->permissions.nprim = le32_to_cpu(buf[2]);
nel = le32_to_cpu(buf[3]); nel = le32_to_cpu(buf[3]);
key = kmalloc(len + 1,GFP_KERNEL); key = kmalloc(len + 1, GFP_KERNEL);
if (!key) { if (!key) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -998,7 +998,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -998,7 +998,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
} }
static int read_cons_helper(struct constraint_node **nodep, int ncons, static int read_cons_helper(struct constraint_node **nodep, int ncons,
int allowxtarget, void *fp) int allowxtarget, void *fp)
{ {
struct constraint_node *c, *lc; struct constraint_node *c, *lc;
struct constraint_expr *e, *le; struct constraint_expr *e, *le;
...@@ -1012,11 +1012,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons, ...@@ -1012,11 +1012,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
if (!c) if (!c)
return -ENOMEM; return -ENOMEM;
if (lc) { if (lc)
lc->next = c; lc->next = c;
} else { else
*nodep = c; *nodep = c;
}
rc = next_entry(buf, fp, (sizeof(u32) * 2)); rc = next_entry(buf, fp, (sizeof(u32) * 2));
if (rc < 0) if (rc < 0)
...@@ -1030,11 +1029,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons, ...@@ -1030,11 +1029,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
if (!e) if (!e)
return -ENOMEM; return -ENOMEM;
if (le) { if (le)
le->next = e; le->next = e;
} else { else
c->expr = e; c->expr = e;
}
rc = next_entry(buf, fp, (sizeof(u32) * 3)); rc = next_entry(buf, fp, (sizeof(u32) * 3));
if (rc < 0) if (rc < 0)
...@@ -1111,7 +1109,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1111,7 +1109,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
ncons = le32_to_cpu(buf[5]); ncons = le32_to_cpu(buf[5]);
key = kmalloc(len + 1,GFP_KERNEL); key = kmalloc(len + 1, GFP_KERNEL);
if (!key) { if (!key) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -1122,7 +1120,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1122,7 +1120,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
key[len] = 0; key[len] = 0;
if (len2) { if (len2) {
cladatum->comkey = kmalloc(len2 + 1,GFP_KERNEL); cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
if (!cladatum->comkey) { if (!cladatum->comkey) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -1195,7 +1193,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1195,7 +1193,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
role->value = le32_to_cpu(buf[1]); role->value = le32_to_cpu(buf[1]);
key = kmalloc(len + 1,GFP_KERNEL); key = kmalloc(len + 1, GFP_KERNEL);
if (!key) { if (!key) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -1215,7 +1213,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1215,7 +1213,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
if (strcmp(key, OBJECT_R) == 0) { if (strcmp(key, OBJECT_R) == 0) {
if (role->value != OBJECT_R_VAL) { if (role->value != OBJECT_R_VAL) {
printk(KERN_ERR "Role %s has wrong value %d\n", printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
OBJECT_R, role->value); OBJECT_R, role->value);
rc = -EINVAL; rc = -EINVAL;
goto bad; goto bad;
...@@ -1242,7 +1240,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1242,7 +1240,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[3]; __le32 buf[3];
u32 len; u32 len;
typdatum = kzalloc(sizeof(*typdatum),GFP_KERNEL); typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
if (!typdatum) { if (!typdatum) {
rc = -ENOMEM; rc = -ENOMEM;
return rc; return rc;
...@@ -1256,7 +1254,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1256,7 +1254,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
typdatum->value = le32_to_cpu(buf[1]); typdatum->value = le32_to_cpu(buf[1]);
typdatum->primary = le32_to_cpu(buf[2]); typdatum->primary = le32_to_cpu(buf[2]);
key = kmalloc(len + 1,GFP_KERNEL); key = kmalloc(len + 1, GFP_KERNEL);
if (!key) { if (!key) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -1328,7 +1326,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1328,7 +1326,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
usrdatum->value = le32_to_cpu(buf[1]); usrdatum->value = le32_to_cpu(buf[1]);
key = kmalloc(len + 1,GFP_KERNEL); key = kmalloc(len + 1, GFP_KERNEL);
if (!key) { if (!key) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -1382,7 +1380,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1382,7 +1380,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
levdatum->isalias = le32_to_cpu(buf[1]); levdatum->isalias = le32_to_cpu(buf[1]);
key = kmalloc(len + 1,GFP_ATOMIC); key = kmalloc(len + 1, GFP_ATOMIC);
if (!key) { if (!key) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -1434,7 +1432,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1434,7 +1432,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
catdatum->value = le32_to_cpu(buf[1]); catdatum->value = le32_to_cpu(buf[1]);
catdatum->isalias = le32_to_cpu(buf[2]); catdatum->isalias = le32_to_cpu(buf[2]);
key = kmalloc(len + 1,GFP_ATOMIC); key = kmalloc(len + 1, GFP_ATOMIC);
if (!key) { if (!key) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -1493,7 +1491,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1493,7 +1491,7 @@ int policydb_read(struct policydb *p, void *fp)
goto out; goto out;
/* Read the magic number and string length. */ /* Read the magic number and string length. */
rc = next_entry(buf, fp, sizeof(u32)* 2); rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc < 0) if (rc < 0)
goto bad; goto bad;
...@@ -1511,7 +1509,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1511,7 +1509,7 @@ int policydb_read(struct policydb *p, void *fp)
len, strlen(POLICYDB_STRING)); len, strlen(POLICYDB_STRING));
goto bad; goto bad;
} }
policydb_str = kmalloc(len + 1,GFP_KERNEL); policydb_str = kmalloc(len + 1, GFP_KERNEL);
if (!policydb_str) { if (!policydb_str) {
printk(KERN_ERR "SELinux: unable to allocate memory for policydb " printk(KERN_ERR "SELinux: unable to allocate memory for policydb "
"string of length %d\n", len); "string of length %d\n", len);
...@@ -1544,29 +1542,30 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1544,29 +1542,30 @@ int policydb_read(struct policydb *p, void *fp)
if (p->policyvers < POLICYDB_VERSION_MIN || if (p->policyvers < POLICYDB_VERSION_MIN ||
p->policyvers > POLICYDB_VERSION_MAX) { p->policyvers > POLICYDB_VERSION_MAX) {
printk(KERN_ERR "SELinux: policydb version %d does not match " printk(KERN_ERR "SELinux: policydb version %d does not match "
"my version range %d-%d\n", "my version range %d-%d\n",
le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
goto bad; goto bad;
} }
if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
if (ss_initialized && !selinux_mls_enabled) { if (ss_initialized && !selinux_mls_enabled) {
printk(KERN_ERR "Cannot switch between non-MLS and MLS " printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
"policies\n"); " and MLS policies\n");
goto bad; goto bad;
} }
selinux_mls_enabled = 1; selinux_mls_enabled = 1;
config |= POLICYDB_CONFIG_MLS; config |= POLICYDB_CONFIG_MLS;
if (p->policyvers < POLICYDB_VERSION_MLS) { if (p->policyvers < POLICYDB_VERSION_MLS) {
printk(KERN_ERR "security policydb version %d (MLS) " printk(KERN_ERR "SELinux: security policydb version %d "
"not backwards compatible\n", p->policyvers); "(MLS) not backwards compatible\n",
p->policyvers);
goto bad; goto bad;
} }
} else { } else {
if (ss_initialized && selinux_mls_enabled) { if (ss_initialized && selinux_mls_enabled) {
printk(KERN_ERR "Cannot switch between MLS and non-MLS " printk(KERN_ERR "SELinux: Cannot switch between MLS and"
"policies\n"); " non-MLS policies\n");
goto bad; goto bad;
} }
} }
...@@ -1633,11 +1632,10 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1633,11 +1632,10 @@ int policydb_read(struct policydb *p, void *fp)
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
} }
if (ltr) { if (ltr)
ltr->next = tr; ltr->next = tr;
} else { else
p->role_tr = tr; p->role_tr = tr;
}
rc = next_entry(buf, fp, sizeof(u32)*3); rc = next_entry(buf, fp, sizeof(u32)*3);
if (rc < 0) if (rc < 0)
goto bad; goto bad;
...@@ -1664,11 +1662,10 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1664,11 +1662,10 @@ int policydb_read(struct policydb *p, void *fp)
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
} }
if (lra) { if (lra)
lra->next = ra; lra->next = ra;
} else { else
p->role_allow = ra; p->role_allow = ra;
}
rc = next_entry(buf, fp, sizeof(u32)*2); rc = next_entry(buf, fp, sizeof(u32)*2);
if (rc < 0) if (rc < 0)
goto bad; goto bad;
...@@ -1702,11 +1699,10 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1702,11 +1699,10 @@ int policydb_read(struct policydb *p, void *fp)
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
} }
if (l) { if (l)
l->next = c; l->next = c;
} else { else
p->ocontexts[i] = c; p->ocontexts[i] = c;
}
l = c; l = c;
rc = -EINVAL; rc = -EINVAL;
switch (i) { switch (i) {
...@@ -1725,7 +1721,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1725,7 +1721,7 @@ int policydb_read(struct policydb *p, void *fp)
if (rc < 0) if (rc < 0)
goto bad; goto bad;
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
c->u.name = kmalloc(len + 1,GFP_KERNEL); c->u.name = kmalloc(len + 1, GFP_KERNEL);
if (!c->u.name) { if (!c->u.name) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -1753,7 +1749,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1753,7 +1749,7 @@ int policydb_read(struct policydb *p, void *fp)
goto bad; goto bad;
break; break;
case OCON_NODE: case OCON_NODE:
rc = next_entry(buf, fp, sizeof(u32)* 2); rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc < 0) if (rc < 0)
goto bad; goto bad;
c->u.node.addr = le32_to_cpu(buf[0]); c->u.node.addr = le32_to_cpu(buf[0]);
...@@ -1770,7 +1766,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1770,7 +1766,7 @@ int policydb_read(struct policydb *p, void *fp)
if (c->v.behavior > SECURITY_FS_USE_NONE) if (c->v.behavior > SECURITY_FS_USE_NONE)
goto bad; goto bad;
len = le32_to_cpu(buf[1]); len = le32_to_cpu(buf[1]);
c->u.name = kmalloc(len + 1,GFP_KERNEL); c->u.name = kmalloc(len + 1, GFP_KERNEL);
if (!c->u.name) { if (!c->u.name) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad; goto bad;
...@@ -1818,7 +1814,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1818,7 +1814,7 @@ int policydb_read(struct policydb *p, void *fp)
goto bad; goto bad;
} }
newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL); newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
if (!newgenfs->fstype) { if (!newgenfs->fstype) {
rc = -ENOMEM; rc = -ENOMEM;
kfree(newgenfs); kfree(newgenfs);
...@@ -1864,7 +1860,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1864,7 +1860,7 @@ int policydb_read(struct policydb *p, void *fp)
goto bad; goto bad;
} }
newc->u.name = kmalloc(len + 1,GFP_KERNEL); newc->u.name = kmalloc(len + 1, GFP_KERNEL);
if (!newc->u.name) { if (!newc->u.name) {
rc = -ENOMEM; rc = -ENOMEM;
goto bad_newc; goto bad_newc;
...@@ -1968,7 +1964,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1968,7 +1964,7 @@ int policydb_read(struct policydb *p, void *fp)
out: out:
return rc; return rc;
bad_newc: bad_newc:
ocontext_destroy(newc,OCON_FSUSE); ocontext_destroy(newc, OCON_FSUSE);
bad: bad:
if (!rc) if (!rc)
rc = -EINVAL; rc = -EINVAL;
......
security/selinux/ss/services.c
View file @ 19b5b517
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
* Implementation of the security services. * Implementation of the security services.
* *
* Authors : Stephen Smalley, <sds@epoch.ncsc.mil> * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
* James Morris <jmorris@redhat.com> * James Morris <jmorris@redhat.com>
* *
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
* *
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
* *
* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
* *
* Added conditional policy language extensions * Added conditional policy language extensions
* *
* Updated: Hewlett-Packard <paul.moore@hp.com> * Updated: Hewlett-Packard <paul.moore@hp.com>
* *
...@@ -27,7 +27,7 @@ ...@@ -27,7 +27,7 @@
* Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2. * the Free Software Foundation, version 2.
*/ */
#include <linux/kernel.h> #include <linux/kernel.h>
...@@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex); ...@@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex);
static struct sidtab sidtab; static struct sidtab sidtab;
struct policydb policydb; struct policydb policydb;
int ss_initialized = 0; int ss_initialized;
/* /*
* The largest sequence number that has been used when * The largest sequence number that has been used when
...@@ -90,7 +90,7 @@ int ss_initialized = 0; ...@@ -90,7 +90,7 @@ int ss_initialized = 0;
* The sequence number only changes when a policy change * The sequence number only changes when a policy change
* occurs. * occurs.
*/ */
static u32 latest_granting = 0; static u32 latest_granting;
/* Forward declaration. */ /* Forward declaration. */
static int context_struct_to_string(struct context *context, char **scontext, static int context_struct_to_string(struct context *context, char **scontext,
...@@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext, ...@@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext,
val1 - 1); val1 - 1);
continue; continue;
case CEXPR_INCOMP: case CEXPR_INCOMP:
s[++sp] = ( !ebitmap_get_bit(&r1->dominates, s[++sp] = (!ebitmap_get_bit(&r1->dominates,
val2 - 1) && val2 - 1) &&
!ebitmap_get_bit(&r2->dominates, !ebitmap_get_bit(&r2->dominates,
val1 - 1) ); val1 - 1));
continue; continue;
default: default:
break; break;
...@@ -409,13 +409,14 @@ static int context_struct_compute_av(struct context *scontext, ...@@ -409,13 +409,14 @@ static int context_struct_compute_av(struct context *scontext,
} }
if (!ra) if (!ra)
avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
PROCESS__DYNTRANSITION); PROCESS__DYNTRANSITION);
} }
return 0; return 0;
inval_class: inval_class:
printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass); printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
tclass);
return -EINVAL; return -EINVAL;
} }
...@@ -445,9 +446,9 @@ int security_permissive_sid(u32 sid) ...@@ -445,9 +446,9 @@ int security_permissive_sid(u32 sid)
} }
static int security_validtrans_handle_fail(struct context *ocontext, static int security_validtrans_handle_fail(struct context *ocontext,
struct context *ncontext, struct context *ncontext,
struct context *tcontext, struct context *tcontext,
u16 tclass) u16 tclass)
{ {
char *o = NULL, *n = NULL, *t = NULL; char *o = NULL, *n = NULL, *t = NULL;
u32 olen, nlen, tlen; u32 olen, nlen, tlen;
...@@ -459,9 +460,9 @@ static int security_validtrans_handle_fail(struct context *ocontext, ...@@ -459,9 +460,9 @@ static int security_validtrans_handle_fail(struct context *ocontext,
if (context_struct_to_string(tcontext, &t, &tlen) < 0) if (context_struct_to_string(tcontext, &t, &tlen) < 0)
goto out; goto out;
audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
"security_validate_transition: denied for" "security_validate_transition: denied for"
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
o, n, t, policydb.p_class_val_to_name[tclass-1]); o, n, t, policydb.p_class_val_to_name[tclass-1]);
out: out:
kfree(o); kfree(o);
kfree(n); kfree(n);
...@@ -473,7 +474,7 @@ static int security_validtrans_handle_fail(struct context *ocontext, ...@@ -473,7 +474,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
} }
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
u16 tclass) u16 tclass)
{ {
struct context *ocontext; struct context *ocontext;
struct context *ncontext; struct context *ncontext;
...@@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, ...@@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
tclass = SECCLASS_NETLINK_SOCKET; tclass = SECCLASS_NETLINK_SOCKET;
if (!tclass || tclass > policydb.p_classes.nprim) { if (!tclass || tclass > policydb.p_classes.nprim) {
printk(KERN_ERR "security_validate_transition: " printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
"unrecognized class %d\n", tclass); __func__, tclass);
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
...@@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, ...@@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
ocontext = sidtab_search(&sidtab, oldsid); ocontext = sidtab_search(&sidtab, oldsid);
if (!ocontext) { if (!ocontext) {
printk(KERN_ERR "security_validate_transition: " printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
" unrecognized SID %d\n", oldsid); __func__, oldsid);
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
ncontext = sidtab_search(&sidtab, newsid); ncontext = sidtab_search(&sidtab, newsid);
if (!ncontext) { if (!ncontext) {
printk(KERN_ERR "security_validate_transition: " printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
" unrecognized SID %d\n", newsid); __func__, newsid);
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
tcontext = sidtab_search(&sidtab, tasksid); tcontext = sidtab_search(&sidtab, tasksid);
if (!tcontext) { if (!tcontext) {
printk(KERN_ERR "security_validate_transition: " printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
" unrecognized SID %d\n", tasksid); __func__, tasksid);
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
...@@ -533,9 +534,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, ...@@ -533,9 +534,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
constraint = tclass_datum->validatetrans; constraint = tclass_datum->validatetrans;
while (constraint) { while (constraint) {
if (!constraint_expr_eval(ocontext, ncontext, tcontext, if (!constraint_expr_eval(ocontext, ncontext, tcontext,
constraint->expr)) { constraint->expr)) {
rc = security_validtrans_handle_fail(ocontext, ncontext, rc = security_validtrans_handle_fail(ocontext, ncontext,
tcontext, tclass); tcontext, tclass);
goto out; goto out;
} }
constraint = constraint->next; constraint = constraint->next;
...@@ -581,15 +582,15 @@ int security_compute_av(u32 ssid, ...@@ -581,15 +582,15 @@ int security_compute_av(u32 ssid,
scontext = sidtab_search(&sidtab, ssid); scontext = sidtab_search(&sidtab, ssid);
if (!scontext) { if (!scontext) {
printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
ssid); __func__, ssid);
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
tcontext = sidtab_search(&sidtab, tsid); tcontext = sidtab_search(&sidtab, tsid);
if (!tcontext) { if (!tcontext) {
printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
tsid); __func__, tsid);
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
...@@ -623,9 +624,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 ...@@ -623,9 +624,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
/* Allocate space for the context; caller must free this space. */ /* Allocate space for the context; caller must free this space. */
scontextp = kmalloc(*scontext_len, GFP_ATOMIC); scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
if (!scontextp) { if (!scontextp)
return -ENOMEM; return -ENOMEM;
}
*scontext = scontextp; *scontext = scontextp;
/* /*
...@@ -636,8 +636,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 ...@@ -636,8 +636,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
policydb.p_role_val_to_name[context->role - 1], policydb.p_role_val_to_name[context->role - 1],
policydb.p_type_val_to_name[context->type - 1]); policydb.p_type_val_to_name[context->type - 1]);
scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
mls_sid_to_context(context, &scontextp); mls_sid_to_context(context, &scontextp);
...@@ -678,7 +678,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) ...@@ -678,7 +678,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
char *scontextp; char *scontextp;
*scontext_len = strlen(initial_sid_to_string[sid]) + 1; *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
scontextp = kmalloc(*scontext_len,GFP_ATOMIC); scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
if (!scontextp) { if (!scontextp) {
rc = -ENOMEM; rc = -ENOMEM;
goto out; goto out;
...@@ -687,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) ...@@ -687,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
*scontext = scontextp; *scontext = scontextp;
goto out; goto out;
} }
printk(KERN_ERR "security_sid_to_context: called before initial " printk(KERN_ERR "SELinux: %s: called before initial "
"load_policy on unknown SID %d\n", sid); "load_policy on unknown SID %d\n", __func__, sid);
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
POLICY_RDLOCK; POLICY_RDLOCK;
context = sidtab_search(&sidtab, sid); context = sidtab_search(&sidtab, sid);
if (!context) { if (!context) {
printk(KERN_ERR "security_sid_to_context: unrecognized SID " printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
"%d\n", sid); __func__, sid);
rc = -EINVAL; rc = -EINVAL;
goto out_unlock; goto out_unlock;
} }
...@@ -926,15 +926,15 @@ static int security_compute_sid(u32 ssid, ...@@ -926,15 +926,15 @@ static int security_compute_sid(u32 ssid,
scontext = sidtab_search(&sidtab, ssid); scontext = sidtab_search(&sidtab, ssid);
if (!scontext) { if (!scontext) {
printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
ssid); __func__, ssid);
rc = -EINVAL; rc = -EINVAL;
goto out_unlock; goto out_unlock;
} }
tcontext = sidtab_search(&sidtab, tsid); tcontext = sidtab_search(&sidtab, tsid);
if (!tcontext) { if (!tcontext) {
printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
tsid); __func__, tsid);
rc = -EINVAL; rc = -EINVAL;
goto out_unlock; goto out_unlock;
} }
...@@ -974,7 +974,7 @@ static int security_compute_sid(u32 ssid, ...@@ -974,7 +974,7 @@ static int security_compute_sid(u32 ssid,
avdatum = avtab_search(&policydb.te_avtab, &avkey); avdatum = avtab_search(&policydb.te_avtab, &avkey);
/* If no permanent rule, also check for enabled conditional rules */ /* If no permanent rule, also check for enabled conditional rules */
if(!avdatum) { if (!avdatum) {
node = avtab_search_node(&policydb.te_cond_avtab, &avkey); node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
for (; node != NULL; node = avtab_search_node_next(node, specified)) { for (; node != NULL; node = avtab_search_node_next(node, specified)) {
if (node->key.specified & AVTAB_ENABLED) { if (node->key.specified & AVTAB_ENABLED) {
...@@ -1288,26 +1288,23 @@ static int convert_context(u32 key, ...@@ -1288,26 +1288,23 @@ static int convert_context(u32 key,
/* Convert the user. */ /* Convert the user. */
usrdatum = hashtab_search(args->newp->p_users.table, usrdatum = hashtab_search(args->newp->p_users.table,
args->oldp->p_user_val_to_name[c->user - 1]); args->oldp->p_user_val_to_name[c->user - 1]);
if (!usrdatum) { if (!usrdatum)
goto bad; goto bad;
}
c->user = usrdatum->value; c->user = usrdatum->value;
/* Convert the role. */ /* Convert the role. */
role = hashtab_search(args->newp->p_roles.table, role = hashtab_search(args->newp->p_roles.table,
args->oldp->p_role_val_to_name[c->role - 1]); args->oldp->p_role_val_to_name[c->role - 1]);
if (!role) { if (!role)
goto bad; goto bad;
}
c->role = role->value; c->role = role->value;
/* Convert the type. */ /* Convert the type. */
typdatum = hashtab_search(args->newp->p_types.table, typdatum = hashtab_search(args->newp->p_types.table,
args->oldp->p_type_val_to_name[c->type - 1]); args->oldp->p_type_val_to_name[c->type - 1]);
if (!typdatum) { if (!typdatum)
goto bad; goto bad;
}
c->type = typdatum->value; c->type = typdatum->value;
rc = mls_convert_context(args->oldp, args->newp, c); rc = mls_convert_context(args->oldp, args->newp, c);
...@@ -1556,8 +1553,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) ...@@ -1556,8 +1553,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
{ {
int i, fail = 0; int i, fail = 0;
for(i = 0; i < 4; i++) for (i = 0; i < 4; i++)
if(addr[i] != (input[i] & mask[i])) { if (addr[i] != (input[i] & mask[i])) {
fail = 1; fail = 1;
break; break;
} }
...@@ -1656,7 +1653,7 @@ int security_node_sid(u16 domain, ...@@ -1656,7 +1653,7 @@ int security_node_sid(u16 domain,
*/ */
int security_get_user_sids(u32 fromsid, int security_get_user_sids(u32 fromsid,
char *username, char *username,
u32 **sids, u32 **sids,
u32 *nel) u32 *nel)
{ {
...@@ -1766,7 +1763,7 @@ int security_get_user_sids(u32 fromsid, ...@@ -1766,7 +1763,7 @@ int security_get_user_sids(u32 fromsid,
* transition SIDs or task SIDs. * transition SIDs or task SIDs.
*/ */
int security_genfs_sid(const char *fstype, int security_genfs_sid(const char *fstype,
char *path, char *path,
u16 sclass, u16 sclass,
u32 *sid) u32 *sid)
{ {
...@@ -1881,7 +1878,7 @@ int security_get_bools(int *len, char ***names, int **values) ...@@ -1881,7 +1878,7 @@ int security_get_bools(int *len, char ***names, int **values)
goto out; goto out;
} }
*names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
if (!*names) if (!*names)
goto err; goto err;
...@@ -1893,7 +1890,7 @@ int security_get_bools(int *len, char ***names, int **values) ...@@ -1893,7 +1890,7 @@ int security_get_bools(int *len, char ***names, int **values)
size_t name_len; size_t name_len;
(*values)[i] = policydb.bool_val_to_struct[i]->state; (*values)[i] = policydb.bool_val_to_struct[i]->state;
name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
(*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
if (!(*names)[i]) if (!(*names)[i])
goto err; goto err;
strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
...@@ -1938,11 +1935,10 @@ int security_set_bools(int len, int *values) ...@@ -1938,11 +1935,10 @@ int security_set_bools(int len, int *values)
audit_get_loginuid(current), audit_get_loginuid(current),
audit_get_sessionid(current)); audit_get_sessionid(current));
} }
if (values[i]) { if (values[i])
policydb.bool_val_to_struct[i]->state = 1; policydb.bool_val_to_struct[i]->state = 1;
} else { else
policydb.bool_val_to_struct[i]->state = 0; policydb.bool_val_to_struct[i]->state = 0;
}
} }
for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
...@@ -2036,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) ...@@ -2036,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
POLICY_RDLOCK; POLICY_RDLOCK;
context1 = sidtab_search(&sidtab, sid); context1 = sidtab_search(&sidtab, sid);
if (!context1) { if (!context1) {
printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
"%d\n", sid); __func__, sid);
rc = -EINVAL; rc = -EINVAL;
goto out_unlock; goto out_unlock;
} }
context2 = sidtab_search(&sidtab, mls_sid); context2 = sidtab_search(&sidtab, mls_sid);
if (!context2) { if (!context2) {
printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
"%d\n", mls_sid); __func__, mls_sid);
rc = -EINVAL; rc = -EINVAL;
goto out_unlock; goto out_unlock;
} }
...@@ -2136,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, ...@@ -2136,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
if (!nlbl_ctx) { if (!nlbl_ctx) {
printk(KERN_ERR printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
"security_sid_mls_cmp: unrecognized SID %d\n", __func__, nlbl_sid);
nlbl_sid);
rc = -EINVAL; rc = -EINVAL;
goto out_slowpath; goto out_slowpath;
} }
xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
if (!xfrm_ctx) { if (!xfrm_ctx) {
printk(KERN_ERR printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
"security_sid_mls_cmp: unrecognized SID %d\n", __func__, xfrm_sid);
xfrm_sid);
rc = -EINVAL; rc = -EINVAL;
goto out_slowpath; goto out_slowpath;
} }
...@@ -2226,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms) ...@@ -2226,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
match = hashtab_search(policydb.p_classes.table, class); match = hashtab_search(policydb.p_classes.table, class);
if (!match) { if (!match) {
printk(KERN_ERR "%s: unrecognized class %s\n", printk(KERN_ERR "SELinux: %s: unrecognized class %s\n",
__func__, class); __func__, class);
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
...@@ -2435,7 +2429,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, ...@@ -2435,7 +2429,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
if (!rule) { if (!rule) {
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
"selinux_audit_rule_match: missing rule\n"); "selinux_audit_rule_match: missing rule\n");
return -ENOENT; return -ENOENT;
} }
...@@ -2443,7 +2437,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, ...@@ -2443,7 +2437,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
if (rule->au_seqno < latest_granting) { if (rule->au_seqno < latest_granting) {
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
"selinux_audit_rule_match: stale rule\n"); "selinux_audit_rule_match: stale rule\n");
match = -ESTALE; match = -ESTALE;
goto out; goto out;
} }
...@@ -2451,8 +2445,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, ...@@ -2451,8 +2445,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
ctxt = sidtab_search(&sidtab, sid); ctxt = sidtab_search(&sidtab, sid);
if (!ctxt) { if (!ctxt) {
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
"selinux_audit_rule_match: unrecognized SID %d\n", "selinux_audit_rule_match: unrecognized SID %d\n",
sid); sid);
match = -ENOENT; match = -ENOENT;
goto out; goto out;
} }
...@@ -2498,36 +2492,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, ...@@ -2498,36 +2492,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_LOW:
case AUDIT_OBJ_LEV_HIGH: case AUDIT_OBJ_LEV_HIGH:
level = ((field == AUDIT_SUBJ_SEN || level = ((field == AUDIT_SUBJ_SEN ||
field == AUDIT_OBJ_LEV_LOW) ? field == AUDIT_OBJ_LEV_LOW) ?
&ctxt->range.level[0] : &ctxt->range.level[1]); &ctxt->range.level[0] : &ctxt->range.level[1]);
switch (op) { switch (op) {
case AUDIT_EQUAL: case AUDIT_EQUAL:
match = mls_level_eq(&rule->au_ctxt.range.level[0], match = mls_level_eq(&rule->au_ctxt.range.level[0],
level); level);
break; break;
case AUDIT_NOT_EQUAL: case AUDIT_NOT_EQUAL:
match = !mls_level_eq(&rule->au_ctxt.range.level[0], match = !mls_level_eq(&rule->au_ctxt.range.level[0],
level); level);
break; break;
case AUDIT_LESS_THAN: case AUDIT_LESS_THAN:
match = (mls_level_dom(&rule->au_ctxt.range.level[0], match = (mls_level_dom(&rule->au_ctxt.range.level[0],
level) && level) &&
!mls_level_eq(&rule->au_ctxt.range.level[0], !mls_level_eq(&rule->au_ctxt.range.level[0],
level)); level));
break; break;
case AUDIT_LESS_THAN_OR_EQUAL: case AUDIT_LESS_THAN_OR_EQUAL:
match = mls_level_dom(&rule->au_ctxt.range.level[0], match = mls_level_dom(&rule->au_ctxt.range.level[0],
level); level);
break; break;
case AUDIT_GREATER_THAN: case AUDIT_GREATER_THAN:
match = (mls_level_dom(level, match = (mls_level_dom(level,
&rule->au_ctxt.range.level[0]) && &rule->au_ctxt.range.level[0]) &&
!mls_level_eq(level, !mls_level_eq(level,
&rule->au_ctxt.range.level[0])); &rule->au_ctxt.range.level[0]));
break; break;
case AUDIT_GREATER_THAN_OR_EQUAL: case AUDIT_GREATER_THAN_OR_EQUAL:
match = mls_level_dom(level, match = mls_level_dom(level,
&rule->au_ctxt.range.level[0]); &rule->au_ctxt.range.level[0]);
break; break;
} }
} }
...@@ -2554,7 +2548,7 @@ static int __init aurule_init(void) ...@@ -2554,7 +2548,7 @@ static int __init aurule_init(void)
int err; int err;
err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
if (err) if (err)
panic("avc_add_callback() failed, error %d\n", err); panic("avc_add_callback() failed, error %d\n", err);
......
security/selinux/ss/sidtab.c
View file @ 19b5b517
...@@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s, ...@@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s,
while (cur != NULL) { while (cur != NULL) {
ret = apply(cur->sid, &cur->context, args); ret = apply(cur->sid, &cur->context, args);
if (ret) { if (ret) {
if (last) { if (last)
last->next = cur->next; last->next = cur->next;
} else { else
s->htable[i] = cur->next; s->htable[i] = cur->next;
}
temp = cur; temp = cur;
cur = cur->next; cur = cur->next;
context_destroy(&temp->context); context_destroy(&temp->context);
......
security/selinux/xfrm.c
View file @ 19b5b517
...@@ -180,8 +180,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) ...@@ -180,8 +180,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
if (!ckall) if (!ckall)
break; break;
} } else if (*sid != ctx->ctx_sid)
else if (*sid != ctx->ctx_sid)
return -EINVAL; return -EINVAL;
} }
} }
...@@ -326,8 +325,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, ...@@ -326,8 +325,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
*/ */
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{ {
if (ctx) kfree(ctx);
kfree(ctx);
} }
/* /*
...@@ -372,8 +370,7 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct ...@@ -372,8 +370,7 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
void selinux_xfrm_state_free(struct xfrm_state *x) void selinux_xfrm_state_free(struct xfrm_state *x)
{ {
struct xfrm_sec_ctx *ctx = x->security; struct xfrm_sec_ctx *ctx = x->security;
if (ctx) kfree(ctx);
kfree(ctx);
} }
/* /*
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7