mirror of
https://github.com/torvalds/linux
synced 2024-11-05 18:23:50 +00:00
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6: SELinux: one little, two little, three little whitespaces, the avc.c saga. SELinux: cleanup on isle selinuxfs.c changing whitespace for fun and profit: policydb.c SELinux: whitespace and formating fixes for hooks.c SELinux: clean up printks SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups SELinux: services.c whitespace, syntax, and static declaraction cleanups SELinux: mls.c whitespace, syntax, and static declaraction cleanups SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups SELinux: conditional.c whitespace, syntax, and static declaraction cleanups SELinux: avtab.c whitespace, syntax, and static declaraction cleanups SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups SELinux: nlmsgtab.c whitespace, syntax, and static declaraction cleanups SELinux: netnode.c whitespace, syntax, and static declaraction cleanups SELinux: netlink.c whitespace, syntax, and static declaraction cleanups SELinux: netlabel.c whitespace, syntax, and static declaraction cleanups SELinux: netif.c whitespace, syntax, and static declaraction cleanups
This commit is contained in:
commit
19b5b517a8
17 changed files with 611 additions and 636 deletions
|
@ -2,16 +2,16 @@
|
|||
* Implementation of the kernel access vector cache (AVC).
|
||||
*
|
||||
* Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
|
||||
* James Morris <jmorris@redhat.com>
|
||||
* James Morris <jmorris@redhat.com>
|
||||
*
|
||||
* Update: KaiGai, Kohei <kaigai@ak.jp.nec.com>
|
||||
* Replaced the avc_lock spinlock by RCU.
|
||||
* Replaced the avc_lock spinlock by RCU.
|
||||
*
|
||||
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2,
|
||||
* as published by the Free Software Foundation.
|
||||
* as published by the Free Software Foundation.
|
||||
*/
|
||||
#include <linux/types.h>
|
||||
#include <linux/stddef.h>
|
||||
|
@ -44,7 +44,7 @@ static const char *class_to_string[] = {
|
|||
#undef S_
|
||||
};
|
||||
|
||||
#define TB_(s) static const char * s [] = {
|
||||
#define TB_(s) static const char *s[] = {
|
||||
#define TE_(s) };
|
||||
#define S_(s) s,
|
||||
#include "common_perm_to_string.h"
|
||||
|
@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = {
|
|||
#define AVC_CACHE_RECLAIM 16
|
||||
|
||||
#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
|
||||
#define avc_cache_stats_incr(field) \
|
||||
#define avc_cache_stats_incr(field) \
|
||||
do { \
|
||||
per_cpu(avc_cache_stats, get_cpu()).field++; \
|
||||
put_cpu(); \
|
||||
|
@ -92,7 +92,7 @@ struct avc_entry {
|
|||
struct avc_node {
|
||||
struct avc_entry ae;
|
||||
struct list_head list;
|
||||
struct rcu_head rhead;
|
||||
struct rcu_head rhead;
|
||||
};
|
||||
|
||||
struct avc_cache {
|
||||
|
@ -105,8 +105,8 @@ struct avc_cache {
|
|||
|
||||
struct avc_callback_node {
|
||||
int (*callback) (u32 event, u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 perms,
|
||||
u32 *out_retained);
|
||||
u16 tclass, u32 perms,
|
||||
u32 *out_retained);
|
||||
u32 events;
|
||||
u32 ssid;
|
||||
u32 tsid;
|
||||
|
@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
|
|||
char *scontext;
|
||||
u32 scontext_len;
|
||||
|
||||
rc = security_sid_to_context(ssid, &scontext, &scontext_len);
|
||||
rc = security_sid_to_context(ssid, &scontext, &scontext_len);
|
||||
if (rc)
|
||||
audit_log_format(ab, "ssid=%d", ssid);
|
||||
else {
|
||||
|
@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void)
|
|||
int hvalue, try, ecx;
|
||||
unsigned long flags;
|
||||
|
||||
for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++ ) {
|
||||
for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
|
||||
hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
|
||||
|
||||
if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags))
|
||||
|
@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
|
|||
spin_lock_irqsave(¬if_lock, flag);
|
||||
if (is_insert) {
|
||||
if (seqno < avc_cache.latest_notif) {
|
||||
printk(KERN_WARNING "avc: seqno %d < latest_notif %d\n",
|
||||
printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n",
|
||||
seqno, avc_cache.latest_notif);
|
||||
ret = -EAGAIN;
|
||||
}
|
||||
|
@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en
|
|||
if (pos->ae.ssid == ssid &&
|
||||
pos->ae.tsid == tsid &&
|
||||
pos->ae.tclass == tclass) {
|
||||
avc_node_replace(node, pos);
|
||||
avc_node_replace(node, pos);
|
||||
goto found;
|
||||
}
|
||||
}
|
||||
|
@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
|
|||
* before calling the auditing code.
|
||||
*/
|
||||
void avc_audit(u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 requested,
|
||||
struct av_decision *avd, int result, struct avc_audit_data *a)
|
||||
u16 tclass, u32 requested,
|
||||
struct av_decision *avd, int result, struct avc_audit_data *a)
|
||||
{
|
||||
struct task_struct *tsk = current;
|
||||
struct inode *inode = NULL;
|
||||
|
@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid,
|
|||
return;
|
||||
} else if (result) {
|
||||
audited = denied = requested;
|
||||
} else {
|
||||
} else {
|
||||
audited = requested;
|
||||
if (!(audited & avd->auditallow))
|
||||
return;
|
||||
|
@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid,
|
|||
if (!ab)
|
||||
return; /* audit_panic has been called */
|
||||
audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
|
||||
avc_dump_av(ab, tclass,audited);
|
||||
avc_dump_av(ab, tclass, audited);
|
||||
audit_log_format(ab, " for ");
|
||||
if (a && a->tsk)
|
||||
tsk = a->tsk;
|
||||
|
@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid,
|
|||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
switch (a->u.net.family) {
|
||||
case AF_INET:
|
||||
avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
|
||||
|
@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid,
|
|||
* -%ENOMEM if insufficient memory exists to add the callback.
|
||||
*/
|
||||
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 perms,
|
||||
u32 *out_retained),
|
||||
u32 events, u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 perms)
|
||||
u16 tclass, u32 perms,
|
||||
u32 *out_retained),
|
||||
u32 events, u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 perms)
|
||||
{
|
||||
struct avc_callback_node *c;
|
||||
int rc = 0;
|
||||
|
@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass)
|
|||
hvalue = avc_hash(ssid, tsid, tclass);
|
||||
spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag);
|
||||
|
||||
list_for_each_entry(pos, &avc_cache.slots[hvalue], list){
|
||||
if ( ssid==pos->ae.ssid &&
|
||||
tsid==pos->ae.tsid &&
|
||||
tclass==pos->ae.tclass ){
|
||||
list_for_each_entry(pos, &avc_cache.slots[hvalue], list) {
|
||||
if (ssid == pos->ae.ssid &&
|
||||
tsid == pos->ae.tsid &&
|
||||
tclass == pos->ae.tclass){
|
||||
orig = pos;
|
||||
break;
|
||||
}
|
||||
|
@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno)
|
|||
for (c = avc_callbacks; c; c = c->next) {
|
||||
if (c->events & AVC_CALLBACK_RESET) {
|
||||
tmprc = c->callback(AVC_CALLBACK_RESET,
|
||||
0, 0, 0, 0, NULL);
|
||||
0, 0, 0, 0, NULL);
|
||||
/* save the first error encountered for the return
|
||||
value and continue processing the callbacks */
|
||||
if (!rc)
|
||||
|
@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
|
|||
node = avc_lookup(ssid, tsid, tclass, requested);
|
||||
if (!node) {
|
||||
rcu_read_unlock();
|
||||
rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd);
|
||||
rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd);
|
||||
if (rc)
|
||||
goto out;
|
||||
rcu_read_lock();
|
||||
node = avc_insert(ssid,tsid,tclass,&entry);
|
||||
node = avc_insert(ssid, tsid, tclass, &entry);
|
||||
}
|
||||
|
||||
p_ae = node ? &node->ae : &entry;
|
||||
|
@ -924,7 +924,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
|
|||
* another -errno upon other errors.
|
||||
*/
|
||||
int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
|
||||
u32 requested, struct avc_audit_data *auditdata)
|
||||
u32 requested, struct avc_audit_data *auditdata)
|
||||
{
|
||||
struct av_decision avd;
|
||||
int rc;
|
||||
|
|
File diff suppressed because it is too large
Load diff
|
@ -8,7 +8,7 @@
|
|||
*
|
||||
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
||||
* Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
|
||||
* Paul Moore <paul.moore@hp.com>
|
||||
* Paul Moore <paul.moore@hp.com>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2,
|
||||
|
@ -31,8 +31,7 @@
|
|||
#define SEL_NETIF_HASH_SIZE 64
|
||||
#define SEL_NETIF_HASH_MAX 1024
|
||||
|
||||
struct sel_netif
|
||||
{
|
||||
struct sel_netif {
|
||||
struct list_head list;
|
||||
struct netif_security_struct nsec;
|
||||
struct rcu_head rcu_head;
|
||||
|
@ -92,10 +91,10 @@ static inline struct sel_netif *sel_netif_find(int ifindex)
|
|||
static int sel_netif_insert(struct sel_netif *netif)
|
||||
{
|
||||
int idx;
|
||||
|
||||
|
||||
if (sel_netif_total >= SEL_NETIF_HASH_MAX)
|
||||
return -ENOSPC;
|
||||
|
||||
|
||||
idx = sel_netif_hashfn(netif->nsec.ifindex);
|
||||
list_add_rcu(&netif->list, &sel_netif_hash[idx]);
|
||||
sel_netif_total++;
|
||||
|
@ -267,7 +266,7 @@ static void sel_netif_flush(void)
|
|||
}
|
||||
|
||||
static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
|
||||
u16 class, u32 perms, u32 *retained)
|
||||
u16 class, u32 perms, u32 *retained)
|
||||
{
|
||||
if (event == AVC_CALLBACK_RESET) {
|
||||
sel_netif_flush();
|
||||
|
@ -277,7 +276,7 @@ static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
|
|||
}
|
||||
|
||||
static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
|
||||
unsigned long event, void *ptr)
|
||||
unsigned long event, void *ptr)
|
||||
{
|
||||
struct net_device *dev = ptr;
|
||||
|
||||
|
@ -297,7 +296,7 @@ static struct notifier_block sel_netif_netdev_notifier = {
|
|||
static __init int sel_netif_init(void)
|
||||
{
|
||||
int i, err;
|
||||
|
||||
|
||||
if (!selinux_enabled)
|
||||
return 0;
|
||||
|
||||
|
@ -305,9 +304,9 @@ static __init int sel_netif_init(void)
|
|||
INIT_LIST_HEAD(&sel_netif_hash[i]);
|
||||
|
||||
register_netdevice_notifier(&sel_netif_netdev_notifier);
|
||||
|
||||
|
||||
err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET,
|
||||
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
|
||||
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
|
||||
if (err)
|
||||
panic("avc_add_callback() failed, error %d\n", err);
|
||||
|
||||
|
|
|
@ -118,7 +118,7 @@ void selinux_netlbl_cache_invalidate(void)
|
|||
void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
|
||||
int family)
|
||||
{
|
||||
if (family == PF_INET)
|
||||
if (family == PF_INET)
|
||||
ssec->nlbl_state = NLBL_REQUIRE;
|
||||
else
|
||||
ssec->nlbl_state = NLBL_UNSET;
|
||||
|
|
|
@ -24,16 +24,16 @@ static struct sock *selnl;
|
|||
static int selnl_msglen(int msgtype)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
|
||||
switch (msgtype) {
|
||||
case SELNL_MSG_SETENFORCE:
|
||||
ret = sizeof(struct selnl_msg_setenforce);
|
||||
break;
|
||||
|
||||
|
||||
case SELNL_MSG_POLICYLOAD:
|
||||
ret = sizeof(struct selnl_msg_policyload);
|
||||
break;
|
||||
|
||||
|
||||
default:
|
||||
BUG();
|
||||
}
|
||||
|
@ -45,15 +45,15 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *
|
|||
switch (msgtype) {
|
||||
case SELNL_MSG_SETENFORCE: {
|
||||
struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
|
||||
|
||||
|
||||
memset(msg, 0, len);
|
||||
msg->val = *((int *)data);
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
case SELNL_MSG_POLICYLOAD: {
|
||||
struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
|
||||
|
||||
|
||||
memset(msg, 0, len);
|
||||
msg->seqno = *((u32 *)data);
|
||||
break;
|
||||
|
@ -70,9 +70,9 @@ static void selnl_notify(int msgtype, void *data)
|
|||
sk_buff_data_t tmp;
|
||||
struct sk_buff *skb;
|
||||
struct nlmsghdr *nlh;
|
||||
|
||||
|
||||
len = selnl_msglen(msgtype);
|
||||
|
||||
|
||||
skb = alloc_skb(NLMSG_SPACE(len), GFP_USER);
|
||||
if (!skb)
|
||||
goto oom;
|
||||
|
@ -85,7 +85,7 @@ static void selnl_notify(int msgtype, void *data)
|
|||
netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER);
|
||||
out:
|
||||
return;
|
||||
|
||||
|
||||
nlmsg_failure:
|
||||
kfree_skb(skb);
|
||||
oom:
|
||||
|
@ -109,7 +109,7 @@ static int __init selnl_init(void)
|
|||
SELNLGRP_MAX, NULL, NULL, THIS_MODULE);
|
||||
if (selnl == NULL)
|
||||
panic("SELinux: Cannot create netlink socket.");
|
||||
netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);
|
||||
netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
@ -344,7 +344,7 @@ static __init int sel_netnode_init(void)
|
|||
INIT_LIST_HEAD(&sel_netnode_hash[iter]);
|
||||
|
||||
ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET,
|
||||
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
|
||||
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
|
||||
if (ret != 0)
|
||||
panic("avc_add_callback() failed, error %d\n", ret);
|
||||
|
||||
|
|
|
@ -23,8 +23,7 @@
|
|||
#include "flask.h"
|
||||
#include "av_permissions.h"
|
||||
|
||||
struct nlmsg_perm
|
||||
{
|
||||
struct nlmsg_perm {
|
||||
u16 nlmsg_type;
|
||||
u32 perm;
|
||||
};
|
||||
|
@ -159,7 +158,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
|
|||
if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
|
||||
nlmsg_type <= AUDIT_LAST_USER_MSG) ||
|
||||
(nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
|
||||
nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
|
||||
nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
|
||||
*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
|
||||
} else {
|
||||
err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
/* Updated: Karl MacMillan <kmacmillan@tresys.com>
|
||||
*
|
||||
* Added conditional policy language extensions
|
||||
* Added conditional policy language extensions
|
||||
*
|
||||
* Updated: Hewlett-Packard <paul.moore@hp.com>
|
||||
*
|
||||
* Added support for the policy capability bitmap
|
||||
* Added support for the policy capability bitmap
|
||||
*
|
||||
* Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
|
||||
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
|
||||
* Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, version 2.
|
||||
*/
|
||||
|
||||
|
@ -57,14 +57,14 @@ int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
|
|||
|
||||
static int __init checkreqprot_setup(char *str)
|
||||
{
|
||||
selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0;
|
||||
selinux_checkreqprot = simple_strtoul(str, NULL, 0) ? 1 : 0;
|
||||
return 1;
|
||||
}
|
||||
__setup("checkreqprot=", checkreqprot_setup);
|
||||
|
||||
static int __init selinux_compat_net_setup(char *str)
|
||||
{
|
||||
selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0;
|
||||
selinux_compat_net = simple_strtoul(str, NULL, 0) ? 1 : 0;
|
||||
return 1;
|
||||
}
|
||||
__setup("selinux_compat_net=", selinux_compat_net_setup);
|
||||
|
@ -73,17 +73,17 @@ __setup("selinux_compat_net=", selinux_compat_net_setup);
|
|||
static DEFINE_MUTEX(sel_mutex);
|
||||
|
||||
/* global data for booleans */
|
||||
static struct dentry *bool_dir = NULL;
|
||||
static int bool_num = 0;
|
||||
static struct dentry *bool_dir;
|
||||
static int bool_num;
|
||||
static char **bool_pending_names;
|
||||
static int *bool_pending_values = NULL;
|
||||
static int *bool_pending_values;
|
||||
|
||||
/* global data for classes */
|
||||
static struct dentry *class_dir = NULL;
|
||||
static struct dentry *class_dir;
|
||||
static unsigned long last_class_ino;
|
||||
|
||||
/* global data for policy capabilities */
|
||||
static struct dentry *policycap_dir = NULL;
|
||||
static struct dentry *policycap_dir;
|
||||
|
||||
extern void selnl_notify_setenforce(int val);
|
||||
|
||||
|
@ -142,7 +142,7 @@ static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
|
|||
}
|
||||
|
||||
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
|
||||
static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
|
||||
static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
|
||||
{
|
||||
|
@ -156,7 +156,7 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
|
|||
/* No partial writes. */
|
||||
return -EINVAL;
|
||||
}
|
||||
page = (char*)get_zeroed_page(GFP_KERNEL);
|
||||
page = (char *)get_zeroed_page(GFP_KERNEL);
|
||||
if (!page)
|
||||
return -ENOMEM;
|
||||
length = -EFAULT;
|
||||
|
@ -213,7 +213,7 @@ static const struct file_operations sel_handle_unknown_ops = {
|
|||
};
|
||||
|
||||
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
|
||||
static ssize_t sel_write_disable(struct file * file, const char __user * buf,
|
||||
static ssize_t sel_write_disable(struct file *file, const char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
|
||||
{
|
||||
|
@ -228,7 +228,7 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
|
|||
/* No partial writes. */
|
||||
return -EINVAL;
|
||||
}
|
||||
page = (char*)get_zeroed_page(GFP_KERNEL);
|
||||
page = (char *)get_zeroed_page(GFP_KERNEL);
|
||||
if (!page)
|
||||
return -ENOMEM;
|
||||
length = -EFAULT;
|
||||
|
@ -263,7 +263,7 @@ static const struct file_operations sel_disable_ops = {
|
|||
};
|
||||
|
||||
static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
size_t count, loff_t *ppos)
|
||||
{
|
||||
char tmpbuf[TMPBUFLEN];
|
||||
ssize_t length;
|
||||
|
@ -299,7 +299,7 @@ static const struct file_operations sel_mls_ops = {
|
|||
.read = sel_read_mls,
|
||||
};
|
||||
|
||||
static ssize_t sel_write_load(struct file * file, const char __user * buf,
|
||||
static ssize_t sel_write_load(struct file *file, const char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
|
||||
{
|
||||
|
@ -371,7 +371,7 @@ static const struct file_operations sel_load_ops = {
|
|||
.write = sel_write_load,
|
||||
};
|
||||
|
||||
static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
|
||||
static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
|
||||
{
|
||||
char *canon;
|
||||
u32 sid, len;
|
||||
|
@ -390,8 +390,8 @@ static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
|
|||
return length;
|
||||
|
||||
if (len > SIMPLE_TRANSACTION_LIMIT) {
|
||||
printk(KERN_ERR "%s: context size (%u) exceeds payload "
|
||||
"max\n", __func__, len);
|
||||
printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
|
||||
"payload max\n", __func__, len);
|
||||
length = -ERANGE;
|
||||
goto out;
|
||||
}
|
||||
|
@ -413,7 +413,7 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
|
|||
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
|
||||
}
|
||||
|
||||
static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf,
|
||||
static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
{
|
||||
char *page;
|
||||
|
@ -430,7 +430,7 @@ static ssize_t sel_write_checkreqprot(struct file * file, const char __user * bu
|
|||
/* No partial writes. */
|
||||
return -EINVAL;
|
||||
}
|
||||
page = (char*)get_zeroed_page(GFP_KERNEL);
|
||||
page = (char *)get_zeroed_page(GFP_KERNEL);
|
||||
if (!page)
|
||||
return -ENOMEM;
|
||||
length = -EFAULT;
|
||||
|
@ -462,7 +462,7 @@ static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
|
|||
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
|
||||
}
|
||||
|
||||
static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
|
||||
static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
{
|
||||
char *page;
|
||||
|
@ -479,7 +479,7 @@ static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
|
|||
/* No partial writes. */
|
||||
return -EINVAL;
|
||||
}
|
||||
page = (char*)get_zeroed_page(GFP_KERNEL);
|
||||
page = (char *)get_zeroed_page(GFP_KERNEL);
|
||||
if (!page)
|
||||
return -ENOMEM;
|
||||
length = -EFAULT;
|
||||
|
@ -504,11 +504,11 @@ static const struct file_operations sel_compat_net_ops = {
|
|||
/*
|
||||
* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
|
||||
*/
|
||||
static ssize_t sel_write_access(struct file * file, char *buf, size_t size);
|
||||
static ssize_t sel_write_create(struct file * file, char *buf, size_t size);
|
||||
static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size);
|
||||
static ssize_t sel_write_user(struct file * file, char *buf, size_t size);
|
||||
static ssize_t sel_write_member(struct file * file, char *buf, size_t size);
|
||||
static ssize_t sel_write_access(struct file *file, char *buf, size_t size);
|
||||
static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
|
||||
static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
|
||||
static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
|
||||
static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
|
||||
|
||||
static ssize_t (*write_op[])(struct file *, char *, size_t) = {
|
||||
[SEL_ACCESS] = sel_write_access,
|
||||
|
@ -521,7 +521,7 @@ static ssize_t (*write_op[])(struct file *, char *, size_t) = {
|
|||
|
||||
static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
|
||||
{
|
||||
ino_t ino = file->f_path.dentry->d_inode->i_ino;
|
||||
ino_t ino = file->f_path.dentry->d_inode->i_ino;
|
||||
char *data;
|
||||
ssize_t rv;
|
||||
|
||||
|
@ -532,8 +532,8 @@ static ssize_t selinux_transaction_write(struct file *file, const char __user *b
|
|||
if (IS_ERR(data))
|
||||
return PTR_ERR(data);
|
||||
|
||||
rv = write_op[ino](file, data, size);
|
||||
if (rv>0) {
|
||||
rv = write_op[ino](file, data, size);
|
||||
if (rv > 0) {
|
||||
simple_transaction_set(file, rv);
|
||||
rv = size;
|
||||
}
|
||||
|
@ -552,7 +552,7 @@ static const struct file_operations transaction_ops = {
|
|||
* and the length returned. Otherwise return 0 or and -error.
|
||||
*/
|
||||
|
||||
static ssize_t sel_write_access(struct file * file, char *buf, size_t size)
|
||||
static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
|
||||
{
|
||||
char *scon, *tcon;
|
||||
u32 ssid, tsid;
|
||||
|
@ -601,7 +601,7 @@ static ssize_t sel_write_access(struct file * file, char *buf, size_t size)
|
|||
return length;
|
||||
}
|
||||
|
||||
static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
|
||||
static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
|
||||
{
|
||||
char *scon, *tcon;
|
||||
u32 ssid, tsid, newsid;
|
||||
|
@ -643,8 +643,8 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
|
|||
goto out2;
|
||||
|
||||
if (len > SIMPLE_TRANSACTION_LIMIT) {
|
||||
printk(KERN_ERR "%s: context size (%u) exceeds payload "
|
||||
"max\n", __func__, len);
|
||||
printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
|
||||
"payload max\n", __func__, len);
|
||||
length = -ERANGE;
|
||||
goto out3;
|
||||
}
|
||||
|
@ -660,7 +660,7 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
|
|||
return length;
|
||||
}
|
||||
|
||||
static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size)
|
||||
static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
|
||||
{
|
||||
char *scon, *tcon;
|
||||
u32 ssid, tsid, newsid;
|
||||
|
@ -717,7 +717,7 @@ static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size)
|
|||
return length;
|
||||
}
|
||||
|
||||
static ssize_t sel_write_user(struct file * file, char *buf, size_t size)
|
||||
static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
|
||||
{
|
||||
char *con, *user, *ptr;
|
||||
u32 sid, *sids;
|
||||
|
@ -778,7 +778,7 @@ static ssize_t sel_write_user(struct file * file, char *buf, size_t size)
|
|||
return length;
|
||||
}
|
||||
|
||||
static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
|
||||
static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
|
||||
{
|
||||
char *scon, *tcon;
|
||||
u32 ssid, tsid, newsid;
|
||||
|
@ -820,8 +820,8 @@ static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
|
|||
goto out2;
|
||||
|
||||
if (len > SIMPLE_TRANSACTION_LIMIT) {
|
||||
printk(KERN_ERR "%s: context size (%u) exceeds payload "
|
||||
"max\n", __func__, len);
|
||||
printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
|
||||
"payload max\n", __func__, len);
|
||||
length = -ERANGE;
|
||||
goto out3;
|
||||
}
|
||||
|
@ -872,7 +872,8 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
|
|||
ret = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) {
|
||||
page = (char *)get_zeroed_page(GFP_KERNEL);
|
||||
if (!page) {
|
||||
ret = -ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
|
@ -923,7 +924,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
|
|||
length = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
page = (char*)get_zeroed_page(GFP_KERNEL);
|
||||
page = (char *)get_zeroed_page(GFP_KERNEL);
|
||||
if (!page) {
|
||||
length = -ENOMEM;
|
||||
goto out;
|
||||
|
@ -951,8 +952,8 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
|
|||
}
|
||||
|
||||
static const struct file_operations sel_bool_ops = {
|
||||
.read = sel_read_bool,
|
||||
.write = sel_write_bool,
|
||||
.read = sel_read_bool,
|
||||
.write = sel_write_bool,
|
||||
};
|
||||
|
||||
static ssize_t sel_commit_bools_write(struct file *filep,
|
||||
|
@ -977,7 +978,7 @@ static ssize_t sel_commit_bools_write(struct file *filep,
|
|||
/* No partial writes. */
|
||||
goto out;
|
||||
}
|
||||
page = (char*)get_zeroed_page(GFP_KERNEL);
|
||||
page = (char *)get_zeroed_page(GFP_KERNEL);
|
||||
if (!page) {
|
||||
length = -ENOMEM;
|
||||
goto out;
|
||||
|
@ -991,9 +992,8 @@ static ssize_t sel_commit_bools_write(struct file *filep,
|
|||
if (sscanf(page, "%d", &new_value) != 1)
|
||||
goto out;
|
||||
|
||||
if (new_value && bool_pending_values) {
|
||||
if (new_value && bool_pending_values)
|
||||
security_set_bools(bool_num, bool_pending_values);
|
||||
}
|
||||
|
||||
length = count;
|
||||
|
||||
|
@ -1005,7 +1005,7 @@ static ssize_t sel_commit_bools_write(struct file *filep,
|
|||
}
|
||||
|
||||
static const struct file_operations sel_commit_bools_ops = {
|
||||
.write = sel_commit_bools_write,
|
||||
.write = sel_commit_bools_write,
|
||||
};
|
||||
|
||||
static void sel_remove_entries(struct dentry *de)
|
||||
|
@ -1055,7 +1055,8 @@ static int sel_make_bools(void)
|
|||
|
||||
sel_remove_entries(dir);
|
||||
|
||||
if (!(page = (char*)get_zeroed_page(GFP_KERNEL)))
|
||||
page = (char *)get_zeroed_page(GFP_KERNEL);
|
||||
if (!page)
|
||||
return -ENOMEM;
|
||||
|
||||
ret = security_get_bools(&num, &names, &values);
|
||||
|
@ -1082,8 +1083,9 @@ static int sel_make_bools(void)
|
|||
ret = -ENAMETOOLONG;
|
||||
goto err;
|
||||
}
|
||||
isec = (struct inode_security_struct*)inode->i_security;
|
||||
if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid)))
|
||||
isec = (struct inode_security_struct *)inode->i_security;
|
||||
ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
|
||||
if (ret)
|
||||
goto err;
|
||||
isec->sid = sid;
|
||||
isec->initialized = 1;
|
||||
|
@ -1111,7 +1113,7 @@ static int sel_make_bools(void)
|
|||
|
||||
#define NULL_FILE_NAME "null"
|
||||
|
||||
struct dentry *selinux_null = NULL;
|
||||
struct dentry *selinux_null;
|
||||
|
||||
static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
|
@ -1123,8 +1125,8 @@ static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
|
|||
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
|
||||
}
|
||||
|
||||
static ssize_t sel_write_avc_cache_threshold(struct file * file,
|
||||
const char __user * buf,
|
||||
static ssize_t sel_write_avc_cache_threshold(struct file *file,
|
||||
const char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
|
||||
{
|
||||
|
@ -1143,7 +1145,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file * file,
|
|||
goto out;
|
||||
}
|
||||
|
||||
page = (char*)get_zeroed_page(GFP_KERNEL);
|
||||
page = (char *)get_zeroed_page(GFP_KERNEL);
|
||||
if (!page) {
|
||||
ret = -ENOMEM;
|
||||
goto out;
|
||||
|
@ -1301,7 +1303,7 @@ static int sel_make_avc_files(struct dentry *dir)
|
|||
return ret;
|
||||
}
|
||||
|
||||
static ssize_t sel_read_initcon(struct file * file, char __user *buf,
|
||||
static ssize_t sel_read_initcon(struct file *file, char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
{
|
||||
struct inode *inode;
|
||||
|
@ -1375,7 +1377,7 @@ static inline u32 sel_ino_to_perm(unsigned long ino)
|
|||
return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1);
|
||||
}
|
||||
|
||||
static ssize_t sel_read_class(struct file * file, char __user *buf,
|
||||
static ssize_t sel_read_class(struct file *file, char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
{
|
||||
ssize_t rc, len;
|
||||
|
@ -1399,7 +1401,7 @@ static const struct file_operations sel_class_ops = {
|
|||
.read = sel_read_class,
|
||||
};
|
||||
|
||||
static ssize_t sel_read_perm(struct file * file, char __user *buf,
|
||||
static ssize_t sel_read_perm(struct file *file, char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
{
|
||||
ssize_t rc, len;
|
||||
|
@ -1412,7 +1414,7 @@ static ssize_t sel_read_perm(struct file * file, char __user *buf,
|
|||
goto out;
|
||||
}
|
||||
|
||||
len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino));
|
||||
len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino));
|
||||
rc = simple_read_from_buffer(buf, count, ppos, page, len);
|
||||
free_page((unsigned long)page);
|
||||
out:
|
||||
|
@ -1640,7 +1642,7 @@ static int sel_make_dir(struct inode *dir, struct dentry *dentry,
|
|||
return ret;
|
||||
}
|
||||
|
||||
static int sel_fill_super(struct super_block * sb, void * data, int silent)
|
||||
static int sel_fill_super(struct super_block *sb, void *data, int silent)
|
||||
{
|
||||
int ret;
|
||||
struct dentry *dentry;
|
||||
|
@ -1696,7 +1698,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
|
|||
goto err;
|
||||
}
|
||||
inode->i_ino = ++sel_last_ino;
|
||||
isec = (struct inode_security_struct*)inode->i_security;
|
||||
isec = (struct inode_security_struct *)inode->i_security;
|
||||
isec->sid = SECINITSID_DEVNULL;
|
||||
isec->sclass = SECCLASS_CHR_FILE;
|
||||
isec->initialized = 1;
|
||||
|
@ -1760,7 +1762,8 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
|
|||
out:
|
||||
return ret;
|
||||
err:
|
||||
printk(KERN_ERR "%s: failed while creating inodes\n", __func__);
|
||||
printk(KERN_ERR "SELinux: %s: failed while creating inodes\n",
|
||||
__func__);
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
|
|
@ -6,15 +6,15 @@
|
|||
|
||||
/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
|
||||
*
|
||||
* Added conditional policy language extensions
|
||||
* Added conditional policy language extensions
|
||||
*
|
||||
* Copyright (C) 2003 Tresys Technology, LLC
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, version 2.
|
||||
*
|
||||
* Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
|
||||
* Tuned number of hash slots for avtab to reduce memory usage
|
||||
* Tuned number of hash slots for avtab to reduce memory usage
|
||||
*/
|
||||
|
||||
#include <linux/kernel.h>
|
||||
|
@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
|
|||
|
||||
static struct avtab_node*
|
||||
avtab_insert_node(struct avtab *h, int hvalue,
|
||||
struct avtab_node * prev, struct avtab_node * cur,
|
||||
struct avtab_node *prev, struct avtab_node *cur,
|
||||
struct avtab_key *key, struct avtab_datum *datum)
|
||||
{
|
||||
struct avtab_node * newnode;
|
||||
struct avtab_node *newnode;
|
||||
newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
|
||||
if (newnode == NULL)
|
||||
return NULL;
|
||||
|
@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
|
|||
}
|
||||
|
||||
newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
|
||||
if(!newnode)
|
||||
if (!newnode)
|
||||
return -ENOMEM;
|
||||
|
||||
return 0;
|
||||
|
@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
|
|||
* It also returns a pointer to the node inserted.
|
||||
*/
|
||||
struct avtab_node *
|
||||
avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_datum * datum)
|
||||
avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum)
|
||||
{
|
||||
int hvalue;
|
||||
struct avtab_node *prev, *cur, *newnode;
|
||||
|
@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag)
|
|||
}
|
||||
}
|
||||
|
||||
printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest "
|
||||
"chain length %d sum of chain length^2 %Lu\n",
|
||||
printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
|
||||
"longest chain length %d sum of chain length^2 %Lu\n",
|
||||
tag, h->nel, slots_used, h->nslot, max_chain_len,
|
||||
chain2_len_sum);
|
||||
}
|
||||
|
@ -326,7 +326,7 @@ static uint16_t spec_order[] = {
|
|||
};
|
||||
|
||||
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
||||
int (*insertf)(struct avtab *a, struct avtab_key *k,
|
||||
int (*insertf)(struct avtab *a, struct avtab_key *k,
|
||||
struct avtab_datum *d, void *p),
|
||||
void *p)
|
||||
{
|
||||
|
@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
|||
val = le32_to_cpu(buf32[items++]);
|
||||
key.source_type = (u16)val;
|
||||
if (key.source_type != val) {
|
||||
printk("SELinux: avtab: truncated source type\n");
|
||||
printk(KERN_ERR "SELinux: avtab: truncated source type\n");
|
||||
return -1;
|
||||
}
|
||||
val = le32_to_cpu(buf32[items++]);
|
||||
key.target_type = (u16)val;
|
||||
if (key.target_type != val) {
|
||||
printk("SELinux: avtab: truncated target type\n");
|
||||
printk(KERN_ERR "SELinux: avtab: truncated target type\n");
|
||||
return -1;
|
||||
}
|
||||
val = le32_to_cpu(buf32[items++]);
|
||||
key.target_class = (u16)val;
|
||||
if (key.target_class != val) {
|
||||
printk("SELinux: avtab: truncated target class\n");
|
||||
printk(KERN_ERR "SELinux: avtab: truncated target class\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
|||
enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
|
||||
|
||||
if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
|
||||
printk("SELinux: avtab: null entry\n");
|
||||
printk(KERN_ERR "SELinux: avtab: null entry\n");
|
||||
return -1;
|
||||
}
|
||||
if ((val & AVTAB_AV) &&
|
||||
(val & AVTAB_TYPE)) {
|
||||
printk("SELinux: avtab: entry has both access vectors and types\n");
|
||||
printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
|||
key.specified = spec_order[i] | enabled;
|
||||
datum.data = le32_to_cpu(buf32[items++]);
|
||||
rc = insertf(a, &key, &datum, p);
|
||||
if (rc) return rc;
|
||||
if (rc)
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
|
||||
if (items != items2) {
|
||||
printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
|
||||
printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
|
@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
|||
|
||||
rc = next_entry(buf16, fp, sizeof(u16)*4);
|
||||
if (rc < 0) {
|
||||
printk("SELinux: avtab: truncated entry\n");
|
||||
printk(KERN_ERR "SELinux: avtab: truncated entry\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
|||
if (!policydb_type_isvalid(pol, key.source_type) ||
|
||||
!policydb_type_isvalid(pol, key.target_type) ||
|
||||
!policydb_class_isvalid(pol, key.target_class)) {
|
||||
printk(KERN_WARNING "SELinux: avtab: invalid type or class\n");
|
||||
printk(KERN_ERR "SELinux: avtab: invalid type or class\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
|||
set++;
|
||||
}
|
||||
if (!set || set > 1) {
|
||||
printk(KERN_WARNING
|
||||
"SELinux: avtab: more than one specifier\n");
|
||||
printk(KERN_ERR "SELinux: avtab: more than one specifier\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
rc = next_entry(buf32, fp, sizeof(u32));
|
||||
if (rc < 0) {
|
||||
printk("SELinux: avtab: truncated entry\n");
|
||||
printk(KERN_ERR "SELinux: avtab: truncated entry\n");
|
||||
return -1;
|
||||
}
|
||||
datum.data = le32_to_cpu(*buf32);
|
||||
if ((key.specified & AVTAB_TYPE) &&
|
||||
!policydb_type_isvalid(pol, datum.data)) {
|
||||
printk(KERN_WARNING "SELinux: avtab: invalid type\n");
|
||||
printk(KERN_ERR "SELinux: avtab: invalid type\n");
|
||||
return -1;
|
||||
}
|
||||
return insertf(a, &key, &datum, p);
|
||||
|
@ -513,5 +513,5 @@ void avtab_cache_init(void)
|
|||
|
||||
void avtab_cache_destroy(void)
|
||||
{
|
||||
kmem_cache_destroy (avtab_node_cachep);
|
||||
kmem_cache_destroy(avtab_node_cachep);
|
||||
}
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
/* Authors: Karl MacMillan <kmacmillan@tresys.com>
|
||||
* Frank Mayer <mayerf@tresys.com>
|
||||
* Frank Mayer <mayerf@tresys.com>
|
||||
*
|
||||
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, version 2.
|
||||
*/
|
||||
|
||||
|
@ -89,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
|
|||
int evaluate_cond_node(struct policydb *p, struct cond_node *node)
|
||||
{
|
||||
int new_state;
|
||||
struct cond_av_list* cur;
|
||||
struct cond_av_list *cur;
|
||||
|
||||
new_state = cond_evaluate_expr(p, node->expr);
|
||||
if (new_state != node->cur_state) {
|
||||
|
@ -98,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
|
|||
printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
|
||||
/* turn the rules on or off */
|
||||
for (cur = node->true_list; cur != NULL; cur = cur->next) {
|
||||
if (new_state <= 0) {
|
||||
if (new_state <= 0)
|
||||
cur->node->key.specified &= ~AVTAB_ENABLED;
|
||||
} else {
|
||||
else
|
||||
cur->node->key.specified |= AVTAB_ENABLED;
|
||||
}
|
||||
}
|
||||
|
||||
for (cur = node->false_list; cur != NULL; cur = cur->next) {
|
||||
/* -1 or 1 */
|
||||
if (new_state) {
|
||||
if (new_state)
|
||||
cur->node->key.specified &= ~AVTAB_ENABLED;
|
||||
} else {
|
||||
else
|
||||
cur->node->key.specified |= AVTAB_ENABLED;
|
||||
}
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
|
@ -173,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p)
|
|||
int cond_init_bool_indexes(struct policydb *p)
|
||||
{
|
||||
kfree(p->bool_val_to_struct);
|
||||
p->bool_val_to_struct = (struct cond_bool_datum**)
|
||||
kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL);
|
||||
p->bool_val_to_struct = (struct cond_bool_datum **)
|
||||
kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
|
||||
if (!p->bool_val_to_struct)
|
||||
return -1;
|
||||
return 0;
|
||||
|
@ -199,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
|
|||
return -EINVAL;
|
||||
|
||||
p->p_bool_val_to_name[booldatum->value - 1] = key;
|
||||
p->bool_val_to_struct[booldatum->value -1] = booldatum;
|
||||
p->bool_val_to_struct[booldatum->value - 1] = booldatum;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -251,8 +249,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
|
|||
return -1;
|
||||
}
|
||||
|
||||
struct cond_insertf_data
|
||||
{
|
||||
struct cond_insertf_data {
|
||||
struct policydb *p;
|
||||
struct cond_av_list *other;
|
||||
struct cond_av_list *head;
|
||||
|
@ -275,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
|
|||
*/
|
||||
if (k->specified & AVTAB_TYPE) {
|
||||
if (avtab_search(&p->te_avtab, k)) {
|
||||
printk("SELinux: type rule already exists outside of a conditional.");
|
||||
printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
|
||||
goto err;
|
||||
}
|
||||
/*
|
||||
|
@ -290,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
|
|||
node_ptr = avtab_search_node(&p->te_cond_avtab, k);
|
||||
if (node_ptr) {
|
||||
if (avtab_search_node_next(node_ptr, k->specified)) {
|
||||
printk("SELinux: too many conflicting type rules.");
|
||||
printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
|
||||
goto err;
|
||||
}
|
||||
found = 0;
|
||||
|
@ -301,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
|
|||
}
|
||||
}
|
||||
if (!found) {
|
||||
printk("SELinux: conflicting type rules.\n");
|
||||
printk(KERN_ERR "SELinux: conflicting type rules.\n");
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if (avtab_search(&p->te_cond_avtab, k)) {
|
||||
printk("SELinux: conflicting type rules when adding type rule for true.\n");
|
||||
printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
@ -315,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
|
|||
|
||||
node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
|
||||
if (!node_ptr) {
|
||||
printk("SELinux: could not insert rule.");
|
||||
printk(KERN_ERR "SELinux: could not insert rule.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
|
@ -352,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
|
|||
return -1;
|
||||
|
||||
len = le32_to_cpu(buf[0]);
|
||||
if (len == 0) {
|
||||
if (len == 0)
|
||||
return 0;
|
||||
}
|
||||
|
||||
data.p = p;
|
||||
data.other = other;
|
||||
|
@ -375,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
|
|||
static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
|
||||
{
|
||||
if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
|
||||
printk("SELinux: conditional expressions uses unknown operator.\n");
|
||||
printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (expr->bool > p->p_bools.nprim) {
|
||||
printk("SELinux: conditional expressions uses unknown bool.\n");
|
||||
printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
|
@ -407,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
|
|||
/* expr */
|
||||
len = le32_to_cpu(buf[0]);
|
||||
|
||||
for (i = 0; i < len; i++ ) {
|
||||
for (i = 0; i < len; i++) {
|
||||
rc = next_entry(buf, fp, sizeof(u32) * 2);
|
||||
if (rc < 0)
|
||||
goto err;
|
||||
|
||||
expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
|
||||
if (!expr) {
|
||||
if (!expr)
|
||||
goto err;
|
||||
}
|
||||
|
||||
expr->expr_type = le32_to_cpu(buf[0]);
|
||||
expr->bool = le32_to_cpu(buf[1]);
|
||||
|
@ -425,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (i == 0) {
|
||||
if (i == 0)
|
||||
node->expr = expr;
|
||||
} else {
|
||||
else
|
||||
last->next = expr;
|
||||
}
|
||||
last = expr;
|
||||
}
|
||||
|
||||
|
@ -468,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp)
|
|||
if (cond_read_node(p, node, fp) != 0)
|
||||
goto err;
|
||||
|
||||
if (i == 0) {
|
||||
if (i == 0)
|
||||
p->cond_list = node;
|
||||
} else {
|
||||
else
|
||||
last->next = node;
|
||||
}
|
||||
last = node;
|
||||
}
|
||||
return 0;
|
||||
|
@ -489,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
|
|||
{
|
||||
struct avtab_node *node;
|
||||
|
||||
if(!ctab || !key || !avd)
|
||||
if (!ctab || !key || !avd)
|
||||
return;
|
||||
|
||||
for(node = avtab_search_node(ctab, key); node != NULL;
|
||||
for (node = avtab_search_node(ctab, key); node != NULL;
|
||||
node = avtab_search_node_next(node, key->specified)) {
|
||||
if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) ==
|
||||
(node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
|
||||
if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
|
||||
(node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
|
||||
avd->allowed |= node->datum.data;
|
||||
if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) ==
|
||||
(node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
|
||||
if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
|
||||
(node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
|
||||
/* Since a '0' in an auditdeny mask represents a
|
||||
* permission we do NOT want to audit (dontaudit), we use
|
||||
* the '&' operand to ensure that all '0's in the mask
|
||||
* are retained (much unlike the allow and auditallow cases).
|
||||
*/
|
||||
avd->auditdeny &= node->datum.data;
|
||||
if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
|
||||
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
|
||||
if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
|
||||
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
|
||||
avd->auditallow |= node->datum.data;
|
||||
}
|
||||
return;
|
||||
|
|
|
@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp)
|
|||
}
|
||||
/* round down */
|
||||
tmp->startbit = startbit - (startbit % EBITMAP_SIZE);
|
||||
if (n) {
|
||||
if (n)
|
||||
n->next = tmp;
|
||||
} else {
|
||||
else
|
||||
e->node = tmp;
|
||||
}
|
||||
n = tmp;
|
||||
} else if (startbit <= n->startbit) {
|
||||
printk(KERN_ERR "SELinux: ebitmap: start bit %d"
|
||||
|
|
|
@ -9,8 +9,8 @@
|
|||
#include "hashtab.h"
|
||||
|
||||
struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
|
||||
int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
|
||||
u32 size)
|
||||
int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
|
||||
u32 size)
|
||||
{
|
||||
struct hashtab *p;
|
||||
u32 i;
|
||||
|
|
|
@ -32,7 +32,7 @@
|
|||
* Return the length in bytes for the MLS fields of the
|
||||
* security context string representation of `context'.
|
||||
*/
|
||||
int mls_compute_context_len(struct context * context)
|
||||
int mls_compute_context_len(struct context *context)
|
||||
{
|
||||
int i, l, len, head, prev;
|
||||
char *nm;
|
||||
|
@ -86,7 +86,7 @@ int mls_compute_context_len(struct context * context)
|
|||
* Update `*scontext' to point to the end of the MLS fields.
|
||||
*/
|
||||
void mls_sid_to_context(struct context *context,
|
||||
char **scontext)
|
||||
char **scontext)
|
||||
{
|
||||
char *scontextp, *nm;
|
||||
int i, l, head, prev;
|
||||
|
@ -146,7 +146,7 @@ void mls_sid_to_context(struct context *context,
|
|||
|
||||
if (l == 0) {
|
||||
if (mls_level_eq(&context->range.level[0],
|
||||
&context->range.level[1]))
|
||||
&context->range.level[1]))
|
||||
break;
|
||||
else
|
||||
*scontextp++ = '-';
|
||||
|
@ -305,20 +305,21 @@ int mls_context_to_sid(char oldc,
|
|||
*p++ = 0;
|
||||
|
||||
/* Separate into range if exists */
|
||||
if ((rngptr = strchr(scontextp, '.')) != NULL) {
|
||||
rngptr = strchr(scontextp, '.');
|
||||
if (rngptr != NULL) {
|
||||
/* Remove '.' */
|
||||
*rngptr++ = 0;
|
||||
}
|
||||
|
||||
catdatum = hashtab_search(policydb.p_cats.table,
|
||||
scontextp);
|
||||
scontextp);
|
||||
if (!catdatum) {
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
rc = ebitmap_set_bit(&context->range.level[l].cat,
|
||||
catdatum->value - 1, 1);
|
||||
catdatum->value - 1, 1);
|
||||
if (rc)
|
||||
goto out;
|
||||
|
||||
|
@ -395,7 +396,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
|
|||
rc = -ENOMEM;
|
||||
} else {
|
||||
rc = mls_context_to_sid(':', &tmpstr, context,
|
||||
NULL, SECSID_NULL);
|
||||
NULL, SECSID_NULL);
|
||||
kfree(freestr);
|
||||
}
|
||||
|
||||
|
@ -406,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
|
|||
* Copies the MLS range `range' into `context'.
|
||||
*/
|
||||
static inline int mls_range_set(struct context *context,
|
||||
struct mls_range *range)
|
||||
struct mls_range *range)
|
||||
{
|
||||
int l, rc = 0;
|
||||
|
||||
|
@ -423,7 +424,7 @@ static inline int mls_range_set(struct context *context,
|
|||
}
|
||||
|
||||
int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
|
||||
struct context *usercon)
|
||||
struct context *usercon)
|
||||
{
|
||||
if (selinux_mls_enabled) {
|
||||
struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
|
||||
|
@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
|
|||
that of the user's default clearance (but
|
||||
only if the "fromcon" clearance dominates
|
||||
the user's computed sensitivity level) */
|
||||
if (mls_level_dom(user_clr, fromcon_clr)) {
|
||||
if (mls_level_dom(user_clr, fromcon_clr))
|
||||
*usercon_clr = *fromcon_clr;
|
||||
} else if (mls_level_dom(fromcon_clr, user_clr)) {
|
||||
else if (mls_level_dom(fromcon_clr, user_clr))
|
||||
*usercon_clr = *user_clr;
|
||||
} else
|
||||
else
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
@ -525,7 +526,7 @@ int mls_compute_sid(struct context *scontext,
|
|||
rtr->target_class == tclass) {
|
||||
/* Set the range from the rule */
|
||||
return mls_range_set(newcontext,
|
||||
&rtr->target_range);
|
||||
&rtr->target_range);
|
||||
}
|
||||
}
|
||||
/* Fallthrough */
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
*
|
||||
* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
|
||||
*
|
||||
* Added conditional policy language extensions
|
||||
* Added conditional policy language extensions
|
||||
*
|
||||
* Updated: Hewlett-Packard <paul.moore@hp.com>
|
||||
*
|
||||
|
@ -21,7 +21,7 @@
|
|||
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
|
||||
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, version 2.
|
||||
*/
|
||||
|
||||
|
@ -51,7 +51,7 @@ static char *symtab_name[SYM_NUM] = {
|
|||
};
|
||||
#endif
|
||||
|
||||
int selinux_mls_enabled = 0;
|
||||
int selinux_mls_enabled;
|
||||
|
||||
static unsigned int symtab_sizes[SYM_NUM] = {
|
||||
2,
|
||||
|
@ -73,39 +73,39 @@ struct policydb_compat_info {
|
|||
/* These need to be updated if SYM_NUM or OCON_NUM changes */
|
||||
static struct policydb_compat_info policydb_compat[] = {
|
||||
{
|
||||
.version = POLICYDB_VERSION_BASE,
|
||||
.sym_num = SYM_NUM - 3,
|
||||
.ocon_num = OCON_NUM - 1,
|
||||
.version = POLICYDB_VERSION_BASE,
|
||||
.sym_num = SYM_NUM - 3,
|
||||
.ocon_num = OCON_NUM - 1,
|
||||
},
|
||||
{
|
||||
.version = POLICYDB_VERSION_BOOL,
|
||||
.sym_num = SYM_NUM - 2,
|
||||
.ocon_num = OCON_NUM - 1,
|
||||
.version = POLICYDB_VERSION_BOOL,
|
||||
.sym_num = SYM_NUM - 2,
|
||||
.ocon_num = OCON_NUM - 1,
|
||||
},
|
||||
{
|
||||
.version = POLICYDB_VERSION_IPV6,
|
||||
.sym_num = SYM_NUM - 2,
|
||||
.ocon_num = OCON_NUM,
|
||||
.version = POLICYDB_VERSION_IPV6,
|
||||
.sym_num = SYM_NUM - 2,
|
||||
.ocon_num = OCON_NUM,
|
||||
},
|
||||
{
|
||||
.version = POLICYDB_VERSION_NLCLASS,
|
||||
.sym_num = SYM_NUM - 2,
|
||||
.ocon_num = OCON_NUM,
|
||||
.version = POLICYDB_VERSION_NLCLASS,
|
||||
.sym_num = SYM_NUM - 2,
|
||||
.ocon_num = OCON_NUM,
|
||||
},
|
||||
{
|
||||
.version = POLICYDB_VERSION_MLS,
|
||||
.sym_num = SYM_NUM,
|
||||
.ocon_num = OCON_NUM,
|
||||
.version = POLICYDB_VERSION_MLS,
|
||||
.sym_num = SYM_NUM,
|
||||
.ocon_num = OCON_NUM,
|
||||
},
|
||||
{
|
||||
.version = POLICYDB_VERSION_AVTAB,
|
||||
.sym_num = SYM_NUM,
|
||||
.ocon_num = OCON_NUM,
|
||||
.version = POLICYDB_VERSION_AVTAB,
|
||||
.sym_num = SYM_NUM,
|
||||
.ocon_num = OCON_NUM,
|
||||
},
|
||||
{
|
||||
.version = POLICYDB_VERSION_RANGETRANS,
|
||||
.sym_num = SYM_NUM,
|
||||
.ocon_num = OCON_NUM,
|
||||
.version = POLICYDB_VERSION_RANGETRANS,
|
||||
.sym_num = SYM_NUM,
|
||||
.ocon_num = OCON_NUM,
|
||||
},
|
||||
{
|
||||
.version = POLICYDB_VERSION_POLCAP,
|
||||
|
@ -152,7 +152,7 @@ static int roles_init(struct policydb *p)
|
|||
rc = -EINVAL;
|
||||
goto out_free_role;
|
||||
}
|
||||
key = kmalloc(strlen(OBJECT_R)+1,GFP_KERNEL);
|
||||
key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL);
|
||||
if (!key) {
|
||||
rc = -ENOMEM;
|
||||
goto out_free_role;
|
||||
|
@ -390,7 +390,7 @@ static void symtab_hash_eval(struct symtab *s)
|
|||
struct hashtab_info info;
|
||||
|
||||
hashtab_stat(h, &info);
|
||||
printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, "
|
||||
printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
|
||||
"longest chain length %d\n", symtab_name[i], h->nel,
|
||||
info.slots_used, h->size, info.max_chain_len);
|
||||
}
|
||||
|
@ -424,7 +424,7 @@ static int policydb_index_others(struct policydb *p)
|
|||
|
||||
p->role_val_to_struct =
|
||||
kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
|
||||
GFP_KERNEL);
|
||||
GFP_KERNEL);
|
||||
if (!p->role_val_to_struct) {
|
||||
rc = -ENOMEM;
|
||||
goto out;
|
||||
|
@ -432,7 +432,7 @@ static int policydb_index_others(struct policydb *p)
|
|||
|
||||
p->user_val_to_struct =
|
||||
kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
|
||||
GFP_KERNEL);
|
||||
GFP_KERNEL);
|
||||
if (!p->user_val_to_struct) {
|
||||
rc = -ENOMEM;
|
||||
goto out;
|
||||
|
@ -634,7 +634,7 @@ void policydb_destroy(struct policydb *p)
|
|||
while (c) {
|
||||
ctmp = c;
|
||||
c = c->next;
|
||||
ocontext_destroy(ctmp,i);
|
||||
ocontext_destroy(ctmp, i);
|
||||
}
|
||||
p->ocontexts[i] = NULL;
|
||||
}
|
||||
|
@ -647,7 +647,7 @@ void policydb_destroy(struct policydb *p)
|
|||
while (c) {
|
||||
ctmp = c;
|
||||
c = c->next;
|
||||
ocontext_destroy(ctmp,OCON_FSUSE);
|
||||
ocontext_destroy(ctmp, OCON_FSUSE);
|
||||
}
|
||||
gtmp = g;
|
||||
g = g->next;
|
||||
|
@ -664,14 +664,14 @@ void policydb_destroy(struct policydb *p)
|
|||
}
|
||||
kfree(ltr);
|
||||
|
||||
for (ra = p->role_allow; ra; ra = ra -> next) {
|
||||
for (ra = p->role_allow; ra; ra = ra->next) {
|
||||
cond_resched();
|
||||
kfree(lra);
|
||||
lra = ra;
|
||||
}
|
||||
kfree(lra);
|
||||
|
||||
for (rt = p->range_tr; rt; rt = rt -> next) {
|
||||
for (rt = p->range_tr; rt; rt = rt->next) {
|
||||
cond_resched();
|
||||
if (lrt) {
|
||||
ebitmap_destroy(&lrt->target_range.level[0].cat);
|
||||
|
@ -924,7 +924,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
len = le32_to_cpu(buf[0]);
|
||||
perdatum->value = le32_to_cpu(buf[1]);
|
||||
|
||||
key = kmalloc(len + 1,GFP_KERNEL);
|
||||
key = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!key) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -971,7 +971,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
comdatum->permissions.nprim = le32_to_cpu(buf[2]);
|
||||
nel = le32_to_cpu(buf[3]);
|
||||
|
||||
key = kmalloc(len + 1,GFP_KERNEL);
|
||||
key = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!key) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -998,7 +998,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
}
|
||||
|
||||
static int read_cons_helper(struct constraint_node **nodep, int ncons,
|
||||
int allowxtarget, void *fp)
|
||||
int allowxtarget, void *fp)
|
||||
{
|
||||
struct constraint_node *c, *lc;
|
||||
struct constraint_expr *e, *le;
|
||||
|
@ -1012,11 +1012,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
|
|||
if (!c)
|
||||
return -ENOMEM;
|
||||
|
||||
if (lc) {
|
||||
if (lc)
|
||||
lc->next = c;
|
||||
} else {
|
||||
else
|
||||
*nodep = c;
|
||||
}
|
||||
|
||||
rc = next_entry(buf, fp, (sizeof(u32) * 2));
|
||||
if (rc < 0)
|
||||
|
@ -1030,11 +1029,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
|
|||
if (!e)
|
||||
return -ENOMEM;
|
||||
|
||||
if (le) {
|
||||
if (le)
|
||||
le->next = e;
|
||||
} else {
|
||||
else
|
||||
c->expr = e;
|
||||
}
|
||||
|
||||
rc = next_entry(buf, fp, (sizeof(u32) * 3));
|
||||
if (rc < 0)
|
||||
|
@ -1111,7 +1109,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
|
||||
ncons = le32_to_cpu(buf[5]);
|
||||
|
||||
key = kmalloc(len + 1,GFP_KERNEL);
|
||||
key = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!key) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -1122,7 +1120,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
key[len] = 0;
|
||||
|
||||
if (len2) {
|
||||
cladatum->comkey = kmalloc(len2 + 1,GFP_KERNEL);
|
||||
cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
|
||||
if (!cladatum->comkey) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -1195,7 +1193,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
len = le32_to_cpu(buf[0]);
|
||||
role->value = le32_to_cpu(buf[1]);
|
||||
|
||||
key = kmalloc(len + 1,GFP_KERNEL);
|
||||
key = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!key) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -1215,7 +1213,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
|
||||
if (strcmp(key, OBJECT_R) == 0) {
|
||||
if (role->value != OBJECT_R_VAL) {
|
||||
printk(KERN_ERR "Role %s has wrong value %d\n",
|
||||
printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
|
||||
OBJECT_R, role->value);
|
||||
rc = -EINVAL;
|
||||
goto bad;
|
||||
|
@ -1242,7 +1240,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
__le32 buf[3];
|
||||
u32 len;
|
||||
|
||||
typdatum = kzalloc(sizeof(*typdatum),GFP_KERNEL);
|
||||
typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
|
||||
if (!typdatum) {
|
||||
rc = -ENOMEM;
|
||||
return rc;
|
||||
|
@ -1256,7 +1254,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
typdatum->value = le32_to_cpu(buf[1]);
|
||||
typdatum->primary = le32_to_cpu(buf[2]);
|
||||
|
||||
key = kmalloc(len + 1,GFP_KERNEL);
|
||||
key = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!key) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -1328,7 +1326,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
len = le32_to_cpu(buf[0]);
|
||||
usrdatum->value = le32_to_cpu(buf[1]);
|
||||
|
||||
key = kmalloc(len + 1,GFP_KERNEL);
|
||||
key = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!key) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -1382,7 +1380,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
len = le32_to_cpu(buf[0]);
|
||||
levdatum->isalias = le32_to_cpu(buf[1]);
|
||||
|
||||
key = kmalloc(len + 1,GFP_ATOMIC);
|
||||
key = kmalloc(len + 1, GFP_ATOMIC);
|
||||
if (!key) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -1434,7 +1432,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
|
|||
catdatum->value = le32_to_cpu(buf[1]);
|
||||
catdatum->isalias = le32_to_cpu(buf[2]);
|
||||
|
||||
key = kmalloc(len + 1,GFP_ATOMIC);
|
||||
key = kmalloc(len + 1, GFP_ATOMIC);
|
||||
if (!key) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -1493,7 +1491,7 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
goto out;
|
||||
|
||||
/* Read the magic number and string length. */
|
||||
rc = next_entry(buf, fp, sizeof(u32)* 2);
|
||||
rc = next_entry(buf, fp, sizeof(u32) * 2);
|
||||
if (rc < 0)
|
||||
goto bad;
|
||||
|
||||
|
@ -1511,7 +1509,7 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
len, strlen(POLICYDB_STRING));
|
||||
goto bad;
|
||||
}
|
||||
policydb_str = kmalloc(len + 1,GFP_KERNEL);
|
||||
policydb_str = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!policydb_str) {
|
||||
printk(KERN_ERR "SELinux: unable to allocate memory for policydb "
|
||||
"string of length %d\n", len);
|
||||
|
@ -1544,29 +1542,30 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
if (p->policyvers < POLICYDB_VERSION_MIN ||
|
||||
p->policyvers > POLICYDB_VERSION_MAX) {
|
||||
printk(KERN_ERR "SELinux: policydb version %d does not match "
|
||||
"my version range %d-%d\n",
|
||||
le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
|
||||
goto bad;
|
||||
"my version range %d-%d\n",
|
||||
le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
|
||||
goto bad;
|
||||
}
|
||||
|
||||
if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
|
||||
if (ss_initialized && !selinux_mls_enabled) {
|
||||
printk(KERN_ERR "Cannot switch between non-MLS and MLS "
|
||||
"policies\n");
|
||||
printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
|
||||
" and MLS policies\n");
|
||||
goto bad;
|
||||
}
|
||||
selinux_mls_enabled = 1;
|
||||
config |= POLICYDB_CONFIG_MLS;
|
||||
|
||||
if (p->policyvers < POLICYDB_VERSION_MLS) {
|
||||
printk(KERN_ERR "security policydb version %d (MLS) "
|
||||
"not backwards compatible\n", p->policyvers);
|
||||
printk(KERN_ERR "SELinux: security policydb version %d "
|
||||
"(MLS) not backwards compatible\n",
|
||||
p->policyvers);
|
||||
goto bad;
|
||||
}
|
||||
} else {
|
||||
if (ss_initialized && selinux_mls_enabled) {
|
||||
printk(KERN_ERR "Cannot switch between MLS and non-MLS "
|
||||
"policies\n");
|
||||
printk(KERN_ERR "SELinux: Cannot switch between MLS and"
|
||||
" non-MLS policies\n");
|
||||
goto bad;
|
||||
}
|
||||
}
|
||||
|
@ -1633,11 +1632,10 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
}
|
||||
if (ltr) {
|
||||
if (ltr)
|
||||
ltr->next = tr;
|
||||
} else {
|
||||
else
|
||||
p->role_tr = tr;
|
||||
}
|
||||
rc = next_entry(buf, fp, sizeof(u32)*3);
|
||||
if (rc < 0)
|
||||
goto bad;
|
||||
|
@ -1664,11 +1662,10 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
}
|
||||
if (lra) {
|
||||
if (lra)
|
||||
lra->next = ra;
|
||||
} else {
|
||||
else
|
||||
p->role_allow = ra;
|
||||
}
|
||||
rc = next_entry(buf, fp, sizeof(u32)*2);
|
||||
if (rc < 0)
|
||||
goto bad;
|
||||
|
@ -1702,11 +1699,10 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
}
|
||||
if (l) {
|
||||
if (l)
|
||||
l->next = c;
|
||||
} else {
|
||||
else
|
||||
p->ocontexts[i] = c;
|
||||
}
|
||||
l = c;
|
||||
rc = -EINVAL;
|
||||
switch (i) {
|
||||
|
@ -1725,7 +1721,7 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
if (rc < 0)
|
||||
goto bad;
|
||||
len = le32_to_cpu(buf[0]);
|
||||
c->u.name = kmalloc(len + 1,GFP_KERNEL);
|
||||
c->u.name = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!c->u.name) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -1753,7 +1749,7 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
goto bad;
|
||||
break;
|
||||
case OCON_NODE:
|
||||
rc = next_entry(buf, fp, sizeof(u32)* 2);
|
||||
rc = next_entry(buf, fp, sizeof(u32) * 2);
|
||||
if (rc < 0)
|
||||
goto bad;
|
||||
c->u.node.addr = le32_to_cpu(buf[0]);
|
||||
|
@ -1770,7 +1766,7 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
if (c->v.behavior > SECURITY_FS_USE_NONE)
|
||||
goto bad;
|
||||
len = le32_to_cpu(buf[1]);
|
||||
c->u.name = kmalloc(len + 1,GFP_KERNEL);
|
||||
c->u.name = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!c->u.name) {
|
||||
rc = -ENOMEM;
|
||||
goto bad;
|
||||
|
@ -1818,7 +1814,7 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
goto bad;
|
||||
}
|
||||
|
||||
newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL);
|
||||
newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!newgenfs->fstype) {
|
||||
rc = -ENOMEM;
|
||||
kfree(newgenfs);
|
||||
|
@ -1864,7 +1860,7 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
goto bad;
|
||||
}
|
||||
|
||||
newc->u.name = kmalloc(len + 1,GFP_KERNEL);
|
||||
newc->u.name = kmalloc(len + 1, GFP_KERNEL);
|
||||
if (!newc->u.name) {
|
||||
rc = -ENOMEM;
|
||||
goto bad_newc;
|
||||
|
@ -1968,7 +1964,7 @@ int policydb_read(struct policydb *p, void *fp)
|
|||
out:
|
||||
return rc;
|
||||
bad_newc:
|
||||
ocontext_destroy(newc,OCON_FSUSE);
|
||||
ocontext_destroy(newc, OCON_FSUSE);
|
||||
bad:
|
||||
if (!rc)
|
||||
rc = -EINVAL;
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
* Implementation of the security services.
|
||||
*
|
||||
* Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
|
||||
* James Morris <jmorris@redhat.com>
|
||||
* James Morris <jmorris@redhat.com>
|
||||
*
|
||||
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
|
||||
*
|
||||
|
@ -11,7 +11,7 @@
|
|||
*
|
||||
* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
|
||||
*
|
||||
* Added conditional policy language extensions
|
||||
* Added conditional policy language extensions
|
||||
*
|
||||
* Updated: Hewlett-Packard <paul.moore@hp.com>
|
||||
*
|
||||
|
@ -27,7 +27,7 @@
|
|||
* Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
|
||||
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, version 2.
|
||||
*/
|
||||
#include <linux/kernel.h>
|
||||
|
@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex);
|
|||
|
||||
static struct sidtab sidtab;
|
||||
struct policydb policydb;
|
||||
int ss_initialized = 0;
|
||||
int ss_initialized;
|
||||
|
||||
/*
|
||||
* The largest sequence number that has been used when
|
||||
|
@ -90,7 +90,7 @@ int ss_initialized = 0;
|
|||
* The sequence number only changes when a policy change
|
||||
* occurs.
|
||||
*/
|
||||
static u32 latest_granting = 0;
|
||||
static u32 latest_granting;
|
||||
|
||||
/* Forward declaration. */
|
||||
static int context_struct_to_string(struct context *context, char **scontext,
|
||||
|
@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext,
|
|||
val1 - 1);
|
||||
continue;
|
||||
case CEXPR_INCOMP:
|
||||
s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
|
||||
val2 - 1) &&
|
||||
!ebitmap_get_bit(&r2->dominates,
|
||||
val1 - 1) );
|
||||
s[++sp] = (!ebitmap_get_bit(&r1->dominates,
|
||||
val2 - 1) &&
|
||||
!ebitmap_get_bit(&r2->dominates,
|
||||
val1 - 1));
|
||||
continue;
|
||||
default:
|
||||
break;
|
||||
|
@ -409,13 +409,14 @@ static int context_struct_compute_av(struct context *scontext,
|
|||
}
|
||||
if (!ra)
|
||||
avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
|
||||
PROCESS__DYNTRANSITION);
|
||||
PROCESS__DYNTRANSITION);
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
inval_class:
|
||||
printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
|
||||
tclass);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
@ -445,9 +446,9 @@ int security_permissive_sid(u32 sid)
|
|||
}
|
||||
|
||||
static int security_validtrans_handle_fail(struct context *ocontext,
|
||||
struct context *ncontext,
|
||||
struct context *tcontext,
|
||||
u16 tclass)
|
||||
struct context *ncontext,
|
||||
struct context *tcontext,
|
||||
u16 tclass)
|
||||
{
|
||||
char *o = NULL, *n = NULL, *t = NULL;
|
||||
u32 olen, nlen, tlen;
|
||||
|
@ -459,9 +460,9 @@ static int security_validtrans_handle_fail(struct context *ocontext,
|
|||
if (context_struct_to_string(tcontext, &t, &tlen) < 0)
|
||||
goto out;
|
||||
audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
|
||||
"security_validate_transition: denied for"
|
||||
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
|
||||
o, n, t, policydb.p_class_val_to_name[tclass-1]);
|
||||
"security_validate_transition: denied for"
|
||||
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
|
||||
o, n, t, policydb.p_class_val_to_name[tclass-1]);
|
||||
out:
|
||||
kfree(o);
|
||||
kfree(n);
|
||||
|
@ -473,7 +474,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
|
|||
}
|
||||
|
||||
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
|
||||
u16 tclass)
|
||||
u16 tclass)
|
||||
{
|
||||
struct context *ocontext;
|
||||
struct context *ncontext;
|
||||
|
@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
|
|||
tclass = SECCLASS_NETLINK_SOCKET;
|
||||
|
||||
if (!tclass || tclass > policydb.p_classes.nprim) {
|
||||
printk(KERN_ERR "security_validate_transition: "
|
||||
"unrecognized class %d\n", tclass);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
|
||||
__func__, tclass);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
|
|||
|
||||
ocontext = sidtab_search(&sidtab, oldsid);
|
||||
if (!ocontext) {
|
||||
printk(KERN_ERR "security_validate_transition: "
|
||||
" unrecognized SID %d\n", oldsid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, oldsid);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ncontext = sidtab_search(&sidtab, newsid);
|
||||
if (!ncontext) {
|
||||
printk(KERN_ERR "security_validate_transition: "
|
||||
" unrecognized SID %d\n", newsid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, newsid);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
tcontext = sidtab_search(&sidtab, tasksid);
|
||||
if (!tcontext) {
|
||||
printk(KERN_ERR "security_validate_transition: "
|
||||
" unrecognized SID %d\n", tasksid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, tasksid);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
@ -533,9 +534,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
|
|||
constraint = tclass_datum->validatetrans;
|
||||
while (constraint) {
|
||||
if (!constraint_expr_eval(ocontext, ncontext, tcontext,
|
||||
constraint->expr)) {
|
||||
constraint->expr)) {
|
||||
rc = security_validtrans_handle_fail(ocontext, ncontext,
|
||||
tcontext, tclass);
|
||||
tcontext, tclass);
|
||||
goto out;
|
||||
}
|
||||
constraint = constraint->next;
|
||||
|
@ -581,15 +582,15 @@ int security_compute_av(u32 ssid,
|
|||
|
||||
scontext = sidtab_search(&sidtab, ssid);
|
||||
if (!scontext) {
|
||||
printk(KERN_ERR "security_compute_av: unrecognized SID %d\n",
|
||||
ssid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, ssid);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
tcontext = sidtab_search(&sidtab, tsid);
|
||||
if (!tcontext) {
|
||||
printk(KERN_ERR "security_compute_av: unrecognized SID %d\n",
|
||||
tsid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, tsid);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
@ -623,9 +624,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
|
|||
|
||||
/* Allocate space for the context; caller must free this space. */
|
||||
scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
|
||||
if (!scontextp) {
|
||||
if (!scontextp)
|
||||
return -ENOMEM;
|
||||
}
|
||||
*scontext = scontextp;
|
||||
|
||||
/*
|
||||
|
@ -636,8 +636,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
|
|||
policydb.p_role_val_to_name[context->role - 1],
|
||||
policydb.p_type_val_to_name[context->type - 1]);
|
||||
scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
|
||||
1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
|
||||
1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
|
||||
1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
|
||||
1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
|
||||
|
||||
mls_sid_to_context(context, &scontextp);
|
||||
|
||||
|
@ -678,7 +678,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
|
|||
char *scontextp;
|
||||
|
||||
*scontext_len = strlen(initial_sid_to_string[sid]) + 1;
|
||||
scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
|
||||
scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
|
||||
if (!scontextp) {
|
||||
rc = -ENOMEM;
|
||||
goto out;
|
||||
|
@ -687,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
|
|||
*scontext = scontextp;
|
||||
goto out;
|
||||
}
|
||||
printk(KERN_ERR "security_sid_to_context: called before initial "
|
||||
"load_policy on unknown SID %d\n", sid);
|
||||
printk(KERN_ERR "SELinux: %s: called before initial "
|
||||
"load_policy on unknown SID %d\n", __func__, sid);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
POLICY_RDLOCK;
|
||||
context = sidtab_search(&sidtab, sid);
|
||||
if (!context) {
|
||||
printk(KERN_ERR "security_sid_to_context: unrecognized SID "
|
||||
"%d\n", sid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, sid);
|
||||
rc = -EINVAL;
|
||||
goto out_unlock;
|
||||
}
|
||||
|
@ -926,15 +926,15 @@ static int security_compute_sid(u32 ssid,
|
|||
|
||||
scontext = sidtab_search(&sidtab, ssid);
|
||||
if (!scontext) {
|
||||
printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n",
|
||||
ssid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, ssid);
|
||||
rc = -EINVAL;
|
||||
goto out_unlock;
|
||||
}
|
||||
tcontext = sidtab_search(&sidtab, tsid);
|
||||
if (!tcontext) {
|
||||
printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n",
|
||||
tsid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, tsid);
|
||||
rc = -EINVAL;
|
||||
goto out_unlock;
|
||||
}
|
||||
|
@ -974,7 +974,7 @@ static int security_compute_sid(u32 ssid,
|
|||
avdatum = avtab_search(&policydb.te_avtab, &avkey);
|
||||
|
||||
/* If no permanent rule, also check for enabled conditional rules */
|
||||
if(!avdatum) {
|
||||
if (!avdatum) {
|
||||
node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
|
||||
for (; node != NULL; node = avtab_search_node_next(node, specified)) {
|
||||
if (node->key.specified & AVTAB_ENABLED) {
|
||||
|
@ -1288,26 +1288,23 @@ static int convert_context(u32 key,
|
|||
|
||||
/* Convert the user. */
|
||||
usrdatum = hashtab_search(args->newp->p_users.table,
|
||||
args->oldp->p_user_val_to_name[c->user - 1]);
|
||||
if (!usrdatum) {
|
||||
args->oldp->p_user_val_to_name[c->user - 1]);
|
||||
if (!usrdatum)
|
||||
goto bad;
|
||||
}
|
||||
c->user = usrdatum->value;
|
||||
|
||||
/* Convert the role. */
|
||||
role = hashtab_search(args->newp->p_roles.table,
|
||||
args->oldp->p_role_val_to_name[c->role - 1]);
|
||||
if (!role) {
|
||||
args->oldp->p_role_val_to_name[c->role - 1]);
|
||||
if (!role)
|
||||
goto bad;
|
||||
}
|
||||
c->role = role->value;
|
||||
|
||||
/* Convert the type. */
|
||||
typdatum = hashtab_search(args->newp->p_types.table,
|
||||
args->oldp->p_type_val_to_name[c->type - 1]);
|
||||
if (!typdatum) {
|
||||
args->oldp->p_type_val_to_name[c->type - 1]);
|
||||
if (!typdatum)
|
||||
goto bad;
|
||||
}
|
||||
c->type = typdatum->value;
|
||||
|
||||
rc = mls_convert_context(args->oldp, args->newp, c);
|
||||
|
@ -1556,8 +1553,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
|
|||
{
|
||||
int i, fail = 0;
|
||||
|
||||
for(i = 0; i < 4; i++)
|
||||
if(addr[i] != (input[i] & mask[i])) {
|
||||
for (i = 0; i < 4; i++)
|
||||
if (addr[i] != (input[i] & mask[i])) {
|
||||
fail = 1;
|
||||
break;
|
||||
}
|
||||
|
@ -1656,7 +1653,7 @@ int security_node_sid(u16 domain,
|
|||
*/
|
||||
|
||||
int security_get_user_sids(u32 fromsid,
|
||||
char *username,
|
||||
char *username,
|
||||
u32 **sids,
|
||||
u32 *nel)
|
||||
{
|
||||
|
@ -1766,7 +1763,7 @@ int security_get_user_sids(u32 fromsid,
|
|||
* transition SIDs or task SIDs.
|
||||
*/
|
||||
int security_genfs_sid(const char *fstype,
|
||||
char *path,
|
||||
char *path,
|
||||
u16 sclass,
|
||||
u32 *sid)
|
||||
{
|
||||
|
@ -1881,7 +1878,7 @@ int security_get_bools(int *len, char ***names, int **values)
|
|||
goto out;
|
||||
}
|
||||
|
||||
*names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
|
||||
*names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
|
||||
if (!*names)
|
||||
goto err;
|
||||
|
||||
|
@ -1893,7 +1890,7 @@ int security_get_bools(int *len, char ***names, int **values)
|
|||
size_t name_len;
|
||||
(*values)[i] = policydb.bool_val_to_struct[i]->state;
|
||||
name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
|
||||
(*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
|
||||
(*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
|
||||
if (!(*names)[i])
|
||||
goto err;
|
||||
strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
|
||||
|
@ -1938,11 +1935,10 @@ int security_set_bools(int len, int *values)
|
|||
audit_get_loginuid(current),
|
||||
audit_get_sessionid(current));
|
||||
}
|
||||
if (values[i]) {
|
||||
if (values[i])
|
||||
policydb.bool_val_to_struct[i]->state = 1;
|
||||
} else {
|
||||
else
|
||||
policydb.bool_val_to_struct[i]->state = 0;
|
||||
}
|
||||
}
|
||||
|
||||
for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
|
||||
|
@ -2036,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
|
|||
POLICY_RDLOCK;
|
||||
context1 = sidtab_search(&sidtab, sid);
|
||||
if (!context1) {
|
||||
printk(KERN_ERR "security_sid_mls_copy: unrecognized SID "
|
||||
"%d\n", sid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, sid);
|
||||
rc = -EINVAL;
|
||||
goto out_unlock;
|
||||
}
|
||||
|
||||
context2 = sidtab_search(&sidtab, mls_sid);
|
||||
if (!context2) {
|
||||
printk(KERN_ERR "security_sid_mls_copy: unrecognized SID "
|
||||
"%d\n", mls_sid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, mls_sid);
|
||||
rc = -EINVAL;
|
||||
goto out_unlock;
|
||||
}
|
||||
|
@ -2136,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
|
|||
|
||||
nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
|
||||
if (!nlbl_ctx) {
|
||||
printk(KERN_ERR
|
||||
"security_sid_mls_cmp: unrecognized SID %d\n",
|
||||
nlbl_sid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, nlbl_sid);
|
||||
rc = -EINVAL;
|
||||
goto out_slowpath;
|
||||
}
|
||||
xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
|
||||
if (!xfrm_ctx) {
|
||||
printk(KERN_ERR
|
||||
"security_sid_mls_cmp: unrecognized SID %d\n",
|
||||
xfrm_sid);
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, xfrm_sid);
|
||||
rc = -EINVAL;
|
||||
goto out_slowpath;
|
||||
}
|
||||
|
@ -2226,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
|
|||
|
||||
match = hashtab_search(policydb.p_classes.table, class);
|
||||
if (!match) {
|
||||
printk(KERN_ERR "%s: unrecognized class %s\n",
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized class %s\n",
|
||||
__func__, class);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
|
@ -2435,7 +2429,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
|
|||
|
||||
if (!rule) {
|
||||
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
|
||||
"selinux_audit_rule_match: missing rule\n");
|
||||
"selinux_audit_rule_match: missing rule\n");
|
||||
return -ENOENT;
|
||||
}
|
||||
|
||||
|
@ -2443,7 +2437,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
|
|||
|
||||
if (rule->au_seqno < latest_granting) {
|
||||
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
|
||||
"selinux_audit_rule_match: stale rule\n");
|
||||
"selinux_audit_rule_match: stale rule\n");
|
||||
match = -ESTALE;
|
||||
goto out;
|
||||
}
|
||||
|
@ -2451,8 +2445,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
|
|||
ctxt = sidtab_search(&sidtab, sid);
|
||||
if (!ctxt) {
|
||||
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
|
||||
"selinux_audit_rule_match: unrecognized SID %d\n",
|
||||
sid);
|
||||
"selinux_audit_rule_match: unrecognized SID %d\n",
|
||||
sid);
|
||||
match = -ENOENT;
|
||||
goto out;
|
||||
}
|
||||
|
@ -2498,36 +2492,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
|
|||
case AUDIT_OBJ_LEV_LOW:
|
||||
case AUDIT_OBJ_LEV_HIGH:
|
||||
level = ((field == AUDIT_SUBJ_SEN ||
|
||||
field == AUDIT_OBJ_LEV_LOW) ?
|
||||
&ctxt->range.level[0] : &ctxt->range.level[1]);
|
||||
field == AUDIT_OBJ_LEV_LOW) ?
|
||||
&ctxt->range.level[0] : &ctxt->range.level[1]);
|
||||
switch (op) {
|
||||
case AUDIT_EQUAL:
|
||||
match = mls_level_eq(&rule->au_ctxt.range.level[0],
|
||||
level);
|
||||
level);
|
||||
break;
|
||||
case AUDIT_NOT_EQUAL:
|
||||
match = !mls_level_eq(&rule->au_ctxt.range.level[0],
|
||||
level);
|
||||
level);
|
||||
break;
|
||||
case AUDIT_LESS_THAN:
|
||||
match = (mls_level_dom(&rule->au_ctxt.range.level[0],
|
||||
level) &&
|
||||
!mls_level_eq(&rule->au_ctxt.range.level[0],
|
||||
level));
|
||||
level) &&
|
||||
!mls_level_eq(&rule->au_ctxt.range.level[0],
|
||||
level));
|
||||
break;
|
||||
case AUDIT_LESS_THAN_OR_EQUAL:
|
||||
match = mls_level_dom(&rule->au_ctxt.range.level[0],
|
||||
level);
|
||||
level);
|
||||
break;
|
||||
case AUDIT_GREATER_THAN:
|
||||
match = (mls_level_dom(level,
|
||||
&rule->au_ctxt.range.level[0]) &&
|
||||
!mls_level_eq(level,
|
||||
&rule->au_ctxt.range.level[0]));
|
||||
&rule->au_ctxt.range.level[0]) &&
|
||||
!mls_level_eq(level,
|
||||
&rule->au_ctxt.range.level[0]));
|
||||
break;
|
||||
case AUDIT_GREATER_THAN_OR_EQUAL:
|
||||
match = mls_level_dom(level,
|
||||
&rule->au_ctxt.range.level[0]);
|
||||
&rule->au_ctxt.range.level[0]);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
@ -2554,7 +2548,7 @@ static int __init aurule_init(void)
|
|||
int err;
|
||||
|
||||
err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
|
||||
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
|
||||
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
|
||||
if (err)
|
||||
panic("avc_add_callback() failed, error %d\n", err);
|
||||
|
||||
|
|
|
@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s,
|
|||
while (cur != NULL) {
|
||||
ret = apply(cur->sid, &cur->context, args);
|
||||
if (ret) {
|
||||
if (last) {
|
||||
if (last)
|
||||
last->next = cur->next;
|
||||
} else {
|
||||
else
|
||||
s->htable[i] = cur->next;
|
||||
}
|
||||
|
||||
temp = cur;
|
||||
cur = cur->next;
|
||||
context_destroy(&temp->context);
|
||||
|
|
|
@ -180,8 +180,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
|
|||
|
||||
if (!ckall)
|
||||
break;
|
||||
}
|
||||
else if (*sid != ctx->ctx_sid)
|
||||
} else if (*sid != ctx->ctx_sid)
|
||||
return -EINVAL;
|
||||
}
|
||||
}
|
||||
|
@ -326,8 +325,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
|
|||
*/
|
||||
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
|
||||
{
|
||||
if (ctx)
|
||||
kfree(ctx);
|
||||
kfree(ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -372,8 +370,7 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
|
|||
void selinux_xfrm_state_free(struct xfrm_state *x)
|
||||
{
|
||||
struct xfrm_sec_ctx *ctx = x->security;
|
||||
if (ctx)
|
||||
kfree(ctx);
|
||||
kfree(ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
Loading…
Reference in a new issue