Commit 828dfe1d authored by Eric Paris's avatar Eric Paris Committed by James Morris

SELinux: whitespace and formating fixes for hooks.c

All whitespace and formatting.  Nothing interesting to see here.  About
the only thing to remember is that we aren't supposed to initialize
static variables to 0/NULL.  It is done for us and doing it ourselves
puts them in a different section.

With this patch running checkpatch.pl against hooks.c only gives us
complaints about busting the 80 character limit and declaring externs
in .c files.  Apparently they don't like it, but I don't feel like going
to the trouble of moving those to .h files...
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 744ba35e
...@@ -4,22 +4,22 @@ ...@@ -4,22 +4,22 @@
* This file contains the SELinux hook function implementations. * This file contains the SELinux hook function implementations.
* *
* Authors: Stephen Smalley, <sds@epoch.ncsc.mil> * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
* Chris Vance, <cvance@nai.com> * Chris Vance, <cvance@nai.com>
* Wayne Salamon, <wsalamon@nai.com> * Wayne Salamon, <wsalamon@nai.com>
* James Morris <jmorris@redhat.com> * James Morris <jmorris@redhat.com>
* *
* Copyright (C) 2001,2002 Networks Associates Technology, Inc. * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* <dgoeddel@trustedcs.com> * <dgoeddel@trustedcs.com>
* Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
* Paul Moore <paul.moore@hp.com> * Paul Moore <paul.moore@hp.com>
* Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
* Yuichi Nakamura <ynakam@hitachisoft.jp> * Yuichi Nakamura <ynakam@hitachisoft.jp>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2, * it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation. * as published by the Free Software Foundation.
*/ */
#include <linux/init.h> #include <linux/init.h>
...@@ -99,11 +99,11 @@ extern struct security_operations *security_ops; ...@@ -99,11 +99,11 @@ extern struct security_operations *security_ops;
atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
int selinux_enforcing = 0; int selinux_enforcing;
static int __init enforcing_setup(char *str) static int __init enforcing_setup(char *str)
{ {
selinux_enforcing = simple_strtol(str,NULL,0); selinux_enforcing = simple_strtol(str, NULL, 0);
return 1; return 1;
} }
__setup("enforcing=", enforcing_setup); __setup("enforcing=", enforcing_setup);
...@@ -123,13 +123,13 @@ int selinux_enabled = 1; ...@@ -123,13 +123,13 @@ int selinux_enabled = 1;
#endif #endif
/* Original (dummy) security module. */ /* Original (dummy) security module. */
static struct security_operations *original_ops = NULL; static struct security_operations *original_ops;
/* Minimal support for a secondary security module, /* Minimal support for a secondary security module,
just to allow the use of the dummy or capability modules. just to allow the use of the dummy or capability modules.
The owlsm module can alternatively be used as a secondary The owlsm module can alternatively be used as a secondary
module as long as CONFIG_OWLSM_FD is not enabled. */ module as long as CONFIG_OWLSM_FD is not enabled. */
static struct security_operations *secondary_ops = NULL; static struct security_operations *secondary_ops;
/* Lists of inode and superblock security structures initialized /* Lists of inode and superblock security structures initialized
before the policy was loaded. */ before the policy was loaded. */
...@@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de, ...@@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de,
int buflen, rc; int buflen, rc;
char *buffer, *path, *end; char *buffer, *path, *end;
buffer = (char*)__get_free_page(GFP_KERNEL); buffer = (char *)__get_free_page(GFP_KERNEL);
if (!buffer) if (!buffer)
return -ENOMEM; return -ENOMEM;
...@@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk, ...@@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk,
tsec = tsk->security; tsec = tsk->security;
AVC_AUDIT_DATA_INIT(&ad,CAP); AVC_AUDIT_DATA_INIT(&ad, CAP);
ad.tsk = tsk; ad.tsk = tsk;
ad.u.cap = cap; ad.u.cap = cap;
...@@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk, ...@@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk,
struct inode_security_struct *isec; struct inode_security_struct *isec;
struct avc_audit_data ad; struct avc_audit_data ad;
if (unlikely (IS_PRIVATE (inode))) if (unlikely(IS_PRIVATE(inode)))
return 0; return 0;
tsec = tsk->security; tsec = tsk->security;
...@@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk, ...@@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk,
{ {
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
struct avc_audit_data ad; struct avc_audit_data ad;
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.mnt = mnt; ad.u.fs.path.mnt = mnt;
ad.u.fs.path.dentry = dentry; ad.u.fs.path.dentry = dentry;
return inode_has_perm(tsk, inode, av, &ad); return inode_has_perm(tsk, inode, av, &ad);
...@@ -1470,9 +1470,9 @@ static int may_create_key(u32 ksid, ...@@ -1470,9 +1470,9 @@ static int may_create_key(u32 ksid,
return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
} }
#define MAY_LINK 0 #define MAY_LINK 0
#define MAY_UNLINK 1 #define MAY_UNLINK 1
#define MAY_RMDIR 2 #define MAY_RMDIR 2
/* Check whether a task can link, unlink, or rmdir a file/directory. */ /* Check whether a task can link, unlink, or rmdir a file/directory. */
static int may_link(struct inode *dir, static int may_link(struct inode *dir,
...@@ -1676,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) ...@@ -1676,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
{ {
int rc; int rc;
rc = secondary_ops->ptrace(parent,child); rc = secondary_ops->ptrace(parent, child);
if (rc) if (rc)
return rc; return rc;
...@@ -1684,7 +1684,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) ...@@ -1684,7 +1684,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
} }
static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted) kernel_cap_t *inheritable, kernel_cap_t *permitted)
{ {
int error; int error;
...@@ -1696,7 +1696,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, ...@@ -1696,7 +1696,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
} }
static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted) kernel_cap_t *inheritable, kernel_cap_t *permitted)
{ {
int error; int error;
...@@ -1708,7 +1708,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect ...@@ -1708,7 +1708,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect
} }
static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted) kernel_cap_t *inheritable, kernel_cap_t *permitted)
{ {
secondary_ops->capset_set(target, effective, inheritable, permitted); secondary_ops->capset_set(target, effective, inheritable, permitted);
} }
...@@ -1721,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap) ...@@ -1721,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap)
if (rc) if (rc)
return rc; return rc;
return task_has_capability(tsk,cap); return task_has_capability(tsk, cap);
} }
static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
...@@ -1730,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) ...@@ -1730,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
char *buffer, *path, *end; char *buffer, *path, *end;
rc = -ENOMEM; rc = -ENOMEM;
buffer = (char*)__get_free_page(GFP_KERNEL); buffer = (char *)__get_free_page(GFP_KERNEL);
if (!buffer) if (!buffer)
goto out; goto out;
...@@ -1788,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op) ...@@ -1788,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op)
/* The op values are "defined" in sysctl.c, thereby creating /* The op values are "defined" in sysctl.c, thereby creating
* a bad coupling between this module and sysctl.c */ * a bad coupling between this module and sysctl.c */
if(op == 001) { if (op == 001) {
error = avc_has_perm(tsec->sid, tsid, error = avc_has_perm(tsec->sid, tsid,
SECCLASS_DIR, DIR__SEARCH, NULL); SECCLASS_DIR, DIR__SEARCH, NULL);
} else { } else {
...@@ -1800,7 +1800,7 @@ static int selinux_sysctl(ctl_table *table, int op) ...@@ -1800,7 +1800,7 @@ static int selinux_sysctl(ctl_table *table, int op)
if (av) if (av)
error = avc_has_perm(tsec->sid, tsid, error = avc_has_perm(tsec->sid, tsid,
SECCLASS_FILE, av, NULL); SECCLASS_FILE, av, NULL);
} }
return error; return error;
} }
...@@ -1813,25 +1813,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) ...@@ -1813,25 +1813,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
return 0; return 0;
switch (cmds) { switch (cmds) {
case Q_SYNC: case Q_SYNC:
case Q_QUOTAON: case Q_QUOTAON:
case Q_QUOTAOFF: case Q_QUOTAOFF:
case Q_SETINFO: case Q_SETINFO:
case Q_SETQUOTA: case Q_SETQUOTA:
rc = superblock_has_perm(current, rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
sb, NULL);
FILESYSTEM__QUOTAMOD, NULL); break;
break; case Q_GETFMT:
case Q_GETFMT: case Q_GETINFO:
case Q_GETINFO: case Q_GETQUOTA:
case Q_GETQUOTA: rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
rc = superblock_has_perm(current, NULL);
sb, break;
FILESYSTEM__QUOTAGET, NULL); default:
break; rc = 0; /* let the kernel handle invalid cmds */
default: break;
rc = 0; /* let the kernel handle invalid cmds */
break;
} }
return rc; return rc;
} }
...@@ -1850,23 +1848,23 @@ static int selinux_syslog(int type) ...@@ -1850,23 +1848,23 @@ static int selinux_syslog(int type)
return rc; return rc;
switch (type) { switch (type) {
case 3: /* Read last kernel messages */ case 3: /* Read last kernel messages */
case 10: /* Return size of the log buffer */ case 10: /* Return size of the log buffer */
rc = task_has_system(current, SYSTEM__SYSLOG_READ); rc = task_has_system(current, SYSTEM__SYSLOG_READ);
break; break;
case 6: /* Disable logging to console */ case 6: /* Disable logging to console */
case 7: /* Enable logging to console */ case 7: /* Enable logging to console */
case 8: /* Set level of messages printed to console */ case 8: /* Set level of messages printed to console */
rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
break; break;
case 0: /* Close log */ case 0: /* Close log */
case 1: /* Open log */ case 1: /* Open log */
case 2: /* Read from log */ case 2: /* Read from log */
case 4: /* Read/clear last kernel messages */ case 4: /* Read/clear last kernel messages */
case 5: /* Clear ring buffer */ case 5: /* Clear ring buffer */
default: default:
rc = task_has_system(current, SYSTEM__SYSLOG_MOD); rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
break; break;
} }
return rc; return rc;
} }
...@@ -1972,7 +1970,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) ...@@ -1972,7 +1970,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
} else { } else {
/* Check for a default transition on this program. */ /* Check for a default transition on this program. */
rc = security_transition_sid(tsec->sid, isec->sid, rc = security_transition_sid(tsec->sid, isec->sid,
SECCLASS_PROCESS, &newsid); SECCLASS_PROCESS, &newsid);
if (rc) if (rc)
return rc; return rc;
} }
...@@ -1983,7 +1981,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) ...@@ -1983,7 +1981,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
newsid = tsec->sid; newsid = tsec->sid;
if (tsec->sid == newsid) { if (tsec->sid == newsid) {
rc = avc_has_perm(tsec->sid, isec->sid, rc = avc_has_perm(tsec->sid, isec->sid,
SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
if (rc) if (rc)
...@@ -2011,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) ...@@ -2011,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
return 0; return 0;
} }
static int selinux_bprm_check_security (struct linux_binprm *bprm) static int selinux_bprm_check_security(struct linux_binprm *bprm)
{ {
return secondary_ops->bprm_check_security(bprm); return secondary_ops->bprm_check_security(bprm);
} }
static int selinux_bprm_secureexec (struct linux_binprm *bprm) static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{ {
struct task_security_struct *tsec = current->security; struct task_security_struct *tsec = current->security;
int atsecure = 0; int atsecure = 0;
...@@ -2044,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount; ...@@ -2044,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount;
extern struct dentry *selinux_null; extern struct dentry *selinux_null;
/* Derived from fs/exec.c:flush_old_files. */ /* Derived from fs/exec.c:flush_old_files. */
static inline void flush_unauthorized_files(struct files_struct * files) static inline void flush_unauthorized_files(struct files_struct *files)
{ {
struct avc_audit_data ad; struct avc_audit_data ad;
struct file *file, *devnull = NULL; struct file *file, *devnull = NULL;
...@@ -2079,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) ...@@ -2079,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
/* Revalidate access to inherited open files. */ /* Revalidate access to inherited open files. */
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
spin_lock(&files->file_lock); spin_lock(&files->file_lock);
for (;;) { for (;;) {
...@@ -2095,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) ...@@ -2095,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
if (!set) if (!set)
continue; continue;
spin_unlock(&files->file_lock); spin_unlock(&files->file_lock);
for ( ; set ; i++,set >>= 1) { for ( ; set ; i++, set >>= 1) {
if (set & 1) { if (set & 1) {
file = fget(i); file = fget(i);
if (!file) if (!file)
...@@ -2252,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) ...@@ -2252,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
for (i = 0; i < RLIM_NLIMITS; i++) { for (i = 0; i < RLIM_NLIMITS; i++) {
rlim = current->signal->rlim + i; rlim = current->signal->rlim + i;
initrlim = init_task.signal->rlim+i; initrlim = init_task.signal->rlim+i;
rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
} }
if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
/* /*
...@@ -2307,16 +2305,15 @@ static inline void take_option(char **to, char *from, int *first, int len) ...@@ -2307,16 +2305,15 @@ static inline void take_option(char **to, char *from, int *first, int len)
*to += len; *to += len;
} }
static inline void take_selinux_option(char **to, char *from, int *first, static inline void take_selinux_option(char **to, char *from, int *first,
int len) int len)
{ {
int current_size = 0; int current_size = 0;
if (!*first) { if (!*first) {
**to = '|'; **to = '|';
*to += 1; *to += 1;
} } else
else
*first = 0; *first = 0;
while (current_size < len) { while (current_size < len) {
...@@ -2380,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data) ...@@ -2380,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
if (rc) if (rc)
return rc; return rc;
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.dentry = sb->s_root; ad.u.fs.path.dentry = sb->s_root;
return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
} }
...@@ -2389,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry) ...@@ -2389,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry)
{ {
struct avc_audit_data ad; struct avc_audit_data ad;
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.dentry = dentry->d_sb->s_root; ad.u.fs.path.dentry = dentry->d_sb->s_root;
return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
} }
static int selinux_mount(char * dev_name, static int selinux_mount(char *dev_name,
struct nameidata *nd, struct nameidata *nd,
char * type, char *type,
unsigned long flags, unsigned long flags,
void * data) void *data)
{ {
int rc; int rc;
...@@ -2408,10 +2405,10 @@ static int selinux_mount(char * dev_name, ...@@ -2408,10 +2405,10 @@ static int selinux_mount(char * dev_name,
if (flags & MS_REMOUNT) if (flags & MS_REMOUNT)
return superblock_has_perm(current, nd->path.mnt->mnt_sb, return superblock_has_perm(current, nd->path.mnt->mnt_sb,
FILESYSTEM__REMOUNT, NULL); FILESYSTEM__REMOUNT, NULL);
else else
return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
FILE__MOUNTON); FILE__MOUNTON);
} }
static int selinux_umount(struct vfsmount *mnt, int flags) static int selinux_umount(struct vfsmount *mnt, int flags)
...@@ -2422,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags) ...@@ -2422,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags)
if (rc) if (rc)
return rc; return rc;
return superblock_has_perm(current,mnt->mnt_sb, return superblock_has_perm(current, mnt->mnt_sb,
FILESYSTEM__UNMOUNT,NULL); FILESYSTEM__UNMOUNT, NULL);
} }
/* inode security operations */ /* inode security operations */
...@@ -2509,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru ...@@ -2509,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru
{ {
int rc; int rc;
rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
if (rc) if (rc)
return rc; return rc;
return may_link(dir, old_dentry, MAY_LINK); return may_link(dir, old_dentry, MAY_LINK);
...@@ -2552,7 +2549,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod ...@@ -2552,7 +2549,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
} }
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
struct inode *new_inode, struct dentry *new_dentry) struct inode *new_inode, struct dentry *new_dentry)
{ {
return may_rename(old_inode, old_dentry, new_inode, new_dentry); return may_rename(old_inode, old_dentry, new_inode, new_dentry);
} }
...@@ -2566,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na ...@@ -2566,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
{ {
int rc; int rc;
rc = secondary_ops->inode_follow_link(dentry,nameidata); rc = secondary_ops->inode_follow_link(dentry, nameidata);
if (rc) if (rc)
return rc; return rc;
return dentry_has_perm(current, NULL, dentry, FILE__READ); return dentry_has_perm(current, NULL, dentry, FILE__READ);
...@@ -2652,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value ...@@ -2652,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
if (!is_owner_or_cap(inode)) if (!is_owner_or_cap(inode))
return -EPERM; return -EPERM;
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.dentry = dentry; ad.u.fs.path.dentry = dentry;
rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
...@@ -2670,7 +2667,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value ...@@ -2670,7 +2667,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
return rc; return rc;
rc = security_validate_transition(isec->sid, newsid, tsec->sid, rc = security_validate_transition(isec->sid, newsid, tsec->sid,
isec->sclass); isec->sclass);
if (rc) if (rc)
return rc; return rc;
...@@ -2682,7 +2679,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value ...@@ -2682,7 +2679,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
} }
static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
void *value, size_t size, int flags) void *value, size_t size, int flags)
{ {
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
struct inode_security_struct *isec = inode->i_security; struct inode_security_struct *isec = inode->i_security;
...@@ -2705,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, ...@@ -2705,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
return; return;
} }
static int selinux_inode_getxattr (struct dentry *dentry, char *name) static int selinux_inode_getxattr(struct dentry *dentry, char *name)
{ {
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
} }
static int selinux_inode_listxattr (struct dentry *dentry) static int selinux_inode_listxattr(struct dentry *dentry)
{ {
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
} }
static int selinux_inode_removexattr (struct dentry *dentry, char *name) static int selinux_inode_removexattr(struct dentry *dentry, char *name)
{ {
if (strcmp(name, XATTR_NAME_SELINUX)) if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name); return selinux_inode_setotherxattr(dentry, name);
...@@ -2756,7 +2753,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name ...@@ -2756,7 +2753,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
} }
static int selinux_inode_setsecurity(struct inode *inode, const char *name, static int selinux_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags) const void *value, size_t size, int flags)
{ {
struct inode_security_struct *isec = inode->i_security; struct inode_security_struct *isec = inode->i_security;
u32 newsid; u32 newsid;
...@@ -2768,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, ...@@ -2768,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
if (!value || !size) if (!value || !size)
return -EACCES; return -EACCES;
rc = security_context_to_sid((void*)value, size, &newsid); rc = security_context_to_sid((void *)value, size, &newsid);
if (rc) if (rc)
return rc; return rc;
...@@ -2859,42 +2856,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, ...@@ -2859,42 +2856,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
int error = 0; int error = 0;
switch (cmd) { switch (cmd) {
case FIONREAD: case FIONREAD:
/* fall through */ /* fall through */
case FIBMAP: case FIBMAP:
/* fall through */ /* fall through */
case FIGETBSZ: case FIGETBSZ:
/* fall through */ /* fall through */
case EXT2_IOC_GETFLAGS: case EXT2_IOC_GETFLAGS:
/* fall through */ /* fall through */
case EXT2_IOC_GETVERSION: case EXT2_IOC_GETVERSION:
error = file_has_perm(current, file, FILE__GETATTR); error = file_has_perm(current, file, FILE__GETATTR);
break; break;
case EXT2_IOC_SETFLAGS:
/* fall through */
case EXT2_IOC_SETVERSION:
error = file_has_perm(current, file, FILE__SETATTR);
break;
/* sys_ioctl() checks */ case EXT2_IOC_SETFLAGS:
case FIONBIO: /* fall through */
/* fall through */ case EXT2_IOC_SETVERSION:
case FIOASYNC: error = file_has_perm(current, file, FILE__SETATTR);
error = file_has_perm(current, file, 0); break;
break;
case KDSKBENT: /* sys_ioctl() checks */
case KDSKBSENT: case FIONBIO:
error = task_has_capability(current,CAP_SYS_TTY_CONFIG); /* fall through */
break; case FIOASYNC:
error = file_has_perm(current, file, 0);
break;
/* default case assumes that the command will go case KDSKBENT:
* to the file's ioctl() function. case KDSKBSENT:
*/ error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
default: break;
error = file_has_perm(current, file, FILE__IOCTL);
/* default case assumes that the command will go
* to the file's ioctl() function.
*/
default:
error = file_has_perm(current, file, FILE__IOCTL);
} }
return error; return error;
} }
...@@ -2935,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, ...@@ -2935,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
unsigned long addr, unsigned long addr_only) unsigned long addr, unsigned long addr_only)
{ {
int rc = 0; int rc = 0;
u32 sid = ((struct task_security_struct*)(current->security))->sid; u32 sid = ((struct task_security_struct *)(current->security))->sid;
if (addr < mmap_min_addr) if (addr < mmap_min_addr)
rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
...@@ -3004,39 +3000,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd, ...@@ -3004,39 +3000,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
int err = 0; int err = 0;
switch (cmd) { switch (cmd) {
case F_SETFL: case F_SETFL:
if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
err = -EINVAL; err = -EINVAL;
break; break;
} }
if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
err = file_has_perm(current, file,FILE__WRITE); err = file_has_perm(current, file, FILE__WRITE);
break;
}
/* fall through */
case F_SETOWN:
case F_SETSIG:
case F_GETFL:
case F_GETOWN:
case F_GETSIG:
/* Just check FD__USE permission */
err = file_has_perm(current, file, 0);
break; break;
case F_GETLK: }
case F_SETLK: /* fall through */
case F_SETLKW: case F_SETOWN:
case F_SETSIG:
case F_GETFL:
case F_GETOWN:
case F_GETSIG:
/* Just check FD__USE permission */
err = file_has_perm(current, file, 0);
break;
case F_GETLK:
case F_SETLK:
case F_SETLKW:
#if BITS_PER_LONG == 32 #if BITS_PER_LONG == 32
case F_GETLK64: case F_GETLK64:
case F_SETLK64: case F_SETLK64:
case F_SETLKW64: case F_SETLKW64:
#endif #endif
if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
err = -EINVAL; err = -EINVAL;
break;
}
err = file_has_perm(current, file, FILE__LOCK);
break; break;
}
err = file_has_perm(current, file, FILE__LOCK);
break;
} }
return err; return err;
...@@ -3057,13 +3053,13 @@ static int selinux_file_set_fowner(struct file *file) ...@@ -3057,13 +3053,13 @@ static int selinux_file_set_fowner(struct file *file)
static int selinux_file_send_sigiotask(struct task_struct *tsk, static int selinux_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum) struct fown_struct *fown, int signum)
{ {
struct file *file; struct file *file;
u32 perm; u32 perm;
struct task_security_struct *tsec; struct task_security_struct *tsec;
struct file_security_struct *fsec; struct file_security_struct *fsec;
/* struct fown_struct is never outside the context of a struct file */ /* struct fown_struct is never outside the context of a struct file */
file = container_of(fown, struct file, f_owner); file = container_of(fown, struct file, f_owner);
tsec = tsk->security; tsec = tsk->security;
fsec = file->f_security; fsec = file->f_security;
...@@ -3165,7 +3161,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) ...@@ -3165,7 +3161,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{ {
return secondary_ops->task_post_setuid(id0,id1,id2,flags); return secondary_ops->task_post_setuid(id0, id1, id2, flags);
} }
static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
...@@ -3209,7 +3205,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice) ...@@ -3209,7 +3205,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
if (rc) if (rc)
return rc; return rc;
return task_has_perm(current,p, PROCESS__SETSCHED); return task_has_perm(current, p, PROCESS__SETSCHED);
} }
static int selinux_task_setioprio(struct task_struct *p, int ioprio) static int selinux_task_setioprio(struct task_struct *p, int ioprio)
...@@ -3313,7 +3309,7 @@ static int selinux_task_wait(struct task_struct *p) ...@@ -3313,7 +3309,7 @@ static int selinux_task_wait(struct task_struct *p)
static void selinux_task_reparent_to_init(struct task_struct *p) static void selinux_task_reparent_to_init(struct task_struct *p)
{ {
struct task_security_struct *tsec; struct task_security_struct *tsec;
secondary_ops->task_reparent_to_init(p); secondary_ops->task_reparent_to_init(p);
...@@ -3358,11 +3354,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, ...@@ -3358,11 +3354,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
*proto = ih->protocol; *proto = ih->protocol;
switch (ih->protocol) { switch (ih->protocol) {
case IPPROTO_TCP: { case IPPROTO_TCP: {
struct tcphdr _tcph, *th; struct tcphdr _tcph, *th;
if (ntohs(ih->frag_off) & IP_OFFSET) if (ntohs(ih->frag_off) & IP_OFFSET)
break; break;
offset += ihlen; offset += ihlen;
th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
...@@ -3372,23 +3368,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, ...@@ -3372,23 +3368,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
ad->u.net.sport = th->source; ad->u.net.sport = th->source;
ad->u.net.dport = th->dest; ad->u.net.dport = th->dest;
break; break;
} }
case IPPROTO_UDP: { case IPPROTO_UDP: {
struct udphdr _udph, *uh; struct udphdr _udph, *uh;
if (ntohs(ih->frag_off) & IP_OFFSET) if (ntohs(ih->frag_off) & IP_OFFSET)
break; break;
offset += ihlen; offset += ihlen;
uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
if (uh == NULL) if (uh == NULL)
break; break;
ad->u.net.sport = uh->source; ad->u.net.sport = uh->source;
ad->u.net.dport = uh->dest; ad->u.net.dport = uh->dest;
break; break;
} }
case IPPROTO_DCCP: { case IPPROTO_DCCP: {
struct dccp_hdr _dccph, *dh; struct dccp_hdr _dccph, *dh;
...@@ -3404,11 +3400,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, ...@@ -3404,11 +3400,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
ad->u.net.sport = dh->dccph_sport; ad->u.net.sport = dh->dccph_sport;
ad->u.net.dport = dh->dccph_dport; ad->u.net.dport = dh->dccph_dport;
break; break;
} }
default: default:
break; break;
} }
out: out:
return ret; return ret;
} }
...@@ -3443,7 +3439,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, ...@@ -3443,7 +3439,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
switch (nexthdr) { switch (nexthdr) {
case IPPROTO_TCP: { case IPPROTO_TCP: {
struct tcphdr _tcph, *th; struct tcphdr _tcph, *th;
th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
if (th == NULL) if (th == NULL)
...@@ -3476,7 +3472,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, ...@@ -3476,7 +3472,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
ad->u.net.sport = dh->dccph_sport; ad->u.net.sport = dh->dccph_sport;
ad->u.net.dport = dh->dccph_dport; ad->u.net.dport = dh->dccph_dport;
break; break;
} }
/* includes fragments */ /* includes fragments */
default: default:
...@@ -3574,7 +3570,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, ...@@ -3574,7 +3570,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
if (isec->sid == SECINITSID_KERNEL) if (isec->sid == SECINITSID_KERNEL)
goto out; goto out;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = sock->sk; ad.u.net.sk = sock->sk;
err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
...@@ -3684,7 +3680,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ...@@ -3684,7 +3680,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
snum, &sid); snum, &sid);
if (err) if (err)
goto out; goto out;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sport = htons(snum); ad.u.net.sport = htons(snum);
ad.u.net.family = family; ad.u.net.family = family;
err = avc_has_perm(isec->sid, sid, err = avc_has_perm(isec->sid, sid,
...@@ -3694,12 +3690,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ...@@ -3694,12 +3690,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
goto out; goto out;
} }
} }
switch(isec->sclass) { switch (isec->sclass) {
case SECCLASS_TCP_SOCKET: case SECCLASS_TCP_SOCKET:
node_perm = TCP_SOCKET__NODE_BIND; node_perm = TCP_SOCKET__NODE_BIND;
break; break;
case SECCLASS_UDP_SOCKET: case SECCLASS_UDP_SOCKET:
node_perm = UDP_SOCKET__NODE_BIND; node_perm = UDP_SOCKET__NODE_BIND;
break; break;
...@@ -3712,12 +3708,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ...@@ -3712,12 +3708,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
node_perm = RAWIP_SOCKET__NODE_BIND; node_perm = RAWIP_SOCKET__NODE_BIND;
break; break;
} }
err = sel_netnode_sid(addrp, family, &sid); err = sel_netnode_sid(addrp, family, &sid);
if (err) if (err)
goto out; goto out;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sport = htons(snum); ad.u.net.sport = htons(snum);
ad.u.net.family = family; ad.u.net.family = family;
...@@ -3727,7 +3723,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ...@@ -3727,7 +3723,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
err = avc_has_perm(isec->sid, sid, err = avc_has_perm(isec->sid, sid,
isec->sclass, node_perm, &ad); isec->sclass, node_perm, &ad);
if (err) if (err)
goto out; goto out;
} }
...@@ -3776,7 +3772,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, ...@@ -3776,7 +3772,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.dport = htons(snum); ad.u.net.dport = htons(snum);
ad.u.net.family = sk->sk_family; ad.u.net.family = sk->sk_family;
err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
...@@ -3814,7 +3810,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) ...@@ -3814,7 +3810,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
} }
static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
int size) int size)
{ {
int rc; int rc;
...@@ -3841,7 +3837,7 @@ static int selinux_socket_getpeername(struct socket *sock) ...@@ -3841,7 +3837,7 @@ static int selinux_socket_getpeername(struct socket *sock)
return socket_has_perm(current, sock, SOCKET__GETATTR); return socket_has_perm(current, sock, SOCKET__GETATTR);
} }
static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
{ {
int err; int err;
...@@ -3880,7 +3876,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, ...@@ -3880,7 +3876,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
isec = SOCK_INODE(sock)->i_security; isec = SOCK_INODE(sock)->i_security;
other_isec = SOCK_INODE(other)->i_security; other_isec = SOCK_INODE(other)->i_security;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = other->sk; ad.u.net.sk = other->sk;
err = avc_has_perm(isec->sid, other_isec->sid, err = avc_has_perm(isec->sid, other_isec->sid,
...@@ -3892,7 +3888,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, ...@@ -3892,7 +3888,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
/* connecting socket */ /* connecting socket */
ssec = sock->sk->sk_security; ssec = sock->sk->sk_security;
ssec->peer_sid = other_isec->sid; ssec->peer_sid = other_isec->sid;
/* server child socket */ /* server child socket */
ssec = newsk->sk_security; ssec = newsk->sk_security;
ssec->peer_sid = isec->sid; ssec->peer_sid = isec->sid;
...@@ -3912,7 +3908,7 @@ static int selinux_socket_unix_may_send(struct socket *sock, ...@@ -3912,7 +3908,7 @@ static int selinux_socket_unix_may_send(struct socket *sock,
isec = SOCK_INODE(sock)->i_security; isec = SOCK_INODE(sock)->i_security;
other_isec = SOCK_INODE(other)->i_security; other_isec = SOCK_INODE(other)->i_security;
AVC_AUDIT_DATA_INIT(&ad,NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = other->sk; ad.u.net.sk = other->sk;
err = avc_has_perm(isec->sid, other_isec->sid, err = avc_has_perm(isec->sid, other_isec->sid,
...@@ -3990,7 +3986,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, ...@@ -3990,7 +3986,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
if (err) if (err)
return err; return err;
err = sel_netnode_sid(addrp, family, &node_sid); err = sel_netnode_sid(addrp, family, &node_sid);
if (err) if (err)
return err; return err;
...@@ -4141,7 +4137,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op ...@@ -4141,7 +4137,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
err = -EFAULT; err = -EFAULT;
kfree(scontext); kfree(scontext);
out: out:
return err; return err;
} }
...@@ -4202,7 +4198,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid) ...@@ -4202,7 +4198,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
} }
} }
static void selinux_sock_graft(struct sock* sk, struct socket *parent) static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{ {
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
struct sk_security_struct *sksec = sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
...@@ -4279,13 +4275,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) ...@@ -4279,13 +4275,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
struct nlmsghdr *nlh; struct nlmsghdr *nlh;
struct socket *sock = sk->sk_socket; struct socket *sock = sk->sk_socket;
struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
if (skb->len < NLMSG_SPACE(0)) { if (skb->len < NLMSG_SPACE(0)) {
err = -EINVAL; err = -EINVAL;
goto out; goto out;
} }
nlh = nlmsg_hdr(skb); nlh = nlmsg_hdr(skb);
err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
if (err) { if (err) {
if (err == -EINVAL) { if (err == -EINVAL) {
...@@ -4411,7 +4407,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk, ...@@ -4411,7 +4407,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
return err; return err;
err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
return err; return err;
err = sel_netnode_sid(addrp, family, &node_sid); err = sel_netnode_sid(addrp, family, &node_sid);
if (err) if (err)
return err; return err;
...@@ -4594,7 +4590,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability) ...@@ -4594,7 +4590,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
ad.u.cap = capability; ad.u.cap = capability;
return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
} }
static int ipc_alloc_security(struct task_struct *task, static int ipc_alloc_security(struct task_struct *task,
...@@ -4686,7 +4682,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) ...@@ -4686,7 +4682,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
isec = msq->q_perm.security; isec = msq->q_perm.security;
AVC_AUDIT_DATA_INIT(&ad, IPC); AVC_AUDIT_DATA_INIT(&ad, IPC);
ad.u.ipc_id = msq->q_perm.key; ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
MSGQ__CREATE, &ad); MSGQ__CREATE, &ad);
...@@ -4723,7 +4719,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) ...@@ -4723,7 +4719,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
int err; int err;
int perms; int perms;
switch(cmd) { switch (cmd) {
case IPC_INFO: case IPC_INFO:
case MSG_INFO: case MSG_INFO:
/* No specific object, just general system-wide information. */ /* No specific object, just general system-wide information. */
...@@ -4807,7 +4803,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, ...@@ -4807,7 +4803,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
msec = msg->security; msec = msg->security;
AVC_AUDIT_DATA_INIT(&ad, IPC); AVC_AUDIT_DATA_INIT(&ad, IPC);
ad.u.ipc_id = msq->q_perm.key; ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, rc = avc_has_perm(tsec->sid, isec->sid,
SECCLASS_MSGQ, MSGQ__READ, &ad); SECCLASS_MSGQ, MSGQ__READ, &ad);
...@@ -4833,7 +4829,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) ...@@ -4833,7 +4829,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
isec = shp->shm_perm.security; isec = shp->shm_perm.security;
AVC_AUDIT_DATA_INIT(&ad, IPC); AVC_AUDIT_DATA_INIT(&ad, IPC);
ad.u.ipc_id = shp->shm_perm.key; ad.u.ipc_id = shp->shm_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
SHM__CREATE, &ad); SHM__CREATE, &ad);
...@@ -4871,7 +4867,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) ...@@ -4871,7 +4867,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
int perms; int perms;
int err; int err;
switch(cmd) { switch (cmd) {
case IPC_INFO: case IPC_INFO:
case SHM_INFO: case SHM_INFO:
/* No specific object, just general system-wide information. */ /* No specific object, just general system-wide information. */
...@@ -4932,7 +4928,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) ...@@ -4932,7 +4928,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
isec = sma->sem_perm.security; isec = sma->sem_perm.security;
AVC_AUDIT_DATA_INIT(&ad, IPC); AVC_AUDIT_DATA_INIT(&ad, IPC);
ad.u.ipc_id = sma->sem_perm.key; ad.u.ipc_id = sma->sem_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
SEM__CREATE, &ad); SEM__CREATE, &ad);
...@@ -4970,7 +4966,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd) ...@@ -4970,7 +4966,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
int err; int err;
u32 perms; u32 perms;
switch(cmd) { switch (cmd) {
case IPC_INFO: case IPC_INFO:
case SEM_INFO: case SEM_INFO:
/* No specific object, just general system-wide information. */ /* No specific object, just general system-wide information. */
...@@ -5042,13 +5038,13 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) ...@@ -5042,13 +5038,13 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
} }
/* module stacking operations */ /* module stacking operations */
static int selinux_register_security (const char *name, struct security_operations *ops) static int selinux_register_security(const char *name, struct security_operations *ops)
{ {
if (secondary_ops != original_ops) { if (secondary_ops != original_ops) {
printk(KERN_ERR "%s: There is already a secondary security " printk(KERN_ERR "%s: There is already a secondary security "
"module registered.\n", __func__); "module registered.\n", __func__);
return -EINVAL; return -EINVAL;
} }
secondary_ops = ops; secondary_ops = ops;
...@@ -5059,7 +5055,7 @@ static int selinux_register_security (const char *name, struct security_operatio ...@@ -5059,7 +5055,7 @@ static int selinux_register_security (const char *name, struct security_operatio
return 0; return 0;
} }
static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
{ {
if (inode) if (inode)
inode_doinit_with_dentry(inode, dentry); inode_doinit_with_dentry(inode, dentry);
...@@ -5187,11 +5183,11 @@ static int selinux_setprocattr(struct task_struct *p, ...@@ -5187,11 +5183,11 @@ static int selinux_setprocattr(struct task_struct *p,
} }
while_each_thread(g, t); while_each_thread(g, t);
read_unlock(&tasklist_lock); read_unlock(&tasklist_lock);
} }
/* Check permissions for the transition. */ /* Check permissions for the transition. */
error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
PROCESS__DYNTRANSITION, NULL); PROCESS__DYNTRANSITION, NULL);
if (error) if (error)
return error; return error;
...@@ -5219,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p, ...@@ -5219,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p,
tsec->sid = sid; tsec->sid = sid;
task_unlock(p); task_unlock(p);
} }
} } else
else
return -EINVAL; return -EINVAL;
return size; return size;
...@@ -5310,7 +5305,7 @@ static struct security_operations selinux_ops = { ...@@ -5310,7 +5305,7 @@ static struct security_operations selinux_ops = {
.vm_enough_memory = selinux_vm_enough_memory, .vm_enough_memory = selinux_vm_enough_memory,
.netlink_send = selinux_netlink_send, .netlink_send = selinux_netlink_send,
.netlink_recv = selinux_netlink_recv, .netlink_recv = selinux_netlink_recv,
.bprm_alloc_security = selinux_bprm_alloc_security, .bprm_alloc_security = selinux_bprm_alloc_security,
.bprm_free_security = selinux_bprm_free_security, .bprm_free_security = selinux_bprm_free_security,
...@@ -5323,13 +5318,13 @@ static struct security_operations selinux_ops = { ...@@ -5323,13 +5318,13 @@ static struct security_operations selinux_ops = {
.sb_alloc_security = selinux_sb_alloc_security, .sb_alloc_security = selinux_sb_alloc_security,
.sb_free_security = selinux_sb_free_security, .sb_free_security = selinux_sb_free_security,
.sb_copy_data = selinux_sb_copy_data, .sb_copy_data = selinux_sb_copy_data,
.sb_kern_mount = selinux_sb_kern_mount, .sb_kern_mount = selinux_sb_kern_mount,
.sb_statfs = selinux_sb_statfs, .sb_statfs = selinux_sb_statfs,
.sb_mount = selinux_mount, .sb_mount = selinux_mount,
.sb_umount = selinux_umount, .sb_umount = selinux_umount,
.sb_get_mnt_opts = selinux_get_mnt_opts, .sb_get_mnt_opts = selinux_get_mnt_opts,
.sb_set_mnt_opts = selinux_set_mnt_opts, .sb_set_mnt_opts = selinux_set_mnt_opts,
.sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
.sb_parse_opts_str = selinux_parse_opts_str, .sb_parse_opts_str = selinux_parse_opts_str,
...@@ -5354,9 +5349,9 @@ static struct security_operations selinux_ops = { ...@@ -5354,9 +5349,9 @@ static struct security_operations selinux_ops = {
.inode_getxattr = selinux_inode_getxattr, .inode_getxattr = selinux_inode_getxattr,
.inode_listxattr = selinux_inode_listxattr, .inode_listxattr = selinux_inode_listxattr,
.inode_removexattr = selinux_inode_removexattr, .inode_removexattr = selinux_inode_removexattr,
.inode_getsecurity = selinux_inode_getsecurity, .inode_getsecurity = selinux_inode_getsecurity,
.inode_setsecurity = selinux_inode_setsecurity, .inode_setsecurity = selinux_inode_setsecurity,
.inode_listsecurity = selinux_inode_listsecurity, .inode_listsecurity = selinux_inode_listsecurity,
.inode_need_killpriv = selinux_inode_need_killpriv, .inode_need_killpriv = selinux_inode_need_killpriv,
.inode_killpriv = selinux_inode_killpriv, .inode_killpriv = selinux_inode_killpriv,
.inode_getsecid = selinux_inode_getsecid, .inode_getsecid = selinux_inode_getsecid,
...@@ -5373,7 +5368,7 @@ static struct security_operations selinux_ops = { ...@@ -5373,7 +5368,7 @@ static struct security_operations selinux_ops = {
.file_send_sigiotask = selinux_file_send_sigiotask, .file_send_sigiotask = selinux_file_send_sigiotask,
.file_receive = selinux_file_receive, .file_receive = selinux_file_receive,
.dentry_open = selinux_dentry_open, .dentry_open = selinux_dentry_open,
.task_create = selinux_task_create, .task_create = selinux_task_create,
.task_alloc_security = selinux_task_alloc_security, .task_alloc_security = selinux_task_alloc_security,
...@@ -5383,7 +5378,7 @@ static struct security_operations selinux_ops = { ...@@ -5383,7 +5378,7 @@ static struct security_operations selinux_ops = {
.task_setgid = selinux_task_setgid, .task_setgid = selinux_task_setgid,
.task_setpgid = selinux_task_setpgid, .task_setpgid = selinux_task_setpgid,
.task_getpgid = selinux_task_getpgid, .task_getpgid = selinux_task_getpgid,
.task_getsid = selinux_task_getsid, .task_getsid = selinux_task_getsid,
.task_getsecid = selinux_task_getsecid, .task_getsecid = selinux_task_getsecid,
.task_setgroups = selinux_task_setgroups, .task_setgroups = selinux_task_setgroups,
.task_setnice = selinux_task_setnice, .task_setnice = selinux_task_setnice,
...@@ -5397,7 +5392,7 @@ static struct security_operations selinux_ops = { ...@@ -5397,7 +5392,7 @@ static struct security_operations selinux_ops = {
.task_wait = selinux_task_wait, .task_wait = selinux_task_wait,
.task_prctl = selinux_task_prctl, .task_prctl = selinux_task_prctl,
.task_reparent_to_init = selinux_task_reparent_to_init, .task_reparent_to_init = selinux_task_reparent_to_init,
.task_to_inode = selinux_task_to_inode, .task_to_inode = selinux_task_to_inode,
.ipc_permission = selinux_ipc_permission, .ipc_permission = selinux_ipc_permission,
.ipc_getsecid = selinux_ipc_getsecid, .ipc_getsecid = selinux_ipc_getsecid,
...@@ -5418,24 +5413,24 @@ static struct security_operations selinux_ops = { ...@@ -5418,24 +5413,24 @@ static struct security_operations selinux_ops = {
.shm_shmctl = selinux_shm_shmctl, .shm_shmctl = selinux_shm_shmctl,
.shm_shmat = selinux_shm_shmat, .shm_shmat = selinux_shm_shmat,
.sem_alloc_security = selinux_sem_alloc_security, .sem_alloc_security = selinux_sem_alloc_security,
.sem_free_security = selinux_sem_free_security, .sem_free_security = selinux_sem_free_security,
.sem_associate = selinux_sem_associate, .sem_associate = selinux_sem_associate,
.sem_semctl = selinux_sem_semctl, .sem_semctl = selinux_sem_semctl,
.sem_semop = selinux_sem_semop, .sem_semop = selinux_sem_semop,
.register_security = selinux_register_security, .register_security = selinux_register_security,
.d_instantiate = selinux_d_instantiate, .d_instantiate = selinux_d_instantiate,
.getprocattr = selinux_getprocattr, .getprocattr = selinux_getprocattr,
.setprocattr = selinux_setprocattr, .setprocattr = selinux_setprocattr,
.secid_to_secctx = selinux_secid_to_secctx, .secid_to_secctx = selinux_secid_to_secctx,
.secctx_to_secid = selinux_secctx_to_secid, .secctx_to_secid = selinux_secctx_to_secid,
.release_secctx = selinux_release_secctx, .release_secctx = selinux_release_secctx,
.unix_stream_connect = selinux_socket_unix_stream_connect, .unix_stream_connect = selinux_socket_unix_stream_connect,
.unix_may_send = selinux_socket_unix_may_send, .unix_may_send = selinux_socket_unix_may_send,
.socket_create = selinux_socket_create, .socket_create = selinux_socket_create,
...@@ -5457,7 +5452,7 @@ static struct security_operations selinux_ops = { ...@@ -5457,7 +5452,7 @@ static struct security_operations selinux_ops = {
.sk_alloc_security = selinux_sk_alloc_security, .sk_alloc_security = selinux_sk_alloc_security,
.sk_free_security = selinux_sk_free_security, .sk_free_security = selinux_sk_free_security,
.sk_clone_security = selinux_sk_clone_security, .sk_clone_security = selinux_sk_clone_security,
.sk_getsecid = selinux_sk_getsecid, .sk_getsecid = selinux_sk_getsecid,
.sock_graft = selinux_sock_graft, .sock_graft = selinux_sock_graft,
.inet_conn_request = selinux_inet_conn_request, .inet_conn_request = selinux_inet_conn_request,
.inet_csk_clone = selinux_inet_csk_clone, .inet_csk_clone = selinux_inet_csk_clone,
...@@ -5472,15 +5467,15 @@ static struct security_operations selinux_ops = { ...@@ -5472,15 +5467,15 @@ static struct security_operations selinux_ops = {
.xfrm_state_alloc_security = selinux_xfrm_state_alloc, .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
.xfrm_state_free_security = selinux_xfrm_state_free, .xfrm_state_free_security = selinux_xfrm_state_free,
.xfrm_state_delete_security = selinux_xfrm_state_delete, .xfrm_state_delete_security = selinux_xfrm_state_delete,
.xfrm_policy_lookup = selinux_xfrm_policy_lookup, .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
.xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
.xfrm_decode_session = selinux_xfrm_decode_session, .xfrm_decode_session = selinux_xfrm_decode_session,
#endif #endif
#ifdef CONFIG_KEYS #ifdef CONFIG_KEYS
.key_alloc = selinux_key_alloc, .key_alloc = selinux_key_alloc,
.key_free = selinux_key_free, .key_free = selinux_key_free,
.key_permission = selinux_key_permission, .key_permission = selinux_key_permission,
#endif #endif
#ifdef CONFIG_AUDIT #ifdef CONFIG_AUDIT
...@@ -5520,15 +5515,14 @@ static __init int selinux_init(void) ...@@ -5520,15 +5515,14 @@ static __init int selinux_init(void)
original_ops = secondary_ops = security_ops; original_ops = secondary_ops = security_ops;
if (!secondary_ops) if (!secondary_ops)
panic ("SELinux: No initial security operations\n"); panic("SELinux: No initial security operations\n");
if (register_security (&selinux_ops)) if (register_security(&selinux_ops))
panic("SELinux: Unable to register with kernel.\n"); panic("SELinux: Unable to register with kernel.\n");
if (selinux_enforcing) { if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
} else { else
printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
}
#ifdef CONFIG_KEYS #ifdef CONFIG_KEYS
/* Add security information to initial keyrings */ /* Add security information to initial keyrings */
...@@ -5553,8 +5547,8 @@ void selinux_complete_init(void) ...@@ -5553,8 +5547,8 @@ void selinux_complete_init(void)
if (!list_empty(&superblock_security_head)) { if (!list_empty(&superblock_security_head)) {
struct superblock_security_struct *sbsec = struct superblock_security_struct *sbsec =
list_entry(superblock_security_head.next, list_entry(superblock_security_head.next,
struct superblock_security_struct, struct superblock_security_struct,
list); list);
struct super_block *sb = sbsec->sb; struct super_block *sb = sbsec->sb;
sb->s_count++; sb->s_count++;
spin_unlock(&sb_security_lock); spin_unlock(&sb_security_lock);
...@@ -5673,10 +5667,11 @@ static void selinux_nf_ip_exit(void) ...@@ -5673,10 +5667,11 @@ static void selinux_nf_ip_exit(void)
#endif /* CONFIG_NETFILTER */ #endif /* CONFIG_NETFILTER */
#ifdef CONFIG_SECURITY_SELINUX_DISABLE #ifdef CONFIG_SECURITY_SELINUX_DISABLE
static int selinux_disabled;
int selinux_disable(void) int selinux_disable(void)
{ {
extern void exit_sel_fs(void); extern void exit_sel_fs(void);
static int selinux_disabled = 0;
if (ss_initialized) { if (ss_initialized) {
/* Not permitted after initial policy load. */ /* Not permitted after initial policy load. */
......