mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-28 05:12:49 +00:00
selinux/stable-5.14 PR 20210629
-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmDbjYgUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXP5fw//aqCDO1LLp3ecf0Lam1C7bJuYt3fT aIi6wm2nEpkudwVOGH5/M5x5SEPL28KQHZHXvhaXtpQPmmlwbtfkEALT7I2nPAuC ACQUQOdDx7mHAFBGEPJdyk+AveThJ5IgieftAlJEvN/FZEq3pO3emOx8I01TgfLg Oq146HIDxiHNe1C1PGghRBJXIcIeoDEzjWYSdfRCRT5o9Jixm7cWIPx6JVdd5Ftl 2UHUw/jV+yeJ3h5vZv06KQQ0SmSZ/ZbAT4YUJHHYHHsRu+7WpY/veai4LHqOT8XI J0SLZq/EhYLBmdsla4q0UaPi1UdKGiywlXzhwkix5shet0ayjcy9+kdUyjRkZAi3 alGagbBrH9ED9r6LNxW8SpNwkw1Bi8cbWN877AYW5m/KkzC8V8ico0lTczNaOWKU VTc2osy+AWpE5Q6Mm+Iz5jHp2UFPnW08a61HrSNAJWmwfBRsRFQuphNQPrzasGVo ZyXhPbNmjwEXxmA8hdsY8//cI6fJPhRq3fVnCVqU4KqgyX1+odinp6Zny/mnOHPj dYfmgkxkntErcNMRVaTvrG22mPfjgUl++IXjIGJ37c4XX4s0ayqtK8ZyjEf1dixh wi4SARsUgxCG9TTKcs+HV0yu4YIRNaYPKvRbTVrfl6W77hnxzs8pxh6F5HxwJNT4 8EucVfegEW1YsD8= =tmak -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20210629' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull SELinux updates from Paul Moore: - The slow_avc_audit() function is now non-blocking so we can remove the AVC_NONBLOCKING tricks; this also includes the 'flags' variant of avc_has_perm(). - Use kmemdup() instead of kcalloc()+copy when copying parts of the SELinux policydb. - The InfiniBand device name is now passed by reference when possible in the SELinux code, removing a strncpy(). - Minor cleanups including: constification of avtab function args, removal of useless LSM/XFRM function args, SELinux kdoc fixes, and removal of redundant assignments. * tag 'selinux-pr-20210629' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: kill 'flags' argument in avc_has_perm_flags() and avc_audit() selinux: slow_avc_audit has become non-blocking selinux: Fix kernel-doc selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC lsm_audit,selinux: pass IB device name by reference selinux: Remove redundant assignment to rc selinux: Corrected comment to match kernel-doc comment selinux: delete selinux_xfrm_policy_lookup() useless argument selinux: constify some avtab function arguments selinux: simplify duplicate_policydb_cond_list() by using kmemdup()
This commit is contained in:
commit
6bd344e55f
15 changed files with 90 additions and 121 deletions
|
@ -48,13 +48,13 @@ struct lsm_ioctlop_audit {
|
||||||
};
|
};
|
||||||
|
|
||||||
struct lsm_ibpkey_audit {
|
struct lsm_ibpkey_audit {
|
||||||
u64 subnet_prefix;
|
u64 subnet_prefix;
|
||||||
u16 pkey;
|
u16 pkey;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct lsm_ibendport_audit {
|
struct lsm_ibendport_audit {
|
||||||
char dev_name[IB_DEVICE_NAME_MAX];
|
const char *dev_name;
|
||||||
u8 port;
|
u8 port;
|
||||||
};
|
};
|
||||||
|
|
||||||
/* Auxiliary data to use in generating the audit record. */
|
/* Auxiliary data to use in generating the audit record. */
|
||||||
|
|
|
@ -358,8 +358,7 @@ LSM_HOOK(int, 0, xfrm_state_alloc_acquire, struct xfrm_state *x,
|
||||||
struct xfrm_sec_ctx *polsec, u32 secid)
|
struct xfrm_sec_ctx *polsec, u32 secid)
|
||||||
LSM_HOOK(void, LSM_RET_VOID, xfrm_state_free_security, struct xfrm_state *x)
|
LSM_HOOK(void, LSM_RET_VOID, xfrm_state_free_security, struct xfrm_state *x)
|
||||||
LSM_HOOK(int, 0, xfrm_state_delete_security, struct xfrm_state *x)
|
LSM_HOOK(int, 0, xfrm_state_delete_security, struct xfrm_state *x)
|
||||||
LSM_HOOK(int, 0, xfrm_policy_lookup, struct xfrm_sec_ctx *ctx, u32 fl_secid,
|
LSM_HOOK(int, 0, xfrm_policy_lookup, struct xfrm_sec_ctx *ctx, u32 fl_secid)
|
||||||
u8 dir)
|
|
||||||
LSM_HOOK(int, 1, xfrm_state_pol_flow_match, struct xfrm_state *x,
|
LSM_HOOK(int, 1, xfrm_state_pol_flow_match, struct xfrm_state *x,
|
||||||
struct xfrm_policy *xp, const struct flowi_common *flic)
|
struct xfrm_policy *xp, const struct flowi_common *flic)
|
||||||
LSM_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid,
|
LSM_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid,
|
||||||
|
|
|
@ -1681,7 +1681,7 @@ int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
|
||||||
struct xfrm_sec_ctx *polsec, u32 secid);
|
struct xfrm_sec_ctx *polsec, u32 secid);
|
||||||
int security_xfrm_state_delete(struct xfrm_state *x);
|
int security_xfrm_state_delete(struct xfrm_state *x);
|
||||||
void security_xfrm_state_free(struct xfrm_state *x);
|
void security_xfrm_state_free(struct xfrm_state *x);
|
||||||
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
|
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid);
|
||||||
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
|
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
|
||||||
struct xfrm_policy *xp,
|
struct xfrm_policy *xp,
|
||||||
const struct flowi_common *flic);
|
const struct flowi_common *flic);
|
||||||
|
@ -1732,7 +1732,7 @@ static inline int security_xfrm_state_delete(struct xfrm_state *x)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
|
static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
|
||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1902,8 +1902,7 @@ static int xfrm_policy_match(const struct xfrm_policy *pol,
|
||||||
|
|
||||||
match = xfrm_selector_match(sel, fl, family);
|
match = xfrm_selector_match(sel, fl, family);
|
||||||
if (match)
|
if (match)
|
||||||
ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
|
ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid);
|
||||||
dir);
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2181,8 +2180,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
err = security_xfrm_policy_lookup(pol->security,
|
err = security_xfrm_policy_lookup(pol->security,
|
||||||
fl->flowi_secid,
|
fl->flowi_secid);
|
||||||
dir);
|
|
||||||
if (!err) {
|
if (!err) {
|
||||||
if (!xfrm_pol_hold_rcu(pol))
|
if (!xfrm_pol_hold_rcu(pol))
|
||||||
goto again;
|
goto again;
|
||||||
|
|
|
@ -2466,9 +2466,9 @@ void security_xfrm_state_free(struct xfrm_state *x)
|
||||||
call_void_hook(xfrm_state_free_security, x);
|
call_void_hook(xfrm_state_free_security, x);
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
|
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
|
||||||
{
|
{
|
||||||
return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir);
|
return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid);
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
|
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
|
||||||
|
|
|
@ -297,26 +297,27 @@ static struct avc_xperms_decision_node
|
||||||
struct avc_xperms_decision_node *xpd_node;
|
struct avc_xperms_decision_node *xpd_node;
|
||||||
struct extended_perms_decision *xpd;
|
struct extended_perms_decision *xpd;
|
||||||
|
|
||||||
xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT);
|
xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep,
|
||||||
|
GFP_NOWAIT | __GFP_NOWARN);
|
||||||
if (!xpd_node)
|
if (!xpd_node)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
xpd = &xpd_node->xpd;
|
xpd = &xpd_node->xpd;
|
||||||
if (which & XPERMS_ALLOWED) {
|
if (which & XPERMS_ALLOWED) {
|
||||||
xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
|
xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
|
||||||
GFP_NOWAIT);
|
GFP_NOWAIT | __GFP_NOWARN);
|
||||||
if (!xpd->allowed)
|
if (!xpd->allowed)
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
if (which & XPERMS_AUDITALLOW) {
|
if (which & XPERMS_AUDITALLOW) {
|
||||||
xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
|
xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
|
||||||
GFP_NOWAIT);
|
GFP_NOWAIT | __GFP_NOWARN);
|
||||||
if (!xpd->auditallow)
|
if (!xpd->auditallow)
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
if (which & XPERMS_DONTAUDIT) {
|
if (which & XPERMS_DONTAUDIT) {
|
||||||
xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
|
xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
|
||||||
GFP_NOWAIT);
|
GFP_NOWAIT | __GFP_NOWARN);
|
||||||
if (!xpd->dontaudit)
|
if (!xpd->dontaudit)
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
@ -344,7 +345,7 @@ static struct avc_xperms_node *avc_xperms_alloc(void)
|
||||||
{
|
{
|
||||||
struct avc_xperms_node *xp_node;
|
struct avc_xperms_node *xp_node;
|
||||||
|
|
||||||
xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT);
|
xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT | __GFP_NOWARN);
|
||||||
if (!xp_node)
|
if (!xp_node)
|
||||||
return xp_node;
|
return xp_node;
|
||||||
INIT_LIST_HEAD(&xp_node->xpd_head);
|
INIT_LIST_HEAD(&xp_node->xpd_head);
|
||||||
|
@ -500,7 +501,7 @@ static struct avc_node *avc_alloc_node(struct selinux_avc *avc)
|
||||||
{
|
{
|
||||||
struct avc_node *node;
|
struct avc_node *node;
|
||||||
|
|
||||||
node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT);
|
node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT | __GFP_NOWARN);
|
||||||
if (!node)
|
if (!node)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
@ -758,7 +759,11 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* This is the slow part of avc audit with big stack footprint */
|
/*
|
||||||
|
* This is the slow part of avc audit with big stack footprint.
|
||||||
|
* Note that it is non-blocking and can be called from under
|
||||||
|
* rcu_read_lock().
|
||||||
|
*/
|
||||||
noinline int slow_avc_audit(struct selinux_state *state,
|
noinline int slow_avc_audit(struct selinux_state *state,
|
||||||
u32 ssid, u32 tsid, u16 tclass,
|
u32 ssid, u32 tsid, u16 tclass,
|
||||||
u32 requested, u32 audited, u32 denied, int result,
|
u32 requested, u32 audited, u32 denied, int result,
|
||||||
|
@ -819,13 +824,13 @@ int __init avc_add_callback(int (*callback)(u32 event), u32 events)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* avc_update_node Update an AVC entry
|
* avc_update_node - Update an AVC entry
|
||||||
* @event : Updating event
|
* @event : Updating event
|
||||||
* @perms : Permission mask bits
|
* @perms : Permission mask bits
|
||||||
* @ssid,@tsid,@tclass : identifier of an AVC entry
|
* @ssid,@tsid,@tclass : identifier of an AVC entry
|
||||||
* @seqno : sequence number when decision was made
|
* @seqno : sequence number when decision was made
|
||||||
* @xpd: extended_perms_decision to be added to the node
|
* @xpd: extended_perms_decision to be added to the node
|
||||||
* @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0.
|
* @flags: the AVC_* flags, e.g. AVC_EXTENDED_PERMS, or 0.
|
||||||
*
|
*
|
||||||
* if a valid AVC entry doesn't exist,this function returns -ENOENT.
|
* if a valid AVC entry doesn't exist,this function returns -ENOENT.
|
||||||
* if kmalloc() called internal returns NULL, this function returns -ENOMEM.
|
* if kmalloc() called internal returns NULL, this function returns -ENOMEM.
|
||||||
|
@ -844,21 +849,6 @@ static int avc_update_node(struct selinux_avc *avc,
|
||||||
struct hlist_head *head;
|
struct hlist_head *head;
|
||||||
spinlock_t *lock;
|
spinlock_t *lock;
|
||||||
|
|
||||||
/*
|
|
||||||
* If we are in a non-blocking code path, e.g. VFS RCU walk,
|
|
||||||
* then we must not add permissions to a cache entry
|
|
||||||
* because we will not audit the denial. Otherwise,
|
|
||||||
* during the subsequent blocking retry (e.g. VFS ref walk), we
|
|
||||||
* will find the permissions already granted in the cache entry
|
|
||||||
* and won't audit anything at all, leading to silent denials in
|
|
||||||
* permissive mode that only appear when in enforcing mode.
|
|
||||||
*
|
|
||||||
* See the corresponding handling of MAY_NOT_BLOCK in avc_audit()
|
|
||||||
* and selinux_inode_permission().
|
|
||||||
*/
|
|
||||||
if (flags & AVC_NONBLOCKING)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
node = avc_alloc_node(avc);
|
node = avc_alloc_node(avc);
|
||||||
if (!node) {
|
if (!node) {
|
||||||
rc = -ENOMEM;
|
rc = -ENOMEM;
|
||||||
|
@ -1119,7 +1109,7 @@ int avc_has_extended_perms(struct selinux_state *state,
|
||||||
* @tsid: target security identifier
|
* @tsid: target security identifier
|
||||||
* @tclass: target security class
|
* @tclass: target security class
|
||||||
* @requested: requested permissions, interpreted based on @tclass
|
* @requested: requested permissions, interpreted based on @tclass
|
||||||
* @flags: AVC_STRICT, AVC_NONBLOCKING, or 0
|
* @flags: AVC_STRICT or 0
|
||||||
* @avd: access vector decisions
|
* @avd: access vector decisions
|
||||||
*
|
*
|
||||||
* Check the AVC to determine whether the @requested permissions are granted
|
* Check the AVC to determine whether the @requested permissions are granted
|
||||||
|
@ -1190,26 +1180,7 @@ int avc_has_perm(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass,
|
||||||
&avd);
|
&avd);
|
||||||
|
|
||||||
rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc,
|
rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc,
|
||||||
auditdata, 0);
|
auditdata);
|
||||||
if (rc2)
|
|
||||||
return rc2;
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
int avc_has_perm_flags(struct selinux_state *state,
|
|
||||||
u32 ssid, u32 tsid, u16 tclass, u32 requested,
|
|
||||||
struct common_audit_data *auditdata,
|
|
||||||
int flags)
|
|
||||||
{
|
|
||||||
struct av_decision avd;
|
|
||||||
int rc, rc2;
|
|
||||||
|
|
||||||
rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested,
|
|
||||||
(flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
|
|
||||||
&avd);
|
|
||||||
|
|
||||||
rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc,
|
|
||||||
auditdata, flags);
|
|
||||||
if (rc2)
|
if (rc2)
|
||||||
return rc2;
|
return rc2;
|
||||||
return rc;
|
return rc;
|
||||||
|
|
|
@ -1676,7 +1676,7 @@ static int cred_has_capability(const struct cred *cred,
|
||||||
sid, sid, sclass, av, 0, &avd);
|
sid, sid, sclass, av, 0, &avd);
|
||||||
if (!(opts & CAP_OPT_NOAUDIT)) {
|
if (!(opts & CAP_OPT_NOAUDIT)) {
|
||||||
int rc2 = avc_audit(&selinux_state,
|
int rc2 = avc_audit(&selinux_state,
|
||||||
sid, sid, sclass, av, &avd, rc, &ad, 0);
|
sid, sid, sclass, av, &avd, rc, &ad);
|
||||||
if (rc2)
|
if (rc2)
|
||||||
return rc2;
|
return rc2;
|
||||||
}
|
}
|
||||||
|
@ -3153,9 +3153,8 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
|
||||||
if (IS_ERR(isec))
|
if (IS_ERR(isec))
|
||||||
return PTR_ERR(isec);
|
return PTR_ERR(isec);
|
||||||
|
|
||||||
return avc_has_perm_flags(&selinux_state,
|
return avc_has_perm(&selinux_state,
|
||||||
sid, isec->sid, isec->sclass, FILE__READ, &ad,
|
sid, isec->sid, isec->sclass, FILE__READ, &ad);
|
||||||
rcu ? MAY_NOT_BLOCK : 0);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static noinline int audit_inode_permission(struct inode *inode,
|
static noinline int audit_inode_permission(struct inode *inode,
|
||||||
|
@ -3164,17 +3163,13 @@ static noinline int audit_inode_permission(struct inode *inode,
|
||||||
{
|
{
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct inode_security_struct *isec = selinux_inode(inode);
|
struct inode_security_struct *isec = selinux_inode(inode);
|
||||||
int rc;
|
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_INODE;
|
ad.type = LSM_AUDIT_DATA_INODE;
|
||||||
ad.u.inode = inode;
|
ad.u.inode = inode;
|
||||||
|
|
||||||
rc = slow_avc_audit(&selinux_state,
|
return slow_avc_audit(&selinux_state,
|
||||||
current_sid(), isec->sid, isec->sclass, perms,
|
current_sid(), isec->sid, isec->sclass, perms,
|
||||||
audited, denied, result, &ad);
|
audited, denied, result, &ad);
|
||||||
if (rc)
|
|
||||||
return rc;
|
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int selinux_inode_permission(struct inode *inode, int mask)
|
static int selinux_inode_permission(struct inode *inode, int mask)
|
||||||
|
@ -3209,8 +3204,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
|
||||||
return PTR_ERR(isec);
|
return PTR_ERR(isec);
|
||||||
|
|
||||||
rc = avc_has_perm_noaudit(&selinux_state,
|
rc = avc_has_perm_noaudit(&selinux_state,
|
||||||
sid, isec->sid, isec->sclass, perms,
|
sid, isec->sid, isec->sclass, perms, 0,
|
||||||
no_block ? AVC_NONBLOCKING : 0,
|
|
||||||
&avd);
|
&avd);
|
||||||
audited = avc_audit_required(perms, &avd, rc,
|
audited = avc_audit_required(perms, &avd, rc,
|
||||||
from_access ? FILE__AUDIT_ACCESS : 0,
|
from_access ? FILE__AUDIT_ACCESS : 0,
|
||||||
|
@ -3218,10 +3212,6 @@ static int selinux_inode_permission(struct inode *inode, int mask)
|
||||||
if (likely(!audited))
|
if (likely(!audited))
|
||||||
return rc;
|
return rc;
|
||||||
|
|
||||||
/* fall back to ref-walk if we have to generate audit */
|
|
||||||
if (no_block)
|
|
||||||
return -ECHILD;
|
|
||||||
|
|
||||||
rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
|
rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
|
||||||
if (rc2)
|
if (rc2)
|
||||||
return rc2;
|
return rc2;
|
||||||
|
@ -6850,7 +6840,7 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IBENDPORT;
|
ad.type = LSM_AUDIT_DATA_IBENDPORT;
|
||||||
strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
|
ibendport.dev_name = dev_name;
|
||||||
ibendport.port = port_num;
|
ibendport.port = port_num;
|
||||||
ad.u.ibendport = &ibendport;
|
ad.u.ibendport = &ibendport;
|
||||||
return avc_has_perm(&selinux_state,
|
return avc_has_perm(&selinux_state,
|
||||||
|
|
|
@ -111,7 +111,6 @@ int slow_avc_audit(struct selinux_state *state,
|
||||||
* @avd: access vector decisions
|
* @avd: access vector decisions
|
||||||
* @result: result from avc_has_perm_noaudit
|
* @result: result from avc_has_perm_noaudit
|
||||||
* @a: auxiliary audit data
|
* @a: auxiliary audit data
|
||||||
* @flags: VFS walk flags
|
|
||||||
*
|
*
|
||||||
* Audit the granting or denial of permissions in accordance
|
* Audit the granting or denial of permissions in accordance
|
||||||
* with the policy. This function is typically called by
|
* with the policy. This function is typically called by
|
||||||
|
@ -127,16 +126,12 @@ static inline int avc_audit(struct selinux_state *state,
|
||||||
u16 tclass, u32 requested,
|
u16 tclass, u32 requested,
|
||||||
struct av_decision *avd,
|
struct av_decision *avd,
|
||||||
int result,
|
int result,
|
||||||
struct common_audit_data *a,
|
struct common_audit_data *a)
|
||||||
int flags)
|
|
||||||
{
|
{
|
||||||
u32 audited, denied;
|
u32 audited, denied;
|
||||||
audited = avc_audit_required(requested, avd, result, 0, &denied);
|
audited = avc_audit_required(requested, avd, result, 0, &denied);
|
||||||
if (likely(!audited))
|
if (likely(!audited))
|
||||||
return 0;
|
return 0;
|
||||||
/* fall back to ref-walk if we have to generate audit */
|
|
||||||
if (flags & MAY_NOT_BLOCK)
|
|
||||||
return -ECHILD;
|
|
||||||
return slow_avc_audit(state, ssid, tsid, tclass,
|
return slow_avc_audit(state, ssid, tsid, tclass,
|
||||||
requested, audited, denied, result,
|
requested, audited, denied, result,
|
||||||
a);
|
a);
|
||||||
|
@ -144,7 +139,6 @@ static inline int avc_audit(struct selinux_state *state,
|
||||||
|
|
||||||
#define AVC_STRICT 1 /* Ignore permissive mode. */
|
#define AVC_STRICT 1 /* Ignore permissive mode. */
|
||||||
#define AVC_EXTENDED_PERMS 2 /* update extended permissions */
|
#define AVC_EXTENDED_PERMS 2 /* update extended permissions */
|
||||||
#define AVC_NONBLOCKING 4 /* non blocking */
|
|
||||||
int avc_has_perm_noaudit(struct selinux_state *state,
|
int avc_has_perm_noaudit(struct selinux_state *state,
|
||||||
u32 ssid, u32 tsid,
|
u32 ssid, u32 tsid,
|
||||||
u16 tclass, u32 requested,
|
u16 tclass, u32 requested,
|
||||||
|
@ -155,11 +149,6 @@ int avc_has_perm(struct selinux_state *state,
|
||||||
u32 ssid, u32 tsid,
|
u32 ssid, u32 tsid,
|
||||||
u16 tclass, u32 requested,
|
u16 tclass, u32 requested,
|
||||||
struct common_audit_data *auditdata);
|
struct common_audit_data *auditdata);
|
||||||
int avc_has_perm_flags(struct selinux_state *state,
|
|
||||||
u32 ssid, u32 tsid,
|
|
||||||
u16 tclass, u32 requested,
|
|
||||||
struct common_audit_data *auditdata,
|
|
||||||
int flags);
|
|
||||||
|
|
||||||
int avc_has_extended_perms(struct selinux_state *state,
|
int avc_has_extended_perms(struct selinux_state *state,
|
||||||
u32 ssid, u32 tsid, u16 tclass, u32 requested,
|
u32 ssid, u32 tsid, u16 tclass, u32 requested,
|
||||||
|
|
|
@ -23,7 +23,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
|
||||||
struct xfrm_sec_ctx *polsec, u32 secid);
|
struct xfrm_sec_ctx *polsec, u32 secid);
|
||||||
void selinux_xfrm_state_free(struct xfrm_state *x);
|
void selinux_xfrm_state_free(struct xfrm_state *x);
|
||||||
int selinux_xfrm_state_delete(struct xfrm_state *x);
|
int selinux_xfrm_state_delete(struct xfrm_state *x);
|
||||||
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
|
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid);
|
||||||
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
|
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
|
||||||
struct xfrm_policy *xp,
|
struct xfrm_policy *xp,
|
||||||
const struct flowi_common *flic);
|
const struct flowi_common *flic);
|
||||||
|
|
|
@ -29,7 +29,7 @@ static struct kmem_cache *avtab_xperms_cachep __ro_after_init;
|
||||||
/* Based on MurmurHash3, written by Austin Appleby and placed in the
|
/* Based on MurmurHash3, written by Austin Appleby and placed in the
|
||||||
* public domain.
|
* public domain.
|
||||||
*/
|
*/
|
||||||
static inline int avtab_hash(struct avtab_key *keyp, u32 mask)
|
static inline int avtab_hash(const struct avtab_key *keyp, u32 mask)
|
||||||
{
|
{
|
||||||
static const u32 c1 = 0xcc9e2d51;
|
static const u32 c1 = 0xcc9e2d51;
|
||||||
static const u32 c2 = 0x1b873593;
|
static const u32 c2 = 0x1b873593;
|
||||||
|
@ -68,7 +68,7 @@ static inline int avtab_hash(struct avtab_key *keyp, u32 mask)
|
||||||
static struct avtab_node*
|
static struct avtab_node*
|
||||||
avtab_insert_node(struct avtab *h, int hvalue,
|
avtab_insert_node(struct avtab *h, int hvalue,
|
||||||
struct avtab_node *prev, struct avtab_node *cur,
|
struct avtab_node *prev, struct avtab_node *cur,
|
||||||
struct avtab_key *key, struct avtab_datum *datum)
|
const struct avtab_key *key, const struct avtab_datum *datum)
|
||||||
{
|
{
|
||||||
struct avtab_node *newnode;
|
struct avtab_node *newnode;
|
||||||
struct avtab_extended_perms *xperms;
|
struct avtab_extended_perms *xperms;
|
||||||
|
@ -103,7 +103,8 @@ avtab_insert_node(struct avtab *h, int hvalue,
|
||||||
return newnode;
|
return newnode;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum)
|
static int avtab_insert(struct avtab *h, const struct avtab_key *key,
|
||||||
|
const struct avtab_datum *datum)
|
||||||
{
|
{
|
||||||
int hvalue;
|
int hvalue;
|
||||||
struct avtab_node *prev, *cur, *newnode;
|
struct avtab_node *prev, *cur, *newnode;
|
||||||
|
@ -147,8 +148,9 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
|
||||||
* key/specified mask into the table, as needed by the conditional avtab.
|
* key/specified mask into the table, as needed by the conditional avtab.
|
||||||
* It also returns a pointer to the node inserted.
|
* It also returns a pointer to the node inserted.
|
||||||
*/
|
*/
|
||||||
struct avtab_node *
|
struct avtab_node *avtab_insert_nonunique(struct avtab *h,
|
||||||
avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum)
|
const struct avtab_key *key,
|
||||||
|
const struct avtab_datum *datum)
|
||||||
{
|
{
|
||||||
int hvalue;
|
int hvalue;
|
||||||
struct avtab_node *prev, *cur;
|
struct avtab_node *prev, *cur;
|
||||||
|
@ -178,7 +180,7 @@ avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datu
|
||||||
return avtab_insert_node(h, hvalue, prev, cur, key, datum);
|
return avtab_insert_node(h, hvalue, prev, cur, key, datum);
|
||||||
}
|
}
|
||||||
|
|
||||||
struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key)
|
struct avtab_datum *avtab_search(struct avtab *h, const struct avtab_key *key)
|
||||||
{
|
{
|
||||||
int hvalue;
|
int hvalue;
|
||||||
struct avtab_node *cur;
|
struct avtab_node *cur;
|
||||||
|
@ -213,8 +215,8 @@ struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key)
|
||||||
/* This search function returns a node pointer, and can be used in
|
/* This search function returns a node pointer, and can be used in
|
||||||
* conjunction with avtab_search_next_node()
|
* conjunction with avtab_search_next_node()
|
||||||
*/
|
*/
|
||||||
struct avtab_node*
|
struct avtab_node *avtab_search_node(struct avtab *h,
|
||||||
avtab_search_node(struct avtab *h, struct avtab_key *key)
|
const struct avtab_key *key)
|
||||||
{
|
{
|
||||||
int hvalue;
|
int hvalue;
|
||||||
struct avtab_node *cur;
|
struct avtab_node *cur;
|
||||||
|
@ -396,8 +398,8 @@ static uint16_t spec_order[] = {
|
||||||
};
|
};
|
||||||
|
|
||||||
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
||||||
int (*insertf)(struct avtab *a, struct avtab_key *k,
|
int (*insertf)(struct avtab *a, const struct avtab_key *k,
|
||||||
struct avtab_datum *d, void *p),
|
const struct avtab_datum *d, void *p),
|
||||||
void *p)
|
void *p)
|
||||||
{
|
{
|
||||||
__le16 buf16[4];
|
__le16 buf16[4];
|
||||||
|
@ -557,8 +559,8 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
||||||
return insertf(a, &key, &datum, p);
|
return insertf(a, &key, &datum, p);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int avtab_insertf(struct avtab *a, struct avtab_key *k,
|
static int avtab_insertf(struct avtab *a, const struct avtab_key *k,
|
||||||
struct avtab_datum *d, void *p)
|
const struct avtab_datum *d, void *p)
|
||||||
{
|
{
|
||||||
return avtab_insert(a, k, d);
|
return avtab_insert(a, k, d);
|
||||||
}
|
}
|
||||||
|
@ -607,7 +609,7 @@ int avtab_read(struct avtab *a, void *fp, struct policydb *pol)
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp)
|
int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp)
|
||||||
{
|
{
|
||||||
__le16 buf16[4];
|
__le16 buf16[4];
|
||||||
__le32 buf32[ARRAY_SIZE(cur->datum.u.xperms->perms.p)];
|
__le32 buf32[ARRAY_SIZE(cur->datum.u.xperms->perms.p)];
|
||||||
|
|
|
@ -90,24 +90,26 @@ struct avtab {
|
||||||
void avtab_init(struct avtab *h);
|
void avtab_init(struct avtab *h);
|
||||||
int avtab_alloc(struct avtab *, u32);
|
int avtab_alloc(struct avtab *, u32);
|
||||||
int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);
|
int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);
|
||||||
struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k);
|
struct avtab_datum *avtab_search(struct avtab *h, const struct avtab_key *k);
|
||||||
void avtab_destroy(struct avtab *h);
|
void avtab_destroy(struct avtab *h);
|
||||||
void avtab_hash_eval(struct avtab *h, char *tag);
|
void avtab_hash_eval(struct avtab *h, char *tag);
|
||||||
|
|
||||||
struct policydb;
|
struct policydb;
|
||||||
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
|
||||||
int (*insert)(struct avtab *a, struct avtab_key *k,
|
int (*insert)(struct avtab *a, const struct avtab_key *k,
|
||||||
struct avtab_datum *d, void *p),
|
const struct avtab_datum *d, void *p),
|
||||||
void *p);
|
void *p);
|
||||||
|
|
||||||
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
|
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
|
||||||
int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp);
|
int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp);
|
||||||
int avtab_write(struct policydb *p, struct avtab *a, void *fp);
|
int avtab_write(struct policydb *p, struct avtab *a, void *fp);
|
||||||
|
|
||||||
struct avtab_node *avtab_insert_nonunique(struct avtab *h, struct avtab_key *key,
|
struct avtab_node *avtab_insert_nonunique(struct avtab *h,
|
||||||
struct avtab_datum *datum);
|
const struct avtab_key *key,
|
||||||
|
const struct avtab_datum *datum);
|
||||||
|
|
||||||
struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key);
|
struct avtab_node *avtab_search_node(struct avtab *h,
|
||||||
|
const struct avtab_key *key);
|
||||||
|
|
||||||
struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
|
struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
|
||||||
|
|
||||||
|
|
|
@ -254,7 +254,8 @@ struct cond_insertf_data {
|
||||||
struct cond_av_list *other;
|
struct cond_av_list *other;
|
||||||
};
|
};
|
||||||
|
|
||||||
static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr)
|
static int cond_insertf(struct avtab *a, const struct avtab_key *k,
|
||||||
|
const struct avtab_datum *d, void *ptr)
|
||||||
{
|
{
|
||||||
struct cond_insertf_data *data = ptr;
|
struct cond_insertf_data *data = ptr;
|
||||||
struct policydb *p = data->p;
|
struct policydb *p = data->p;
|
||||||
|
@ -628,7 +629,8 @@ static int cond_dup_av_list(struct cond_av_list *new,
|
||||||
static int duplicate_policydb_cond_list(struct policydb *newp,
|
static int duplicate_policydb_cond_list(struct policydb *newp,
|
||||||
struct policydb *origp)
|
struct policydb *origp)
|
||||||
{
|
{
|
||||||
int rc, i, j;
|
int rc;
|
||||||
|
u32 i;
|
||||||
|
|
||||||
rc = avtab_alloc_dup(&newp->te_cond_avtab, &origp->te_cond_avtab);
|
rc = avtab_alloc_dup(&newp->te_cond_avtab, &origp->te_cond_avtab);
|
||||||
if (rc)
|
if (rc)
|
||||||
|
@ -648,12 +650,12 @@ static int duplicate_policydb_cond_list(struct policydb *newp,
|
||||||
newp->cond_list_len++;
|
newp->cond_list_len++;
|
||||||
|
|
||||||
newn->cur_state = orign->cur_state;
|
newn->cur_state = orign->cur_state;
|
||||||
newn->expr.nodes = kcalloc(orign->expr.len,
|
newn->expr.nodes = kmemdup(orign->expr.nodes,
|
||||||
sizeof(*newn->expr.nodes), GFP_KERNEL);
|
orign->expr.len * sizeof(*orign->expr.nodes),
|
||||||
|
GFP_KERNEL);
|
||||||
if (!newn->expr.nodes)
|
if (!newn->expr.nodes)
|
||||||
goto error;
|
goto error;
|
||||||
for (j = 0; j < orign->expr.len; j++)
|
|
||||||
newn->expr.nodes[j] = orign->expr.nodes[j];
|
|
||||||
newn->expr.len = orign->expr.len;
|
newn->expr.len = orign->expr.len;
|
||||||
|
|
||||||
rc = cond_dup_av_list(&newn->true_list, &orign->true_list,
|
rc = cond_dup_av_list(&newn->true_list, &orign->true_list,
|
||||||
|
|
|
@ -2589,7 +2589,6 @@ int policydb_read(struct policydb *p, void *fp)
|
||||||
if (rc)
|
if (rc)
|
||||||
goto bad;
|
goto bad;
|
||||||
|
|
||||||
rc = -EINVAL;
|
|
||||||
rtk->role = le32_to_cpu(buf[0]);
|
rtk->role = le32_to_cpu(buf[0]);
|
||||||
rtk->type = le32_to_cpu(buf[1]);
|
rtk->type = le32_to_cpu(buf[1]);
|
||||||
rtd->new_role = le32_to_cpu(buf[2]);
|
rtd->new_role = le32_to_cpu(buf[2]);
|
||||||
|
|
|
@ -859,6 +859,7 @@ int security_validate_transition(struct selinux_state *state,
|
||||||
* It returns 0, if @newsid is bounded by @oldsid.
|
* It returns 0, if @newsid is bounded by @oldsid.
|
||||||
* Otherwise, it returns error code.
|
* Otherwise, it returns error code.
|
||||||
*
|
*
|
||||||
|
* @state: SELinux state
|
||||||
* @oldsid : current security identifier
|
* @oldsid : current security identifier
|
||||||
* @newsid : destinated security identifier
|
* @newsid : destinated security identifier
|
||||||
*/
|
*/
|
||||||
|
@ -1098,6 +1099,7 @@ void security_compute_xperms_decision(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_compute_av - Compute access vector decisions.
|
* security_compute_av - Compute access vector decisions.
|
||||||
|
* @state: SELinux state
|
||||||
* @ssid: source security identifier
|
* @ssid: source security identifier
|
||||||
* @tsid: target security identifier
|
* @tsid: target security identifier
|
||||||
* @tclass: target security class
|
* @tclass: target security class
|
||||||
|
@ -1386,6 +1388,7 @@ static int security_sid_to_context_core(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_sid_to_context - Obtain a context for a given SID.
|
* security_sid_to_context - Obtain a context for a given SID.
|
||||||
|
* @state: SELinux state
|
||||||
* @sid: security identifier, SID
|
* @sid: security identifier, SID
|
||||||
* @scontext: security context
|
* @scontext: security context
|
||||||
* @scontext_len: length in bytes
|
* @scontext_len: length in bytes
|
||||||
|
@ -1411,6 +1414,7 @@ int security_sid_to_context_force(struct selinux_state *state, u32 sid,
|
||||||
/**
|
/**
|
||||||
* security_sid_to_context_inval - Obtain a context for a given SID if it
|
* security_sid_to_context_inval - Obtain a context for a given SID if it
|
||||||
* is invalid.
|
* is invalid.
|
||||||
|
* @state: SELinux state
|
||||||
* @sid: security identifier, SID
|
* @sid: security identifier, SID
|
||||||
* @scontext: security context
|
* @scontext: security context
|
||||||
* @scontext_len: length in bytes
|
* @scontext_len: length in bytes
|
||||||
|
@ -1587,6 +1591,7 @@ static int security_context_to_sid_core(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_context_to_sid - Obtain a SID for a given security context.
|
* security_context_to_sid - Obtain a SID for a given security context.
|
||||||
|
* @state: SELinux state
|
||||||
* @scontext: security context
|
* @scontext: security context
|
||||||
* @scontext_len: length in bytes
|
* @scontext_len: length in bytes
|
||||||
* @sid: security identifier, SID
|
* @sid: security identifier, SID
|
||||||
|
@ -1616,6 +1621,7 @@ int security_context_str_to_sid(struct selinux_state *state,
|
||||||
* security_context_to_sid_default - Obtain a SID for a given security context,
|
* security_context_to_sid_default - Obtain a SID for a given security context,
|
||||||
* falling back to specified default if needed.
|
* falling back to specified default if needed.
|
||||||
*
|
*
|
||||||
|
* @state: SELinux state
|
||||||
* @scontext: security context
|
* @scontext: security context
|
||||||
* @scontext_len: length in bytes
|
* @scontext_len: length in bytes
|
||||||
* @sid: security identifier, SID
|
* @sid: security identifier, SID
|
||||||
|
@ -1907,6 +1913,7 @@ static int security_compute_sid(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_transition_sid - Compute the SID for a new subject/object.
|
* security_transition_sid - Compute the SID for a new subject/object.
|
||||||
|
* @state: SELinux state
|
||||||
* @ssid: source security identifier
|
* @ssid: source security identifier
|
||||||
* @tsid: target security identifier
|
* @tsid: target security identifier
|
||||||
* @tclass: target security class
|
* @tclass: target security class
|
||||||
|
@ -1962,6 +1969,7 @@ int security_member_sid(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_change_sid - Compute the SID for object relabeling.
|
* security_change_sid - Compute the SID for object relabeling.
|
||||||
|
* @state: SELinux state
|
||||||
* @ssid: source security identifier
|
* @ssid: source security identifier
|
||||||
* @tsid: target security identifier
|
* @tsid: target security identifier
|
||||||
* @tclass: target security class
|
* @tclass: target security class
|
||||||
|
@ -2060,7 +2068,6 @@ static int convert_context(struct context *oldc, struct context *newc, void *p)
|
||||||
context_init(newc);
|
context_init(newc);
|
||||||
|
|
||||||
/* Convert the user. */
|
/* Convert the user. */
|
||||||
rc = -EINVAL;
|
|
||||||
usrdatum = symtab_search(&args->newp->p_users,
|
usrdatum = symtab_search(&args->newp->p_users,
|
||||||
sym_name(args->oldp,
|
sym_name(args->oldp,
|
||||||
SYM_USERS, oldc->user - 1));
|
SYM_USERS, oldc->user - 1));
|
||||||
|
@ -2069,7 +2076,6 @@ static int convert_context(struct context *oldc, struct context *newc, void *p)
|
||||||
newc->user = usrdatum->value;
|
newc->user = usrdatum->value;
|
||||||
|
|
||||||
/* Convert the role. */
|
/* Convert the role. */
|
||||||
rc = -EINVAL;
|
|
||||||
role = symtab_search(&args->newp->p_roles,
|
role = symtab_search(&args->newp->p_roles,
|
||||||
sym_name(args->oldp, SYM_ROLES, oldc->role - 1));
|
sym_name(args->oldp, SYM_ROLES, oldc->role - 1));
|
||||||
if (!role)
|
if (!role)
|
||||||
|
@ -2077,7 +2083,6 @@ static int convert_context(struct context *oldc, struct context *newc, void *p)
|
||||||
newc->role = role->value;
|
newc->role = role->value;
|
||||||
|
|
||||||
/* Convert the type. */
|
/* Convert the type. */
|
||||||
rc = -EINVAL;
|
|
||||||
typdatum = symtab_search(&args->newp->p_types,
|
typdatum = symtab_search(&args->newp->p_types,
|
||||||
sym_name(args->oldp,
|
sym_name(args->oldp,
|
||||||
SYM_TYPES, oldc->type - 1));
|
SYM_TYPES, oldc->type - 1));
|
||||||
|
@ -2101,7 +2106,6 @@ static int convert_context(struct context *oldc, struct context *newc, void *p)
|
||||||
oc = args->newp->ocontexts[OCON_ISID];
|
oc = args->newp->ocontexts[OCON_ISID];
|
||||||
while (oc && oc->sid[0] != SECINITSID_UNLABELED)
|
while (oc && oc->sid[0] != SECINITSID_UNLABELED)
|
||||||
oc = oc->next;
|
oc = oc->next;
|
||||||
rc = -EINVAL;
|
|
||||||
if (!oc) {
|
if (!oc) {
|
||||||
pr_err("SELinux: unable to look up"
|
pr_err("SELinux: unable to look up"
|
||||||
" the initial SIDs list\n");
|
" the initial SIDs list\n");
|
||||||
|
@ -2264,6 +2268,7 @@ void selinux_policy_commit(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_load_policy - Load a security policy configuration.
|
* security_load_policy - Load a security policy configuration.
|
||||||
|
* @state: SELinux state
|
||||||
* @data: binary policy data
|
* @data: binary policy data
|
||||||
* @len: length of data in bytes
|
* @len: length of data in bytes
|
||||||
*
|
*
|
||||||
|
@ -2371,6 +2376,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_port_sid - Obtain the SID for a port.
|
* security_port_sid - Obtain the SID for a port.
|
||||||
|
* @state: SELinux state
|
||||||
* @protocol: protocol number
|
* @protocol: protocol number
|
||||||
* @port: port number
|
* @port: port number
|
||||||
* @out_sid: security identifier
|
* @out_sid: security identifier
|
||||||
|
@ -2427,7 +2433,8 @@ int security_port_sid(struct selinux_state *state,
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_pkey_sid - Obtain the SID for a pkey.
|
* security_ib_pkey_sid - Obtain the SID for a pkey.
|
||||||
|
* @state: SELinux state
|
||||||
* @subnet_prefix: Subnet Prefix
|
* @subnet_prefix: Subnet Prefix
|
||||||
* @pkey_num: pkey number
|
* @pkey_num: pkey number
|
||||||
* @out_sid: security identifier
|
* @out_sid: security identifier
|
||||||
|
@ -2486,6 +2493,7 @@ int security_ib_pkey_sid(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_ib_endport_sid - Obtain the SID for a subnet management interface.
|
* security_ib_endport_sid - Obtain the SID for a subnet management interface.
|
||||||
|
* @state: SELinux state
|
||||||
* @dev_name: device name
|
* @dev_name: device name
|
||||||
* @port: port number
|
* @port: port number
|
||||||
* @out_sid: security identifier
|
* @out_sid: security identifier
|
||||||
|
@ -2544,6 +2552,7 @@ int security_ib_endport_sid(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_netif_sid - Obtain the SID for a network interface.
|
* security_netif_sid - Obtain the SID for a network interface.
|
||||||
|
* @state: SELinux state
|
||||||
* @name: interface name
|
* @name: interface name
|
||||||
* @if_sid: interface SID
|
* @if_sid: interface SID
|
||||||
*/
|
*/
|
||||||
|
@ -2618,6 +2627,7 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_node_sid - Obtain the SID for a node (host).
|
* security_node_sid - Obtain the SID for a node (host).
|
||||||
|
* @state: SELinux state
|
||||||
* @domain: communication domain aka address family
|
* @domain: communication domain aka address family
|
||||||
* @addrp: address
|
* @addrp: address
|
||||||
* @addrlen: address length in bytes
|
* @addrlen: address length in bytes
|
||||||
|
@ -2711,6 +2721,7 @@ int security_node_sid(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_get_user_sids - Obtain reachable SIDs for a user.
|
* security_get_user_sids - Obtain reachable SIDs for a user.
|
||||||
|
* @state: SELinux state
|
||||||
* @fromsid: starting SID
|
* @fromsid: starting SID
|
||||||
* @username: username
|
* @username: username
|
||||||
* @sids: array of reachable SIDs for user
|
* @sids: array of reachable SIDs for user
|
||||||
|
@ -2903,6 +2914,7 @@ static inline int __security_genfs_sid(struct selinux_policy *policy,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_genfs_sid - Obtain a SID for a file in a filesystem
|
* security_genfs_sid - Obtain a SID for a file in a filesystem
|
||||||
|
* @state: SELinux state
|
||||||
* @fstype: filesystem type
|
* @fstype: filesystem type
|
||||||
* @path: path from root of mount
|
* @path: path from root of mount
|
||||||
* @sclass: file security class
|
* @sclass: file security class
|
||||||
|
@ -2947,6 +2959,7 @@ int selinux_policy_genfs_sid(struct selinux_policy *policy,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_fs_use - Determine how to handle labeling for a filesystem.
|
* security_fs_use - Determine how to handle labeling for a filesystem.
|
||||||
|
* @state: SELinux state
|
||||||
* @sb: superblock in question
|
* @sb: superblock in question
|
||||||
*/
|
*/
|
||||||
int security_fs_use(struct selinux_state *state, struct super_block *sb)
|
int security_fs_use(struct selinux_state *state, struct super_block *sb)
|
||||||
|
@ -3286,6 +3299,7 @@ int security_sid_mls_copy(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_net_peersid_resolve - Compare and resolve two network peer SIDs
|
* security_net_peersid_resolve - Compare and resolve two network peer SIDs
|
||||||
|
* @state: SELinux state
|
||||||
* @nlbl_sid: NetLabel SID
|
* @nlbl_sid: NetLabel SID
|
||||||
* @nlbl_type: NetLabel labeling protocol type
|
* @nlbl_type: NetLabel labeling protocol type
|
||||||
* @xfrm_sid: XFRM SID
|
* @xfrm_sid: XFRM SID
|
||||||
|
@ -3510,6 +3524,7 @@ int security_get_allow_unknown(struct selinux_state *state)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_policycap_supported - Check for a specific policy capability
|
* security_policycap_supported - Check for a specific policy capability
|
||||||
|
* @state: SELinux state
|
||||||
* @req_cap: capability
|
* @req_cap: capability
|
||||||
*
|
*
|
||||||
* Description:
|
* Description:
|
||||||
|
@ -3844,6 +3859,7 @@ static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
|
* security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
|
||||||
|
* @state: SELinux state
|
||||||
* @secattr: the NetLabel packet security attributes
|
* @secattr: the NetLabel packet security attributes
|
||||||
* @sid: the SELinux SID
|
* @sid: the SELinux SID
|
||||||
*
|
*
|
||||||
|
@ -3926,6 +3942,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
|
* security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
|
||||||
|
* @state: SELinux state
|
||||||
* @sid: the SELinux SID
|
* @sid: the SELinux SID
|
||||||
* @secattr: the NetLabel packet security attributes
|
* @secattr: the NetLabel packet security attributes
|
||||||
*
|
*
|
||||||
|
|
|
@ -150,7 +150,7 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
|
||||||
* LSM hook implementation that authorizes that a flow can use a xfrm policy
|
* LSM hook implementation that authorizes that a flow can use a xfrm policy
|
||||||
* rule.
|
* rule.
|
||||||
*/
|
*/
|
||||||
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
|
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
|
||||||
{
|
{
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue