static LIST_HEAD(superblock_security_head);
static DEFINE_SPINLOCK(sb_security_lock);
-static kmem_cache_t *sel_inode_cache;
+static struct kmem_cache *sel_inode_cache;
/* Return security context for a given sid or just the context
length if the buffer is null or length is 0 */
struct task_security_struct *tsec = current->security;
struct inode_security_struct *isec;
- isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
+ isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
if (!isec)
return -ENOMEM;
- memset(isec, 0, sizeof(*isec));
mutex_init(&isec->lock);
INIT_LIST_HEAD(&isec->list);
isec->inode = inode;
sbsec->initialized = 1;
if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
- printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
+ printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
sb->s_id, sb->s_type->name);
}
else {
- printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
+ printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
sb->s_id, sb->s_type->name,
labeling_behaviors[sbsec->behavior-1]);
}
struct inode_security_struct *isec;
struct avc_audit_data ad;
+ if (unlikely (IS_PRIVATE (inode)))
+ return 0;
+
tsec = tsk->security;
isec = inode->i_security;
{
struct task_security_struct *tsec = tsk->security;
struct file_security_struct *fsec = file->f_security;
- struct vfsmount *mnt = file->f_vfsmnt;
- struct dentry *dentry = file->f_dentry;
+ struct vfsmount *mnt = file->f_path.mnt;
+ struct dentry *dentry = file->f_path.dentry;
struct inode *inode = dentry->d_inode;
struct avc_audit_data ad;
int rc;
return task_has_capability(tsk,cap);
}
+static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
+{
+ int buflen, rc;
+ char *buffer, *path, *end;
+
+ rc = -ENOMEM;
+ buffer = (char*)__get_free_page(GFP_KERNEL);
+ if (!buffer)
+ goto out;
+
+ buflen = PAGE_SIZE;
+ end = buffer+buflen;
+ *--end = '\0';
+ buflen--;
+ path = end-1;
+ *path = '/';
+ while (table) {
+ const char *name = table->procname;
+ size_t namelen = strlen(name);
+ buflen -= namelen + 1;
+ if (buflen < 0)
+ goto out_free;
+ end -= namelen;
+ memcpy(end, name, namelen);
+ *--end = '/';
+ path = end;
+ table = table->parent;
+ }
+ buflen -= 4;
+ if (buflen < 0)
+ goto out_free;
+ end -= 4;
+ memcpy(end, "/sys", 4);
+ path = end;
+ rc = security_genfs_sid("proc", path, tclass, sid);
+out_free:
+ free_page((unsigned long)buffer);
+out:
+ return rc;
+}
+
static int selinux_sysctl(ctl_table *table, int op)
{
int error = 0;
tsec = current->security;
- rc = selinux_proc_get_sid(table->de, (op == 001) ?
- SECCLASS_DIR : SECCLASS_FILE, &tsid);
+ rc = selinux_sysctl_get_sid(table, (op == 0001) ?
+ SECCLASS_DIR : SECCLASS_FILE, &tsid);
if (rc) {
/* Default to the well-defined sysctl SID. */
tsid = SECINITSID_SYSCTL;
static int selinux_bprm_set_security(struct linux_binprm *bprm)
{
struct task_security_struct *tsec;
- struct inode *inode = bprm->file->f_dentry->d_inode;
+ struct inode *inode = bprm->file->f_path.dentry->d_inode;
struct inode_security_struct *isec;
struct bprm_security_struct *bsec;
u32 newsid;
}
AVC_AUDIT_DATA_INIT(&ad, FS);
- ad.u.fs.mnt = bprm->file->f_vfsmnt;
- ad.u.fs.dentry = bprm->file->f_dentry;
+ ad.u.fs.mnt = bprm->file->f_path.mnt;
+ ad.u.fs.dentry = bprm->file->f_path.dentry;
- if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
+ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
newsid = tsec->sid;
if (tsec->sid == newsid) {
struct tty_struct *tty;
struct fdtable *fdt;
long j = -1;
+ int drop_tty = 0;
mutex_lock(&tty_mutex);
- tty = current->signal->tty;
+ tty = get_current_tty();
if (tty) {
file_list_lock();
file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
than using file_has_perm, as this particular open
file may belong to another process and we are only
interested in the inode-based check here. */
- struct inode *inode = file->f_dentry->d_inode;
+ struct inode *inode = file->f_path.dentry->d_inode;
if (inode_has_perm(current, inode,
FILE__READ | FILE__WRITE, NULL)) {
- /* Reset controlling tty. */
- current->signal->tty = NULL;
- current->signal->tty_old_pgrp = 0;
+ drop_tty = 1;
}
}
file_list_unlock();
+
+ /* Reset controlling tty. */
+ if (drop_tty)
+ proc_set_tty(current, NULL);
}
mutex_unlock(&tty_mutex);
j++;
i = j * __NFDBITS;
fdt = files_fdtable(files);
- if (i >= fdt->max_fds || i >= fdt->max_fdset)
+ if (i >= fdt->max_fds)
break;
set = fdt->open_fds->fds_bits[j];
if (!set)
static int selinux_file_permission(struct file *file, int mask)
{
int rc;
- struct inode *inode = file->f_dentry->d_inode;
+ struct inode *inode = file->f_path.dentry->d_inode;
if (!mask) {
/* No permission to check. Existence test. */
switch (cmd) {
case F_SETFL:
- if (!file->f_dentry || !file->f_dentry->d_inode) {
+ if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
err = -EINVAL;
break;
}
case F_SETLK64:
case F_SETLKW64:
#endif
- if (!file->f_dentry || !file->f_dentry->d_inode) {
+ if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
err = -EINVAL;
break;
}
struct file_security_struct *fsec;
/* struct fown_struct is never outside the context of a struct file */
- file = (struct file *)((long)fown - offsetof(struct file,f_owner));
+ file = container_of(fown, struct file, f_owner);
tsec = tsk->security;
fsec = file->f_security;
static int selinux_register_security (const char *name, struct security_operations *ops)
{
if (secondary_ops != original_ops) {
- printk(KERN_INFO "%s: There is already a secondary security "
+ printk(KERN_ERR "%s: There is already a secondary security "
"module registered.\n", __FUNCTION__);
return -EINVAL;
}
static int selinux_unregister_security (const char *name, struct security_operations *ops)
{
if (ops != secondary_ops) {
- printk (KERN_INFO "%s: trying to unregister a security module "
+ printk(KERN_ERR "%s: trying to unregister a security module "
"that is not registered.\n", __FUNCTION__);
return -EINVAL;
}
panic("SELinux: Unable to register with kernel.\n");
if (selinux_enforcing) {
- printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
+ printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
} else {
- printk(KERN_INFO "SELinux: Starting in permissive mode\n");
+ printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
}
#ifdef CONFIG_KEYS
void selinux_complete_init(void)
{
- printk(KERN_INFO "SELinux: Completing initialization.\n");
+ printk(KERN_DEBUG "SELinux: Completing initialization.\n");
/* Set up any superblocks initialized prior to the policy load. */
- printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
+ printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
spin_lock(&sb_lock);
spin_lock(&sb_security_lock);
next_sb:
if (!selinux_enabled)
goto out;
-
- printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
-
+
+ printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
+
err = nf_register_hook(&selinux_ipv4_op);
if (err)
panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static void selinux_nf_ip_exit(void)
{
- printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
+ printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
nf_unregister_hook(&selinux_ipv4_op);
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
projects / ~andy / linux / blobdiff