aeda4ac3
Commit
aeda4ac3
authored
Jan 10, 2011
by
James Morris
Merge branch 'master' of
git://git.infradead.org/users/eparis/selinux
into next
parents
d2e7ad19
350e4f31
Showing
11 changed files
with
944 additions
and
931 deletions
+944
-931
include/linux/flex_array.h
include/linux/flex_array.h
+1
-1
security/selinux/hooks.c
security/selinux/hooks.c
+4
-1
security/selinux/nlmsgtab.c
security/selinux/nlmsgtab.c
+2
-0
security/selinux/selinuxfs.c
security/selinux/selinuxfs.c
+311
-338
security/selinux/ss/conditional.c
security/selinux/ss/conditional.c
+5
-1
security/selinux/ss/mls.c
security/selinux/ss/mls.c
+13
-12
security/selinux/ss/policydb.c
security/selinux/ss/policydb.c
+351
-350
security/selinux/ss/policydb.h
security/selinux/ss/policydb.h
+9
-10
security/selinux/ss/services.c
security/selinux/ss/services.c
+209
-216
security/selinux/ss/sidtab.c
security/selinux/ss/sidtab.c
+37
-2
security/selinux/ss/sidtab.h
security/selinux/ss/sidtab.h
+2
-0
include/linux/flex_array.h
...
@@ -71,7 +71,7 @@ void *flex_array_get(struct flex_array *fa, unsigned int element_nr);
...
@@ -71,7 +71,7 @@ void *flex_array_get(struct flex_array *fa, unsigned int element_nr);
int
flex_array_shrink
(
struct
flex_array
*
fa
);
int
flex_array_shrink
(
struct
flex_array
*
fa
);
#define flex_array_put_ptr(fa, nr, src, gfp) \
#define flex_array_put_ptr(fa, nr, src, gfp) \
flex_array_put(fa, nr,
&(void *)
(src), gfp)
flex_array_put(fa, nr,
(void *)&
(src), gfp)
void
*
flex_array_get_ptr
(
struct
flex_array
*
fa
,
unsigned
int
element_nr
);
void
*
flex_array_get_ptr
(
struct
flex_array
*
fa
,
unsigned
int
element_nr
);
...
...
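Review bot: The corrected expansion stores the value of `src` (its address is taken only so that `flex_array_put()` can copy it), which is easy to misread from the `&` in the macro, and the macro carries no comment. A line such as `/* store the pointer value held in lvalue src as element nr; src must be addressable */` above the `#define` would make that explicit. The old form `&(void *)(src)` took the address of a cast expression, which is not an lvalue, so this is a build fix rather than a behaviour change.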
security/selinux/hooks.c
...
@@ -2525,7 +2525,10 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
...
@@ -2525,7 +2525,10 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
sid
=
tsec
->
sid
;
sid
=
tsec
->
sid
;
newsid
=
tsec
->
create_sid
;
newsid
=
tsec
->
create_sid
;
if
(
!
newsid
||
!
(
sbsec
->
flags
&
SE_SBLABELSUPP
))
{
if
((
sbsec
->
flags
&
SE_SBINITIALIZED
)
&&
(
sbsec
->
behavior
==
SECURITY_FS_USE_MNTPOINT
))
newsid
=
sbsec
->
mntpoint_sid
;
else
if
(
!
newsid
||
!
(
sbsec
->
flags
&
SE_SBLABELSUPP
))
{
rc
=
security_transition_sid
(
sid
,
dsec
->
sid
,
rc
=
security_transition_sid
(
sid
,
dsec
->
sid
,
inode_mode_to_security_class
(
inode
->
i_mode
),
inode_mode_to_security_class
(
inode
->
i_mode
),
&
newsid
);
&
newsid
);
...
...
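Review bot: The new first branch assigns `sbsec->mntpoint_sid` to `newsid` regardless of whether `tsec->create_sid` was set two lines above, so a process that requested a creation label has it silently replaced on a mountpoint-labelled filesystem, and nothing in the hunk says this is intended. If the reasoning is that such a filesystem cannot carry per-inode labels (my guess, not visible here), a comment on the branch would stop the next reader from "fixing" it: `/* mntpoint-labelled fs: every inode carries the mount label, so a requested create_sid cannot be honoured */`. The enclosing `selinux_inode_init_security()` starts and ends outside the hunk.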
security/selinux/nlmsgtab.c
...
@@ -65,6 +65,8 @@ static struct nlmsg_perm nlmsg_route_perms[] =
...
@@ -65,6 +65,8 @@ static struct nlmsg_perm nlmsg_route_perms[] =
{
RTM_NEWADDRLABEL
,
NETLINK_ROUTE_SOCKET__NLMSG_WRITE
},
{
RTM_NEWADDRLABEL
,
NETLINK_ROUTE_SOCKET__NLMSG_WRITE
},
{
RTM_DELADDRLABEL
,
NETLINK_ROUTE_SOCKET__NLMSG_WRITE
},
{
RTM_DELADDRLABEL
,
NETLINK_ROUTE_SOCKET__NLMSG_WRITE
},
{
RTM_GETADDRLABEL
,
NETLINK_ROUTE_SOCKET__NLMSG_READ
},
{
RTM_GETADDRLABEL
,
NETLINK_ROUTE_SOCKET__NLMSG_READ
},
{
RTM_GETDCB
,
NETLINK_ROUTE_SOCKET__NLMSG_READ
},
{
RTM_SETDCB
,
NETLINK_ROUTE_SOCKET__NLMSG_WRITE
},
};
};
static
struct
nlmsg_perm
nlmsg_firewall_perms
[]
=
static
struct
nlmsg_perm
nlmsg_firewall_perms
[]
=
...
...
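Review bot: The two DCB entries extend a permission table that has no check that it tracks the full RTM_* range, so the next message type added to rtnetlink will again be missing here until someone notices. I would add a comment above `nlmsg_route_perms[]` such as `/* must be kept in sync with the RTM_* definitions in the rtnetlink header */`, and, where the table is consumed, a compile-time assertion that the highest RTM_* value the table knows matches `RTM_MAX`. How an unlisted message type is treated is decided by the lookup code, which is outside this hunk.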
security/selinux/selinuxfs.c
security/selinux/ss/conditional.c
...
@@ -193,6 +193,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
...
@@ -193,6 +193,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
{
{
struct
policydb
*
p
;
struct
policydb
*
p
;
struct
cond_bool_datum
*
booldatum
;
struct
cond_bool_datum
*
booldatum
;
struct
flex_array
*
fa
;
booldatum
=
datum
;
booldatum
=
datum
;
p
=
datap
;
p
=
datap
;
...
@@ -200,7 +201,10 @@ int cond_index_bool(void *key, void *datum, void *datap)
...
@@ -200,7 +201,10 @@ int cond_index_bool(void *key, void *datum, void *datap)
if
(
!
booldatum
->
value
||
booldatum
->
value
>
p
->
p_bools
.
nprim
)
if
(
!
booldatum
->
value
||
booldatum
->
value
>
p
->
p_bools
.
nprim
)
return
-
EINVAL
;
return
-
EINVAL
;
p
->
p_bool_val_to_name
[
booldatum
->
value
-
1
]
=
key
;
fa
=
p
->
sym_val_to_name
[
SYM_BOOLS
];
if
(
flex_array_put_ptr
(
fa
,
booldatum
->
value
-
1
,
key
,
GFP_KERNEL
|
__GFP_ZERO
))
BUG
();
p
->
bool_val_to_struct
[
booldatum
->
value
-
1
]
=
booldatum
;
p
->
bool_val_to_struct
[
booldatum
->
value
-
1
]
=
booldatum
;
return
0
;
return
0
;
...
...
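Review bot: `BUG()` on a failed `flex_array_put_ptr()` turns a policy-load error into a kernel panic, while the same function returns `-EINVAL` a few lines earlier for a bad boolean value; a failed store should propagate the same way, e.g. `if (flex_array_put_ptr(fa, booldatum->value - 1, key, GFP_KERNEL | __GFP_ZERO))` followed by `return -ENOMEM;` or the helper's own return code. Whether the put can fail at all depends on how `sym_val_to_name[SYM_BOOLS]` is sized and preallocated in policydb.c, which is collapsed on this page; if it is preallocated for `nprim` elements the call cannot fail after the range check and the `BUG()` is only an assertion, which is worth stating in a comment. The `__GFP_ZERO` flag is also left unexplained.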
security/selinux/ss/mls.c
...
@@ -45,7 +45,7 @@ int mls_compute_context_len(struct context *context)
...
@@ -45,7 +45,7 @@ int mls_compute_context_len(struct context *context)
len
=
1
;
/* for the beginning ":" */
len
=
1
;
/* for the beginning ":" */
for
(
l
=
0
;
l
<
2
;
l
++
)
{
for
(
l
=
0
;
l
<
2
;
l
++
)
{
int
index_sens
=
context
->
range
.
level
[
l
].
sens
;
int
index_sens
=
context
->
range
.
level
[
l
].
sens
;
len
+=
strlen
(
policydb
.
p_sens_val_to_name
[
index_sens
-
1
]
);
len
+=
strlen
(
sym_name
(
&
policydb
,
SYM_LEVELS
,
index_sens
-
1
)
);
/* categories */
/* categories */
head
=
-
2
;
head
=
-
2
;
...
@@ -55,17 +55,17 @@ int mls_compute_context_len(struct context *context)
...
@@ -55,17 +55,17 @@ int mls_compute_context_len(struct context *context)
if
(
i
-
prev
>
1
)
{
if
(
i
-
prev
>
1
)
{
/* one or more negative bits are skipped */
/* one or more negative bits are skipped */
if
(
head
!=
prev
)
{
if
(
head
!=
prev
)
{
nm
=
policydb
.
p_cat_val_to_name
[
prev
]
;
nm
=
sym_name
(
&
policydb
,
SYM_CATS
,
prev
)
;
len
+=
strlen
(
nm
)
+
1
;
len
+=
strlen
(
nm
)
+
1
;
}
}
nm
=
policydb
.
p_cat_val_to_name
[
i
]
;
nm
=
sym_name
(
&
policydb
,
SYM_CATS
,
i
)
;
len
+=
strlen
(
nm
)
+
1
;
len
+=
strlen
(
nm
)
+
1
;
head
=
i
;
head
=
i
;
}
}
prev
=
i
;
prev
=
i
;
}
}
if
(
prev
!=
head
)
{
if
(
prev
!=
head
)
{
nm
=
policydb
.
p_cat_val_to_name
[
prev
]
;
nm
=
sym_name
(
&
policydb
,
SYM_CATS
,
prev
)
;
len
+=
strlen
(
nm
)
+
1
;
len
+=
strlen
(
nm
)
+
1
;
}
}
if
(
l
==
0
)
{
if
(
l
==
0
)
{
...
@@ -102,8 +102,8 @@ void mls_sid_to_context(struct context *context,
...
@@ -102,8 +102,8 @@ void mls_sid_to_context(struct context *context,
scontextp
++
;
scontextp
++
;
for
(
l
=
0
;
l
<
2
;
l
++
)
{
for
(
l
=
0
;
l
<
2
;
l
++
)
{
strcpy
(
scontextp
,
strcpy
(
scontextp
,
sym_name
(
&
policydb
,
SYM_LEVELS
,
policydb
.
p_sens_val_to_name
[
context
->
range
.
level
[
l
].
sens
-
1
]
);
context
->
range
.
level
[
l
].
sens
-
1
)
);
scontextp
+=
strlen
(
scontextp
);
scontextp
+=
strlen
(
scontextp
);
/* categories */
/* categories */
...
@@ -118,7 +118,7 @@ void mls_sid_to_context(struct context *context,
...
@@ -118,7 +118,7 @@ void mls_sid_to_context(struct context *context,
*
scontextp
++
=
'.'
;
*
scontextp
++
=
'.'
;
else
else
*
scontextp
++
=
','
;
*
scontextp
++
=
','
;
nm
=
policydb
.
p_cat_val_to_name
[
prev
]
;
nm
=
sym_name
(
&
policydb
,
SYM_CATS
,
prev
)
;
strcpy
(
scontextp
,
nm
);
strcpy
(
scontextp
,
nm
);
scontextp
+=
strlen
(
nm
);
scontextp
+=
strlen
(
nm
);
}
}
...
@@ -126,7 +126,7 @@ void mls_sid_to_context(struct context *context,
...
@@ -126,7 +126,7 @@ void mls_sid_to_context(struct context *context,
*
scontextp
++
=
':'
;
*
scontextp
++
=
':'
;
else
else
*
scontextp
++
=
','
;
*
scontextp
++
=
','
;
nm
=
policydb
.
p_cat_val_to_name
[
i
]
;
nm
=
sym_name
(
&
policydb
,
SYM_CATS
,
i
)
;
strcpy
(
scontextp
,
nm
);
strcpy
(
scontextp
,
nm
);
scontextp
+=
strlen
(
nm
);
scontextp
+=
strlen
(
nm
);
head
=
i
;
head
=
i
;
...
@@ -139,7 +139,7 @@ void mls_sid_to_context(struct context *context,
...
@@ -139,7 +139,7 @@ void mls_sid_to_context(struct context *context,
*
scontextp
++
=
'.'
;
*
scontextp
++
=
'.'
;
else
else
*
scontextp
++
=
','
;
*
scontextp
++
=
','
;
nm
=
policydb
.
p_cat_val_to_name
[
prev
]
;
nm
=
sym_name
(
&
policydb
,
SYM_CATS
,
prev
)
;
strcpy
(
scontextp
,
nm
);
strcpy
(
scontextp
,
nm
);
scontextp
+=
strlen
(
nm
);
scontextp
+=
strlen
(
nm
);
}
}
...
@@ -166,7 +166,7 @@ int mls_level_isvalid(struct policydb *p, struct mls_level *l)
...
@@ -166,7 +166,7 @@ int mls_level_isvalid(struct policydb *p, struct mls_level *l)
if
(
!
l
->
sens
||
l
->
sens
>
p
->
p_levels
.
nprim
)
if
(
!
l
->
sens
||
l
->
sens
>
p
->
p_levels
.
nprim
)
return
0
;
return
0
;
levdatum
=
hashtab_search
(
p
->
p_levels
.
table
,
levdatum
=
hashtab_search
(
p
->
p_levels
.
table
,
p
->
p_sens_val_to_name
[
l
->
sens
-
1
]
);
sym_name
(
p
,
SYM_LEVELS
,
l
->
sens
-
1
)
);
if
(
!
levdatum
)
if
(
!
levdatum
)
return
0
;
return
0
;
...
@@ -482,7 +482,8 @@ int mls_convert_context(struct policydb *oldp,
...
@@ -482,7 +482,8 @@ int mls_convert_context(struct policydb *oldp,
for
(
l
=
0
;
l
<
2
;
l
++
)
{
for
(
l
=
0
;
l
<
2
;
l
++
)
{
levdatum
=
hashtab_search
(
newp
->
p_levels
.
table
,
levdatum
=
hashtab_search
(
newp
->
p_levels
.
table
,
oldp
->
p_sens_val_to_name
[
c
->
range
.
level
[
l
].
sens
-
1
]);
sym_name
(
oldp
,
SYM_LEVELS
,
c
->
range
.
level
[
l
].
sens
-
1
));
if
(
!
levdatum
)
if
(
!
levdatum
)
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -493,7 +494,7 @@ int mls_convert_context(struct policydb *oldp,
...
@@ -493,7 +494,7 @@ int mls_convert_context(struct policydb *oldp,
int
rc
;
int
rc
;
catdatum
=
hashtab_search
(
newp
->
p_cats
.
table
,
catdatum
=
hashtab_search
(
newp
->
p_cats
.
table
,
oldp
->
p_cat_val_to_name
[
i
]
);
sym_name
(
oldp
,
SYM_CATS
,
i
)
);
if
(
!
catdatum
)
if
(
!
catdatum
)
return
-
EINVAL
;
return
-
EINVAL
;
rc
=
ebitmap_set_bit
(
&
bitmap
,
catdatum
->
value
-
1
,
1
);
rc
=
ebitmap_set_bit
(
&
bitmap
,
catdatum
->
value
-
1
,
1
);
...
...
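Review bot: Every new `sym_name()` call in this file (the `mls_compute_context_len` hunk and the `mls_sid_to_context` hunks) feeds the result straight into `strlen()` or `strcpy()` with no NULL check, and as I read `flex_array_get_ptr()` it returns NULL for an index the array never stored. The previous `p_sens_val_to_name[...]` / `p_cat_val_to_name[...]` tables had the same property, so this is not a regression, but the helper now hides the lookup and the dependence on the context having been validated first is no longer visible at the call site. A one-line comment at the first use in `mls_compute_context_len`, e.g. `/* NOTE: relies on the context having been validated; sym_name() returns NULL for an unknown value */`, would record the assumption; both functions start and end outside the hunks.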
security/selinux/ss/policydb.c
security/selinux/ss/policydb.h
...
@@ -203,21 +203,13 @@ struct policydb {
...
@@ -203,21 +203,13 @@ struct policydb {
#define p_cats symtab[SYM_CATS]
#define p_cats symtab[SYM_CATS]
/* symbol names indexed by (value - 1) */
/* symbol names indexed by (value - 1) */
char
**
sym_val_to_name
[
SYM_NUM
];
struct
flex_array
*
sym_val_to_name
[
SYM_NUM
];
#define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
#define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
#define p_role_val_to_name sym_val_to_name[SYM_ROLES]
#define p_type_val_to_name sym_val_to_name[SYM_TYPES]
#define p_user_val_to_name sym_val_to_name[SYM_USERS]
#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
#define p_cat_val_to_name sym_val_to_name[SYM_CATS]
/* class, role, and user attributes indexed by (value - 1) */
/* class, role, and user attributes indexed by (value - 1) */
struct
class_datum
**
class_val_to_struct
;
struct
class_datum
**
class_val_to_struct
;
struct
role_datum
**
role_val_to_struct
;
struct
role_datum
**
role_val_to_struct
;
struct
user_datum
**
user_val_to_struct
;
struct
user_datum
**
user_val_to_struct
;
struct
type_datum
**
type_val_to_struct
;
struct
flex_array
*
type_val_to_struct_array
;
/* type enforcement access vectors and transitions */
/* type enforcement access vectors and transitions */
struct
avtab
te_avtab
;
struct
avtab
te_avtab
;
...
@@ -321,6 +313,13 @@ static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file
...
@@ -321,6 +313,13 @@ static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file
return
0
;
return
0
;
}
}
static
inline
char
*
sym_name
(
struct
policydb
*
p
,
unsigned
int
sym_num
,
unsigned
int
element_nr
)
{
struct
flex_array
*
fa
=
p
->
sym_val_to_name
[
sym_num
];
return
flex_array_get_ptr
(
fa
,
element_nr
);
}
extern
u16
string_to_security_class
(
struct
policydb
*
p
,
const
char
*
name
);
extern
u16
string_to_security_class
(
struct
policydb
*
p
,
const
char
*
name
);
extern
u32
string_to_av_perm
(
struct
policydb
*
p
,
u16
tclass
,
const
char
*
name
);
extern
u32
string_to_av_perm
(
struct
policydb
*
p
,
u16
tclass
,
const
char
*
name
);
...
...
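Review bot: `sym_name()` is a new helper exported from the header with no comment, and its contract matters: it indexes `sym_val_to_name[sym_num]` without checking `sym_num < SYM_NUM`, and `flex_array_get_ptr()` (as I read it) returns NULL when `element_nr` is out of range, so callers must either trust their inputs or check for NULL. I would put `/* Name of symbol (element_nr + 1) of class sym_num; sym_num must be < SYM_NUM; returns NULL for an element that was never stored. */` above it. Returning `const char *` would also match the `const char *name` parameters of the neighbouring declarations, though that change ripples into the callers in mls.c and services.c.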
security/selinux/ss/services.c
security/selinux/ss/sidtab.c
...
@@ -147,6 +147,17 @@ int sidtab_map(struct sidtab *s,
...
@@ -147,6 +147,17 @@ int sidtab_map(struct sidtab *s,
return
rc
;
return
rc
;
}
}
static
void
sidtab_update_cache
(
struct
sidtab
*
s
,
struct
sidtab_node
*
n
,
int
loc
)
{
BUG_ON
(
loc
>=
SIDTAB_CACHE_LEN
);
while
(
loc
>
0
)
{
s
->
cache
[
loc
]
=
s
->
cache
[
loc
-
1
];
loc
--
;
}
s
->
cache
[
0
]
=
n
;
}
static
inline
u32
sidtab_search_context
(
struct
sidtab
*
s
,
static
inline
u32
sidtab_search_context
(
struct
sidtab
*
s
,
struct
context
*
context
)
struct
context
*
context
)
{
{
...
@@ -156,14 +167,33 @@ static inline u32 sidtab_search_context(struct sidtab *s,
...
@@ -156,14 +167,33 @@ static inline u32 sidtab_search_context(struct sidtab *s,
for
(
i
=
0
;
i
<
SIDTAB_SIZE
;
i
++
)
{
for
(
i
=
0
;
i
<
SIDTAB_SIZE
;
i
++
)
{
cur
=
s
->
htable
[
i
];
cur
=
s
->
htable
[
i
];
while
(
cur
)
{
while
(
cur
)
{
if
(
context_cmp
(
&
cur
->
context
,
context
))
if
(
context_cmp
(
&
cur
->
context
,
context
))
{
sidtab_update_cache
(
s
,
cur
,
SIDTAB_CACHE_LEN
-
1
);
return
cur
->
sid
;
return
cur
->
sid
;
}
cur
=
cur
->
next
;
cur
=
cur
->
next
;
}
}
}
}
return
0
;
return
0
;
}
}
static
inline
u32
sidtab_search_cache
(
struct
sidtab
*
s
,
struct
context
*
context
)
{
int
i
;
struct
sidtab_node
*
node
;
for
(
i
=
0
;
i
<
SIDTAB_CACHE_LEN
;
i
++
)
{
node
=
s
->
cache
[
i
];
if
(
unlikely
(
!
node
))
return
0
;
if
(
context_cmp
(
&
node
->
context
,
context
))
{
sidtab_update_cache
(
s
,
node
,
i
);
return
node
->
sid
;
}
}
return
0
;
}
int
sidtab_context_to_sid
(
struct
sidtab
*
s
,
int
sidtab_context_to_sid
(
struct
sidtab
*
s
,
struct
context
*
context
,
struct
context
*
context
,
u32
*
out_sid
)
u32
*
out_sid
)
...
@@ -174,6 +204,8 @@ int sidtab_context_to_sid(struct sidtab *s,
...
@@ -174,6 +204,8 @@ int sidtab_context_to_sid(struct sidtab *s,
*
out_sid
=
SECSID_NULL
;
*
out_sid
=
SECSID_NULL
;
sid
=
sidtab_search_cache
(
s
,
context
);
if
(
!
sid
)
sid
=
sidtab_search_context
(
s
,
context
);
sid
=
sidtab_search_context
(
s
,
context
);
if
(
!
sid
)
{
if
(
!
sid
)
{
spin_lock_irqsave
(
&
s
->
lock
,
flags
);
spin_lock_irqsave
(
&
s
->
lock
,
flags
);
...
@@ -259,12 +291,15 @@ void sidtab_destroy(struct sidtab *s)
...
@@ -259,12 +291,15 @@ void sidtab_destroy(struct sidtab *s)
void
sidtab_set
(
struct
sidtab
*
dst
,
struct
sidtab
*
src
)
void
sidtab_set
(
struct
sidtab
*
dst
,
struct
sidtab
*
src
)
{
{
unsigned
long
flags
;
unsigned
long
flags
;
int
i
;
spin_lock_irqsave
(
&
src
->
lock
,
flags
);
spin_lock_irqsave
(
&
src
->
lock
,
flags
);
dst
->
htable
=
src
->
htable
;
dst
->
htable
=
src
->
htable
;
dst
->
nel
=
src
->
nel
;
dst
->
nel
=
src
->
nel
;
dst
->
next_sid
=
src
->
next_sid
;
dst
->
next_sid
=
src
->
next_sid
;
dst
->
shutdown
=
0
;
dst
->
shutdown
=
0
;
for
(
i
=
0
;
i
<
SIDTAB_CACHE_LEN
;
i
++
)
dst
->
cache
[
i
]
=
NULL
;
spin_unlock_irqrestore
(
&
src
->
lock
,
flags
);
spin_unlock_irqrestore
(
&
src
->
lock
,
flags
);
}
}
...
...
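Review bot: `sidtab_update_cache()` writes `s->cache[]` without `s->lock`: both `sidtab_search_cache()` and `sidtab_search_context()` call it from `sidtab_context_to_sid()` before the `spin_lock_irqsave()` in the later hunk, so two CPUs can shift the array concurrently and a reader can observe a half-shifted array. If nodes are never freed before `sidtab_destroy()`, which I cannot confirm from here, the worst outcome is a stale or duplicated entry rather than a dangling pointer, but that reasoning should be written down, and the shared loads and stores should go through `ACCESS_ONCE()` so the compiler cannot tear or re-read them. I would add above `sidtab_update_cache()`: `/* MRU cache, most recent at cache[0]. Updated without s->lock: entries are node pointers that stay valid for the table's lifetime, so a racing reader sees at worst a stale entry. */`.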
security/selinux/ss/sidtab.h
...
@@ -26,6 +26,8 @@ struct sidtab {
...
@@ -26,6 +26,8 @@ struct sidtab {
unsigned
int
nel
;
/* number of elements */
unsigned
int
nel
;
/* number of elements */
unsigned
int
next_sid
;
/* next SID to allocate */
unsigned
int
next_sid
;
/* next SID to allocate */
unsigned
char
shutdown
;
unsigned
char
shutdown
;
#define SIDTAB_CACHE_LEN 3
struct
sidtab_node
*
cache
[
SIDTAB_CACHE_LEN
];
spinlock_t
lock
;
spinlock_t
lock
;
};
};
...
...
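Review bot: The new `cache` member is the only field in `struct sidtab` without a trailing comment, while `nel` and `next_sid` next to it document themselves; `struct sidtab_node *cache[SIDTAB_CACHE_LEN]; /* MRU cache of matched nodes, most recent at [0] */` would match the neighbours. Defining `SIDTAB_CACHE_LEN` in the middle of the struct body is also unusual; moving the `#define` above `struct sidtab` keeps the layout readable and is where sidtab.c would expect to find it.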