Commit 19b5b517 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
  SELinux: one little, two little, three little whitespaces, the avc.c saga.
  SELinux: cleanup on isle selinuxfs.c
  changing whitespace for fun and profit: policydb.c
  SELinux: whitespace and formating fixes for hooks.c
  SELinux: clean up printks
  SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: services.c whitespace, syntax, and static declaraction cleanups
  SELinux: mls.c whitespace, syntax, and static declaraction cleanups
  SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups
  SELinux: conditional.c whitespace, syntax, and static declaraction cleanups
  SELinux: avtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups
  SELinux: nlmsgtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: netnode.c whitespace, syntax, and static declaraction cleanups
  SELinux: netlink.c whitespace, syntax, and static declaraction cleanups
  SELinux: netlabel.c whitespace, syntax, and static declaraction cleanups
  SELinux: netif.c whitespace, syntax, and static declaraction cleanups
parents bda0c0af 95fff33b
...@@ -2,16 +2,16 @@ ...@@ -2,16 +2,16 @@
* Implementation of the kernel access vector cache (AVC). * Implementation of the kernel access vector cache (AVC).
* *
* Authors: Stephen Smalley, <sds@epoch.ncsc.mil> * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
* James Morris <jmorris@redhat.com> * James Morris <jmorris@redhat.com>
* *
* Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com>
* Replaced the avc_lock spinlock by RCU. * Replaced the avc_lock spinlock by RCU.
* *
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2, * it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation. * as published by the Free Software Foundation.
*/ */
#include <linux/types.h> #include <linux/types.h>
#include <linux/stddef.h> #include <linux/stddef.h>
...@@ -44,7 +44,7 @@ static const char *class_to_string[] = { ...@@ -44,7 +44,7 @@ static const char *class_to_string[] = {
#undef S_ #undef S_
}; };
#define TB_(s) static const char * s [] = { #define TB_(s) static const char *s[] = {
#define TE_(s) }; #define TE_(s) };
#define S_(s) s, #define S_(s) s,
#include "common_perm_to_string.h" #include "common_perm_to_string.h"
...@@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = { ...@@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = {
#define AVC_CACHE_RECLAIM 16 #define AVC_CACHE_RECLAIM 16
#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
#define avc_cache_stats_incr(field) \ #define avc_cache_stats_incr(field) \
do { \ do { \
per_cpu(avc_cache_stats, get_cpu()).field++; \ per_cpu(avc_cache_stats, get_cpu()).field++; \
put_cpu(); \ put_cpu(); \
...@@ -92,7 +92,7 @@ struct avc_entry { ...@@ -92,7 +92,7 @@ struct avc_entry {
struct avc_node { struct avc_node {
struct avc_entry ae; struct avc_entry ae;
struct list_head list; struct list_head list;
struct rcu_head rhead; struct rcu_head rhead;
}; };
struct avc_cache { struct avc_cache {
...@@ -105,8 +105,8 @@ struct avc_cache { ...@@ -105,8 +105,8 @@ struct avc_cache {
struct avc_callback_node { struct avc_callback_node {
int (*callback) (u32 event, u32 ssid, u32 tsid, int (*callback) (u32 event, u32 ssid, u32 tsid,
u16 tclass, u32 perms, u16 tclass, u32 perms,
u32 *out_retained); u32 *out_retained);
u32 events; u32 events;
u32 ssid; u32 ssid;
u32 tsid; u32 tsid;
...@@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla ...@@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
char *scontext; char *scontext;
u32 scontext_len; u32 scontext_len;
rc = security_sid_to_context(ssid, &scontext, &scontext_len); rc = security_sid_to_context(ssid, &scontext, &scontext_len);
if (rc) if (rc)
audit_log_format(ab, "ssid=%d", ssid); audit_log_format(ab, "ssid=%d", ssid);
else { else {
...@@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void) ...@@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void)
int hvalue, try, ecx; int hvalue, try, ecx;
unsigned long flags; unsigned long flags;
for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++ ) { for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags))
...@@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert) ...@@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
spin_lock_irqsave(&notif_lock, flag); spin_lock_irqsave(&notif_lock, flag);
if (is_insert) { if (is_insert) {
if (seqno < avc_cache.latest_notif) { if (seqno < avc_cache.latest_notif) {
printk(KERN_WARNING "avc: seqno %d < latest_notif %d\n", printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n",
seqno, avc_cache.latest_notif); seqno, avc_cache.latest_notif);
ret = -EAGAIN; ret = -EAGAIN;
} }
...@@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en ...@@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en
if (pos->ae.ssid == ssid && if (pos->ae.ssid == ssid &&
pos->ae.tsid == tsid && pos->ae.tsid == tsid &&
pos->ae.tclass == tclass) { pos->ae.tclass == tclass) {
avc_node_replace(node, pos); avc_node_replace(node, pos);
goto found; goto found;
} }
} }
...@@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr, ...@@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
* before calling the auditing code. * before calling the auditing code.
*/ */
void avc_audit(u32 ssid, u32 tsid, void avc_audit(u32 ssid, u32 tsid,
u16 tclass, u32 requested, u16 tclass, u32 requested,
struct av_decision *avd, int result, struct avc_audit_data *a) struct av_decision *avd, int result, struct avc_audit_data *a)
{ {
struct task_struct *tsk = current; struct task_struct *tsk = current;
struct inode *inode = NULL; struct inode *inode = NULL;
...@@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid, ...@@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid,
return; return;
} else if (result) { } else if (result) {
audited = denied = requested; audited = denied = requested;
} else { } else {
audited = requested; audited = requested;
if (!(audited & avd->auditallow)) if (!(audited & avd->auditallow))
return; return;
...@@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid, ...@@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid,
if (!ab) if (!ab)
return; /* audit_panic has been called */ return; /* audit_panic has been called */
audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
avc_dump_av(ab, tclass,audited); avc_dump_av(ab, tclass, audited);
audit_log_format(ab, " for "); audit_log_format(ab, " for ");
if (a && a->tsk) if (a && a->tsk)
tsk = a->tsk; tsk = a->tsk;
...@@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid, ...@@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid,
break; break;
} }
} }
switch (a->u.net.family) { switch (a->u.net.family) {
case AF_INET: case AF_INET:
avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
...@@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid, ...@@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid,
* -%ENOMEM if insufficient memory exists to add the callback. * -%ENOMEM if insufficient memory exists to add the callback.
*/ */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
u16 tclass, u32 perms, u16 tclass, u32 perms,
u32 *out_retained), u32 *out_retained),
u32 events, u32 ssid, u32 tsid, u32 events, u32 ssid, u32 tsid,
u16 tclass, u32 perms) u16 tclass, u32 perms)
{ {
struct avc_callback_node *c; struct avc_callback_node *c;
int rc = 0; int rc = 0;
...@@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass) ...@@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass)
hvalue = avc_hash(ssid, tsid, tclass); hvalue = avc_hash(ssid, tsid, tclass);
spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag);
list_for_each_entry(pos, &avc_cache.slots[hvalue], list){ list_for_each_entry(pos, &avc_cache.slots[hvalue], list) {
if ( ssid==pos->ae.ssid && if (ssid == pos->ae.ssid &&
tsid==pos->ae.tsid && tsid == pos->ae.tsid &&
tclass==pos->ae.tclass ){ tclass == pos->ae.tclass){
orig = pos; orig = pos;
break; break;
} }
...@@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno) ...@@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno)
for (c = avc_callbacks; c; c = c->next) { for (c = avc_callbacks; c; c = c->next) {
if (c->events & AVC_CALLBACK_RESET) { if (c->events & AVC_CALLBACK_RESET) {
tmprc = c->callback(AVC_CALLBACK_RESET, tmprc = c->callback(AVC_CALLBACK_RESET,
0, 0, 0, 0, NULL); 0, 0, 0, 0, NULL);
/* save the first error encountered for the return /* save the first error encountered for the return
value and continue processing the callbacks */ value and continue processing the callbacks */
if (!rc) if (!rc)
...@@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, ...@@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
node = avc_lookup(ssid, tsid, tclass, requested); node = avc_lookup(ssid, tsid, tclass, requested);
if (!node) { if (!node) {
rcu_read_unlock(); rcu_read_unlock();
rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd); rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd);
if (rc) if (rc)
goto out; goto out;
rcu_read_lock(); rcu_read_lock();
node = avc_insert(ssid,tsid,tclass,&entry); node = avc_insert(ssid, tsid, tclass, &entry);
} }
p_ae = node ? &node->ae : &entry; p_ae = node ? &node->ae : &entry;
...@@ -924,7 +924,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, ...@@ -924,7 +924,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
* another -errno upon other errors. * another -errno upon other errors.
*/ */
int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
u32 requested, struct avc_audit_data *auditdata) u32 requested, struct avc_audit_data *auditdata)
{ {
struct av_decision avd; struct av_decision avd;
int rc; int rc;
......
This diff is collapsed.
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
* *
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* Copyright (C) 2007 Hewlett-Packard Development Company, L.P. * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
* Paul Moore <paul.moore@hp.com> * Paul Moore <paul.moore@hp.com>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2, * it under the terms of the GNU General Public License version 2,
...@@ -31,8 +31,7 @@ ...@@ -31,8 +31,7 @@
#define SEL_NETIF_HASH_SIZE 64 #define SEL_NETIF_HASH_SIZE 64
#define SEL_NETIF_HASH_MAX 1024 #define SEL_NETIF_HASH_MAX 1024
struct sel_netif struct sel_netif {
{
struct list_head list; struct list_head list;
struct netif_security_struct nsec; struct netif_security_struct nsec;
struct rcu_head rcu_head; struct rcu_head rcu_head;
...@@ -92,10 +91,10 @@ static inline struct sel_netif *sel_netif_find(int ifindex) ...@@ -92,10 +91,10 @@ static inline struct sel_netif *sel_netif_find(int ifindex)
static int sel_netif_insert(struct sel_netif *netif) static int sel_netif_insert(struct sel_netif *netif)
{ {
int idx; int idx;
if (sel_netif_total >= SEL_NETIF_HASH_MAX) if (sel_netif_total >= SEL_NETIF_HASH_MAX)
return -ENOSPC; return -ENOSPC;
idx = sel_netif_hashfn(netif->nsec.ifindex); idx = sel_netif_hashfn(netif->nsec.ifindex);
list_add_rcu(&netif->list, &sel_netif_hash[idx]); list_add_rcu(&netif->list, &sel_netif_hash[idx]);
sel_netif_total++; sel_netif_total++;
...@@ -267,7 +266,7 @@ static void sel_netif_flush(void) ...@@ -267,7 +266,7 @@ static void sel_netif_flush(void)
} }
static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
u16 class, u32 perms, u32 *retained) u16 class, u32 perms, u32 *retained)
{ {
if (event == AVC_CALLBACK_RESET) { if (event == AVC_CALLBACK_RESET) {
sel_netif_flush(); sel_netif_flush();
...@@ -277,7 +276,7 @@ static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, ...@@ -277,7 +276,7 @@ static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
} }
static int sel_netif_netdev_notifier_handler(struct notifier_block *this, static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
unsigned long event, void *ptr) unsigned long event, void *ptr)
{ {
struct net_device *dev = ptr; struct net_device *dev = ptr;
...@@ -297,7 +296,7 @@ static struct notifier_block sel_netif_netdev_notifier = { ...@@ -297,7 +296,7 @@ static struct notifier_block sel_netif_netdev_notifier = {
static __init int sel_netif_init(void) static __init int sel_netif_init(void)
{ {
int i, err; int i, err;
if (!selinux_enabled) if (!selinux_enabled)
return 0; return 0;
...@@ -305,9 +304,9 @@ static __init int sel_netif_init(void) ...@@ -305,9 +304,9 @@ static __init int sel_netif_init(void)
INIT_LIST_HEAD(&sel_netif_hash[i]); INIT_LIST_HEAD(&sel_netif_hash[i]);
register_netdevice_notifier(&sel_netif_netdev_notifier); register_netdevice_notifier(&sel_netif_netdev_notifier);
err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET, err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET,
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
if (err) if (err)
panic("avc_add_callback() failed, error %d\n", err); panic("avc_add_callback() failed, error %d\n", err);
......
...@@ -118,7 +118,7 @@ void selinux_netlbl_cache_invalidate(void) ...@@ -118,7 +118,7 @@ void selinux_netlbl_cache_invalidate(void)
void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
int family) int family)
{ {
if (family == PF_INET) if (family == PF_INET)
ssec->nlbl_state = NLBL_REQUIRE; ssec->nlbl_state = NLBL_REQUIRE;
else else
ssec->nlbl_state = NLBL_UNSET; ssec->nlbl_state = NLBL_UNSET;
......
...@@ -24,16 +24,16 @@ static struct sock *selnl; ...@@ -24,16 +24,16 @@ static struct sock *selnl;
static int selnl_msglen(int msgtype) static int selnl_msglen(int msgtype)
{ {
int ret = 0; int ret = 0;
switch (msgtype) { switch (msgtype) {
case SELNL_MSG_SETENFORCE: case SELNL_MSG_SETENFORCE:
ret = sizeof(struct selnl_msg_setenforce); ret = sizeof(struct selnl_msg_setenforce);
break; break;
case SELNL_MSG_POLICYLOAD: case SELNL_MSG_POLICYLOAD:
ret = sizeof(struct selnl_msg_policyload); ret = sizeof(struct selnl_msg_policyload);
break; break;
default: default:
BUG(); BUG();
} }
...@@ -45,15 +45,15 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void * ...@@ -45,15 +45,15 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *
switch (msgtype) { switch (msgtype) {
case SELNL_MSG_SETENFORCE: { case SELNL_MSG_SETENFORCE: {
struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
memset(msg, 0, len); memset(msg, 0, len);
msg->val = *((int *)data); msg->val = *((int *)data);
break; break;
} }
case SELNL_MSG_POLICYLOAD: { case SELNL_MSG_POLICYLOAD: {
struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
memset(msg, 0, len); memset(msg, 0, len);
msg->seqno = *((u32 *)data); msg->seqno = *((u32 *)data);
break; break;
...@@ -70,9 +70,9 @@ static void selnl_notify(int msgtype, void *data) ...@@ -70,9 +70,9 @@ static void selnl_notify(int msgtype, void *data)
sk_buff_data_t tmp; sk_buff_data_t tmp;
struct sk_buff *skb; struct sk_buff *skb;
struct nlmsghdr *nlh; struct nlmsghdr *nlh;
len = selnl_msglen(msgtype); len = selnl_msglen(msgtype);
skb = alloc_skb(NLMSG_SPACE(len), GFP_USER); skb = alloc_skb(NLMSG_SPACE(len), GFP_USER);
if (!skb) if (!skb)
goto oom; goto oom;
...@@ -85,7 +85,7 @@ static void selnl_notify(int msgtype, void *data) ...@@ -85,7 +85,7 @@ static void selnl_notify(int msgtype, void *data)
netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER); netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER);
out: out:
return; return;
nlmsg_failure: nlmsg_failure:
kfree_skb(skb); kfree_skb(skb);
oom: oom:
...@@ -109,7 +109,7 @@ static int __init selnl_init(void) ...@@ -109,7 +109,7 @@ static int __init selnl_init(void)
SELNLGRP_MAX, NULL, NULL, THIS_MODULE); SELNLGRP_MAX, NULL, NULL, THIS_MODULE);
if (selnl == NULL) if (selnl == NULL)
panic("SELinux: Cannot create netlink socket."); panic("SELinux: Cannot create netlink socket.");
netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV); netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);
return 0; return 0;
} }
......
...@@ -344,7 +344,7 @@ static __init int sel_netnode_init(void) ...@@ -344,7 +344,7 @@ static __init int sel_netnode_init(void)
INIT_LIST_HEAD(&sel_netnode_hash[iter]); INIT_LIST_HEAD(&sel_netnode_hash[iter]);
ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET, ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET,
SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
if (ret != 0) if (ret != 0)
panic("avc_add_callback() failed, error %d\n", ret); panic("avc_add_callback() failed, error %d\n", ret);
......
...@@ -23,8 +23,7 @@ ...@@ -23,8 +23,7 @@
#include "flask.h" #include "flask.h"
#include "av_permissions.h" #include "av_permissions.h"
struct nlmsg_perm struct nlmsg_perm {
{
u16 nlmsg_type; u16 nlmsg_type;
u32 perm; u32 perm;
}; };
...@@ -159,7 +158,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm) ...@@ -159,7 +158,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
if ((nlmsg_type >= AUDIT_FIRST_USER_MSG && if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
nlmsg_type <= AUDIT_LAST_USER_MSG) || nlmsg_type <= AUDIT_LAST_USER_MSG) ||
(nlmsg_type >= AUDIT_FIRST_USER_MSG2 && (nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
nlmsg_type <= AUDIT_LAST_USER_MSG2)) { nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY; *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
} else { } else {
err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
......
This diff is collapsed.
...@@ -6,15 +6,15 @@ ...@@ -6,15 +6,15 @@
/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> /* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
* *
* Added conditional policy language extensions * Added conditional policy language extensions
* *
* Copyright (C) 2003 Tresys Technology, LLC * Copyright (C) 2003 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2. * the Free Software Foundation, version 2.
* *
* Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
* Tuned number of hash slots for avtab to reduce memory usage * Tuned number of hash slots for avtab to reduce memory usage
*/ */
#include <linux/kernel.h> #include <linux/kernel.h>
...@@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask) ...@@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
static struct avtab_node* static struct avtab_node*
avtab_insert_node(struct avtab *h, int hvalue, avtab_insert_node(struct avtab *h, int hvalue,
struct avtab_node * prev, struct avtab_node * cur, struct avtab_node *prev, struct avtab_node *cur,
struct avtab_key *key, struct avtab_datum *datum) struct avtab_key *key, struct avtab_datum *datum)
{ {
struct avtab_node * newnode; struct avtab_node *newnode;
newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL); newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
if (newnode == NULL) if (newnode == NULL)
return NULL; return NULL;
...@@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat ...@@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
} }
newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
if(!newnode) if (!newnode)
return -ENOMEM; return -ENOMEM;
return 0; return 0;
...@@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat ...@@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
* It also returns a pointer to the node inserted. * It also returns a pointer to the node inserted.
*/ */
struct avtab_node * struct avtab_node *
avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_datum * datum) avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum)
{ {
int hvalue; int hvalue;
struct avtab_node *prev, *cur, *newnode; struct avtab_node *prev, *cur, *newnode;
...@@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag) ...@@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag)
} }
} }
printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
"chain length %d sum of chain length^2 %Lu\n", "longest chain length %d sum of chain length^2 %Lu\n",
tag, h->nel, slots_used, h->nslot, max_chain_len, tag, h->nel, slots_used, h->nslot, max_chain_len,
chain2_len_sum); chain2_len_sum);
} }
...@@ -326,7 +326,7 @@ static uint16_t spec_order[] = { ...@@ -326,7 +326,7 @@ static uint16_t spec_order[] = {
}; };
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
int (*insertf)(struct avtab *a, struct avtab_key *k, int (*insertf)(struct avtab *a, struct avtab_key *k,
struct avtab_datum *d, void *p), struct avtab_datum *d, void *p),
void *p) void *p)
{ {
...@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
val = le32_to_cpu(buf32[items++]); val = le32_to_cpu(buf32[items++]);
key.source_type = (u16)val; key.source_type = (u16)val;
if (key.source_type != val) { if (key.source_type != val) {
printk("SELinux: avtab: truncated source type\n"); printk(KERN_ERR "SELinux: avtab: truncated source type\n");
return -1; return -1;
} }
val = le32_to_cpu(buf32[items++]); val = le32_to_cpu(buf32[items++]);
key.target_type = (u16)val; key.target_type = (u16)val;
if (key.target_type != val) { if (key.target_type != val) {
printk("SELinux: avtab: truncated target type\n"); printk(KERN_ERR "SELinux: avtab: truncated target type\n");
return -1; return -1;
} }
val = le32_to_cpu(buf32[items++]); val = le32_to_cpu(buf32[items++]);
key.target_class = (u16)val; key.target_class = (u16)val;
if (key.target_class != val) { if (key.target_class != val) {
printk("SELinux: avtab: truncated target class\n"); printk(KERN_ERR "SELinux: avtab: truncated target class\n");
return -1; return -1;
} }
...@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
if (!(val & (AVTAB_AV | AVTAB_TYPE))) { if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
printk("SELinux: avtab: null entry\n"); printk(KERN_ERR "SELinux: avtab: null entry\n");
return -1; return -1;
} }
if ((val & AVTAB_AV) && if ((val & AVTAB_AV) &&
(val & AVTAB_TYPE)) { (val & AVTAB_TYPE)) {
printk("SELinux: avtab: entry has both access vectors and types\n"); printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
return -1; return -1;
} }
...@@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
key.specified = spec_order[i] | enabled; key.specified = spec_order[i] | enabled;
datum.data = le32_to_cpu(buf32[items++]); datum.data = le32_to_cpu(buf32[items++]);
rc = insertf(a, &key, &datum, p); rc = insertf(a, &key, &datum, p);
if (rc) return rc; if (rc)
return rc;
} }
} }
if (items != items2) { if (items != items2) {
printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items); printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
return -1; return -1;
} }
return 0; return 0;
...@@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
rc = next_entry(buf16, fp, sizeof(u16)*4); rc = next_entry(buf16, fp, sizeof(u16)*4);
if (rc < 0) { if (rc < 0) {
printk("SELinux: avtab: truncated entry\n"); printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return -1; return -1;
} }
...@@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
if (!policydb_type_isvalid(pol, key.source_type) || if (!policydb_type_isvalid(pol, key.source_type) ||
!policydb_type_isvalid(pol, key.target_type) || !policydb_type_isvalid(pol, key.target_type) ||
!policydb_class_isvalid(pol, key.target_class)) { !policydb_class_isvalid(pol, key.target_class)) {
printk(KERN_WARNING "SELinux: avtab: invalid type or class\n"); printk(KERN_ERR "SELinux: avtab: invalid type or class\n");
return -1; return -1;
} }
...@@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, ...@@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
set++; set++;
} }
if (!set || set > 1) { if (!set || set > 1) {
printk(KERN_WARNING printk(KERN_ERR "SELinux: avtab: more than one specifier\n");
"SELinux: avtab: more than one specifier\n");
return -1; return -1;
} }
rc = next_entry(buf32, fp, sizeof(u32)); rc = next_entry(buf32, fp, sizeof(u32));
if (rc < 0) { if (rc < 0) {
printk("SELinux: avtab: truncated entry\n"); printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return -1; return -1;
} }
datum.data = le32_to_cpu(*buf32); datum.data = le32_to_cpu(*buf32);
if ((key.specified & AVTAB_TYPE) && if ((key.specified & AVTAB_TYPE) &&
!policydb_type_isvalid(pol, datum.data)) { !policydb_type_isvalid(pol, datum.data)) {
printk(KERN_WARNING "SELinux: avtab: invalid type\n"); printk(KERN_ERR "SELinux: avtab: invalid type\n");
return -1; return -1;
} }
return insertf(a, &key, &datum, p); return insertf(a, &key, &datum, p);
...@@ -513,5 +513,5 @@ void avtab_cache_init(void) ...@@ -513,5 +513,5 @@ void avtab_cache_init(void)
void avtab_cache_destroy(void) void avtab_cache_destroy(void)
{ {
kmem_cache_destroy (avtab_node_cachep); kmem_cache_destroy(avtab_node_cachep);
} }
/* Authors: Karl MacMillan <kmacmillan@tresys.com> /* Authors: Karl MacMillan <kmacmillan@tresys.com>
* Frank Mayer <mayerf@tresys.com> * Frank Mayer <mayerf@tresys.com>
* *
* Copyright (C) 2003 - 2004 Tresys Technology, LLC * Copyright (C) 2003 - 2004 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2. * the Free Software Foundation, version 2.
*/ */
...@@ -89,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr) ...@@ -89,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
int evaluate_cond_node(struct policydb *p, struct cond_node *node) int evaluate_cond_node(struct policydb *p, struct cond_node *node)
{ {
int new_state; int new_state;
struct cond_av_list* cur; struct cond_av_list *cur;
new_state = cond_evaluate_expr(p, node->expr); new_state = cond_evaluate_expr(p, node->expr);
if (new_state != node->cur_state) { if (new_state != node->cur_state) {
...@@ -98,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node) ...@@ -98,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
/* turn the rules on or off */ /* turn the rules on or off */
for (cur = node->true_list; cur != NULL; cur = cur->next) { for (cur = node->true_list; cur != NULL; cur = cur->next) {
if (new_state <= 0) { if (new_state <= 0)
cur->node->key.specified &= ~AVTAB_ENABLED; cur->node->key.specified &= ~AVTAB_ENABLED;
} else { else
cur->node->key.specified |= AVTAB_ENABLED; cur->node->key.specified |= AVTAB_ENABLED;
}
} }
for (cur = node->false_list; cur != NULL; cur = cur->next) { for (cur = node->false_list; cur != NULL; cur = cur->next) {
/* -1 or 1 */ /* -1 or 1 */
if (new_state) { if (new_state)
cur->node->key.specified &= ~AVTAB_ENABLED; cur->node->key.specified &= ~AVTAB_ENABLED;
} else { else
cur->node->key.specified |= AVTAB_ENABLED; cur->node->key.specified |= AVTAB_ENABLED;
}
} }
} }
return 0; return 0;
...@@ -173,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p) ...@@ -173,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p)
int cond_init_bool_indexes(struct policydb *p) int cond_init_bool_indexes(struct policydb *p)
{ {
kfree(p->bool_val_to_struct); kfree(p->bool_val_to_struct);
p->bool_val_to_struct = (struct cond_bool_datum**) p->bool_val_to_struct = (struct cond_bool_datum **)
kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL); kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
if (!p->bool_val_to_struct) if (!p->bool_val_to_struct)
return -1; return -1;
return 0; return 0;
...@@ -199,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap) ...@@ -199,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
return -EINVAL; return -EINVAL;
p->p_bool_val_to_name[booldatum->value - 1] = key; p->p_bool_val_to_name[booldatum->value - 1] = key;
p->bool_val_to_struct[booldatum->value -1] = booldatum; p->bool_val_to_struct[booldatum->value - 1] = booldatum;
return 0; return 0;
} }
...@@ -251,8 +249,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp) ...@@ -251,8 +249,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
return -1; return -1;
} }
struct cond_insertf_data struct cond_insertf_data {
{
struct policydb *p; struct policydb *p;
struct cond_av_list *other; struct cond_av_list *other;
struct cond_av_list *head; struct cond_av_list *head;
...@@ -275,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum ...@@ -275,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
*/ */
if (k->specified & AVTAB_TYPE) { if (k->specified & AVTAB_TYPE) {
if (avtab_search(&p->te_avtab, k)) { if (avtab_search(&p->te_avtab, k)) {
printk("SELinux: type rule already exists outside of a conditional."); printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
goto err; goto err;
} }
/* /*
...@@ -290,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum ...@@ -290,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
node_ptr = avtab_search_node(&p->te_cond_avtab, k); node_ptr = avtab_search_node(&p->te_cond_avtab, k);
if (node_ptr) { if (node_ptr) {
if (avtab_search_node_next(node_ptr, k->specified)) { if (avtab_search_node_next(node_ptr, k->specified)) {
printk("SELinux: too many conflicting type rules."); printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
goto err; goto err;
} }
found = 0; found = 0;
...@@ -301,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum ...@@ -301,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
} }
} }
if (!found) { if (!found) {
printk("SELinux: conflicting type rules.\n"); printk(KERN_ERR "SELinux: conflicting type rules.\n");
goto err; goto err;
} }
} }
} else { } else {
if (avtab_search(&p->te_cond_avtab, k)) { if (avtab_search(&p->te_cond_avtab, k)) {
printk("SELinux: conflicting type rules when adding type rule for true.\n"); printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
goto err; goto err;
} }
} }
...@@ -315,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum ...@@ -315,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
if (!node_ptr) { if (!node_ptr) {
printk("SELinux: could not insert rule."); printk(KERN_ERR "SELinux: could not insert rule.\n");
goto err; goto err;
} }
...@@ -352,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list * ...@@ -352,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
return -1; return -1;
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
if (len == 0) { if (len == 0)
return 0; return 0;
}
data.p = p; data.p = p;
data.other = other; data.other = other;
...@@ -375,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list * ...@@ -375,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
static int expr_isvalid(struct policydb *p, struct cond_expr *expr) static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
{ {
if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
printk("SELinux: conditional expressions uses unknown operator.\n"); printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
return 0; return 0;
} }
if (expr->bool > p->p_bools.nprim) { if (expr->bool > p->p_bools.nprim) {
printk("SELinux: conditional expressions uses unknown bool.\n"); printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
return 0; return 0;
} }
return 1; return 1;
...@@ -407,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) ...@@ -407,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
/* expr */ /* expr */
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
for (i = 0; i < len; i++ ) { for (i = 0; i < len; i++) {
rc = next_entry(buf, fp, sizeof(u32) * 2); rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc < 0) if (rc < 0)
goto err; goto err;
expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
if (!expr) { if (!expr)
goto err; goto err;
}
expr->expr_type = le32_to_cpu(buf[0]); expr->expr_type = le32_to_cpu(buf[0]);
expr->bool = le32_to_cpu(buf[1]); expr->bool = le32_to_cpu(buf[1]);
...@@ -425,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) ...@@ -425,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
goto err; goto err;
} }
if (i == 0) { if (i == 0)
node->expr = expr; node->expr = expr;
} else { else
last->next = expr; last->next = expr;
}
last = expr; last = expr;
} }
...@@ -468,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp) ...@@ -468,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp)
if (cond_read_node(p, node, fp) != 0) if (cond_read_node(p, node, fp) != 0)
goto err; goto err;
if (i == 0) { if (i == 0)
p->cond_list = node; p->cond_list = node;
} else { else
last->next = node; last->next = node;
}
last = node; last = node;
} }
return 0; return 0;
...@@ -489,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi ...@@ -489,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
{ {
struct avtab_node *node; struct avtab_node *node;
if(!ctab || !key || !avd) if (!ctab || !key || !avd)
return; return;
for(node = avtab_search_node(ctab, key); node != NULL; for (node = avtab_search_node(ctab, key); node != NULL;
node = avtab_search_node_next(node, key->specified)) { node = avtab_search_node_next(node, key->specified)) {
if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) == if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
avd->allowed |= node->datum.data; avd->allowed |= node->datum.data;
if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) == if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
/* Since a '0' in an auditdeny mask represents a /* Since a '0' in an auditdeny mask represents a
* permission we do NOT want to audit (dontaudit), we use * permission we do NOT want to audit (dontaudit), we use
* the '&' operand to ensure that all '0's in the mask * the '&' operand to ensure that all '0's in the mask
* are retained (much unlike the allow and auditallow cases). * are retained (much unlike the allow and auditallow cases).
*/ */
avd->auditdeny &= node->datum.data; avd->auditdeny &= node->datum.data;
if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) == if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
avd->auditallow |= node->datum.data; avd->auditallow |= node->datum.data;
} }
return; return;
......
...@@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp) ...@@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp)
} }
/* round down */ /* round down */
tmp->startbit = startbit - (startbit % EBITMAP_SIZE); tmp->startbit = startbit - (startbit % EBITMAP_SIZE);
if (n) { if (n)
n->next = tmp; n->next = tmp;
} else { else
e->node = tmp; e->node = tmp;
}
n = tmp; n = tmp;
} else if (startbit <= n->startbit) { } else if (startbit <= n->startbit) {
printk(KERN_ERR "SELinux: ebitmap: start bit %d" printk(KERN_ERR "SELinux: ebitmap: start bit %d"
......
...@@ -9,8 +9,8 @@ ...@@ -9,8 +9,8 @@
#include "hashtab.h" #include "hashtab.h"
struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
u32 size) u32 size)
{ {
struct hashtab *p; struct hashtab *p;
u32 i; u32 i;
......
...@@ -32,7 +32,7 @@ ...@@ -32,7 +32,7 @@
* Return the length in bytes for the MLS fields of the * Return the length in bytes for the MLS fields of the
* security context string representation of `context'. * security context string representation of `context'.
*/ */
int mls_compute_context_len(struct context * context) int mls_compute_context_len(struct context *context)
{ {
int i, l, len, head, prev; int i, l, len, head, prev;
char *nm; char *nm;
...@@ -86,7 +86,7 @@ int mls_compute_context_len(struct context * context) ...@@ -86,7 +86,7 @@ int mls_compute_context_len(struct context * context)
* Update `*scontext' to point to the end of the MLS fields. * Update `*scontext' to point to the end of the MLS fields.
*/ */
void mls_sid_to_context(struct context *context, void mls_sid_to_context(struct context *context,
char **scontext) char **scontext)
{ {
char *scontextp, *nm; char *scontextp, *nm;
int i, l, head, prev; int i, l, head, prev;
...@@ -146,7 +146,7 @@ void mls_sid_to_context(struct context *context, ...@@ -146,7 +146,7 @@ void mls_sid_to_context(struct context *context,
if (l == 0) { if (l == 0) {
if (mls_level_eq(&context->range.level[0], if (mls_level_eq(&context->range.level[0],
&context->range.level[1])) &context->range.level[1]))
break; break;
else else
*scontextp++ = '-'; *scontextp++ = '-';
...@@ -305,20 +305,21 @@ int mls_context_to_sid(char oldc, ...@@ -305,20 +305,21 @@ int mls_context_to_sid(char oldc,
*p++ = 0; *p++ = 0;
/* Separate into range if exists */ /* Separate into range if exists */
if ((rngptr = strchr(scontextp, '.')) != NULL) { rngptr = strchr(scontextp, '.');
if (rngptr != NULL) {
/* Remove '.' */ /* Remove '.' */
*rngptr++ = 0; *rngptr++ = 0;
} }
catdatum = hashtab_search(policydb.p_cats.table, catdatum = hashtab_search(policydb.p_cats.table,
scontextp); scontextp);
if (!catdatum) { if (!catdatum) {
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
rc = ebitmap_set_bit(&context->range.level[l].cat, rc = ebitmap_set_bit(&context->range.level[l].cat,
catdatum->value - 1, 1); catdatum->value - 1, 1);
if (rc) if (rc)
goto out; goto out;
...@@ -395,7 +396,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask) ...@@ -395,7 +396,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
rc = -ENOMEM; rc = -ENOMEM;
} else { } else {
rc = mls_context_to_sid(':', &tmpstr, context, rc = mls_context_to_sid(':', &tmpstr, context,
NULL, SECSID_NULL); NULL, SECSID_NULL);
kfree(freestr); kfree(freestr);
} }
...@@ -406,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask) ...@@ -406,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
* Copies the MLS range `range' into `context'. * Copies the MLS range `range' into `context'.
*/ */
static inline int mls_range_set(struct context *context, static inline int mls_range_set(struct context *context,
struct mls_range *range) struct mls_range *range)
{ {
int l, rc = 0; int l, rc = 0;
...@@ -423,7 +424,7 @@ static inline int mls_range_set(struct context *context, ...@@ -423,7 +424,7 @@ static inline int mls_range_set(struct context *context,
} }
int mls_setup_user_range(struct context *fromcon, struct user_datum *user, int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
struct context *usercon) struct context *usercon)
{ {
if (selinux_mls_enabled) { if (selinux_mls_enabled) {
struct mls_level *fromcon_sen = &(fromcon->range.level[0]); struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
...@@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user, ...@@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
that of the user's default clearance (but that of the user's default clearance (but
only if the "fromcon" clearance dominates only if the "fromcon" clearance dominates
the user's computed sensitivity level) */ the user's computed sensitivity level) */
if (mls_level_dom(user_clr, fromcon_clr)) { if (mls_level_dom(user_clr, fromcon_clr))
*usercon_clr = *fromcon_clr; *usercon_clr = *fromcon_clr;
} else if (mls_level_dom(fromcon_clr, user_clr)) { else if (mls_level_dom(fromcon_clr, user_clr))
*usercon_clr = *user_clr; *usercon_clr = *user_clr;
} else else
return -EINVAL; return -EINVAL;
} }
...@@ -525,7 +526,7 @@ int mls_compute_sid(struct context *scontext, ...@@ -525,7 +526,7 @@ int mls_compute_sid(struct context *scontext,
rtr->target_class == tclass) { rtr->target_class == tclass) {
/* Set the range from the rule */ /* Set the range from the rule */
return mls_range_set(newcontext, return mls_range_set(newcontext,
&rtr->target_range); &rtr->target_range);
} }
} }
/* Fallthrough */ /* Fallthrough */
......
This diff is collapsed.
This diff is collapsed.
...@@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s, ...@@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s,
while (cur != NULL) { while (cur != NULL) {
ret = apply(cur->sid, &cur->context, args); ret = apply(cur->sid, &cur->context, args);
if (ret) { if (ret) {
if (last) { if (last)
last->next = cur->next; last->next = cur->next;
} else { else
s->htable[i] = cur->next; s->htable[i] = cur->next;
}
temp = cur; temp = cur;
cur = cur->next; cur = cur->next;
context_destroy(&temp->context); context_destroy(&temp->context);
......
...@@ -180,8 +180,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) ...@@ -180,8 +180,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
if (!ckall) if (!ckall)
break; break;
} } else if (*sid != ctx->ctx_sid)
else if (*sid != ctx->ctx_sid)
return -EINVAL; return -EINVAL;
} }
} }
...@@ -326,8 +325,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, ...@@ -326,8 +325,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
*/ */
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{ {
if (ctx) kfree(ctx);
kfree(ctx);
} }
/* /*
...@@ -372,8 +370,7 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct ...@@ -372,8 +370,7 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
void selinux_xfrm_state_free(struct xfrm_state *x) void selinux_xfrm_state_free(struct xfrm_state *x)
{ {
struct xfrm_sec_ctx *ctx = x->security; struct xfrm_sec_ctx *ctx = x->security;
if (ctx) kfree(ctx);
kfree(ctx);
} }
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment