
Commit 732b7206 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'for-linus' of...

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  Revert "SELinux: allow fstype unknown to policy to use xattrs if present"
parents 97c7d1ea 089be43e
+5 −17
@@ -555,15 +555,13 @@ static int selinux_set_mnt_opts(struct super_block *sb,
	struct task_security_struct *tsec = current->security;
	struct superblock_security_struct *sbsec = sb->s_security;
	const char *name = sb->s_type->name;
	struct dentry *root = sb->s_root;
	struct inode *root_inode = root->d_inode;
	struct inode_security_struct *root_isec = root_inode->i_security;
	struct inode *inode = sbsec->sb->s_root->d_inode;
	struct inode_security_struct *root_isec = inode->i_security;
	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
	u32 defcontext_sid = 0;
	char **mount_options = opts->mnt_opts;
	int *flags = opts->mnt_opts_flags;
	int num_opts = opts->num_mnt_opts;
	bool can_xattr = false;

	mutex_lock(&sbsec->lock);

@@ -667,24 +665,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
		goto out;
	}

	if (strcmp(name, "proc") == 0)
	if (strcmp(sb->s_type->name, "proc") == 0)
		sbsec->proc = 1;

	/*
	 * test if the fs supports xattrs, fs_use might make use of this if the
	 * fs has no definition in policy.
	 */
	if (root_inode->i_op->getxattr) {
		rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
		if (rc >= 0 || rc == -ENODATA)
			can_xattr = true;
	}

	/* Determine the labeling behavior to use for this filesystem type. */
	rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
	rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
	if (rc) {
		printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
		       __func__, name, rc);
		       __func__, sb->s_type->name, rc);
		goto out;
	}
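Review bot: The restored declaration `struct inode *inode = sbsec->sb->s_root->d_inode;` reaches the root inode through the security struct's back-pointer although `sb` is the function's own parameter and `sbsec` was just taken from `sb->s_security` two lines earlier; if `sbsec->sb` always refers back to `sb` (it looks that way, but confirm), `struct inode *inode = sb->s_root->d_inode;` is the direct form and does not depend on that back-pointer being set. In the second hunk the `security_fs_use` call no longer receives any information about the filesystem's xattr support, so a one-line comment above it, `/* labeling behavior comes from policy fs_use/genfs entries only; the fs's xattr support is not probed here */`, would record for readers of the new code what this revert changes. selinux_set_mnt_opts starts before the first hunk and continues past the second.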

+1 −1
@@ -136,7 +136,7 @@ int security_get_allow_unknown(void);
#define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */

int security_fs_use(const char *fstype, unsigned int *behavior,
	u32 *sid, bool can_xattr);
	u32 *sid);

int security_genfs_sid(const char *fstype, char *name, u16 sclass,
	u32 *sid);
+8 −19
@@ -1934,8 +1934,7 @@ int security_genfs_sid(const char *fstype,
int security_fs_use(
	const char *fstype,
	unsigned int *behavior,
	u32 *sid,
	bool can_xattr)
	u32 *sid)
{
	int rc = 0;
	struct ocontext *c;
@@ -1949,7 +1948,6 @@ int security_fs_use(
		c = c->next;
	}

	/* look for labeling behavior defined in policy */
	if (c) {
		*behavior = c->v.behavior;
		if (!c->sid[0]) {
@@ -1960,17 +1958,7 @@ int security_fs_use(
				goto out;
		}
		*sid = c->sid[0];
		goto out;
	}

	/* labeling behavior not in policy, use xattrs if possible */
	if (can_xattr) {
		*behavior = SECURITY_FS_USE_XATTR;
		*sid = SECINITSID_FS;
		goto out;
	}

	/* no behavior in policy and can't use xattrs, try GENFS */
	} else {
		rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
		if (rc) {
			*behavior = SECURITY_FS_USE_NONE;
@@ -1978,6 +1966,7 @@ int security_fs_use(
		} else {
			*behavior = SECURITY_FS_USE_GENFS;
		}
	}

out:
	read_unlock(&policy_rwlock);
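Review bot: The restored `if (c) { … } else { … }` at the end of security_fs_use is left without a comment on either branch: the preceding hunk drops `/* look for labeling behavior defined in policy */`, and the `/* no behavior in policy … try GENFS */` line disappears together with the removed xattr block. The fallback is security-relevant, since an fstype with neither an fs_use entry nor a genfs match ends up with `*behavior = SECURITY_FS_USE_NONE`, so a comment above the `else`, such as `/* fstype has no fs_use entry: fall back to genfs; if that also fails the fs gets SECURITY_FS_USE_NONE (no labeling behavior) */`, would keep that outcome visible to the next reader. Whether `rc` is cleared in the genfs failure branch lies between the hunks and is not visible here. security_fs_use starts before this hunk.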