
Commit aa8e712c authored by Stephen Smalley, committed by Paul Moore

selinux: wrap global selinux state



Define a selinux state structure (struct selinux_state) for
global SELinux state and pass it explicitly to all security server
functions.  The public portion of the structure contains state
that is used throughout the SELinux code, such as the enforcing mode.
The structure also contains a pointer to a selinux_ss structure whose
definition is private to the security server and contains security
server specific state such as the policy database and SID table.

This change should have no effect on SELinux behavior or APIs
(userspace or LSM).  It merely wraps SELinux state and passes it
explicitly as needed.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: minor fixups needed due to collisions with the SCTP patches]
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 2572f5b4
+10 −6
@@ -149,7 +149,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
	char *scontext;
	u32 scontext_len;

	rc = security_sid_to_context(ssid, &scontext, &scontext_len);
	rc = security_sid_to_context(&selinux_state, ssid,
				     &scontext, &scontext_len);
	if (rc)
		audit_log_format(ab, "ssid=%d", ssid);
	else {
@@ -157,7 +158,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
		kfree(scontext);
	}

	rc = security_sid_to_context(tsid, &scontext, &scontext_len);
	rc = security_sid_to_context(&selinux_state, tsid,
				     &scontext, &scontext_len);
	if (rc)
		audit_log_format(ab, " tsid=%d", tsid);
	else {
@@ -969,7 +971,8 @@ static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid,
{
	rcu_read_unlock();
	INIT_LIST_HEAD(&xp_node->xpd_head);
	security_compute_av(ssid, tsid, tclass, avd, &xp_node->xp);
	security_compute_av(&selinux_state, ssid, tsid, tclass,
			    avd, &xp_node->xp);
	rcu_read_lock();
	return avc_insert(ssid, tsid, tclass, avd, xp_node);
}
@@ -982,7 +985,8 @@ static noinline int avc_denied(u32 ssid, u32 tsid,
	if (flags & AVC_STRICT)
		return -EACCES;

	if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
	if (is_enforcing(&selinux_state) &&
	    !(avd->flags & AVD_FLAGS_PERMISSIVE))
		return -EACCES;

	avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid,
@@ -1043,8 +1047,8 @@ int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
			goto decision;
		}
		rcu_read_unlock();
		security_compute_xperms_decision(ssid, tsid, tclass, driver,
						&local_xpd);
		security_compute_xperms_decision(&selinux_state, ssid, tsid,
						 tclass, driver, &local_xpd);
		rcu_read_lock();
		avc_update_node(AVC_CALLBACK_ADD_XPERMS, requested, driver, xperm,
				ssid, tsid, tclass, avd.seqno, &local_xpd, 0);
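Review bot: The enforcing test in avc_denied now depends on `is_enforcing(&selinux_state)`, whose definition is not on this page, while the header hunk further down drops the `#define selinux_enforcing 1` fallback that made enforcing a compile-time constant in builds without CONFIG_SECURITY_SELINUX_DEVELOP. If the new accessor reads a runtime field unconditionally, that configuration loses the property that enforcing mode cannot be changed at runtime, and the compiler can no longer discard the permissive branch; presumably the accessor keeps the same `#ifdef` split, but that is worth confirming before merging. A one-line comment at the call site would keep the invariant visible to later readers: `/* is_enforcing() must remain constant-true when !CONFIG_SECURITY_SELINUX_DEVELOP, as the old selinux_enforcing macro was */`. avc_denied begins outside this hunk.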
+140 −74


+2 −1
@@ -152,7 +152,8 @@ static int sel_ib_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid)
		return 0;
	}

	ret = security_ib_pkey_sid(subnet_prefix, pkey_num, sid);
	ret = security_ib_pkey_sid(&selinux_state, subnet_prefix, pkey_num,
				   sid);
	if (ret)
		goto out;

+0 −6
@@ -20,12 +20,6 @@
#include "av_permissions.h"
#include "security.h"

#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing;
#else
#define selinux_enforcing 1
#endif

/*
 * An entry in the AVC.
 */
+0 −6
@@ -19,11 +19,5 @@ struct security_class_mapping {

extern struct security_class_mapping secclass_map[];

/*
 * The security server must be initialized before
 * any labeling or access decisions can be provided.
 */
extern int ss_initialized;

#endif /* _SELINUX_AVC_SS_H_ */