Loading security/selinux/Kconfig +2 −2 Original line number Diff line number Diff line Loading @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX range 0 1 default 1 default 0 help This option sets the default value for the 'checkreqprot' flag that determines whether SELinux checks the protection requested Loading @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE 'checkreqprot=' boot parameter. It may also be changed at runtime via /selinux/checkreqprot if authorized by policy. If you are unsure how to answer this question, answer 1. If you are unsure how to answer this question, answer 0. config SECURITY_SELINUX_POLICYDB_VERSION_MAX bool "NSA SELinux maximum supported policy format version" Loading security/selinux/hooks.c +14 −13 Original line number Diff line number Diff line Loading @@ -126,6 +126,7 @@ int selinux_enabled = 1; #endif static struct kmem_cache *sel_inode_cache; static struct kmem_cache *file_security_cache; /** * selinux_secmark_enabled - Check to see if SECMARK is currently enabled Loading Loading @@ -287,7 +288,7 @@ static int file_alloc_security(struct file *file) struct file_security_struct *fsec; u32 sid = current_sid(); fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); if (!fsec) return -ENOMEM; Loading @@ -302,7 +303,7 @@ static void file_free_security(struct file *file) { struct file_security_struct *fsec = file->f_security; file->f_security = NULL; kfree(fsec); kmem_cache_free(file_security_cache, fsec); } static int superblock_alloc_security(struct super_block *sb) Loading Loading @@ -674,10 +675,9 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (flags[i] == SBLABEL_MNT) continue; rc = security_context_to_sid(mount_options[i], strlen(mount_options[i]), &sid, GFP_KERNEL); rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); if (rc) { printk(KERN_WARNING "SELinux: security_context_to_sid" printk(KERN_WARNING "SELinux: security_context_str_to_sid" "(%s) failed for (dev %s, type %s) errno=%d\n", mount_options[i], sb->s_id, name, rc); goto out; Loading Loading @@ -2617,15 +2617,12 @@ static int selinux_sb_remount(struct super_block *sb, void *data) for (i = 0; i < opts.num_mnt_opts; i++) { u32 sid; size_t len; if (flags[i] == SBLABEL_MNT) continue; len = strlen(mount_options[i]); rc = security_context_to_sid(mount_options[i], len, &sid, GFP_KERNEL); rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); if (rc) { printk(KERN_WARNING "SELinux: security_context_to_sid" printk(KERN_WARNING "SELinux: security_context_str_to_sid" "(%s) failed for (dev %s, type %s) errno=%d\n", mount_options[i], sb->s_id, sb->s_type->name, rc); goto out_free_opts; Loading Loading @@ -2946,7 +2943,8 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) return dentry_has_perm(cred, dentry, FILE__SETATTR); if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)) if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE) && !(ia_valid & ATTR_FILE)) av |= FILE__OPEN; return dentry_has_perm(cred, dentry, av); Loading Loading @@ -3166,7 +3164,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, if (!value || !size) return -EACCES; rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL); rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); if (rc) return rc; Loading Loading @@ -3238,7 +3236,7 @@ static void selinux_file_free_security(struct file *file) * Check whether a task has the ioctl permission and cmd * operation to an inode. */ int ioctl_has_perm(const struct cred *cred, struct file *file, static int ioctl_has_perm(const struct cred *cred, struct file *file, u32 requested, u16 cmd) { struct common_audit_data ad; Loading Loading @@ -6089,6 +6087,9 @@ static __init int selinux_init(void) sel_inode_cache = kmem_cache_create("selinux_inode_security", sizeof(struct inode_security_struct), 0, SLAB_PANIC, NULL); file_security_cache = kmem_cache_create("selinux_file_security", sizeof(struct file_security_struct), 0, SLAB_PANIC, NULL); avc_init(); security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); Loading security/selinux/include/security.h +2 −0 Original line number Diff line number Diff line Loading @@ -166,6 +166,8 @@ int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len); int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *out_sid, gfp_t gfp); int security_context_str_to_sid(const char *scontext, u32 *out_sid, gfp_t gfp); int security_context_to_sid_default(const char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid, gfp_t gfp_flags); Loading security/selinux/selinuxfs.c +9 −17 Original line number Diff line number Diff line Loading @@ -731,13 +731,11 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out; length = security_context_to_sid(scon, strlen(scon) + 1, &ssid, GFP_KERNEL); length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); if (length) goto out; length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid, GFP_KERNEL); length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); if (length) goto out; Loading Loading @@ -819,13 +817,11 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size) objname = namebuf; } length = security_context_to_sid(scon, strlen(scon) + 1, &ssid, GFP_KERNEL); length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); if (length) goto out; length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid, GFP_KERNEL); length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); if (length) goto out; Loading Loading @@ -882,13 +878,11 @@ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out; length = security_context_to_sid(scon, strlen(scon) + 1, &ssid, GFP_KERNEL); length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); if (length) goto out; length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid, GFP_KERNEL); length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); if (length) goto out; Loading Loading @@ -940,7 +934,7 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s", con, user) != 2) goto out; length = security_context_to_sid(con, strlen(con) + 1, &sid, GFP_KERNEL); length = security_context_str_to_sid(con, &sid, GFP_KERNEL); if (length) goto out; Loading Loading @@ -1000,13 +994,11 @@ static ssize_t sel_write_member(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out; length = security_context_to_sid(scon, strlen(scon) + 1, &ssid, GFP_KERNEL); length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); if (length) goto out; length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid, GFP_KERNEL); length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); if (length) goto out; Loading security/selinux/ss/services.c +9 −13 Original line number Diff line number Diff line Loading @@ -1218,13 +1218,10 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 /* * Copy the user name, role name and type name into the context. */ sprintf(scontextp, "%s:%s:%s", scontextp += sprintf(scontextp, "%s:%s:%s", sym_name(&policydb, SYM_USERS, context->user - 1), sym_name(&policydb, SYM_ROLES, context->role - 1), sym_name(&policydb, SYM_TYPES, context->type - 1)); scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)); mls_sid_to_context(context, &scontextp); Loading Loading @@ -1259,12 +1256,12 @@ static int security_sid_to_context_core(u32 sid, char **scontext, *scontext_len = strlen(initial_sid_to_string[sid]) + 1; if (!scontext) goto out; scontextp = kmalloc(*scontext_len, GFP_ATOMIC); scontextp = kmemdup(initial_sid_to_string[sid], *scontext_len, GFP_ATOMIC); if (!scontextp) { rc = -ENOMEM; goto out; } strcpy(scontextp, initial_sid_to_string[sid]); *scontext = scontextp; goto out; } Loading Loading @@ -1476,6 +1473,11 @@ int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid, sid, SECSID_NULL, gfp, 0); } int security_context_str_to_sid(const char *scontext, u32 *sid, gfp_t gfp) { return security_context_to_sid(scontext, strlen(scontext), sid, gfp); } /** * security_context_to_sid_default - Obtain a SID for a given security context, * falling back to specified default if needed. Loading Loading @@ -2604,18 +2606,12 @@ int security_get_bools(int *len, char ***names, int **values) goto err; for (i = 0; i < *len; i++) { size_t name_len; (*values)[i] = policydb.bool_val_to_struct[i]->state; name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1; rc = -ENOMEM; (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); (*names)[i] = kstrdup(sym_name(&policydb, SYM_BOOLS, i), GFP_ATOMIC); if (!(*names)[i]) goto err; strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len); (*names)[i][name_len - 1] = 0; } rc = 0; out: Loading Loading
security/selinux/Kconfig +2 −2 Original line number Diff line number Diff line Loading @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX range 0 1 default 1 default 0 help This option sets the default value for the 'checkreqprot' flag that determines whether SELinux checks the protection requested Loading @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE 'checkreqprot=' boot parameter. It may also be changed at runtime via /selinux/checkreqprot if authorized by policy. If you are unsure how to answer this question, answer 1. If you are unsure how to answer this question, answer 0. config SECURITY_SELINUX_POLICYDB_VERSION_MAX bool "NSA SELinux maximum supported policy format version" Loading
security/selinux/hooks.c +14 −13 Original line number Diff line number Diff line Loading @@ -126,6 +126,7 @@ int selinux_enabled = 1; #endif static struct kmem_cache *sel_inode_cache; static struct kmem_cache *file_security_cache; /** * selinux_secmark_enabled - Check to see if SECMARK is currently enabled Loading Loading @@ -287,7 +288,7 @@ static int file_alloc_security(struct file *file) struct file_security_struct *fsec; u32 sid = current_sid(); fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); if (!fsec) return -ENOMEM; Loading @@ -302,7 +303,7 @@ static void file_free_security(struct file *file) { struct file_security_struct *fsec = file->f_security; file->f_security = NULL; kfree(fsec); kmem_cache_free(file_security_cache, fsec); } static int superblock_alloc_security(struct super_block *sb) Loading Loading @@ -674,10 +675,9 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (flags[i] == SBLABEL_MNT) continue; rc = security_context_to_sid(mount_options[i], strlen(mount_options[i]), &sid, GFP_KERNEL); rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); if (rc) { printk(KERN_WARNING "SELinux: security_context_to_sid" printk(KERN_WARNING "SELinux: security_context_str_to_sid" "(%s) failed for (dev %s, type %s) errno=%d\n", mount_options[i], sb->s_id, name, rc); goto out; Loading Loading @@ -2617,15 +2617,12 @@ static int selinux_sb_remount(struct super_block *sb, void *data) for (i = 0; i < opts.num_mnt_opts; i++) { u32 sid; size_t len; if (flags[i] == SBLABEL_MNT) continue; len = strlen(mount_options[i]); rc = security_context_to_sid(mount_options[i], len, &sid, GFP_KERNEL); rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); if (rc) { printk(KERN_WARNING "SELinux: security_context_to_sid" printk(KERN_WARNING "SELinux: security_context_str_to_sid" "(%s) failed for (dev %s, type %s) errno=%d\n", mount_options[i], sb->s_id, sb->s_type->name, rc); goto out_free_opts; Loading Loading @@ -2946,7 +2943,8 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) return dentry_has_perm(cred, dentry, FILE__SETATTR); if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)) if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE) && !(ia_valid & ATTR_FILE)) av |= FILE__OPEN; return dentry_has_perm(cred, dentry, av); Loading Loading @@ -3166,7 +3164,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, if (!value || !size) return -EACCES; rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL); rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); if (rc) return rc; Loading Loading @@ -3238,7 +3236,7 @@ static void selinux_file_free_security(struct file *file) * Check whether a task has the ioctl permission and cmd * operation to an inode. */ int ioctl_has_perm(const struct cred *cred, struct file *file, static int ioctl_has_perm(const struct cred *cred, struct file *file, u32 requested, u16 cmd) { struct common_audit_data ad; Loading Loading @@ -6089,6 +6087,9 @@ static __init int selinux_init(void) sel_inode_cache = kmem_cache_create("selinux_inode_security", sizeof(struct inode_security_struct), 0, SLAB_PANIC, NULL); file_security_cache = kmem_cache_create("selinux_file_security", sizeof(struct file_security_struct), 0, SLAB_PANIC, NULL); avc_init(); security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); Loading
security/selinux/include/security.h +2 −0 Original line number Diff line number Diff line Loading @@ -166,6 +166,8 @@ int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len); int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *out_sid, gfp_t gfp); int security_context_str_to_sid(const char *scontext, u32 *out_sid, gfp_t gfp); int security_context_to_sid_default(const char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid, gfp_t gfp_flags); Loading
security/selinux/selinuxfs.c +9 −17 Original line number Diff line number Diff line Loading @@ -731,13 +731,11 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out; length = security_context_to_sid(scon, strlen(scon) + 1, &ssid, GFP_KERNEL); length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); if (length) goto out; length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid, GFP_KERNEL); length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); if (length) goto out; Loading Loading @@ -819,13 +817,11 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size) objname = namebuf; } length = security_context_to_sid(scon, strlen(scon) + 1, &ssid, GFP_KERNEL); length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); if (length) goto out; length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid, GFP_KERNEL); length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); if (length) goto out; Loading Loading @@ -882,13 +878,11 @@ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out; length = security_context_to_sid(scon, strlen(scon) + 1, &ssid, GFP_KERNEL); length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); if (length) goto out; length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid, GFP_KERNEL); length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); if (length) goto out; Loading Loading @@ -940,7 +934,7 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s", con, user) != 2) goto out; length = security_context_to_sid(con, strlen(con) + 1, &sid, GFP_KERNEL); length = security_context_str_to_sid(con, &sid, GFP_KERNEL); if (length) goto out; Loading Loading @@ -1000,13 +994,11 @@ static ssize_t sel_write_member(struct file *file, char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) goto out; length = security_context_to_sid(scon, strlen(scon) + 1, &ssid, GFP_KERNEL); length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); if (length) goto out; length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid, GFP_KERNEL); length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); if (length) goto out; Loading
security/selinux/ss/services.c +9 −13 Original line number Diff line number Diff line Loading @@ -1218,13 +1218,10 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 /* * Copy the user name, role name and type name into the context. */ sprintf(scontextp, "%s:%s:%s", scontextp += sprintf(scontextp, "%s:%s:%s", sym_name(&policydb, SYM_USERS, context->user - 1), sym_name(&policydb, SYM_ROLES, context->role - 1), sym_name(&policydb, SYM_TYPES, context->type - 1)); scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)); mls_sid_to_context(context, &scontextp); Loading Loading @@ -1259,12 +1256,12 @@ static int security_sid_to_context_core(u32 sid, char **scontext, *scontext_len = strlen(initial_sid_to_string[sid]) + 1; if (!scontext) goto out; scontextp = kmalloc(*scontext_len, GFP_ATOMIC); scontextp = kmemdup(initial_sid_to_string[sid], *scontext_len, GFP_ATOMIC); if (!scontextp) { rc = -ENOMEM; goto out; } strcpy(scontextp, initial_sid_to_string[sid]); *scontext = scontextp; goto out; } Loading Loading @@ -1476,6 +1473,11 @@ int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid, sid, SECSID_NULL, gfp, 0); } int security_context_str_to_sid(const char *scontext, u32 *sid, gfp_t gfp) { return security_context_to_sid(scontext, strlen(scontext), sid, gfp); } /** * security_context_to_sid_default - Obtain a SID for a given security context, * falling back to specified default if needed. Loading Loading @@ -2604,18 +2606,12 @@ int security_get_bools(int *len, char ***names, int **values) goto err; for (i = 0; i < *len; i++) { size_t name_len; (*values)[i] = policydb.bool_val_to_struct[i]->state; name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1; rc = -ENOMEM; (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); (*names)[i] = kstrdup(sym_name(&policydb, SYM_BOOLS, i), GFP_ATOMIC); if (!(*names)[i]) goto err; strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len); (*names)[i][name_len - 1] = 0; } rc = 0; out: Loading
