Merge branch 'master' of git://git.infradead.org/users/pcmoore/selinux into next (d4a82a4a) · Commits · e / devices / android_kernel_teracube_2e

security/selinux/hooks.c

+1 −6

Original line number	Diff line number	Diff line
		@@ -82,7 +82,6 @@
		#include <linux/syslog.h>
		#include <linux/user_namespace.h>
		#include <linux/export.h>
		#include <linux/security.h>
		#include <linux/msg.h>
		#include <linux/shm.h>

		@@ -4474,14 +4473,10 @@ static int selinux_inet_conn_request(struct sock sk, struct sk_buff skb,
		{
		struct sk_security_struct *sksec = sk->sk_security;
		int err;
		u16 family = sk->sk_family;
		u16 family = req->rsk_ops->family;
		u32 connsid;
		u32 peersid;

		/* handle mapped IPv4 packets arriving via IPv6 sockets */
		if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
		family = PF_INET;

		err = selinux_skb_peerlbl_sid(skb, family, &peersid);
		if (err)
		return err;

security/selinux/include/security.h

+2 −1

Original line number	Diff line number	Diff line
		@@ -33,13 +33,14 @@
		#define POLICYDB_VERSION_ROLETRANS 26
		#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
		#define POLICYDB_VERSION_DEFAULT_TYPE 28
		#define POLICYDB_VERSION_CONSTRAINT_NAMES 29

		/* Range of policy versions we understand*/
		#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
		#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
		#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
		#else
		#define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE
		#define POLICYDB_VERSION_MAX POLICYDB_VERSION_CONSTRAINT_NAMES
		#endif

		/* Mask for just the mount related flags */

security/selinux/netlabel.c

+30 −1

Original line number	Diff line number	Diff line
		@@ -100,6 +100,32 @@ static struct netlbl_lsm_secattr selinux_netlbl_sock_genattr(struct sock sk)
		return secattr;
		}

		/**
		* selinux_netlbl_sock_getattr - Get the cached NetLabel secattr
		* @sk: the socket
		* @sid: the SID
		*
		* Query the socket's cached secattr and if the SID matches the cached value
		* return the cache, otherwise return NULL.
		*
		*/
		static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
		const struct sock *sk,
		u32 sid)
		{
		struct sk_security_struct *sksec = sk->sk_security;
		struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr;

		if (secattr == NULL)
		return NULL;

		if ((secattr->flags & NETLBL_SECATTR_SECID) &&
		(secattr->attr.secid == sid))
		return secattr;

		return NULL;
		}

		/**
		* selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
		*
		@@ -224,7 +250,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
		struct sk_security_struct *sksec = sk->sk_security;
		if (sksec->nlbl_state != NLBL_REQSKB)
		return 0;
		secattr = sksec->nlbl_secattr;
		secattr = selinux_netlbl_sock_getattr(sk, sid);
		}
		if (secattr == NULL) {
		secattr = &secattr_storage;
		@@ -410,6 +436,9 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
		sksec->nlbl_state == NLBL_CONNLABELED)) {
		netlbl_secattr_init(&secattr);
		lock_sock(sk);
		/* call the netlabel function directly as we want to see the
		* on-the-wire label that is assigned via the socket's options
		* and not the cached netlabel/lsm attributes */
		rc = netlbl_sock_getattr(sk, &secattr);
		release_sock(sk);
		if (rc == 0)

security/selinux/ss/constraint.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -48,6 +48,7 @@ struct constraint_expr {
		u32 op; /* operator */

		struct ebitmap names; /* names */
		struct type_set *type_names;

		struct constraint_expr next; / next expression */
		};

security/selinux/ss/policydb.c

+87 −9

Original line number	Diff line number	Diff line
		@@ -143,6 +143,11 @@ static struct policydb_compat_info policydb_compat[] = {
		.sym_num = SYM_NUM,
		.ocon_num = OCON_NUM,
		},
		{
		.version = POLICYDB_VERSION_CONSTRAINT_NAMES,
		.sym_num = SYM_NUM,
		.ocon_num = OCON_NUM,
		},
		};

		static struct policydb_compat_info *policydb_lookup_compat(int version)
		@@ -613,6 +618,19 @@ static int common_destroy(void key, void datum, void *p)
		return 0;
		}

		static void constraint_expr_destroy(struct constraint_expr *expr)
		{
		if (expr) {
		ebitmap_destroy(&expr->names);
		if (expr->type_names) {
		ebitmap_destroy(&expr->type_names->types);
		ebitmap_destroy(&expr->type_names->negset);
		kfree(expr->type_names);
		}
		kfree(expr);
		}
		}

		static int cls_destroy(void key, void datum, void *p)
		{
		struct class_datum *cladatum;
		@@ -628,10 +646,9 @@ static int cls_destroy(void key, void datum, void *p)
		while (constraint) {
		e = constraint->expr;
		while (e) {
		ebitmap_destroy(&e->names);
		etmp = e;
		e = e->next;
		kfree(etmp);
		constraint_expr_destroy(etmp);
		}
		ctemp = constraint;
		constraint = constraint->next;
		@@ -642,16 +659,14 @@ static int cls_destroy(void key, void datum, void *p)
		while (constraint) {
		e = constraint->expr;
		while (e) {
		ebitmap_destroy(&e->names);
		etmp = e;
		e = e->next;
		kfree(etmp);
		constraint_expr_destroy(etmp);
		}
		ctemp = constraint;
		constraint = constraint->next;
		kfree(ctemp);
		}

		kfree(cladatum->comkey);
		}
		kfree(datum);
		@@ -1156,8 +1171,34 @@ static int common_read(struct policydb p, struct hashtab h, void *fp)
		return rc;
		}

		static int read_cons_helper(struct constraint_node **nodep, int ncons,
		int allowxtarget, void *fp)
		static void type_set_init(struct type_set *t)
		{
		ebitmap_init(&t->types);
		ebitmap_init(&t->negset);
		}

		static int type_set_read(struct type_set t, void fp)
		{
		__le32 buf[1];
		int rc;

		if (ebitmap_read(&t->types, fp))
		return -EINVAL;
		if (ebitmap_read(&t->negset, fp))
		return -EINVAL;

		rc = next_entry(buf, fp, sizeof(u32));
		if (rc < 0)
		return -EINVAL;
		t->flags = le32_to_cpu(buf[0]);

		return 0;
		}


		static int read_cons_helper(struct policydb *p,
		struct constraint_node **nodep,
		int ncons, int allowxtarget, void *fp)
		{
		struct constraint_node c, lc;
		struct constraint_expr e, le;
		@@ -1225,6 +1266,18 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
		rc = ebitmap_read(&e->names, fp);
		if (rc)
		return rc;
		if (p->policyvers >=
		POLICYDB_VERSION_CONSTRAINT_NAMES) {
		e->type_names = kzalloc(sizeof
		(*e->type_names),
		GFP_KERNEL);
		if (!e->type_names)
		return -ENOMEM;
		type_set_init(e->type_names);
		rc = type_set_read(e->type_names, fp);
		if (rc)
		return rc;
		}
		break;
		default:
		return -EINVAL;
		@@ -1301,7 +1354,7 @@ static int class_read(struct policydb p, struct hashtab h, void *fp)
		goto bad;
		}

		rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp);
		rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
		if (rc)
		goto bad;

		@@ -1311,7 +1364,8 @@ static int class_read(struct policydb p, struct hashtab h, void *fp)
		if (rc)
		goto bad;
		ncons = le32_to_cpu(buf[0]);
		rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp);
		rc = read_cons_helper(p, &cladatum->validatetrans,
		ncons, 1, fp);
		if (rc)
		goto bad;
		}
		@@ -2753,6 +2807,24 @@ static int common_write(void vkey, void datum, void *ptr)
		return 0;
		}

		static int type_set_write(struct type_set t, void fp)
		{
		int rc;
		__le32 buf[1];

		if (ebitmap_write(&t->types, fp))
		return -EINVAL;
		if (ebitmap_write(&t->negset, fp))
		return -EINVAL;

		buf[0] = cpu_to_le32(t->flags);
		rc = put_entry(buf, sizeof(u32), 1, fp);
		if (rc)
		return -EINVAL;

		return 0;
		}

		static int write_cons_helper(struct policydb p, struct constraint_node node,
		void *fp)
		{
		@@ -2784,6 +2856,12 @@ static int write_cons_helper(struct policydb p, struct constraint_node node,
		rc = ebitmap_write(&e->names, fp);
		if (rc)
		return rc;
		if (p->policyvers >=
		POLICYDB_VERSION_CONSTRAINT_NAMES) {
		rc = type_set_write(e->type_names, fp);
		if (rc)
		return rc;
		}
		break;
		default:
		break;