leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6

Browse Source 
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
  SELinux: one little, two little, three little whitespaces, the avc.c saga.
  SELinux: cleanup on isle selinuxfs.c
  changing whitespace for fun and profit: policydb.c
  SELinux: whitespace and formating fixes for hooks.c
  SELinux: clean up printks
  SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: services.c whitespace, syntax, and static declaraction cleanups
  SELinux: mls.c whitespace, syntax, and static declaraction cleanups
  SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups
  SELinux: conditional.c whitespace, syntax, and static declaraction cleanups
  SELinux: avtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups
  SELinux: nlmsgtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: netnode.c whitespace, syntax, and static declaraction cleanups
  SELinux: netlink.c whitespace, syntax, and static declaraction cleanups
  SELinux: netlabel.c whitespace, syntax, and static declaraction cleanups
  SELinux: netif.c whitespace, syntax, and static declaraction cleanups
This commit is contained in:
Linus Torvalds 2008-04-21 16:01:40 -07:00
commit 19b5b517a8
17 changed files with 611 additions and 636 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
security/selinux/avc.c
View File

@ -44,7 +44,7 @@ static const char *class_to_string[] = {
#undef S_
};
#define TB_(s) static const char * s [] = {
#define TB_(s) static const char *s[] = {
#define TE_(s) };
#define S_(s) s,
#include "common_perm_to_string.h"
@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void)
int hvalue, try, ecx;
unsigned long flags;
for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++ ) {
for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags))
@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
spin_lock_irqsave(&notif_lock, flag);
if (is_insert) {
if (seqno < avc_cache.latest_notif) {
printk(KERN_WARNING "avc: seqno %d < latest_notif %d\n",
printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n",
seqno, avc_cache.latest_notif);
ret = -EAGAIN;
}
@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid,
if (!ab)
return; /* audit_panic has been called */
audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
avc_dump_av(ab, tclass,audited);
avc_dump_av(ab, tclass, audited);
audit_log_format(ab, " for ");
if (a && a->tsk)
tsk = a->tsk;
@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass)
hvalue = avc_hash(ssid, tsid, tclass);
spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag);
list_for_each_entry(pos, &avc_cache.slots[hvalue], list){
if ( ssid==pos->ae.ssid &&
tsid==pos->ae.tsid &&
tclass==pos->ae.tclass ){
list_for_each_entry(pos, &avc_cache.slots[hvalue], list) {
if (ssid == pos->ae.ssid &&
tsid == pos->ae.tsid &&
tclass == pos->ae.tclass){
orig = pos;
break;
}
@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
node = avc_lookup(ssid, tsid, tclass, requested);
if (!node) {
rcu_read_unlock();
rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd);
rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd);
if (rc)
goto out;
rcu_read_lock();
node = avc_insert(ssid,tsid,tclass,&entry);
node = avc_insert(ssid, tsid, tclass, &entry);
}
p_ae = node ? &node->ae : &entry;

148
security/selinux/hooks.c
View File

@ -99,11 +99,11 @@ extern struct security_operations *security_ops;
atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
int selinux_enforcing = 0;
int selinux_enforcing;
static int __init enforcing_setup(char *str)
{
selinux_enforcing = simple_strtol(str,NULL,0);
selinux_enforcing = simple_strtol(str, NULL, 0);
return 1;
}
__setup("enforcing=", enforcing_setup);
@ -123,13 +123,13 @@ int selinux_enabled = 1;
#endif
/* Original (dummy) security module. */
static struct security_operations *original_ops = NULL;
static struct security_operations *original_ops;
/* Minimal support for a secondary security module,
just to allow the use of the dummy or capability modules.
The owlsm module can alternatively be used as a secondary
module as long as CONFIG_OWLSM_FD is not enabled. */
static struct security_operations *secondary_ops = NULL;
static struct security_operations *secondary_ops;
/* Lists of inode and superblock security structures initialized
before the policy was loaded. */
@ -575,8 +575,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
goto out;
}
rc = -EINVAL;
printk(KERN_WARNING "Unable to set superblock options before "
"the security server is initialized\n");
printk(KERN_WARNING "SELinux: Unable to set superblock options "
"before the security server is initialized\n");
goto out;
}
@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de,
int buflen, rc;
char *buffer, *path, *end;
buffer = (char*)__get_free_page(GFP_KERNEL);
buffer = (char *)__get_free_page(GFP_KERNEL);
if (!buffer)
return -ENOMEM;
@ -1135,7 +1135,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
dentry = d_find_alias(inode);
}
if (!dentry) {
printk(KERN_WARNING "%s: no dentry for dev=%s "
printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
"ino=%ld\n", __func__, inode->i_sb->s_id,
inode->i_ino);
goto out_unlock;
@ -1173,7 +1173,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
dput(dentry);
if (rc < 0) {
if (rc != -ENODATA) {
printk(KERN_WARNING "%s: getxattr returned "
printk(KERN_WARNING "SELinux: %s: getxattr returned "
"%d for dev=%s ino=%ld\n", __func__,
-rc, inode->i_sb->s_id, inode->i_ino);
kfree(context);
@ -1187,7 +1187,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
sbsec->def_sid,
GFP_NOFS);
if (rc) {
printk(KERN_WARNING "%s: context_to_sid(%s) "
printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
"returned %d for dev=%s ino=%ld\n",
__func__, context, -rc,
inode->i_sb->s_id, inode->i_ino);
@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk,
tsec = tsk->security;
AVC_AUDIT_DATA_INIT(&ad,CAP);
AVC_AUDIT_DATA_INIT(&ad, CAP);
ad.tsk = tsk;
ad.u.cap = cap;
@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk,
struct inode_security_struct *isec;
struct avc_audit_data ad;
if (unlikely (IS_PRIVATE (inode)))
if (unlikely(IS_PRIVATE(inode)))
return 0;
tsec = tsk->security;
@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk,
{
struct inode *inode = dentry->d_inode;
struct avc_audit_data ad;
AVC_AUDIT_DATA_INIT(&ad,FS);
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.mnt = mnt;
ad.u.fs.path.dentry = dentry;
return inode_has_perm(tsk, inode, av, &ad);
@ -1510,7 +1510,8 @@ static int may_link(struct inode *dir,
av = DIR__RMDIR;
break;
default:
printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
__func__, kind);
return 0;
}
@ -1640,8 +1641,8 @@ static inline u32 open_file_mask_to_av(int mode, int mask)
else if (S_ISDIR(mode))
av |= DIR__OPEN;
else
printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
"with unknown mode:%x\n", mode);
printk(KERN_ERR "SELinux: WARNING: inside %s with "
"unknown mode:%x\n", __func__, mode);
}
return av;
}
@ -1675,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
{
int rc;
rc = secondary_ops->ptrace(parent,child);
rc = secondary_ops->ptrace(parent, child);
if (rc)
return rc;
@ -1720,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap)
if (rc)
return rc;
return task_has_capability(tsk,cap);
return task_has_capability(tsk, cap);
}
static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@ -1729,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
char *buffer, *path, *end;
rc = -ENOMEM;
buffer = (char*)__get_free_page(GFP_KERNEL);
buffer = (char *)__get_free_page(GFP_KERNEL);
if (!buffer)
goto out;
@ -1787,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op)
/* The op values are "defined" in sysctl.c, thereby creating
* a bad coupling between this module and sysctl.c */
if(op == 001) {
if (op == 001) {
error = avc_has_perm(tsec->sid, tsid,
SECCLASS_DIR, DIR__SEARCH, NULL);
} else {
@ -1817,16 +1818,14 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
case Q_QUOTAOFF:
case Q_SETINFO:
case Q_SETQUOTA:
rc = superblock_has_perm(current,
sb,
FILESYSTEM__QUOTAMOD, NULL);
rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
NULL);
break;
case Q_GETFMT:
case Q_GETINFO:
case Q_GETQUOTA:
rc = superblock_has_perm(current,
sb,
FILESYSTEM__QUOTAGET, NULL);
rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
NULL);
break;
default:
rc = 0; /* let the kernel handle invalid cmds */
@ -2010,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
return 0;
}
static int selinux_bprm_check_security (struct linux_binprm *bprm)
static int selinux_bprm_check_security(struct linux_binprm *bprm)
{
return secondary_ops->bprm_check_security(bprm);
}
static int selinux_bprm_secureexec (struct linux_binprm *bprm)
static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{
struct task_security_struct *tsec = current->security;
int atsecure = 0;
@ -2043,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount;
extern struct dentry *selinux_null;
/* Derived from fs/exec.c:flush_old_files. */
static inline void flush_unauthorized_files(struct files_struct * files)
static inline void flush_unauthorized_files(struct files_struct *files)
{
struct avc_audit_data ad;
struct file *file, *devnull = NULL;
@ -2078,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
/* Revalidate access to inherited open files. */
AVC_AUDIT_DATA_INIT(&ad,FS);
AVC_AUDIT_DATA_INIT(&ad, FS);
spin_lock(&files->file_lock);
for (;;) {
@ -2094,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
if (!set)
continue;
spin_unlock(&files->file_lock);
for ( ; set ; i++,set >>= 1) {
for ( ; set ; i++, set >>= 1) {
if (set & 1) {
file = fget(i);
if (!file)
@ -2251,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
for (i = 0; i < RLIM_NLIMITS; i++) {
rlim = current->signal->rlim + i;
initrlim = init_task.signal->rlim+i;
rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
}
if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
/*
@ -2314,8 +2313,7 @@ static inline void take_selinux_option(char **to, char *from, int *first,
if (!*first) {
**to = '|';
*to += 1;
}
else
} else
*first = 0;
while (current_size < len) {
@ -2379,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
if (rc)
return rc;
AVC_AUDIT_DATA_INIT(&ad,FS);
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.dentry = sb->s_root;
return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
}
@ -2388,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry)
{
struct avc_audit_data ad;
AVC_AUDIT_DATA_INIT(&ad,FS);
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.dentry = dentry->d_sb->s_root;
return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
}
static int selinux_mount(char * dev_name,
static int selinux_mount(char *dev_name,
struct nameidata *nd,
char * type,
char *type,
unsigned long flags,
void * data)
void *data)
{
int rc;
@ -2421,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags)
if (rc)
return rc;
return superblock_has_perm(current,mnt->mnt_sb,
FILESYSTEM__UNMOUNT,NULL);
return superblock_has_perm(current, mnt->mnt_sb,
FILESYSTEM__UNMOUNT, NULL);
}
/* inode security operations */
@ -2508,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru
{
int rc;
rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
if (rc)
return rc;
return may_link(dir, old_dentry, MAY_LINK);
@ -2565,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
{
int rc;
rc = secondary_ops->inode_follow_link(dentry,nameidata);
rc = secondary_ops->inode_follow_link(dentry, nameidata);
if (rc)
return rc;
return dentry_has_perm(current, NULL, dentry, FILE__READ);
@ -2651,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
if (!is_owner_or_cap(inode))
return -EPERM;
AVC_AUDIT_DATA_INIT(&ad,FS);
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.path.dentry = dentry;
rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
@ -2704,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
return;
}
static int selinux_inode_getxattr (struct dentry *dentry, char *name)
static int selinux_inode_getxattr(struct dentry *dentry, char *name)
{
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
}
static int selinux_inode_listxattr (struct dentry *dentry)
static int selinux_inode_listxattr(struct dentry *dentry)
{
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
}
static int selinux_inode_removexattr (struct dentry *dentry, char *name)
static int selinux_inode_removexattr(struct dentry *dentry, char *name)
{
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
@ -2767,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
if (!value || !size)
return -EACCES;
rc = security_context_to_sid((void*)value, size, &newsid);
rc = security_context_to_sid((void *)value, size, &newsid);
if (rc)
return rc;
@ -2885,7 +2883,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
case KDSKBENT:
case KDSKBSENT:
error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
break;
/* default case assumes that the command will go
@ -2893,7 +2891,6 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
*/
default:
error = file_has_perm(current, file, FILE__IOCTL);
}
return error;
}
@ -2934,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
unsigned long addr, unsigned long addr_only)
{
int rc = 0;
u32 sid = ((struct task_security_struct*)(current->security))->sid;
u32 sid = ((struct task_security_struct *)(current->security))->sid;
if (addr < mmap_min_addr)
rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
@ -3010,7 +3007,7 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
}
if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
err = file_has_perm(current, file,FILE__WRITE);
err = file_has_perm(current, file, FILE__WRITE);
break;
}
/* fall through */
@ -3164,7 +3161,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{
return secondary_ops->task_post_setuid(id0,id1,id2,flags);
return secondary_ops->task_post_setuid(id0, id1, id2, flags);
}
static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
@ -3208,7 +3205,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
if (rc)
return rc;
return task_has_perm(current,p, PROCESS__SETSCHED);
return task_has_perm(current, p, PROCESS__SETSCHED);
}
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
@ -3573,7 +3570,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
if (isec->sid == SECINITSID_KERNEL)
goto out;
AVC_AUDIT_DATA_INIT(&ad,NET);
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = sock->sk;
err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
@ -3683,7 +3680,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
snum, &sid);
if (err)
goto out;
AVC_AUDIT_DATA_INIT(&ad,NET);
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sport = htons(snum);
ad.u.net.family = family;
err = avc_has_perm(isec->sid, sid,
@ -3694,7 +3691,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
}
}
switch(isec->sclass) {
switch (isec->sclass) {
case SECCLASS_TCP_SOCKET:
node_perm = TCP_SOCKET__NODE_BIND;
break;
@ -3716,7 +3713,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
if (err)
goto out;
AVC_AUDIT_DATA_INIT(&ad,NET);
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sport = htons(snum);
ad.u.net.family = family;
@ -3775,7 +3772,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
AVC_AUDIT_DATA_INIT(&ad,NET);
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.dport = htons(snum);
ad.u.net.family = sk->sk_family;
err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
@ -3840,7 +3837,7 @@ static int selinux_socket_getpeername(struct socket *sock)
return socket_has_perm(current, sock, SOCKET__GETATTR);
}
static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
{
int err;
@ -3879,7 +3876,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
isec = SOCK_INODE(sock)->i_security;
other_isec = SOCK_INODE(other)->i_security;
AVC_AUDIT_DATA_INIT(&ad,NET);
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = other->sk;
err = avc_has_perm(isec->sid, other_isec->sid,
@ -3911,7 +3908,7 @@ static int selinux_socket_unix_may_send(struct socket *sock,
isec = SOCK_INODE(sock)->i_security;
other_isec = SOCK_INODE(other)->i_security;
AVC_AUDIT_DATA_INIT(&ad,NET);
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = other->sk;
err = avc_has_perm(isec->sid, other_isec->sid,
@ -4201,7 +4198,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
}
}
static void selinux_sock_graft(struct sock* sk, struct socket *parent)
static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
@ -4722,7 +4719,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
int err;
int perms;
switch(cmd) {
switch (cmd) {
case IPC_INFO:
case MSG_INFO:
/* No specific object, just general system-wide information. */
@ -4870,7 +4867,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
int perms;
int err;
switch(cmd) {
switch (cmd) {
case IPC_INFO:
case SHM_INFO:
/* No specific object, just general system-wide information. */
@ -4969,7 +4966,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
int err;
u32 perms;
switch(cmd) {
switch (cmd) {
case IPC_INFO:
case SEM_INFO:
/* No specific object, just general system-wide information. */
@ -5041,7 +5038,7 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
}
/* module stacking operations */
static int selinux_register_security (const char *name, struct security_operations *ops)
static int selinux_register_security(const char *name, struct security_operations *ops)
{
if (secondary_ops != original_ops) {
printk(KERN_ERR "%s: There is already a secondary security "
@ -5058,7 +5055,7 @@ static int selinux_register_security (const char *name, struct security_operatio
return 0;
}
static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
{
if (inode)
inode_doinit_with_dentry(inode, dentry);
@ -5218,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p,
tsec->sid = sid;
task_unlock(p);
}
}
else
} else
return -EINVAL;
return size;
@ -5519,15 +5515,14 @@ static __init int selinux_init(void)
original_ops = secondary_ops = security_ops;
if (!secondary_ops)
panic ("SELinux: No initial security operations\n");
if (register_security (&selinux_ops))
panic("SELinux: No initial security operations\n");
if (register_security(&selinux_ops))
panic("SELinux: Unable to register with kernel.\n");
if (selinux_enforcing) {
if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
} else {
else
printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
}
#ifdef CONFIG_KEYS
/* Add security information to initial keyrings */
@ -5672,10 +5667,11 @@ static void selinux_nf_ip_exit(void)
#endif /* CONFIG_NETFILTER */
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static int selinux_disabled;
int selinux_disable(void)
{
extern void exit_sel_fs(void);
static int selinux_disabled = 0;
if (ss_initialized) {
/* Not permitted after initial policy load. */

3
security/selinux/netif.c
View File

@ -31,8 +31,7 @@
#define SEL_NETIF_HASH_SIZE 64
#define SEL_NETIF_HASH_MAX 1024
struct sel_netif
{
struct sel_netif {
struct list_head list;
struct netif_security_struct nsec;
struct rcu_head rcu_head;

3
security/selinux/nlmsgtab.c
View File

@ -23,8 +23,7 @@
#include "flask.h"
#include "av_permissions.h"
struct nlmsg_perm
{
struct nlmsg_perm {
u16 nlmsg_type;
u32 perm;
};

109
security/selinux/selinuxfs.c
View File

@ -57,14 +57,14 @@ int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
static int __init checkreqprot_setup(char *str)
{
selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0;
selinux_checkreqprot = simple_strtoul(str, NULL, 0) ? 1 : 0;
return 1;
}
__setup("checkreqprot=", checkreqprot_setup);
static int __init selinux_compat_net_setup(char *str)
{
selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0;
selinux_compat_net = simple_strtoul(str, NULL, 0) ? 1 : 0;
return 1;
}
__setup("selinux_compat_net=", selinux_compat_net_setup);
@ -73,17 +73,17 @@ __setup("selinux_compat_net=", selinux_compat_net_setup);
static DEFINE_MUTEX(sel_mutex);
/* global data for booleans */
static struct dentry *bool_dir = NULL;
static int bool_num = 0;
static struct dentry *bool_dir;
static int bool_num;
static char **bool_pending_names;
static int *bool_pending_values = NULL;
static int *bool_pending_values;
/* global data for classes */
static struct dentry *class_dir = NULL;
static struct dentry *class_dir;
static unsigned long last_class_ino;
/* global data for policy capabilities */
static struct dentry *policycap_dir = NULL;
static struct dentry *policycap_dir;
extern void selnl_notify_setenforce(int val);
@ -142,7 +142,7 @@ static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
}
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
@ -156,7 +156,7 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
/* No partial writes. */
return -EINVAL;
}
page = (char*)get_zeroed_page(GFP_KERNEL);
page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
@ -213,7 +213,7 @@ static const struct file_operations sel_handle_unknown_ops = {
};
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static ssize_t sel_write_disable(struct file * file, const char __user * buf,
static ssize_t sel_write_disable(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
@ -228,7 +228,7 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
/* No partial writes. */
return -EINVAL;
}
page = (char*)get_zeroed_page(GFP_KERNEL);
page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
@ -299,7 +299,7 @@ static const struct file_operations sel_mls_ops = {
.read = sel_read_mls,
};
static ssize_t sel_write_load(struct file * file, const char __user * buf,
static ssize_t sel_write_load(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
@ -371,7 +371,7 @@ static const struct file_operations sel_load_ops = {
.write = sel_write_load,
};
static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
{
char *canon;
u32 sid, len;
@ -390,8 +390,8 @@ static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
return length;
if (len > SIMPLE_TRANSACTION_LIMIT) {
printk(KERN_ERR "%s: context size (%u) exceeds payload "
"max\n", __func__, len);
printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
"payload max\n", __func__, len);
length = -ERANGE;
goto out;
}
@ -413,7 +413,7 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf,
static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *page;
@ -430,7 +430,7 @@ static ssize_t sel_write_checkreqprot(struct file * file, const char __user * bu
/* No partial writes. */
return -EINVAL;
}
page = (char*)get_zeroed_page(GFP_KERNEL);
page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
@ -462,7 +462,7 @@ static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *page;
@ -479,7 +479,7 @@ static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
/* No partial writes. */
return -EINVAL;
}
page = (char*)get_zeroed_page(GFP_KERNEL);
page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
@ -504,11 +504,11 @@ static const struct file_operations sel_compat_net_ops = {
/*
* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
*/
static ssize_t sel_write_access(struct file * file, char *buf, size_t size);
static ssize_t sel_write_create(struct file * file, char *buf, size_t size);
static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size);
static ssize_t sel_write_user(struct file * file, char *buf, size_t size);
static ssize_t sel_write_member(struct file * file, char *buf, size_t size);
static ssize_t sel_write_access(struct file *file, char *buf, size_t size);
static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
static ssize_t (*write_op[])(struct file *, char *, size_t) = {
[SEL_ACCESS] = sel_write_access,
@ -533,7 +533,7 @@ static ssize_t selinux_transaction_write(struct file *file, const char __user *b
return PTR_ERR(data);
rv = write_op[ino](file, data, size);
if (rv>0) {
if (rv > 0) {
simple_transaction_set(file, rv);
rv = size;
}
@ -552,7 +552,7 @@ static const struct file_operations transaction_ops = {
* and the length returned. Otherwise return 0 or and -error.
*/
static ssize_t sel_write_access(struct file * file, char *buf, size_t size)
static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid;
@ -601,7 +601,7 @@ out:
return length;
}
static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
@ -643,8 +643,8 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) {
printk(KERN_ERR "%s: context size (%u) exceeds payload "
"max\n", __func__, len);
printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
"payload max\n", __func__, len);
length = -ERANGE;
goto out3;
}
@ -660,7 +660,7 @@ out:
return length;
}
static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size)
static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
@ -717,7 +717,7 @@ out:
return length;
}
static ssize_t sel_write_user(struct file * file, char *buf, size_t size)
static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
{
char *con, *user, *ptr;
u32 sid, *sids;
@ -778,7 +778,7 @@ out:
return length;
}
static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
@ -820,8 +820,8 @@ static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) {
printk(KERN_ERR "%s: context size (%u) exceeds payload "
"max\n", __func__, len);
printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
"payload max\n", __func__, len);
length = -ERANGE;
goto out3;
}
@ -872,7 +872,8 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
ret = -EINVAL;
goto out;
}
if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) {
page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
ret = -ENOMEM;
goto out;
}
@ -923,7 +924,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
length = -EINVAL;
goto out;
}
page = (char*)get_zeroed_page(GFP_KERNEL);
page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
length = -ENOMEM;
goto out;
@ -977,7 +978,7 @@ static ssize_t sel_commit_bools_write(struct file *filep,
/* No partial writes. */
goto out;
}
page = (char*)get_zeroed_page(GFP_KERNEL);
page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
length = -ENOMEM;
goto out;
@ -991,9 +992,8 @@ static ssize_t sel_commit_bools_write(struct file *filep,
if (sscanf(page, "%d", &new_value) != 1)
goto out;
if (new_value && bool_pending_values) {
if (new_value && bool_pending_values)
security_set_bools(bool_num, bool_pending_values);
}
length = count;
@ -1055,7 +1055,8 @@ static int sel_make_bools(void)
sel_remove_entries(dir);
if (!(page = (char*)get_zeroed_page(GFP_KERNEL)))
page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
ret = security_get_bools(&num, &names, &values);
@ -1082,8 +1083,9 @@ static int sel_make_bools(void)
ret = -ENAMETOOLONG;
goto err;
}
isec = (struct inode_security_struct*)inode->i_security;
if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid)))
isec = (struct inode_security_struct *)inode->i_security;
ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
if (ret)
goto err;
isec->sid = sid;
isec->initialized = 1;
@ -1111,7 +1113,7 @@ err:
#define NULL_FILE_NAME "null"
struct dentry *selinux_null = NULL;
struct dentry *selinux_null;
static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
@ -1123,8 +1125,8 @@ static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
static ssize_t sel_write_avc_cache_threshold(struct file * file,
const char __user * buf,
static ssize_t sel_write_avc_cache_threshold(struct file *file,
const char __user *buf,
size_t count, loff_t *ppos)
{
@ -1143,7 +1145,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file * file,
goto out;
}
page = (char*)get_zeroed_page(GFP_KERNEL);
page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
ret = -ENOMEM;
goto out;
@ -1301,7 +1303,7 @@ out:
return ret;
}
static ssize_t sel_read_initcon(struct file * file, char __user *buf,
static ssize_t sel_read_initcon(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
struct inode *inode;
@ -1375,7 +1377,7 @@ static inline u32 sel_ino_to_perm(unsigned long ino)
return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1);
}
static ssize_t sel_read_class(struct file * file, char __user *buf,
static ssize_t sel_read_class(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
ssize_t rc, len;
@ -1399,7 +1401,7 @@ static const struct file_operations sel_class_ops = {
.read = sel_read_class,
};
static ssize_t sel_read_perm(struct file * file, char __user *buf,
static ssize_t sel_read_perm(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
ssize_t rc, len;
@ -1412,7 +1414,7 @@ static ssize_t sel_read_perm(struct file * file, char __user *buf,
goto out;
}
len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino));
len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino));
rc = simple_read_from_buffer(buf, count, ppos, page, len);
free_page((unsigned long)page);
out:
@ -1640,7 +1642,7 @@ out:
return ret;
}
static int sel_fill_super(struct super_block * sb, void * data, int silent)
static int sel_fill_super(struct super_block *sb, void *data, int silent)
{
int ret;
struct dentry *dentry;
@ -1696,7 +1698,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
goto err;
}
inode->i_ino = ++sel_last_ino;
isec = (struct inode_security_struct*)inode->i_security;
isec = (struct inode_security_struct *)inode->i_security;
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = 1;
@ -1760,7 +1762,8 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
out:
return ret;
err:
printk(KERN_ERR "%s: failed while creating inodes\n", __func__);
printk(KERN_ERR "SELinux: %s: failed while creating inodes\n",
__func__);
goto out;
}

40
security/selinux/ss/avtab.c
View File

@ -33,10 +33,10 @@ static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
static struct avtab_node*
avtab_insert_node(struct avtab *h, int hvalue,
struct avtab_node * prev, struct avtab_node * cur,
struct avtab_node *prev, struct avtab_node *cur,
struct avtab_key *key, struct avtab_datum *datum)
{
struct avtab_node * newnode;
struct avtab_node *newnode;
newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
if (newnode == NULL)
return NULL;
@ -84,7 +84,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
}
newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
if(!newnode)
if (!newnode)
return -ENOMEM;
return 0;
@ -95,7 +95,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
* It also returns a pointer to the node inserted.
*/
struct avtab_node *
avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_datum * datum)
avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum)
{
int hvalue;
struct avtab_node *prev, *cur, *newnode;
@ -310,8 +310,8 @@ void avtab_hash_eval(struct avtab *h, char *tag)
}
}
printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest "
"chain length %d sum of chain length^2 %Lu\n",
printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
"longest chain length %d sum of chain length^2 %Lu\n",
tag, h->nel, slots_used, h->nslot, max_chain_len,
chain2_len_sum);
}
@ -364,19 +364,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
val = le32_to_cpu(buf32[items++]);
key.source_type = (u16)val;
if (key.source_type != val) {
printk("SELinux: avtab: truncated source type\n");
printk(KERN_ERR "SELinux: avtab: truncated source type\n");
return -1;
}
val = le32_to_cpu(buf32[items++]);
key.target_type = (u16)val;
if (key.target_type != val) {
printk("SELinux: avtab: truncated target type\n");
printk(KERN_ERR "SELinux: avtab: truncated target type\n");
return -1;
}
val = le32_to_cpu(buf32[items++]);
key.target_class = (u16)val;
if (key.target_class != val) {
printk("SELinux: avtab: truncated target class\n");
printk(KERN_ERR "SELinux: avtab: truncated target class\n");
return -1;
}
@ -384,12 +384,12 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
printk("SELinux: avtab: null entry\n");
printk(KERN_ERR "SELinux: avtab: null entry\n");
return -1;
}
if ((val & AVTAB_AV) &&
(val & AVTAB_TYPE)) {
printk("SELinux: avtab: entry has both access vectors and types\n");
printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
return -1;
}
@ -398,12 +398,13 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
key.specified = spec_order[i] | enabled;
datum.data = le32_to_cpu(buf32[items++]);
rc = insertf(a, &key, &datum, p);
if (rc) return rc;
if (rc)
return rc;
}
}
if (items != items2) {
printk("SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items);
return -1;
}
return 0;
@ -411,7 +412,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
rc = next_entry(buf16, fp, sizeof(u16)*4);
if (rc < 0) {
printk("SELinux: avtab: truncated entry\n");
printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return -1;
}
@ -424,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
if (!policydb_type_isvalid(pol, key.source_type) ||
!policydb_type_isvalid(pol, key.target_type) ||
!policydb_class_isvalid(pol, key.target_class)) {
printk(KERN_WARNING "SELinux: avtab: invalid type or class\n");
printk(KERN_ERR "SELinux: avtab: invalid type or class\n");
return -1;
}
@ -434,20 +435,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
set++;
}
if (!set || set > 1) {
printk(KERN_WARNING
"SELinux: avtab: more than one specifier\n");
printk(KERN_ERR "SELinux: avtab: more than one specifier\n");
return -1;
}
rc = next_entry(buf32, fp, sizeof(u32));
if (rc < 0) {
printk("SELinux: avtab: truncated entry\n");
printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return -1;
}
datum.data = le32_to_cpu(*buf32);
if ((key.specified & AVTAB_TYPE) &&
!policydb_type_isvalid(pol, datum.data)) {
printk(KERN_WARNING "SELinux: avtab: invalid type\n");
printk(KERN_ERR "SELinux: avtab: invalid type\n");
return -1;
}
return insertf(a, &key, &datum, p);
@ -513,5 +513,5 @@ void avtab_cache_init(void)
void avtab_cache_destroy(void)
{
kmem_cache_destroy (avtab_node_cachep);
kmem_cache_destroy(avtab_node_cachep);
}

63
security/selinux/ss/conditional.c
View File

@ -89,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
int evaluate_cond_node(struct policydb *p, struct cond_node *node)
{
int new_state;
struct cond_av_list* cur;
struct cond_av_list *cur;
new_state = cond_evaluate_expr(p, node->expr);
if (new_state != node->cur_state) {
@ -98,22 +98,20 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
/* turn the rules on or off */
for (cur = node->true_list; cur != NULL; cur = cur->next) {
if (new_state <= 0) {
if (new_state <= 0)
cur->node->key.specified &= ~AVTAB_ENABLED;
} else {
else
cur->node->key.specified |= AVTAB_ENABLED;
}
}
for (cur = node->false_list; cur != NULL; cur = cur->next) {
/* -1 or 1 */
if (new_state) {
if (new_state)
cur->node->key.specified &= ~AVTAB_ENABLED;
} else {
else
cur->node->key.specified |= AVTAB_ENABLED;
}
}
}
return 0;
}
@ -173,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p)
int cond_init_bool_indexes(struct policydb *p)
{
kfree(p->bool_val_to_struct);
p->bool_val_to_struct = (struct cond_bool_datum**)
kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL);
p->bool_val_to_struct = (struct cond_bool_datum **)
kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
if (!p->bool_val_to_struct)
return -1;
return 0;
@ -199,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
return -EINVAL;
p->p_bool_val_to_name[booldatum->value - 1] = key;
p->bool_val_to_struct[booldatum->value -1] = booldatum;
p->bool_val_to_struct[booldatum->value - 1] = booldatum;
return 0;
}
@ -251,8 +249,7 @@ err:
return -1;
}
struct cond_insertf_data
{
struct cond_insertf_data {
struct policydb *p;
struct cond_av_list *other;
struct cond_av_list *head;
@ -275,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
*/
if (k->specified & AVTAB_TYPE) {
if (avtab_search(&p->te_avtab, k)) {
printk("SELinux: type rule already exists outside of a conditional.");
printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
goto err;
}
/*
@ -290,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
node_ptr = avtab_search_node(&p->te_cond_avtab, k);
if (node_ptr) {
if (avtab_search_node_next(node_ptr, k->specified)) {
printk("SELinux: too many conflicting type rules.");
printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
goto err;
}
found = 0;
@ -301,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
}
}
if (!found) {
printk("SELinux: conflicting type rules.\n");
printk(KERN_ERR "SELinux: conflicting type rules.\n");
goto err;
}
}
} else {
if (avtab_search(&p->te_cond_avtab, k)) {
printk("SELinux: conflicting type rules when adding type rule for true.\n");
printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
goto err;
}
}
@ -315,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
if (!node_ptr) {
printk("SELinux: could not insert rule.");
printk(KERN_ERR "SELinux: could not insert rule.\n");
goto err;
}
@ -352,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
return -1;
len = le32_to_cpu(buf[0]);
if (len == 0) {
if (len == 0)
return 0;
}
data.p = p;
data.other = other;
@ -375,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
{
if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
printk("SELinux: conditional expressions uses unknown operator.\n");
printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
return 0;
}
if (expr->bool > p->p_bools.nprim) {
printk("SELinux: conditional expressions uses unknown bool.\n");
printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
return 0;
}
return 1;
@ -407,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
/* expr */
len = le32_to_cpu(buf[0]);
for (i = 0; i < len; i++ ) {
for (i = 0; i < len; i++) {
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc < 0)
goto err;
expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
if (!expr) {
if (!expr)
goto err;
}
expr->expr_type = le32_to_cpu(buf[0]);
expr->bool = le32_to_cpu(buf[1]);
@ -425,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
goto err;
}
if (i == 0) {
if (i == 0)
node->expr = expr;
} else {
else
last->next = expr;
}
last = expr;
}
@ -468,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp)
if (cond_read_node(p, node, fp) != 0)
goto err;
if (i == 0) {
if (i == 0)
p->cond_list = node;
} else {
else
last->next = node;
}
last = node;
}
return 0;
@ -489,15 +482,15 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
{
struct avtab_node *node;
if(!ctab || !key || !avd)
if (!ctab || !key || !avd)
return;
for(node = avtab_search_node(ctab, key); node != NULL;
for (node = avtab_search_node(ctab, key); node != NULL;
node = avtab_search_node_next(node, key->specified)) {
if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) ==
if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
avd->allowed |= node->datum.data;
if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) ==
if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
/* Since a '0' in an auditdeny mask represents a
* permission we do NOT want to audit (dontaudit), we use
@ -505,7 +498,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
* are retained (much unlike the allow and auditallow cases).
*/
avd->auditdeny &= node->datum.data;
if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
avd->auditallow |= node->datum.data;
}

5
security/selinux/ss/ebitmap.c
View File

@ -411,11 +411,10 @@ int ebitmap_read(struct ebitmap *e, void *fp)
}
/* round down */
tmp->startbit = startbit - (startbit % EBITMAP_SIZE);
if (n) {
if (n)
n->next = tmp;
} else {
else
e->node = tmp;
}
n = tmp;
} else if (startbit <= n->startbit) {
printk(KERN_ERR "SELinux: ebitmap: start bit %d"

11
security/selinux/ss/mls.c
View File

@ -32,7 +32,7 @@
* Return the length in bytes for the MLS fields of the
* security context string representation of `context'.
*/
int mls_compute_context_len(struct context * context)
int mls_compute_context_len(struct context *context)
{
int i, l, len, head, prev;
char *nm;
@ -305,7 +305,8 @@ int mls_context_to_sid(char oldc,
*p++ = 0;
/* Separate into range if exists */
if ((rngptr = strchr(scontextp, '.')) != NULL) {
rngptr = strchr(scontextp, '.');
if (rngptr != NULL) {
/* Remove '.' */
*rngptr++ = 0;
}
@ -449,11 +450,11 @@ int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
that of the user's default clearance (but
only if the "fromcon" clearance dominates
the user's computed sensitivity level) */
if (mls_level_dom(user_clr, fromcon_clr)) {
if (mls_level_dom(user_clr, fromcon_clr))
*usercon_clr = *fromcon_clr;
} else if (mls_level_dom(fromcon_clr, user_clr)) {
else if (mls_level_dom(fromcon_clr, user_clr))
*usercon_clr = *user_clr;
} else
else
return -EINVAL;
}

90
security/selinux/ss/policydb.c
View File

@ -51,7 +51,7 @@ static char *symtab_name[SYM_NUM] = {
};
#endif
int selinux_mls_enabled = 0;
int selinux_mls_enabled;
static unsigned int symtab_sizes[SYM_NUM] = {
2,
@ -152,7 +152,7 @@ static int roles_init(struct policydb *p)
rc = -EINVAL;
goto out_free_role;
}
key = kmalloc(strlen(OBJECT_R)+1,GFP_KERNEL);
key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL);
if (!key) {
rc = -ENOMEM;
goto out_free_role;
@ -390,7 +390,7 @@ static void symtab_hash_eval(struct symtab *s)
struct hashtab_info info;
hashtab_stat(h, &info);
printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, "
printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, "
"longest chain length %d\n", symtab_name[i], h->nel,
info.slots_used, h->size, info.max_chain_len);
}
@ -634,7 +634,7 @@ void policydb_destroy(struct policydb *p)
while (c) {
ctmp = c;
c = c->next;
ocontext_destroy(ctmp,i);
ocontext_destroy(ctmp, i);
}
p->ocontexts[i] = NULL;
}
@ -647,7 +647,7 @@ void policydb_destroy(struct policydb *p)
while (c) {
ctmp = c;
c = c->next;
ocontext_destroy(ctmp,OCON_FSUSE);
ocontext_destroy(ctmp, OCON_FSUSE);
}
gtmp = g;
g = g->next;
@ -664,14 +664,14 @@ void policydb_destroy(struct policydb *p)
}
kfree(ltr);
for (ra = p->role_allow; ra; ra = ra -> next) {
for (ra = p->role_allow; ra; ra = ra->next) {
cond_resched();
kfree(lra);
lra = ra;
}
kfree(lra);
for (rt = p->range_tr; rt; rt = rt -> next) {
for (rt = p->range_tr; rt; rt = rt->next) {
cond_resched();
if (lrt) {
ebitmap_destroy(&lrt->target_range.level[0].cat);
@ -924,7 +924,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]);
perdatum->value = le32_to_cpu(buf[1]);
key = kmalloc(len + 1,GFP_KERNEL);
key = kmalloc(len + 1, GFP_KERNEL);
if (!key) {
rc = -ENOMEM;
goto bad;
@ -971,7 +971,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
comdatum->permissions.nprim = le32_to_cpu(buf[2]);
nel = le32_to_cpu(buf[3]);
key = kmalloc(len + 1,GFP_KERNEL);
key = kmalloc(len + 1, GFP_KERNEL);
if (!key) {
rc = -ENOMEM;
goto bad;
@ -1012,11 +1012,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
if (!c)
return -ENOMEM;
if (lc) {
if (lc)
lc->next = c;
} else {
else
*nodep = c;
}
rc = next_entry(buf, fp, (sizeof(u32) * 2));
if (rc < 0)
@ -1030,11 +1029,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
if (!e)
return -ENOMEM;
if (le) {
if (le)
le->next = e;
} else {
else
c->expr = e;
}
rc = next_entry(buf, fp, (sizeof(u32) * 3));
if (rc < 0)
@ -1111,7 +1109,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
ncons = le32_to_cpu(buf[5]);
key = kmalloc(len + 1,GFP_KERNEL);
key = kmalloc(len + 1, GFP_KERNEL);
if (!key) {
rc = -ENOMEM;
goto bad;
@ -1122,7 +1120,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
key[len] = 0;
if (len2) {
cladatum->comkey = kmalloc(len2 + 1,GFP_KERNEL);
cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
if (!cladatum->comkey) {
rc = -ENOMEM;
goto bad;
@ -1195,7 +1193,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]);
role->value = le32_to_cpu(buf[1]);
key = kmalloc(len + 1,GFP_KERNEL);
key = kmalloc(len + 1, GFP_KERNEL);
if (!key) {
rc = -ENOMEM;
goto bad;
@ -1215,7 +1213,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
if (strcmp(key, OBJECT_R) == 0) {
if (role->value != OBJECT_R_VAL) {
printk(KERN_ERR "Role %s has wrong value %d\n",
printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
OBJECT_R, role->value);
rc = -EINVAL;
goto bad;
@ -1242,7 +1240,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[3];
u32 len;
typdatum = kzalloc(sizeof(*typdatum),GFP_KERNEL);
typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
if (!typdatum) {
rc = -ENOMEM;
return rc;
@ -1256,7 +1254,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
typdatum->value = le32_to_cpu(buf[1]);
typdatum->primary = le32_to_cpu(buf[2]);
key = kmalloc(len + 1,GFP_KERNEL);
key = kmalloc(len + 1, GFP_KERNEL);
if (!key) {
rc = -ENOMEM;
goto bad;
@ -1328,7 +1326,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]);
usrdatum->value = le32_to_cpu(buf[1]);
key = kmalloc(len + 1,GFP_KERNEL);
key = kmalloc(len + 1, GFP_KERNEL);
if (!key) {
rc = -ENOMEM;
goto bad;
@ -1382,7 +1380,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]);
levdatum->isalias = le32_to_cpu(buf[1]);
key = kmalloc(len + 1,GFP_ATOMIC);
key = kmalloc(len + 1, GFP_ATOMIC);
if (!key) {
rc = -ENOMEM;
goto bad;
@ -1434,7 +1432,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
catdatum->value = le32_to_cpu(buf[1]);
catdatum->isalias = le32_to_cpu(buf[2]);
key = kmalloc(len + 1,GFP_ATOMIC);
key = kmalloc(len + 1, GFP_ATOMIC);
if (!key) {
rc = -ENOMEM;
goto bad;
@ -1493,7 +1491,7 @@ int policydb_read(struct policydb *p, void *fp)
goto out;
/* Read the magic number and string length. */
rc = next_entry(buf, fp, sizeof(u32)* 2);
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc < 0)
goto bad;
@ -1511,7 +1509,7 @@ int policydb_read(struct policydb *p, void *fp)
len, strlen(POLICYDB_STRING));
goto bad;
}
policydb_str = kmalloc(len + 1,GFP_KERNEL);
policydb_str = kmalloc(len + 1, GFP_KERNEL);
if (!policydb_str) {
printk(KERN_ERR "SELinux: unable to allocate memory for policydb "
"string of length %d\n", len);
@ -1551,22 +1549,23 @@ int policydb_read(struct policydb *p, void *fp)
if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
if (ss_initialized && !selinux_mls_enabled) {
printk(KERN_ERR "Cannot switch between non-MLS and MLS "
"policies\n");
printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
" and MLS policies\n");
goto bad;
}
selinux_mls_enabled = 1;
config |= POLICYDB_CONFIG_MLS;
if (p->policyvers < POLICYDB_VERSION_MLS) {
printk(KERN_ERR "security policydb version %d (MLS) "
"not backwards compatible\n", p->policyvers);
printk(KERN_ERR "SELinux: security policydb version %d "
"(MLS) not backwards compatible\n",
p->policyvers);
goto bad;
}
} else {
if (ss_initialized && selinux_mls_enabled) {
printk(KERN_ERR "Cannot switch between MLS and non-MLS "
"policies\n");
printk(KERN_ERR "SELinux: Cannot switch between MLS and"
" non-MLS policies\n");
goto bad;
}
}
@ -1633,11 +1632,10 @@ int policydb_read(struct policydb *p, void *fp)
rc = -ENOMEM;
goto bad;
}
if (ltr) {
if (ltr)
ltr->next = tr;
} else {
else
p->role_tr = tr;
}
rc = next_entry(buf, fp, sizeof(u32)*3);
if (rc < 0)
goto bad;
@ -1664,11 +1662,10 @@ int policydb_read(struct policydb *p, void *fp)
rc = -ENOMEM;
goto bad;
}
if (lra) {
if (lra)
lra->next = ra;
} else {
else
p->role_allow = ra;
}
rc = next_entry(buf, fp, sizeof(u32)*2);
if (rc < 0)
goto bad;
@ -1702,11 +1699,10 @@ int policydb_read(struct policydb *p, void *fp)
rc = -ENOMEM;
goto bad;
}
if (l) {
if (l)
l->next = c;
} else {
else
p->ocontexts[i] = c;
}
l = c;
rc = -EINVAL;
switch (i) {
@ -1725,7 +1721,7 @@ int policydb_read(struct policydb *p, void *fp)
if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
c->u.name = kmalloc(len + 1,GFP_KERNEL);
c->u.name = kmalloc(len + 1, GFP_KERNEL);
if (!c->u.name) {
rc = -ENOMEM;
goto bad;
@ -1753,7 +1749,7 @@ int policydb_read(struct policydb *p, void *fp)
goto bad;
break;
case OCON_NODE:
rc = next_entry(buf, fp, sizeof(u32)* 2);
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc < 0)
goto bad;
c->u.node.addr = le32_to_cpu(buf[0]);
@ -1770,7 +1766,7 @@ int policydb_read(struct policydb *p, void *fp)
if (c->v.behavior > SECURITY_FS_USE_NONE)
goto bad;
len = le32_to_cpu(buf[1]);
c->u.name = kmalloc(len + 1,GFP_KERNEL);
c->u.name = kmalloc(len + 1, GFP_KERNEL);
if (!c->u.name) {
rc = -ENOMEM;
goto bad;
@ -1818,7 +1814,7 @@ int policydb_read(struct policydb *p, void *fp)
goto bad;
}
newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL);
newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
if (!newgenfs->fstype) {
rc = -ENOMEM;
kfree(newgenfs);
@ -1864,7 +1860,7 @@ int policydb_read(struct policydb *p, void *fp)
goto bad;
}
newc->u.name = kmalloc(len + 1,GFP_KERNEL);
newc->u.name = kmalloc(len + 1, GFP_KERNEL);
if (!newc->u.name) {
rc = -ENOMEM;
goto bad_newc;
@ -1968,7 +1964,7 @@ int policydb_read(struct policydb *p, void *fp)
out:
return rc;
bad_newc:
ocontext_destroy(newc,OCON_FSUSE);
ocontext_destroy(newc, OCON_FSUSE);
bad:
if (!rc)
rc = -EINVAL;

98
security/selinux/ss/services.c
View File

@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex);
static struct sidtab sidtab;
struct policydb policydb;
int ss_initialized = 0;
int ss_initialized;
/*
* The largest sequence number that has been used when
@ -90,7 +90,7 @@ int ss_initialized = 0;
* The sequence number only changes when a policy change
* occurs.
*/
static u32 latest_granting = 0;
static u32 latest_granting;
/* Forward declaration. */
static int context_struct_to_string(struct context *context, char **scontext,
@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext,
val1 - 1);
continue;
case CEXPR_INCOMP:
s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
s[++sp] = (!ebitmap_get_bit(&r1->dominates,
val2 - 1) &&
!ebitmap_get_bit(&r2->dominates,
val1 - 1) );
val1 - 1));
continue;
default:
break;
@ -415,7 +415,8 @@ static int context_struct_compute_av(struct context *scontext,
return 0;
inval_class:
printk(KERN_ERR "%s: unrecognized class %d\n", __func__, tclass);
printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
tclass);
return -EINVAL;
}
@ -499,8 +500,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
tclass = SECCLASS_NETLINK_SOCKET;
if (!tclass || tclass > policydb.p_classes.nprim) {
printk(KERN_ERR "security_validate_transition: "
"unrecognized class %d\n", tclass);
printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
__func__, tclass);
rc = -EINVAL;
goto out;
}
@ -508,24 +509,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
ocontext = sidtab_search(&sidtab, oldsid);
if (!ocontext) {
printk(KERN_ERR "security_validate_transition: "
" unrecognized SID %d\n", oldsid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, oldsid);
rc = -EINVAL;
goto out;
}
ncontext = sidtab_search(&sidtab, newsid);
if (!ncontext) {
printk(KERN_ERR "security_validate_transition: "
" unrecognized SID %d\n", newsid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, newsid);
rc = -EINVAL;
goto out;
}
tcontext = sidtab_search(&sidtab, tasksid);
if (!tcontext) {
printk(KERN_ERR "security_validate_transition: "
" unrecognized SID %d\n", tasksid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, tasksid);
rc = -EINVAL;
goto out;
}
@ -581,15 +582,15 @@ int security_compute_av(u32 ssid,
scontext = sidtab_search(&sidtab, ssid);
if (!scontext) {
printk(KERN_ERR "security_compute_av: unrecognized SID %d\n",
ssid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, ssid);
rc = -EINVAL;
goto out;
}
tcontext = sidtab_search(&sidtab, tsid);
if (!tcontext) {
printk(KERN_ERR "security_compute_av: unrecognized SID %d\n",
tsid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, tsid);
rc = -EINVAL;
goto out;
}
@ -623,9 +624,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
/* Allocate space for the context; caller must free this space. */
scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
if (!scontextp) {
if (!scontextp)
return -ENOMEM;
}
*scontext = scontextp;
/*
@ -678,7 +678,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
char *scontextp;
*scontext_len = strlen(initial_sid_to_string[sid]) + 1;
scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
if (!scontextp) {
rc = -ENOMEM;
goto out;
@ -687,16 +687,16 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
*scontext = scontextp;
goto out;
}
printk(KERN_ERR "security_sid_to_context: called before initial "
"load_policy on unknown SID %d\n", sid);
printk(KERN_ERR "SELinux: %s: called before initial "
"load_policy on unknown SID %d\n", __func__, sid);
rc = -EINVAL;
goto out;
}
POLICY_RDLOCK;
context = sidtab_search(&sidtab, sid);
if (!context) {
printk(KERN_ERR "security_sid_to_context: unrecognized SID "
"%d\n", sid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, sid);
rc = -EINVAL;
goto out_unlock;
}
@ -926,15 +926,15 @@ static int security_compute_sid(u32 ssid,
scontext = sidtab_search(&sidtab, ssid);
if (!scontext) {
printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n",
ssid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, ssid);
rc = -EINVAL;
goto out_unlock;
}
tcontext = sidtab_search(&sidtab, tsid);
if (!tcontext) {
printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n",
tsid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, tsid);
rc = -EINVAL;
goto out_unlock;
}
@ -974,7 +974,7 @@ static int security_compute_sid(u32 ssid,
avdatum = avtab_search(&policydb.te_avtab, &avkey);
/* If no permanent rule, also check for enabled conditional rules */
if(!avdatum) {
if (!avdatum) {
node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
for (; node != NULL; node = avtab_search_node_next(node, specified)) {
if (node->key.specified & AVTAB_ENABLED) {
@ -1289,25 +1289,22 @@ static int convert_context(u32 key,
/* Convert the user. */
usrdatum = hashtab_search(args->newp->p_users.table,
args->oldp->p_user_val_to_name[c->user - 1]);
if (!usrdatum) {
if (!usrdatum)
goto bad;
}
c->user = usrdatum->value;
/* Convert the role. */
role = hashtab_search(args->newp->p_roles.table,
args->oldp->p_role_val_to_name[c->role - 1]);
if (!role) {
if (!role)
goto bad;
}
c->role = role->value;
/* Convert the type. */
typdatum = hashtab_search(args->newp->p_types.table,
args->oldp->p_type_val_to_name[c->type - 1]);
if (!typdatum) {
if (!typdatum)
goto bad;
}
c->type = typdatum->value;
rc = mls_convert_context(args->oldp, args->newp, c);
@ -1556,8 +1553,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
{
int i, fail = 0;
for(i = 0; i < 4; i++)
if(addr[i] != (input[i] & mask[i])) {
for (i = 0; i < 4; i++)
if (addr[i] != (input[i] & mask[i])) {
fail = 1;
break;
}
@ -1881,7 +1878,7 @@ int security_get_bools(int *len, char ***names, int **values)
goto out;
}
*names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
*names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
if (!*names)
goto err;
@ -1938,12 +1935,11 @@ int security_set_bools(int len, int *values)
audit_get_loginuid(current),
audit_get_sessionid(current));
}
if (values[i]) {
if (values[i])
policydb.bool_val_to_struct[i]->state = 1;
} else {
else
policydb.bool_val_to_struct[i]->state = 0;
}
}
for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
rc = evaluate_cond_node(&policydb, cur);
@ -2036,16 +2032,16 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
POLICY_RDLOCK;
context1 = sidtab_search(&sidtab, sid);
if (!context1) {
printk(KERN_ERR "security_sid_mls_copy: unrecognized SID "
"%d\n", sid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, sid);
rc = -EINVAL;
goto out_unlock;
}
context2 = sidtab_search(&sidtab, mls_sid);
if (!context2) {
printk(KERN_ERR "security_sid_mls_copy: unrecognized SID "
"%d\n", mls_sid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, mls_sid);
rc = -EINVAL;
goto out_unlock;
}
@ -2136,17 +2132,15 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
if (!nlbl_ctx) {
printk(KERN_ERR
"security_sid_mls_cmp: unrecognized SID %d\n",
nlbl_sid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, nlbl_sid);
rc = -EINVAL;
goto out_slowpath;
}
xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
if (!xfrm_ctx) {
printk(KERN_ERR
"security_sid_mls_cmp: unrecognized SID %d\n",
xfrm_sid);
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
__func__, xfrm_sid);
rc = -EINVAL;
goto out_slowpath;
}
@ -2226,7 +2220,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
match = hashtab_search(policydb.p_classes.table, class);
if (!match) {
printk(KERN_ERR "%s: unrecognized class %s\n",
printk(KERN_ERR "SELinux: %s: unrecognized class %s\n",
__func__, class);
rc = -EINVAL;
goto out;

6
security/selinux/ss/sidtab.c
View File

@ -156,12 +156,10 @@ void sidtab_map_remove_on_error(struct sidtab *s,
while (cur != NULL) {
ret = apply(cur->sid, &cur->context, args);
if (ret) {
if (last) {
if (last)
last->next = cur->next;
} else {
else
s->htable[i] = cur->next;
}
temp = cur;
cur = cur->next;
context_destroy(&temp->context);

5
security/selinux/xfrm.c
View File

@ -180,8 +180,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
if (!ckall)
break;
}
else if (*sid != ctx->ctx_sid)
} else if (*sid != ctx->ctx_sid)
return -EINVAL;
}
}
@ -326,7 +325,6 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
*/
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
if (ctx)
kfree(ctx);
}
@ -372,7 +370,6 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
void selinux_xfrm_state_free(struct xfrm_state *x)
{
struct xfrm_sec_ctx *ctx = x->security;
if (ctx)
kfree(ctx);
}