diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/capability.c | 6 | ||||
| -rw-r--r-- | security/keys/internal.h | 1 | ||||
| -rw-r--r-- | security/keys/key.c | 58 | ||||
| -rw-r--r-- | security/keys/keyring.c | 66 | ||||
| -rw-r--r-- | security/keys/user_defined.c | 33 | ||||
| -rw-r--r-- | security/selinux/include/av_perm_to_string.h | 3 | ||||
| -rw-r--r-- | security/selinux/include/av_permissions.h | 3 | ||||
| -rw-r--r-- | security/selinux/selinuxfs.c | 4 | ||||
| -rw-r--r-- | security/selinux/ss/avtab.c | 2 | ||||
| -rw-r--r-- | security/selinux/ss/policydb.c | 2 | ||||
| -rw-r--r-- | security/selinux/xfrm.c | 8 |
11 files changed, 14 insertions, 172 deletions
diff --git a/security/capability.c b/security/capability.c index ec18d6075625..f9b35cc0b248 100644 --- a/security/capability.c +++ b/security/capability.c @@ -49,8 +49,6 @@ static struct security_operations capability_ops = { .vm_enough_memory = cap_vm_enough_memory, }; -#define MY_NAME __stringify(KBUILD_MODNAME) - /* flag to keep track of how we were registered */ static int secondary; @@ -67,7 +65,7 @@ static int __init capability_init (void) /* register ourselves with the security framework */ if (register_security (&capability_ops)) { /* try registering with primary module */ - if (mod_reg_security (MY_NAME, &capability_ops)) { + if (mod_reg_security (KBUILD_MODNAME, &capability_ops)) { printk (KERN_INFO "Failure registering capabilities " "with primary security module.\n"); return -EINVAL; @@ -85,7 +83,7 @@ static void __exit capability_exit (void) return; /* remove ourselves from the security framework */ if (secondary) { - if (mod_unreg_security (MY_NAME, &capability_ops)) + if (mod_unreg_security (KBUILD_MODNAME, &capability_ops)) printk (KERN_INFO "Failure unregistering capabilities " "with primary module.\n"); return; diff --git a/security/keys/internal.h b/security/keys/internal.h index db99ed434f3a..39cba97c5eb9 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -25,7 +25,6 @@ #define kdebug(FMT, a...) do {} while(0) #endif -extern struct key_type key_type_dead; extern struct key_type key_type_user; /*****************************************************************************/ diff --git a/security/keys/key.c b/security/keys/key.c index 01bcfecb7eae..99781b798312 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -36,7 +36,7 @@ static DECLARE_WORK(key_cleanup_task, key_cleanup, NULL); DECLARE_RWSEM(key_construction_sem); /* any key who's type gets unegistered will be re-typed to this */ -struct key_type key_type_dead = { +static struct key_type key_type_dead = { .name = "dead", }; @@ -240,9 +240,9 @@ static inline void key_alloc_serial(struct key *key) /* * allocate a key of the specified type * - update the user's quota to reflect the existence of the key - * - called from a key-type operation with key_types_sem read-locked by either - * key_create_or_update() or by key_duplicate(); this prevents unregistration - * of the key type + * - called from a key-type operation with key_types_sem read-locked by + * key_create_or_update() + * - this prevents unregistration of the key type * - upon return the key is as yet uninstantiated; the caller needs to either * instantiate the key or discard it before returning */ @@ -889,56 +889,6 @@ EXPORT_SYMBOL(key_update); /*****************************************************************************/ /* - * duplicate a key, potentially with a revised description - * - must be supported by the keytype (keyrings for instance can be duplicated) - */ -struct key *key_duplicate(struct key *source, const char *desc) -{ - struct key *key; - int ret; - - key_check(source); - - if (!desc) - desc = source->description; - - down_read(&key_types_sem); - - ret = -EINVAL; - if (!source->type->duplicate) - goto error; - - /* allocate and instantiate a key */ - key = key_alloc(source->type, desc, current->fsuid, current->fsgid, - source->perm, 0); - if (IS_ERR(key)) - goto error_k; - - down_read(&source->sem); - ret = key->type->duplicate(key, source); - up_read(&source->sem); - if (ret < 0) - goto error2; - - atomic_inc(&key->user->nikeys); - set_bit(KEY_FLAG_INSTANTIATED, &key->flags); - - error_k: - up_read(&key_types_sem); - out: - return key; - - error2: - key_put(key); - error: - up_read(&key_types_sem); - key = ERR_PTR(ret); - goto out; - -} /* end key_duplicate() */ - -/*****************************************************************************/ -/* * revoke a key */ void key_revoke(struct key *key) diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 4e9fa8be44b8..5d22c0388b32 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -48,7 +48,6 @@ static inline unsigned keyring_hash(const char *desc) */ static int keyring_instantiate(struct key *keyring, const void *data, size_t datalen); -static int keyring_duplicate(struct key *keyring, const struct key *source); static int keyring_match(const struct key *keyring, const void *criterion); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); @@ -59,7 +58,6 @@ struct key_type key_type_keyring = { .name = "keyring", .def_datalen = sizeof(struct keyring_list), .instantiate = keyring_instantiate, - .duplicate = keyring_duplicate, .match = keyring_match, .destroy = keyring_destroy, .describe = keyring_describe, @@ -70,7 +68,7 @@ struct key_type key_type_keyring = { * semaphore to serialise link/link calls to prevent two link calls in parallel * introducing a cycle */ -DECLARE_RWSEM(keyring_serialise_link_sem); +static DECLARE_RWSEM(keyring_serialise_link_sem); /*****************************************************************************/ /* @@ -120,68 +118,6 @@ static int keyring_instantiate(struct key *keyring, /*****************************************************************************/ /* - * duplicate the list of subscribed keys from a source keyring into this one - */ -static int keyring_duplicate(struct key *keyring, const struct key *source) -{ - struct keyring_list *sklist, *klist; - unsigned max; - size_t size; - int loop, ret; - - const unsigned limit = - (PAGE_SIZE - sizeof(*klist)) / sizeof(struct key *); - - ret = 0; - - /* find out how many keys are currently linked */ - rcu_read_lock(); - sklist = rcu_dereference(source->payload.subscriptions); - max = 0; - if (sklist) - max = sklist->nkeys; - rcu_read_unlock(); - - /* allocate a new payload and stuff load with key links */ - if (max > 0) { - BUG_ON(max > limit); - - max = (max + 3) & ~3; - if (max > limit) - max = limit; - - ret = -ENOMEM; - size = sizeof(*klist) + sizeof(struct key *) * max; - klist = kmalloc(size, GFP_KERNEL); - if (!klist) - goto error; - - /* set links */ - rcu_read_lock(); - sklist = rcu_dereference(source->payload.subscriptions); - - klist->maxkeys = max; - klist->nkeys = sklist->nkeys; - memcpy(klist->keys, - sklist->keys, - sklist->nkeys * sizeof(struct key *)); - - for (loop = klist->nkeys - 1; loop >= 0; loop--) - atomic_inc(&klist->keys[loop]->usage); - - rcu_read_unlock(); - - rcu_assign_pointer(keyring->payload.subscriptions, klist); - ret = 0; - } - - error: - return ret; - -} /* end keyring_duplicate() */ - -/*****************************************************************************/ -/* * match keyrings on their name */ static int keyring_match(const struct key *keyring, const void *description) diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index cbda3b2780a1..8e71895b97a7 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c @@ -26,7 +26,6 @@ struct key_type key_type_user = { .name = "user", .instantiate = user_instantiate, - .duplicate = user_duplicate, .update = user_update, .match = user_match, .destroy = user_destroy, @@ -68,42 +67,10 @@ error: return ret; } /* end user_instantiate() */ - EXPORT_SYMBOL_GPL(user_instantiate); /*****************************************************************************/ /* - * duplicate a user defined key - * - both keys' semaphores are locked against further modification - * - the new key cannot yet be accessed - */ -int user_duplicate(struct key *key, const struct key *source) -{ - struct user_key_payload *upayload, *spayload; - int ret; - - /* just copy the payload */ - ret = -ENOMEM; - upayload = kmalloc(sizeof(*upayload) + source->datalen, GFP_KERNEL); - if (upayload) { - spayload = rcu_dereference(source->payload.data); - BUG_ON(source->datalen != spayload->datalen); - - upayload->datalen = key->datalen = spayload->datalen; - memcpy(upayload->data, spayload->data, key->datalen); - - key->payload.data = upayload; - ret = 0; - } - - return ret; - -} /* end user_duplicate() */ - -EXPORT_SYMBOL_GPL(user_duplicate); - -/*****************************************************************************/ -/* * dispose of the old data from an updated user defined key */ static void user_update_rcu_disposal(struct rcu_head *rcu) diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 71aeb12f07c8..591e98d9315a 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h @@ -238,5 +238,4 @@ S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost") S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom") - S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom") - S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto") + S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext") diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index d1d0996049e3..d7f02edf3930 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h @@ -908,8 +908,7 @@ #define ASSOCIATION__SENDTO 0x00000001UL #define ASSOCIATION__RECVFROM 0x00000002UL -#define ASSOCIATION__RELABELFROM 0x00000004UL -#define ASSOCIATION__RELABELTO 0x00000008UL +#define ASSOCIATION__SETCONTEXT 0x00000004UL #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 0e1352a555c8..e59da6398d44 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -376,7 +376,7 @@ static ssize_t selinux_transaction_write(struct file *file, const char __user *b char *data; ssize_t rv; - if (ino >= sizeof(write_op)/sizeof(write_op[0]) || !write_op[ino]) + if (ino >= ARRAY_SIZE(write_op) || !write_op[ino]) return -EINVAL; data = simple_transaction_get(file, buf, size); @@ -1161,7 +1161,7 @@ static int sel_make_avc_files(struct dentry *dir) #endif }; - for (i = 0; i < sizeof (files) / sizeof (files[0]); i++) { + for (i = 0; i < ARRAY_SIZE(files); i++) { struct inode *inode; struct dentry *dentry; diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index dde094feb20d..d049c7acbc8b 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c @@ -359,7 +359,7 @@ int avtab_read_item(void *fp, u32 vers, struct avtab *a, return -1; } - for (i = 0; i < sizeof(spec_order)/sizeof(u16); i++) { + for (i = 0; i < ARRAY_SIZE(spec_order); i++) { if (val & spec_order[i]) { key.specified = spec_order[i] | enabled; datum.data = le32_to_cpu(buf32[items++]); diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 0ac311dc8371..0111990ba837 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -103,7 +103,7 @@ static struct policydb_compat_info *policydb_lookup_compat(int version) int i; struct policydb_compat_info *info = NULL; - for (i = 0; i < sizeof(policydb_compat)/sizeof(*info); i++) { + for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) { if (policydb_compat[i].version == version) { info = &policydb_compat[i]; break; diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index c4d87d4dca7b..5b7776504e4c 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us * Must be permitted to relabel from default socket type (process type) * to specified context */ - rc = avc_has_perm(tsec->sid, tsec->sid, - SECCLASS_ASSOCIATION, - ASSOCIATION__RELABELFROM, NULL); - if (rc) - goto out; - rc = avc_has_perm(tsec->sid, ctx->ctx_sid, SECCLASS_ASSOCIATION, - ASSOCIATION__RELABELTO, NULL); + ASSOCIATION__SETCONTEXT, NULL); if (rc) goto out; |