summaryrefslogtreecommitdiff
path: root/security/ipe/policy_fs.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/ipe/policy_fs.c')
-rw-r--r--security/ipe/policy_fs.c36
1 files changed, 27 insertions, 9 deletions
diff --git a/security/ipe/policy_fs.c b/security/ipe/policy_fs.c
index 3bcd8cbd09df..db26032ccbe1 100644
--- a/security/ipe/policy_fs.c
+++ b/security/ipe/policy_fs.c
@@ -12,11 +12,16 @@
#include "policy.h"
#include "eval.h"
#include "fs.h"
+#include "audit.h"
#define MAX_VERSION_SIZE ARRAY_SIZE("65535.65535.65535")
/**
- * ipefs_file - defines a file in securityfs.
+ * struct ipefs_file - defines a file in securityfs.
+ *
+ * @name: file name inside the policy subdirectory
+ * @access: file permissions
+ * @fops: &file_operations specific to this file
*/
struct ipefs_file {
const char *name;
@@ -282,8 +287,13 @@ static ssize_t getactive(struct file *f, char __user *data,
* On success this updates the policy represented by $name,
* in-place.
*
- * Return: Length of buffer written on success. If an error occurs,
- * the function will return the -errno.
+ * Return:
+ * * Length of buffer written - Success
+ * * %-EPERM - Insufficient permission
+ * * %-ENOMEM - Out of memory (OOM)
+ * * %-ENOENT - Policy was deleted while updating
+ * * %-EINVAL - Policy name mismatch
+ * * %-ESTALE - Policy version too old
*/
static ssize_t update_policy(struct file *f, const char __user *data,
size_t len, loff_t *offset)
@@ -292,21 +302,29 @@ static ssize_t update_policy(struct file *f, const char __user *data,
char *copy = NULL;
int rc = 0;
- if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN))
- return -EPERM;
+ if (!file_ns_capable(f, &init_user_ns, CAP_MAC_ADMIN)) {
+ rc = -EPERM;
+ goto out;
+ }
copy = memdup_user(data, len);
- if (IS_ERR(copy))
- return PTR_ERR(copy);
+ if (IS_ERR(copy)) {
+ rc = PTR_ERR(copy);
+ copy = NULL;
+ goto out;
+ }
root = d_inode(f->f_path.dentry->d_parent);
inode_lock(root);
rc = ipe_update_policy(root, NULL, 0, copy, len);
inode_unlock(root);
+out:
kfree(copy);
- if (rc)
+ if (rc) {
+ ipe_audit_policy_load(ERR_PTR(rc));
return rc;
+ }
return len;
}
@@ -401,7 +419,7 @@ static const struct file_operations delete_fops = {
.write = delete_policy,
};
-/**
+/*
* policy_subdir - files under a policy subdirectory
*/
static const struct ipefs_file policy_subdir[] = {
generated by cgit v1.2.3 (git 2.39.0) at 2025-08-22 10:55:28 +0300