summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/inode.c4
-rw-r--r--security/keys/compat.c1
-rw-r--r--security/keys/key.c33
-rw-r--r--security/keys/proc.c4
-rw-r--r--security/keys/user_defined.c1
-rw-r--r--security/security.c1
-rw-r--r--security/selinux/avc.c3
-rw-r--r--security/selinux/hooks.c53
-rw-r--r--security/selinux/selinuxfs.c26
-rw-r--r--security/selinux/ss/avtab.c3
-rw-r--r--security/selinux/ss/sidtab.c1
11 files changed, 81 insertions, 49 deletions
diff --git a/security/inode.c b/security/inode.c
index 9b16e14f3a80..d7ecf89fbc74 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -50,7 +50,7 @@ static int default_open(struct inode *inode, struct file *file)
return 0;
}
-static struct file_operations default_file_ops = {
+static const struct file_operations default_file_ops = {
.read = default_read_file,
.write = default_write_file,
.open = default_open,
@@ -215,7 +215,7 @@ static int create_by_name(const char *name, mode_t mode,
*/
struct dentry *securityfs_create_file(const char *name, mode_t mode,
struct dentry *parent, void *data,
- struct file_operations *fops)
+ const struct file_operations *fops)
{
struct dentry *dentry = NULL;
int error;
diff --git a/security/keys/compat.c b/security/keys/compat.c
index bcdb28533733..e10ec995f275 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -9,7 +9,6 @@
* 2 of the License, or (at your option) any later version.
*/
-#include <linux/sched.h>
#include <linux/syscalls.h>
#include <linux/keyctl.h>
#include <linux/compat.h>
diff --git a/security/keys/key.c b/security/keys/key.c
index ac9326c5f1da..700400d801dc 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key)
spin_lock(&key_serial_lock);
+attempt_insertion:
parent = NULL;
p = &key_serial_tree.rb_node;
@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key)
else
goto serial_exists;
}
- goto insert_here;
+
+ /* we've found a suitable hole - arrange for this key to occupy it */
+ rb_link_node(&key->serial_node, parent, p);
+ rb_insert_color(&key->serial_node, &key_serial_tree);
+
+ spin_unlock(&key_serial_lock);
+ return;
/* we found a key with the proposed serial number - walk the tree from
* that point looking for the next unused serial number */
serial_exists:
for (;;) {
key->serial++;
- if (key->serial < 2)
- key->serial = 2;
-
- if (!rb_parent(parent))
- p = &key_serial_tree.rb_node;
- else if (rb_parent(parent)->rb_left == parent)
- p = &(rb_parent(parent)->rb_left);
- else
- p = &(rb_parent(parent)->rb_right);
+ if (key->serial < 3) {
+ key->serial = 3;
+ goto attempt_insertion;
+ }
parent = rb_next(parent);
if (!parent)
- break;
+ goto attempt_insertion;
xkey = rb_entry(parent, struct key, serial_node);
if (key->serial < xkey->serial)
- goto insert_here;
+ goto attempt_insertion;
}
- /* we've found a suitable hole - arrange for this key to occupy it */
-insert_here:
- rb_link_node(&key->serial_node, parent, p);
- rb_insert_color(&key->serial_node, &key_serial_tree);
-
- spin_unlock(&key_serial_lock);
-
} /* end key_alloc_serial() */
/*****************************************************************************/
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 686a9ee0c5de..3e0d0a6e224f 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -33,7 +33,7 @@ static struct seq_operations proc_keys_ops = {
.show = proc_keys_show,
};
-static struct file_operations proc_keys_fops = {
+static const struct file_operations proc_keys_fops = {
.open = proc_keys_open,
.read = seq_read,
.llseek = seq_lseek,
@@ -54,7 +54,7 @@ static struct seq_operations proc_key_users_ops = {
.show = proc_key_users_show,
};
-static struct file_operations proc_key_users_fops = {
+static const struct file_operations proc_key_users_fops = {
.open = proc_key_users_open,
.read = seq_read,
.llseek = seq_lseek,
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 5bbfdebb7acf..7c687d568221 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -11,7 +11,6 @@
#include <linux/module.h>
#include <linux/init.h>
-#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/seq_file.h>
#include <linux/err.h>
diff --git a/security/security.c b/security/security.c
index ee4e0701b6e0..fc8601b2b7ac 100644
--- a/security/security.c
+++ b/security/security.c
@@ -15,7 +15,6 @@
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
-#include <linux/sched.h>
#include <linux/security.h>
#define SECURITY_FRAMEWORK_VERSION "1.0.0"
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index e7c0b5e2066b..da8caf10ef97 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -332,11 +332,10 @@ static struct avc_node *avc_alloc_node(void)
{
struct avc_node *node;
- node = kmem_cache_alloc(avc_node_cachep, GFP_ATOMIC);
+ node = kmem_cache_zalloc(avc_node_cachep, GFP_ATOMIC);
if (!node)
goto out;
- memset(node, 0, sizeof(*node));
INIT_RCU_HEAD(&node->rhead);
INIT_LIST_HEAD(&node->list);
atomic_set(&node->ae.used, 1);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 65fb5e8ea941..b1ac22d23195 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -181,11 +181,10 @@ static int inode_alloc_security(struct inode *inode)
struct task_security_struct *tsec = current->security;
struct inode_security_struct *isec;
- isec = kmem_cache_alloc(sel_inode_cache, GFP_KERNEL);
+ isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
if (!isec)
return -ENOMEM;
- memset(isec, 0, sizeof(*isec));
mutex_init(&isec->lock);
INIT_LIST_HEAD(&isec->list);
isec->inode = inode;
@@ -1078,6 +1077,9 @@ static int inode_has_perm(struct task_struct *tsk,
struct inode_security_struct *isec;
struct avc_audit_data ad;
+ if (unlikely (IS_PRIVATE (inode)))
+ return 0;
+
tsec = tsk->security;
isec = inode->i_security;
@@ -1424,6 +1426,47 @@ static int selinux_capable(struct task_struct *tsk, int cap)
return task_has_capability(tsk,cap);
}
+static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
+{
+ int buflen, rc;
+ char *buffer, *path, *end;
+
+ rc = -ENOMEM;
+ buffer = (char*)__get_free_page(GFP_KERNEL);
+ if (!buffer)
+ goto out;
+
+ buflen = PAGE_SIZE;
+ end = buffer+buflen;
+ *--end = '\0';
+ buflen--;
+ path = end-1;
+ *path = '/';
+ while (table) {
+ const char *name = table->procname;
+ size_t namelen = strlen(name);
+ buflen -= namelen + 1;
+ if (buflen < 0)
+ goto out_free;
+ end -= namelen;
+ memcpy(end, name, namelen);
+ *--end = '/';
+ path = end;
+ table = table->parent;
+ }
+ buflen -= 4;
+ if (buflen < 0)
+ goto out_free;
+ end -= 4;
+ memcpy(end, "/sys", 4);
+ path = end;
+ rc = security_genfs_sid("proc", path, tclass, sid);
+out_free:
+ free_page((unsigned long)buffer);
+out:
+ return rc;
+}
+
static int selinux_sysctl(ctl_table *table, int op)
{
int error = 0;
@@ -1438,8 +1481,8 @@ static int selinux_sysctl(ctl_table *table, int op)
tsec = current->security;
- rc = selinux_proc_get_sid(table->de, (op == 001) ?
- SECCLASS_DIR : SECCLASS_FILE, &tsid);
+ rc = selinux_sysctl_get_sid(table, (op == 0001) ?
+ SECCLASS_DIR : SECCLASS_FILE, &tsid);
if (rc) {
/* Default to the well-defined sysctl SID. */
tsid = SECINITSID_SYSCTL;
@@ -2655,7 +2698,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
struct file_security_struct *fsec;
/* struct fown_struct is never outside the context of a struct file */
- file = (struct file *)((long)fown - offsetof(struct file,f_owner));
+ file = container_of(fown, struct file, f_owner);
tsec = tsk->security;
fsec = file->f_security;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c8bf6e172f6e..93b3177c7585 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -161,7 +161,7 @@ out:
#define sel_write_enforce NULL
#endif
-static struct file_operations sel_enforce_ops = {
+static const struct file_operations sel_enforce_ops = {
.read = sel_read_enforce,
.write = sel_write_enforce,
};
@@ -211,7 +211,7 @@ out:
#define sel_write_disable NULL
#endif
-static struct file_operations sel_disable_ops = {
+static const struct file_operations sel_disable_ops = {
.write = sel_write_disable,
};
@@ -225,7 +225,7 @@ static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
-static struct file_operations sel_policyvers_ops = {
+static const struct file_operations sel_policyvers_ops = {
.read = sel_read_policyvers,
};
@@ -242,7 +242,7 @@ static ssize_t sel_read_mls(struct file *filp, char __user *buf,
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
-static struct file_operations sel_mls_ops = {
+static const struct file_operations sel_mls_ops = {
.read = sel_read_mls,
};
@@ -294,7 +294,7 @@ out:
return length;
}
-static struct file_operations sel_load_ops = {
+static const struct file_operations sel_load_ops = {
.write = sel_write_load,
};
@@ -374,7 +374,7 @@ out:
free_page((unsigned long) page);
return length;
}
-static struct file_operations sel_checkreqprot_ops = {
+static const struct file_operations sel_checkreqprot_ops = {
.read = sel_read_checkreqprot,
.write = sel_write_checkreqprot,
};
@@ -423,7 +423,7 @@ out:
free_page((unsigned long) page);
return length;
}
-static struct file_operations sel_compat_net_ops = {
+static const struct file_operations sel_compat_net_ops = {
.read = sel_read_compat_net,
.write = sel_write_compat_net,
};
@@ -467,7 +467,7 @@ static ssize_t selinux_transaction_write(struct file *file, const char __user *b
return rv;
}
-static struct file_operations transaction_ops = {
+static const struct file_operations transaction_ops = {
.write = selinux_transaction_write,
.read = simple_transaction_read,
.release = simple_transaction_release,
@@ -875,7 +875,7 @@ out:
return length;
}
-static struct file_operations sel_bool_ops = {
+static const struct file_operations sel_bool_ops = {
.read = sel_read_bool,
.write = sel_write_bool,
};
@@ -932,7 +932,7 @@ out:
return length;
}
-static struct file_operations sel_commit_bools_ops = {
+static const struct file_operations sel_commit_bools_ops = {
.write = sel_commit_bools_write,
};
@@ -1131,12 +1131,12 @@ out:
return ret;
}
-static struct file_operations sel_avc_cache_threshold_ops = {
+static const struct file_operations sel_avc_cache_threshold_ops = {
.read = sel_read_avc_cache_threshold,
.write = sel_write_avc_cache_threshold,
};
-static struct file_operations sel_avc_hash_stats_ops = {
+static const struct file_operations sel_avc_hash_stats_ops = {
.read = sel_read_avc_hash_stats,
};
@@ -1198,7 +1198,7 @@ static int sel_open_avc_cache_stats(struct inode *inode, struct file *file)
return seq_open(file, &sel_avc_cache_stats_seq_ops);
}
-static struct file_operations sel_avc_cache_stats_ops = {
+static const struct file_operations sel_avc_cache_stats_ops = {
.open = sel_open_avc_cache_stats,
.read = seq_read,
.llseek = seq_lseek,
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index ebb993c5c244..9142073319c0 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -36,10 +36,9 @@ avtab_insert_node(struct avtab *h, int hvalue,
struct avtab_key *key, struct avtab_datum *datum)
{
struct avtab_node * newnode;
- newnode = kmem_cache_alloc(avtab_node_cachep, GFP_KERNEL);
+ newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
if (newnode == NULL)
return NULL;
- memset(newnode, 0, sizeof(struct avtab_node));
newnode->key = *key;
newnode->datum = *datum;
if (prev) {
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 871c33bd0741..d78f9ff30da9 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -7,7 +7,6 @@
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/errno.h>
-#include <linux/sched.h>
#include "flask.h"
#include "security.h"
#include "sidtab.h"