diff options
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 78 |
1 files changed, 42 insertions, 36 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 447a1e0f48c..45c41490d52 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -122,11 +122,10 @@ static int task_alloc_security(struct task_struct *task) { struct task_security_struct *tsec; - tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL); + tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); if (!tsec) return -ENOMEM; - memset(tsec, 0, sizeof(struct task_security_struct)); tsec->magic = SELINUX_MAGIC; tsec->task = task; tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; @@ -151,11 +150,10 @@ static int inode_alloc_security(struct inode *inode) struct task_security_struct *tsec = current->security; struct inode_security_struct *isec; - isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL); + isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL); if (!isec) return -ENOMEM; - memset(isec, 0, sizeof(struct inode_security_struct)); init_MUTEX(&isec->sem); INIT_LIST_HEAD(&isec->list); isec->magic = SELINUX_MAGIC; @@ -193,11 +191,10 @@ static int file_alloc_security(struct file *file) struct task_security_struct *tsec = current->security; struct file_security_struct *fsec; - fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC); + fsec = kzalloc(sizeof(struct file_security_struct), GFP_ATOMIC); if (!fsec) return -ENOMEM; - memset(fsec, 0, sizeof(struct file_security_struct)); fsec->magic = SELINUX_MAGIC; fsec->file = file; if (tsec && tsec->magic == SELINUX_MAGIC) { @@ -227,11 +224,10 @@ static int superblock_alloc_security(struct super_block *sb) { struct superblock_security_struct *sbsec; - sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); + sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); if (!sbsec) return -ENOMEM; - memset(sbsec, 0, sizeof(struct superblock_security_struct)); init_MUTEX(&sbsec->sem); INIT_LIST_HEAD(&sbsec->list); INIT_LIST_HEAD(&sbsec->isec_head); @@ -269,11 +265,10 @@ static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) if (family != PF_UNIX) return 0; - ssec = kmalloc(sizeof(*ssec), priority); + ssec = kzalloc(sizeof(*ssec), priority); if (!ssec) return -ENOMEM; - memset(ssec, 0, sizeof(*ssec)); ssec->magic = SELINUX_MAGIC; ssec->sk = sk; ssec->peer_sid = SECINITSID_UNLABELED; @@ -1483,11 +1478,10 @@ static int selinux_bprm_alloc_security(struct linux_binprm *bprm) { struct bprm_security_struct *bsec; - bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); + bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); if (!bsec) return -ENOMEM; - memset(bsec, 0, sizeof *bsec); bsec->magic = SELINUX_MAGIC; bsec->bprm = bprm; bsec->sid = SECINITSID_UNLABELED; @@ -1615,7 +1609,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) if (tty) { file_list_lock(); - file = list_entry(tty->tty_files.next, typeof(*file), f_list); + file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); if (file) { /* Revalidate access to controlling tty. Use inode_has_perm on the tty inode directly rather @@ -2211,12 +2205,6 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, static int selinux_inode_getxattr (struct dentry *dentry, char *name) { - struct inode *inode = dentry->d_inode; - struct superblock_security_struct *sbsec = inode->i_sb->s_security; - - if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) - return -EOPNOTSUPP; - return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); } @@ -2247,33 +2235,54 @@ static int selinux_inode_removexattr (struct dentry *dentry, char *name) return -EACCES; } -static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) +/* + * Copy the in-core inode security context value to the user. If the + * getxattr() prior to this succeeded, check to see if we need to + * canonicalize the value to be finally returned to the user. + * + * Permission check is handled by selinux_inode_getxattr hook. + */ +static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err) { struct inode_security_struct *isec = inode->i_security; char *context; unsigned len; int rc; - /* Permission check handled by selinux_inode_getxattr hook.*/ - - if (strcmp(name, XATTR_SELINUX_SUFFIX)) - return -EOPNOTSUPP; + if (strcmp(name, XATTR_SELINUX_SUFFIX)) { + rc = -EOPNOTSUPP; + goto out; + } rc = security_sid_to_context(isec->sid, &context, &len); if (rc) - return rc; + goto out; + /* Probe for required buffer size */ if (!buffer || !size) { - kfree(context); - return len; + rc = len; + goto out_free; } + if (size < len) { - kfree(context); - return -ERANGE; + rc = -ERANGE; + goto out_free; + } + + if (err > 0) { + if ((len == err) && !(memcmp(context, buffer, len))) { + /* Don't need to canonicalize value */ + rc = err; + goto out_free; + } + memset(buffer, 0, size); } memcpy(buffer, context, len); + rc = len; +out_free: kfree(context); - return len; +out: + return rc; } static int selinux_inode_setsecurity(struct inode *inode, const char *name, @@ -2704,8 +2713,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int si if (rc) return rc; - if (info && ((unsigned long)info == 1 || - (unsigned long)info == 2 || SI_FROMKERNEL(info))) + if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) return 0; if (!sig) @@ -3599,11 +3607,10 @@ static int ipc_alloc_security(struct task_struct *task, struct task_security_struct *tsec = task->security; struct ipc_security_struct *isec; - isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); + isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); if (!isec) return -ENOMEM; - memset(isec, 0, sizeof(struct ipc_security_struct)); isec->magic = SELINUX_MAGIC; isec->sclass = sclass; isec->ipc_perm = perm; @@ -3631,11 +3638,10 @@ static int msg_msg_alloc_security(struct msg_msg *msg) { struct msg_security_struct *msec; - msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL); + msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); if (!msec) return -ENOMEM; - memset(msec, 0, sizeof(struct msg_security_struct)); msec->magic = SELINUX_MAGIC; msec->msg = msg; msec->sid = SECINITSID_UNLABELED; |