openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'stable-4.12' of git://git.infradead.org/users/pcmoore/selinux into next

This commit is contained in:
James Morris 2017-04-19 08:30:08 +10:00
parent 30a83251dd cae303df3f
commit fa5b5b26e2
11 changed files with 69 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
fs/namei.c
View File

@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
if (S_ISDIR(inode->i_mode)) { if (S_ISDIR(inode->i_mode)) {
/* DACs are overridable for directories */ /* DACs are overridable for directories */
if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
return 0;
if (!(mask & MAY_WRITE)) if (!(mask & MAY_WRITE))
if (capable_wrt_inode_uidgid(inode, if (capable_wrt_inode_uidgid(inode,
CAP_DAC_READ_SEARCH)) CAP_DAC_READ_SEARCH))
return 0; return 0;
return -EACCES;
}
/*
* Read/write DACs are always overridable.
* Executable DACs are overridable when there is
* at least one exec bit set.
*/
if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
return 0; return 0;
return -EACCES;
}
/* /*
* Searching includes executable on directories, else just read. * Searching includes executable on directories, else just read.
@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
if (mask == MAY_READ) if (mask == MAY_READ)
if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
return 0; return 0;
/*
* Read/write DACs are always overridable.
* Executable DACs are overridable when there is
* at least one exec bit set.
*/
if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
return 0;
return -EACCES; return -EACCES;
} }

1
scripts/selinux/genheaders/genheaders.c
View File

@ -8,6 +8,7 @@
#include <string.h> #include <string.h>
#include <errno.h> #include <errno.h>
#include <ctype.h> #include <ctype.h>
#include <sys/socket.h>
struct security_class_mapping { struct security_class_mapping {
const char *name; const char *name;

1
scripts/selinux/mdp/mdp.c
View File

@ -32,6 +32,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <string.h> #include <string.h>
#include <sys/socket.h>
static void usage(char *name) static void usage(char *name)
{ {

8
security/selinux/hooks.c
View File

@ -4367,10 +4367,18 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
u32 sid, node_perm; u32 sid, node_perm;
if (family == PF_INET) { if (family == PF_INET) {
if (addrlen < sizeof(struct sockaddr_in)) {
err = -EINVAL;
goto out;
}
addr4 = (struct sockaddr_in *)address; addr4 = (struct sockaddr_in *)address;
snum = ntohs(addr4->sin_port); snum = ntohs(addr4->sin_port);
addrp = (char *)&addr4->sin_addr.s_addr; addrp = (char *)&addr4->sin_addr.s_addr;
} else { } else {
if (addrlen < SIN6_LEN_RFC2133) {
err = -EINVAL;
goto out;
}
addr6 = (struct sockaddr_in6 *)address; addr6 = (struct sockaddr_in6 *)address;
snum = ntohs(addr6->sin6_port); snum = ntohs(addr6->sin6_port);
addrp = (char *)&addr6->sin6_addr.s6_addr; addrp = (char *)&addr6->sin6_addr.s6_addr;

10
security/selinux/nlmsgtab.c
View File

@ -28,7 +28,7 @@ struct nlmsg_perm {
u32 perm; u32 perm;
}; };
static struct nlmsg_perm nlmsg_route_perms[] = static const struct nlmsg_perm nlmsg_route_perms[] =
{ {
{ RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, { RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, { RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
@ -80,7 +80,7 @@ static struct nlmsg_perm nlmsg_route_perms[] =
{ RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ }, { RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
}; };
static struct nlmsg_perm nlmsg_tcpdiag_perms[] = static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
{ {
{ TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, { TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
{ DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, { DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
@ -88,7 +88,7 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
{ SOCK_DESTROY, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE }, { SOCK_DESTROY, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
}; };
static struct nlmsg_perm nlmsg_xfrm_perms[] = static const struct nlmsg_perm nlmsg_xfrm_perms[] =
{ {
{ XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, { XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, { XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
@ -115,7 +115,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
{ XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ }, { XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
}; };
static struct nlmsg_perm nlmsg_audit_perms[] = static const struct nlmsg_perm nlmsg_audit_perms[] =
{ {
{ AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, { AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
{ AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, { AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
@ -136,7 +136,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
}; };
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize) static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
{ {
int i, err = -EINVAL; int i, err = -EINVAL;

8
security/selinux/selinuxfs.c
View File

@ -1456,10 +1456,10 @@ static int sel_avc_stats_seq_show(struct seq_file *seq, void *v)
{ {
struct avc_cache_stats *st = v; struct avc_cache_stats *st = v;
if (v == SEQ_START_TOKEN) if (v == SEQ_START_TOKEN) {
seq_printf(seq, "lookups hits misses allocations reclaims " seq_puts(seq,
"frees\n"); "lookups hits misses allocations reclaims frees\n");
else { } else {
unsigned int lookups = st->lookups; unsigned int lookups = st->lookups;
unsigned int misses = st->misses; unsigned int misses = st->misses;
unsigned int hits = lookups - misses; unsigned int hits = lookups - misses;

14
security/selinux/ss/conditional.c
View File

@ -176,8 +176,9 @@ void cond_policydb_destroy(struct policydb *p)
int cond_init_bool_indexes(struct policydb *p) int cond_init_bool_indexes(struct policydb *p)
{ {
kfree(p->bool_val_to_struct); kfree(p->bool_val_to_struct);
p->bool_val_to_struct = p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim,
kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL); sizeof(*p->bool_val_to_struct),
GFP_KERNEL);
if (!p->bool_val_to_struct) if (!p->bool_val_to_struct)
return -ENOMEM; return -ENOMEM;
return 0; return 0;
@ -226,7 +227,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
u32 len; u32 len;
int rc; int rc;
booldatum = kzalloc(sizeof(struct cond_bool_datum), GFP_KERNEL); booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL);
if (!booldatum) if (!booldatum)
return -ENOMEM; return -ENOMEM;
@ -331,7 +332,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
goto err; goto err;
} }
list = kzalloc(sizeof(struct cond_av_list), GFP_KERNEL); list = kzalloc(sizeof(*list), GFP_KERNEL);
if (!list) { if (!list) {
rc = -ENOMEM; rc = -ENOMEM;
goto err; goto err;
@ -420,7 +421,7 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
goto err; goto err;
rc = -ENOMEM; rc = -ENOMEM;
expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); expr = kzalloc(sizeof(*expr), GFP_KERNEL);
if (!expr) if (!expr)
goto err; goto err;
@ -471,7 +472,7 @@ int cond_read_list(struct policydb *p, void *fp)
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
rc = -ENOMEM; rc = -ENOMEM;
node = kzalloc(sizeof(struct cond_node), GFP_KERNEL); node = kzalloc(sizeof(*node), GFP_KERNEL);
if (!node) if (!node)
goto err; goto err;
@ -663,5 +664,4 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
(node->key.specified & AVTAB_XPERMS)) (node->key.specified & AVTAB_XPERMS))
services_compute_xperms_drivers(xperms, node); services_compute_xperms_drivers(xperms, node);
} }
return;
} }

10
security/selinux/ss/hashtab.c
View File

@ -17,15 +17,15 @@ struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *
u32 i; u32 i;
p = kzalloc(sizeof(*p), GFP_KERNEL); p = kzalloc(sizeof(*p), GFP_KERNEL);
if (p == NULL) if (!p)
return p; return p;
p->size = size; p->size = size;
p->nel = 0; p->nel = 0;
p->hash_value = hash_value; p->hash_value = hash_value;
p->keycmp = keycmp; p->keycmp = keycmp;
p->htable = kmalloc(sizeof(*(p->htable)) * size, GFP_KERNEL); p->htable = kmalloc_array(size, sizeof(*p->htable), GFP_KERNEL);
if (p->htable == NULL) { if (!p->htable) {
kfree(p); kfree(p);
return NULL; return NULL;
} }
@ -58,7 +58,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum)
return -EEXIST; return -EEXIST;
newnode = kzalloc(sizeof(*newnode), GFP_KERNEL); newnode = kzalloc(sizeof(*newnode), GFP_KERNEL);
if (newnode == NULL) if (!newnode)
return -ENOMEM; return -ENOMEM;
newnode->key = key; newnode->key = key;
newnode->datum = datum; newnode->datum = datum;
@ -87,7 +87,7 @@ void *hashtab_search(struct hashtab *h, const void *key)
while (cur && h->keycmp(h, key, cur->key) > 0) while (cur && h->keycmp(h, key, cur->key) > 0)
cur = cur->next; cur = cur->next;
if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) if (!cur || (h->keycmp(h, key, cur->key) != 0))
return NULL; return NULL;
return cur->datum; return cur->datum;

59
security/selinux/ss/policydb.c
View File

@ -178,10 +178,9 @@ static int roles_init(struct policydb *p)
int rc; int rc;
struct role_datum *role; struct role_datum *role;
rc = -ENOMEM;
role = kzalloc(sizeof(*role), GFP_KERNEL); role = kzalloc(sizeof(*role), GFP_KERNEL);
if (!role) if (!role)
goto out; return -ENOMEM;
rc = -EINVAL; rc = -EINVAL;
role->value = ++p->p_roles.nprim; role->value = ++p->p_roles.nprim;
@ -540,23 +539,23 @@ static int policydb_index(struct policydb *p)
#endif #endif
rc = -ENOMEM; rc = -ENOMEM;
p->class_val_to_struct = p->class_val_to_struct = kcalloc(p->p_classes.nprim,
kzalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), sizeof(*p->class_val_to_struct),
GFP_KERNEL); GFP_KERNEL);
if (!p->class_val_to_struct) if (!p->class_val_to_struct)
goto out; goto out;
rc = -ENOMEM; rc = -ENOMEM;
p->role_val_to_struct = p->role_val_to_struct = kcalloc(p->p_roles.nprim,
kzalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), sizeof(*p->role_val_to_struct),
GFP_KERNEL); GFP_KERNEL);
if (!p->role_val_to_struct) if (!p->role_val_to_struct)
goto out; goto out;
rc = -ENOMEM; rc = -ENOMEM;
p->user_val_to_struct = p->user_val_to_struct = kcalloc(p->p_users.nprim,
kzalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), sizeof(*p->user_val_to_struct),
GFP_KERNEL); GFP_KERNEL);
if (!p->user_val_to_struct) if (!p->user_val_to_struct)
goto out; goto out;
@ -880,8 +879,6 @@ void policydb_destroy(struct policydb *p)
ebitmap_destroy(&p->filename_trans_ttypes); ebitmap_destroy(&p->filename_trans_ttypes);
ebitmap_destroy(&p->policycaps); ebitmap_destroy(&p->policycaps);
ebitmap_destroy(&p->permissive_map); ebitmap_destroy(&p->permissive_map);
return;
} }
/* /*
@ -1120,10 +1117,9 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[2]; __le32 buf[2];
u32 len; u32 len;
rc = -ENOMEM;
perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL); perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL);
if (!perdatum) if (!perdatum)
goto bad; return -ENOMEM;
rc = next_entry(buf, fp, sizeof buf); rc = next_entry(buf, fp, sizeof buf);
if (rc) if (rc)
@ -1154,10 +1150,9 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
u32 len, nel; u32 len, nel;
int i, rc; int i, rc;
rc = -ENOMEM;
comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL); comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL);
if (!comdatum) if (!comdatum)
goto bad; return -ENOMEM;
rc = next_entry(buf, fp, sizeof buf); rc = next_entry(buf, fp, sizeof buf);
if (rc) if (rc)
@ -1320,10 +1315,9 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
u32 len, len2, ncons, nel; u32 len, len2, ncons, nel;
int i, rc; int i, rc;
rc = -ENOMEM;
cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL); cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL);
if (!cladatum) if (!cladatum)
goto bad; return -ENOMEM;
rc = next_entry(buf, fp, sizeof(u32)*6); rc = next_entry(buf, fp, sizeof(u32)*6);
if (rc) if (rc)
@ -1414,10 +1408,9 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[3]; __le32 buf[3];
u32 len; u32 len;
rc = -ENOMEM;
role = kzalloc(sizeof(*role), GFP_KERNEL); role = kzalloc(sizeof(*role), GFP_KERNEL);
if (!role) if (!role)
goto bad; return -ENOMEM;
if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
to_read = 3; to_read = 3;
@ -1471,10 +1464,9 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[4]; __le32 buf[4];
u32 len; u32 len;
rc = -ENOMEM;
typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL); typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
if (!typdatum) if (!typdatum)
goto bad; return -ENOMEM;
if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
to_read = 4; to_read = 4;
@ -1546,10 +1538,9 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[3]; __le32 buf[3];
u32 len; u32 len;
rc = -ENOMEM;
usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL); usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL);
if (!usrdatum) if (!usrdatum)
goto bad; return -ENOMEM;
if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
to_read = 3; to_read = 3;
@ -1597,10 +1588,9 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[2]; __le32 buf[2];
u32 len; u32 len;
rc = -ENOMEM;
levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC); levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC);
if (!levdatum) if (!levdatum)
goto bad; return -ENOMEM;
rc = next_entry(buf, fp, sizeof buf); rc = next_entry(buf, fp, sizeof buf);
if (rc) if (rc)
@ -1614,7 +1604,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
goto bad; goto bad;
rc = -ENOMEM; rc = -ENOMEM;
levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC); levdatum->level = kmalloc(sizeof(*levdatum->level), GFP_ATOMIC);
if (!levdatum->level) if (!levdatum->level)
goto bad; goto bad;
@ -1639,10 +1629,9 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[3]; __le32 buf[3];
u32 len; u32 len;
rc = -ENOMEM;
catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC); catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC);
if (!catdatum) if (!catdatum)
goto bad; return -ENOMEM;
rc = next_entry(buf, fp, sizeof buf); rc = next_entry(buf, fp, sizeof buf);
if (rc) if (rc)
@ -1854,7 +1843,7 @@ static int range_read(struct policydb *p, void *fp)
rc = next_entry(buf, fp, sizeof(u32)); rc = next_entry(buf, fp, sizeof(u32));
if (rc) if (rc)
goto out; return rc;
nel = le32_to_cpu(buf[0]); nel = le32_to_cpu(buf[0]);
for (i = 0; i < nel; i++) { for (i = 0; i < nel; i++) {
@ -1931,7 +1920,6 @@ static int filename_trans_read(struct policydb *p, void *fp)
nel = le32_to_cpu(buf[0]); nel = le32_to_cpu(buf[0]);
for (i = 0; i < nel; i++) { for (i = 0; i < nel; i++) {
ft = NULL;
otype = NULL; otype = NULL;
name = NULL; name = NULL;
@ -2008,7 +1996,7 @@ static int genfs_read(struct policydb *p, void *fp)
rc = next_entry(buf, fp, sizeof(u32)); rc = next_entry(buf, fp, sizeof(u32));
if (rc) if (rc)
goto out; return rc;
nel = le32_to_cpu(buf[0]); nel = le32_to_cpu(buf[0]);
for (i = 0; i < nel; i++) { for (i = 0; i < nel; i++) {
@ -2100,9 +2088,10 @@ static int genfs_read(struct policydb *p, void *fp)
} }
rc = 0; rc = 0;
out: out:
if (newgenfs) if (newgenfs) {
kfree(newgenfs->fstype); kfree(newgenfs->fstype);
kfree(newgenfs); kfree(newgenfs);
}
ocontext_destroy(newc, OCON_FSUSE); ocontext_destroy(newc, OCON_FSUSE);
return rc; return rc;

2
security/selinux/ss/services.c
View File

@ -157,7 +157,7 @@ static int selinux_set_mapping(struct policydb *pol,
} }
k = 0; k = 0;
while (p_in->perms && p_in->perms[k]) { while (p_in->perms[k]) {
/* An empty permission string skips ahead */ /* An empty permission string skips ahead */
if (!*p_in->perms[k]) { if (!*p_in->perms[k]) {
k++; k++;

6
security/selinux/ss/sidtab.c
View File

@ -18,7 +18,7 @@ int sidtab_init(struct sidtab *s)
{ {
int i; int i;
s->htable = kmalloc(sizeof(*(s->htable)) * SIDTAB_SIZE, GFP_ATOMIC); s->htable = kmalloc_array(SIDTAB_SIZE, sizeof(*s->htable), GFP_ATOMIC);
if (!s->htable) if (!s->htable)
return -ENOMEM; return -ENOMEM;
for (i = 0; i < SIDTAB_SIZE; i++) for (i = 0; i < SIDTAB_SIZE; i++)
@ -54,7 +54,7 @@ int sidtab_insert(struct sidtab *s, u32 sid, struct context *context)
} }
newnode = kmalloc(sizeof(*newnode), GFP_ATOMIC); newnode = kmalloc(sizeof(*newnode), GFP_ATOMIC);
if (newnode == NULL) { if (!newnode) {
rc = -ENOMEM; rc = -ENOMEM;
goto out; goto out;
} }
@ -98,7 +98,7 @@ static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force)
if (force && cur && sid == cur->sid && cur->context.len) if (force && cur && sid == cur->sid && cur->context.len)
return &cur->context; return &cur->context;
if (cur == NULL || sid != cur->sid || cur->context.len) { if (!cur || sid != cur->sid || cur->context.len) {
/* Remap invalid SIDs to the unlabeled SID. */ /* Remap invalid SIDs to the unlabeled SID. */
sid = SECINITSID_UNLABELED; sid = SECINITSID_UNLABELED;
hvalue = SIDTAB_HASH(sid); hvalue = SIDTAB_HASH(sid);