selinux/stable-4.15 PR 20171113
-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAloJ+XwUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQVeRaWujKfIqv3w//aNbHxEvf59yf9TjdrmJE6ivFlTAL RmYCMsFn7uEisolTX1LPnz3cVNqN2/GQ5cnfcnrMiw7d2E/k85jq6Ket6NysX0Wi LCj6V/JTDeibB41GPDbiC9pSbIER5kUaqXI+X2aR4PgGumxxjdIqmammd1Sf1Hy9 470OJjDnhH68KFLG4bxVPY8Y4j4i/xgIKHU9z9EUA5LErhDAajWADSbvLcTZcp4b eja/DeSb8zbvHloB/maoqI9mnSKnwuGd91nz6cJBb92Lhy2A6xXNMCIVY/9tsb9n ZOw8NvFbfpOZ6WUZgwQCjdyn4nV0TuJQPpXNcjVoD9djczTnBq5EXz0FpHcM7d7n d44DeHOMJmJ2vGIbUz9MpelAxqckhY9wh/XTi1Kszr6qR8kSfzSnDsk1/bOWHWdk 2dKz6MAr4GbN6vgWRTtuuZ7db8TqFa1KdLVicKC0okaYlc0dH5PWC3KahKHbjgGi 5COdBhFexkeL82kJtMrFbusMNetBrYoLO4qOoSThuEOoCEGh0Fgx5zXlLFlEm3uv hLtEdxT+FLO3jFKCVejLoIHwl/YJ+Pd8C2rAkaXV8AEvs2Cn1gni4lb150nXtq5+ BhkrkjvthYTXuQZH+yMsoTVFVa0QVm2U+QgLmf19MT1EUqc46xIczYUAInV2VxlY 2WQ4d6mcD+PMzoQ= =VtxX -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull SELinux updates from Paul Moore: "Seven SELinux patches for v4.15, although five of the seven are small build fixes and cleanups. Of the remaining two patches, the only one worth really calling out is Eric's fix for the SELinux filesystem xattr set/remove code; the other patch simply converts the SELinux hash table implementation to use kmem_cache. Eric's setxattr/removexattr tweak converts SELinux back to calling the commoncap implementations when the xattr is not SELinux related. The immediate win is to fixup filesystem capabilities in user namespaces, but it makes things a bit saner overall; more information in the commit description" * tag 'selinux-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: remove extraneous initialization of slots_used and max_chain_len selinux: remove redundant assignment to len selinux: remove redundant assignment to str selinux: fix build warning selinux: fix build warning by removing the unused sid variable selinux: Perform both commoncap and selinux xattr checks selinux: Use kmem_cache for hashtab_node
This commit is contained in:
Linus Torvalds
commit
8c38fb5c3d
|
|
@ -2935,13 +2935,12 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
|
|||
{
|
||||
const struct task_security_struct *tsec = current_security();
|
||||
struct superblock_security_struct *sbsec;
|
||||
u32 sid, newsid, clen;
|
||||
u32 newsid, clen;
|
||||
int rc;
|
||||
char *context;
|
||||
|
||||
sbsec = dir->i_sb->s_security;
|
||||
|
||||
sid = tsec->sid;
|
||||
newsid = tsec->create_sid;
|
||||
|
||||
rc = selinux_determine_inode_label(current_security(),
|
||||
|
|
@ -3141,27 +3140,6 @@ static int selinux_inode_getattr(const struct path *path)
|
|||
return path_has_perm(current_cred(), path, FILE__GETATTR);
|
||||
}
|
||||
|
||||
static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
|
||||
if (!strncmp(name, XATTR_SECURITY_PREFIX,
|
||||
sizeof XATTR_SECURITY_PREFIX - 1)) {
|
||||
if (!strcmp(name, XATTR_NAME_CAPS)) {
|
||||
if (!capable(CAP_SETFCAP))
|
||||
return -EPERM;
|
||||
} else if (!capable(CAP_SYS_ADMIN)) {
|
||||
/* A different attribute in the security namespace.
|
||||
Restrict to administrator. */
|
||||
return -EPERM;
|
||||
}
|
||||
}
|
||||
|
||||
/* Not an attribute we recognize, so just check the
|
||||
ordinary setattr permission. */
|
||||
return dentry_has_perm(cred, dentry, FILE__SETATTR);
|
||||
}
|
||||
|
||||
static bool has_cap_mac_admin(bool audit)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
|
|
@ -3184,8 +3162,15 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
|||
u32 newsid, sid = current_sid();
|
||||
int rc = 0;
|
||||
|
||||
if (strcmp(name, XATTR_NAME_SELINUX))
|
||||
return selinux_inode_setotherxattr(dentry, name);
|
||||
if (strcmp(name, XATTR_NAME_SELINUX)) {
|
||||
rc = cap_inode_setxattr(dentry, name, value, size, flags);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
/* Not an attribute we recognize, so just check the
|
||||
ordinary setattr permission. */
|
||||
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
|
||||
}
|
||||
|
||||
sbsec = inode->i_sb->s_security;
|
||||
if (!(sbsec->flags & SBLABEL_MNT))
|
||||
|
|
@ -3208,18 +3193,17 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
|||
if (!has_cap_mac_admin(true)) {
|
||||
struct audit_buffer *ab;
|
||||
size_t audit_size;
|
||||
const char *str;
|
||||
|
||||
/* We strip a nul only if it is at the end, otherwise the
|
||||
* context contains a nul and we should audit that */
|
||||
if (value) {
|
||||
str = value;
|
||||
const char *str = value;
|
||||
|
||||
if (str[size - 1] == '\0')
|
||||
audit_size = size - 1;
|
||||
else
|
||||
audit_size = size;
|
||||
} else {
|
||||
str = "";
|
||||
audit_size = 0;
|
||||
}
|
||||
ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
|
||||
|
|
@ -3299,8 +3283,15 @@ static int selinux_inode_listxattr(struct dentry *dentry)
|
|||
|
||||
static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
|
||||
{
|
||||
if (strcmp(name, XATTR_NAME_SELINUX))
|
||||
return selinux_inode_setotherxattr(dentry, name);
|
||||
if (strcmp(name, XATTR_NAME_SELINUX)) {
|
||||
int rc = cap_inode_removexattr(dentry, name);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
/* Not an attribute we recognize, so just check the
|
||||
ordinary setattr permission. */
|
||||
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
|
||||
}
|
||||
|
||||
/* No one is allowed to remove a SELinux security label.
|
||||
You can change the label, but all data must be labeled. */
|
||||
|
|
@ -3995,8 +3986,8 @@ static int selinux_task_getioprio(struct task_struct *p)
|
|||
PROCESS__GETSCHED, NULL);
|
||||
}
|
||||
|
||||
int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
|
||||
unsigned int flags)
|
||||
static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
|
||||
unsigned int flags)
|
||||
{
|
||||
u32 av = 0;
|
||||
|
||||
|
|
|
|||
|
|
@ -361,7 +361,6 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
|
|||
|
||||
*ret_list = NULL;
|
||||
|
||||
len = 0;
|
||||
rc = next_entry(buf, fp, sizeof(u32));
|
||||
if (rc)
|
||||
return rc;
|
||||
|
|
|
|||
|
|
@ -10,6 +10,8 @@
|
|||
#include <linux/sched.h>
|
||||
#include "hashtab.h"
|
||||
|
||||
static struct kmem_cache *hashtab_node_cachep;
|
||||
|
||||
struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
|
||||
int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
|
||||
u32 size)
|
||||
|
|
@ -58,7 +60,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum)
|
|||
if (cur && (h->keycmp(h, key, cur->key) == 0))
|
||||
return -EEXIST;
|
||||
|
||||
newnode = kzalloc(sizeof(*newnode), GFP_KERNEL);
|
||||
newnode = kmem_cache_zalloc(hashtab_node_cachep, GFP_KERNEL);
|
||||
if (!newnode)
|
||||
return -ENOMEM;
|
||||
newnode->key = key;
|
||||
|
|
@ -107,7 +109,7 @@ void hashtab_destroy(struct hashtab *h)
|
|||
while (cur) {
|
||||
temp = cur;
|
||||
cur = cur->next;
|
||||
kfree(temp);
|
||||
kmem_cache_free(hashtab_node_cachep, temp);
|
||||
}
|
||||
h->htable[i] = NULL;
|
||||
}
|
||||
|
|
@ -149,7 +151,7 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info)
|
|||
|
||||
slots_used = 0;
|
||||
max_chain_len = 0;
|
||||
for (slots_used = max_chain_len = i = 0; i < h->size; i++) {
|
||||
for (i = 0; i < h->size; i++) {
|
||||
cur = h->htable[i];
|
||||
if (cur) {
|
||||
slots_used++;
|
||||
|
|
@ -167,3 +169,14 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info)
|
|||
info->slots_used = slots_used;
|
||||
info->max_chain_len = max_chain_len;
|
||||
}
|
||||
void hashtab_cache_init(void)
|
||||
{
|
||||
hashtab_node_cachep = kmem_cache_create("hashtab_node",
|
||||
sizeof(struct hashtab_node),
|
||||
0, SLAB_PANIC, NULL);
|
||||
}
|
||||
|
||||
void hashtab_cache_destroy(void)
|
||||
{
|
||||
kmem_cache_destroy(hashtab_node_cachep);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -85,4 +85,8 @@ int hashtab_map(struct hashtab *h,
|
|||
/* Fill info with some hash table statistics */
|
||||
void hashtab_stat(struct hashtab *h, struct hashtab_info *info);
|
||||
|
||||
/* Use kmem_cache for hashtab_node */
|
||||
void hashtab_cache_init(void);
|
||||
void hashtab_cache_destroy(void);
|
||||
|
||||
#endif /* _SS_HASHTAB_H */
|
||||
|
|
|
|||
|
|
@ -2060,10 +2060,12 @@ int security_load_policy(void *data, size_t len)
|
|||
if (!ss_initialized) {
|
||||
avtab_cache_init();
|
||||
ebitmap_cache_init();
|
||||
hashtab_cache_init();
|
||||
rc = policydb_read(&policydb, fp);
|
||||
if (rc) {
|
||||
avtab_cache_destroy();
|
||||
ebitmap_cache_destroy();
|
||||
hashtab_cache_destroy();
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
|
@ -2075,6 +2077,7 @@ int security_load_policy(void *data, size_t len)
|
|||
policydb_destroy(&policydb);
|
||||
avtab_cache_destroy();
|
||||
ebitmap_cache_destroy();
|
||||
hashtab_cache_destroy();
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
|
@ -2083,6 +2086,7 @@ int security_load_policy(void *data, size_t len)
|
|||
policydb_destroy(&policydb);
|
||||
avtab_cache_destroy();
|
||||
ebitmap_cache_destroy();
|
||||
hashtab_cache_destroy();
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue