diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2010-08-04 10:28:39 -0700 | 
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-08-04 10:28:39 -0700 | 
| commit | 7e6880951da86928c7f6cecf26dcb8e8d9f826da (patch) | |
| tree | 1ad8af6c52e06710f93847933c2720751100d668 /security/selinux/ss/conditional.c | |
| parent | 3a09b1be53d23df780a0cd0e4087a05e2ca4a00c (diff) | |
| parent | 77c80e6b2fd049848bfd1bdab67899ad3ac407a7 (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (90 commits)
  AppArmor: fix build warnings for non-const use of get_task_cred
  selinux: convert the policy type_attr_map to flex_array
  AppArmor: Enable configuring and building of the AppArmor security module
  TOMOYO: Use pathname specified by policy rather than execve()
  AppArmor: update path_truncate method to latest version
  AppArmor: core policy routines
  AppArmor: policy routines for loading and unpacking policy
  AppArmor: mediation of non file objects
  AppArmor: LSM interface, and security module initialization
  AppArmor: Enable configuring and building of the AppArmor security module
  AppArmor: update Maintainer and Documentation
  AppArmor: functions for domain transitions
  AppArmor: file enforcement routines
  AppArmor: userspace interfaces
  AppArmor: dfa match engine
  AppArmor: contexts used in attaching policy to system objects
  AppArmor: basic auditing infrastructure.
  AppArmor: misc. base functions and defines
  TOMOYO: Update version to 2.3.0
  TOMOYO: Fix quota check.
  ...
Diffstat (limited to 'security/selinux/ss/conditional.c')
| -rw-r--r-- | security/selinux/ss/conditional.c | 65 | 
1 files changed, 40 insertions, 25 deletions
| diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 4a4e35cac22..c91e150c308 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -117,10 +117,14 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)  int cond_policydb_init(struct policydb *p)  { +	int rc; +  	p->bool_val_to_struct = NULL;  	p->cond_list = NULL; -	if (avtab_init(&p->te_cond_avtab)) -		return -1; + +	rc = avtab_init(&p->te_cond_avtab); +	if (rc) +		return rc;  	return 0;  } @@ -219,34 +223,37 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)  	booldatum = kzalloc(sizeof(struct cond_bool_datum), GFP_KERNEL);  	if (!booldatum) -		return -1; +		return -ENOMEM;  	rc = next_entry(buf, fp, sizeof buf); -	if (rc < 0) +	if (rc)  		goto err;  	booldatum->value = le32_to_cpu(buf[0]);  	booldatum->state = le32_to_cpu(buf[1]); +	rc = -EINVAL;  	if (!bool_isvalid(booldatum))  		goto err;  	len = le32_to_cpu(buf[2]); +	rc = -ENOMEM;  	key = kmalloc(len + 1, GFP_KERNEL);  	if (!key)  		goto err;  	rc = next_entry(key, fp, len); -	if (rc < 0) +	if (rc)  		goto err;  	key[len] = '\0'; -	if (hashtab_insert(h, key, booldatum)) +	rc = hashtab_insert(h, key, booldatum); +	if (rc)  		goto err;  	return 0;  err:  	cond_destroy_bool(key, booldatum, NULL); -	return -1; +	return rc;  }  struct cond_insertf_data { @@ -263,7 +270,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum  	struct cond_av_list *other = data->other, *list, *cur;  	struct avtab_node *node_ptr;  	u8 found; - +	int rc = -EINVAL;  	/*  	 * For type rules we have to make certain there aren't any @@ -313,12 +320,15 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum  	node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);  	if (!node_ptr) {  		printk(KERN_ERR "SELinux: could not insert rule.\n"); +		rc = -ENOMEM;  		goto err;  	}  	list = kzalloc(sizeof(struct cond_av_list), GFP_KERNEL); -	if (!list) +	if (!list) { +		rc = -ENOMEM;  		goto err; +	}  	list->node = node_ptr;  	if (!data->head) @@ -331,7 +341,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum  err:  	cond_av_list_destroy(data->head);  	data->head = NULL; -	return -1; +	return rc;  }  static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list **ret_list, struct cond_av_list *other) @@ -345,8 +355,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *  	len = 0;  	rc = next_entry(buf, fp, sizeof(u32)); -	if (rc < 0) -		return -1; +	if (rc) +		return rc;  	len = le32_to_cpu(buf[0]);  	if (len == 0) @@ -361,7 +371,6 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *  				     &data);  		if (rc)  			return rc; -  	}  	*ret_list = data.head; @@ -390,24 +399,25 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)  	struct cond_expr *expr = NULL, *last = NULL;  	rc = next_entry(buf, fp, sizeof(u32)); -	if (rc < 0) -		return -1; +	if (rc) +		return rc;  	node->cur_state = le32_to_cpu(buf[0]);  	len = 0;  	rc = next_entry(buf, fp, sizeof(u32)); -	if (rc < 0) -		return -1; +	if (rc) +		return rc;  	/* expr */  	len = le32_to_cpu(buf[0]);  	for (i = 0; i < len; i++) {  		rc = next_entry(buf, fp, sizeof(u32) * 2); -		if (rc < 0) +		if (rc)  			goto err; +		rc = -ENOMEM;  		expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);  		if (!expr)  			goto err; @@ -416,6 +426,7 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)  		expr->bool = le32_to_cpu(buf[1]);  		if (!expr_isvalid(p, expr)) { +			rc = -EINVAL;  			kfree(expr);  			goto err;  		} @@ -427,14 +438,16 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)  		last = expr;  	} -	if (cond_read_av_list(p, fp, &node->true_list, NULL) != 0) +	rc = cond_read_av_list(p, fp, &node->true_list, NULL); +	if (rc)  		goto err; -	if (cond_read_av_list(p, fp, &node->false_list, node->true_list) != 0) +	rc = cond_read_av_list(p, fp, &node->false_list, node->true_list); +	if (rc)  		goto err;  	return 0;  err:  	cond_node_destroy(node); -	return -1; +	return rc;  }  int cond_read_list(struct policydb *p, void *fp) @@ -445,8 +458,8 @@ int cond_read_list(struct policydb *p, void *fp)  	int rc;  	rc = next_entry(buf, fp, sizeof buf); -	if (rc < 0) -		return -1; +	if (rc) +		return rc;  	len = le32_to_cpu(buf[0]); @@ -455,11 +468,13 @@ int cond_read_list(struct policydb *p, void *fp)  		goto err;  	for (i = 0; i < len; i++) { +		rc = -ENOMEM;  		node = kzalloc(sizeof(struct cond_node), GFP_KERNEL);  		if (!node)  			goto err; -		if (cond_read_node(p, node, fp) != 0) +		rc = cond_read_node(p, node, fp); +		if (rc)  			goto err;  		if (i == 0) @@ -472,7 +487,7 @@ int cond_read_list(struct policydb *p, void *fp)  err:  	cond_list_destroy(p->cond_list);  	p->cond_list = NULL; -	return -1; +	return rc;  }  /* Determine whether additional permissions are granted by the conditional | 
