diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2008-04-21 16:01:40 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-04-21 16:01:40 -0700 |
| commit | 19b5b517a8b81a448be9b2bdaf18a761a7b9799e (patch) | |
| tree | b1e83e331769d44f98e564c984acf3841261c2a8 /security | |
| parent | bda0c0afa7a694bb1459fd023515aca681e4d79a (diff) | |
| parent | 95fff33b8e306a4331024bbd31c0999d5bf48fcf (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
SELinux: one little, two little, three little whitespaces, the avc.c saga.
SELinux: cleanup on isle selinuxfs.c
changing whitespace for fun and profit: policydb.c
SELinux: whitespace and formating fixes for hooks.c
SELinux: clean up printks
SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups
SELinux: services.c whitespace, syntax, and static declaraction cleanups
SELinux: mls.c whitespace, syntax, and static declaraction cleanups
SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups
SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups
SELinux: conditional.c whitespace, syntax, and static declaraction cleanups
SELinux: avtab.c whitespace, syntax, and static declaraction cleanups
SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups
SELinux: nlmsgtab.c whitespace, syntax, and static declaraction cleanups
SELinux: netnode.c whitespace, syntax, and static declaraction cleanups
SELinux: netlink.c whitespace, syntax, and static declaraction cleanups
SELinux: netlabel.c whitespace, syntax, and static declaraction cleanups
SELinux: netif.c whitespace, syntax, and static declaraction cleanups
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/avc.c | 58 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 512 | ||||
| -rw-r--r-- | security/selinux/netif.c | 19 | ||||
| -rw-r--r-- | security/selinux/netlabel.c | 2 | ||||
| -rw-r--r-- | security/selinux/netlink.c | 20 | ||||
| -rw-r--r-- | security/selinux/netnode.c | 2 | ||||
| -rw-r--r-- | security/selinux/nlmsgtab.c | 5 | ||||
| -rw-r--r-- | security/selinux/selinuxfs.c | 127 | ||||
| -rw-r--r-- | security/selinux/ss/avtab.c | 48 | ||||
| -rw-r--r-- | security/selinux/ss/conditional.c | 73 | ||||
| -rw-r--r-- | security/selinux/ss/ebitmap.c | 5 | ||||
| -rw-r--r-- | security/selinux/ss/hashtab.c | 4 | ||||
| -rw-r--r-- | security/selinux/ss/mls.c | 27 | ||||
| -rw-r--r-- | security/selinux/ss/policydb.c | 148 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 178 | ||||
| -rw-r--r-- | security/selinux/ss/sidtab.c | 6 | ||||
| -rw-r--r-- | security/selinux/xfrm.c | 9 |
17 files changed, 609 insertions, 634 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index a4fc6e6d038..1d69f6649bf 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -2,16 +2,16 @@ * Implementation of the kernel access vector cache (AVC). * * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> - * James Morris <jmorris@redhat.com> + * James Morris <jmorris@redhat.com> * * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> - * Replaced the avc_lock spinlock by RCU. + * Replaced the avc_lock spinlock by RCU. * * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. + * as published by the Free Software Foundation. */ #include <linux/types.h> #include <linux/stddef.h> @@ -44,7 +44,7 @@ static const char *class_to_string[] = { #undef S_ }; -#define TB_(s) static const char * s [] = { +#define TB_(s) static const char *s[] = { #define TE_(s) }; #define S_(s) s, #include "common_perm_to_string.h" @@ -72,7 +72,7 @@ const struct selinux_class_perm selinux_class_perm = { #define AVC_CACHE_RECLAIM 16 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS -#define avc_cache_stats_incr(field) \ +#define avc_cache_stats_incr(field) \ do { \ per_cpu(avc_cache_stats, get_cpu()).field++; \ put_cpu(); \ @@ -92,7 +92,7 @@ struct avc_entry { struct avc_node { struct avc_entry ae; struct list_head list; - struct rcu_head rhead; + struct rcu_head rhead; }; struct avc_cache { @@ -105,8 +105,8 @@ struct avc_cache { struct avc_callback_node { int (*callback) (u32 event, u32 ssid, u32 tsid, - u16 tclass, u32 perms, - u32 *out_retained); + u16 tclass, u32 perms, + u32 *out_retained); u32 events; u32 ssid; u32 tsid; @@ -202,7 +202,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla char *scontext; u32 scontext_len; - rc = security_sid_to_context(ssid, &scontext, &scontext_len); + rc = security_sid_to_context(ssid, &scontext, &scontext_len); if (rc) audit_log_format(ab, "ssid=%d", ssid); else { @@ -306,7 +306,7 @@ static inline int avc_reclaim_node(void) int hvalue, try, ecx; unsigned long flags; - for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++ ) { + for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) @@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert) spin_lock_irqsave(¬if_lock, flag); if (is_insert) { if (seqno < avc_cache.latest_notif) { - printk(KERN_WARNING "avc: seqno %d < latest_notif %d\n", + printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", seqno, avc_cache.latest_notif); ret = -EAGAIN; } @@ -475,7 +475,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en if (pos->ae.ssid == ssid && pos->ae.tsid == tsid && pos->ae.tclass == tclass) { - avc_node_replace(node, pos); + avc_node_replace(node, pos); goto found; } } @@ -526,8 +526,8 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr, * before calling the auditing code. */ void avc_audit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct av_decision *avd, int result, struct avc_audit_data *a) + u16 tclass, u32 requested, + struct av_decision *avd, int result, struct avc_audit_data *a) { struct task_struct *tsk = current; struct inode *inode = NULL; @@ -541,7 +541,7 @@ void avc_audit(u32 ssid, u32 tsid, return; } else if (result) { audited = denied = requested; - } else { + } else { audited = requested; if (!(audited & avd->auditallow)) return; @@ -551,7 +551,7 @@ void avc_audit(u32 ssid, u32 tsid, if (!ab) return; /* audit_panic has been called */ audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); - avc_dump_av(ab, tclass,audited); + avc_dump_av(ab, tclass, audited); audit_log_format(ab, " for "); if (a && a->tsk) tsk = a->tsk; @@ -647,7 +647,7 @@ void avc_audit(u32 ssid, u32 tsid, break; } } - + switch (a->u.net.family) { case AF_INET: avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, @@ -702,10 +702,10 @@ void avc_audit(u32 ssid, u32 tsid, * -%ENOMEM if insufficient memory exists to add the callback. */ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, - u16 tclass, u32 perms, - u32 *out_retained), - u32 events, u32 ssid, u32 tsid, - u16 tclass, u32 perms) + u16 tclass, u32 perms, + u32 *out_retained), + u32 events, u32 ssid, u32 tsid, + u16 tclass, u32 perms) { struct avc_callback_node *c; int rc = 0; @@ -759,10 +759,10 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass) hvalue = avc_hash(ssid, tsid, tclass); spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); - list_for_each_entry(pos, &avc_cache.slots[hvalue], list){ - if ( ssid==pos->ae.ssid && - tsid==pos->ae.tsid && - tclass==pos->ae.tclass ){ + list_for_each_entry(pos, &avc_cache.slots[hvalue], list) { + if (ssid == pos->ae.ssid && + tsid == pos->ae.tsid && + tclass == pos->ae.tclass){ orig = pos; break; } @@ -829,7 +829,7 @@ int avc_ss_reset(u32 seqno) for (c = avc_callbacks; c; c = c->next) { if (c->events & AVC_CALLBACK_RESET) { tmprc = c->callback(AVC_CALLBACK_RESET, - 0, 0, 0, 0, NULL); + 0, 0, 0, 0, NULL); /* save the first error encountered for the return value and continue processing the callbacks */ if (!rc) @@ -878,11 +878,11 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, node = avc_lookup(ssid, tsid, tclass, requested); if (!node) { rcu_read_unlock(); - rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd); + rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd); if (rc) goto out; rcu_read_lock(); - node = avc_insert(ssid,tsid,tclass,&entry); + node = avc_insert(ssid, tsid, tclass, &entry); } p_ae = node ? &node->ae : &entry; @@ -924,7 +924,7 @@ out: * another -errno upon other errors. */ int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, - u32 requested, struct avc_audit_data *auditdata) + u32 requested, struct avc_audit_data *auditdata) { struct av_decision avd; int rc; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f9927f02bc3..1bf2543ea94 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4,22 +4,22 @@ * This file contains the SELinux hook function implementations. * * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> - * Chris Vance, <cvance@nai.com> - * Wayne Salamon, <wsalamon@nai.com> - * James Morris <jmorris@redhat.com> + * Chris Vance, <cvance@nai.com> + * Wayne Salamon, <wsalamon@nai.com> + * James Morris <jmorris@redhat.com> * * Copyright (C) 2001,2002 Networks Associates Technology, Inc. * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. - * <dgoeddel@trustedcs.com> + * <dgoeddel@trustedcs.com> * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. - * Paul Moore <paul.moore@hp.com> + * Paul Moore <paul.moore@hp.com> * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. - * Yuichi Nakamura <ynakam@hitachisoft.jp> + * Yuichi Nakamura <ynakam@hitachisoft.jp> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. + * as published by the Free Software Foundation. */ #include <linux/init.h> @@ -99,11 +99,11 @@ extern struct security_operations *security_ops; atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); #ifdef CONFIG_SECURITY_SELINUX_DEVELOP -int selinux_enforcing = 0; +int selinux_enforcing; static int __init enforcing_setup(char *str) { - selinux_enforcing = simple_strtol(str,NULL,0); + selinux_enforcing = simple_strtol(str, NULL, 0); return 1; } __setup("enforcing=", enforcing_setup); @@ -123,13 +123,13 @@ int selinux_enabled = 1; #endif /* Original (dummy) security module. */ -static struct security_operations *original_ops = NULL; +static struct security_operations *original_ops; /* Minimal support for a secondary security module, just to allow the use of the dummy or capability modules. The owlsm module can alternatively be used as a secondary module as long as CONFIG_OWLSM_FD is not enabled. */ -static struct security_operations *secondary_ops = NULL; +static struct security_operations *secondary_ops; /* Lists of inode and superblock security structures initialized before the policy was loaded. */ @@ -575,8 +575,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } rc = -EINVAL; - printk(KERN_WARNING "Unable to set superblock options before " - "the security server is initialized\n"); + printk(KERN_WARNING "SELinux: Unable to set superblock options " + "before the security server is initialized\n"); goto out; } @@ -1054,7 +1054,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de, int buflen, rc; char *buffer, *path, *end; - buffer = (char*)__get_free_page(GFP_KERNEL); + buffer = (char *)__get_free_page(GFP_KERNEL); if (!buffer) return -ENOMEM; @@ -1135,7 +1135,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent dentry = d_find_alias(inode); } if (!dentry) { - printk(KERN_WARNING "%s: no dentry for dev=%s " + printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s " "ino=%ld\n", __func__, inode->i_sb->s_id, inode->i_ino); goto out_unlock; @@ -1173,7 +1173,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent dput(dentry); if (rc < 0) { if (rc != -ENODATA) { - printk(KERN_WARNING "%s: getxattr returned " + printk(KERN_WARNING "SELinux: %s: getxattr returned " "%d for dev=%s ino=%ld\n", __func__, -rc, inode->i_sb->s_id, inode->i_ino); kfree(context); @@ -1187,7 +1187,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent sbsec->def_sid, GFP_NOFS); if (rc) { - printk(KERN_WARNING "%s: context_to_sid(%s) " + printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " "returned %d for dev=%s ino=%ld\n", __func__, context, -rc, inode->i_sb->s_id, inode->i_ino); @@ -1305,7 +1305,7 @@ static int task_has_capability(struct task_struct *tsk, tsec = tsk->security; - AVC_AUDIT_DATA_INIT(&ad,CAP); + AVC_AUDIT_DATA_INIT(&ad, CAP); ad.tsk = tsk; ad.u.cap = cap; @@ -1348,7 +1348,7 @@ static int inode_has_perm(struct task_struct *tsk, struct inode_security_struct *isec; struct avc_audit_data ad; - if (unlikely (IS_PRIVATE (inode))) + if (unlikely(IS_PRIVATE(inode))) return 0; tsec = tsk->security; @@ -1373,7 +1373,7 @@ static inline int dentry_has_perm(struct task_struct *tsk, { struct inode *inode = dentry->d_inode; struct avc_audit_data ad; - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.path.mnt = mnt; ad.u.fs.path.dentry = dentry; return inode_has_perm(tsk, inode, av, &ad); @@ -1470,9 +1470,9 @@ static int may_create_key(u32 ksid, return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); } -#define MAY_LINK 0 -#define MAY_UNLINK 1 -#define MAY_RMDIR 2 +#define MAY_LINK 0 +#define MAY_UNLINK 1 +#define MAY_RMDIR 2 /* Check whether a task can link, unlink, or rmdir a file/directory. */ static int may_link(struct inode *dir, @@ -1510,7 +1510,8 @@ static int may_link(struct inode *dir, av = DIR__RMDIR; break; default: - printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); + printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", + __func__, kind); return 0; } @@ -1640,8 +1641,8 @@ static inline u32 open_file_mask_to_av(int mode, int mask) else if (S_ISDIR(mode)) av |= DIR__OPEN; else - printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av " - "with unknown mode:%x\n", mode); + printk(KERN_ERR "SELinux: WARNING: inside %s with " + "unknown mode:%x\n", __func__, mode); } return av; } @@ -1675,7 +1676,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) { int rc; - rc = secondary_ops->ptrace(parent,child); + rc = secondary_ops->ptrace(parent, child); if (rc) return rc; @@ -1683,7 +1684,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) } static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) + kernel_cap_t *inheritable, kernel_cap_t *permitted) { int error; @@ -1695,7 +1696,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, } static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) + kernel_cap_t *inheritable, kernel_cap_t *permitted) { int error; @@ -1707,7 +1708,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect } static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) + kernel_cap_t *inheritable, kernel_cap_t *permitted) { secondary_ops->capset_set(target, effective, inheritable, permitted); } @@ -1720,7 +1721,7 @@ static int selinux_capable(struct task_struct *tsk, int cap) if (rc) return rc; - return task_has_capability(tsk,cap); + return task_has_capability(tsk, cap); } static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) @@ -1729,7 +1730,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) char *buffer, *path, *end; rc = -ENOMEM; - buffer = (char*)__get_free_page(GFP_KERNEL); + buffer = (char *)__get_free_page(GFP_KERNEL); if (!buffer) goto out; @@ -1787,7 +1788,7 @@ static int selinux_sysctl(ctl_table *table, int op) /* The op values are "defined" in sysctl.c, thereby creating * a bad coupling between this module and sysctl.c */ - if(op == 001) { + if (op == 001) { error = avc_has_perm(tsec->sid, tsid, SECCLASS_DIR, DIR__SEARCH, NULL); } else { @@ -1799,7 +1800,7 @@ static int selinux_sysctl(ctl_table *table, int op) if (av) error = avc_has_perm(tsec->sid, tsid, SECCLASS_FILE, av, NULL); - } + } return error; } @@ -1812,25 +1813,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) return 0; switch (cmds) { - case Q_SYNC: - case Q_QUOTAON: - case Q_QUOTAOFF: - case Q_SETINFO: - case Q_SETQUOTA: - rc = superblock_has_perm(current, - sb, - FILESYSTEM__QUOTAMOD, NULL); - break; - case Q_GETFMT: - case Q_GETINFO: - case Q_GETQUOTA: - rc = superblock_has_perm(current, - sb, - FILESYSTEM__QUOTAGET, NULL); - break; - default: - rc = 0; /* let the kernel handle invalid cmds */ - break; + case Q_SYNC: + case Q_QUOTAON: + case Q_QUOTAOFF: + case Q_SETINFO: + case Q_SETQUOTA: + rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD, + NULL); + break; + case Q_GETFMT: + case Q_GETINFO: + case Q_GETQUOTA: + rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET, + NULL); + break; + default: + rc = 0; /* let the kernel handle invalid cmds */ + break; } return rc; } @@ -1849,23 +1848,23 @@ static int selinux_syslog(int type) return rc; switch (type) { - case 3: /* Read last kernel messages */ - case 10: /* Return size of the log buffer */ - rc = task_has_system(current, SYSTEM__SYSLOG_READ); - break; - case 6: /* Disable logging to console */ - case 7: /* Enable logging to console */ - case 8: /* Set level of messages printed to console */ - rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); - break; - case 0: /* Close log */ - case 1: /* Open log */ - case 2: /* Read from log */ - case 4: /* Read/clear last kernel messages */ - case 5: /* Clear ring buffer */ - default: - rc = task_has_system(current, SYSTEM__SYSLOG_MOD); - break; + case 3: /* Read last kernel messages */ + case 10: /* Return size of the log buffer */ + rc = task_has_system(current, SYSTEM__SYSLOG_READ); + break; + case 6: /* Disable logging to console */ + case 7: /* Enable logging to console */ + case 8: /* Set level of messages printed to console */ + rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); + break; + case 0: /* Close log */ + case 1: /* Open log */ + case 2: /* Read from log */ + case 4: /* Read/clear last kernel messages */ + case 5: /* Clear ring buffer */ + default: + rc = task_has_system(current, SYSTEM__SYSLOG_MOD); + break; } return rc; } @@ -1971,7 +1970,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) } else { /* Check for a default transition on this program. */ rc = security_transition_sid(tsec->sid, isec->sid, - SECCLASS_PROCESS, &newsid); + SECCLASS_PROCESS, &newsid); if (rc) return rc; } @@ -1982,7 +1981,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) newsid = tsec->sid; - if (tsec->sid == newsid) { + if (tsec->sid == newsid) { rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); if (rc) @@ -2010,13 +2009,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) return 0; } -static int selinux_bprm_check_security (struct linux_binprm *bprm) +static int selinux_bprm_check_security(struct linux_binprm *bprm) { return secondary_ops->bprm_check_security(bprm); } -static int selinux_bprm_secureexec (struct linux_binprm *bprm) +static int selinux_bprm_secureexec(struct linux_binprm *bprm) { struct task_security_struct *tsec = current->security; int atsecure = 0; @@ -2043,7 +2042,7 @@ extern struct vfsmount *selinuxfs_mount; extern struct dentry *selinux_null; /* Derived from fs/exec.c:flush_old_files. */ -static inline void flush_unauthorized_files(struct files_struct * files) +static inline void flush_unauthorized_files(struct files_struct *files) { struct avc_audit_data ad; struct file *file, *devnull = NULL; @@ -2078,7 +2077,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) /* Revalidate access to inherited open files. */ - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); spin_lock(&files->file_lock); for (;;) { @@ -2094,7 +2093,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) if (!set) continue; spin_unlock(&files->file_lock); - for ( ; set ; i++,set >>= 1) { + for ( ; set ; i++, set >>= 1) { if (set & 1) { file = fget(i); if (!file) @@ -2251,7 +2250,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) for (i = 0; i < RLIM_NLIMITS; i++) { rlim = current->signal->rlim + i; initrlim = init_task.signal->rlim+i; - rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); + rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); } if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { /* @@ -2306,16 +2305,15 @@ static inline void take_option(char **to, char *from, int *first, int len) *to += len; } -static inline void take_selinux_option(char **to, char *from, int *first, - int len) +static inline void take_selinux_option(char **to, char *from, int *first, + int len) { int current_size = 0; if (!*first) { **to = '|'; *to += 1; - } - else + } else *first = 0; while (current_size < len) { @@ -2379,7 +2377,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data) if (rc) return rc; - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.path.dentry = sb->s_root; return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); } @@ -2388,16 +2386,16 @@ static int selinux_sb_statfs(struct dentry *dentry) { struct avc_audit_data ad; - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.path.dentry = dentry->d_sb->s_root; return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); } -static int selinux_mount(char * dev_name, - struct nameidata *nd, - char * type, - unsigned long flags, - void * data) +static int selinux_mount(char *dev_name, + struct nameidata *nd, + char *type, + unsigned long flags, + void *data) { int rc; @@ -2407,10 +2405,10 @@ static int selinux_mount(char * dev_name, if (flags & MS_REMOUNT) return superblock_has_perm(current, nd->path.mnt->mnt_sb, - FILESYSTEM__REMOUNT, NULL); + FILESYSTEM__REMOUNT, NULL); else return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, - FILE__MOUNTON); + FILE__MOUNTON); } static int selinux_umount(struct vfsmount *mnt, int flags) @@ -2421,8 +2419,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags) if (rc) return rc; - return superblock_has_perm(current,mnt->mnt_sb, - FILESYSTEM__UNMOUNT,NULL); + return superblock_has_perm(current, mnt->mnt_sb, + FILESYSTEM__UNMOUNT, NULL); } /* inode security operations */ @@ -2508,7 +2506,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru { int rc; - rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); + rc = secondary_ops->inode_link(old_dentry, dir, new_dentry); if (rc) return rc; return may_link(dir, old_dentry, MAY_LINK); @@ -2551,7 +2549,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod } static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, - struct inode *new_inode, struct dentry *new_dentry) + struct inode *new_inode, struct dentry *new_dentry) { return may_rename(old_inode, old_dentry, new_inode, new_dentry); } @@ -2565,7 +2563,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na { int rc; - rc = secondary_ops->inode_follow_link(dentry,nameidata); + rc = secondary_ops->inode_follow_link(dentry, nameidata); if (rc) return rc; return dentry_has_perm(current, NULL, dentry, FILE__READ); @@ -2651,7 +2649,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value if (!is_owner_or_cap(inode)) return -EPERM; - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.path.dentry = dentry; rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, @@ -2669,7 +2667,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value return rc; rc = security_validate_transition(isec->sid, newsid, tsec->sid, - isec->sclass); + isec->sclass); if (rc) return rc; @@ -2681,7 +2679,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value } static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, - void *value, size_t size, int flags) + void *value, size_t size, int flags) { struct inode *inode = dentry->d_inode; struct inode_security_struct *isec = inode->i_security; @@ -2704,17 +2702,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, return; } -static int selinux_inode_getxattr (struct dentry *dentry, char *name) +static int selinux_inode_getxattr(struct dentry *dentry, char *name) { return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); } -static int selinux_inode_listxattr (struct dentry *dentry) +static int selinux_inode_listxattr(struct dentry *dentry) { return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); } -static int selinux_inode_removexattr (struct dentry *dentry, char *name) +static int selinux_inode_removexattr(struct dentry *dentry, char *name) { if (strcmp(name, XATTR_NAME_SELINUX)) return selinux_inode_setotherxattr(dentry, name); @@ -2755,7 +2753,7 @@ out_nofree: } static int selinux_inode_setsecurity(struct inode *inode, const char *name, - const void *value, size_t size, int flags) + const void *value, size_t size, int flags) { struct inode_security_struct *isec = inode->i_security; u32 newsid; @@ -2767,7 +2765,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, if (!value || !size) return -EACCES; - rc = security_context_to_sid((void*)value, size, &newsid); + rc = security_context_to_sid((void *)value, size, &newsid); if (rc) return rc; @@ -2858,42 +2856,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, int error = 0; switch (cmd) { - case FIONREAD: - /* fall through */ - case FIBMAP: - /* fall through */ - case FIGETBSZ: - /* fall through */ - case EXT2_IOC_GETFLAGS: - /* fall through */ - case EXT2_IOC_GETVERSION: - error = file_has_perm(current, file, FILE__GETATTR); - break; - - case EXT2_IOC_SETFLAGS: - /* fall through */ - case EXT2_IOC_SETVERSION: - error = file_has_perm(current, file, FILE__SETATTR); - break; + case FIONREAD: + /* fall through */ + case FIBMAP: + /* fall through */ + case FIGETBSZ: + /* fall through */ + case EXT2_IOC_GETFLAGS: + /* fall through */ + case EXT2_IOC_GETVERSION: + error = file_has_perm(current, file, FILE__GETATTR); + break; - /* sys_ioctl() checks */ - case FIONBIO: - /* fall through */ - case FIOASYNC: - error = file_has_perm(current, file, 0); - break; + case EXT2_IOC_SETFLAGS: + /* fall through */ + case EXT2_IOC_SETVERSION: + error = file_has_perm(current, file, FILE__SETATTR); + break; - case KDSKBENT: - case KDSKBSENT: - error = task_has_capability(current,CAP_SYS_TTY_CONFIG); - break; + /* sys_ioctl() checks */ + case FIONBIO: + /* fall through */ + case FIOASYNC: + error = file_has_perm(current, file, 0); + break; - /* default case assumes that the command will go - * to the file's ioctl() function. - */ - default: - error = file_has_perm(current, file, FILE__IOCTL); + case KDSKBENT: + case KDSKBSENT: + error = task_has_capability(current, CAP_SYS_TTY_CONFIG); + break; + /* default case assumes that the command will go + * to the file's ioctl() function. + */ + default: + error = file_has_perm(current, file, FILE__IOCTL); } return error; } @@ -2934,7 +2931,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, unsigned long addr, unsigned long addr_only) { int rc = 0; - u32 sid = ((struct task_security_struct*)(current->security))->sid; + u32 sid = ((struct task_security_struct *)(current->security))->sid; if (addr < mmap_min_addr) rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, @@ -3003,39 +3000,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd, int err = 0; switch (cmd) { - case F_SETFL: - if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { - err = -EINVAL; - break; - } + case F_SETFL: + if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { + err = -EINVAL; + break; + } - if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { - err = file_has_perm(current, file,FILE__WRITE); - break; - } - /* fall through */ - case F_SETOWN: - case F_SETSIG: - case F_GETFL: - case F_GETOWN: - case F_GETSIG: - /* Just check FD__USE permission */ - err = file_has_perm(current, file, 0); + if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { + err = file_has_perm(current, file, FILE__WRITE); break; - case F_GETLK: - case F_SETLK: - case F_SETLKW: + } + /* fall through */ + case F_SETOWN: + case F_SETSIG: + case F_GETFL: + case F_GETOWN: + case F_GETSIG: + /* Just check FD__USE permission */ + err = file_has_perm(current, file, 0); + break; + case F_GETLK: + case F_SETLK: + case F_SETLKW: #if BITS_PER_LONG == 32 - case F_GETLK64: - case F_SETLK64: - case F_SETLKW64: + case F_GETLK64: + case F_SETLK64: + case F_SETLKW64: #endif - if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { - err = -EINVAL; - break; - } - err = file_has_perm(current, file, FILE__LOCK); + if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { + err = -EINVAL; |