diff options
| author |   James Morris <james.l.morris@oracle.com> | 2015-12-26 16:07:31 +1100 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2015-12-26 16:07:31 +1100 |
| commit | 37babe4ec610ff288a60aa79619b3d2f00bcfd89 (patch) | |
| tree | a3f76e129675a77c560f118e0b12f525fb06f144 /security/selinux/ss/services.c | |
| parent | Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next (diff) | |
| parent | selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() (diff) | |
| download | linux-dev-37babe4ec610ff288a60aa79619b3d2f00bcfd89.tar.xz linux-dev-37babe4ec610ff288a60aa79619b3d2f00bcfd89.zip | |
Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/selinux into next
Diffstat (limited to 'security/selinux/ss/services.c')
| -rw-r--r-- | security/selinux/ss/services.c | 34 |
1 files changed, 27 insertions, 7 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index ebb5eb3c318c..ebda97333f1b 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -778,8 +778,8 @@ out: return -EPERM; } -int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, - u16 orig_tclass) +static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid, + u16 orig_tclass, bool user) { struct context *ocontext; struct context *ncontext; @@ -794,11 +794,12 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, read_lock(&policy_rwlock); - tclass = unmap_class(orig_tclass); + if (!user) + tclass = unmap_class(orig_tclass); + else + tclass = orig_tclass; if (!tclass || tclass > policydb.p_classes.nprim) { - printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", - __func__, tclass); rc = -EINVAL; goto out; } @@ -832,8 +833,13 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, while (constraint) { if (!constraint_expr_eval(ocontext, ncontext, tcontext, constraint->expr)) { - rc = security_validtrans_handle_fail(ocontext, ncontext, - tcontext, tclass); + if (user) + rc = -EPERM; + else + rc = security_validtrans_handle_fail(ocontext, + ncontext, + tcontext, + tclass); goto out; } constraint = constraint->next; @@ -844,6 +850,20 @@ out: return rc; } +int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid, + u16 tclass) +{ + return security_compute_validatetrans(oldsid, newsid, tasksid, + tclass, true); +} + +int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, + u16 orig_tclass) +{ + return security_compute_validatetrans(oldsid, newsid, tasksid, + orig_tclass, false); +} + /* * security_bounded_transition - check whether the given * transition is directed to bounded, or not. |