diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 13 | ||||
-rw-r--r-- | security/selinux/ss/sidtab.c | 12 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 50 |
3 files changed, 28 insertions, 47 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d9e8b2131a65..1659b59fb5d7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -698,7 +698,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || - !strcmp(sb->s_type->name, "binderfs") || + !strcmp(sb->s_type->name, "binder") || !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS; @@ -2778,7 +2778,7 @@ static int selinux_fs_context_dup(struct fs_context *fc, return 0; } -static const struct fs_parameter_spec selinux_param_specs[] = { +static const struct fs_parameter_spec selinux_fs_parameters[] = { fsparam_string(CONTEXT_STR, Opt_context), fsparam_string(DEFCONTEXT_STR, Opt_defcontext), fsparam_string(FSCONTEXT_STR, Opt_fscontext), @@ -2787,18 +2787,13 @@ static const struct fs_parameter_spec selinux_param_specs[] = { {} }; -static const struct fs_parameter_description selinux_fs_parameters = { - .name = "SELinux", - .specs = selinux_param_specs, -}; - static int selinux_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param) { struct fs_parse_result result; int opt, rc; - opt = fs_parse(fc, &selinux_fs_parameters, param, &result); + opt = fs_parse(fc, selinux_fs_parameters, param, &result); if (opt < 0) return opt; @@ -7193,7 +7188,7 @@ static __init int selinux_init(void) else pr_debug("SELinux: Starting in permissive mode\n"); - fs_validate_description(&selinux_fs_parameters); + fs_validate_description("selinux", selinux_fs_parameters); return 0; } diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index a308ce1e6a13..f511ffccb131 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -518,19 +518,13 @@ void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, const char *str, u32 str_len) { struct sidtab_str_cache *cache, *victim = NULL; + unsigned long flags; /* do not cache invalid contexts */ if (entry->context.len) return; - /* - * Skip the put operation when in non-task context to avoid the need - * to disable interrupts while holding s->cache_lock. - */ - if (!in_task()) - return; - - spin_lock(&s->cache_lock); + spin_lock_irqsave(&s->cache_lock, flags); cache = rcu_dereference_protected(entry->cache, lockdep_is_held(&s->cache_lock)); @@ -561,7 +555,7 @@ void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, rcu_assign_pointer(entry->cache, cache); out_unlock: - spin_unlock(&s->cache_lock); + spin_unlock_irqrestore(&s->cache_lock, flags); kfree_rcu(victim, rcu_member); } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index ecea41ce919b..8c61d175e195 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -678,7 +678,7 @@ static int smack_fs_context_dup(struct fs_context *fc, return 0; } -static const struct fs_parameter_spec smack_param_specs[] = { +static const struct fs_parameter_spec smack_fs_parameters[] = { fsparam_string("smackfsdef", Opt_fsdefault), fsparam_string("smackfsdefault", Opt_fsdefault), fsparam_string("smackfsfloor", Opt_fsfloor), @@ -688,11 +688,6 @@ static const struct fs_parameter_spec smack_param_specs[] = { {} }; -static const struct fs_parameter_description smack_fs_parameters = { - .name = "smack", - .specs = smack_param_specs, -}; - /** * smack_fs_context_parse_param - Parse a single mount parameter * @fc: The new filesystem context being constructed. @@ -707,7 +702,7 @@ static int smack_fs_context_parse_param(struct fs_context *fc, struct fs_parse_result result; int opt, rc; - opt = fs_parse(fc, &smack_fs_parameters, param, &result); + opt = fs_parse(fc, smack_fs_parameters, param, &result); if (opt < 0) return opt; @@ -2831,42 +2826,39 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, int addrlen) { int rc = 0; -#if IS_ENABLED(CONFIG_IPV6) - struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; -#endif -#ifdef SMACK_IPV6_SECMARK_LABELING - struct smack_known *rsp; - struct socket_smack *ssp; -#endif if (sock->sk == NULL) return 0; - + if (sock->sk->sk_family != PF_INET && + (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) + return 0; + if (addrlen < offsetofend(struct sockaddr, sa_family)) + return 0; + if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { + struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; #ifdef SMACK_IPV6_SECMARK_LABELING - ssp = sock->sk->sk_security; + struct smack_known *rsp; #endif - switch (sock->sk->sk_family) { - case PF_INET: - if (addrlen < sizeof(struct sockaddr_in) || - sap->sa_family != AF_INET) - return -EINVAL; - rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); - break; - case PF_INET6: - if (addrlen < SIN6_LEN_RFC2133 || sap->sa_family != AF_INET6) - return -EINVAL; + if (addrlen < SIN6_LEN_RFC2133) + return 0; #ifdef SMACK_IPV6_SECMARK_LABELING rsp = smack_ipv6host_label(sip); - if (rsp != NULL) + if (rsp != NULL) { + struct socket_smack *ssp = sock->sk->sk_security; + rc = smk_ipv6_check(ssp->smk_out, rsp, sip, - SMK_CONNECTING); + SMK_CONNECTING); + } #endif #ifdef SMACK_IPV6_PORT_LABELING rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); #endif - break; + return rc; } + if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) + return 0; + rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); return rc; } |