X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=security%2Fselinux%2Fhooks.c;h=04acb5af831749652b3aa41db0412c8706cea4c9;hb=02539d71fa98d5737bb668b02286c76241e4bac9;hp=34f2d46c79847f8b8990cf57485a9fc308c84833;hpb=9e9abecfc0ff3a9ad2ead954b37bbfcb863c775e;p=linux-2.6 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 34f2d46c79..04acb5af83 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4,22 +4,22 @@ * This file contains the SELinux hook function implementations. * * Authors: Stephen Smalley, - * Chris Vance, - * Wayne Salamon, - * James Morris + * Chris Vance, + * Wayne Salamon, + * James Morris * * Copyright (C) 2001,2002 Networks Associates Technology, Inc. * Copyright (C) 2003 Red Hat, Inc., James Morris * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. - * + * * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. - * Paul Moore + * Paul Moore * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. - * Yuichi Nakamura + * Yuichi Nakamura * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. + * as published by the Free Software Foundation. */ #include @@ -83,6 +83,7 @@ #include "netport.h" #include "xfrm.h" #include "netlabel.h" +#include "audit.h" #define XATTR_SELINUX_SUFFIX "selinux" #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX @@ -98,11 +99,11 @@ extern struct security_operations *security_ops; atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); #ifdef CONFIG_SECURITY_SELINUX_DEVELOP -int selinux_enforcing = 0; +int selinux_enforcing; static int __init enforcing_setup(char *str) { - selinux_enforcing = simple_strtol(str,NULL,0); + selinux_enforcing = simple_strtol(str, NULL, 0); return 1; } __setup("enforcing=", enforcing_setup); 
@@ -122,13 +123,13 @@ int selinux_enabled = 1; #endif /* Original (dummy) security module. */ -static struct security_operations *original_ops = NULL; +static struct security_operations *original_ops; /* Minimal support for a secondary security module, just to allow the use of the dummy or capability modules. The owlsm module can alternatively be used as a secondary module as long as CONFIG_OWLSM_FD is not enabled. */ -static struct security_operations *secondary_ops = NULL; +static struct security_operations *secondary_ops; /* Lists of inode and superblock security structures initialized before the policy was loaded. */ @@ -574,8 +575,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, goto out; } rc = -EINVAL; - printk(KERN_WARNING "Unable to set superblock options before " - "the security server is initialized\n"); + printk(KERN_WARNING "SELinux: Unable to set superblock options " + "before the security server is initialized\n"); goto out; } @@ -754,9 +755,18 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, int set_context = (oldsbsec->flags & CONTEXT_MNT); int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); - /* we can't error, we can't save the info, this shouldn't get called - * this early in the boot process. */ - BUG_ON(!ss_initialized); + /* + * if the parent was able to be mounted it clearly had no special lsm + * mount options. thus we can safely put this sb on the list and deal + * with it later + */ + if (!ss_initialized) { + spin_lock(&sb_security_lock); + if (list_empty(&newsbsec->list)) + list_add(&newsbsec->list, &superblock_security_head); + spin_unlock(&sb_security_lock); + return; + } /* how can we clone if the old one wasn't set up?? */ BUG_ON(!oldsbsec->initialized); 
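Review bot: The early return added to selinux_sb_clone_mnt_opts (last hunk on this line) queues newsbsec on superblock_security_head and skips the clone entirely, but the new comment neither says which code later drains that list nor why skipping is safe; the justification is visible in the selinux_set_mnt_opts hunk just above, which refuses any mount options before the security server is initialized, so the old superblock cannot have carried any. I would replace the comment with `/* Policy not loaded yet: selinux_set_mnt_opts refuses options before then, so oldsb has none to clone. Queue newsbsec for deferred init with the other pre-policy superblocks. */`. The `list_empty(&newsbsec->list)` test also presumes the list head was initialised when the blob was allocated, which is outside this hunk and worth confirming. selinux_sb_clone_mnt_opts continues past the end of the hunk.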
@@ -1053,7 +1063,7 @@ static int selinux_proc_get_sid(struct proc_dir_entry *de, int buflen, rc; char *buffer, *path, *end; - buffer = (char*)__get_free_page(GFP_KERNEL); + buffer = (char *)__get_free_page(GFP_KERNEL); if (!buffer) return -ENOMEM; @@ -1134,7 +1144,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent dentry = d_find_alias(inode); } if (!dentry) { - printk(KERN_WARNING "%s: no dentry for dev=%s " + printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s " "ino=%ld\n", __func__, inode->i_sb->s_id, inode->i_ino); goto out_unlock; @@ -1172,7 +1182,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent dput(dentry); if (rc < 0) { if (rc != -ENODATA) { - printk(KERN_WARNING "%s: getxattr returned " + printk(KERN_WARNING "SELinux: %s: getxattr returned " "%d for dev=%s ino=%ld\n", __func__, -rc, inode->i_sb->s_id, inode->i_ino); kfree(context); @@ -1186,7 +1196,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent sbsec->def_sid, GFP_NOFS); if (rc) { - printk(KERN_WARNING "%s: context_to_sid(%s) " + printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " "returned %d for dev=%s ino=%ld\n", __func__, context, -rc, inode->i_sb->s_id, inode->i_ino); @@ -1304,7 +1314,7 @@ static int task_has_capability(struct task_struct *tsk, tsec = tsk->security; - AVC_AUDIT_DATA_INIT(&ad,CAP); + AVC_AUDIT_DATA_INIT(&ad, CAP); ad.tsk = tsk; ad.u.cap = cap; @@ -1347,7 +1357,7 @@ static int inode_has_perm(struct task_struct *tsk, struct inode_security_struct *isec; struct avc_audit_data ad; - if (unlikely (IS_PRIVATE (inode))) + if (unlikely(IS_PRIVATE(inode))) return 0; tsec = tsk->security; 
@@ -1372,7 +1382,7 @@ static inline int dentry_has_perm(struct task_struct *tsk, { struct inode *inode = dentry->d_inode; struct avc_audit_data ad; - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.path.mnt = mnt; ad.u.fs.path.dentry = dentry; return inode_has_perm(tsk, inode, av, &ad); @@ -1469,9 +1479,9 @@ static int may_create_key(u32 ksid, return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); } -#define MAY_LINK 0 -#define MAY_UNLINK 1 -#define MAY_RMDIR 2 +#define MAY_LINK 0 +#define MAY_UNLINK 1 +#define MAY_RMDIR 2 /* Check whether a task can link, unlink, or rmdir a file/directory. */ static int may_link(struct inode *dir, @@ -1509,7 +1519,8 @@ static int may_link(struct inode *dir, av = DIR__RMDIR; break; default: - printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); + printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", + __func__, kind); return 0; } @@ -1639,8 +1650,8 @@ static inline u32 open_file_mask_to_av(int mode, int mask) else if (S_ISDIR(mode)) av |= DIR__OPEN; else - printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av " - "with unknown mode:%x\n", mode); + printk(KERN_ERR "SELinux: WARNING: inside %s with " + "unknown mode:%x\n", __func__, mode); } return av; } @@ -1674,7 +1685,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) { int rc; - rc = secondary_ops->ptrace(parent,child); + rc = secondary_ops->ptrace(parent, child); if (rc) return rc; @@ -1682,7 +1693,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) } static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) + kernel_cap_t *inheritable, kernel_cap_t *permitted) { int error; 
@@ -1694,7 +1705,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, } static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) + kernel_cap_t *inheritable, kernel_cap_t *permitted) { int error; @@ -1706,7 +1717,7 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect } static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) + kernel_cap_t *inheritable, kernel_cap_t *permitted) { secondary_ops->capset_set(target, effective, inheritable, permitted); } @@ -1719,7 +1730,7 @@ static int selinux_capable(struct task_struct *tsk, int cap) if (rc) return rc; - return task_has_capability(tsk,cap); + return task_has_capability(tsk, cap); } static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) @@ -1728,7 +1739,7 @@ static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) char *buffer, *path, *end; rc = -ENOMEM; - buffer = (char*)__get_free_page(GFP_KERNEL); + buffer = (char *)__get_free_page(GFP_KERNEL); if (!buffer) goto out; @@ -1786,7 +1797,7 @@ static int selinux_sysctl(ctl_table *table, int op) /* The op values are "defined" in sysctl.c, thereby creating * a bad coupling between this module and sysctl.c */ - if(op == 001) { + if (op == 001) { error = avc_has_perm(tsec->sid, tsid, SECCLASS_DIR, DIR__SEARCH, NULL); } else { @@ -1798,7 +1809,7 @@ static int selinux_sysctl(ctl_table *table, int op) if (av) error = avc_has_perm(tsec->sid, tsid, SECCLASS_FILE, av, NULL); - } + } return error; } 
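Review bot: `if (op == 001)` in selinux_sysctl compares against an octal literal with no comment explaining the value, and the only hint is the remark above it that the op codes are "defined" in sysctl.c, so a reader can easily take 001 for a decimal 1 or a typo. Since the branch maps it to DIR__SEARCH, I would annotate the line: `if (op == 001) {	/* octal 001: directory lookup, checked as DIR__SEARCH */`. The remaining ops are handled in the else branch, whose av derivation lies between the two selinux_sysctl hunks and is not shown here.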
@@ -1811,25 +1822,23 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) return 0; switch (cmds) { - case Q_SYNC: - case Q_QUOTAON: - case Q_QUOTAOFF: - case Q_SETINFO: - case Q_SETQUOTA: - rc = superblock_has_perm(current, - sb, - FILESYSTEM__QUOTAMOD, NULL); - break; - case Q_GETFMT: - case Q_GETINFO: - case Q_GETQUOTA: - rc = superblock_has_perm(current, - sb, - FILESYSTEM__QUOTAGET, NULL); - break; - default: - rc = 0; /* let the kernel handle invalid cmds */ - break; + case Q_SYNC: + case Q_QUOTAON: + case Q_QUOTAOFF: + case Q_SETINFO: + case Q_SETQUOTA: + rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD, + NULL); + break; + case Q_GETFMT: + case Q_GETINFO: + case Q_GETQUOTA: + rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET, + NULL); + break; + default: + rc = 0; /* let the kernel handle invalid cmds */ + break; } return rc; } 
@@ -1848,23 +1857,23 @@ static int selinux_syslog(int type) return rc; switch (type) { - case 3: /* Read last kernel messages */ - case 10: /* Return size of the log buffer */ - rc = task_has_system(current, SYSTEM__SYSLOG_READ); - break; - case 6: /* Disable logging to console */ - case 7: /* Enable logging to console */ - case 8: /* Set level of messages printed to console */ - rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); - break; - case 0: /* Close log */ - case 1: /* Open log */ - case 2: /* Read from log */ - case 4: /* Read/clear last kernel messages */ - case 5: /* Clear ring buffer */ - default: - rc = task_has_system(current, SYSTEM__SYSLOG_MOD); - break; + case 3: /* Read last kernel messages */ + case 10: /* Return size of the log buffer */ + rc = task_has_system(current, SYSTEM__SYSLOG_READ); + break; + case 6: /* Disable logging to console */ + case 7: /* Enable logging to console */ + case 8: /* Set level of messages printed to console */ + rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); + break; + case 0: /* Close log */ + case 1: /* Open log */ + case 2: /* Read from log */ + case 4: /* Read/clear last kernel messages */ + case 5: /* Clear ring buffer */ + default: + rc = task_has_system(current, SYSTEM__SYSLOG_MOD); + break; } return rc; } @@ -1970,7 +1979,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) } else { /* Check for a default transition on this program. */ rc = security_transition_sid(tsec->sid, isec->sid, - SECCLASS_PROCESS, &newsid); + SECCLASS_PROCESS, &newsid); if (rc) return rc; } @@ -1981,7 +1990,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) newsid = tsec->sid; - if (tsec->sid == newsid) { + if (tsec->sid == newsid) { rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); if (rc) 
@@ -2009,13 +2018,13 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) return 0; } -static int selinux_bprm_check_security (struct linux_binprm *bprm) +static int selinux_bprm_check_security(struct linux_binprm *bprm) { return secondary_ops->bprm_check_security(bprm); } -static int selinux_bprm_secureexec (struct linux_binprm *bprm) +static int selinux_bprm_secureexec(struct linux_binprm *bprm) { struct task_security_struct *tsec = current->security; int atsecure = 0; @@ -2042,7 +2051,7 @@ extern struct vfsmount *selinuxfs_mount; extern struct dentry *selinux_null; /* Derived from fs/exec.c:flush_old_files. */ -static inline void flush_unauthorized_files(struct files_struct * files) +static inline void flush_unauthorized_files(struct files_struct *files) { struct avc_audit_data ad; struct file *file, *devnull = NULL; @@ -2077,7 +2086,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) /* Revalidate access to inherited open files. */ - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); spin_lock(&files->file_lock); for (;;) { @@ -2093,7 +2102,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) if (!set) continue; spin_unlock(&files->file_lock); - for ( ; set ; i++,set >>= 1) { + for ( ; set ; i++, set >>= 1) { if (set & 1) { file = fget(i); if (!file) @@ -2250,7 +2259,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) for (i = 0; i < RLIM_NLIMITS; i++) { rlim = current->signal->rlim + i; initrlim = init_task.signal->rlim+i; - rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); + rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); } if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { /* 
@@ -2305,16 +2314,15 @@ static inline void take_option(char **to, char *from, int *first, int len) *to += len; } -static inline void take_selinux_option(char **to, char *from, int *first, - int len) +static inline void take_selinux_option(char **to, char *from, int *first, + int len) { int current_size = 0; if (!*first) { **to = '|'; *to += 1; - } - else + } else *first = 0; while (current_size < len) { @@ -2378,7 +2386,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data) if (rc) return rc; - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.path.dentry = sb->s_root; return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); } @@ -2387,29 +2395,29 @@ static int selinux_sb_statfs(struct dentry *dentry) { struct avc_audit_data ad; - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.path.dentry = dentry->d_sb->s_root; return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); } -static int selinux_mount(char * dev_name, - struct nameidata *nd, - char * type, - unsigned long flags, - void * data) +static int selinux_mount(char *dev_name, + struct path *path, + char *type, + unsigned long flags, + void *data) { int rc; - rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); + rc = secondary_ops->sb_mount(dev_name, path, type, flags, data); if (rc) return rc; if (flags & MS_REMOUNT) - return superblock_has_perm(current, nd->path.mnt->mnt_sb, - FILESYSTEM__REMOUNT, NULL); + return superblock_has_perm(current, path->mnt->mnt_sb, + FILESYSTEM__REMOUNT, NULL); else - return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, - FILE__MOUNTON); + return dentry_has_perm(current, path->mnt, path->dentry, + FILE__MOUNTON); } static int selinux_umount(struct vfsmount *mnt, int flags) 
@@ -2420,8 +2428,8 @@ static int selinux_umount(struct vfsmount *mnt, int flags) if (rc) return rc; - return superblock_has_perm(current,mnt->mnt_sb, - FILESYSTEM__UNMOUNT,NULL); + return superblock_has_perm(current, mnt->mnt_sb, + FILESYSTEM__UNMOUNT, NULL); } /* inode security operations */ @@ -2507,7 +2515,7 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru { int rc; - rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); + rc = secondary_ops->inode_link(old_dentry, dir, new_dentry); if (rc) return rc; return may_link(dir, old_dentry, MAY_LINK); @@ -2550,7 +2558,7 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod } static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, - struct inode *new_inode, struct dentry *new_dentry) + struct inode *new_inode, struct dentry *new_dentry) { return may_rename(old_inode, old_dentry, new_inode, new_dentry); } @@ -2564,7 +2572,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na { int rc; - rc = secondary_ops->inode_follow_link(dentry,nameidata); + rc = secondary_ops->inode_follow_link(dentry, nameidata); if (rc) return rc; return dentry_has_perm(current, NULL, dentry, FILE__READ); @@ -2650,7 +2658,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value if (!is_owner_or_cap(inode)) return -EPERM; - AVC_AUDIT_DATA_INIT(&ad,FS); + AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.path.dentry = dentry; rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, @@ -2668,7 +2676,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value return rc; rc = security_validate_transition(isec->sid, newsid, tsec->sid, - isec->sclass); + isec->sclass); if (rc) return rc; 
@@ -2680,7 +2688,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value } static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, - void *value, size_t size, int flags) + void *value, size_t size, int flags) { struct inode *inode = dentry->d_inode; struct inode_security_struct *isec = inode->i_security; @@ -2703,17 +2711,17 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, return; } -static int selinux_inode_getxattr (struct dentry *dentry, char *name) +static int selinux_inode_getxattr(struct dentry *dentry, char *name) { return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); } -static int selinux_inode_listxattr (struct dentry *dentry) +static int selinux_inode_listxattr(struct dentry *dentry) { return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); } -static int selinux_inode_removexattr (struct dentry *dentry, char *name) +static int selinux_inode_removexattr(struct dentry *dentry, char *name) { if (strcmp(name, XATTR_NAME_SELINUX)) return selinux_inode_setotherxattr(dentry, name); @@ -2754,7 +2762,7 @@ out_nofree: } static int selinux_inode_setsecurity(struct inode *inode, const char *name, - const void *value, size_t size, int flags) + const void *value, size_t size, int flags) { struct inode_security_struct *isec = inode->i_security; u32 newsid; @@ -2766,7 +2774,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, if (!value || !size) return -EACCES; - rc = security_context_to_sid((void*)value, size, &newsid); + rc = security_context_to_sid((void *)value, size, &newsid); if (rc) return rc; 
@@ -2792,6 +2800,12 @@ static int selinux_inode_killpriv(struct dentry *dentry) return secondary_ops->inode_killpriv(dentry); } +static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) +{ + struct inode_security_struct *isec = inode->i_security; + *secid = isec->sid; +} + /* file security operations */ static int selinux_revalidate_file_permission(struct file *file, int mask) 
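Review bot: selinux_inode_getsecid reads `inode->i_security` and dereferences it with no NULL check, and the same unguarded pattern appears in selinux_task_getsecid (which this commit changes from the selinux_get_task_sid helper to a direct `p->security` read) and in the new selinux_ipc_getsecid. If the LSM allocates the blob for every live inode, task and IPC object this is fine, but that precondition is not stated anywhere; I would add `/* i_security is assumed allocated for every live inode (no NULL check) */` above the dereference here and an equivalent line in the other two. If the replaced selinux_get_task_sid helper did any additional checking, that is lost — its body is not in this diff, so worth confirming.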
@@ -2851,42 +2865,41 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, int error = 0; switch (cmd) { - case FIONREAD: - /* fall through */ - case FIBMAP: - /* fall through */ - case FIGETBSZ: - /* fall through */ - case EXT2_IOC_GETFLAGS: - /* fall through */ - case EXT2_IOC_GETVERSION: - error = file_has_perm(current, file, FILE__GETATTR); - break; - - case EXT2_IOC_SETFLAGS: - /* fall through */ - case EXT2_IOC_SETVERSION: - error = file_has_perm(current, file, FILE__SETATTR); - break; + case FIONREAD: + /* fall through */ + case FIBMAP: + /* fall through */ + case FIGETBSZ: + /* fall through */ + case EXT2_IOC_GETFLAGS: + /* fall through */ + case EXT2_IOC_GETVERSION: + error = file_has_perm(current, file, FILE__GETATTR); + break; - /* sys_ioctl() checks */ - case FIONBIO: - /* fall through */ - case FIOASYNC: - error = file_has_perm(current, file, 0); - break; + case EXT2_IOC_SETFLAGS: + /* fall through */ + case EXT2_IOC_SETVERSION: + error = file_has_perm(current, file, FILE__SETATTR); + break; - case KDSKBENT: - case KDSKBSENT: - error = task_has_capability(current,CAP_SYS_TTY_CONFIG); - break; + /* sys_ioctl() checks */ + case FIONBIO: + /* fall through */ + case FIOASYNC: + error = file_has_perm(current, file, 0); + break; - /* default case assumes that the command will go - * to the file's ioctl() function. - */ - default: - error = file_has_perm(current, file, FILE__IOCTL); + case KDSKBENT: + case KDSKBSENT: + error = task_has_capability(current, CAP_SYS_TTY_CONFIG); + break; + /* default case assumes that the command will go + * to the file's ioctl() function. + */ + default: + error = file_has_perm(current, file, FILE__IOCTL); } return error; } 
@@ -2927,7 +2940,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, unsigned long addr, unsigned long addr_only) { int rc = 0; - u32 sid = ((struct task_security_struct*)(current->security))->sid; + u32 sid = ((struct task_security_struct *)(current->security))->sid; if (addr < mmap_min_addr) rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, @@ -2996,39 +3009,39 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd, int err = 0; switch (cmd) { - case F_SETFL: - if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { - err = -EINVAL; - break; - } + case F_SETFL: + if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { + err = -EINVAL; + break; + } - if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { - err = file_has_perm(current, file,FILE__WRITE); - break; - } - /* fall through */ - case F_SETOWN: - case F_SETSIG: - case F_GETFL: - case F_GETOWN: - case F_GETSIG: - /* Just check FD__USE permission */ - err = file_has_perm(current, file, 0); + if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { + err = file_has_perm(current, file, FILE__WRITE); break; - case F_GETLK: - case F_SETLK: - case F_SETLKW: + } + /* fall through */ + case F_SETOWN: + case F_SETSIG: + case F_GETFL: + case F_GETOWN: + case F_GETSIG: + /* Just check FD__USE permission */ + err = file_has_perm(current, file, 0); + break; + case F_GETLK: + case F_SETLK: + case F_SETLKW: #if BITS_PER_LONG == 32 - case F_GETLK64: - case F_SETLK64: - case F_SETLKW64: + case F_GETLK64: + case F_SETLK64: + case F_SETLKW64: #endif - if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { - err = -EINVAL; - break; - } - err = file_has_perm(current, file, FILE__LOCK); + if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { + err = -EINVAL; break; + } + err = file_has_perm(current, file, FILE__LOCK); + break; } return err; 
@@ -3049,13 +3062,13 @@ static int selinux_file_set_fowner(struct file *file) static int selinux_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { - struct file *file; + struct file *file; u32 perm; struct task_security_struct *tsec; struct file_security_struct *fsec; /* struct fown_struct is never outside the context of a struct file */ - file = container_of(fown, struct file, f_owner); + file = container_of(fown, struct file, f_owner); tsec = tsk->security; fsec = file->f_security; @@ -3157,7 +3170,7 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) { - return secondary_ops->task_post_setuid(id0,id1,id2,flags); + return secondary_ops->task_post_setuid(id0, id1, id2, flags); } static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) @@ -3183,7 +3196,8 @@ static int selinux_task_getsid(struct task_struct *p) static void selinux_task_getsecid(struct task_struct *p, u32 *secid) { - selinux_get_task_sid(p, secid); + struct task_security_struct *tsec = p->security; + *secid = tsec->sid; } static int selinux_task_setgroups(struct group_info *group_info) @@ -3200,7 +3214,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice) if (rc) return rc; - return task_has_perm(current,p, PROCESS__SETSCHED); + return task_has_perm(current, p, PROCESS__SETSCHED); } static int selinux_task_setioprio(struct task_struct *p, int ioprio) @@ -3289,12 +3303,13 @@ static int selinux_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, - unsigned long arg5) + unsigned long arg5, + long *rc_p) { /* The current prctl operations do not appear to require any SELinux controls since they merely observe or modify the state of the current process. */ - return 0; + return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p); } static int selinux_task_wait(struct task_struct *p) 
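Review bot: selinux_task_prctl now forwards to secondary_ops->task_prctl and gains the `rc_p` out-parameter, but the comment immediately above the return still reads as if the hook did nothing beyond observing the current process. I would reword it: `/* SELinux applies no controls to the current prctl operations; defer to the secondary module, which may set *rc_p. */`. Whether every secondary module that can be registered implements task_prctl, so that the call through secondary_ops is never NULL, is not visible here and should be confirmed.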
@@ -3304,7 +3319,7 @@ static int selinux_task_wait(struct task_struct *p) static void selinux_task_reparent_to_init(struct task_struct *p) { - struct task_security_struct *tsec; + struct task_security_struct *tsec; secondary_ops->task_reparent_to_init(p); @@ -3349,11 +3364,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, *proto = ih->protocol; switch (ih->protocol) { - case IPPROTO_TCP: { - struct tcphdr _tcph, *th; + case IPPROTO_TCP: { + struct tcphdr _tcph, *th; - if (ntohs(ih->frag_off) & IP_OFFSET) - break; + if (ntohs(ih->frag_off) & IP_OFFSET) + break; offset += ihlen; th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); @@ -3363,23 +3378,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, ad->u.net.sport = th->source; ad->u.net.dport = th->dest; break; - } - - case IPPROTO_UDP: { - struct udphdr _udph, *uh; - - if (ntohs(ih->frag_off) & IP_OFFSET) - break; - + } + + case IPPROTO_UDP: { + struct udphdr _udph, *uh; + + if (ntohs(ih->frag_off) & IP_OFFSET) + break; + offset += ihlen; - uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); + uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); if (uh == NULL) - break; + break; - ad->u.net.sport = uh->source; - ad->u.net.dport = uh->dest; - break; - } + ad->u.net.sport = uh->source; + ad->u.net.dport = uh->dest; + break; + } case IPPROTO_DCCP: { struct dccp_hdr _dccph, *dh; @@ -3395,11 +3410,11 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb, ad->u.net.sport = dh->dccph_sport; ad->u.net.dport = dh->dccph_dport; break; - } + } - default: - break; - } + default: + break; + } out: return ret; } @@ -3434,7 +3449,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, switch (nexthdr) { case IPPROTO_TCP: { - struct tcphdr _tcph, *th; + struct tcphdr _tcph, *th; th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); if (th == NULL) 
@@ -3467,7 +3482,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, ad->u.net.sport = dh->dccph_sport; ad->u.net.dport = dh->dccph_dport; break; - } + } /* includes fragments */ default: @@ -3565,7 +3580,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, if (isec->sid == SECINITSID_KERNEL) goto out; - AVC_AUDIT_DATA_INIT(&ad,NET); + AVC_AUDIT_DATA_INIT(&ad, NET); ad.u.net.sk = sock->sk; err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); @@ -3675,7 +3690,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in snum, &sid); if (err) goto out; - AVC_AUDIT_DATA_INIT(&ad,NET); + AVC_AUDIT_DATA_INIT(&ad, NET); ad.u.net.sport = htons(snum); ad.u.net.family = family; err = avc_has_perm(isec->sid, sid, @@ -3685,12 +3700,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in goto out; } } - - switch(isec->sclass) { + + switch (isec->sclass) { case SECCLASS_TCP_SOCKET: node_perm = TCP_SOCKET__NODE_BIND; break; - + case SECCLASS_UDP_SOCKET: node_perm = UDP_SOCKET__NODE_BIND; break; @@ -3703,12 +3718,12 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in node_perm = RAWIP_SOCKET__NODE_BIND; break; } - + err = sel_netnode_sid(addrp, family, &sid); if (err) goto out; - - AVC_AUDIT_DATA_INIT(&ad,NET); + + AVC_AUDIT_DATA_INIT(&ad, NET); ad.u.net.sport = htons(snum); ad.u.net.family = family; @@ -3718,7 +3733,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); err = avc_has_perm(isec->sid, sid, - isec->sclass, node_perm, &ad); + isec->sclass, node_perm, &ad); if (err) goto out; } 
@@ -3767,7 +3782,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; - AVC_AUDIT_DATA_INIT(&ad,NET); + AVC_AUDIT_DATA_INIT(&ad, NET); ad.u.net.dport = htons(snum); ad.u.net.family = sk->sk_family; err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); @@ -3805,7 +3820,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) } static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, - int size) + int size) { int rc; @@ -3832,7 +3847,7 @@ static int selinux_socket_getpeername(struct socket *sock) return socket_has_perm(current, sock, SOCKET__GETATTR); } -static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) +static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) { int err; @@ -3871,7 +3886,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, isec = SOCK_INODE(sock)->i_security; other_isec = SOCK_INODE(other)->i_security; - AVC_AUDIT_DATA_INIT(&ad,NET); + AVC_AUDIT_DATA_INIT(&ad, NET); ad.u.net.sk = other->sk; err = avc_has_perm(isec->sid, other_isec->sid, @@ -3883,7 +3898,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, /* connecting socket */ ssec = sock->sk->sk_security; ssec->peer_sid = other_isec->sid; - + /* server child socket */ ssec = newsk->sk_security; ssec->peer_sid = isec->sid; @@ -3903,7 +3918,7 @@ static int selinux_socket_unix_may_send(struct socket *sock, isec = SOCK_INODE(sock)->i_security; other_isec = SOCK_INODE(other)->i_security; - AVC_AUDIT_DATA_INIT(&ad,NET); + AVC_AUDIT_DATA_INIT(&ad, NET); ad.u.net.sk = other->sk; err = avc_has_perm(isec->sid, other_isec->sid, 
@@ -3981,7 +3996,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); if (err) return err; - + err = sel_netnode_sid(addrp, family, &node_sid); if (err) return err; @@ -4132,7 +4147,7 @@ out_len: err = -EFAULT; kfree(scontext); -out: +out: return err; } @@ -4149,7 +4164,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * goto out; if (sock && family == PF_UNIX) - selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); + selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); else if (skb) selinux_skb_peerlbl_sid(skb, family, &peer_secid); @@ -4193,7 +4208,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid) } } -static void selinux_sock_graft(struct sock* sk, struct socket *parent) +static void selinux_sock_graft(struct sock *sk, struct socket *parent) { struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; struct sk_security_struct *sksec = sk->sk_security; @@ -4270,13 +4285,13 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) struct nlmsghdr *nlh; struct socket *sock = sk->sk_socket; struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; - + if (skb->len < NLMSG_SPACE(0)) { err = -EINVAL; goto out; } nlh = nlmsg_hdr(skb); - + err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); if (err) { if (err == -EINVAL) { @@ -4402,7 +4417,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk, return err; err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); return err; - + err = sel_netnode_sid(addrp, family, &node_sid); if (err) return err; 
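Review bot: In the last hunk on this line (selinux_ip_postroute_iptables_compat) the `return err;` after the NETIF avc_has_perm call is unconditional — the hunk's 7-line count leaves no room for an `if (err)` before it — so the sel_netnode_sid lookup and everything after it are unreachable and the node and port checks on the postroute path are never made. The receive-side twin in the first hunk on this line (selinux_sock_rcv_skb_iptables_compat) has the guard; it should read `if (err)` followed by `return err;` here as well. The commit appears to be a whitespace cleanup and so does not introduce the problem, but it reindents the surrounding lines without fixing it. selinux_ip_postroute_iptables_compat begins and ends outside the hunk.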
@@ -4585,7 +4600,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability) ad.u.cap = capability; return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, - SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); + SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); } static int ipc_alloc_security(struct task_struct *task, @@ -4677,7 +4692,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) isec = msq->q_perm.security; AVC_AUDIT_DATA_INIT(&ad, IPC); - ad.u.ipc_id = msq->q_perm.key; + ad.u.ipc_id = msq->q_perm.key; rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, MSGQ__CREATE, &ad); @@ -4714,7 +4729,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) int err; int perms; - switch(cmd) { + switch (cmd) { case IPC_INFO: case MSG_INFO: /* No specific object, just general system-wide information. */ @@ -4798,7 +4813,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, msec = msg->security; AVC_AUDIT_DATA_INIT(&ad, IPC); - ad.u.ipc_id = msq->q_perm.key; + ad.u.ipc_id = msq->q_perm.key; rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, MSGQ__READ, &ad); @@ -4824,7 +4839,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) isec = shp->shm_perm.security; AVC_AUDIT_DATA_INIT(&ad, IPC); - ad.u.ipc_id = shp->shm_perm.key; + ad.u.ipc_id = shp->shm_perm.key; rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, SHM__CREATE, &ad); @@ -4862,7 +4877,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) int perms; int err; - switch(cmd) { + switch (cmd) { case IPC_INFO: case SHM_INFO: /* No specific object, just general system-wide information. */ @@ -4923,7 +4938,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) isec = sma->sem_perm.security; AVC_AUDIT_DATA_INIT(&ad, IPC); - ad.u.ipc_id = sma->sem_perm.key; + ad.u.ipc_id = sma->sem_perm.key; rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, SEM__CREATE, &ad); 
@@ -4961,7 +4976,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd) int err; u32 perms; - switch(cmd) { + switch (cmd) { case IPC_INFO: case SEM_INFO: /* No specific object, just general system-wide information. */ @@ -5026,14 +5041,20 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return ipc_has_perm(ipcp, av); } +static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +{ + struct ipc_security_struct *isec = ipcp->security; + *secid = isec->sid; +} + /* module stacking operations */ -static int selinux_register_security (const char *name, struct security_operations *ops) +static int selinux_register_security(const char *name, struct security_operations *ops) { if (secondary_ops != original_ops) { printk(KERN_ERR "%s: There is already a secondary security " "module registered.\n", __func__); return -EINVAL; - } + } secondary_ops = ops; @@ -5044,7 +5065,7 @@ static int selinux_register_security (const char *name, struct security_operatio return 0; } -static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) +static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) { if (inode) inode_doinit_with_dentry(inode, dentry); @@ -5172,11 +5193,11 @@ static int selinux_setprocattr(struct task_struct *p, } while_each_thread(g, t); read_unlock(&tasklist_lock); - } + } /* Check permissions for the transition. */ error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, - PROCESS__DYNTRANSITION, NULL); + PROCESS__DYNTRANSITION, NULL); if (error) return error; @@ -5204,8 +5225,7 @@ static int selinux_setprocattr(struct task_struct *p, tsec->sid = sid; task_unlock(p); } - } - else + } else return -EINVAL; return size; @@ -5281,6 +5301,8 @@ static int selinux_key_permission(key_ref_t key_ref, #endif static struct security_operations selinux_ops = { + .name = "selinux", + .ptrace = selinux_ptrace, .capget = selinux_capget, .capset_check = selinux_capset_check, 
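Review bot: The rewritten `} else` / `return -EINVAL;` in the selinux_setprocattr hunk leaves the else branch unbraced while the if branch is a multi-line braced block; the kernel CodingStyle asks for braces on both branches when either needs them, so this should read `} else {` / `return -EINVAL;` / `}`. Separately, the new selinux_ipc_getsecid hook in the earlier hunk carries no comment and dereferences `ipcp->security` unconditionally; a one-liner such as `/* Report the SID of an IPC object; ipcp->security is assumed set by ipc_alloc_security(). */` would make that assumption explicit for the next reader. selinux_setprocattr's body starts and ends outside its hunk.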
@@ -5293,7 +5315,7 @@ static struct security_operations selinux_ops = { .vm_enough_memory = selinux_vm_enough_memory, .netlink_send = selinux_netlink_send, - .netlink_recv = selinux_netlink_recv, + .netlink_recv = selinux_netlink_recv, .bprm_alloc_security = selinux_bprm_alloc_security, .bprm_free_security = selinux_bprm_free_security, @@ -5306,13 +5328,13 @@ static struct security_operations selinux_ops = { .sb_alloc_security = selinux_sb_alloc_security, .sb_free_security = selinux_sb_free_security, .sb_copy_data = selinux_sb_copy_data, - .sb_kern_mount = selinux_sb_kern_mount, + .sb_kern_mount = selinux_sb_kern_mount, .sb_statfs = selinux_sb_statfs, .sb_mount = selinux_mount, .sb_umount = selinux_umount, .sb_get_mnt_opts = selinux_get_mnt_opts, .sb_set_mnt_opts = selinux_set_mnt_opts, - .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, + .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, .sb_parse_opts_str = selinux_parse_opts_str, @@ -5337,11 +5359,12 @@ static struct security_operations selinux_ops = { .inode_getxattr = selinux_inode_getxattr, .inode_listxattr = selinux_inode_listxattr, .inode_removexattr = selinux_inode_removexattr, - .inode_getsecurity = selinux_inode_getsecurity, - .inode_setsecurity = selinux_inode_setsecurity, - .inode_listsecurity = selinux_inode_listsecurity, + .inode_getsecurity = selinux_inode_getsecurity, + .inode_setsecurity = selinux_inode_setsecurity, + .inode_listsecurity = selinux_inode_listsecurity, .inode_need_killpriv = selinux_inode_need_killpriv, .inode_killpriv = selinux_inode_killpriv, + .inode_getsecid = selinux_inode_getsecid, .file_permission = selinux_file_permission, .file_alloc_security = selinux_file_alloc_security, 
@@ -5355,7 +5378,7 @@ static struct security_operations selinux_ops = { .file_send_sigiotask = selinux_file_send_sigiotask, .file_receive = selinux_file_receive, - .dentry_open = selinux_dentry_open, + .dentry_open = selinux_dentry_open, .task_create = selinux_task_create, .task_alloc_security = selinux_task_alloc_security, @@ -5365,7 +5388,7 @@ static struct security_operations selinux_ops = { .task_setgid = selinux_task_setgid, .task_setpgid = selinux_task_setpgid, .task_getpgid = selinux_task_getpgid, - .task_getsid = selinux_task_getsid, + .task_getsid = selinux_task_getsid, .task_getsecid = selinux_task_getsecid, .task_setgroups = selinux_task_setgroups, .task_setnice = selinux_task_setnice, @@ -5379,9 +5402,10 @@ static struct security_operations selinux_ops = { .task_wait = selinux_task_wait, .task_prctl = selinux_task_prctl, .task_reparent_to_init = selinux_task_reparent_to_init, - .task_to_inode = selinux_task_to_inode, + .task_to_inode = selinux_task_to_inode, .ipc_permission = selinux_ipc_permission, + .ipc_getsecid = selinux_ipc_getsecid, .msg_msg_alloc_security = selinux_msg_msg_alloc_security, .msg_msg_free_security = selinux_msg_msg_free_security, 
@@ -5399,24 +5423,24 @@ static struct security_operations selinux_ops = { .shm_shmctl = selinux_shm_shmctl, .shm_shmat = selinux_shm_shmat, - .sem_alloc_security = selinux_sem_alloc_security, - .sem_free_security = selinux_sem_free_security, + .sem_alloc_security = selinux_sem_alloc_security, + .sem_free_security = selinux_sem_free_security, .sem_associate = selinux_sem_associate, .sem_semctl = selinux_sem_semctl, .sem_semop = selinux_sem_semop, .register_security = selinux_register_security, - .d_instantiate = selinux_d_instantiate, + .d_instantiate = selinux_d_instantiate, - .getprocattr = selinux_getprocattr, - .setprocattr = selinux_setprocattr, + .getprocattr = selinux_getprocattr, + .setprocattr = selinux_setprocattr, .secid_to_secctx = selinux_secid_to_secctx, .secctx_to_secid = selinux_secctx_to_secid, .release_secctx = selinux_release_secctx, - .unix_stream_connect = selinux_socket_unix_stream_connect, + .unix_stream_connect = selinux_socket_unix_stream_connect, .unix_may_send = selinux_socket_unix_may_send, .socket_create = selinux_socket_create, @@ -5438,7 +5462,7 @@ static struct security_operations selinux_ops = { .sk_alloc_security = selinux_sk_alloc_security, .sk_free_security = selinux_sk_free_security, .sk_clone_security = selinux_sk_clone_security, - .sk_getsecid = selinux_sk_getsecid, + .sk_getsecid = selinux_sk_getsecid, .sock_graft = selinux_sock_graft, .inet_conn_request = selinux_inet_conn_request, .inet_csk_clone = selinux_inet_csk_clone, 
@@ -5453,15 +5477,22 @@ static struct security_operations selinux_ops = { .xfrm_state_alloc_security = selinux_xfrm_state_alloc, .xfrm_state_free_security = selinux_xfrm_state_free, .xfrm_state_delete_security = selinux_xfrm_state_delete, - .xfrm_policy_lookup = selinux_xfrm_policy_lookup, + .xfrm_policy_lookup = selinux_xfrm_policy_lookup, .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, .xfrm_decode_session = selinux_xfrm_decode_session, #endif #ifdef CONFIG_KEYS - .key_alloc = selinux_key_alloc, - .key_free = selinux_key_free, - .key_permission = selinux_key_permission, + .key_alloc = selinux_key_alloc, + .key_free = selinux_key_free, + .key_permission = selinux_key_permission, +#endif + +#ifdef CONFIG_AUDIT + .audit_rule_init = selinux_audit_rule_init, + .audit_rule_known = selinux_audit_rule_known, + .audit_rule_match = selinux_audit_rule_match, + .audit_rule_free = selinux_audit_rule_free, #endif }; @@ -5469,6 +5500,11 @@ static __init int selinux_init(void) { struct task_security_struct *tsec; + if (!security_module_enable(&selinux_ops)) { + selinux_enabled = 0; + return 0; + } + if (!selinux_enabled) { printk(KERN_INFO "SELinux: Disabled at boot.\n"); return 0; @@ -5489,15 +5525,14 @@ static __init int selinux_init(void) original_ops = secondary_ops = security_ops; if (!secondary_ops) - panic ("SELinux: No initial security operations\n"); - if (register_security (&selinux_ops)) + panic("SELinux: No initial security operations\n"); + if (register_security(&selinux_ops)) panic("SELinux: Unable to register with kernel.\n"); - if (selinux_enforcing) { + if (selinux_enforcing) printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); - } else { + else printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); - } #ifdef CONFIG_KEYS /* Add security information to initial keyrings */ 
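Review bot: The new `security_module_enable(&selinux_ops)` failure path in selinux_init clears `selinux_enabled` and returns without any message, whereas the `!selinux_enabled` branch directly below logs "SELinux: Disabled at boot."; from dmesg an administrator cannot tell SELinux being displaced by another LSM apart from a deliberate boot-time disable. Adding `printk(KERN_INFO "SELinux: Not enabled as the security module.\n");` before that `return 0;` keeps the two outcomes distinguishable, which matters when auditing why a system is running without the expected enforcement. selinux_init's body continues past the hunk.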
@@ -5522,8 +5557,8 @@ next_sb: if (!list_empty(&superblock_security_head)) { struct superblock_security_struct *sbsec = list_entry(superblock_security_head.next, - struct superblock_security_struct, - list); + struct superblock_security_struct, + list); struct super_block *sb = sbsec->sb; sb->s_count++; spin_unlock(&sb_security_lock); @@ -5642,10 +5677,11 @@ static void selinux_nf_ip_exit(void) #endif /* CONFIG_NETFILTER */ #ifdef CONFIG_SECURITY_SELINUX_DISABLE +static int selinux_disabled; + int selinux_disable(void) { extern void exit_sel_fs(void); - static int selinux_disabled = 0; if (ss_initialized) { /* Not permitted after initial policy load. */
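Review bot: The `selinux_disabled` flag hoisted to file scope in the last hunk gets no comment, and nothing visible in the hunk shows another reader that needs the wider scope the move gives it over the function-static it replaces. A short comment on the declaration, such as `/* Latched by selinux_disable(); presumably so the disable runs only once — confirm. */`, would record the intent for the next maintainer. selinux_disable's body continues outside the hunk.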