forked from Minki/linux
selinux/stable-6.1 PR 20221003
-----BEGIN PGP SIGNATURE-----
iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmM68ZsUHHBhdWxAcGF1
bC1tb29yZS5jb20ACgkQ6iDy2pc3iXOAtRAAw/lcyPoyN8ia6+PPihRtAKGUFIf5
+IdEPYfCqkGghqB7BRDl5bXOLFgpY/m/41g+xFvzJ0fhVPLa7UWB//N7yTu3OnW/
vXz1wn0EJAeDlLbPzWd6V/SpcxJ1WPzjHj2B3YXNWnukfMjCnPIA8XlZc18zAWS1
/OOEBoOo/a/8Giw2l1bEXxfmDI20NrXNL3vWKQ+Bbhg2PJaH/FTk4DNxopt84o28
vA+cbfQcOOjeRjBuncnTp9/b244ojeM+lRSJZozGTogFIeDUp3KW1D7NHqNwyX12
seDooqLEP25vP+kQh8zH7gvacpoeDLz40bSpd+MKKj02IxKGikykWuvtlFWY3xNB
o1mT4SJhh3JcewS7gh6P5aESSSgLg9zb3zMGtjHhtz+HHi/Sq7PK7xJgrnKOBNgu
CLIu3L+5vJpAgrsze2tIcwRUySIzDKnfgw8Oz7zaS2lOTJ58emz00QwEioHMQufK
8gZXTvZykJAtLF19PJw+mHKu38hbdD/4vt8AFuIgJzFkjWKzaZAxUBT+3p/uaLHG
2PegjKzpCqH9vZ/HCdYI42OB8TKiPU3eBtYZ2eP3h7cdDu++tp1rf0hwHQrwE2AD
PRuoCaBYOTUedbR8CV07fSSGFnZvlPnuk9yB7/eztV2thBQG28ALGxVhWadn4ap/
UIFgCs5QDRj11u8=
=BQ+i
-----END PGP SIGNATURE-----
Merge tag 'selinux-pr-20221003' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull SELinux updates from Paul Moore:
"Six SELinux patches, all are simple and easily understood, but a list
of the highlights is below:
- Use 'grep -E' instead of 'egrep' in the SELinux policy install
script.
Fun fact, this seems to be GregKH's *second* dedicated SELinux
patch since we transitioned to git (ignoring merges, the SPDX
stuff, and a trivial fs reference removal when lustre was yanked);
the first was back in 2011 when selinuxfs was placed in
/sys/fs/selinux. Oh, the memories ...
- Convert the SELinux policy boolean values to use signed integer
types throughout the SELinux kernel code.
Prior to this we were using a mix of signed and unsigned integers
which was probably okay in this particular case, but it is
definitely not a good idea in general.
- Remove a reference to the SELinux runtime disable functionality in
/etc/selinux/config as we are in the process of deprecating that.
See [1] for more background on this if you missed the previous
notes on the deprecation.
- Minor cleanups: remove unneeded variables and function parameter
constification"
Link: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable [1]
* tag 'selinux-pr-20221003' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: remove runtime disable message in the install_policy.sh script
selinux: use "grep -E" instead of "egrep"
selinux: remove the unneeded result variable
selinux: declare read-only parameters const
selinux: use int arrays for boolean values
selinux: remove an unneeded variable in sel_make_class_dir_entries()
This commit is contained in:
Linus Torvalds
commit
e816da29bc
@ -31,8 +31,7 @@ fi
|
||||
if selinuxenabled; then
|
||||
echo "SELinux is already enabled"
|
||||
echo "This prevents safely relabeling all files."
|
||||
echo "Boot with selinux=0 on the kernel command-line or"
|
||||
echo "SELINUX=disabled in /etc/selinux/config."
|
||||
echo "Boot with selinux=0 on the kernel command-line."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -78,7 +77,7 @@ cd /etc/selinux/dummy/contexts/files
|
||||
$SF -F file_contexts /
|
||||
|
||||
mounts=`cat /proc/$$/mounts | \
|
||||
egrep "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
|
||||
grep -E "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
|
||||
awk '{ print $2 '}`
|
||||
$SF -F file_contexts $mounts
|
||||
|
||||
|
||||
@ -5987,7 +5987,6 @@ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
|
||||
struct ipc_security_struct *isec;
|
||||
struct common_audit_data ad;
|
||||
u32 sid = current_sid();
|
||||
int rc;
|
||||
|
||||
isec = selinux_ipc(msq);
|
||||
ipc_init_security(isec, SECCLASS_MSGQ);
|
||||
@ -5995,10 +5994,9 @@ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
|
||||
ad.type = LSM_AUDIT_DATA_IPC;
|
||||
ad.u.ipc_id = msq->key;
|
||||
|
||||
rc = avc_has_perm(&selinux_state,
|
||||
sid, isec->sid, SECCLASS_MSGQ,
|
||||
MSGQ__CREATE, &ad);
|
||||
return rc;
|
||||
return avc_has_perm(&selinux_state,
|
||||
sid, isec->sid, SECCLASS_MSGQ,
|
||||
MSGQ__CREATE, &ad);
|
||||
}
|
||||
|
||||
static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
|
||||
@ -6126,7 +6124,6 @@ static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
|
||||
struct ipc_security_struct *isec;
|
||||
struct common_audit_data ad;
|
||||
u32 sid = current_sid();
|
||||
int rc;
|
||||
|
||||
isec = selinux_ipc(shp);
|
||||
ipc_init_security(isec, SECCLASS_SHM);
|
||||
@ -6134,10 +6131,9 @@ static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
|
||||
ad.type = LSM_AUDIT_DATA_IPC;
|
||||
ad.u.ipc_id = shp->key;
|
||||
|
||||
rc = avc_has_perm(&selinux_state,
|
||||
sid, isec->sid, SECCLASS_SHM,
|
||||
SHM__CREATE, &ad);
|
||||
return rc;
|
||||
return avc_has_perm(&selinux_state,
|
||||
sid, isec->sid, SECCLASS_SHM,
|
||||
SHM__CREATE, &ad);
|
||||
}
|
||||
|
||||
static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
|
||||
@ -6211,7 +6207,6 @@ static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
|
||||
struct ipc_security_struct *isec;
|
||||
struct common_audit_data ad;
|
||||
u32 sid = current_sid();
|
||||
int rc;
|
||||
|
||||
isec = selinux_ipc(sma);
|
||||
ipc_init_security(isec, SECCLASS_SEM);
|
||||
@ -6219,10 +6214,9 @@ static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
|
||||
ad.type = LSM_AUDIT_DATA_IPC;
|
||||
ad.u.ipc_id = sma->key;
|
||||
|
||||
rc = avc_has_perm(&selinux_state,
|
||||
sid, isec->sid, SECCLASS_SEM,
|
||||
SEM__CREATE, &ad);
|
||||
return rc;
|
||||
return avc_has_perm(&selinux_state,
|
||||
sid, isec->sid, SECCLASS_SEM,
|
||||
SEM__CREATE, &ad);
|
||||
}
|
||||
|
||||
static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
|
||||
|
||||
@ -71,7 +71,7 @@ struct selinux_fs_info {
|
||||
struct dentry *bool_dir;
|
||||
unsigned int bool_num;
|
||||
char **bool_pending_names;
|
||||
unsigned int *bool_pending_values;
|
||||
int *bool_pending_values;
|
||||
struct dentry *class_dir;
|
||||
unsigned long last_class_ino;
|
||||
bool policy_opened;
|
||||
@ -356,7 +356,7 @@ static const struct file_operations sel_policyvers_ops = {
|
||||
/* declaration for sel_write_load */
|
||||
static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_dir,
|
||||
unsigned int *bool_num, char ***bool_pending_names,
|
||||
unsigned int **bool_pending_values);
|
||||
int **bool_pending_values);
|
||||
static int sel_make_classes(struct selinux_policy *newpolicy,
|
||||
struct dentry *class_dir,
|
||||
unsigned long *last_class_ino);
|
||||
@ -527,7 +527,7 @@ static const struct file_operations sel_policy_ops = {
|
||||
};
|
||||
|
||||
static void sel_remove_old_bool_data(unsigned int bool_num, char **bool_names,
|
||||
unsigned int *bool_values)
|
||||
int *bool_values)
|
||||
{
|
||||
u32 i;
|
||||
|
||||
@ -545,7 +545,7 @@ static int sel_make_policy_nodes(struct selinux_fs_info *fsi,
|
||||
struct dentry *tmp_parent, *tmp_bool_dir, *tmp_class_dir, *old_dentry;
|
||||
unsigned int tmp_bool_num, old_bool_num;
|
||||
char **tmp_bool_names, **old_bool_names;
|
||||
unsigned int *tmp_bool_values, *old_bool_values;
|
||||
int *tmp_bool_values, *old_bool_values;
|
||||
unsigned long tmp_ino = fsi->last_ino; /* Don't increment last_ino in this function */
|
||||
|
||||
tmp_parent = sel_make_disconnected_dir(fsi->sb, &tmp_ino);
|
||||
@ -1423,7 +1423,7 @@ static void sel_remove_entries(struct dentry *de)
|
||||
|
||||
static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_dir,
|
||||
unsigned int *bool_num, char ***bool_pending_names,
|
||||
unsigned int **bool_pending_values)
|
||||
int **bool_pending_values)
|
||||
{
|
||||
int ret;
|
||||
ssize_t len;
|
||||
@ -1917,7 +1917,6 @@ static int sel_make_class_dir_entries(struct selinux_policy *newpolicy,
|
||||
struct selinux_fs_info *fsi = sb->s_fs_info;
|
||||
struct dentry *dentry = NULL;
|
||||
struct inode *inode = NULL;
|
||||
int rc;
|
||||
|
||||
dentry = d_alloc_name(dir, "index");
|
||||
if (!dentry)
|
||||
@ -1937,9 +1936,7 @@ static int sel_make_class_dir_entries(struct selinux_policy *newpolicy,
|
||||
if (IS_ERR(dentry))
|
||||
return PTR_ERR(dentry);
|
||||
|
||||
rc = sel_make_perm_files(newpolicy, classname, index, dentry);
|
||||
|
||||
return rc;
|
||||
return sel_make_perm_files(newpolicy, classname, index, dentry);
|
||||
}
|
||||
|
||||
static int sel_make_classes(struct selinux_policy *newpolicy,
|
||||
|
||||
@ -38,7 +38,7 @@ static inline void mls_context_init(struct context *c)
|
||||
memset(&c->range, 0, sizeof(c->range));
|
||||
}
|
||||
|
||||
static inline int mls_context_cpy(struct context *dst, struct context *src)
|
||||
static inline int mls_context_cpy(struct context *dst, const struct context *src)
|
||||
{
|
||||
int rc;
|
||||
|
||||
@ -58,7 +58,7 @@ out:
|
||||
/*
|
||||
* Sets both levels in the MLS range of 'dst' to the low level of 'src'.
|
||||
*/
|
||||
static inline int mls_context_cpy_low(struct context *dst, struct context *src)
|
||||
static inline int mls_context_cpy_low(struct context *dst, const struct context *src)
|
||||
{
|
||||
int rc;
|
||||
|
||||
@ -78,7 +78,7 @@ out:
|
||||
/*
|
||||
* Sets both levels in the MLS range of 'dst' to the high level of 'src'.
|
||||
*/
|
||||
static inline int mls_context_cpy_high(struct context *dst, struct context *src)
|
||||
static inline int mls_context_cpy_high(struct context *dst, const struct context *src)
|
||||
{
|
||||
int rc;
|
||||
|
||||
@ -97,9 +97,10 @@ out:
|
||||
|
||||
|
||||
static inline int mls_context_glblub(struct context *dst,
|
||||
struct context *c1, struct context *c2)
|
||||
const struct context *c1, const struct context *c2)
|
||||
{
|
||||
struct mls_range *dr = &dst->range, *r1 = &c1->range, *r2 = &c2->range;
|
||||
struct mls_range *dr = &dst->range;
|
||||
const struct mls_range *r1 = &c1->range, *r2 = &c2->range;
|
||||
int rc = 0;
|
||||
|
||||
if (r1->level[1].sens < r2->level[0].sens ||
|
||||
@ -127,7 +128,7 @@ out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
static inline int mls_context_cmp(struct context *c1, struct context *c2)
|
||||
static inline int mls_context_cmp(const struct context *c1, const struct context *c2)
|
||||
{
|
||||
return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
|
||||
ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
|
||||
@ -147,7 +148,7 @@ static inline void context_init(struct context *c)
|
||||
memset(c, 0, sizeof(*c));
|
||||
}
|
||||
|
||||
static inline int context_cpy(struct context *dst, struct context *src)
|
||||
static inline int context_cpy(struct context *dst, const struct context *src)
|
||||
{
|
||||
int rc;
|
||||
|
||||
@ -180,7 +181,7 @@ static inline void context_destroy(struct context *c)
|
||||
mls_context_destroy(c);
|
||||
}
|
||||
|
||||
static inline int context_cmp(struct context *c1, struct context *c2)
|
||||
static inline int context_cmp(const struct context *c1, const struct context *c2)
|
||||
{
|
||||
if (c1->len && c2->len)
|
||||
return (c1->len == c2->len && !strcmp(c1->str, c2->str));
|
||||
|
||||
@ -28,9 +28,9 @@
|
||||
|
||||
static struct kmem_cache *ebitmap_node_cachep __ro_after_init;
|
||||
|
||||
int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2)
|
||||
int ebitmap_cmp(const struct ebitmap *e1, const struct ebitmap *e2)
|
||||
{
|
||||
struct ebitmap_node *n1, *n2;
|
||||
const struct ebitmap_node *n1, *n2;
|
||||
|
||||
if (e1->highbit != e2->highbit)
|
||||
return 0;
|
||||
@ -50,9 +50,10 @@ int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2)
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)
|
||||
int ebitmap_cpy(struct ebitmap *dst, const struct ebitmap *src)
|
||||
{
|
||||
struct ebitmap_node *n, *new, *prev;
|
||||
struct ebitmap_node *new, *prev;
|
||||
const struct ebitmap_node *n;
|
||||
|
||||
ebitmap_init(dst);
|
||||
n = src->node;
|
||||
@ -78,7 +79,7 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)
|
||||
return 0;
|
||||
}
|
||||
|
||||
int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2)
|
||||
int ebitmap_and(struct ebitmap *dst, const struct ebitmap *e1, const struct ebitmap *e2)
|
||||
{
|
||||
struct ebitmap_node *n;
|
||||
int bit, rc;
|
||||
@ -217,9 +218,9 @@ netlbl_import_failure:
|
||||
* if last_e2bit is non-zero, the highest set bit in e2 cannot exceed
|
||||
* last_e2bit.
|
||||
*/
|
||||
int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit)
|
||||
int ebitmap_contains(const struct ebitmap *e1, const struct ebitmap *e2, u32 last_e2bit)
|
||||
{
|
||||
struct ebitmap_node *n1, *n2;
|
||||
const struct ebitmap_node *n1, *n2;
|
||||
int i;
|
||||
|
||||
if (e1->highbit < e2->highbit)
|
||||
@ -258,9 +259,9 @@ int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit)
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ebitmap_get_bit(struct ebitmap *e, unsigned long bit)
|
||||
int ebitmap_get_bit(const struct ebitmap *e, unsigned long bit)
|
||||
{
|
||||
struct ebitmap_node *n;
|
||||
const struct ebitmap_node *n;
|
||||
|
||||
if (e->highbit < bit)
|
||||
return 0;
|
||||
@ -467,7 +468,7 @@ bad:
|
||||
goto out;
|
||||
}
|
||||
|
||||
int ebitmap_write(struct ebitmap *e, void *fp)
|
||||
int ebitmap_write(const struct ebitmap *e, void *fp)
|
||||
{
|
||||
struct ebitmap_node *n;
|
||||
u32 count;
|
||||
|
||||
@ -44,7 +44,7 @@ struct ebitmap {
|
||||
|
||||
#define ebitmap_length(e) ((e)->highbit)
|
||||
|
||||
static inline unsigned int ebitmap_start_positive(struct ebitmap *e,
|
||||
static inline unsigned int ebitmap_start_positive(const struct ebitmap *e,
|
||||
struct ebitmap_node **n)
|
||||
{
|
||||
unsigned int ofs;
|
||||
@ -62,7 +62,7 @@ static inline void ebitmap_init(struct ebitmap *e)
|
||||
memset(e, 0, sizeof(*e));
|
||||
}
|
||||
|
||||
static inline unsigned int ebitmap_next_positive(struct ebitmap *e,
|
||||
static inline unsigned int ebitmap_next_positive(const struct ebitmap *e,
|
||||
struct ebitmap_node **n,
|
||||
unsigned int bit)
|
||||
{
|
||||
@ -85,7 +85,7 @@ static inline unsigned int ebitmap_next_positive(struct ebitmap *e,
|
||||
#define EBITMAP_NODE_OFFSET(node, bit) \
|
||||
(((bit) - (node)->startbit) % EBITMAP_UNIT_SIZE)
|
||||
|
||||
static inline int ebitmap_node_get_bit(struct ebitmap_node *n,
|
||||
static inline int ebitmap_node_get_bit(const struct ebitmap_node *n,
|
||||
unsigned int bit)
|
||||
{
|
||||
unsigned int index = EBITMAP_NODE_INDEX(n, bit);
|
||||
@ -122,15 +122,15 @@ static inline void ebitmap_node_clr_bit(struct ebitmap_node *n,
|
||||
(bit) < ebitmap_length(e); \
|
||||
(bit) = ebitmap_next_positive(e, &(n), bit)) \
|
||||
|
||||
int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
|
||||
int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
|
||||
int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2);
|
||||
int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit);
|
||||
int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
|
||||
int ebitmap_cmp(const struct ebitmap *e1, const struct ebitmap *e2);
|
||||
int ebitmap_cpy(struct ebitmap *dst, const struct ebitmap *src);
|
||||
int ebitmap_and(struct ebitmap *dst, const struct ebitmap *e1, const struct ebitmap *e2);
|
||||
int ebitmap_contains(const struct ebitmap *e1, const struct ebitmap *e2, u32 last_e2bit);
|
||||
int ebitmap_get_bit(const struct ebitmap *e, unsigned long bit);
|
||||
int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
|
||||
void ebitmap_destroy(struct ebitmap *e);
|
||||
int ebitmap_read(struct ebitmap *e, void *fp);
|
||||
int ebitmap_write(struct ebitmap *e, void *fp);
|
||||
int ebitmap_write(const struct ebitmap *e, void *fp);
|
||||
u32 ebitmap_hash(const struct ebitmap *e, u32 hash);
|
||||
|
||||
#ifdef CONFIG_NETLABEL
|
||||
|
||||
@ -27,13 +27,13 @@ struct mls_range {
|
||||
struct mls_level level[2]; /* low == level[0], high == level[1] */
|
||||
};
|
||||
|
||||
static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
|
||||
static inline int mls_level_eq(const struct mls_level *l1, const struct mls_level *l2)
|
||||
{
|
||||
return ((l1->sens == l2->sens) &&
|
||||
ebitmap_cmp(&l1->cat, &l2->cat));
|
||||
}
|
||||
|
||||
static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
|
||||
static inline int mls_level_dom(const struct mls_level *l1, const struct mls_level *l2)
|
||||
{
|
||||
return ((l1->sens >= l2->sens) &&
|
||||
ebitmap_contains(&l1->cat, &l2->cat, 0));
|
||||
|
||||
Loading…
Reference in New Issue
Block a user