diff options
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/hooks.c | 24 | ||||
| -rw-r--r-- | security/selinux/xfrm.c | 34 |
2 files changed, 32 insertions, 26 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9f8e9b2..c956390 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1572,6 +1572,18 @@ static inline int path_has_perm(const struct cred *cred, return inode_has_perm(cred, inode, av, &ad, 0); } +/* Same as path_has_perm, but uses the inode from the file struct. */ +static inline int file_path_has_perm(const struct cred *cred, + struct file *file, + u32 av) +{ + struct common_audit_data ad; + + ad.type = LSM_AUDIT_DATA_PATH; + ad.u.path = file->f_path; + return inode_has_perm(cred, file_inode(file), av, &ad, 0); +} + /* Check whether a task can use an open file descriptor to access an inode in a given way. Check access to the descriptor itself, and then use dentry_has_perm to @@ -2166,14 +2178,14 @@ static inline void flush_unauthorized_files(const struct cred *cred, struct tty_file_private *file_priv; /* Revalidate access to controlling tty. - Use path_has_perm on the tty path directly rather - than using file_has_perm, as this particular open - file may belong to another process and we are only - interested in the inode-based check here. */ + Use file_path_has_perm on the tty path directly + rather than using file_has_perm, as this particular + open file may belong to another process and we are + only interested in the inode-based check here. */ file_priv = list_first_entry(&tty->tty_files, struct tty_file_private, list); file = file_priv->file; - if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE)) + if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) drop_tty = 1; } spin_unlock(&tty_files_lock); @@ -3322,7 +3334,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred) * new inode label or new policy. * This check is not redundant - do not remove. */ - return path_has_perm(cred, &file->f_path, open_file_to_av(file)); + return file_path_has_perm(cred, file, open_file_to_av(file)); } /* task security operations */ diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 8ab2951..d030818 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -316,6 +316,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); + atomic_inc(&selinux_xfrm_refcount); *new_ctxp = new_ctx; } return 0; @@ -326,6 +327,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, */ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) { + atomic_dec(&selinux_xfrm_refcount); kfree(ctx); } @@ -335,17 +337,13 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) { const struct task_security_struct *tsec = current_security(); - int rc = 0; - if (ctx) { - rc = avc_has_perm(tsec->sid, ctx->ctx_sid, - SECCLASS_ASSOCIATION, - ASSOCIATION__SETCONTEXT, NULL); - if (rc == 0) - atomic_dec(&selinux_xfrm_refcount); - } + if (!ctx) + return 0; - return rc; + return avc_has_perm(tsec->sid, ctx->ctx_sid, + SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, + NULL); } /* @@ -370,8 +368,8 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct */ void selinux_xfrm_state_free(struct xfrm_state *x) { - struct xfrm_sec_ctx *ctx = x->security; - kfree(ctx); + atomic_dec(&selinux_xfrm_refcount); + kfree(x->security); } /* @@ -381,17 +379,13 @@ int selinux_xfrm_state_delete(struct xfrm_state *x) { const struct task_security_struct *tsec = current_security(); struct xfrm_sec_ctx *ctx = x->security; - int rc = 0; - if (ctx) { - rc = avc_has_perm(tsec->sid, ctx->ctx_sid, - SECCLASS_ASSOCIATION, - ASSOCIATION__SETCONTEXT, NULL); - if (rc == 0) - atomic_dec(&selinux_xfrm_refcount); - } + if (!ctx) + return 0; - return rc; + return avc_has_perm(tsec->sid, ctx->ctx_sid, + SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, + NULL); } /* |
