/* Updated: Karl MacMillan <kmacmillan@tresys.com>
*
- * Added conditional policy language extensions
+ * Added conditional policy language extensions
*
* Updated: Hewlett-Packard <paul.moore@hp.com>
*
- * Added support for the policy capability bitmap
+ * Added support for the policy capability bitmap
*
* Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
* Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
* This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
+ * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
#include <linux/percpu.h>
#include <linux/audit.h>
#include <asm/uaccess.h>
-#include <asm/semaphore.h>
/* selinuxfs pseudo filesystem for exporting the security policy API.
Based on the proc code and the fs/nfsd/nfsctl.c code. */
static int __init checkreqprot_setup(char *str)
{
- selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0;
+ selinux_checkreqprot = simple_strtoul(str, NULL, 0) ? 1 : 0;
return 1;
}
__setup("checkreqprot=", checkreqprot_setup);
static int __init selinux_compat_net_setup(char *str)
{
- selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0;
+ selinux_compat_net = simple_strtoul(str, NULL, 0) ? 1 : 0;
return 1;
}
__setup("selinux_compat_net=", selinux_compat_net_setup);
static DEFINE_MUTEX(sel_mutex);
/* global data for booleans */
- static struct dentry *bool_dir = NULL;
- static int bool_num = 0;
+ static struct dentry *bool_dir;
+ static int bool_num;
static char **bool_pending_names;
- static int *bool_pending_values = NULL;
+ static int *bool_pending_values;
/* global data for classes */
- static struct dentry *class_dir = NULL;
+ static struct dentry *class_dir;
static unsigned long last_class_ino;
/* global data for policy capabilities */
- static struct dentry *policycap_dir = NULL;
+ static struct dentry *policycap_dir;
extern void selnl_notify_setenforce(int val);
}
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
- static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
+ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
};
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
- static ssize_t sel_write_disable(struct file * file, const char __user * buf,
+ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
};
static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
- size_t count, loff_t *ppos)
+ size_t count, loff_t *ppos)
{
char tmpbuf[TMPBUFLEN];
ssize_t length;
.read = sel_read_mls,
};
- static ssize_t sel_write_load(struct file * file, const char __user * buf,
+ static ssize_t sel_write_load(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
.write = sel_write_load,
};
- static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
+ static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
{
char *canon;
u32 sid, len;
return length;
if (len > SIMPLE_TRANSACTION_LIMIT) {
- printk(KERN_ERR "%s: context size (%u) exceeds payload "
- "max\n", __func__, len);
+ printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
+ "payload max\n", __func__, len);
length = -ERANGE;
goto out;
}
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
- static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf,
+ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *page;
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
- static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
+ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *page;
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
/*
* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
*/
- static ssize_t sel_write_access(struct file * file, char *buf, size_t size);
- static ssize_t sel_write_create(struct file * file, char *buf, size_t size);
- static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size);
- static ssize_t sel_write_user(struct file * file, char *buf, size_t size);
- static ssize_t sel_write_member(struct file * file, char *buf, size_t size);
+ static ssize_t sel_write_access(struct file *file, char *buf, size_t size);
+ static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
+ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
+ static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
+ static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
static ssize_t (*write_op[])(struct file *, char *, size_t) = {
[SEL_ACCESS] = sel_write_access,
static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
{
- ino_t ino = file->f_path.dentry->d_inode->i_ino;
+ ino_t ino = file->f_path.dentry->d_inode->i_ino;
char *data;
ssize_t rv;
if (IS_ERR(data))
return PTR_ERR(data);
- rv = write_op[ino](file, data, size);
- if (rv>0) {
+ rv = write_op[ino](file, data, size);
+ if (rv > 0) {
simple_transaction_set(file, rv);
rv = size;
}
* and the length returned. Otherwise return 0 or and -error.
*/
- static ssize_t sel_write_access(struct file * file, char *buf, size_t size)
+ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid;
return length;
}
- static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
+ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) {
- printk(KERN_ERR "%s: context size (%u) exceeds payload "
- "max\n", __func__, len);
+ printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
+ "payload max\n", __func__, len);
length = -ERANGE;
goto out3;
}
return length;
}
- static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size)
+ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
return length;
}
- static ssize_t sel_write_user(struct file * file, char *buf, size_t size)
+ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
{
char *con, *user, *ptr;
u32 sid, *sids;
return length;
}
- static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
+ static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) {
- printk(KERN_ERR "%s: context size (%u) exceeds payload "
- "max\n", __func__, len);
+ printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
+ "payload max\n", __func__, len);
length = -ERANGE;
goto out3;
}
ret = -EINVAL;
goto out;
}
- if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) {
+ page = (char *)get_zeroed_page(GFP_KERNEL);
+ if (!page) {
ret = -ENOMEM;
goto out;
}
length = -EINVAL;
goto out;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
length = -ENOMEM;
goto out;
}
static const struct file_operations sel_bool_ops = {
- .read = sel_read_bool,
- .write = sel_write_bool,
+ .read = sel_read_bool,
+ .write = sel_write_bool,
};
static ssize_t sel_commit_bools_write(struct file *filep,
/* No partial writes. */
goto out;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
length = -ENOMEM;
goto out;
if (sscanf(page, "%d", &new_value) != 1)
goto out;
- if (new_value && bool_pending_values) {
+ if (new_value && bool_pending_values)
security_set_bools(bool_num, bool_pending_values);
- }
length = count;
}
static const struct file_operations sel_commit_bools_ops = {
- .write = sel_commit_bools_write,
+ .write = sel_commit_bools_write,
};
static void sel_remove_entries(struct dentry *de)
sel_remove_entries(dir);
- if (!(page = (char*)get_zeroed_page(GFP_KERNEL)))
+ page = (char *)get_zeroed_page(GFP_KERNEL);
+ if (!page)
return -ENOMEM;
ret = security_get_bools(&num, &names, &values);
ret = -ENAMETOOLONG;
goto err;
}
- isec = (struct inode_security_struct*)inode->i_security;
- if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid)))
+ isec = (struct inode_security_struct *)inode->i_security;
+ ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
+ if (ret)
goto err;
isec->sid = sid;
isec->initialized = 1;
#define NULL_FILE_NAME "null"
- struct dentry *selinux_null = NULL;
+ struct dentry *selinux_null;
static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
- static ssize_t sel_write_avc_cache_threshold(struct file * file,
- const char __user * buf,
+ static ssize_t sel_write_avc_cache_threshold(struct file *file,
+ const char __user *buf,
size_t count, loff_t *ppos)
{
goto out;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
ret = -ENOMEM;
goto out;
return ret;
}
- static ssize_t sel_read_initcon(struct file * file, char __user *buf,
+ static ssize_t sel_read_initcon(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
struct inode *inode;
return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1);
}
- static ssize_t sel_read_class(struct file * file, char __user *buf,
+ static ssize_t sel_read_class(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
ssize_t rc, len;
.read = sel_read_class,
};
- static ssize_t sel_read_perm(struct file * file, char __user *buf,
+ static ssize_t sel_read_perm(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
ssize_t rc, len;
goto out;
}
- len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino));
+ len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino));
rc = simple_read_from_buffer(buf, count, ppos, page, len);
free_page((unsigned long)page);
out:
return ret;
}
- static int sel_fill_super(struct super_block * sb, void * data, int silent)
+ static int sel_fill_super(struct super_block *sb, void *data, int silent)
{
int ret;
struct dentry *dentry;
goto err;
}
inode->i_ino = ++sel_last_ino;
- isec = (struct inode_security_struct*)inode->i_security;
+ isec = (struct inode_security_struct *)inode->i_security;
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = 1;
out:
return ret;
err:
- printk(KERN_ERR "%s: failed while creating inodes\n", __func__);
+ printk(KERN_ERR "SELinux: %s: failed while creating inodes\n",
+ __func__);
goto out;
}
/* Authors: Karl MacMillan <kmacmillan@tresys.com>
- * Frank Mayer <mayerf@tresys.com>
+ * Frank Mayer <mayerf@tresys.com>
*
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
+ * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
#include <linux/errno.h>
#include <linux/string.h>
#include <linux/spinlock.h>
-#include <asm/semaphore.h>
#include <linux/slab.h>
#include "security.h"
int evaluate_cond_node(struct policydb *p, struct cond_node *node)
{
int new_state;
- struct cond_av_list* cur;
+ struct cond_av_list *cur;
new_state = cond_evaluate_expr(p, node->expr);
if (new_state != node->cur_state) {
printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
/* turn the rules on or off */
for (cur = node->true_list; cur != NULL; cur = cur->next) {
- if (new_state <= 0) {
+ if (new_state <= 0)
cur->node->key.specified &= ~AVTAB_ENABLED;
- } else {
+ else
cur->node->key.specified |= AVTAB_ENABLED;
- }
}
for (cur = node->false_list; cur != NULL; cur = cur->next) {
/* -1 or 1 */
- if (new_state) {
+ if (new_state)
cur->node->key.specified &= ~AVTAB_ENABLED;
- } else {
+ else
cur->node->key.specified |= AVTAB_ENABLED;
- }
}
}
return 0;
int cond_init_bool_indexes(struct policydb *p)
{
kfree(p->bool_val_to_struct);
- p->bool_val_to_struct = (struct cond_bool_datum**)
- kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL);
+ p->bool_val_to_struct = (struct cond_bool_datum **)
+ kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
if (!p->bool_val_to_struct)
return -1;
return 0;
return -EINVAL;
p->p_bool_val_to_name[booldatum->value - 1] = key;
- p->bool_val_to_struct[booldatum->value -1] = booldatum;
+ p->bool_val_to_struct[booldatum->value - 1] = booldatum;
return 0;
}
return -1;
}
- struct cond_insertf_data
- {
+ struct cond_insertf_data {
struct policydb *p;
struct cond_av_list *other;
struct cond_av_list *head;
*/
if (k->specified & AVTAB_TYPE) {
if (avtab_search(&p->te_avtab, k)) {
- printk("SELinux: type rule already exists outside of a conditional.");
+ printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
goto err;
}
/*
node_ptr = avtab_search_node(&p->te_cond_avtab, k);
if (node_ptr) {
if (avtab_search_node_next(node_ptr, k->specified)) {
- printk("SELinux: too many conflicting type rules.");
+ printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
goto err;
}
found = 0;
}
}
if (!found) {
- printk("SELinux: conflicting type rules.\n");
+ printk(KERN_ERR "SELinux: conflicting type rules.\n");
goto err;
}
}
} else {
if (avtab_search(&p->te_cond_avtab, k)) {
- printk("SELinux: conflicting type rules when adding type rule for true.\n");
+ printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
goto err;
}
}
node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
if (!node_ptr) {
- printk("SELinux: could not insert rule.");
+ printk(KERN_ERR "SELinux: could not insert rule.\n");
goto err;
}
return -1;
len = le32_to_cpu(buf[0]);
- if (len == 0) {
+ if (len == 0)
return 0;
- }
data.p = p;
data.other = other;
static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
{
if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
- printk("SELinux: conditional expressions uses unknown operator.\n");
+ printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
return 0;
}
if (expr->bool > p->p_bools.nprim) {
- printk("SELinux: conditional expressions uses unknown bool.\n");
+ printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
return 0;
}
return 1;
/* expr */
len = le32_to_cpu(buf[0]);
- for (i = 0; i < len; i++ ) {
+ for (i = 0; i < len; i++) {
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc < 0)
goto err;
expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
- if (!expr) {
+ if (!expr)
goto err;
- }
expr->expr_type = le32_to_cpu(buf[0]);
expr->bool = le32_to_cpu(buf[1]);
goto err;
}
- if (i == 0) {
+ if (i == 0)
node->expr = expr;
- } else {
+ else
last->next = expr;
- }
last = expr;
}
if (cond_read_node(p, node, fp) != 0)
goto err;
- if (i == 0) {
+ if (i == 0)
p->cond_list = node;
- } else {
+ else
last->next = node;
- }
last = node;
}
return 0;
{
struct avtab_node *node;
- if(!ctab || !key || !avd)
+ if (!ctab || !key || !avd)
return;
- for(node = avtab_search_node(ctab, key); node != NULL;
+ for (node = avtab_search_node(ctab, key); node != NULL;
node = avtab_search_node_next(node, key->specified)) {
- if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) ==
- (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
+ if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
+ (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
avd->allowed |= node->datum.data;
- if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) ==
- (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
+ if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
+ (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
/* Since a '0' in an auditdeny mask represents a
* permission we do NOT want to audit (dontaudit), we use
* the '&' operand to ensure that all '0's in the mask
* are retained (much unlike the allow and auditallow cases).
*/
avd->auditdeny &= node->datum.data;
- if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
- (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
+ if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
+ (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
avd->auditallow |= node->datum.data;
}
return;