Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/hooks.c | 22 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 6 | ||||
-rw-r--r-- | security/selinux/ss/services.h | 3 | ||||
-rw-r--r-- | security/selinux/ss/sidtab.c | 6 |
4 files changed, 32 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f553c370397e..7c5c8d17695c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3240,6 +3240,25 @@ static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
 			    &ad);
 }
 
+static int selinux_inode_set_acl(struct user_namespace *mnt_userns,
+				 struct dentry *dentry, const char *acl_name,
+				 struct posix_acl *kacl)
+{
+	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+}
+
+static int selinux_inode_get_acl(struct user_namespace *mnt_userns,
+				 struct dentry *dentry, const char *acl_name)
+{
+	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
+}
+
+static int selinux_inode_remove_acl(struct user_namespace *mnt_userns,
+				    struct dentry *dentry, const char *acl_name)
+{
+	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+}
+
 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
 					const void *value, size_t size,
 					int flags)
@@ -7088,6 +7107,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
+	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
+	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
+	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e63c4f942fd6..0092b29022f5 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
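Review bot: The three new hook bodies in the first hunk carry no comment saying why setting and removing an ACL map to FILE__SETATTR while reading one maps to FILE__GETATTR, nor that `acl_name` (and `kacl`) are deliberately ignored so access and default ACLs are treated alike; a reader has to compare against selinux_inode_setxattr() directly above, whose body starts outside the hunk. Add a block comment before selinux_inode_set_acl() along the lines of `/* POSIX ACLs are ordinary file attributes to SELinux: setting or removing one is FILE__SETATTR, reading one is FILE__GETATTR, whichever ACL (acl_name) is touched. */`. Presumably this keeps the decision identical to what the system.posix_acl_* xattr path produced before; if so, stating that in the comment makes any future divergence between the two paths easy to spot.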
@@ -2013,6 +2013,7 @@ static inline int convert_context_handle_invalid_context(
  * @args: populated convert_context_args struct
  * @oldc: original context
  * @newc: converted context
+ * @gfp_flags: allocation flags
  *
  * Convert the values in the security context structure @oldc from the values
  * specified in the policy @args->oldp to the values specified in the policy
@@ -2020,7 +2021,8 @@ static inline int convert_context_handle_invalid_context(
  * context is valid under the new policy.
  */
 int services_convert_context(struct convert_context_args *args,
-			     struct context *oldc, struct context *newc)
+			     struct context *oldc, struct context *newc,
+			     gfp_t gfp_flags)
 {
 	struct ocontext *oc;
 	struct role_datum *role;
@@ -2031,7 +2033,7 @@ int services_convert_context(struct convert_context_args *args,
 	int rc;
 
 	if (oldc->str) {
-		s = kstrdup(oldc->str, GFP_KERNEL);
+		s = kstrdup(oldc->str, gfp_flags);
 		if (!s)
 			return -ENOMEM;
 
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
index 6348c95ff0e5..c4301626487f 100644
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -41,6 +41,7 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
 				      struct avtab_node *node);
 
 int services_convert_context(struct convert_context_args *args,
-			     struct context *oldc, struct context *newc);
+			     struct context *oldc, struct context *newc,
+			     gfp_t gfp_flags);
 
 #endif	/* _SS_SERVICES_H_ */
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 1c3d2cda6b92..38d25173aebd 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -328,7 +328,8 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context,
 	}
 
 	rc = services_convert_context(convert->args,
-				      context, &dst_convert->context);
+				      context, &dst_convert->context,
+				      GFP_ATOMIC);
 	if (rc) {
 		context_destroy(&dst->context);
 		goto out_unlock;
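Review bot: `@gfp_flags: allocation flags` in the kernel-doc of the first services.c hunk says neither which allocation the flags govern nor what a caller is expected to pass, and the two call sites added in this same patch disagree (GFP_ATOMIC from sidtab_context_to_sid(), GFP_KERNEL from sidtab_convert_tree()). Suggest `@gfp_flags: allocation flags for the context string copy; GFP_ATOMIC when the caller cannot sleep (sidtab_context_to_sid()), GFP_KERNEL otherwise` so the contract is readable from the header instead of from grepping callers.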
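Review bot: In the third services.c hunk only the kstrdup() of oldc->str is switched to gfp_flags, yet services_convert_context() continues well past the hunk, and sidtab_context_to_sid() in this same patch now calls it with GFP_ATOMIC; any other allocation made later in the body, directly or through the helpers on the conversion path, must therefore also be atomic-safe. I cannot see the rest of the body here, so this is a request to audit rather than a defect found. If the remaining allocations already use GFP_ATOMIC unconditionally, a one-line comment next to the kstrdup(), `/* gfp_flags only affects the string copy; later allocations are already atomic-safe */`, would record that and stop the next reader from asking the same question.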
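Review bot: The GFP_ATOMIC passed in the sidtab.c hunk carries no justification at the call site, while the sibling hunk in sidtab_convert_tree() passes GFP_KERNEL for the same callee, so the reader is left to infer that sidtab_context_to_sid() runs in a non-sleeping context. The `goto out_unlock` three lines below suggests a lock is held across the call; if that is the sidtab spinlock, say so above the call: `/* s->lock is held here, so no sleeping allocation */`. sidtab_context_to_sid() begins outside the hunk, so I cannot confirm which lock that is.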
@@ -407,7 +408,8 @@ static int sidtab_convert_tree(union sidtab_entry_inner *edst,
 	while (i < SIDTAB_LEAF_ENTRIES && *pos < count) {
 		rc = services_convert_context(convert->args,
 				&esrc->ptr_leaf->entries[i].context,
-				&edst->ptr_leaf->entries[i].context);
+				&edst->ptr_leaf->entries[i].context,
+				GFP_KERNEL);
 		if (rc)
 			return rc;
 		(*pos)++;
|
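Review bot: Passing GFP_KERNEL here asserts that sidtab_convert_tree() may sleep, the opposite assumption from the GFP_ATOMIC given to the same callee in sidtab_context_to_sid() in the previous hunk, and nothing in this hunk shows the calling context; the function's signature and its caller are both outside the hunk. If the conversion walk is guaranteed to run with the sidtab lock released, a short comment at the call, `/* conversion runs outside s->lock, so a sleeping allocation is fine */`, would document the invariant the flag depends on. If that is not guaranteed on every path into sidtab_convert_tree(), this should be GFP_ATOMIC as well.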