diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/hooks.c | 25 | ||||
-rw-r--r-- | security/selinux/include/security.h | 3 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 12 |
3 files changed, 25 insertions, 15 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 41a049f50f5..d39b59cf8a0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -180,7 +180,7 @@ static int inode_alloc_security(struct inode *inode) struct task_security_struct *tsec = current->security; struct inode_security_struct *isec; - isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL); + isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); if (!isec) return -ENOMEM; @@ -760,13 +760,13 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, * this early in the boot process. */ BUG_ON(!ss_initialized); - /* this might go away sometime down the line if there is a new user - * of clone, but for now, nfs better not get here... */ - BUG_ON(newsbsec->initialized); - /* how can we clone if the old one wasn't set up?? */ BUG_ON(!oldsbsec->initialized); + /* if fs is reusing a sb, just let its options stand... */ + if (newsbsec->initialized) + return; + mutex_lock(&newsbsec->lock); newsbsec->flags = oldsbsec->flags; @@ -1143,7 +1143,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent } len = INITCONTEXTLEN; - context = kmalloc(len, GFP_KERNEL); + context = kmalloc(len, GFP_NOFS); if (!context) { rc = -ENOMEM; dput(dentry); @@ -1161,7 +1161,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent } kfree(context); len = rc; - context = kmalloc(len, GFP_KERNEL); + context = kmalloc(len, GFP_NOFS); if (!context) { rc = -ENOMEM; dput(dentry); @@ -1185,7 +1185,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent rc = 0; } else { rc = security_context_to_sid_default(context, rc, &sid, - sbsec->def_sid); + sbsec->def_sid, + GFP_NOFS); if (rc) { printk(KERN_WARNING "%s: context_to_sid(%s) " "returned %d for dev=%s ino=%ld\n", @@ -1630,6 +1631,12 @@ static inline u32 file_to_av(struct file *file) else av |= FILE__WRITE; } + if (!av) { + /* + * Special file opened with flags 3 for ioctl-only use. + */ + av = FILE__IOCTL; + } return av; } @@ -2423,7 +2430,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, return -EOPNOTSUPP; if (name) { - namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); + namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); if (!namep) return -ENOMEM; *name = namep; diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index f7d2f03781f..44e12ec8809 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -86,7 +86,8 @@ int security_sid_to_context(u32 sid, char **scontext, int security_context_to_sid(char *scontext, u32 scontext_len, u32 *out_sid); -int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid); +int security_context_to_sid_default(char *scontext, u32 scontext_len, + u32 *out_sid, u32 def_sid, gfp_t gfp_flags); int security_get_user_sids(u32 callsid, char *username, u32 **sids, u32 *nel); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f3741860121..3f2bad28ee7 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -680,7 +680,8 @@ out: } -static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) +static int security_context_to_sid_core(char *scontext, u32 scontext_len, + u32 *sid, u32 def_sid, gfp_t gfp_flags) { char *scontext2; struct context context; @@ -709,7 +710,7 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s null suffix to the copy to avoid problems with the existing attr package, which doesn't view the null terminator as part of the attribute value. */ - scontext2 = kmalloc(scontext_len+1,GFP_KERNEL); + scontext2 = kmalloc(scontext_len+1, gfp_flags); if (!scontext2) { rc = -ENOMEM; goto out; @@ -809,7 +810,7 @@ out: int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) { return security_context_to_sid_core(scontext, scontext_len, - sid, SECSID_NULL); + sid, SECSID_NULL, GFP_KERNEL); } /** @@ -829,10 +830,11 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient * memory is available, or 0 on success. */ -int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) +int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, + u32 def_sid, gfp_t gfp_flags) { return security_context_to_sid_core(scontext, scontext_len, - sid, def_sid); + sid, def_sid, gfp_flags); } static int compute_sid_handle_invalid_context( |