aboutsummaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/device_cgroup.c18
-rw-r--r--security/selinux/ss/services.c6
2 files changed, 12 insertions, 12 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 7bd296cca04..46f23971f7e 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -508,12 +508,11 @@ int devcgroup_inode_permission(struct inode *inode, int mask)
return 0;
if (!S_ISBLK(inode->i_mode) && !S_ISCHR(inode->i_mode))
return 0;
- dev_cgroup = css_to_devcgroup(task_subsys_state(current,
- devices_subsys_id));
- if (!dev_cgroup)
- return 0;
rcu_read_lock();
+
+ dev_cgroup = task_devcgroup(current);
+
list_for_each_entry_rcu(wh, &dev_cgroup->whitelist, list) {
if (wh->type & DEV_ALL)
goto acc_check;
@@ -533,6 +532,7 @@ acc_check:
rcu_read_unlock();
return 0;
}
+
rcu_read_unlock();
return -EPERM;
@@ -543,12 +543,10 @@ int devcgroup_inode_mknod(int mode, dev_t dev)
struct dev_cgroup *dev_cgroup;
struct dev_whitelist_item *wh;
- dev_cgroup = css_to_devcgroup(task_subsys_state(current,
- devices_subsys_id));
- if (!dev_cgroup)
- return 0;
-
rcu_read_lock();
+
+ dev_cgroup = task_devcgroup(current);
+
list_for_each_entry(wh, &dev_cgroup->whitelist, list) {
if (wh->type & DEV_ALL)
goto acc_check;
@@ -566,6 +564,8 @@ acc_check:
rcu_read_unlock();
return 0;
}
+
rcu_read_unlock();
+
return -EPERM;
}
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4f233d9960e..876b815c1ba 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -981,11 +981,12 @@ static int string_to_context_struct(struct policydb *pol,
/* Check the validity of the new context. */
if (!policydb_context_isvalid(pol, ctx)) {
rc = -EINVAL;
- context_destroy(ctx);
goto out;
}
rc = 0;
out:
+ if (rc)
+ context_destroy(ctx);
return rc;
}
@@ -1038,8 +1039,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
} else if (rc)
goto out;
rc = sidtab_context_to_sid(&sidtab, &context, sid);
- if (rc)
- context_destroy(&context);
+ context_destroy(&context);
out:
read_unlock(&policy_rwlock);
kfree(scontext2);