GIT 85acdadd59ee652e53d89f65928220b674a38d7f git+ssh://master.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm commit 9fa641b08233f144fed7cd577bd8b41a706bc621 Author: Venkat Yekkirala Date: Tue Dec 12 13:02:41 2006 -0600 selinux: Delete mls_copy_context This deletes mls_copy_context() in favor of mls_context_cpy() and replaces mls_scopy_context() with mls_context_cpy_low(). Signed-off-by: Venkat Yekkirala Acked-by: Stephen Smalley Signed-off-by: James Morris commit 6dc6dca8bd34b1c8e4506f510adc78f40f0bc454 Author: Joy Latten Date: Thu Nov 30 15:50:43 2006 -0600 audit: disable ipsec auditing when CONFIG_AUDITSYSCALL=n Disables auditing in ipsec when CONFIG_AUDITSYSCALL is disabled in the kernel. Also includes a bug fix for xfrm_state.c as a result of original ipsec audit patch. Signed-off-by: Joy Latten Signed-off-by: James Morris commit faafdc1dc743b7e8215e02219109f9e346430619 Author: Joy Latten Date: Mon Nov 27 13:11:54 2006 -0600 Add auditing to ipsec An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by: Joy Latten Signed-off-by: James Morris security/selinux/ss/context.h | 23 +++++++++++++++++++++++ security/selinux/ss/mls.c | 30 +++++------------------------- security/selinux/ss/mls.h | 20 -------------------- security/selinux/ss/services.c | 3 +-- 4 files changed, 29 insertions(+), 47 deletions(-)
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
index 0562bac..2eee0da 100644
--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -55,6 +55,29 @@ out:
 return rc;
 }
+/*
+ * Sets both levels in the MLS range of 'dst' to the low level of 'src'.
+ */
+static inline int mls_context_cpy_low(struct context *dst, struct context *src)
+{
+ int rc;
+
+ if (!selinux_mls_enabled)
+ return 0;
+
+ dst->range.level[0].sens = src->range.level[0].sens;
+ rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
+ if (rc)
+ goto out;
+
+ dst->range.level[1].sens = src->range.level[0].sens;
+ rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
+ if (rc)
+ ebitmap_destroy(&dst->range.level[0].cat);
+out:
+ return rc;
+}
+
 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
 if (!selinux_mls_enabled)
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index b4f682d..4a8bab2 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -270,7 +270,7 @@ int mls_context_to_sid(char oldc,
 if (!defcon)
 goto out;
- rc = mls_copy_context(context, defcon);
+ rc = mls_context_cpy(context, defcon);
 goto out;
 }
@@ -401,26 +401,6 @@ int mls_from_string(char *str, struct co
 }
 /*
- * Copies the effective MLS range from `src' into `dst'.
- */
-static inline int mls_scopy_context(struct context *dst,
- struct context *src)
-{
- int l, rc = 0;
-
- /* Copy the MLS range from the source context */
- for (l = 0; l < 2; l++) {
- dst->range.level[l].sens = src->range.level[0].sens;
- rc = ebitmap_cpy(&dst->range.level[l].cat,
- &src->range.level[0].cat);
- if (rc)
- break;
- }
-
- return rc;
-}
-
-/*
 * Copies the MLS range `range' into `context'.
 */
 static inline int mls_range_set(struct context *context,
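Review bot: The error paths of mls_context_cpy_low() in security/selinux/ss/context.h leave `dst` partly written, and the header comment does not state that contract. If the first ebitmap_cpy() fails, level[0].sens is already assigned; if the second fails, both `sens` fields are assigned while level[0].cat has been destroyed, so `dst` holds sensitivities without their categories. Because this is an MLS label, I would extend the comment with something like `* On failure 'dst' does not hold a valid MLS range and must not be used.` It would also help to say that the high level of 'src' is deliberately not copied. Presumably the category bitmaps of 'dst' must be empty on entry, but ebitmap_cpy() is not shown in this patch, so that should be confirmed before documenting it.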
@@ -552,19 +532,19 @@ int mls_compute_sid(struct context *scon
 case AVTAB_CHANGE:
 if (tclass == SECCLASS_PROCESS)
 /* Use the process MLS attributes. */
- return mls_copy_context(newcontext, scontext);
+ return mls_context_cpy(newcontext, scontext);
 else
 /* Use the process effective MLS attributes. */
- return mls_scopy_context(newcontext, scontext);
+ return mls_context_cpy_low(newcontext, scontext);
 case AVTAB_MEMBER:
 /* Only polyinstantiate the MLS attributes if the type is being polyinstantiated */
 if (newcontext->type != tcontext->type) {
 /* Use the process effective MLS attributes. */
- return mls_scopy_context(newcontext, scontext);
+ return mls_context_cpy_low(newcontext, scontext);
 } else {
 /* Use the related object MLS attributes. */
- return mls_copy_context(newcontext, tcontext);
+ return mls_context_cpy(newcontext, tcontext);
 }
 default:
 return -EINVAL;
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index 661d6fc..096d1b4 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -24,26 +24,6 @@ #define _SS_MLS_H_
 #include "context.h"
 #include "policydb.h"
-/*
- * Copies the MLS range from `src' into `dst'.
- */
-static inline int mls_copy_context(struct context *dst,
- struct context *src)
-{
- int l, rc = 0;
-
- /* Copy the MLS range from the source context */
- for (l = 0; l < 2; l++) {
- dst->range.level[l].sens = src->range.level[l].sens;
- rc = ebitmap_cpy(&dst->range.level[l].cat,
- &src->range.level[l].cat);
- if (rc)
- break;
- }
-
- return rc;
-}
-
 int mls_compute_context_len(struct context *context);
 void mls_sid_to_context(struct context *context, char **scontext);
 int mls_context_isvalid(struct policydb *p, struct context *c);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ee05815..372eaad 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
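Review bot: In mls_compute_sid() (security/selinux/ss/mls.c) the comments above the two mls_context_cpy_low() calls still say "effective MLS attributes", while the helper's name and header comment say "low level". A reader has to know the two terms mean the same thing to confirm the right helper is called. Going by the removed mls_copy_context(), which mls_context_cpy() replaces, calling mls_context_cpy() on these branches instead would hand the new object the process's full range, high level included. I would reword both comments to `/* Use the process's low (effective) level for both ends of the range. */`. The function starts and ends outside the hunk, so whether the caller releases newcontext when either helper returns an error cannot be checked from here.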
@@ -1916,11 +1916,10 @@ int security_sid_mls_copy(u32 sid, u32 m newcon.user = context1->user; newcon.role = context1->role; newcon.type = context1->type; - rc = mls_copy_context(&newcon, context2); + rc = mls_context_cpy(&newcon, context2); if (rc) goto out_unlock; - /* Check the validity of the new context. */ if (!policydb_context_isvalid(&policydb, &newcon)) { rc = convert_context_handle_invalid_context(&newcon);