Merge branch 'hwmon-for-linus' of git://jdelvare.pck.nerim.net/jdelvare-2.6

[sfrench/cifs-2.6.git] / security / selinux / hooks.c

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 44e9cd470543320ad736af1db38e2e63b94648ca..b1ac22d231954bc5e900c07da670962c953ba1c2 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -181,11 +181,10 @@ static int inode_alloc_security(struct inode *inode)
        struct task_security_struct *tsec = current->security;
        struct inode_security_struct *isec;
 
-       isec = kmem_cache_alloc(sel_inode_cache, GFP_KERNEL);
+       isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
        if (!isec)
                return -ENOMEM;
 
-       memset(isec, 0, sizeof(*isec));
        mutex_init(&isec->lock);
        INIT_LIST_HEAD(&isec->list);
        isec->inode = inode;
@@ -1078,6 +1077,9 @@ static int inode_has_perm(struct task_struct *tsk,
        struct inode_security_struct *isec;
        struct avc_audit_data ad;
 
+       if (unlikely (IS_PRIVATE (inode)))
+               return 0;
+
        tsec = tsk->security;
        isec = inode->i_security;
 
@@ -1120,8 +1122,8 @@ static int file_has_perm(struct task_struct *tsk,
 {
        struct task_security_struct *tsec = tsk->security;
        struct file_security_struct *fsec = file->f_security;
-       struct vfsmount *mnt = file->f_vfsmnt;
-       struct dentry *dentry = file->f_dentry;
+       struct vfsmount *mnt = file->f_path.mnt;
+       struct dentry *dentry = file->f_path.dentry;
        struct inode *inode = dentry->d_inode;
        struct avc_audit_data ad;
        int rc;
@@ -1424,6 +1426,47 @@ static int selinux_capable(struct task_struct *tsk, int cap)
        return task_has_capability(tsk,cap);
 }
 
+static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
+{
+       int buflen, rc;
+       char *buffer, *path, *end;
+
+       rc = -ENOMEM;
+       buffer = (char*)__get_free_page(GFP_KERNEL);
+       if (!buffer)
+               goto out;
+
+       buflen = PAGE_SIZE;
+       end = buffer+buflen;
+       *--end = '\0';
+       buflen--;
+       path = end-1;
+       *path = '/';
+       while (table) {
+               const char *name = table->procname;
+               size_t namelen = strlen(name);
+               buflen -= namelen + 1;
+               if (buflen < 0)
+                       goto out_free;
+               end -= namelen;
+               memcpy(end, name, namelen);
+               *--end = '/';
+               path = end;
+               table = table->parent;
+       }
+       buflen -= 4;
+       if (buflen < 0)
+               goto out_free;
+       end -= 4;
+       memcpy(end, "/sys", 4);
+       path = end;
+       rc = security_genfs_sid("proc", path, tclass, sid);
+out_free:
+       free_page((unsigned long)buffer);
+out:
+       return rc;
+}
+
 static int selinux_sysctl(ctl_table *table, int op)
 {
        int error = 0;
@@ -1438,8 +1481,8 @@ static int selinux_sysctl(ctl_table *table, int op)
 
        tsec = current->security;
 
-       rc = selinux_proc_get_sid(table->de, (op == 001) ?
-                                 SECCLASS_DIR : SECCLASS_FILE, &tsid);
+       rc = selinux_sysctl_get_sid(table, (op == 0001) ?
+                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
        if (rc) {
                /* Default to the well-defined sysctl SID. */
                tsid = SECINITSID_SYSCTL;
@@ -1581,7 +1624,7 @@ static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
 static int selinux_bprm_set_security(struct linux_binprm *bprm)
 {
        struct task_security_struct *tsec;
-       struct inode *inode = bprm->file->f_dentry->d_inode;
+       struct inode *inode = bprm->file->f_path.dentry->d_inode;
        struct inode_security_struct *isec;
        struct bprm_security_struct *bsec;
        u32 newsid;
@@ -1621,10 +1664,10 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
        }
 
        AVC_AUDIT_DATA_INIT(&ad, FS);
-       ad.u.fs.mnt = bprm->file->f_vfsmnt;
-       ad.u.fs.dentry = bprm->file->f_dentry;
+       ad.u.fs.mnt = bprm->file->f_path.mnt;
+       ad.u.fs.dentry = bprm->file->f_path.dentry;
 
-       if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
+       if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
                newsid = tsec->sid;
 
         if (tsec->sid == newsid) {
@@ -1695,9 +1738,10 @@ static inline void flush_unauthorized_files(struct files_struct * files)
        struct tty_struct *tty;
        struct fdtable *fdt;
        long j = -1;
+       int drop_tty = 0;
 
        mutex_lock(&tty_mutex);
-       tty = current->signal->tty;
+       tty = get_current_tty();
        if (tty) {
                file_list_lock();
                file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
@@ -1707,15 +1751,17 @@ static inline void flush_unauthorized_files(struct files_struct * files)
                           than using file_has_perm, as this particular open
                           file may belong to another process and we are only
                           interested in the inode-based check here. */
-                       struct inode *inode = file->f_dentry->d_inode;
+                       struct inode *inode = file->f_path.dentry->d_inode;
                        if (inode_has_perm(current, inode,
                                           FILE__READ | FILE__WRITE, NULL)) {
-                               /* Reset controlling tty. */
-                               current->signal->tty = NULL;
-                               current->signal->tty_old_pgrp = 0;
+                               drop_tty = 1;
                        }
                }
                file_list_unlock();
+
+               /* Reset controlling tty. */
+               if (drop_tty)
+                       proc_set_tty(current, NULL);
        }
        mutex_unlock(&tty_mutex);
 
@@ -1731,7 +1777,7 @@ static inline void flush_unauthorized_files(struct files_struct * files)
                j++;
                i = j * __NFDBITS;
                fdt = files_fdtable(files);
-               if (i >= fdt->max_fds || i >= fdt->max_fdset)
+               if (i >= fdt->max_fds)
                        break;
                set = fdt->open_fds->fds_bits[j];
                if (!set)
@@ -2417,7 +2463,7 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
 static int selinux_file_permission(struct file *file, int mask)
 {
        int rc;
-       struct inode *inode = file->f_dentry->d_inode;
+       struct inode *inode = file->f_path.dentry->d_inode;
 
        if (!mask) {
                /* No permission to check.  Existence test. */
@@ -2594,7 +2640,7 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
 
        switch (cmd) {
                case F_SETFL:
-                       if (!file->f_dentry || !file->f_dentry->d_inode) {
+                       if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
                                err = -EINVAL;
                                break;
                        }
@@ -2620,7 +2666,7 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
                case F_SETLK64:
                case F_SETLKW64:
 #endif
-                       if (!file->f_dentry || !file->f_dentry->d_inode) {
+                       if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
                                err = -EINVAL;
                                break;
                        }
@@ -2652,7 +2698,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
        struct file_security_struct *fsec;
 
        /* struct fown_struct is never outside the context of a struct file */
-        file = (struct file *)((long)fown - offsetof(struct file,f_owner));
+        file = container_of(fown, struct file, f_owner);
 
        tsec = tsk->security;
        fsec = file->f_security;