SELinux: more GFP_NOFS fixups to prevent selinux from re-entering the fs code

[sfrench/cifs-2.6.git] / security / selinux / ss / services.c

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index f96dec1f9258f31c88525543c59d586354619649..3f2bad28ee7b53abe273aea72990952d83513b5e 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -680,7 +680,8 @@ out:
 
 }
 
-static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
+static int security_context_to_sid_core(char *scontext, u32 scontext_len,
+                                       u32 *sid, u32 def_sid, gfp_t gfp_flags)
 {
        char *scontext2;
        struct context context;
@@ -709,7 +710,7 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s
           null suffix to the copy to avoid problems with the existing
           attr package, which doesn't view the null terminator as part
           of the attribute value. */
-       scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);
+       scontext2 = kmalloc(scontext_len+1, gfp_flags);
        if (!scontext2) {
                rc = -ENOMEM;
                goto out;
@@ -809,7 +810,7 @@ out:
 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
 {
        return security_context_to_sid_core(scontext, scontext_len,
-                                           sid, SECSID_NULL);
+                                           sid, SECSID_NULL, GFP_KERNEL);
 }
 
 /**
@@ -829,10 +830,11 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
  * memory is available, or 0 on success.
  */
-int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
+int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid,
+                                   u32 def_sid, gfp_t gfp_flags)
 {
        return security_context_to_sid_core(scontext, scontext_len,
-                                           sid, def_sid);
+                                           sid, def_sid, gfp_flags);
 }
 
 static int compute_sid_handle_invalid_context(
@@ -1905,11 +1907,12 @@ int security_set_bools(int len, int *values)
                if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
                        audit_log(current->audit_context, GFP_ATOMIC,
                                AUDIT_MAC_CONFIG_CHANGE,
-                               "bool=%s val=%d old_val=%d auid=%u",
+                               "bool=%s val=%d old_val=%d auid=%u ses=%u",
                                policydb.p_bool_val_to_name[i],
                                !!values[i],
                                policydb.bool_val_to_struct[i]->state,
-                               audit_get_loginuid(current->audit_context));
+                               audit_get_loginuid(current),
+                               audit_get_sessionid(current));
                }
                if (values[i]) {
                        policydb.bool_val_to_struct[i]->state = 1;
@@ -2244,39 +2247,6 @@ int security_get_allow_unknown(void)
        return policydb.allow_unknown;
 }
 
-/**
- * security_get_policycaps - Query the loaded policy for its capabilities
- * @len: the number of capability bits
- * @values: the capability bit array
- *
- * Description:
- * Get an array of the policy capabilities in @values where each entry in
- * @values is either true (1) or false (0) depending the policy's support of
- * that feature.  The policy capabilities are defined by the
- * POLICYDB_CAPABILITY_* enums.  The size of the array is stored in @len and it
- * is up to the caller to free the array in @values.  Returns zero on success,
- * negative values on failure.
- *
- */
-int security_get_policycaps(int *len, int **values)
-{
-       int rc = -ENOMEM;
-       unsigned int iter;
-
-       POLICY_RDLOCK;
-
-       *values = kcalloc(POLICYDB_CAPABILITY_MAX, sizeof(int), GFP_ATOMIC);
-       if (*values == NULL)
-               goto out;
-       for (iter = 0; iter < POLICYDB_CAPABILITY_MAX; iter++)
-               (*values)[iter] = ebitmap_get_bit(&policydb.policycaps, iter);
-       *len = POLICYDB_CAPABILITY_MAX;
-
-out:
-       POLICY_RDUNLOCK;
-       return rc;
-}
-
 /**
  * security_policycap_supported - Check for a specific policy capability
  * @req_cap: capability
@@ -2692,7 +2662,6 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
 
 netlbl_sid_to_secattr_failure:
        POLICY_RDUNLOCK;
-       netlbl_secattr_destroy(secattr);
        return rc;
 }
 #endif /* CONFIG_NETLABEL */