author | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-12 13:46:48 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-12 13:46:48 -0700 |
commit | bb50cbbd4beacd5ceda76c32fcb116c67fe8c66c (patch) | |
tree | d57fe1a7c4214afbaacbcc5fb62ea6a5e9169b3f /security/selinux/avc.c | |
parent | 702ed6ef375c19d65f2eeeefd3851476f2c4cee4 (diff) | |
parent | d4cf291526a74cc33d33700a35b74395eec812fd (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
security: unexport mmap_min_addr
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
security: Protection for exploiting null dereference using mmap
SELinux: Use %lu for inode->i_no when printing avc
SELinux: allow preemption between transition permission checks
selinux: introduce schedule points in policydb_destroy()
selinux: add selinuxfs structure for object class discovery
selinux: change sel_make_dir() to specify inode counter.
selinux: rename sel_remove_bools() for more general usage.
selinux: add support for querying object classes and permissions from the running policy
Diffstat (limited to 'security/selinux/avc.c')
-rw-r--r-- | security/selinux/avc.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index e4396a8..78c408f 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -586,7 +586,7 @@ void avc_audit(u32 ssid, u32 tsid,
 }
 }
 if (inode)
- audit_log_format(ab, " dev=%s ino=%ld",
+ audit_log_format(ab, " dev=%s ino=%lu",
 inode->i_sb->s_id,
 inode->i_ino);
 break;
@@ -832,6 +832,7 @@ int avc_ss_reset(u32 seqno)
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: requested permissions, interpreted based on @tclass
+ * @flags: AVC_STRICT or 0
 * @avd: access vector decisions
 *
 * Check the AVC to determine whether the @requested permissions are granted
@@ -846,8 +847,9 @@ int avc_ss_reset(u32 seqno)
 * should be released for the auditing.
 */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
- u16 tclass, u32 requested,
- struct av_decision *avd)
+ u16 tclass, u32 requested,
+ unsigned flags,
+ struct av_decision *avd)
 {
 struct avc_node *node;
 struct avc_entry entry, *p_ae;
@@ -874,7 +876,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 denied = requested & ~(p_ae->avd.allowed);
 if (!requested || denied) {
- if (selinux_enforcing)
+ if (selinux_enforcing || (flags & AVC_STRICT))
 rc = -EACCES;
 else
 if (node)
@@ -909,7 +911,7 @@ int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
 struct av_decision avd;
 int rc;
- rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, &avd);
+ rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
 avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
 return rc;
 } |
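Review bot: The new kernel-doc line `@flags: AVC_STRICT or 0` in the comment above avc_has_perm_noaudit() names the flag but not its effect, which is what someone calling a permission check needs to know. Going by the later hunk in the same function, AVC_STRICT makes a denial return -EACCES even when `selinux_enforcing` is 0, so I would write ` * @flags: AVC_STRICT to deny with -EACCES even in permissive mode, or 0`. The rest of this comment block, including the part describing the return value, lies outside the hunk and may need the same sentence.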
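Review bot: In the new prototype of avc_has_perm_noaudit() the added parameter is declared as bare `unsigned flags,`; kernel style prefers `unsigned int flags,`, and the explicit type reads better for a value that is tested as a bit mask. Because the parameter is inserted ahead of `avd` rather than appended, every caller has to change. This diffstat is limited to security/selinux/avc.c, so callers in other files cannot be checked from this page.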
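Review bot: With `if (selinux_enforcing || (flags & AVC_STRICT))` a strict caller is denied in permissive mode through the no-audit entry point, so this function leaves no AVC record of the denial unless that caller goes on to call avc_audit() itself, as avc_has_perm() does in the last hunk. Such failures would be hard to trace on a system the administrator believes is permissive, so a comment at the test would help, for example `/* AVC_STRICT: deny even when permissive; the caller must audit if a record is wanted */`. The strict case also skips the `else` branch that follows, which looks intended but is worth stating there. The body of avc_has_perm_noaudit() starts and ends outside this hunk.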