diff options
author | Kevin Hilman <khilman@linaro.org> | 2015-06-10 15:23:11 -0700 |
---|---|---|
committer | Kevin Hilman <khilman@linaro.org> | 2015-06-10 15:23:11 -0700 |
commit | 2528dbd348dd541e090594b7aac3f62351078388 (patch) | |
tree | a2ddf8323359b85d4be7de3ba498d7ec18e6e3f3 /security/selinux/hooks.c | |
parent | d109c1ac070c962c4332015d06a008345a44a02c (diff) | |
parent | 17b3b28baf84999421d56dce68c4b1c1ec7f1ef3 (diff) |
Merge branch 'linaro-android-3.14-lsk' of git://android.git.linaro.org/kernel/linaro-android into linux-linaro-lsk-v3.14-androidlsk-v3.14-15.06-android
* 'linaro-android-3.14-lsk' of git://android.git.linaro.org/kernel/linaro-android:
fix: align closely to AOSP.
sched: cpufreq: update power usage only if cpufreq_stat is enabled
uid_cputime: Extends the cputime functionality to report power per uid
sched: cpufreq: Adds a field cpu_power in the task_struct
cpufreq_stats: Adds the fucntionality to load current values for each frequency for all the cores.
New Build Breakage in branch: kernel-m-dev-tegra-flounder-3.10 @ 1960706
net/unix: sk_socket can disappear when state is unlocked
selinux: enable genfscon labeling for sysfs and pstore files
ext4: don't save the error information if the block device is read-only
selinux: enable per-file labeling for debugfs files.
cpufreq: interactive: Rearm governor timer at max freq
cpufreq: interactive: Implement cluster-based min_sample_time
cpufreq: interactive: Exercise hispeed settings at a policy level
suspend: Return error when pending wakeup source is found.
proc: uid_cputime: fix show_uid_stat permission
nf: IDLETIMER: Fix broken uid field in the msg
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 45 |
1 files changed, 23 insertions, 22 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a10e0c772fed..6ce2734bcb37 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -731,7 +731,12 @@ static int selinux_set_mnt_opts(struct super_block *sb, } if (strcmp(sb->s_type->name, "proc") == 0) - sbsec->flags |= SE_SBPROC; + sbsec->flags |= SE_SBPROC | SE_SBGENFS; + + if (!strcmp(sb->s_type->name, "debugfs") || + !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "pstore")) + sbsec->flags |= SE_SBGENFS; if (!sbsec->behavior) { /* @@ -1227,12 +1232,13 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc return SECCLASS_SOCKET; } -#ifdef CONFIG_PROC_FS -static int selinux_proc_get_sid(struct dentry *dentry, - u16 tclass, - u32 *sid) +static int selinux_genfs_get_sid(struct dentry *dentry, + u16 tclass, + u16 flags, + u32 *sid) { int rc; + struct super_block *sb = dentry->d_inode->i_sb; char *buffer, *path; buffer = (char *)__get_free_page(GFP_KERNEL); @@ -1243,26 +1249,20 @@ static int selinux_proc_get_sid(struct dentry *dentry, if (IS_ERR(path)) rc = PTR_ERR(path); else { - /* each process gets a /proc/PID/ entry. Strip off the - * PID part to get a valid selinux labeling. - * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ - while (path[1] >= '0' && path[1] <= '9') { - path[1] = '/'; - path++; + if (flags & SE_SBPROC) { + /* each process gets a /proc/PID/ entry. Strip off the + * PID part to get a valid selinux labeling. + * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ + while (path[1] >= '0' && path[1] <= '9') { + path[1] = '/'; + path++; + } } - rc = security_genfs_sid("proc", path, tclass, sid); + rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); } free_page((unsigned long)buffer); return rc; } -#else -static int selinux_proc_get_sid(struct dentry *dentry, - u16 tclass, - u32 *sid) -{ - return -EINVAL; -} -#endif /* The inode's security attributes must be initialized before first use. */ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) @@ -1419,7 +1419,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent /* Default to the fs superblock SID. */ isec->sid = sbsec->sid; - if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { + if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { /* We must have a dentry to determine the label on * procfs inodes */ if (opt_dentry) @@ -1442,7 +1442,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent if (!dentry) goto out_unlock; isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = selinux_proc_get_sid(dentry, isec->sclass, &sid); + rc = selinux_genfs_get_sid(dentry, isec->sclass, + sbsec->flags, &sid); dput(dentry); if (rc) goto out_unlock; |