diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/dummy.c | 10 | ||||
| -rw-r--r-- | security/security.c | 20 | ||||
| -rw-r--r-- | security/selinux/avc.c | 9 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 23 | ||||
| -rw-r--r-- | security/selinux/netif.c | 2 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 4 |
6 files changed, 44 insertions, 24 deletions
diff --git a/security/dummy.c b/security/dummy.c index 98d5f969cdc8..b0232bbf427b 100644 --- a/security/dummy.c +++ b/security/dummy.c @@ -196,13 +196,13 @@ static int dummy_sb_statfs (struct dentry *dentry) return 0; } -static int dummy_sb_mount (char *dev_name, struct nameidata *nd, char *type, +static int dummy_sb_mount (char *dev_name, struct path *path, char *type, unsigned long flags, void *data) { return 0; } -static int dummy_sb_check_sb (struct vfsmount *mnt, struct nameidata *nd) +static int dummy_sb_check_sb (struct vfsmount *mnt, struct path *path) { return 0; } @@ -229,17 +229,17 @@ static void dummy_sb_post_remount (struct vfsmount *mnt, unsigned long flags, } -static void dummy_sb_post_addmount (struct vfsmount *mnt, struct nameidata *nd) +static void dummy_sb_post_addmount (struct vfsmount *mnt, struct path *path) { return; } -static int dummy_sb_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) +static int dummy_sb_pivotroot (struct path *old_path, struct path *new_path) { return 0; } -static void dummy_sb_post_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) +static void dummy_sb_post_pivotroot (struct path *old_path, struct path *new_path) { return; } diff --git a/security/security.c b/security/security.c index 2e250c7028eb..8a285c7b9962 100644 --- a/security/security.c +++ b/security/security.c @@ -296,15 +296,15 @@ int security_sb_statfs(struct dentry *dentry) return security_ops->sb_statfs(dentry); } -int security_sb_mount(char *dev_name, struct nameidata *nd, +int security_sb_mount(char *dev_name, struct path *path, char *type, unsigned long flags, void *data) { - return security_ops->sb_mount(dev_name, nd, type, flags, data); + return security_ops->sb_mount(dev_name, path, type, flags, data); } -int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd) +int security_sb_check_sb(struct vfsmount *mnt, struct path *path) { - return security_ops->sb_check_sb(mnt, nd); + return security_ops->sb_check_sb(mnt, path); } int security_sb_umount(struct vfsmount *mnt, int flags) @@ -327,19 +327,19 @@ void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *d security_ops->sb_post_remount(mnt, flags, data); } -void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd) +void security_sb_post_addmount(struct vfsmount *mnt, struct path *mountpoint) { - security_ops->sb_post_addmount(mnt, mountpoint_nd); + security_ops->sb_post_addmount(mnt, mountpoint); } -int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) +int security_sb_pivotroot(struct path *old_path, struct path *new_path) { - return security_ops->sb_pivotroot(old_nd, new_nd); + return security_ops->sb_pivotroot(old_path, new_path); } -void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) +void security_sb_post_pivotroot(struct path *old_path, struct path *new_path) { - security_ops->sb_post_pivotroot(old_nd, new_nd); + security_ops->sb_post_pivotroot(old_path, new_path); } int security_sb_get_mnt_opts(const struct super_block *sb, diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 1d69f6649bff..95a8ef4a5073 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -312,6 +312,7 @@ static inline int avc_reclaim_node(void) if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) continue; + rcu_read_lock(); list_for_each_entry(node, &avc_cache.slots[hvalue], list) { if (atomic_dec_and_test(&node->ae.used)) { /* Recently Unused */ @@ -319,11 +320,13 @@ static inline int avc_reclaim_node(void) avc_cache_stats_incr(reclaims); ecx++; if (ecx >= AVC_CACHE_RECLAIM) { + rcu_read_unlock(); spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); goto out; } } } + rcu_read_unlock(); spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); } out: @@ -821,8 +824,14 @@ int avc_ss_reset(u32 seqno) for (i = 0; i < AVC_CACHE_SLOTS; i++) { spin_lock_irqsave(&avc_cache.slots_lock[i], flag); + /* + * With preemptable RCU, the outer spinlock does not + * prevent RCU grace periods from ending. + */ + rcu_read_lock(); list_for_each_entry(node, &avc_cache.slots[i], list) avc_node_delete(node); + rcu_read_unlock(); spin_unlock_irqrestore(&avc_cache.slots_lock[i], flag); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1bf2543ea942..308e2cf17d75 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -755,9 +755,18 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, int set_context = (oldsbsec->flags & CONTEXT_MNT); int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); - /* we can't error, we can't save the info, this shouldn't get called - * this early in the boot process. */ - BUG_ON(!ss_initialized); + /* + * if the parent was able to be mounted it clearly had no special lsm + * mount options. thus we can safely put this sb on the list and deal + * with it later + */ + if (!ss_initialized) { + spin_lock(&sb_security_lock); + if (list_empty(&newsbsec->list)) + list_add(&newsbsec->list, &superblock_security_head); + spin_unlock(&sb_security_lock); + return; + } /* how can we clone if the old one wasn't set up?? */ BUG_ON(!oldsbsec->initialized); @@ -2392,22 +2401,22 @@ static int selinux_sb_statfs(struct dentry *dentry) } static int selinux_mount(char *dev_name, - struct nameidata *nd, + struct path *path, char *type, unsigned long flags, void *data) { int rc; - rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); + rc = secondary_ops->sb_mount(dev_name, path, type, flags, data); if (rc) return rc; if (flags & MS_REMOUNT) - return superblock_has_perm(current, nd->path.mnt->mnt_sb, + return superblock_has_perm(current, path->mnt->mnt_sb, FILESYSTEM__REMOUNT, NULL); else - return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, + return dentry_has_perm(current, path->mnt, path->dentry, FILE__MOUNTON); } diff --git a/security/selinux/netif.c b/security/selinux/netif.c index c658b84c3196..b4e14bc0bf32 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c @@ -239,11 +239,13 @@ static void sel_netif_kill(int ifindex) { struct sel_netif *netif; + rcu_read_lock(); spin_lock_bh(&sel_netif_lock); netif = sel_netif_find(ifindex); if (netif) sel_netif_destroy(netif); spin_unlock_bh(&sel_netif_lock); + rcu_read_unlock(); } /** diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 93f5b0ce662a..4215971434e6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -315,10 +315,10 @@ static int smack_sb_statfs(struct dentry *dentry) * Returns 0 if current can write the floor of the filesystem * being mounted on, an error code otherwise. */ -static int smack_sb_mount(char *dev_name, struct nameidata *nd, +static int smack_sb_mount(char *dev_name, struct path *path, char *type, unsigned long flags, void *data) { - struct superblock_smack *sbp = nd->path.mnt->mnt_sb->s_security; + struct superblock_smack *sbp = path->mnt->mnt_sb->s_security; return smk_curacc(sbp->smk_floor, MAY_WRITE); } |