Merge head 'upstream' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev

[pandora-kernel.git] / security / selinux / ss / services.c

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 5a820cf..0141204 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
                goto out;
        if (context_struct_to_string(tcontext, &t, &tlen) < 0)
                goto out;
-       audit_log(current->audit_context,
+       audit_log(current->audit_context, AUDIT_SELINUX_ERR,
                  "security_validate_transition:  denied for"
                  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
                  o, n, t, policydb.p_class_val_to_name[tclass-1]);
@@ -476,8 +476,8 @@ int security_compute_av(u32 ssid,
        int rc = 0;
 
        if (!ss_initialized) {
-               avd->allowed = requested;
-               avd->decided = requested;
+               avd->allowed = 0xffffffff;
+               avd->decided = 0xffffffff;
                avd->auditallow = 0;
                avd->auditdeny = 0xffffffff;
                avd->seqno = latest_granting;
@@ -601,18 +601,7 @@ out:
 
 }
 
-/**
- * security_context_to_sid - Obtain a SID for a given security context.
- * @scontext: security context
- * @scontext_len: length in bytes
- * @sid: security identifier, SID
- *
- * Obtains a SID associated with the security context that
- * has the string representation specified by @scontext.
- * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
- * memory is available, or 0 on success.
- */
-int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
+static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
 {
        char *scontext2;
        struct context context;
@@ -703,7 +692,7 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
 
        context.type = typdatum->value;
 
-       rc = mls_context_to_sid(oldc, &p, &context);
+       rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
        if (rc)
                goto out_unlock;
 
@@ -727,6 +716,46 @@ out:
        return rc;
 }
 
+/**
+ * security_context_to_sid - Obtain a SID for a given security context.
+ * @scontext: security context
+ * @scontext_len: length in bytes
+ * @sid: security identifier, SID
+ *
+ * Obtains a SID associated with the security context that
+ * has the string representation specified by @scontext.
+ * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
+ * memory is available, or 0 on success.
+ */
+int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
+{
+       return security_context_to_sid_core(scontext, scontext_len,
+                                           sid, SECSID_NULL);
+}
+
+/**
+ * security_context_to_sid_default - Obtain a SID for a given security context,
+ * falling back to specified default if needed.
+ *
+ * @scontext: security context
+ * @scontext_len: length in bytes
+ * @sid: security identifier, SID
+ * @def_sid: default SID to assign on errror
+ *
+ * Obtains a SID associated with the security context that
+ * has the string representation specified by @scontext.
+ * The default SID is passed to the MLS layer to be used to allow
+ * kernel labeling of the MLS field if the MLS field is not present
+ * (for upgrading to MLS without full relabel).
+ * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
+ * memory is available, or 0 on success.
+ */
+int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
+{
+       return security_context_to_sid_core(scontext, scontext_len,
+                                           sid, def_sid);
+}
+
 static int compute_sid_handle_invalid_context(
        struct context *scontext,
        struct context *tcontext,
@@ -742,7 +771,7 @@ static int compute_sid_handle_invalid_context(
                goto out;
        if (context_struct_to_string(newcontext, &n, &nlen) < 0)
                goto out;
-       audit_log(current->audit_context,
+       audit_log(current->audit_context, AUDIT_SELINUX_ERR,
                  "security_compute_sid:  invalid context %s"
                  " for scontext=%s"
                  " tcontext=%s"
@@ -1196,9 +1225,11 @@ int security_load_policy(void *data, size_t len)
                }
                policydb_loaded_version = policydb.policyvers;
                ss_initialized = 1;
-
+               seqno = ++latest_granting;
                LOAD_UNLOCK;
                selinux_complete_init();
+               avc_ss_reset(seqno);
+               selnl_notify_policyload(seqno);
                return 0;
        }
 
@@ -1703,11 +1734,9 @@ out:
 err:
        if (*names) {
                for (i = 0; i < *len; i++)
-                       if ((*names)[i])
-                               kfree((*names)[i]);
+                       kfree((*names)[i]);
        }
-       if (*values)
-               kfree(*values);
+       kfree(*values);
        goto out;
 }