Tree - rpms/kernel - CentOS Git server

rpms / kernel

Files

Commit: fd75f39f64fbcf928c5b2e454c1ecc80a6538a00

Blob Blame History Raw

 Bugzilla: 1033965
Upstream-status: 3.13 possible, or alternate fix
 
From df777e7aa8e3dd330bde63238595266ce1ee2d42 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 10 Dec 2013 15:06:49 -0500
Subject: [PATCH] Revert "selinux: consider filesystem subtype in policies"
 
This reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260.
---
 security/selinux/hooks.c       | 40 ++++++++++++++++++----------------------
 security/selinux/ss/services.c | 42 ++++--------------------------------------
 2 files changed, 22 insertions(+), 60 deletions(-)
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 794c3ca..98b1caa 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -95,10 +95,6 @@
 #include "audit.h"
 #include "avc_ss.h"
 
-#define SB_TYPE_FMT "%s%s%s"
-#define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0])
-#define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : ""
-
 extern struct security_operations *security_ops;
 
 /* SECMARK reference count */
@@ -413,8 +409,8 @@ static int sb_finish_set_opts(struct super_block *sb)
 		   the first boot of the SELinux kernel before we have
 		   assigned xattr values to the filesystem. */
 		if (!root_inode->i_op->getxattr) {
-			printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no "
-			       "xattr support\n", sb->s_id, SB_TYPE_ARGS(sb));
+			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
+			       "xattr support\n", sb->s_id, sb->s_type->name);
 			rc = -EOPNOTSUPP;
 			goto out;
 		}
@@ -422,22 +418,22 @@ static int sb_finish_set_opts(struct super_block *sb)
 		if (rc < 0 && rc != -ENODATA) {
 			if (rc == -EOPNOTSUPP)
 				printk(KERN_WARNING "SELinux: (dev %s, type "
-				       SB_TYPE_FMT") has no security xattr handler\n",
-				       sb->s_id, SB_TYPE_ARGS(sb));
+				       "%s) has no security xattr handler\n",
+				       sb->s_id, sb->s_type->name);
 			else
 				printk(KERN_WARNING "SELinux: (dev %s, type "
-				       SB_TYPE_FMT") getxattr errno %d\n", sb->s_id,
-				       SB_TYPE_ARGS(sb), -rc);
+				       "%s) getxattr errno %d\n", sb->s_id,
+				       sb->s_type->name, -rc);
 			goto out;
 		}
 	}
 
 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
-		printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n",
-		       sb->s_id, SB_TYPE_ARGS(sb));
+		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
+		       sb->s_id, sb->s_type->name);
 	else
-		printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n",
-		       sb->s_id, SB_TYPE_ARGS(sb),
+		printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
+		       sb->s_id, sb->s_type->name,
 		       labeling_behaviors[sbsec->behavior-1]);
 
 	sbsec->flags |= SE_SBINITIALIZED;
@@ -600,6 +596,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	const struct cred *cred = current_cred();
 	int rc = 0, i;
 	struct superblock_security_struct *sbsec = sb->s_security;
+	const char *name = sb->s_type->name;
 	struct inode *inode = sbsec->sb->s_root->d_inode;
 	struct inode_security_struct *root_isec = inode->i_security;
 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
@@ -658,8 +655,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 					     strlen(mount_options[i]), &sid);
 		if (rc) {
 			printk(KERN_WARNING "SELinux: security_context_to_sid"
-			       "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
-			       mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
+			       "(%s) failed for (dev %s, type %s) errno=%d\n",
+			       mount_options[i], sb->s_id, name, rc);
 			goto out;
 		}
 		switch (flags[i]) {
@@ -806,8 +803,7 @@ out:
 out_double_mount:
 	rc = -EINVAL;
 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
-	       "security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
-	       SB_TYPE_ARGS(sb));
+	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
 	goto out;
 }
 
@@ -2480,8 +2476,8 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
 		rc = security_context_to_sid(mount_options[i], len, &sid);
 		if (rc) {
 			printk(KERN_WARNING "SELinux: security_context_to_sid"
-			       "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
-			       mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
+			       "(%s) failed for (dev %s, type %s) errno=%d\n",
+			       mount_options[i], sb->s_id, sb->s_type->name, rc);
 			goto out_free_opts;
 		}
 		rc = -EINVAL;
@@ -2519,8 +2515,8 @@ out_free_secdata:
 	return rc;
 out_bad_option:
 	printk(KERN_WARNING "SELinux: unable to change security options "
-	       "during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
-	       SB_TYPE_ARGS(sb));
+	       "during remount (dev %s, type=%s)\n", sb->s_id,
+	       sb->s_type->name);
 	goto out_free_opts;
 }
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ee470a0..d106733 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2334,50 +2334,16 @@ int security_fs_use(struct super_block *sb)
 	struct ocontext *c;
 	struct superblock_security_struct *sbsec = sb->s_security;
 	const char *fstype = sb->s_type->name;
-	const char *subtype = (sb->s_subtype && sb->s_subtype[0]) ? sb->s_subtype : NULL;
-	struct ocontext *base = NULL;
 
 	read_lock(&policy_rwlock);
 
-	for (c = policydb.ocontexts[OCON_FSUSE]; c; c = c->next) {
-		char *sub;
-		int baselen;
-
-		baselen = strlen(fstype);
-
-		/* if base does not match, this is not the one */
-		if (strncmp(fstype, c->u.name, baselen))
-			continue;
-
-		/* if there is no subtype, this is the one! */
-		if (!subtype)
-			break;
-
-		/* skip past the base in this entry */
-		sub = c->u.name + baselen;
-
-		/* entry is only a base. save it. keep looking for subtype */
-		if (sub[0] == '\0') {
-			base = c;
-			continue;
-		}
-
-		/* entry is not followed by a subtype, so it is not a match */
-		if (sub[0] != '.')
-			continue;
-
-		/* whew, we found a subtype of this fstype */
-		sub++; /* move past '.' */
-
-		/* exact match of fstype AND subtype */
-		if (!strcmp(subtype, sub))
+	c = policydb.ocontexts[OCON_FSUSE];
+	while (c) {
+		if (strcmp(fstype, c->u.name) == 0)
 			break;
+		c = c->next;
 	}
 
-	/* in case we had found an fstype match but no subtype match */
-	if (!c)
-		c = base;
-
 	if (c) {
 		sbsec->behavior = c->v.behavior;
 		if (!c->sid[0]) {
-- 
1.8.3.1

	Bugzilla: 1033965
	Upstream-status: 3.13 possible, or alternate fix

	From df777e7aa8e3dd330bde63238595266ce1ee2d42 Mon Sep 17 00:00:00 2001
	From: Josh Boyer <jwboyer@fedoraproject.org>
	Date: Tue, 10 Dec 2013 15:06:49 -0500
	Subject: [PATCH] Revert "selinux: consider filesystem subtype in policies"

	This reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260.
	---
	security/selinux/hooks.c \| 40 ++++++++++++++++++----------------------
	security/selinux/ss/services.c \| 42 ++++--------------------------------------
	2 files changed, 22 insertions(+), 60 deletions(-)

	diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
	index 794c3ca..98b1caa 100644
	--- a/security/selinux/hooks.c
	+++ b/security/selinux/hooks.c
	@@ -95,10 +95,6 @@
	#include "audit.h"
	#include "avc_ss.h"

	-#define SB_TYPE_FMT "%s%s%s"
	-#define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0])
	-#define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : ""
	-
	extern struct security_operations *security_ops;

	/* SECMARK reference count */
	@@ -413,8 +409,8 @@ static int sb_finish_set_opts(struct super_block *sb)
	the first boot of the SELinux kernel before we have
	assigned xattr values to the filesystem. */
	if (!root_inode->i_op->getxattr) {
	- printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no "
	- "xattr support\n", sb->s_id, SB_TYPE_ARGS(sb));
	+ printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
	+ "xattr support\n", sb->s_id, sb->s_type->name);
	rc = -EOPNOTSUPP;
	goto out;
	}
	@@ -422,22 +418,22 @@ static int sb_finish_set_opts(struct super_block *sb)
	if (rc < 0 && rc != -ENODATA) {
	if (rc == -EOPNOTSUPP)
	printk(KERN_WARNING "SELinux: (dev %s, type "
	- SB_TYPE_FMT") has no security xattr handler\n",
	- sb->s_id, SB_TYPE_ARGS(sb));
	+ "%s) has no security xattr handler\n",
	+ sb->s_id, sb->s_type->name);
	else
	printk(KERN_WARNING "SELinux: (dev %s, type "
	- SB_TYPE_FMT") getxattr errno %d\n", sb->s_id,
	- SB_TYPE_ARGS(sb), -rc);
	+ "%s) getxattr errno %d\n", sb->s_id,
	+ sb->s_type->name, -rc);
	goto out;
	}
	}

	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
	- printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n",
	- sb->s_id, SB_TYPE_ARGS(sb));
	+ printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
	+ sb->s_id, sb->s_type->name);
	else
	- printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n",
	- sb->s_id, SB_TYPE_ARGS(sb),
	+ printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
	+ sb->s_id, sb->s_type->name,
	labeling_behaviors[sbsec->behavior-1]);

	sbsec->flags \|= SE_SBINITIALIZED;
	@@ -600,6 +596,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
	const struct cred *cred = current_cred();
	int rc = 0, i;
	struct superblock_security_struct *sbsec = sb->s_security;
	+ const char *name = sb->s_type->name;
	struct inode *inode = sbsec->sb->s_root->d_inode;
	struct inode_security_struct *root_isec = inode->i_security;
	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
	@@ -658,8 +655,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
	strlen(mount_options[i]), &sid);
	if (rc) {
	printk(KERN_WARNING "SELinux: security_context_to_sid"
	- "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
	- mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
	+ "(%s) failed for (dev %s, type %s) errno=%d\n",
	+ mount_options[i], sb->s_id, name, rc);
	goto out;
	}
	switch (flags[i]) {
	@@ -806,8 +803,7 @@ out:
	out_double_mount:
	rc = -EINVAL;
	printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
	- "security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
	- SB_TYPE_ARGS(sb));
	+ "security settings for (dev %s, type %s)\n", sb->s_id, name);
	goto out;
	}

	@@ -2480,8 +2476,8 @@ static int selinux_sb_remount(struct super_block sb, void data)
	rc = security_context_to_sid(mount_options[i], len, &sid);
	if (rc) {
	printk(KERN_WARNING "SELinux: security_context_to_sid"
	- "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
	- mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
	+ "(%s) failed for (dev %s, type %s) errno=%d\n",
	+ mount_options[i], sb->s_id, sb->s_type->name, rc);
	goto out_free_opts;
	}
	rc = -EINVAL;
	@@ -2519,8 +2515,8 @@ out_free_secdata:
	return rc;
	out_bad_option:
	printk(KERN_WARNING "SELinux: unable to change security options "
	- "during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
	- SB_TYPE_ARGS(sb));
	+ "during remount (dev %s, type=%s)\n", sb->s_id,
	+ sb->s_type->name);
	goto out_free_opts;
	}

	diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
	index ee470a0..d106733 100644
	--- a/security/selinux/ss/services.c
	+++ b/security/selinux/ss/services.c
	@@ -2334,50 +2334,16 @@ int security_fs_use(struct super_block *sb)
	struct ocontext *c;
	struct superblock_security_struct *sbsec = sb->s_security;
	const char *fstype = sb->s_type->name;
	- const char *subtype = (sb->s_subtype && sb->s_subtype[0]) ? sb->s_subtype : NULL;
	- struct ocontext *base = NULL;

	read_lock(&policy_rwlock);

	- for (c = policydb.ocontexts[OCON_FSUSE]; c; c = c->next) {
	- char *sub;
	- int baselen;
	-
	- baselen = strlen(fstype);
	-
	- /* if base does not match, this is not the one */
	- if (strncmp(fstype, c->u.name, baselen))
	- continue;
	-
	- /* if there is no subtype, this is the one! */
	- if (!subtype)
	- break;
	-
	- /* skip past the base in this entry */
	- sub = c->u.name + baselen;
	-
	- /* entry is only a base. save it. keep looking for subtype */
	- if (sub[0] == '\0') {
	- base = c;
	- continue;
	- }
	-
	- /* entry is not followed by a subtype, so it is not a match */
	- if (sub[0] != '.')
	- continue;
	-
	- /* whew, we found a subtype of this fstype */
	- sub++; /* move past '.' */
	-
	- /* exact match of fstype AND subtype */
	- if (!strcmp(subtype, sub))
	+ c = policydb.ocontexts[OCON_FSUSE];
	+ while (c) {
	+ if (strcmp(fstype, c->u.name) == 0)
	break;
	+ c = c->next;
	}

	- /* in case we had found an fstype match but no subtype match */
	- if (!c)
	- c = base;
	-
	if (c) {
	sbsec->behavior = c->v.behavior;
	if (!c->sid[0]) {
	--
	1.8.3.1

rpms / kernel

Source Code

Files