From e392febedb6e1050a1a81a7bd72456a32c88e710 Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:08 -0400
Subject: SELinux: avc_ss.h whitespace, syntax, and other cleanups
This patch changes avc_ss.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) whitespace at end of lines spaces followed by tabs spaces used instead of tabs spacing around parenthesis location of { around structs and else clauses location of * in pointer declarations removal of initialization of static data to keep it in the right section useless {} in if statemetns useless checking for NULL before kfree fixing of the indentation depth of switch statements no assignments in if statements and any number of other things I forgot to mention
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/include/avc_ss.h | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index ff869e8b6f4a..c0d314d9f8e1 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -10,22 +10,19 @@
 int avc_ss_reset(u32 seqno);
-struct av_perm_to_string
-{
+struct av_perm_to_string {
 u16 tclass;
 u32 value;
 const char *name;
 };
-struct av_inherit
-{
+struct av_inherit {
 u16 tclass;
 const char **common_pts;
 u32 common_base;
 };
-struct selinux_class_perm
-{
+struct selinux_class_perm {
 const struct av_perm_to_string *av_perm_to_string;
 u32 av_pts_len;
 const char **class_to_string;
-- cgit v1.2.3-58-ga151
From cc03766aaf0b670581ec2bd5cba2b9051d14df8d Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:09 -0400
Subject: SELinux: netlabel.h whitespace, syntax, and other cleanups
This patch changes netlabel.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/include/netlabel.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 9a9e7cd9a379..487a7d81fe20 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -64,7 +64,7 @@ static inline void selinux_netlbl_cache_invalidate(void)
 }
 static inline void selinux_netlbl_sk_security_reset(
- struct sk_security_struct *ssec,
+ struct sk_security_struct *ssec,
 int family)
 {
 return;
-- cgit v1.2.3-58-ga151
From a936b79bdf97285e0274eca7b656fc6350ca57ea Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:10 -0400
Subject: SELinux: objsec.h whitespace, syntax, and other cleanups
This patch changes objsec.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) whitespace at end of lines spaces followed by tabs spaces used instead of tabs spacing around parenthesis location of { around structs and else clauses location of * in pointer declarations removal of initialization of static data to keep it in the right section useless {} in if statemetns useless checking for NULL before kfree fixing of the indentation depth of switch statements no assignments in if statements and any number of other things I forgot to mention
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/include/objsec.h | 60 +++++++++++++++++++--------------------
 1 file changed, 30 insertions(+), 30 deletions(-)
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 300b61bad7b3..032c2357dad1 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -4,16 +4,16 @@
 * This file contains the SELinux security data structures for kernel objects.
 *
 * Author(s): Stephen Smalley,
- * Chris Vance,
- * Wayne Salamon,
- * James Morris
+ * Chris Vance,
+ * Wayne Salamon,
+ * James Morris
 *
 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 * Copyright (C) 2003 Red Hat, Inc., James Morris
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2,
- * as published by the Free Software Foundation.
+ * as published by the Free Software Foundation.
 */
 #ifndef _SELINUX_OBJSEC_H_
 #define _SELINUX_OBJSEC_H_
@@ -28,58 +28,58 @@
 #include "avc.h"
 struct task_security_struct {
- u32 osid; /* SID prior to last execve */
- u32 sid; /* current SID */
- u32 exec_sid; /* exec SID */
- u32 create_sid; /* fscreate SID */
- u32 keycreate_sid; /* keycreate SID */
- u32 sockcreate_sid; /* fscreate SID */
+ u32 osid; /* SID prior to last execve */
+ u32 sid; /* current SID */
+ u32 exec_sid; /* exec SID */
+ u32 create_sid; /* fscreate SID */
+ u32 keycreate_sid; /* keycreate SID */
+ u32 sockcreate_sid; /* fscreate SID */
 };
 struct inode_security_struct {
- struct inode *inode; /* back pointer to inode object */
- struct list_head list; /* list of inode_security_struct */
- u32 task_sid; /* SID of creating task */
- u32 sid; /* SID of this object */
- u16 sclass; /* security class of this object */
- unsigned char initialized; /* initialization flag */
+ struct inode *inode; /* back pointer to inode object */
+ struct list_head list; /* list of inode_security_struct */
+ u32 task_sid; /* SID of creating task */
+ u32 sid; /* SID of this object */
+ u16 sclass; /* security class of this object */
+ unsigned char initialized; /* initialization flag */
 struct mutex lock;
- unsigned char inherit; /* inherit SID from parent entry */
+ unsigned char inherit; /* inherit SID from parent entry */
 };
 struct file_security_struct {
- u32 sid; /* SID of open file description */
- u32 fown_sid; /* SID of file owner (for SIGIO) */
- u32 isid; /* SID of inode at the time of file open */
- u32 pseqno; /* Policy seqno at the time of file open */
+ u32 sid; /* SID of open file description */
+ u32 fown_sid; /* SID of file owner (for SIGIO) */
+ u32 isid; /* SID of inode at the time of file open */
+ u32 pseqno; /* Policy seqno at the time of file open */
 };
 struct superblock_security_struct {
- struct super_block *sb; /* back pointer to sb object */
- struct list_head list; /* list of superblock_security_struct */
+ struct super_block *sb; /* back pointer to sb object */
+ struct list_head list; /* list of superblock_security_struct */
 u32 sid; /* SID of file system superblock */
 u32 def_sid; /* default SID for labeling */
 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
- unsigned int behavior; /* labeling behavior */
- unsigned char initialized; /* initialization flag */
+ unsigned int behavior; /* labeling behavior */
+ unsigned char initialized; /* initialization flag */
 unsigned char flags; /* which mount options were specified */
- unsigned char proc; /* proc fs */
+ unsigned char proc; /* proc fs */
 struct mutex lock;
 struct list_head isec_head;
 spinlock_t isec_lock;
 };
 struct msg_security_struct {
- u32 sid; /* SID of message */
+ u32 sid; /* SID of message */
 };
 struct ipc_security_struct {
 u16 sclass; /* security class of this object */
- u32 sid; /* SID of IPC resource */
+ u32 sid; /* SID of IPC resource */
 };
 struct bprm_security_struct {
- u32 sid; /* SID for transformed process */
+ u32 sid; /* SID for transformed process */
 unsigned char set;
 /*
@@ -123,7 +123,7 @@ struct sk_security_struct {
 };
 struct key_security_struct {
- u32 sid; /* SID of key */
+ u32 sid; /* SID of key */
 };
 extern unsigned int selinux_checkreqprot;
-- cgit v1.2.3-58-ga151
From b19d8eae99dae42bb747954fdbb2cd456922eb5f Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:11 -0400
Subject: SELinux: selinux/include/security.h whitespace, syntax, and other cleanups
This patch changes selinux/include/security.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) whitespace at end of lines spaces followed by tabs spaces used instead of tabs spacing around parenthesis location of { around structs and else clauses location of * in pointer declarations removal of initialization of static data to keep it in the right section useless {} in if statemetns useless checking for NULL before kfree fixing of the indentation depth of switch statements no assignments in if statements and any number of other things I forgot to mention
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/include/security.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 1904c462a605..6445b6440648 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -62,7 +62,7 @@ enum {
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
-int security_load_policy(void * data, size_t len);
+int security_load_policy(void *data, size_t len);
 int security_policycap_supported(unsigned int req_cap);
@@ -110,7 +110,7 @@ int security_node_sid(u16 domain, void *addr, u32 addrlen,
 u32 *out_sid);
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
- u16 tclass);
+ u16 tclass);
 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
-- cgit v1.2.3-58-ga151
From ccb3cbeb4f285a02103ded5298850a21e7028ba4 Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:12 -0400
Subject: SELinux: ss/conditional.h whitespace, syntax, and other cleanups
This patch changes ss/conditional.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) location of * in pointer declarations
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/ss/conditional.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h
index f3a1fc6e5d66..65b9f8366e9c 100644
--- a/security/selinux/ss/conditional.h
+++ b/security/selinux/ss/conditional.h
@@ -59,10 +59,10 @@ struct cond_node {
 struct cond_node *next;
 };
-int cond_policydb_init(struct policydb* p);
-void cond_policydb_destroy(struct policydb* p);
+int cond_policydb_init(struct policydb *p);
+void cond_policydb_destroy(struct policydb *p);
-int cond_init_bool_indexes(struct policydb* p);
+int cond_init_bool_indexes(struct policydb *p);
 int cond_destroy_bool(void *key, void *datum, void *p);
 int cond_index_bool(void *key, void *datum, void *datap);
-- cgit v1.2.3-58-ga151
From 81fa42df78511e3bdbc0ea545990bda6a5b3e7de Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:13 -0400
Subject: SELinux: context.h whitespace, syntax, and other cleanups
This patch changes context.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) include spaces around , in function calls
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/ss/context.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
index 2eee0dab524d..b9a6f7fc62fc 100644
--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -84,9 +84,9 @@ static inline int mls_context_cmp(struct context *c1, struct context *c2)
 return 1;
 return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
- ebitmap_cmp(&c1->range.level[0].cat,&c2->range.level[0].cat) &&
+ ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
 (c1->range.level[1].sens == c2->range.level[1].sens) &&
- ebitmap_cmp(&c1->range.level[1].cat,&c2->range.level[1].cat));
+ ebitmap_cmp(&c1->range.level[1].cat, &c2->range.level[1].cat));
 }
 static inline void mls_context_destroy(struct context *c)
-- cgit v1.2.3-58-ga151
From faff786ce2f7c14f25d29cf61b0634c8f6c4827f Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:14 -0400
Subject: SELinux: hashtab.h whitespace, syntax, and other cleanups
This patch changes hashtab.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/ss/hashtab.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/selinux/ss/hashtab.h b/security/selinux/ss/hashtab.h
index 7e2ff3e3c6d2..953872cd84ab 100644
--- a/security/selinux/ss/hashtab.h
+++ b/security/selinux/ss/hashtab.h
@@ -40,8 +40,8 @@ struct hashtab_info {
 * the new hash table otherwise.
 */
 struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
- int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
- u32 size);
+ int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
+ u32 size);
 /*
 * Inserts the specified (key, datum) pair into the specified hash table.
@@ -49,7 +49,7 @@ struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *
 * Returns -ENOMEM on memory allocation error,
 * -EEXIST if there is already an entry with the same key,
 * -EINVAL for general errors or
- * 0 otherwise.
+ 0 otherwise.
 */
 int hashtab_insert(struct hashtab *h, void *k, void *d);
-- cgit v1.2.3-58-ga151
From d497fc87c0e201194c3af75b787178cf4559f84b Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:15 -0400
Subject: SELinux: mls.h whitespace, syntax, and other cleanups
This patch changes mls.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/ss/mls.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index ab53663d9f5f..0fdf6257ef64 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -13,7 +13,7 @@
 /*
 * Updated: Hewlett-Packard
 *
- * Added support to import/export the MLS label from NetLabel
+ * Added support to import/export the MLS label from NetLabel
 *
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 */
@@ -31,7 +31,7 @@ int mls_range_isvalid(struct policydb *p, struct mls_range *r);
 int mls_level_isvalid(struct policydb *p, struct mls_level *l);
 int mls_context_to_sid(char oldc,
- char **scontext,
+ char **scontext,
 struct context *context,
 struct sidtab *s,
 u32 def_sid);
@@ -49,7 +49,7 @@ int mls_compute_sid(struct context *scontext,
 struct context *newcontext);
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
- struct context *usercon);
+ struct context *usercon);
 #ifdef CONFIG_NETLABEL
 void mls_export_netlbl_lvl(struct context *context,
-- cgit v1.2.3-58-ga151
From 8bf1f3a6c0f7e4092c0c041175a52734600490ba Mon Sep 17 00:00:00 2001
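Review bot: In the hashtab.h hunk at `-49,7`, the added line `0 otherwise.` has lost the ` * ` comment leader that the removed line ` * 0 otherwise.` still carried, so the block comment above `hashtab_insert()` no longer has a consistent left edge. The commit message lists only "spaces used instead of tabs" for this file, so dropping the asterisk looks like an unintended side effect of the cleanup rather than a deliberate change. The new line should keep the leader and only normalise what follows it, e.g. ` * 0 otherwise.` with the indentation after the asterisk matching the `-EEXIST`/`-EINVAL` lines above it (exact whitespace is not recoverable from this rendering). The comment block opens above the hunk, so its first lines are not visible here.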
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:16 -0400
Subject: SELinux: mls_types.h whitespace, syntax, and other cleanups
This patch changes mls_types.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/ss/mls_types.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/ss/mls_types.h b/security/selinux/ss/mls_types.h
index 0c692d58d489..b6e943a21061 100644
--- a/security/selinux/ss/mls_types.h
+++ b/security/selinux/ss/mls_types.h
@@ -31,7 +31,7 @@ static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
 return 1;
 return ((l1->sens == l2->sens) &&
- ebitmap_cmp(&l1->cat, &l2->cat));
+ ebitmap_cmp(&l1->cat, &l2->cat));
 }
 static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
@@ -40,7 +40,7 @@ static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
 return 1;
 return ((l1->sens >= l2->sens) &&
- ebitmap_contains(&l1->cat, &l2->cat));
+ ebitmap_contains(&l1->cat, &l2->cat));
 }
 #define mls_level_incomp(l1, l2) \
-- cgit v1.2.3-58-ga151
From 489a5fd7198d2d2368dd5cf697c841ea4d61ddd1 Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Tue, 22 Apr 2008 17:46:17 -0400
Subject: SELinux: policydb.h whitespace, syntax, and other cleanups
This patch changes policydb.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) spaces followed by tabs spaces used instead of tabs location of * in pointer declarations
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/selinux/ss/policydb.h | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index ba593a3da877..4253370fda6a 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -12,12 +12,12 @@
 *
 * Updated: Frank Mayer and Karl MacMillan
 *
- * Added conditional policy language extensions
+ * Added conditional policy language extensions
 *
 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
 * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 2.
 */
@@ -221,7 +221,7 @@ struct policydb {
 /* type enforcement conditional access vectors and transitions */
 struct avtab te_cond_avtab;
 /* linked list indexing te_cond_avtab by conditional */
- struct cond_node* cond_list;
+ struct cond_node *cond_list;
 /* role allows */
 struct role_allow *role_allow;
@@ -230,10 +230,10 @@ struct policydb {
 TCP or UDP port numbers, network interfaces and nodes */
 struct ocontext *ocontexts[OCON_NUM];
- /* security contexts for files in filesystems that cannot support
+ /* security contexts for files in filesystems that cannot support
 a persistent label mapping or use another fixed labeling behavior. */
- struct genfs *genfs;
+ struct genfs *genfs;
 /* range transitions */
 struct range_trans *range_tr;
-- cgit v1.2.3-58-ga151
From 7b41b1733ca1d3278c8eb891e17905d7d54f5bfa Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Wed, 23 Apr 2008 14:10:25 -0400
Subject: SELinux: include/security.h whitespace, syntax, and other cleanups
This patch changes include/security.h to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) whitespace at end of lines spaces followed by tabs spaces used instead of tabs spacing around parenthesis location of { around structs and else clauses location of * in pointer declarations removal of initialization of static data to keep it in the right section useless {} in if statemetns useless checking for NULL before kfree fixing of the indentation depth of switch statements no assignments in if statements include spaces around , in function calls and any number of other things I forgot to mention
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 include/linux/security.h | 898 +++++++++++++++++++++++------------------------
 1 file changed, 449 insertions(+), 449 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 53a34539382a..a90c06376eec 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -46,25 +46,25 @@ struct audit_krule;
 * These functions are in security/capability.c and are used
 * as the default capabilities functions
 */
-extern int cap_capable (struct task_struct *tsk, int cap);
-extern int cap_settime (struct timespec *ts, struct timezone *tz);
-extern int cap_ptrace (struct task_struct *parent, struct task_struct *child);
-extern int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
-extern int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
-extern void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
-extern int cap_bprm_set_security (struct linux_binprm *bprm);
-extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe);
+extern int cap_capable(struct task_struct *tsk, int cap);
+extern int cap_settime(struct timespec *ts, struct timezone *tz);
+extern int cap_ptrace(struct task_struct *parent, struct task_struct *child);
+extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
+extern int cap_capset_check(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
+extern void cap_capset_set(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
+extern int cap_bprm_set_security(struct linux_binprm *bprm);
+extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
 extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags);
 extern int cap_inode_removexattr(struct dentry *dentry, char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
-extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
-extern void cap_task_reparent_to_init (struct task_struct *p);
-extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp);
-extern int cap_task_setioprio (struct task_struct *p, int ioprio);
-extern int cap_task_setnice (struct task_struct *p, int nice);
-extern int cap_syslog (int type);
+extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
+extern void cap_task_reparent_to_init(struct task_struct *p);
+extern int cap_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp);
+extern int cap_task_setioprio(struct task_struct *p, int ioprio);
+extern int cap_task_setnice(struct task_struct *p, int nice);
+extern int cap_syslog(int type);
 extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);
 struct msghdr;
@@ -128,7 +128,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 {
 int i;
 if (opts->mnt_opts)
- for(i = 0; i < opts->num_mnt_opts; i++)
+ for (i = 0; i < opts->num_mnt_opts; i++)
 kfree(opts->mnt_opts[i]);
 kfree(opts->mnt_opts);
 opts->mnt_opts = NULL;
@@ -190,21 +190,21 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @bprm contains the linux_binprm structure.
 * Return 0 if the hook is successful and permission is granted.
 * @bprm_check_security:
- * This hook mediates the point when a search for a binary handler will
- * begin. It allows a check the @bprm->security value which is set in
- * the preceding set_security call. The primary difference from
- * set_security is that the argv list and envp list are reliably
- * available in @bprm. This hook may be called multiple times
- * during a single execve; and in each pass set_security is called
- * first.
- * @bprm contains the linux_binprm structure.
+ * This hook mediates the point when a search for a binary handler will
+ * begin. It allows a check the @bprm->security value which is set in
+ * the preceding set_security call. The primary difference from
+ * set_security is that the argv list and envp list are reliably
+ * available in @bprm. This hook may be called multiple times
+ * during a single execve; and in each pass set_security is called
+ * first.
+ * @bprm contains the linux_binprm structure.
 * Return 0 if the hook is successful and permission is granted.
 * @bprm_secureexec:
- * Return a boolean value (0 or 1) indicating whether a "secure exec"
- * is required. The flag is passed in the auxiliary table
- * on the initial stack to the ELF interpreter to indicate whether libc
- * should enable secure mode.
- * @bprm contains the linux_binprm structure.
+ * Return a boolean value (0 or 1) indicating whether a "secure exec"
+ * is required. The flag is passed in the auxiliary table
+ * on the initial stack to the ELF interpreter to indicate whether libc
+ * should enable secure mode.
+ * @bprm contains the linux_binprm structure.
 *
 * Security hooks for filesystem operations.
 *
@@ -221,7 +221,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * Check permission before obtaining filesystem statistics for the @mnt
 * mountpoint.
 * @dentry is a handle on the superblock for the filesystem.
- * Return 0 if permission is granted.
+ * Return 0 if permission is granted.
 * @sb_mount:
 * Check permission before an object specified by @dev_name is mounted on
 * the mount point named by @nd. For an ordinary mount, @dev_name
@@ -282,12 +282,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @sb_pivotroot:
 * Check permission before pivoting the root filesystem.
 * @old_path contains the path for the new location of the current root (put_old).
- * @new_path contains the path for the new root (new_root).
+ * @new_path contains the path for the new root (new_root).
 * Return 0 if permission is granted.
 * @sb_post_pivotroot:
 * Update module state after a successful pivot.
 * @old_path contains the path for the old root.
- * @new_path contains the path for the new root.
+ * @new_path contains the path for the new root.
 * @sb_get_mnt_opts:
 * Get the security relevant mount options used for a superblock
 * @sb the superblock to get security mount options from
@@ -316,9 +316,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @inode_free_security:
 * @inode contains the inode structure.
 * Deallocate the inode security structure and set @inode->i_security to
- * NULL.
+ * NULL.
 * @inode_init_security:
- * Obtain the security attribute name suffix and value to set on a newly
+ * Obtain the security attribute name suffix and value to set on a newly
 * created inode and set up the incore security field for the new inode.
 * This hook is called by the fs code as part of the inode creation
 * transaction and provides for atomic labeling of the inode, unlike
@@ -349,7 +349,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @new_dentry contains the dentry structure for the new link.
 * Return 0 if permission is granted.
 * @inode_unlink:
- * Check the permission to remove a hard link to a file.
+ * Check the permission to remove a hard link to a file.
 * @dir contains the inode structure of parent directory of the file.
 * @dentry contains the dentry structure for file to be unlinked.
 * Return 0 if permission is granted.
@@ -361,7 +361,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * Return 0 if permission is granted.
 * @inode_mkdir:
 * Check permissions to create a new directory in the existing directory
- * associated with inode strcture @dir.
+ * associated with inode strcture @dir.
 * @dir containst the inode structure of parent of the directory to be created.
 * @dentry contains the dentry structure of new directory.
 * @mode contains the mode of new directory.
@@ -406,7 +406,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * called when the actual read/write operations are performed.
 * @inode contains the inode structure to check.
 * @mask contains the permission mask.
- * @nd contains the nameidata (may be NULL).
+ * @nd contains the nameidata (may be NULL).
 * Return 0 if permission is granted.
 * @inode_setattr:
 * Check permission before setting file attributes. Note that the kernel
@@ -428,24 +428,24 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * can use this hook to release any persistent label associated with the
 * inode.
 * @inode_setxattr:
- * Check permission before setting the extended attributes
- * @value identified by @name for @dentry.
- * Return 0 if permission is granted.
+ * Check permission before setting the extended attributes
+ * @value identified by @name for @dentry.
+ * Return 0 if permission is granted.
 * @inode_post_setxattr:
- * Update inode security field after successful setxattr operation.
- * @value identified by @name for @dentry.
+ * Update inode security field after successful setxattr operation.
+ * @value identified by @name for @dentry.
 * @inode_getxattr:
- * Check permission before obtaining the extended attributes
- * identified by @name for @dentry.
- * Return 0 if permission is granted.
+ * Check permission before obtaining the extended attributes
+ * identified by @name for @dentry.
+ * Return 0 if permission is granted.
 * @inode_listxattr:
- * Check permission before obtaining the list of extended attribute
- * names for @dentry.
- * Return 0 if permission is granted.
+ * Check permission before obtaining the list of extended attribute
+ * names for @dentry.
+ * Return 0 if permission is granted.
 * @inode_removexattr:
- * Check permission before removing the extended attribute
- * identified by @name for @dentry.
- * Return 0 if permission is granted.
+ * Check permission before removing the extended attribute
+ * identified by @name for @dentry.
+ * Return 0 if permission is granted.
 * @inode_getsecurity:
 * Retrieve a copy of the extended attribute representation of the
 * security label associated with @name for @inode via @buffer. Note that
@@ -457,7 +457,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * Set the security label associated with @name for @inode from the
 * extended attribute value @value. @size indicates the size of the
 * @value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0.
- * Note that @name is the remainder of the attribute name after the
+ * Note that @name is the remainder of the attribute name after the
 * security. prefix has been removed.
 * Return 0 on success.
 * @inode_listsecurity:
@@ -564,7 +564,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * struct file, so the file structure (and associated security information)
 * can always be obtained:
 * container_of(fown, struct file, f_owner)
- * @tsk contains the structure of task receiving signal.
+ * @tsk contains the structure of task receiving signal.
 * @fown contains the file owner information.
 * @sig is the signal that will be sent. When 0, kernel sends SIGIO.
 * Return 0 if permission is granted.
@@ -722,12 +722,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @arg5 contains a argument.
 * Return 0 if permission is granted.
 * @task_reparent_to_init:
- * Set the security attributes in @p->security for a kernel thread that
- * is being reparented to the init task.
+ * Set the security attributes in @p->security for a kernel thread that
+ * is being reparented to the init task.
 * @p contains the task_struct for the kernel thread.
 * @task_to_inode:
- * Set the security attributes for an inode based on an associated task's
- * security attributes, e.g. for /proc/pid inodes.
+ * Set the security attributes for an inode based on an associated task's
+ * security attributes, e.g. for /proc/pid inodes.
 * @p contains the task_struct for the task.
 * @inode contains the inode structure for the inode.
 *
@@ -737,7 +737,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * Save security information for a netlink message so that permission
 * checking can be performed when the message is processed. The security
 * information can be saved using the eff_cap field of the
- * netlink_skb_parms structure. Also may be used to provide fine
+ * netlink_skb_parms structure. Also may be used to provide fine
 * grained control over message transmission.
 * @sk associated sock of task sending the message.,
 * @skb contains the sk_buff structure for the netlink message.
@@ -805,14 +805,14 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @sock contains the socket structure.
 * @address contains the address to bind to.
 * @addrlen contains the length of address.
- * Return 0 if permission is granted.
+ * Return 0 if permission is granted.
 * @socket_connect:
 * Check permission before socket protocol layer connect operation
 * attempts to connect socket @sock to a remote address, @address.
 * @sock contains the socket structure.
 * @address contains the address of remote endpoint.
 * @addrlen contains the length of address.
- * Return 0 if permission is granted.
+ * Return 0 if permission is granted.
 * @socket_listen:
 * Check permission before socket protocol layer listen operation.
 * @sock contains the socket structure.
@@ -842,7 +842,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @msg contains the message structure.
 * @size contains the size of message structure.
 * @flags contains the operational flags.
- * Return 0 if permission is granted.
+ * Return 0 if permission is granted.
 * @socket_getsockname:
 * Check permission before the local address (name) of the socket object
 * @sock is retrieved.
@@ -866,7 +866,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @sock contains the socket structure. * @level contains the protocol level to set options for. * @optname contains the name of the option to set. - * Return 0 if permission is granted. + * Return 0 if permission is granted. * @socket_shutdown: * Checks permission before all or part of a connection on the socket * @sock is shut down. 
@@ -893,19 +893,19 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * Return 0 if all is well, otherwise, typical getsockopt return * values. * @socket_getpeersec_dgram: - * This hook allows the security module to provide peer socket security - * state for udp sockets on a per-packet basis to userspace via - * getsockopt SO_GETPEERSEC. The application must first have indicated - * the IP_PASSSEC option via getsockopt. It can then retrieve the - * security state returned by this hook for a packet via the SCM_SECURITY - * ancillary message type. - * @skb is the skbuff for the packet being queried - * @secdata is a pointer to a buffer in which to copy the security data - * @seclen is the maximum length for @secdata - * Return 0 on success, error on failure. + * This hook allows the security module to provide peer socket security + * state for udp sockets on a per-packet basis to userspace via + * getsockopt SO_GETPEERSEC. The application must first have indicated + * the IP_PASSSEC option via getsockopt. It can then retrieve the + * security state returned by this hook for a packet via the SCM_SECURITY + * ancillary message type. + * @skb is the skbuff for the packet being queried + * @secdata is a pointer to a buffer in which to copy the security data + * @seclen is the maximum length for @secdata + * Return 0 on success, error on failure. * @sk_alloc_security: - * Allocate and attach a security structure to the sk->sk_security field, - * which is used to copy security attributes between local stream sockets. + * Allocate and attach a security structure to the sk->sk_security field, + * which is used to copy security attributes between local stream sockets. * @sk_free_security: * Deallocate security structure. * @sk_clone_security: 
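Review bot: The re-indented `@socket_getpeersec_dgram` comment in this hunk documents `@skb`, `@secdata` and `@seclen`, but the hook declared later in this diff is `int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid);`, so `@secdata` and `@seclen` describe parameters that do not exist while `@sock` and `@secid` are undocumented. Since these lines are being rewritten anyway, the parameter list should follow the prototype, for example `@sock contains the socket structure` and `@secid is a pointer to where the security ID is stored` (exact semantics to be confirmed against an implementation, which is not in this diff). The same comment says the application indicates IP_PASSSEC "via getsockopt", which presumably should read setsockopt. The comment block starts and ends outside the hunk.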
@@ -920,7 +920,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @inet_csk_clone: * Sets the new child socket's sid to the openreq sid. * @inet_conn_established: - * Sets the connection's peersid to the secmark on skb. + * Sets the connection's peersid to the secmark on skb. * @req_classify_flow: * Sets the flow's sid to the openreq sid. * @@ -999,13 +999,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * No return value. * @key_permission: * See whether a specific operational right is granted to a process on a - * key. + * key. * @key_ref refers to the key (key pointer + possession attribute bit). * @context points to the process to provide the context against which to - * evaluate the security data on the key. + * evaluate the security data on the key. * @perm describes the combination of permissions required of this key. * Return 1 if permission granted, 0 if permission denied and -ve it the - * normal permissions model should be effected. + * normal permissions model should be effected. * * Security hooks affecting all System V IPC operations. * @@ -1056,7 +1056,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * The @msq may be NULL, e.g. for IPC_INFO or MSG_INFO. * @msq contains the message queue to act upon. May be NULL. * @cmd contains the operation to be performed. - * Return 0 if permission is granted. + * Return 0 if permission is granted. * @msg_queue_msgsnd: * Check permission before a message, @msg, is enqueued on the message * queue, @msq. 
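Review bot: In the `@key_permission` comment (the -999 hunk on this line) the return-value sentence still reads `-ve it the normal permissions model should be effected`, where `it` should be `if`; the hunk rewrites that line for whitespace and keeps the typo. This is also the only hook in the visible comments documented as `Return 1 if permission granted, 0 if permission denied`, while the others say `Return 0 if permission is granted`. A module author who follows the wrong convention for an access-control hook inverts the decision, so the sentence should be checked against the hook's caller and rewritten if it is stale. The caller is not part of this diff, so which convention is correct cannot be determined from here.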
@@ -1066,8 +1066,8 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * Return 0 if permission is granted. * @msg_queue_msgrcv: * Check permission before a message, @msg, is removed from the message - * queue, @msq. The @target task structure contains a pointer to the - * process that will be receiving the message (not equal to the current + * queue, @msq. The @target task structure contains a pointer to the + * process that will be receiving the message (not equal to the current * process when inline receives are being performed). * @msq contains the message queue to retrieve message from. * @msg contains the message destination. @@ -1132,15 +1132,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * Return 0 if permission is granted. * @sem_semctl: * Check permission when a semaphore operation specified by @cmd is to be - * performed on the semaphore @sma. The @sma may be NULL, e.g. for + * performed on the semaphore @sma. The @sma may be NULL, e.g. for * IPC_INFO or SEM_INFO. * @sma contains the semaphore structure. May be NULL. * @cmd contains the operation to be performed. * Return 0 if permission is granted. * @sem_semop * Check permissions before performing operations on members of the - * semaphore set @sma. If the @alter flag is nonzero, the semaphore set - * may be modified. + * semaphore set @sma. If the @alter flag is nonzero, the semaphore set + * may be modified. * @sma contains the semaphore structure. * @sops contains the operations to perform. * @nsops contains the number of operations to perform. 
@@ -1211,7 +1211,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @syslog: * Check permission before accessing the kernel message ring or changing * logging to the console. - * See the syslog(2) manual page for an explanation of the @type values. + * See the syslog(2) manual page for an explanation of the @type values. * @type contains the type of action. * Return 0 if permission is granted. * @settime: @@ -1223,22 +1223,22 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @vm_enough_memory: * Check permissions for allocating a new virtual mapping. * @mm contains the mm struct it is being added to. - * @pages contains the number of pages. + * @pages contains the number of pages. * Return 0 if permission is granted. * * @register_security: - * allow module stacking. - * @name contains the name of the security module being stacked. - * @ops contains a pointer to the struct security_operations of the module to stack. - * + * allow module stacking. + * @name contains the name of the security module being stacked. + * @ops contains a pointer to the struct security_operations of the module to stack. + * * @secid_to_secctx: * Convert secid to security context. * @secid contains the security ID. * @secdata contains the pointer that stores the converted security context. * @secctx_to_secid: - * Convert security context to secid. - * @secid contains the pointer to the generated security ID. - * @secdata contains the security context. + * Convert security context to secid. + * @secid contains the pointer to the generated security ID. + * @secdata contains the security context. * * @release_secctx: * Release the security context. 
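Review bot: The `@secid_to_secctx` and `@secctx_to_secid` comments touched by the -1223 hunk describe only `@secid` and `@secdata`, but the prototypes later in this diff take a third argument: `u32 *seclen` for `secid_to_secctx` and `u32 seclen` for `secctx_to_secid`. The length bounds how much of `secdata` a module may read or has produced, so each comment should gain a line for it, for example `@seclen pointer which contains the length of the data` and `@seclen contains the length of the security context`. It would also help to state whether `secdata` is NUL-terminated or delimited only by `seclen`; that cannot be told from this diff. The comment block continues outside the hunk.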
@@ -1281,49 +1281,49 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) struct security_operations { char name[SECURITY_NAME_MAX + 1]; - int (*ptrace) (struct task_struct * parent, struct task_struct * child); - int (*capget) (struct task_struct * target, - kernel_cap_t * effective, - kernel_cap_t * inheritable, kernel_cap_t * permitted); - int (*capset_check) (struct task_struct * target, - kernel_cap_t * effective, - kernel_cap_t * inheritable, - kernel_cap_t * permitted); - void (*capset_set) (struct task_struct * target, - kernel_cap_t * effective, - kernel_cap_t * inheritable, - kernel_cap_t * permitted); - int (*capable) (struct task_struct * tsk, int cap); - int (*acct) (struct file * file); - int (*sysctl) (struct ctl_table * table, int op); - int (*quotactl) (int cmds, int type, int id, struct super_block * sb); - int (*quota_on) (struct dentry * dentry); + int (*ptrace) (struct task_struct *parent, struct task_struct *child); + int (*capget) (struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, kernel_cap_t *permitted); + int (*capset_check) (struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted); + void (*capset_set) (struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted); + int (*capable) (struct task_struct *tsk, int cap); + int (*acct) (struct file *file); + int (*sysctl) (struct ctl_table *table, int op); + int (*quotactl) (int cmds, int type, int id, struct super_block *sb); + int (*quota_on) (struct dentry *dentry); int (*syslog) (int type); int (*settime) (struct timespec *ts, struct timezone *tz); int (*vm_enough_memory) (struct mm_struct *mm, long pages); - int (*bprm_alloc_security) (struct linux_binprm * bprm); - void (*bprm_free_security) (struct linux_binprm * bprm); - void (*bprm_apply_creds) (struct linux_binprm * bprm, int unsafe); - void (*bprm_post_apply_creds) (struct 
linux_binprm * bprm); - int (*bprm_set_security) (struct linux_binprm * bprm); - int (*bprm_check_security) (struct linux_binprm * bprm); - int (*bprm_secureexec) (struct linux_binprm * bprm); - - int (*sb_alloc_security) (struct super_block * sb); - void (*sb_free_security) (struct super_block * sb); - int (*sb_copy_data)(char *orig, char *copy); + int (*bprm_alloc_security) (struct linux_binprm *bprm); + void (*bprm_free_security) (struct linux_binprm *bprm); + void (*bprm_apply_creds) (struct linux_binprm *bprm, int unsafe); + void (*bprm_post_apply_creds) (struct linux_binprm *bprm); + int (*bprm_set_security) (struct linux_binprm *bprm); + int (*bprm_check_security) (struct linux_binprm *bprm); + int (*bprm_secureexec) (struct linux_binprm *bprm); + + int (*sb_alloc_security) (struct super_block *sb); + void (*sb_free_security) (struct super_block *sb); + int (*sb_copy_data) (char *orig, char *copy); int (*sb_kern_mount) (struct super_block *sb, void *data); int (*sb_statfs) (struct dentry *dentry); int (*sb_mount) (char *dev_name, struct path *path, char *type, unsigned long flags, void *data); - int (*sb_check_sb) (struct vfsmount * mnt, struct path *path); - int (*sb_umount) (struct vfsmount * mnt, int flags); - void (*sb_umount_close) (struct vfsmount * mnt); - void (*sb_umount_busy) (struct vfsmount * mnt); - void (*sb_post_remount) (struct vfsmount * mnt, + int (*sb_check_sb) (struct vfsmount *mnt, struct path *path); + int (*sb_umount) (struct vfsmount *mnt, int flags); + void (*sb_umount_close) (struct vfsmount *mnt); + void (*sb_umount_busy) (struct vfsmount *mnt); + void (*sb_post_remount) (struct vfsmount *mnt, unsigned long flags, void *data); - void (*sb_post_addmount) (struct vfsmount * mnt, + void (*sb_post_addmount) (struct vfsmount *mnt, struct path *mountpoint); int (*sb_pivotroot) (struct path *old_path, struct path *new_path); 
@@ -1337,29 +1337,29 @@ struct security_operations { struct super_block *newsb); int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); - int (*inode_alloc_security) (struct inode *inode); + int (*inode_alloc_security) (struct inode *inode); void (*inode_free_security) (struct inode *inode); int (*inode_init_security) (struct inode *inode, struct inode *dir, char **name, void **value, size_t *len); int (*inode_create) (struct inode *dir, - struct dentry *dentry, int mode); + struct dentry *dentry, int mode); int (*inode_link) (struct dentry *old_dentry, - struct inode *dir, struct dentry *new_dentry); + struct inode *dir, struct dentry *new_dentry); int (*inode_unlink) (struct inode *dir, struct dentry *dentry); int (*inode_symlink) (struct inode *dir, - struct dentry *dentry, const char *old_name); + struct dentry *dentry, const char *old_name); int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode); int (*inode_rmdir) (struct inode *dir, struct dentry *dentry); int (*inode_mknod) (struct inode *dir, struct dentry *dentry, - int mode, dev_t dev); + int mode, dev_t dev); int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, - struct inode *new_dir, struct dentry *new_dentry); + struct inode *new_dir, struct dentry *new_dentry); int (*inode_readlink) (struct dentry *dentry); int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd); int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); - void (*inode_delete) (struct inode *inode); + void (*inode_delete) (struct inode *inode); int (*inode_setxattr) (struct dentry *dentry, char *name, void *value, size_t size, int flags); void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value, 
@@ -1369,145 +1369,145 @@ struct security_operations { int (*inode_removexattr) (struct dentry *dentry, char *name); int (*inode_need_killpriv) (struct dentry *dentry); int (*inode_killpriv) (struct dentry *dentry); - int (*inode_getsecurity)(const struct inode *inode, const char *name, void **buffer, bool alloc); - int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); - int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); - void (*inode_getsecid)(const struct inode *inode, u32 *secid); - - int (*file_permission) (struct file * file, int mask); - int (*file_alloc_security) (struct file * file); - void (*file_free_security) (struct file * file); - int (*file_ioctl) (struct file * file, unsigned int cmd, + int (*inode_getsecurity) (const struct inode *inode, const char *name, void **buffer, bool alloc); + int (*inode_setsecurity) (struct inode *inode, const char *name, const void *value, size_t size, int flags); + int (*inode_listsecurity) (struct inode *inode, char *buffer, size_t buffer_size); + void (*inode_getsecid) (const struct inode *inode, u32 *secid); + + int (*file_permission) (struct file *file, int mask); + int (*file_alloc_security) (struct file *file); + void (*file_free_security) (struct file *file); + int (*file_ioctl) (struct file *file, unsigned int cmd, unsigned long arg); - int (*file_mmap) (struct file * file, + int (*file_mmap) (struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags, unsigned long addr, unsigned long addr_only); - int (*file_mprotect) (struct vm_area_struct * vma, + int (*file_mprotect) (struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot); - int (*file_lock) (struct file * file, unsigned int cmd); - int (*file_fcntl) (struct file * file, unsigned int cmd, + int (*file_lock) (struct file *file, unsigned int cmd); + int (*file_fcntl) (struct file *file, unsigned int cmd, unsigned long arg); - int 
(*file_set_fowner) (struct file * file); - int (*file_send_sigiotask) (struct task_struct * tsk, - struct fown_struct * fown, int sig); - int (*file_receive) (struct file * file); - int (*dentry_open) (struct file *file); + int (*file_set_fowner) (struct file *file); + int (*file_send_sigiotask) (struct task_struct *tsk, + struct fown_struct *fown, int sig); + int (*file_receive) (struct file *file); + int (*dentry_open) (struct file *file); int (*task_create) (unsigned long clone_flags); - int (*task_alloc_security) (struct task_struct * p); - void (*task_free_security) (struct task_struct * p); + int (*task_alloc_security) (struct task_struct *p); + void (*task_free_security) (struct task_struct *p); int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ , uid_t old_euid, uid_t old_suid, int flags); int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags); - int (*task_setpgid) (struct task_struct * p, pid_t pgid); - int (*task_getpgid) (struct task_struct * p); - int (*task_getsid) (struct task_struct * p); - void (*task_getsecid) (struct task_struct * p, u32 * secid); + int (*task_setpgid) (struct task_struct *p, pid_t pgid); + int (*task_getpgid) (struct task_struct *p); + int (*task_getsid) (struct task_struct *p); + void (*task_getsecid) (struct task_struct *p, u32 *secid); int (*task_setgroups) (struct group_info *group_info); - int (*task_setnice) (struct task_struct * p, int nice); - int (*task_setioprio) (struct task_struct * p, int ioprio); - int (*task_getioprio) (struct task_struct * p); - int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim); - int (*task_setscheduler) (struct task_struct * p, int policy, - struct sched_param * lp); - int (*task_getscheduler) (struct task_struct * p); - int (*task_movememory) (struct task_struct * p); - int (*task_kill) (struct task_struct * p, - struct siginfo * info, int sig, u32 secid); - int (*task_wait) (struct task_struct 
* p); + int (*task_setnice) (struct task_struct *p, int nice); + int (*task_setioprio) (struct task_struct *p, int ioprio); + int (*task_getioprio) (struct task_struct *p); + int (*task_setrlimit) (unsigned int resource, struct rlimit *new_rlim); + int (*task_setscheduler) (struct task_struct *p, int policy, + struct sched_param *lp); + int (*task_getscheduler) (struct task_struct *p); + int (*task_movememory) (struct task_struct *p); + int (*task_kill) (struct task_struct *p, + struct siginfo *info, int sig, u32 secid); + int (*task_wait) (struct task_struct *p); int (*task_prctl) (int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); - void (*task_reparent_to_init) (struct task_struct * p); - void (*task_to_inode)(struct task_struct *p, struct inode *inode); + void (*task_reparent_to_init) (struct task_struct *p); + void (*task_to_inode) (struct task_struct *p, struct inode *inode); - int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); + int (*ipc_permission) (struct kern_ipc_perm *ipcp, short flag); void (*ipc_getsecid) (struct kern_ipc_perm *ipcp, u32 *secid); - int (*msg_msg_alloc_security) (struct msg_msg * msg); - void (*msg_msg_free_security) (struct msg_msg * msg); - - int (*msg_queue_alloc_security) (struct msg_queue * msq); - void (*msg_queue_free_security) (struct msg_queue * msq); - int (*msg_queue_associate) (struct msg_queue * msq, int msqflg); - int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd); - int (*msg_queue_msgsnd) (struct msg_queue * msq, - struct msg_msg * msg, int msqflg); - int (*msg_queue_msgrcv) (struct msg_queue * msq, - struct msg_msg * msg, - struct task_struct * target, + int (*msg_msg_alloc_security) (struct msg_msg *msg); + void (*msg_msg_free_security) (struct msg_msg *msg); + + int (*msg_queue_alloc_security) (struct msg_queue *msq); + void (*msg_queue_free_security) (struct msg_queue *msq); + int (*msg_queue_associate) (struct msg_queue *msq, int msqflg); + int 
(*msg_queue_msgctl) (struct msg_queue *msq, int cmd); + int (*msg_queue_msgsnd) (struct msg_queue *msq, + struct msg_msg *msg, int msqflg); + int (*msg_queue_msgrcv) (struct msg_queue *msq, + struct msg_msg *msg, + struct task_struct *target, long type, int mode); - int (*shm_alloc_security) (struct shmid_kernel * shp); - void (*shm_free_security) (struct shmid_kernel * shp); - int (*shm_associate) (struct shmid_kernel * shp, int shmflg); - int (*shm_shmctl) (struct shmid_kernel * shp, int cmd); - int (*shm_shmat) (struct shmid_kernel * shp, + int (*shm_alloc_security) (struct shmid_kernel *shp); + void (*shm_free_security) (struct shmid_kernel *shp); + int (*shm_associate) (struct shmid_kernel *shp, int shmflg); + int (*shm_shmctl) (struct shmid_kernel *shp, int cmd); + int (*shm_shmat) (struct shmid_kernel *shp, char __user *shmaddr, int shmflg); - int (*sem_alloc_security) (struct sem_array * sma); - void (*sem_free_security) (struct sem_array * sma); - int (*sem_associate) (struct sem_array * sma, int semflg); - int (*sem_semctl) (struct sem_array * sma, int cmd); - int (*sem_semop) (struct sem_array * sma, - struct sembuf * sops, unsigned nsops, int alter); + int (*sem_alloc_security) (struct sem_array *sma); + void (*sem_free_security) (struct sem_array *sma); + int (*sem_associate) (struct sem_array *sma, int semflg); + int (*sem_semctl) (struct sem_array *sma, int cmd); + int (*sem_semop) (struct sem_array *sma, + struct sembuf *sops, unsigned nsops, int alter); - int (*netlink_send) (struct sock * sk, struct sk_buff * skb); - int (*netlink_recv) (struct sk_buff * skb, int cap); + int (*netlink_send) (struct sock *sk, struct sk_buff *skb); + int (*netlink_recv) (struct sk_buff *skb, int cap); /* allow module stacking */ int (*register_security) (const char *name, - struct security_operations *ops); + struct security_operations *ops); void (*d_instantiate) (struct dentry *dentry, struct inode *inode); - int (*getprocattr)(struct task_struct *p, char *name, 
char **value); - int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); - int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen); - int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid); - void (*release_secctx)(char *secdata, u32 seclen); + int (*getprocattr) (struct task_struct *p, char *name, char **value); + int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size); + int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen); + int (*secctx_to_secid) (char *secdata, u32 seclen, u32 *secid); + void (*release_secctx) (char *secdata, u32 seclen); #ifdef CONFIG_SECURITY_NETWORK - int (*unix_stream_connect) (struct socket * sock, - struct socket * other, struct sock * newsk); - int (*unix_may_send) (struct socket * sock, struct socket * other); + int (*unix_stream_connect) (struct socket *sock, + struct socket *other, struct sock *newsk); + int (*unix_may_send) (struct socket *sock, struct socket *other); int (*socket_create) (int family, int type, int protocol, int kern); - int (*socket_post_create) (struct socket * sock, int family, + int (*socket_post_create) (struct socket *sock, int family, int type, int protocol, int kern); - int (*socket_bind) (struct socket * sock, - struct sockaddr * address, int addrlen); - int (*socket_connect) (struct socket * sock, - struct sockaddr * address, int addrlen); - int (*socket_listen) (struct socket * sock, int backlog); - int (*socket_accept) (struct socket * sock, struct socket * newsock); - void (*socket_post_accept) (struct socket * sock, - struct socket * newsock); - int (*socket_sendmsg) (struct socket * sock, - struct msghdr * msg, int size); - int (*socket_recvmsg) (struct socket * sock, - struct msghdr * msg, int size, int flags); - int (*socket_getsockname) (struct socket * sock); - int (*socket_getpeername) (struct socket * sock); - int (*socket_getsockopt) (struct socket * sock, int level, int optname); - int (*socket_setsockopt) (struct 
socket * sock, int level, int optname); - int (*socket_shutdown) (struct socket * sock, int how); - int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); + int (*socket_bind) (struct socket *sock, + struct sockaddr *address, int addrlen); + int (*socket_connect) (struct socket *sock, + struct sockaddr *address, int addrlen); + int (*socket_listen) (struct socket *sock, int backlog); + int (*socket_accept) (struct socket *sock, struct socket *newsock); + void (*socket_post_accept) (struct socket *sock, + struct socket *newsock); + int (*socket_sendmsg) (struct socket *sock, + struct msghdr *msg, int size); + int (*socket_recvmsg) (struct socket *sock, + struct msghdr *msg, int size, int flags); + int (*socket_getsockname) (struct socket *sock); + int (*socket_getpeername) (struct socket *sock); + int (*socket_getsockopt) (struct socket *sock, int level, int optname); + int (*socket_setsockopt) (struct socket *sock, int level, int optname); + int (*socket_shutdown) (struct socket *sock, int how); + int (*socket_sock_rcv_skb) (struct sock *sk, struct sk_buff *skb); int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid); int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority); void (*sk_free_security) (struct sock *sk); void (*sk_clone_security) (const struct sock *sk, struct sock *newsk); void (*sk_getsecid) (struct sock *sk, u32 *secid); - void (*sock_graft)(struct sock* sk, struct socket *parent); - int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb, - struct request_sock *req); - void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req); - void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb); - void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl); + void (*sock_graft) (struct sock *sk, struct socket *parent); + int 
(*inet_conn_request) (struct sock *sk, struct sk_buff *skb, + struct request_sock *req); + void (*inet_csk_clone) (struct sock *newsk, const struct request_sock *req); + void (*inet_conn_established) (struct sock *sk, struct sk_buff *skb); + void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl); #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM 
@@ -1521,57 +1521,57 @@ struct security_operations { u32 secid); void (*xfrm_state_free_security) (struct xfrm_state *x); int (*xfrm_state_delete_security) (struct xfrm_state *x); - int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); - int (*xfrm_state_pol_flow_match)(struct xfrm_state *x, - struct xfrm_policy *xp, struct flowi *fl); - int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall); + int (*xfrm_policy_lookup) (struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); + int (*xfrm_state_pol_flow_match) (struct xfrm_state *x, + struct xfrm_policy *xp, + struct flowi *fl); + int (*xfrm_decode_session) (struct sk_buff *skb, u32 *secid, int ckall); #endif /* CONFIG_SECURITY_NETWORK_XFRM */ /* key management security hooks */ #ifdef CONFIG_KEYS - int (*key_alloc)(struct key *key, struct task_struct *tsk, unsigned long flags); - void (*key_free)(struct key *key); - int (*key_permission)(key_ref_t key_ref, - struct task_struct *context, - key_perm_t perm); + int (*key_alloc) (struct key *key, struct task_struct *tsk, unsigned long flags); + void (*key_free) (struct key *key); + int (*key_permission) (key_ref_t key_ref, + struct task_struct *context, + key_perm_t perm); #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT - int (*audit_rule_init)(u32 field, u32 op, char *rulestr, void **lsmrule); - int (*audit_rule_known)(struct audit_krule *krule); - int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule, - struct audit_context *actx); - void (*audit_rule_free)(void *lsmrule); + int (*audit_rule_init) (u32 field, u32 op, char *rulestr, void **lsmrule); + int (*audit_rule_known) (struct audit_krule *krule); + int (*audit_rule_match) (u32 secid, u32 field, u32 op, void *lsmrule, + struct audit_context *actx); + void (*audit_rule_free) (void *lsmrule); #endif /* CONFIG_AUDIT */ }; /* prototypes */ -extern int security_init (void); +extern int security_init(void); extern int security_module_enable(struct security_operations *ops); 
-extern int register_security (struct security_operations *ops); -extern int mod_reg_security (const char *name, struct security_operations *ops); +extern int register_security(struct security_operations *ops); +extern int mod_reg_security(const char *name, struct security_operations *ops); extern struct dentry *securityfs_create_file(const char *name, mode_t mode, struct dentry *parent, void *data, const struct file_operations *fops); extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent); extern void securityfs_remove(struct dentry *dentry); - /* Security operations */ int security_ptrace(struct task_struct *parent, struct task_struct *child); int security_capget(struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted); + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted); int security_capset_check(struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted); -void security_capset_set(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); +void security_capset_set(struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted); int security_capable(struct task_struct *tsk, int cap); int security_acct(struct file *file); int security_sysctl(struct ctl_table *table, int op); @@ -1594,7 +1594,7 @@ int security_sb_copy_data(char *orig, char *copy); int security_sb_kern_mount(struct super_block *sb, void *data); int security_sb_statfs(struct dentry *dentry); int security_sb_mount(char *dev_name, struct path *path, - char *type, unsigned long flags, void *data); + char *type, unsigned long flags, void *data); int security_sb_check_sb(struct vfsmount *mnt, struct path *path); int security_sb_umount(struct vfsmount *mnt, int flags); void security_sb_umount_close(struct vfsmount *mnt); 
@@ -1619,12 +1619,12 @@ int security_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry); int security_inode_unlink(struct inode *dir, struct dentry *dentry); int security_inode_symlink(struct inode *dir, struct dentry *dentry, - const char *old_name); + const char *old_name); int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode); int security_inode_rmdir(struct inode *dir, struct dentry *dentry); int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev); int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry, - struct inode *new_dir, struct dentry *new_dentry); + struct inode *new_dir, struct dentry *new_dentry); int security_inode_readlink(struct dentry *dentry); int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd); int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd); @@ -1632,9 +1632,9 @@ int security_inode_setattr(struct dentry *dentry, struct iattr *attr); int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry); void security_inode_delete(struct inode *inode); int security_inode_setxattr(struct dentry *dentry, char *name, - void *value, size_t size, int flags); + void *value, size_t size, int flags); void security_inode_post_setxattr(struct dentry *dentry, char *name, - void *value, size_t size, int flags); + void *value, size_t size, int flags); int security_inode_getxattr(struct dentry *dentry, char *name); int security_inode_listxattr(struct dentry *dentry); int security_inode_removexattr(struct dentry *dentry, char *name); 
@@ -1652,12 +1652,12 @@ int security_file_mmap(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags, unsigned long addr, unsigned long addr_only); int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, - unsigned long prot); + unsigned long prot); int security_file_lock(struct file *file, unsigned int cmd); int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg); int security_file_set_fowner(struct file *file); int security_file_send_sigiotask(struct task_struct *tsk, - struct fown_struct *fown, int sig); + struct fown_struct *fown, int sig); int security_file_receive(struct file *file); int security_dentry_open(struct file *file); int security_task_create(unsigned long clone_flags); @@ -1665,7 +1665,7 @@ int security_task_alloc(struct task_struct *p); void security_task_free(struct task_struct *p); int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); int security_task_post_setuid(uid_t old_ruid, uid_t old_euid, - uid_t old_suid, int flags); + uid_t old_suid, int flags); int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags); int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); @@ -1696,9 +1696,9 @@ void security_msg_queue_free(struct msg_queue *msq); int security_msg_queue_associate(struct msg_queue *msq, int msqflg); int security_msg_queue_msgctl(struct msg_queue *msq, int cmd); int security_msg_queue_msgsnd(struct msg_queue *msq, - struct msg_msg *msg, int msqflg); + struct msg_msg *msg, int msqflg); int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, - struct task_struct *target, long type, int mode); + struct task_struct *target, long type, int mode); int security_shm_alloc(struct shmid_kernel *shp); void security_shm_free(struct shmid_kernel *shp); int security_shm_associate(struct shmid_kernel *shp, int shmflg); 
@@ -1710,7 +1710,7 @@ int security_sem_associate(struct sem_array *sma, int semflg); int security_sem_semctl(struct sem_array *sma, int cmd); int security_sem_semop(struct sem_array *sma, struct sembuf *sops, unsigned nsops, int alter); -void security_d_instantiate (struct dentry *dentry, struct inode *inode); +void security_d_instantiate(struct dentry *dentry, struct inode *inode); int security_getprocattr(struct task_struct *p, char *name, char **value); int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); 
@@ -1741,33 +1741,33 @@ static inline int security_init(void) return 0; } -static inline int security_ptrace (struct task_struct *parent, struct task_struct * child) +static inline int security_ptrace(struct task_struct *parent, struct task_struct *child) { - return cap_ptrace (parent, child); + return cap_ptrace(parent, child); } -static inline int security_capget (struct task_struct *target, +static inline int security_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { - return cap_capget (target, effective, inheritable, permitted); + return cap_capget(target, effective, inheritable, permitted); } -static inline int security_capset_check (struct task_struct *target, +static inline int security_capset_check(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { - return cap_capset_check (target, effective, inheritable, permitted); + return cap_capset_check(target, effective, inheritable, permitted); } -static inline void security_capset_set (struct task_struct *target, +static inline void security_capset_set(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { - cap_capset_set (target, effective, inheritable, permitted); + cap_capset_set(target, effective, inheritable, permitted); } static inline int security_capable(struct task_struct *tsk, int cap) @@ -1775,7 +1775,7 @@ static inline int security_capable(struct task_struct *tsk, int cap) return cap_capable(tsk, cap); } -static inline int security_acct (struct file *file) +static inline int security_acct(struct file *file) { return 0; } 
@@ -1785,13 +1785,13 @@ static inline int security_sysctl(struct ctl_table *table, int op) return 0; } -static inline int security_quotactl (int cmds, int type, int id, - struct super_block * sb) +static inline int security_quotactl(int cmds, int type, int id, + struct super_block *sb) { return 0; } -static inline int security_quota_on (struct dentry * dentry) +static inline int security_quota_on(struct dentry *dentry) { return 0; } 
@@ -1816,102 +1816,102 @@ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) return cap_vm_enough_memory(mm, pages); } -static inline int security_bprm_alloc (struct linux_binprm *bprm) +static inline int security_bprm_alloc(struct linux_binprm *bprm) { return 0; } -static inline void security_bprm_free (struct linux_binprm *bprm) +static inline void security_bprm_free(struct linux_binprm *bprm) { } -static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) -{ - cap_bprm_apply_creds (bprm, unsafe); +static inline void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) +{ + cap_bprm_apply_creds(bprm, unsafe); } -static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) +static inline void security_bprm_post_apply_creds(struct linux_binprm *bprm) { return; } -static inline int security_bprm_set (struct linux_binprm *bprm) +static inline int security_bprm_set(struct linux_binprm *bprm) { - return cap_bprm_set_security (bprm); + return cap_bprm_set_security(bprm); } -static inline int security_bprm_check (struct linux_binprm *bprm) +static inline int security_bprm_check(struct linux_binprm *bprm) { return 0; } -static inline int security_bprm_secureexec (struct linux_binprm *bprm) +static inline int security_bprm_secureexec(struct linux_binprm *bprm) { return cap_bprm_secureexec(bprm); } -static inline int security_sb_alloc (struct super_block *sb) +static inline int security_sb_alloc(struct super_block *sb) { return 0; } -static inline void security_sb_free (struct super_block *sb) +static inline void security_sb_free(struct super_block *sb) { } -static inline int security_sb_copy_data (char *orig, char *copy) +static inline int security_sb_copy_data(char *orig, char *copy) { return 0; } -static inline int security_sb_kern_mount (struct super_block *sb, void *data) +static inline int security_sb_kern_mount(struct super_block *sb, void *data) { return 0; } -static inline int 
security_sb_statfs (struct dentry *dentry) +static inline int security_sb_statfs(struct dentry *dentry) { return 0; } -static inline int security_sb_mount (char *dev_name, struct path *path, +static inline int security_sb_mount(char *dev_name, struct path *path, char *type, unsigned long flags, void *data) { return 0; } -static inline int security_sb_check_sb (struct vfsmount *mnt, - struct path *path) +static inline int security_sb_check_sb(struct vfsmount *mnt, + struct path *path) { return 0; } -static inline int security_sb_umount (struct vfsmount *mnt, int flags) +static inline int security_sb_umount(struct vfsmount *mnt, int flags) { return 0; } -static inline void security_sb_umount_close (struct vfsmount *mnt) +static inline void security_sb_umount_close(struct vfsmount *mnt) { } -static inline void security_sb_umount_busy (struct vfsmount *mnt) +static inline void security_sb_umount_busy(struct vfsmount *mnt) { } -static inline void security_sb_post_remount (struct vfsmount *mnt, +static inline void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data) { } -static inline void security_sb_post_addmount (struct vfsmount *mnt, - struct path *mountpoint) +static inline void security_sb_post_addmount(struct vfsmount *mnt, + struct path *mountpoint) { } -static inline int security_sb_pivotroot (struct path *old_path, - struct path *new_path) +static inline int security_sb_pivotroot(struct path *old_path, + struct path *new_path) { return 0; } -static inline void security_sb_post_pivotroot (struct path *old_path, - struct path *new_path) +static inline void security_sb_post_pivotroot(struct path *old_path, + struct path *new_path) { } static inline int security_sb_get_mnt_opts(const struct super_block *sb, struct security_mnt_opts *opts) 
@@ -1935,15 +1935,15 @@ static inline int security_sb_parse_opts_str(char *options, struct security_mnt_ return 0; } -static inline int security_inode_alloc (struct inode *inode) +static inline int security_inode_alloc(struct inode *inode) { return 0; } -static inline void security_inode_free (struct inode *inode) +static inline void security_inode_free(struct inode *inode) { } -static inline int security_inode_init_security (struct inode *inode, +static inline int security_inode_init_security(struct inode *inode, struct inode *dir, char **name, void **value, 
@@ -1951,55 +1951,55 @@ static inline int security_inode_init_security (struct inode *inode, { return -EOPNOTSUPP; } - -static inline int security_inode_create (struct inode *dir, + +static inline int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) { return 0; } -static inline int security_inode_link (struct dentry *old_dentry, +static inline int security_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) { return 0; } -static inline int security_inode_unlink (struct inode *dir, +static inline int security_inode_unlink(struct inode *dir, struct dentry *dentry) { return 0; } -static inline int security_inode_symlink (struct inode *dir, +static inline int security_inode_symlink(struct inode *dir, struct dentry *dentry, const char *old_name) { return 0; } -static inline int security_inode_mkdir (struct inode *dir, +static inline int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode) { return 0; } -static inline int security_inode_rmdir (struct inode *dir, +static inline int security_inode_rmdir(struct inode *dir, struct dentry *dentry) { return 0; } -static inline int security_inode_mknod (struct inode *dir, +static inline int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) { return 0; } -static inline int security_inode_rename (struct inode *old_dir, +static inline int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, struct dentry *new_dentry) 
@@ -2007,59 +2007,59 @@ static inline int security_inode_rename (struct inode *old_dir, return 0; } -static inline int security_inode_readlink (struct dentry *dentry) +static inline int security_inode_readlink(struct dentry *dentry) { return 0; } -static inline int security_inode_follow_link (struct dentry *dentry, +static inline int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd) { return 0; } -static inline int security_inode_permission (struct inode *inode, int mask, +static inline int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd) { return 0; } -static inline int security_inode_setattr (struct dentry *dentry, +static inline int security_inode_setattr(struct dentry *dentry, struct iattr *attr) { return 0; } -static inline int security_inode_getattr (struct vfsmount *mnt, +static inline int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) { return 0; } -static inline void security_inode_delete (struct inode *inode) +static inline void security_inode_delete(struct inode *inode) { } -static inline int security_inode_setxattr (struct dentry *dentry, char *name, +static inline int security_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) { return cap_inode_setxattr(dentry, name, value, size, flags); } -static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, +static inline void security_inode_post_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) { } -static inline int security_inode_getxattr (struct dentry *dentry, char *name) +static inline int security_inode_getxattr(struct dentry *dentry, char *name) { return 0; } -static inline int security_inode_listxattr (struct dentry *dentry) +static inline int security_inode_listxattr(struct dentry *dentry) { return 0; } -static inline int security_inode_removexattr (struct dentry *dentry, char *name) +static inline int security_inode_removexattr(struct 
dentry *dentry, char *name) { return cap_inode_removexattr(dentry, name); } 
@@ -2094,198 +2094,198 @@ static inline void security_inode_getsecid(const struct inode *inode, u32 *secid *secid = 0; } -static inline int security_file_permission (struct file *file, int mask) +static inline int security_file_permission(struct file *file, int mask) { return 0; } -static inline int security_file_alloc (struct file *file) +static inline int security_file_alloc(struct file *file) { return 0; } -static inline void security_file_free (struct file *file) +static inline void security_file_free(struct file *file) { } -static inline int security_file_ioctl (struct file *file, unsigned int cmd, - unsigned long arg) +static inline int security_file_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) { return 0; } -static inline int security_file_mmap (struct file *file, unsigned long reqprot, - unsigned long prot, - unsigned long flags, - unsigned long addr, - unsigned long addr_only) +static inline int security_file_mmap(struct file *file, unsigned long reqprot, + unsigned long prot, + unsigned long flags, + unsigned long addr, + unsigned long addr_only) { return 0; } -static inline int security_file_mprotect (struct vm_area_struct *vma, - unsigned long reqprot, - unsigned long prot) +static inline int security_file_mprotect(struct vm_area_struct *vma, + unsigned long reqprot, + unsigned long prot) { return 0; } -static inline int security_file_lock (struct file *file, unsigned int cmd) +static inline int security_file_lock(struct file *file, unsigned int cmd) { return 0; } -static inline int security_file_fcntl (struct file *file, unsigned int cmd, - unsigned long arg) +static inline int security_file_fcntl(struct file *file, unsigned int cmd, + unsigned long arg) { return 0; } -static inline int security_file_set_fowner (struct file *file) +static inline int security_file_set_fowner(struct file *file) { return 0; } -static inline int security_file_send_sigiotask (struct task_struct *tsk, - struct fown_struct *fown, - int sig) +static inline 
int security_file_send_sigiotask(struct task_struct *tsk, + struct fown_struct *fown, + int sig) { return 0; } -static inline int security_file_receive (struct file *file) +static inline int security_file_receive(struct file *file) { return 0; } -static inline int security_dentry_open (struct file *file) +static inline int security_dentry_open(struct file *file) { return 0; } -static inline int security_task_create (unsigned long clone_flags) +static inline int security_task_create(unsigned long clone_flags) { return 0; } -static inline int security_task_alloc (struct task_struct *p) +static inline int security_task_alloc(struct task_struct *p) { return 0; } -static inline void security_task_free (struct task_struct *p) +static inline void security_task_free(struct task_struct *p) { } -static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, - int flags) +static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, + int flags) { return 0; } -static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, - uid_t old_suid, int flags) +static inline int security_task_post_setuid(uid_t old_ruid, uid_t old_euid, + uid_t old_suid, int flags) { - return cap_task_post_setuid (old_ruid, old_euid, old_suid, flags); + return cap_task_post_setuid(old_ruid, old_euid, old_suid, flags); } -static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, - int flags) +static inline int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, + int flags) { return 0; } -static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) +static inline int security_task_setpgid(struct task_struct *p, pid_t pgid) { return 0; } -static inline int security_task_getpgid (struct task_struct *p) +static inline int security_task_getpgid(struct task_struct *p) { return 0; } -static inline int security_task_getsid (struct task_struct *p) +static inline int security_task_getsid(struct task_struct *p) { return 0; } -static inline void 
security_task_getsecid (struct task_struct *p, u32 *secid) +static inline void security_task_getsecid(struct task_struct *p, u32 *secid) { *secid = 0; } -static inline int security_task_setgroups (struct group_info *group_info) +static inline int security_task_setgroups(struct group_info *group_info) { return 0; } -static inline int security_task_setnice (struct task_struct *p, int nice) +static inline int security_task_setnice(struct task_struct *p, int nice) { return cap_task_setnice(p, nice); } -static inline int security_task_setioprio (struct task_struct *p, int ioprio) +static inline int security_task_setioprio(struct task_struct *p, int ioprio) { return cap_task_setioprio(p, ioprio); } -static inline int security_task_getioprio (struct task_struct *p) +static inline int security_task_getioprio(struct task_struct *p) { return 0; } -static inline int security_task_setrlimit (unsigned int resource, - struct rlimit *new_rlim) +static inline int security_task_setrlimit(unsigned int resource, + struct rlimit *new_rlim) { return 0; } -static inline int security_task_setscheduler (struct task_struct *p, - int policy, - struct sched_param *lp) +static inline int security_task_setscheduler(struct task_struct *p, + int policy, + struct sched_param *lp) { return cap_task_setscheduler(p, policy, lp); } -static inline int security_task_getscheduler (struct task_struct *p) +static inline int security_task_getscheduler(struct task_struct *p) { return 0; } -static inline int security_task_movememory (struct task_struct *p) +static inline int security_task_movememory(struct task_struct *p) { return 0; } -static inline int security_task_kill (struct task_struct *p, - struct siginfo *info, int sig, - u32 secid) +static inline int security_task_kill(struct task_struct *p, + struct siginfo *info, int sig, + u32 secid) { return 0; } -static inline int security_task_wait (struct task_struct *p) +static inline int security_task_wait(struct task_struct *p) { return 0; } -static 
inline int security_task_prctl (int option, unsigned long arg2, - unsigned long arg3, - unsigned long arg4, - unsigned long arg5) +static inline int security_task_prctl(int option, unsigned long arg2, + unsigned long arg3, + unsigned long arg4, + unsigned long arg5) { return 0; } -static inline void security_task_reparent_to_init (struct task_struct *p) +static inline void security_task_reparent_to_init(struct task_struct *p) { - cap_task_reparent_to_init (p); + cap_task_reparent_to_init(p); } static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) { } -static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, - short flag) +static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, + short flag) { return 0; } 
@@ -2295,98 +2295,98 @@ static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) *secid = 0; } -static inline int security_msg_msg_alloc (struct msg_msg * msg) +static inline int security_msg_msg_alloc(struct msg_msg *msg) { return 0; } -static inline void security_msg_msg_free (struct msg_msg * msg) +static inline void security_msg_msg_free(struct msg_msg *msg) { } -static inline int security_msg_queue_alloc (struct msg_queue *msq) +static inline int security_msg_queue_alloc(struct msg_queue *msq) { return 0; } -static inline void security_msg_queue_free (struct msg_queue *msq) +static inline void security_msg_queue_free(struct msg_queue *msq) { } -static inline int security_msg_queue_associate (struct msg_queue * msq, - int msqflg) +static inline int security_msg_queue_associate(struct msg_queue *msq, + int msqflg) { return 0; } -static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) +static inline int security_msg_queue_msgctl(struct msg_queue *msq, int cmd) { return 0; } -static inline int security_msg_queue_msgsnd (struct msg_queue * msq, - struct msg_msg * msg, int msqflg) +static inline int security_msg_queue_msgsnd(struct msg_queue *msq, + struct msg_msg *msg, int msqflg) { return 0; } -static inline int security_msg_queue_msgrcv (struct msg_queue * msq, - struct msg_msg * msg, - struct task_struct * target, - long type, int mode) +static inline int security_msg_queue_msgrcv(struct msg_queue *msq, + struct msg_msg *msg, + struct task_struct *target, + long type, int mode) { return 0; } -static inline int security_shm_alloc (struct shmid_kernel *shp) +static inline int security_shm_alloc(struct shmid_kernel *shp) { return 0; } -static inline void security_shm_free (struct shmid_kernel *shp) +static inline void security_shm_free(struct shmid_kernel *shp) { } -static inline int security_shm_associate (struct shmid_kernel * shp, - int shmflg) +static inline int security_shm_associate(struct shmid_kernel *shp, + int 
shmflg) { return 0; } -static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) +static inline int security_shm_shmctl(struct shmid_kernel *shp, int cmd) { return 0; } -static inline int security_shm_shmat (struct shmid_kernel * shp, - char __user *shmaddr, int shmflg) +static inline int security_shm_shmat(struct shmid_kernel *shp, + char __user *shmaddr, int shmflg) { return 0; } -static inline int security_sem_alloc (struct sem_array *sma) +static inline int security_sem_alloc(struct sem_array *sma) { return 0; } -static inline void security_sem_free (struct sem_array *sma) +static inline void security_sem_free(struct sem_array *sma) { } -static inline int security_sem_associate (struct sem_array * sma, int semflg) +static inline int security_sem_associate(struct sem_array *sma, int semflg) { return 0; } -static inline int security_sem_semctl (struct sem_array * sma, int cmd) +static inline int security_sem_semctl(struct sem_array *sma, int cmd) { return 0; } -static inline int security_sem_semop (struct sem_array * sma, - struct sembuf * sops, unsigned nsops, - int alter) +static inline int security_sem_semop(struct sem_array *sma, + struct sembuf *sops, unsigned nsops, + int alter) { return 0; } -static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) +static inline void security_d_instantiate(struct dentry *dentry, struct inode *inode) { } static inline int security_getprocattr(struct task_struct *p, char *name, char **value) 
@@ -2399,14 +2399,14 @@ static inline int security_setprocattr(struct task_struct *p, char *name, void * return -EINVAL; } -static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb) +static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb) { - return cap_netlink_send (sk, skb); + return cap_netlink_send(sk, skb); } -static inline int security_netlink_recv (struct sk_buff *skb, int cap) +static inline int security_netlink_recv(struct sk_buff *skb, int cap) { - return cap_netlink_recv (skb, cap); + return cap_netlink_recv(skb, cap); } static inline struct dentry *securityfs_create_dir(const char *name, @@ -2484,26 +2484,26 @@ void security_inet_conn_established(struct sock *sk, struct sk_buff *skb); #else /* CONFIG_SECURITY_NETWORK */ -static inline int security_unix_stream_connect(struct socket * sock, - struct socket * other, - struct sock * newsk) +static inline int security_unix_stream_connect(struct socket *sock, + struct socket *other, + struct sock *newsk) { return 0; } -static inline int security_unix_may_send(struct socket * sock, - struct socket * other) +static inline int security_unix_may_send(struct socket *sock, + struct socket *other) { return 0; } -static inline int security_socket_create (int family, int type, - int protocol, int kern) +static inline int security_socket_create(int family, int type, + int protocol, int kern) { return 0; } -static inline int security_socket_post_create(struct socket * sock, +static inline int security_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern) 
@@ -2511,77 +2511,77 @@ static inline int security_socket_post_create(struct socket * sock, return 0; } -static inline int security_socket_bind(struct socket * sock, - struct sockaddr * address, +static inline int security_socket_bind(struct socket *sock, + struct sockaddr *address, int addrlen) { return 0; } -static inline int security_socket_connect(struct socket * sock, - struct sockaddr * address, +static inline int security_socket_connect(struct socket *sock, + struct sockaddr *address, int addrlen) { return 0; } -static inline int security_socket_listen(struct socket * sock, int backlog) +static inline int security_socket_listen(struct socket *sock, int backlog) { return 0; } -static inline int security_socket_accept(struct socket * sock, - struct socket * newsock) +static inline int security_socket_accept(struct socket *sock, + struct socket *newsock) { return 0; } -static inline void security_socket_post_accept(struct socket * sock, - struct socket * newsock) +static inline void security_socket_post_accept(struct socket *sock, + struct socket *newsock) { } -static inline int security_socket_sendmsg(struct socket * sock, - struct msghdr * msg, int size) +static inline int security_socket_sendmsg(struct socket *sock, + struct msghdr *msg, int size) { return 0; } -static inline int security_socket_recvmsg(struct socket * sock, - struct msghdr * msg, int size, +static inline int security_socket_recvmsg(struct socket *sock, + struct msghdr *msg, int size, int flags) { return 0; } -static inline int security_socket_getsockname(struct socket * sock) +static inline int security_socket_getsockname(struct socket *sock) { return 0; } -static inline int security_socket_getpeername(struct socket * sock) +static inline int security_socket_getpeername(struct socket *sock) { return 0; } -static inline int security_socket_getsockopt(struct socket * sock, +static inline int security_socket_getsockopt(struct socket *sock, int level, int optname) { return 0; } -static inline 
int security_socket_setsockopt(struct socket * sock, +static inline int security_socket_setsockopt(struct socket *sock, int level, int optname) { return 0; } -static inline int security_socket_shutdown(struct socket * sock, int how) +static inline int security_socket_shutdown(struct socket *sock, int how) { return 0; } -static inline int security_sock_rcv_skb (struct sock * sk, - struct sk_buff * skb) +static inline int security_sock_rcv_skb(struct sock *sk, + struct sk_buff *skb) { return 0; } @@ -2618,7 +2618,7 @@ static inline void security_req_classify_flow(const struct request_sock *req, st { } -static inline void security_sock_graft(struct sock* sk, struct socket *parent) +static inline void security_sock_graft(struct sock *sk, struct socket *parent) { } -- cgit v1.2.3-58-ga151 From a639e7ca8e8282b75be2724a28bfc788aa3bb156 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Fri, 25 Apr 2008 15:03:34 -0400 Subject: SELinux: Made netnode cache adds faster When adding new entries to the network node cache we would walk the entire hash bucket to make sure we didn't cross a threshold (done to bound the cache size). This isn't a very quick or elegant solution for something which is supposed to be quick-ish so add a counter to each hash bucket to track the size of the bucket and eliminate the need to walk the entire bucket list on each add. Signed-off-by: Paul Moore Signed-off-by: James Morris --- security/selinux/netnode.c | 104 +++++++++++++++++++++------------------------ 1 file changed, 49 insertions(+), 55 deletions(-) diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index 2edc4c5e0c61..b6ccd09379f1 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c 
@@ -40,11 +40,17 @@ #include #include +#include "netnode.h" #include "objsec.h" #define SEL_NETNODE_HASH_SIZE 256 #define SEL_NETNODE_HASH_BKT_LIMIT 16 +struct sel_netnode_bkt { + unsigned int size; + struct list_head list; +}; + struct sel_netnode { struct netnode_security_struct nsec; @@ -60,7 +66,7 @@ struct sel_netnode { static LIST_HEAD(sel_netnode_list); static DEFINE_SPINLOCK(sel_netnode_lock); -static struct list_head sel_netnode_hash[SEL_NETNODE_HASH_SIZE]; +static struct sel_netnode_bkt sel_netnode_hash[SEL_NETNODE_HASH_SIZE]; /** * sel_netnode_free - Frees a node entry @@ -87,7 +93,7 @@ static void sel_netnode_free(struct rcu_head *p) * the bucket number for the given IP address. * */ -static u32 sel_netnode_hashfn_ipv4(__be32 addr) +static unsigned int sel_netnode_hashfn_ipv4(__be32 addr) { /* at some point we should determine if the mismatch in byte order * affects the hash function dramatically */ @@ -103,7 +109,7 @@ static u32 sel_netnode_hashfn_ipv4(__be32 addr) * the bucket number for the given IP address. * */ -static u32 sel_netnode_hashfn_ipv6(const struct in6_addr *addr) +static unsigned int sel_netnode_hashfn_ipv6(const struct in6_addr *addr) { /* just hash the least significant 32 bits to keep things fast (they * are the most likely to be different anyway), we can revisit this @@ -123,7 +129,7 @@ static u32 sel_netnode_hashfn_ipv6(const struct in6_addr *addr) */ static struct sel_netnode *sel_netnode_find(const void *addr, u16 family) { - u32 idx; + unsigned int idx; struct sel_netnode *node; switch (family) { @@ -137,7 +143,7 @@ static struct sel_netnode *sel_netnode_find(const void *addr, u16 family) BUG(); } - list_for_each_entry_rcu(node, &sel_netnode_hash[idx], list) + list_for_each_entry_rcu(node, &sel_netnode_hash[idx].list, list) if (node->nsec.family == family) switch (family) { case PF_INET: 
@@ -159,15 +165,12 @@ static struct sel_netnode *sel_netnode_find(const void *addr, u16 family)
 * @node: the new node record
 *
 * Description:
- * Add a new node record to the network address hash table. Returns zero on
- * success, negative values on failure.
+ * Add a new node record to the network address hash table.
 *
 */
-static int sel_netnode_insert(struct sel_netnode *node)
+static void sel_netnode_insert(struct sel_netnode *node)
 {
- u32 idx;
- u32 count = 0;
- struct sel_netnode *iter;
+ unsigned int idx;
 
 switch (node->nsec.family) {
 case PF_INET:
@@ -179,32 +182,21 @@ static int sel_netnode_insert(struct sel_netnode *node)
 default:
 BUG();
 }
- list_add_rcu(&node->list, &sel_netnode_hash[idx]);
+
+ INIT_RCU_HEAD(&node->rcu);
 
 /* we need to impose a limit on the growth of the hash table so check
 * this bucket to make sure it is within the specified bounds */
- list_for_each_entry(iter, &sel_netnode_hash[idx], list)
- if (++count > SEL_NETNODE_HASH_BKT_LIMIT) {
- list_del_rcu(&iter->list);
- call_rcu(&iter->rcu, sel_netnode_free);
- break;
- }
-
- return 0;
-}
-
-/**
- * sel_netnode_destroy - Remove a node record from the table
- * @node: the existing node record
- *
- * Description:
- * Remove an existing node record from the network address table.
- *
- */
-static void sel_netnode_destroy(struct sel_netnode *node)
-{
- list_del_rcu(&node->list);
- call_rcu(&node->rcu, sel_netnode_free);
+ list_add_rcu(&node->list, &sel_netnode_hash[idx].list);
+ if (sel_netnode_hash[idx].size == SEL_NETNODE_HASH_BKT_LIMIT) {
+ struct sel_netnode *tail;
+ tail = list_entry(
+ rcu_dereference(sel_netnode_hash[idx].list.prev),
+ struct sel_netnode, list);
+ list_del_rcu(&tail->list);
+ call_rcu(&tail->rcu, sel_netnode_free);
+ } else
+ sel_netnode_hash[idx].size++;
 }
 
 /**
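Review bot: sel_netnode_insert() has an undocumented locking requirement: the new per-bucket `size` field is a plain `unsigned int` that is compared and incremented with no protection of its own, so it is only correct while the caller holds sel_netnode_lock, and the kerneldoc rewritten in the first hunk does not say so. I would add `* The caller must hold sel_netnode_lock.` to the Description block, since a counter that drifts from the real list length silently weakens the SEL_NETNODE_HASH_BKT_LIMIT bound on the cache. As a style point, `} else` followed by an unbraced `sel_netnode_hash[idx].size++;` mixes braced and unbraced branches; bracing both is easier to extend safely. Both remarks also apply to sel_netport_insert() in the netport.c hunks of the following commit. The hash-index switch in the middle of the function lies between the two hunks and is not fully shown.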
@@ -222,7 +214,7 @@ static void sel_netnode_destroy(struct sel_netnode *node)
 */
 static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 {
- int ret;
+ int ret = -ENOMEM;
 struct sel_netnode *node;
 struct sel_netnode *new = NULL;
 
@@ -230,25 +222,21 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 node = sel_netnode_find(addr, family);
 if (node != NULL) {
 *sid = node->nsec.sid;
- ret = 0;
- goto out;
+ spin_unlock_bh(&sel_netnode_lock);
+ return 0;
 }
 new = kzalloc(sizeof(*new), GFP_ATOMIC);
- if (new == NULL) {
- ret = -ENOMEM;
+ if (new == NULL)
 goto out;
- }
 switch (family) {
 case PF_INET:
 ret = security_node_sid(PF_INET,
- addr, sizeof(struct in_addr),
- &new->nsec.sid);
+ addr, sizeof(struct in_addr), sid);
 new->nsec.addr.ipv4 = *(__be32 *)addr;
 break;
 case PF_INET6:
 ret = security_node_sid(PF_INET6,
- addr, sizeof(struct in6_addr),
- &new->nsec.sid);
+ addr, sizeof(struct in6_addr), sid);
 ipv6_addr_copy(&new->nsec.addr.ipv6, addr);
 break;
 default:
@@ -256,11 +244,10 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 }
 if (ret != 0)
 goto out;
+
 new->nsec.family = family;
- ret = sel_netnode_insert(new);
- if (ret != 0)
- goto out;
- *sid = new->nsec.sid;
+ new->nsec.sid = *sid;
+ sel_netnode_insert(new);
 
 out:
 spin_unlock_bh(&sel_netnode_lock);
@@ -312,13 +299,18 @@ int sel_netnode_sid(void *addr, u16 family, u32 *sid)
 */
 static void sel_netnode_flush(void)
 {
- u32 idx;
- struct sel_netnode *node;
+ unsigned int idx;
+ struct sel_netnode *node, *node_tmp;
 
 spin_lock_bh(&sel_netnode_lock);
- for (idx = 0; idx < SEL_NETNODE_HASH_SIZE; idx++)
- list_for_each_entry(node, &sel_netnode_hash[idx], list)
- sel_netnode_destroy(node);
+ for (idx = 0; idx < SEL_NETNODE_HASH_SIZE; idx++) {
+ list_for_each_entry_safe(node, node_tmp,
+ &sel_netnode_hash[idx].list, list) {
+ list_del_rcu(&node->list);
+ call_rcu(&node->rcu, sel_netnode_free);
+ }
+ sel_netnode_hash[idx].size = 0;
+ }
 spin_unlock_bh(&sel_netnode_lock);
 }
 
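Review bot: In sel_netnode_sid_slow(), security_node_sid() now writes straight into the caller's `sid` before `ret` is checked, so a failed lookup may leave `*sid` modified, whereas the removed lines assigned `*sid` only after a successful insert. Whether security_node_sid() touches its output on failure is not visible here, so I would either keep the result in a local and copy it out on success, or state the contract in the kerneldoc, e.g. `* On failure the value in @sid is undefined.`. The code after `out:` is outside the hunk, so the release of `new` on the `ret != 0` path cannot be confirmed from these lines. sel_netport_sid_slow() in netport.c receives the same change with security_port_sid().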
@@ -340,8 +332,10 @@ static __init int sel_netnode_init(void) if (!selinux_enabled) return 0; - for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++) - INIT_LIST_HEAD(&sel_netnode_hash[iter]); + for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++) { + INIT_LIST_HEAD(&sel_netnode_hash[iter].list); + sel_netnode_hash[iter].size = 0; + } ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET, SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); -- cgit v1.2.3-58-ga151 From c9b7b9793764b171a118d049d4b721a7f5d8ac82 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Fri, 25 Apr 2008 15:03:39 -0400 Subject: SELinux: Fix a RCU free problem with the netport cache The netport cache doesn't free resources in a manner which is safe or orderly. This patch fixes this by adding in a missing call to rcu_dereference() in sel_netport_insert() as well as some general cleanup throughout the file. Signed-off-by: Paul Moore Signed-off-by: James Morris --- security/selinux/netport.c | 40 ++++++++++++++++++---------------------- 1 file changed, 18 insertions(+), 22 deletions(-) diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 68ede3c498ab..90b4cff7c350 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c @@ -114,8 +114,7 @@ static struct sel_netport *sel_netport_find(u8 protocol, u16 pnum) idx = sel_netport_hashfn(pnum); list_for_each_entry_rcu(port, &sel_netport_hash[idx].list, list) - if (port->psec.port == pnum && - port->psec.protocol == protocol) + if (port->psec.port == pnum && port->psec.protocol == protocol) return port; return NULL; 
@@ -126,11 +125,10 @@ static struct sel_netport *sel_netport_find(u8 protocol, u16 pnum) * @port: the new port record * * Description: - * Add a new port record to the network address hash table. Returns zero on - * success, negative values on failure. + * Add a new port record to the network address hash table. * */ -static int sel_netport_insert(struct sel_netport *port) +static void sel_netport_insert(struct sel_netport *port) { unsigned int idx; @@ -140,13 +138,13 @@ static int sel_netport_insert(struct sel_netport *port) list_add_rcu(&port->list, &sel_netport_hash[idx].list); if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) { struct sel_netport *tail; - tail = list_entry(port->list.prev, struct sel_netport, list); - list_del_rcu(port->list.prev); + tail = list_entry( + rcu_dereference(sel_netport_hash[idx].list.prev), + struct sel_netport, list); + list_del_rcu(&tail->list); call_rcu(&tail->rcu, sel_netport_free); } else sel_netport_hash[idx].size++; - - return 0; } /** @@ -163,7 +161,7 @@ static int sel_netport_insert(struct sel_netport *port) */ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid) { - int ret; + int ret = -ENOMEM; struct sel_netport *port; struct sel_netport *new = NULL; @@ -171,23 +169,20 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid) port = sel_netport_find(protocol, pnum); if (port != NULL) { *sid = port->psec.sid; - ret = 0; - goto out; + spin_unlock_bh(&sel_netport_lock); + return 0; } new = kzalloc(sizeof(*new), GFP_ATOMIC); - if (new == NULL) { - ret = -ENOMEM; + if (new == NULL) goto out; - } - ret = security_port_sid(protocol, pnum, &new->psec.sid); + ret = security_port_sid(protocol, pnum, sid); if (ret != 0) goto out; + new->psec.port = pnum; new->psec.protocol = protocol; - ret = sel_netport_insert(new); - if (ret != 0) - goto out; - *sid = new->psec.sid; + new->psec.sid = *sid; + sel_netport_insert(new); out: spin_unlock_bh(&sel_netport_lock); 
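Review bot: The kernel-doc for sel_netport_insert() still says the record goes into the "network address hash table", which looks carried over from the netnode cache; this function inserts into `sel_netport_hash`. Suggested wording: `* Add a new port record to the network port hash table, evicting the oldest record in the bucket when it is already at SEL_NETPORT_HASH_BKT_LIMIT.` With the return value gone, this is also the place to state the locking rule, `* The caller must hold sel_netport_lock.`, which is inferred from sel_netport_sid_slow() unlocking after the call. The function body continues in the next hunk.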
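Review bot: The `rcu_dereference()` wrapped around `sel_netport_hash[idx].list.prev` in the eviction branch reads like a reader-side access, but this is the update path and nothing in the hunk says what actually protects the pointer. RCU list readers follow `next` only, and the tail is stable here only because the caller holds sel_netport_lock (inferred from sel_netport_sid_slow() unlocking after the call). A comment above the `list_entry()` would record that: `/* update side, sel_netport_lock held: list.prev is the tail, i.e. the oldest record */`. Separately, the unbraced `else` after a braced `if` block goes against kernel coding style; `} else {` with a closing brace would match.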
@@ -239,11 +234,12 @@ int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid) static void sel_netport_flush(void) { unsigned int idx; - struct sel_netport *port; + struct sel_netport *port, *port_tmp; spin_lock_bh(&sel_netport_lock); for (idx = 0; idx < SEL_NETPORT_HASH_SIZE; idx++) { - list_for_each_entry(port, &sel_netport_hash[idx].list, list) { + list_for_each_entry_safe(port, port_tmp, + &sel_netport_hash[idx].list, list) { list_del_rcu(&port->list); call_rcu(&port->rcu, sel_netport_free); } -- cgit v1.2.3-58-ga151