diff options
author | Kevin Hilman <khilman@linaro.org> | 2015-06-16 11:32:45 -0700 |
---|---|---|
committer | Kevin Hilman <khilman@linaro.org> | 2015-06-16 11:32:45 -0700 |
commit | 3d84ced2488b2cede1c52ada86db26d1e55f4898 (patch) | |
tree | 97ca64887ca0c0362118c6858b4e686dc42ec427 /security | |
parent | 3f1011ae062950b30326fa7d0538d5083a91ece6 (diff) | |
parent | 3174b276b358c0e9416bc58af120b9ab7860907c (diff) |
Merge branch 'android-3.18' of https://android.googlesource.com/kernel/common into linux-linaro-lsk-v3.18-android
* 'android-3.18' of https://android.googlesource.com/kernel/common:
sched: cpufreq: update power usage only if cpufreq_stat is enabled
cpufreq: Iterate over all the possible cpus to create powerstats.
uid_cputime: Extends the cputime functionality to report power per uid
sched: cpufreq: Adds a field cpu_power in the task_struct
cpufreq_stats: Adds the fucntionality to load current values for each frequency for all the cores.
cgroup: Fix issues in allow_attach callback
New Build Breakage in branch: kernel-m-dev-tegra-flounder-3.10 @ 1960706
net/unix: sk_socket can disappear when state is unlocked
selinux: enable genfscon labeling for sysfs and pstore files
ext4: don't save the error information if the block device is read-only
selinux: enable per-file labeling for debugfs files.
cpufreq: interactive: Rearm governor timer at max freq
cpufreq: interactive: Implement cluster-based min_sample_time
cpufreq: interactive: Exercise hispeed settings at a policy level
cpufreq: interactive: Round up timer_rate to match jiffy
cpufreq: interactive: Don't set floor_validate_time during boost
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 45 | ||||
-rw-r--r-- | security/selinux/include/security.h | 1 |
2 files changed, 24 insertions, 22 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e097b8757a90..946120d21663 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -731,7 +731,12 @@ static int selinux_set_mnt_opts(struct super_block *sb, } if (strcmp(sb->s_type->name, "proc") == 0) - sbsec->flags |= SE_SBPROC; + sbsec->flags |= SE_SBPROC | SE_SBGENFS; + + if (!strcmp(sb->s_type->name, "debugfs") || + !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "pstore")) + sbsec->flags |= SE_SBGENFS; if (!sbsec->behavior) { /* @@ -1227,12 +1232,13 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc return SECCLASS_SOCKET; } -#ifdef CONFIG_PROC_FS -static int selinux_proc_get_sid(struct dentry *dentry, - u16 tclass, - u32 *sid) +static int selinux_genfs_get_sid(struct dentry *dentry, + u16 tclass, + u16 flags, + u32 *sid) { int rc; + struct super_block *sb = dentry->d_inode->i_sb; char *buffer, *path; buffer = (char *)__get_free_page(GFP_KERNEL); @@ -1243,26 +1249,20 @@ static int selinux_proc_get_sid(struct dentry *dentry, if (IS_ERR(path)) rc = PTR_ERR(path); else { - /* each process gets a /proc/PID/ entry. Strip off the - * PID part to get a valid selinux labeling. - * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ - while (path[1] >= '0' && path[1] <= '9') { - path[1] = '/'; - path++; + if (flags & SE_SBPROC) { + /* each process gets a /proc/PID/ entry. Strip off the + * PID part to get a valid selinux labeling. + * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ + while (path[1] >= '0' && path[1] <= '9') { + path[1] = '/'; + path++; + } } - rc = security_genfs_sid("proc", path, tclass, sid); + rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); } free_page((unsigned long)buffer); return rc; } -#else -static int selinux_proc_get_sid(struct dentry *dentry, - u16 tclass, - u32 *sid) -{ - return -EINVAL; -} -#endif /* The inode's security attributes must be initialized before first use. */ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) @@ -1419,7 +1419,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent /* Default to the fs superblock SID. */ isec->sid = sbsec->sid; - if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { + if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { /* We must have a dentry to determine the label on * procfs inodes */ if (opt_dentry) @@ -1442,7 +1442,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent if (!dentry) goto out_unlock; isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = selinux_proc_get_sid(dentry, isec->sclass, &sid); + rc = selinux_genfs_get_sid(dentry, isec->sclass, + sbsec->flags, &sid); dput(dentry); if (rc) goto out_unlock; diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 9f4f7cbe2e7d..8d506832927f 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -57,6 +57,7 @@ /* Non-mount related flags */ #define SE_SBINITIALIZED 0x0100 #define SE_SBPROC 0x0200 +#define SE_SBGENFS 0x0400 #define CONTEXT_STR "context=" #define FSCONTEXT_STR "fscontext=" |