avc.c - OpenGrok cross reference for /openbmc/linux/security/selinux/avc.c

Deleted Added

sdiffudifftextold (aaccf3c9..)new (3a28cff3..)

avc.c (aaccf3c97418f169afdbb5855e9cbcbda34e90fd)	avc.c (3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e)
1/* 2 * Implementation of the kernel access vector cache (AVC). 3 * 4 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> 8 * Replaced the avc_lock spinlock by RCU. --- 824 unchanged lines hidden (view full) --- 833 834/** 835 * avc_update_node Update an AVC entry 836 * @event : Updating event 837 * @perms : Permission mask bits 838 * @ssid,@tsid,@tclass : identifier of an AVC entry 839 * @seqno : sequence number when decision was made 840 * @xpd: extended_perms_decision to be added to the node	1/* 2 * Implementation of the kernel access vector cache (AVC). 3 * 4 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> 8 * Replaced the avc_lock spinlock by RCU. --- 824 unchanged lines hidden (view full) --- 833 834/** 835 * avc_update_node Update an AVC entry 836 * @event : Updating event 837 * @perms : Permission mask bits 838 * @ssid,@tsid,@tclass : identifier of an AVC entry 839 * @seqno : sequence number when decision was made 840 * @xpd: extended_perms_decision to be added to the node
	841 * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0.
841 * 842 * if a valid AVC entry doesn't exist,this function returns -ENOENT. 843 * if kmalloc() called internal returns NULL, this function returns -ENOMEM. 844 * otherwise, this function updates the AVC entry. The original AVC-entry object 845 * will release later by RCU. 846 / 847static int avc_update_node(struct selinux_avc avc, 848 u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, 849 u32 tsid, u16 tclass, u32 seqno, 850 struct extended_perms_decision xpd, 851 u32 flags) 852{ 853 int hvalue, rc = 0; 854 unsigned long flag; 855 struct avc_node pos, node, orig = NULL; 856 struct hlist_head head; 857 spinlock_t lock; 858	842 * 843 * if a valid AVC entry doesn't exist,this function returns -ENOENT. 844 * if kmalloc() called internal returns NULL, this function returns -ENOMEM. 845 * otherwise, this function updates the AVC entry. The original AVC-entry object 846 * will release later by RCU. 847 / 848static int avc_update_node(struct selinux_avc avc, 849 u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, 850 u32 tsid, u16 tclass, u32 seqno, 851 struct extended_perms_decision xpd, 852 u32 flags) 853{ 854 int hvalue, rc = 0; 855 unsigned long flag; 856 struct avc_node pos, node, orig = NULL; 857 struct hlist_head head; 858 spinlock_t lock; 859
	860 /* 861 * If we are in a non-blocking code path, e.g. VFS RCU walk, 862 * then we must not add permissions to a cache entry 863 * because we cannot safely audit the denial. Otherwise, 864 * during the subsequent blocking retry (e.g. VFS ref walk), we 865 * will find the permissions already granted in the cache entry 866 * and won't audit anything at all, leading to silent denials in 867 * permissive mode that only appear when in enforcing mode. 868 * 869 * See the corresponding handling in slow_avc_audit(), and the 870 * logic in selinux_inode_follow_link and selinux_inode_permission 871 * for the VFS MAY_NOT_BLOCK flag, which is transliterated into 872 * AVC_NONBLOCKING for avc_has_perm_noaudit(). 873 */ 874 if (flags & AVC_NONBLOCKING) 875 return 0; 876
859 node = avc_alloc_node(avc); 860 if (!node) { 861 rc = -ENOMEM; 862 goto out; 863 } 864 865 /* Lock the target slot / 866 hvalue = avc_hash(ssid, tsid, tclass); --- 243 unchanged lines hidden* (view full) --- 1110} 1111 1112/** 1113 * avc_has_perm_noaudit - Check permissions but perform no auditing. 1114 * @ssid: source security identifier 1115 * @tsid: target security identifier 1116 * @tclass: target security class 1117 * @requested: requested permissions, interpreted based on @tclass	877 node = avc_alloc_node(avc); 878 if (!node) { 879 rc = -ENOMEM; 880 goto out; 881 } 882 883 /* Lock the target slot / 884 hvalue = avc_hash(ssid, tsid, tclass); --- 243 unchanged lines hidden* (view full) --- 1128} 1129 1130/** 1131 * avc_has_perm_noaudit - Check permissions but perform no auditing. 1132 * @ssid: source security identifier 1133 * @tsid: target security identifier 1134 * @tclass: target security class 1135 * @requested: requested permissions, interpreted based on @tclass
1118 * @flags: AVC_STRICT or 0	1136 * @flags: AVC_STRICT, AVC_NONBLOCKING, or 0
1119 * @avd: access vector decisions 1120 * 1121 * Check the AVC to determine whether the @requested permissions are granted 1122 * for the SID pair (@ssid, @tsid), interpreting the permissions 1123 * based on @tclass, and call the security server on a cache miss to obtain 1124 * a new decision and add it to the cache. Return a copy of the decisions 1125 * in @avd. Return %0 if all @requested permissions are granted, 1126 * -%EACCES if any permissions are denied, or another -errno upon --- 67 unchanged lines hidden (view full) --- 1194int avc_has_perm_flags(struct selinux_state state, 1195 u32 ssid, u32 tsid, u16 tclass, u32 requested, 1196 struct common_audit_data auditdata, 1197 int flags) 1198{ 1199 struct av_decision avd; 1200 int rc, rc2; 1201	1137 * @avd: access vector decisions 1138 * 1139 * Check the AVC to determine whether the @requested permissions are granted 1140 * for the SID pair (@ssid, @tsid), interpreting the permissions 1141 * based on @tclass, and call the security server on a cache miss to obtain 1142 * a new decision and add it to the cache. Return a copy of the decisions 1143 * in @avd. Return %0 if all @requested permissions are granted, 1144 * -%EACCES if any permissions are denied, or another -errno upon --- 67 unchanged lines hidden (view full) --- 1212int avc_has_perm_flags(struct selinux_state state, 1213 u32 ssid, u32 tsid, u16 tclass, u32 requested, 1214 struct common_audit_data auditdata, 1215 int flags) 1216{ 1217 struct av_decision avd; 1218 int rc, rc2; 1219
1202 rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0,	1220 rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 1221 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
1203 &avd); 1204 1205 rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc, 1206 auditdata, flags); 1207 if (rc2) 1208 return rc2; 1209 return rc; 1210} --- 24 unchanged lines hidden ---	1222 &avd); 1223 1224 rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc, 1225 auditdata, flags); 1226 if (rc2) 1227 return rc2; 1228 return rc; 1229} --- 24 unchanged lines hidden ---