Commit e816da29 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'selinux-pr-20221003' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux 

Pull SELinux updates from Paul Moore:
 "Six SELinux patches, all are simple and easily understood, but a list
  of the highlights is below:

   - Use 'grep -E' instead of 'egrep' in the SELinux policy install
     script.

     Fun fact, this seems to be GregKH's *second* dedicated SELinux
     patch since we transitioned to git (ignoring merges, the SPDX
     stuff, and a trivial fs reference removal when lustre was yanked);
     the first was back in 2011 when selinuxfs was placed in
     /sys/fs/selinux. Oh, the memories ...

   - Convert the SELinux policy boolean values to use signed integer
     types throughout the SELinux kernel code.

     Prior to this we were using a mix of signed and unsigned integers
     which was probably okay in this particular case, but it is
     definitely not a good idea in general.

   - Remove a reference to the SELinux runtime disable functionality in
     /etc/selinux/config as we are in the process of deprecating that.

     See [1] for more background on this if you missed the previous
     notes on the deprecation.

   - Minor cleanups: remove unneeded variables and function parameter
     constification"

Link: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable [1]

* tag 'selinux-pr-20221003' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: remove runtime disable message in the install_policy.sh script
  selinux: use "grep -E" instead of "egrep"
  selinux: remove the unneeded result variable
  selinux: declare read-only parameters const
  selinux: use int arrays for boolean values
  selinux: remove an unneeded variable in sel_make_class_dir_entries()
parents eafb121e 2fe2fb4c

scripts/selinux/install_policy.sh

+2 −3
Original line number Diff line number Diff line
@@ -31,8 +31,7 @@ fi 
if selinuxenabled; then

    echo "SELinux is already enabled"

    echo "This prevents safely relabeling all files."

    echo "Boot with selinux=0 on the kernel command-line or"

    echo "SELINUX=disabled in /etc/selinux/config."

    echo "Boot with selinux=0 on the kernel command-line."

    exit 1

fi
@@ -78,7 +77,7 @@ cd /etc/selinux/dummy/contexts/files 
$SF -F file_contexts /



mounts=`cat /proc/$$/mounts | \

	egrep "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \

	grep -E "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \

	awk '{ print $2 '}`

$SF -F file_contexts $mounts

security/selinux/hooks.c

+9 −15
Original line number Diff line number Diff line
@@ -5987,7 +5987,6 @@ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 
	struct ipc_security_struct *isec;

	struct common_audit_data ad;

	u32 sid = current_sid();

	int rc;



	isec = selinux_ipc(msq);

	ipc_init_security(isec, SECCLASS_MSGQ);
@@ -5995,10 +5994,9 @@ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 
	ad.type = LSM_AUDIT_DATA_IPC;

	ad.u.ipc_id = msq->key;



	rc = avc_has_perm(&selinux_state,

	return avc_has_perm(&selinux_state,

			    sid, isec->sid, SECCLASS_MSGQ,

			    MSGQ__CREATE, &ad);

	return rc;

}



static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
@@ -6126,7 +6124,6 @@ static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 
	struct ipc_security_struct *isec;

	struct common_audit_data ad;

	u32 sid = current_sid();

	int rc;



	isec = selinux_ipc(shp);

	ipc_init_security(isec, SECCLASS_SHM);
@@ -6134,10 +6131,9 @@ static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 
	ad.type = LSM_AUDIT_DATA_IPC;

	ad.u.ipc_id = shp->key;



	rc = avc_has_perm(&selinux_state,

	return avc_has_perm(&selinux_state,

			    sid, isec->sid, SECCLASS_SHM,

			    SHM__CREATE, &ad);

	return rc;

}



static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
@@ -6211,7 +6207,6 @@ static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 
	struct ipc_security_struct *isec;

	struct common_audit_data ad;

	u32 sid = current_sid();

	int rc;



	isec = selinux_ipc(sma);

	ipc_init_security(isec, SECCLASS_SEM);
@@ -6219,10 +6214,9 @@ static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 
	ad.type = LSM_AUDIT_DATA_IPC;

	ad.u.ipc_id = sma->key;



	rc = avc_has_perm(&selinux_state,

	return avc_has_perm(&selinux_state,

			    sid, isec->sid, SECCLASS_SEM,

			    SEM__CREATE, &ad);

	return rc;

}



static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)

security/selinux/selinuxfs.c

+6 −9
Original line number Diff line number Diff line
@@ -71,7 +71,7 @@ struct selinux_fs_info { 
	struct dentry *bool_dir;

	unsigned int bool_num;

	char **bool_pending_names;

	unsigned int *bool_pending_values;

	int *bool_pending_values;

	struct dentry *class_dir;

	unsigned long last_class_ino;

	bool policy_opened;
@@ -356,7 +356,7 @@ static const struct file_operations sel_policyvers_ops = { 
/* declaration for sel_write_load */

static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_dir,

			  unsigned int *bool_num, char ***bool_pending_names,

			  unsigned int **bool_pending_values);

			  int **bool_pending_values);

static int sel_make_classes(struct selinux_policy *newpolicy,

			    struct dentry *class_dir,

			    unsigned long *last_class_ino);
@@ -527,7 +527,7 @@ static const struct file_operations sel_policy_ops = { 
};



static void sel_remove_old_bool_data(unsigned int bool_num, char **bool_names,

				unsigned int *bool_values)

				     int *bool_values)

{

	u32 i;
@@ -545,7 +545,7 @@ static int sel_make_policy_nodes(struct selinux_fs_info *fsi, 
	struct dentry *tmp_parent, *tmp_bool_dir, *tmp_class_dir, *old_dentry;

	unsigned int tmp_bool_num, old_bool_num;

	char **tmp_bool_names, **old_bool_names;

	unsigned int *tmp_bool_values, *old_bool_values;

	int *tmp_bool_values, *old_bool_values;

	unsigned long tmp_ino = fsi->last_ino; /* Don't increment last_ino in this function */



	tmp_parent = sel_make_disconnected_dir(fsi->sb, &tmp_ino);
@@ -1423,7 +1423,7 @@ static void sel_remove_entries(struct dentry *de) 


static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_dir,

			  unsigned int *bool_num, char ***bool_pending_names,

			  unsigned int **bool_pending_values)

			  int **bool_pending_values)

{

	int ret;

	ssize_t len;
@@ -1917,7 +1917,6 @@ static int sel_make_class_dir_entries(struct selinux_policy *newpolicy, 
	struct selinux_fs_info *fsi = sb->s_fs_info;

	struct dentry *dentry = NULL;

	struct inode *inode = NULL;

	int rc;



	dentry = d_alloc_name(dir, "index");

	if (!dentry)
@@ -1937,9 +1936,7 @@ static int sel_make_class_dir_entries(struct selinux_policy *newpolicy, 
	if (IS_ERR(dentry))

		return PTR_ERR(dentry);



	rc = sel_make_perm_files(newpolicy, classname, index, dentry);



	return rc;

	return sel_make_perm_files(newpolicy, classname, index, dentry);

}



static int sel_make_classes(struct selinux_policy *newpolicy,

security/selinux/ss/context.h

+9 −8
Original line number Diff line number Diff line
@@ -38,7 +38,7 @@ static inline void mls_context_init(struct context *c) 
	memset(&c->range, 0, sizeof(c->range));

}



static inline int mls_context_cpy(struct context *dst, struct context *src)

static inline int mls_context_cpy(struct context *dst, const struct context *src)

{

	int rc;
@@ -58,7 +58,7 @@ static inline int mls_context_cpy(struct context *dst, struct context *src) 
/*

 * Sets both levels in the MLS range of 'dst' to the low level of 'src'.

 */

static inline int mls_context_cpy_low(struct context *dst, struct context *src)

static inline int mls_context_cpy_low(struct context *dst, const struct context *src)

{

	int rc;
@@ -78,7 +78,7 @@ static inline int mls_context_cpy_low(struct context *dst, struct context *src) 
/*

 * Sets both levels in the MLS range of 'dst' to the high level of 'src'.

 */

static inline int mls_context_cpy_high(struct context *dst, struct context *src)

static inline int mls_context_cpy_high(struct context *dst, const struct context *src)

{

	int rc;
@@ -97,9 +97,10 @@ static inline int mls_context_cpy_high(struct context *dst, struct context *src) 




static inline int mls_context_glblub(struct context *dst,

				     struct context *c1, struct context *c2)

				     const struct context *c1, const struct context *c2)

{

	struct mls_range *dr = &dst->range, *r1 = &c1->range, *r2 = &c2->range;

	struct mls_range *dr = &dst->range;

	const struct mls_range *r1 = &c1->range, *r2 = &c2->range;

	int rc = 0;



	if (r1->level[1].sens < r2->level[0].sens ||
@@ -127,7 +128,7 @@ static inline int mls_context_glblub(struct context *dst, 
	return rc;

}



static inline int mls_context_cmp(struct context *c1, struct context *c2)

static inline int mls_context_cmp(const struct context *c1, const struct context *c2)

{

	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&

		ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
@@ -147,7 +148,7 @@ static inline void context_init(struct context *c) 
	memset(c, 0, sizeof(*c));

}



static inline int context_cpy(struct context *dst, struct context *src)

static inline int context_cpy(struct context *dst, const struct context *src)

{

	int rc;
@@ -180,7 +181,7 @@ static inline void context_destroy(struct context *c) 
	mls_context_destroy(c);

}



static inline int context_cmp(struct context *c1, struct context *c2)

static inline int context_cmp(const struct context *c1, const struct context *c2)

{

	if (c1->len && c2->len)

		return (c1->len == c2->len && !strcmp(c1->str, c2->str));

security/selinux/ss/ebitmap.c

+11 −10
Original line number Diff line number Diff line
@@ -28,9 +28,9 @@ 


static struct kmem_cache *ebitmap_node_cachep __ro_after_init;



int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2)

int ebitmap_cmp(const struct ebitmap *e1, const struct ebitmap *e2)

{

	struct ebitmap_node *n1, *n2;

	const struct ebitmap_node *n1, *n2;



	if (e1->highbit != e2->highbit)

		return 0;
@@ -50,9 +50,10 @@ int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2) 
	return 1;

}



int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)

int ebitmap_cpy(struct ebitmap *dst, const struct ebitmap *src)

{

	struct ebitmap_node *n, *new, *prev;

	struct ebitmap_node *new, *prev;

	const struct ebitmap_node *n;



	ebitmap_init(dst);

	n = src->node;
@@ -78,7 +79,7 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src) 
	return 0;

}



int ebitmap_and(struct ebitmap *dst, struct ebitmap *e1, struct ebitmap *e2)

int ebitmap_and(struct ebitmap *dst, const struct ebitmap *e1, const struct ebitmap *e2)

{

	struct ebitmap_node *n;

	int bit, rc;
@@ -217,9 +218,9 @@ int ebitmap_netlbl_import(struct ebitmap *ebmap, 
 * if last_e2bit is non-zero, the highest set bit in e2 cannot exceed

 * last_e2bit.

 */

int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit)

int ebitmap_contains(const struct ebitmap *e1, const struct ebitmap *e2, u32 last_e2bit)

{

	struct ebitmap_node *n1, *n2;

	const struct ebitmap_node *n1, *n2;

	int i;



	if (e1->highbit < e2->highbit)
@@ -258,9 +259,9 @@ int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit) 
	return 1;

}



int ebitmap_get_bit(struct ebitmap *e, unsigned long bit)

int ebitmap_get_bit(const struct ebitmap *e, unsigned long bit)

{

	struct ebitmap_node *n;

	const struct ebitmap_node *n;



	if (e->highbit < bit)

		return 0;
@@ -467,7 +468,7 @@ int ebitmap_read(struct ebitmap *e, void *fp) 
	goto out;

}



int ebitmap_write(struct ebitmap *e, void *fp)

int ebitmap_write(const struct ebitmap *e, void *fp)

{

	struct ebitmap_node *n;

	u32 count;