summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/services.c115
1 files changed, 55 insertions, 60 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b341b8fd8c7..fc3dfca475d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2,7 +2,7 @@
* Implementation of the security services.
*
* Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
- * James Morris <jmorris@redhat.com>
+ * James Morris <jmorris@redhat.com>
*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
*
@@ -11,7 +11,7 @@
*
* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
*
- * Added conditional policy language extensions
+ * Added conditional policy language extensions
*
* Updated: Hewlett-Packard <paul.moore@hp.com>
*
@@ -27,7 +27,7 @@
* Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
+ * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
#include <linux/kernel.h>
@@ -82,7 +82,7 @@ static DEFINE_MUTEX(load_mutex);
static struct sidtab sidtab;
struct policydb policydb;
-int ss_initialized = 0;
+int ss_initialized;
/*
* The largest sequence number that has been used when
@@ -90,7 +90,7 @@ int ss_initialized = 0;
* The sequence number only changes when a policy change
* occurs.
*/
-static u32 latest_granting = 0;
+static u32 latest_granting;
/* Forward declaration. */
static int context_struct_to_string(struct context *context, char **scontext,
@@ -163,10 +163,10 @@ static int constraint_expr_eval(struct context *scontext,
val1 - 1);
continue;
case CEXPR_INCOMP:
- s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
- val2 - 1) &&
- !ebitmap_get_bit(&r2->dominates,
- val1 - 1) );
+ s[++sp] = (!ebitmap_get_bit(&r1->dominates,
+ val2 - 1) &&
+ !ebitmap_get_bit(&r2->dominates,
+ val1 - 1));
continue;
default:
break;
@@ -409,7 +409,7 @@ static int context_struct_compute_av(struct context *scontext,
}
if (!ra)
avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
- PROCESS__DYNTRANSITION);
+ PROCESS__DYNTRANSITION);
}
return 0;
@@ -445,9 +445,9 @@ int security_permissive_sid(u32 sid)
}
static int security_validtrans_handle_fail(struct context *ocontext,
- struct context *ncontext,
- struct context *tcontext,
- u16 tclass)
+ struct context *ncontext,
+ struct context *tcontext,
+ u16 tclass)
{
char *o = NULL, *n = NULL, *t = NULL;
u32 olen, nlen, tlen;
@@ -459,9 +459,9 @@ static int security_validtrans_handle_fail(struct context *ocontext,
if (context_struct_to_string(tcontext, &t, &tlen) < 0)
goto out;
audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "security_validate_transition: denied for"
- " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
- o, n, t, policydb.p_class_val_to_name[tclass-1]);
+ "security_validate_transition: denied for"
+ " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
+ o, n, t, policydb.p_class_val_to_name[tclass-1]);
out:
kfree(o);
kfree(n);
@@ -473,7 +473,7 @@ out:
}
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
- u16 tclass)
+ u16 tclass)
{
struct context *ocontext;
struct context *ncontext;
@@ -533,9 +533,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
constraint = tclass_datum->validatetrans;
while (constraint) {
if (!constraint_expr_eval(ocontext, ncontext, tcontext,
- constraint->expr)) {
+ constraint->expr)) {
rc = security_validtrans_handle_fail(ocontext, ncontext,
- tcontext, tclass);
+ tcontext, tclass);
goto out;
}
constraint = constraint->next;
@@ -623,9 +623,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
/* Allocate space for the context; caller must free this space. */
scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
- if (!scontextp) {
+ if (!scontextp)
return -ENOMEM;
- }
*scontext = scontextp;
/*
@@ -636,8 +635,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
policydb.p_role_val_to_name[context->role - 1],
policydb.p_type_val_to_name[context->type - 1]);
scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
- 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
- 1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
+ 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
+ 1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
mls_sid_to_context(context, &scontextp);
@@ -678,7 +677,7 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
char *scontextp;
*scontext_len = strlen(initial_sid_to_string[sid]) + 1;
- scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
+ scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
if (!scontextp) {
rc = -ENOMEM;
goto out;
@@ -974,7 +973,7 @@ static int security_compute_sid(u32 ssid,
avdatum = avtab_search(&policydb.te_avtab, &avkey);
/* If no permanent rule, also check for enabled conditional rules */
- if(!avdatum) {
+ if (!avdatum) {
node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
for (; node != NULL; node = avtab_search_node_next(node, specified)) {
if (node->key.specified & AVTAB_ENABLED) {
@@ -1288,26 +1287,23 @@ static int convert_context(u32 key,
/* Convert the user. */
usrdatum = hashtab_search(args->newp->p_users.table,
- args->oldp->p_user_val_to_name[c->user - 1]);
- if (!usrdatum) {
+ args->oldp->p_user_val_to_name[c->user - 1]);
+ if (!usrdatum)
goto bad;
- }
c->user = usrdatum->value;
/* Convert the role. */
role = hashtab_search(args->newp->p_roles.table,
- args->oldp->p_role_val_to_name[c->role - 1]);
- if (!role) {
+ args->oldp->p_role_val_to_name[c->role - 1]);
+ if (!role)
goto bad;
- }
c->role = role->value;
/* Convert the type. */
typdatum = hashtab_search(args->newp->p_types.table,
- args->oldp->p_type_val_to_name[c->type - 1]);
- if (!typdatum) {
+ args->oldp->p_type_val_to_name[c->type - 1]);
+ if (!typdatum)
goto bad;
- }
c->type = typdatum->value;
rc = mls_convert_context(args->oldp, args->newp, c);
@@ -1556,8 +1552,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
{
int i, fail = 0;
- for(i = 0; i < 4; i++)
- if(addr[i] != (input[i] & mask[i])) {
+ for (i = 0; i < 4; i++)
+ if (addr[i] != (input[i] & mask[i])) {
fail = 1;
break;
}
@@ -1656,7 +1652,7 @@ out:
*/
int security_get_user_sids(u32 fromsid,
- char *username,
+ char *username,
u32 **sids,
u32 *nel)
{
@@ -1766,7 +1762,7 @@ out:
* transition SIDs or task SIDs.
*/
int security_genfs_sid(const char *fstype,
- char *path,
+ char *path,
u16 sclass,
u32 *sid)
{
@@ -1881,7 +1877,7 @@ int security_get_bools(int *len, char ***names, int **values)
goto out;
}
- *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
+ *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
if (!*names)
goto err;
@@ -1893,7 +1889,7 @@ int security_get_bools(int *len, char ***names, int **values)
size_t name_len;
(*values)[i] = policydb.bool_val_to_struct[i]->state;
name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
- (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
+ (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
if (!(*names)[i])
goto err;
strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
@@ -1938,11 +1934,10 @@ int security_set_bools(int len, int *values)
audit_get_loginuid(current),
audit_get_sessionid(current));
}
- if (values[i]) {
+ if (values[i])
policydb.bool_val_to_struct[i]->state = 1;
- } else {
+ else
policydb.bool_val_to_struct[i]->state = 0;
- }
}
for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
@@ -2435,7 +2430,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
if (!rule) {
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "selinux_audit_rule_match: missing rule\n");
+ "selinux_audit_rule_match: missing rule\n");
return -ENOENT;
}
@@ -2443,7 +2438,7 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
if (rule->au_seqno < latest_granting) {
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "selinux_audit_rule_match: stale rule\n");
+ "selinux_audit_rule_match: stale rule\n");
match = -ESTALE;
goto out;
}
@@ -2451,8 +2446,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
ctxt = sidtab_search(&sidtab, sid);
if (!ctxt) {
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "selinux_audit_rule_match: unrecognized SID %d\n",
- sid);
+ "selinux_audit_rule_match: unrecognized SID %d\n",
+ sid);
match = -ENOENT;
goto out;
}
@@ -2498,36 +2493,36 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
case AUDIT_OBJ_LEV_LOW:
case AUDIT_OBJ_LEV_HIGH:
level = ((field == AUDIT_SUBJ_SEN ||
- field == AUDIT_OBJ_LEV_LOW) ?
- &ctxt->range.level[0] : &ctxt->range.level[1]);
+ field == AUDIT_OBJ_LEV_LOW) ?
+ &ctxt->range.level[0] : &ctxt->range.level[1]);
switch (op) {
case AUDIT_EQUAL:
match = mls_level_eq(&rule->au_ctxt.range.level[0],
- level);
+ level);
break;
case AUDIT_NOT_EQUAL:
match = !mls_level_eq(&rule->au_ctxt.range.level[0],
- level);
+ level);
break;
case AUDIT_LESS_THAN:
match = (mls_level_dom(&rule->au_ctxt.range.level[0],
- level) &&
- !mls_level_eq(&rule->au_ctxt.range.level[0],
- level));
+ level) &&
+ !mls_level_eq(&rule->au_ctxt.range.level[0],
+ level));
break;
case AUDIT_LESS_THAN_OR_EQUAL:
match = mls_level_dom(&rule->au_ctxt.range.level[0],
- level);
+ level);
break;
case AUDIT_GREATER_THAN:
match = (mls_level_dom(level,
- &rule->au_ctxt.range.level[0]) &&
- !mls_level_eq(level,
- &rule->au_ctxt.range.level[0]));
+ &rule->au_ctxt.range.level[0]) &&
+ !mls_level_eq(level,
+ &rule->au_ctxt.range.level[0]));
break;
case AUDIT_GREATER_THAN_OR_EQUAL:
match = mls_level_dom(level,
- &rule->au_ctxt.range.level[0]);
+ &rule->au_ctxt.range.level[0]);
break;
}
}
@@ -2554,7 +2549,7 @@ static int __init aurule_init(void)
int err;
err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
- SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
+ SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
if (err)
panic("avc_add_callback() failed, error %d\n", err);