tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'stable-4.9' of git://git.infradead.org/users/pcmoore/selinux into next
+211
-65
+22
fs/overlayfs/copy_up.c
+22
fs/overlayfs/copy_up.c
···
103
103
goto retry;
104
104
}
105
105
106
+
error = security_inode_copy_up_xattr(name);
107
+
if (error < 0 && error != -EOPNOTSUPP)
108
+
break;
109
+
if (error == 1) {
110
+
error = 0;
111
+
continue; /* Discard */
112
+
}
106
113
error = vfs_setxattr(new, name, value, size, 0);
107
114
if (error)
108
115
break;
···
253
246
struct dentry *upper = NULL;
254
247
umode_t mode = stat->mode;
255
248
int err;
249
+
const struct cred *old_creds = NULL;
250
+
struct cred *new_creds = NULL;
256
251
257
252
newdentry = ovl_lookup_temp(workdir, dentry);
258
253
err = PTR_ERR(newdentry);
···
267
258
if (IS_ERR(upper))
268
259
goto out1;
269
260
261
+
err = security_inode_copy_up(dentry, &new_creds);
262
+
if (err < 0)
263
+
goto out2;
264
+
265
+
if (new_creds)
266
+
old_creds = override_creds(new_creds);
267
+
270
268
/* Can't properly set mode on creation because of the umask */
271
269
stat->mode &= S_IFMT;
272
270
err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);
273
271
stat->mode = mode;
272
+
273
+
if (new_creds) {
274
+
revert_creds(old_creds);
275
+
put_cred(new_creds);
276
+
}
277
+
274
278
if (err)
275
279
goto out2;
276
280
+10
fs/overlayfs/dir.c
+10
fs/overlayfs/dir.c
···
435
435
if (override_cred) {
436
436
override_cred->fsuid = inode->i_uid;
437
437
override_cred->fsgid = inode->i_gid;
438
+
if (!hardlink) {
439
+
err = security_dentry_create_files_as(dentry,
440
+
stat->mode, &dentry->d_name, old_cred,
441
+
override_cred);
442
+
if (err) {
443
+
put_cred(override_cred);
444
+
goto out_revert_creds;
445
+
}
446
+
}
438
447
put_cred(override_creds(override_cred));
439
448
put_cred(override_cred);
440
449
···
454
445
err = ovl_create_over_whiteout(dentry, inode, stat,
455
446
link, hardlink);
456
447
}
448
+
out_revert_creds:
457
449
revert_creds(old_cred);
458
450
if (!err) {
459
451
struct inode *realinode = d_inode(ovl_dentry_upper(dentry));
+36
include/linux/lsm_hooks.h
+36
include/linux/lsm_hooks.h
···
151
151
* @name name of the last path component used to create file
152
152
* @ctx pointer to place the pointer to the resulting context in.
153
153
* @ctxlen point to place the length of the resulting context.
154
+
* @dentry_create_files_as:
155
+
* Compute a context for a dentry as the inode is not yet available
156
+
* and set that context in passed in creds so that new files are
157
+
* created using that context. Context is calculated using the
158
+
* passed in creds and not the creds of the caller.
159
+
* @dentry dentry to use in calculating the context.
160
+
* @mode mode used to determine resource type.
161
+
* @name name of the last path component used to create file
162
+
* @old creds which should be used for context calculation
163
+
* @new creds to modify
154
164
*
155
165
*
156
166
* Security hooks for inode operations.
···
411
401
* @inode contains a pointer to the inode.
412
402
* @secid contains a pointer to the location where result will be saved.
413
403
* In case of failure, @secid will be set to zero.
404
+
* @inode_copy_up:
405
+
* A file is about to be copied up from lower layer to upper layer of
406
+
* overlay filesystem. Security module can prepare a set of new creds
407
+
* and modify as need be and return new creds. Caller will switch to
408
+
* new creds temporarily to create new file and release newly allocated
409
+
* creds.
410
+
* @src indicates the union dentry of file that is being copied up.
411
+
* @new pointer to pointer to return newly allocated creds.
412
+
* Returns 0 on success or a negative error code on error.
413
+
* @inode_copy_up_xattr:
414
+
* Filter the xattrs being copied up when a unioned file is copied
415
+
* up from a lower layer to the union/overlay layer.
416
+
* @name indicates the name of the xattr.
417
+
* Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if
418
+
* security module does not know about attribute or a negative error code
419
+
* to abort the copy up. Note that the caller is responsible for reading
420
+
* and writing the xattrs as this hook is merely a filter.
414
421
*
415
422
* Security hooks for file operations
416
423
*
···
1385
1358
int (*dentry_init_security)(struct dentry *dentry, int mode,
1386
1359
const struct qstr *name, void **ctx,
1387
1360
u32 *ctxlen);
1361
+
int (*dentry_create_files_as)(struct dentry *dentry, int mode,
1362
+
struct qstr *name,
1363
+
const struct cred *old,
1364
+
struct cred *new);
1388
1365
1389
1366
1390
1367
#ifdef CONFIG_SECURITY_PATH
···
1456
1425
int (*inode_listsecurity)(struct inode *inode, char *buffer,
1457
1426
size_t buffer_size);
1458
1427
void (*inode_getsecid)(struct inode *inode, u32 *secid);
1428
+
int (*inode_copy_up)(struct dentry *src, struct cred **new);
1429
+
int (*inode_copy_up_xattr)(const char *name);
1459
1430
1460
1431
int (*file_permission)(struct file *file, int mask);
1461
1432
int (*file_alloc_security)(struct file *file);
···
1688
1655
struct list_head sb_clone_mnt_opts;
1689
1656
struct list_head sb_parse_opts_str;
1690
1657
struct list_head dentry_init_security;
1658
+
struct list_head dentry_create_files_as;
1691
1659
#ifdef CONFIG_SECURITY_PATH
1692
1660
struct list_head path_unlink;
1693
1661
struct list_head path_mkdir;
···
1729
1695
struct list_head inode_setsecurity;
1730
1696
struct list_head inode_listsecurity;
1731
1697
struct list_head inode_getsecid;
1698
+
struct list_head inode_copy_up;
1699
+
struct list_head inode_copy_up_xattr;
1732
1700
struct list_head file_permission;
1733
1701
struct list_head file_alloc_security;
1734
1702
struct list_head file_free_security;
+24
include/linux/security.h
+24
include/linux/security.h
···
242
242
int security_dentry_init_security(struct dentry *dentry, int mode,
243
243
const struct qstr *name, void **ctx,
244
244
u32 *ctxlen);
245
+
int security_dentry_create_files_as(struct dentry *dentry, int mode,
246
+
struct qstr *name,
247
+
const struct cred *old,
248
+
struct cred *new);
245
249
246
250
int security_inode_alloc(struct inode *inode);
247
251
void security_inode_free(struct inode *inode);
···
286
282
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
287
283
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
288
284
void security_inode_getsecid(struct inode *inode, u32 *secid);
285
+
int security_inode_copy_up(struct dentry *src, struct cred **new);
286
+
int security_inode_copy_up_xattr(const char *name);
289
287
int security_file_permission(struct file *file, int mask);
290
288
int security_file_alloc(struct file *file);
291
289
void security_file_free(struct file *file);
···
603
597
return -EOPNOTSUPP;
604
598
}
605
599
600
+
static inline int security_dentry_create_files_as(struct dentry *dentry,
601
+
int mode, struct qstr *name,
602
+
const struct cred *old,
603
+
struct cred *new)
604
+
{
605
+
return 0;
606
+
}
607
+
606
608
607
609
static inline int security_inode_init_security(struct inode *inode,
608
610
struct inode *dir,
···
769
755
static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
770
756
{
771
757
*secid = 0;
758
+
}
759
+
760
+
static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
761
+
{
762
+
return 0;
763
+
}
764
+
765
+
static inline int security_inode_copy_up_xattr(const char *name)
766
+
{
767
+
return -EOPNOTSUPP;
772
768
}
773
769
774
770
static inline int security_file_permission(struct file *file, int mask)
+2
-2
security/lsm_audit.c
+2
-2
security/lsm_audit.c
···
99
99
}
100
100
return ret;
101
101
}
102
-
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
102
+
#if IS_ENABLED(CONFIG_IPV6)
103
103
/**
104
104
* ipv6_skb_to_auditdata : fill auditdata from skb
105
105
* @skb : the skb
···
257
257
audit_log_format(ab, " ino=%lu", inode->i_ino);
258
258
}
259
259
260
-
audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
260
+
audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
261
261
break;
262
262
}
263
263
case LSM_AUDIT_DATA_DENTRY: {
+27
security/security.c
+27
security/security.c
···
364
364
}
365
365
EXPORT_SYMBOL(security_dentry_init_security);
366
366
367
+
int security_dentry_create_files_as(struct dentry *dentry, int mode,
368
+
struct qstr *name,
369
+
const struct cred *old, struct cred *new)
370
+
{
371
+
return call_int_hook(dentry_create_files_as, 0, dentry, mode,
372
+
name, old, new);
373
+
}
374
+
EXPORT_SYMBOL(security_dentry_create_files_as);
375
+
367
376
int security_inode_init_security(struct inode *inode, struct inode *dir,
368
377
const struct qstr *qstr,
369
378
const initxattrs initxattrs, void *fs_data)
···
756
747
{
757
748
call_void_hook(inode_getsecid, inode, secid);
758
749
}
750
+
751
+
int security_inode_copy_up(struct dentry *src, struct cred **new)
752
+
{
753
+
return call_int_hook(inode_copy_up, 0, src, new);
754
+
}
755
+
EXPORT_SYMBOL(security_inode_copy_up);
756
+
757
+
int security_inode_copy_up_xattr(const char *name)
758
+
{
759
+
return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
760
+
}
761
+
EXPORT_SYMBOL(security_inode_copy_up_xattr);
759
762
760
763
int security_file_permission(struct file *file, int mask)
761
764
{
···
1644
1623
LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
1645
1624
.dentry_init_security =
1646
1625
LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
1626
+
.dentry_create_files_as =
1627
+
LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
1647
1628
#ifdef CONFIG_SECURITY_PATH
1648
1629
.path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink),
1649
1630
.path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir),
···
1707
1684
LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
1708
1685
.inode_getsecid =
1709
1686
LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
1687
+
.inode_copy_up =
1688
+
LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
1689
+
.inode_copy_up_xattr =
1690
+
LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
1710
1691
.file_permission =
1711
1692
LIST_HEAD_INIT(security_hook_heads.file_permission),
1712
1693
.file_alloc_security =
-38
security/selinux/Kconfig
-38
security/selinux/Kconfig
···
93
93
via /selinux/checkreqprot if authorized by policy.
94
94
95
95
If you are unsure how to answer this question, answer 0.
96
-
97
-
config SECURITY_SELINUX_POLICYDB_VERSION_MAX
98
-
bool "NSA SELinux maximum supported policy format version"
99
-
depends on SECURITY_SELINUX
100
-
default n
101
-
help
102
-
This option enables the maximum policy format version supported
103
-
by SELinux to be set to a particular value. This value is reported
104
-
to userspace via /selinux/policyvers and used at policy load time.
105
-
It can be adjusted downward to support legacy userland (init) that
106
-
does not correctly handle kernels that support newer policy versions.
107
-
108
-
Examples:
109
-
For the Fedora Core 3 or 4 Linux distributions, enable this option
110
-
and set the value via the next option. For Fedora Core 5 and later,
111
-
do not enable this option.
112
-
113
-
If you are unsure how to answer this question, answer N.
114
-
115
-
config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
116
-
int "NSA SELinux maximum supported policy format version value"
117
-
depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX
118
-
range 15 23
119
-
default 19
120
-
help
121
-
This option sets the value for the maximum policy format version
122
-
supported by SELinux.
123
-
124
-
Examples:
125
-
For Fedora Core 3, use 18.
126
-
For Fedora Core 4, use 19.
127
-
128
-
If you are unsure how to answer this question, look for the
129
-
policy format version supported by your policy toolchain, by
130
-
running 'checkpolicy -V'. Or look at what policy you have
131
-
installed under /etc/selinux/$SELINUXTYPE/policy, where
132
-
SELINUXTYPE is defined in your /etc/selinux/config.
133
-
+75
-15
security/selinux/hooks.c
+75
-15
security/selinux/hooks.c
···
1808
1808
/*
1809
1809
* Determine the label for an inode that might be unioned.
1810
1810
*/
1811
-
static int selinux_determine_inode_label(struct inode *dir,
1812
-
const struct qstr *name,
1813
-
u16 tclass,
1814
-
u32 *_new_isid)
1811
+
static int
1812
+
selinux_determine_inode_label(const struct task_security_struct *tsec,
1813
+
struct inode *dir,
1814
+
const struct qstr *name, u16 tclass,
1815
+
u32 *_new_isid)
1815
1816
{
1816
1817
const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1817
-
const struct task_security_struct *tsec = current_security();
1818
1818
1819
1819
if ((sbsec->flags & SE_SBINITIALIZED) &&
1820
1820
(sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
···
1857
1857
if (rc)
1858
1858
return rc;
1859
1859
1860
-
rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1861
-
&newsid);
1860
+
rc = selinux_determine_inode_label(current_security(), dir,
1861
+
&dentry->d_name, tclass, &newsid);
1862
1862
if (rc)
1863
1863
return rc;
1864
1864
···
2838
2838
u32 newsid;
2839
2839
int rc;
2840
2840
2841
-
rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2841
+
rc = selinux_determine_inode_label(current_security(),
2842
+
d_inode(dentry->d_parent), name,
2842
2843
inode_mode_to_security_class(mode),
2843
2844
&newsid);
2844
2845
if (rc)
2845
2846
return rc;
2846
2847
2847
2848
return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2849
+
}
2850
+
2851
+
static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2852
+
struct qstr *name,
2853
+
const struct cred *old,
2854
+
struct cred *new)
2855
+
{
2856
+
u32 newsid;
2857
+
int rc;
2858
+
struct task_security_struct *tsec;
2859
+
2860
+
rc = selinux_determine_inode_label(old->security,
2861
+
d_inode(dentry->d_parent), name,
2862
+
inode_mode_to_security_class(mode),
2863
+
&newsid);
2864
+
if (rc)
2865
+
return rc;
2866
+
2867
+
tsec = new->security;
2868
+
tsec->create_sid = newsid;
2869
+
return 0;
2848
2870
}
2849
2871
2850
2872
static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
···
2885
2863
sid = tsec->sid;
2886
2864
newsid = tsec->create_sid;
2887
2865
2888
-
rc = selinux_determine_inode_label(
2866
+
rc = selinux_determine_inode_label(current_security(),
2889
2867
dir, qstr,
2890
2868
inode_mode_to_security_class(inode->i_mode),
2891
2869
&newsid);
···
3313
3291
{
3314
3292
struct inode_security_struct *isec = inode_security_novalidate(inode);
3315
3293
*secid = isec->sid;
3294
+
}
3295
+
3296
+
static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3297
+
{
3298
+
u32 sid;
3299
+
struct task_security_struct *tsec;
3300
+
struct cred *new_creds = *new;
3301
+
3302
+
if (new_creds == NULL) {
3303
+
new_creds = prepare_creds();
3304
+
if (!new_creds)
3305
+
return -ENOMEM;
3306
+
}
3307
+
3308
+
tsec = new_creds->security;
3309
+
/* Get label from overlay inode and set it in create_sid */
3310
+
selinux_inode_getsecid(d_inode(src), &sid);
3311
+
tsec->create_sid = sid;
3312
+
*new = new_creds;
3313
+
return 0;
3314
+
}
3315
+
3316
+
static int selinux_inode_copy_up_xattr(const char *name)
3317
+
{
3318
+
/* The copy_up hook above sets the initial context on an inode, but we
3319
+
* don't then want to overwrite it by blindly copying all the lower
3320
+
* xattrs up. Instead, we have to filter out SELinux-related xattrs.
3321
+
*/
3322
+
if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3323
+
return 1; /* Discard */
3324
+
/*
3325
+
* Any other attribute apart from SELINUX is not claimed, supported
3326
+
* by selinux.
3327
+
*/
3328
+
return -EOPNOTSUPP;
3316
3329
}
3317
3330
3318
3331
/* file security operations */
···
4041
3984
return ret;
4042
3985
}
4043
3986
4044
-
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3987
+
#if IS_ENABLED(CONFIG_IPV6)
4045
3988
4046
3989
/* Returns error only if unable to parse addresses */
4047
3990
static int selinux_parse_skb_ipv6(struct sk_buff *skb,
···
4132
4075
&ad->u.net->v4info.daddr);
4133
4076
goto okay;
4134
4077
4135
-
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4078
+
#if IS_ENABLED(CONFIG_IPV6)
4136
4079
case PF_INET6:
4137
4080
ret = selinux_parse_skb_ipv6(skb, ad, proto);
4138
4081
if (ret)
···
5086
5029
return selinux_ip_forward(skb, state->in, PF_INET);
5087
5030
}
5088
5031
5089
-
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5032
+
#if IS_ENABLED(CONFIG_IPV6)
5090
5033
static unsigned int selinux_ipv6_forward(void *priv,
5091
5034
struct sk_buff *skb,
5092
5035
const struct nf_hook_state *state)
···
5144
5087
return selinux_ip_output(skb, PF_INET);
5145
5088
}
5146
5089
5147
-
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5090
+
#if IS_ENABLED(CONFIG_IPV6)
5148
5091
static unsigned int selinux_ipv6_output(void *priv,
5149
5092
struct sk_buff *skb,
5150
5093
const struct nf_hook_state *state)
···
5330
5273
return selinux_ip_postroute(skb, state->out, PF_INET);
5331
5274
}
5332
5275
5333
-
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5276
+
#if IS_ENABLED(CONFIG_IPV6)
5334
5277
static unsigned int selinux_ipv6_postroute(void *priv,
5335
5278
struct sk_buff *skb,
5336
5279
const struct nf_hook_state *state)
···
6119
6062
LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6120
6063
6121
6064
LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6065
+
LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6122
6066
6123
6067
LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6124
6068
LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
···
6146
6088
LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6147
6089
LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6148
6090
LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6091
+
LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6092
+
LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6149
6093
6150
6094
LSM_HOOK_INIT(file_permission, selinux_file_permission),
6151
6095
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
···
6377
6317
.hooknum = NF_INET_LOCAL_OUT,
6378
6318
.priority = NF_IP_PRI_SELINUX_FIRST,
6379
6319
},
6380
-
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6320
+
#if IS_ENABLED(CONFIG_IPV6)
6381
6321
{
6382
6322
.hook = selinux_ipv6_postroute,
6383
6323
.pf = NFPROTO_IPV6,
-4
security/selinux/include/security.h
-4
security/selinux/include/security.h
···
39
39
40
40
/* Range of policy versions we understand*/
41
41
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
42
-
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
43
-
#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
44
-
#else
45
42
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_XPERMS_IOCTL
46
-
#endif
47
43
48
44
/* Mask for just the mount related flags */
49
45
#define SE_MNTMASK 0x0f
+2
security/selinux/ss/conditional.c
+2
security/selinux/ss/conditional.c
+3
security/selinux/ss/ebitmap.c
+3
security/selinux/ss/ebitmap.c
+8
-4
security/selinux/ss/policydb.c
+8
-4
security/selinux/ss/policydb.c
···
541
541
542
542
rc = -ENOMEM;
543
543
p->class_val_to_struct =
544
-
kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)),
544
+
kzalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)),
545
545
GFP_KERNEL);
546
546
if (!p->class_val_to_struct)
547
547
goto out;
548
548
549
549
rc = -ENOMEM;
550
550
p->role_val_to_struct =
551
-
kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
551
+
kzalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
552
552
GFP_KERNEL);
553
553
if (!p->role_val_to_struct)
554
554
goto out;
555
555
556
556
rc = -ENOMEM;
557
557
p->user_val_to_struct =
558
-
kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
558
+
kzalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
559
559
GFP_KERNEL);
560
560
if (!p->user_val_to_struct)
561
561
goto out;
···
964
964
* Role must be authorized for the type.
965
965
*/
966
966
role = p->role_val_to_struct[c->role - 1];
967
-
if (!ebitmap_get_bit(&role->types, c->type - 1))
967
+
if (!role || !ebitmap_get_bit(&role->types, c->type - 1))
968
968
/* role may not be associated with type */
969
969
return 0;
970
970
···
1093
1093
{
1094
1094
int rc;
1095
1095
char *str;
1096
+
1097
+
if ((len == 0) || (len == (u32)-1))
1098
+
return -EINVAL;
1096
1099
1097
1100
str = kmalloc(len + 1, flags);
1098
1101
if (!str)
···
2417
2414
} else
2418
2415
tr->tclass = p->process_class;
2419
2416
2417
+
rc = -EINVAL;
2420
2418
if (!policydb_role_isvalid(p, tr->role) ||
2421
2419
!policydb_type_isvalid(p, tr->type) ||
2422
2420
!policydb_class_isvalid(p, tr->tclass) ||
+2
-2
security/smack/smack_netfilter.c
+2
-2
security/smack/smack_netfilter.c
···
20
20
#include <net/inet_sock.h>
21
21
#include "smack.h"
22
22
23
-
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
23
+
#if IS_ENABLED(CONFIG_IPV6)
24
24
25
25
static unsigned int smack_ipv6_output(void *priv,
26
26
struct sk_buff *skb,
···
64
64
.hooknum = NF_INET_LOCAL_OUT,
65
65
.priority = NF_IP_PRI_SELINUX_FIRST,
66
66
},
67
-
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
67
+
#if IS_ENABLED(CONFIG_IPV6)
68
68
{
69
69
.hook = smack_ipv6_output,
70
70
.pf = NFPROTO_IPV6,