/* Updated: Karl MacMillan <kmacmillan@tresys.com>
*
- * Added conditional policy language extensions
+ * Added conditional policy language extensions
*
+ * Updated: Hewlett-Packard <paul.moore@hp.com>
+ *
+ * Added support for the policy capability bitmap
+ *
+ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
* Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
* This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
+ * it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*/
#include <linux/seq_file.h>
#include <linux/percpu.h>
#include <linux/audit.h>
-#include <asm/uaccess.h>
-#include <asm/semaphore.h>
+#include <linux/uaccess.h>
/* selinuxfs pseudo filesystem for exporting the security policy API.
Based on the proc code and the fs/nfsd/nfsctl.c code. */
#include "objsec.h"
#include "conditional.h"
-unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
-
-#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
-#define SELINUX_COMPAT_NET_VALUE 0
-#else
-#define SELINUX_COMPAT_NET_VALUE 1
-#endif
+/* Policy capability filenames */
+static char *policycap_names[] = {
+ "network_peer_controls",
+ "open_perms"
+};
-int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
+unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
static int __init checkreqprot_setup(char *str)
{
- selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0;
+ unsigned long checkreqprot;
+ if (!strict_strtoul(str, 0, &checkreqprot))
+ selinux_checkreqprot = checkreqprot ? 1 : 0;
return 1;
}
__setup("checkreqprot=", checkreqprot_setup);
-static int __init selinux_compat_net_setup(char *str)
-{
- selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0;
- return 1;
-}
-__setup("selinux_compat_net=", selinux_compat_net_setup);
-
-
static DEFINE_MUTEX(sel_mutex);
/* global data for booleans */
-static struct dentry *bool_dir = NULL;
-static int bool_num = 0;
-static int *bool_pending_values = NULL;
+static struct dentry *bool_dir;
+static int bool_num;
+static char **bool_pending_names;
+static int *bool_pending_values;
/* global data for classes */
-static struct dentry *class_dir = NULL;
+static struct dentry *class_dir;
static unsigned long last_class_ino;
+/* global data for policy capabilities */
+static struct dentry *policycap_dir;
+
extern void selnl_notify_setenforce(int val);
/* Check whether a task is allowed to use a security operation. */
static int task_has_security(struct task_struct *tsk,
u32 perms)
{
- struct task_security_struct *tsec;
-
- tsec = tsk->security;
+ const struct task_security_struct *tsec;
+ u32 sid = 0;
+
+ rcu_read_lock();
+ tsec = __task_cred(tsk)->security;
+ if (tsec)
+ sid = tsec->sid;
+ rcu_read_unlock();
if (!tsec)
return -EACCES;
- return avc_has_perm(tsec->sid, SECINITSID_SECURITY,
+ return avc_has_perm(sid, SECINITSID_SECURITY,
SECCLASS_SECURITY, perms, NULL);
}
static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
-#define SEL_INITCON_INO_OFFSET 0x01000000
-#define SEL_BOOL_INO_OFFSET 0x02000000
-#define SEL_CLASS_INO_OFFSET 0x04000000
-#define SEL_INO_MASK 0x00ffffff
+#define SEL_INITCON_INO_OFFSET 0x01000000
+#define SEL_BOOL_INO_OFFSET 0x02000000
+#define SEL_CLASS_INO_OFFSET 0x04000000
+#define SEL_POLICYCAP_INO_OFFSET 0x08000000
+#define SEL_INO_MASK 0x00ffffff
#define TMPBUFLEN 12
static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
}
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
+static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
if (length)
goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
- "enforcing=%d old_enforcing=%d auid=%u", new_value,
- selinux_enforcing,
- audit_get_loginuid(current->audit_context));
+ "enforcing=%d old_enforcing=%d auid=%u ses=%u",
+ new_value, selinux_enforcing,
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
selinux_enforcing = new_value;
if (selinux_enforcing)
avc_ss_reset(0);
};
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-static ssize_t sel_write_disable(struct file * file, const char __user * buf,
+static ssize_t sel_write_disable(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
if (length < 0)
goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
- "selinux=0 auid=%u",
- audit_get_loginuid(current->audit_context));
+ "selinux=0 auid=%u ses=%u",
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
}
length = count;
};
static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
- size_t count, loff_t *ppos)
+ size_t count, loff_t *ppos)
{
char tmpbuf[TMPBUFLEN];
ssize_t length;
/* declaration for sel_write_load */
static int sel_make_bools(void);
static int sel_make_classes(void);
+static int sel_make_policycap(void);
/* declaration for sel_make_class_dirs */
static int sel_make_dir(struct inode *dir, struct dentry *dentry,
.read = sel_read_mls,
};
-static ssize_t sel_write_load(struct file * file, const char __user * buf,
+static ssize_t sel_write_load(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
}
ret = sel_make_classes();
+ if (ret) {
+ length = ret;
+ goto out1;
+ }
+
+ ret = sel_make_policycap();
if (ret)
length = ret;
else
length = count;
out1:
-
- printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
- (security_get_reject_unknown() ? "reject" :
- (security_get_allow_unknown() ? "allow" : "deny")));
-
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
- "policy loaded auid=%u",
- audit_get_loginuid(current->audit_context));
+ "policy loaded auid=%u ses=%u",
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
out:
mutex_unlock(&sel_mutex);
vfree(data);
.write = sel_write_load,
};
-static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
{
char *canon;
u32 sid, len;
return length;
if (len > SIMPLE_TRANSACTION_LIMIT) {
- printk(KERN_ERR "%s: context size (%u) exceeds payload "
- "max\n", __FUNCTION__, len);
+ printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
+ "payload max\n", __func__, len);
length = -ERANGE;
goto out;
}
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
-static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf,
+static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *page;
/* No partial writes. */
return -EINVAL;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
length = -EFAULT;
.write = sel_write_checkreqprot,
};
-static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
- size_t count, loff_t *ppos)
-{
- char tmpbuf[TMPBUFLEN];
- ssize_t length;
-
- length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
- return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
-}
-
-static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
- size_t count, loff_t *ppos)
-{
- char *page;
- ssize_t length;
- int new_value;
-
- length = task_has_security(current, SECURITY__LOAD_POLICY);
- if (length)
- return length;
-
- if (count >= PAGE_SIZE)
- return -ENOMEM;
- if (*ppos != 0) {
- /* No partial writes. */
- return -EINVAL;
- }
- page = (char*)get_zeroed_page(GFP_KERNEL);
- if (!page)
- return -ENOMEM;
- length = -EFAULT;
- if (copy_from_user(page, buf, count))
- goto out;
-
- length = -EINVAL;
- if (sscanf(page, "%d", &new_value) != 1)
- goto out;
-
- selinux_compat_net = new_value ? 1 : 0;
- length = count;
-out:
- free_page((unsigned long) page);
- return length;
-}
-static const struct file_operations sel_compat_net_ops = {
- .read = sel_read_compat_net,
- .write = sel_write_compat_net,
-};
-
/*
* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
*/
-static ssize_t sel_write_access(struct file * file, char *buf, size_t size);
-static ssize_t sel_write_create(struct file * file, char *buf, size_t size);
-static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size);
-static ssize_t sel_write_user(struct file * file, char *buf, size_t size);
-static ssize_t sel_write_member(struct file * file, char *buf, size_t size);
+static ssize_t sel_write_access(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_create(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_user(struct file *file, char *buf, size_t size);
+static ssize_t sel_write_member(struct file *file, char *buf, size_t size);
static ssize_t (*write_op[])(struct file *, char *, size_t) = {
[SEL_ACCESS] = sel_write_access,
static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
{
- ino_t ino = file->f_path.dentry->d_inode->i_ino;
+ ino_t ino = file->f_path.dentry->d_inode->i_ino;
char *data;
ssize_t rv;
if (IS_ERR(data))
return PTR_ERR(data);
- rv = write_op[ino](file, data, size);
- if (rv>0) {
+ rv = write_op[ino](file, data, size);
+ if (rv > 0) {
simple_transaction_set(file, rv);
rv = size;
}
* and the length returned. Otherwise return 0 or and -error.
*/
-static ssize_t sel_write_access(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid;
goto out2;
length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
- "%x %x %x %x %u",
- avd.allowed, avd.decided,
+ "%x %x %x %x %u %x",
+ avd.allowed, 0xffffffff,
avd.auditallow, avd.auditdeny,
- avd.seqno);
+ avd.seqno, avd.flags);
out2:
kfree(tcon);
out:
return length;
}
-static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) {
- printk(KERN_ERR "%s: context size (%u) exceeds payload "
- "max\n", __FUNCTION__, len);
+ printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
+ "payload max\n", __func__, len);
length = -ERANGE;
goto out3;
}
return length;
}
-static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
return length;
}
-static ssize_t sel_write_user(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
{
char *con, *user, *ptr;
u32 sid, *sids;
return length;
}
-static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
+static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
{
char *scon, *tcon;
u32 ssid, tsid, newsid;
goto out2;
if (len > SIMPLE_TRANSACTION_LIMIT) {
- printk(KERN_ERR "%s: context size (%u) exceeds payload "
- "max\n", __FUNCTION__, len);
+ printk(KERN_ERR "SELinux: %s: context size (%u) exceeds "
+ "payload max\n", __func__, len);
length = -ERANGE;
goto out3;
}
if (ret) {
ret->i_mode = mode;
- ret->i_uid = ret->i_gid = 0;
- ret->i_blocks = 0;
ret->i_atime = ret->i_mtime = ret->i_ctime = CURRENT_TIME;
}
return ret;
ssize_t length;
ssize_t ret;
int cur_enforcing;
- struct inode *inode;
+ struct inode *inode = filep->f_path.dentry->d_inode;
+ unsigned index = inode->i_ino & SEL_INO_MASK;
+ const char *name = filep->f_path.dentry->d_name.name;
mutex_lock(&sel_mutex);
- ret = -EFAULT;
-
- /* check to see if this file has been deleted */
- if (!filep->f_op)
- goto out;
-
- if (count > PAGE_SIZE) {
+ if (index >= bool_num || strcmp(name, bool_pending_names[index])) {
ret = -EINVAL;
goto out;
}
- if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) {
+
+ page = (char *)get_zeroed_page(GFP_KERNEL);
+ if (!page) {
ret = -ENOMEM;
goto out;
}
- inode = filep->f_path.dentry->d_inode;
- cur_enforcing = security_get_bool_value(inode->i_ino&SEL_INO_MASK);
+ cur_enforcing = security_get_bool_value(index);
if (cur_enforcing < 0) {
ret = cur_enforcing;
goto out;
}
-
length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
- bool_pending_values[inode->i_ino&SEL_INO_MASK]);
+ bool_pending_values[index]);
ret = simple_read_from_buffer(buf, count, ppos, page, length);
out:
mutex_unlock(&sel_mutex);
size_t count, loff_t *ppos)
{
char *page = NULL;
- ssize_t length = -EFAULT;
+ ssize_t length;
int new_value;
- struct inode *inode;
+ struct inode *inode = filep->f_path.dentry->d_inode;
+ unsigned index = inode->i_ino & SEL_INO_MASK;
+ const char *name = filep->f_path.dentry->d_name.name;
mutex_lock(&sel_mutex);
if (length)
goto out;
- /* check to see if this file has been deleted */
- if (!filep->f_op)
+ if (index >= bool_num || strcmp(name, bool_pending_names[index])) {
+ length = -EINVAL;
goto out;
+ }
if (count >= PAGE_SIZE) {
length = -ENOMEM;
goto out;
}
+
if (*ppos != 0) {
/* No partial writes. */
+ length = -EINVAL;
goto out;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
length = -ENOMEM;
goto out;
}
+ length = -EFAULT;
if (copy_from_user(page, buf, count))
goto out;
if (new_value)
new_value = 1;
- inode = filep->f_path.dentry->d_inode;
- bool_pending_values[inode->i_ino&SEL_INO_MASK] = new_value;
+ bool_pending_values[index] = new_value;
length = count;
out:
}
static const struct file_operations sel_bool_ops = {
- .read = sel_read_bool,
- .write = sel_write_bool,
+ .read = sel_read_bool,
+ .write = sel_write_bool,
};
static ssize_t sel_commit_bools_write(struct file *filep,
size_t count, loff_t *ppos)
{
char *page = NULL;
- ssize_t length = -EFAULT;
+ ssize_t length;
int new_value;
mutex_lock(&sel_mutex);
if (length)
goto out;
- /* check to see if this file has been deleted */
- if (!filep->f_op)
- goto out;
-
if (count >= PAGE_SIZE) {
length = -ENOMEM;
goto out;
/* No partial writes. */
goto out;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
length = -ENOMEM;
goto out;
}
+ length = -EFAULT;
if (copy_from_user(page, buf, count))
goto out;
if (sscanf(page, "%d", &new_value) != 1)
goto out;
- if (new_value && bool_pending_values) {
+ if (new_value && bool_pending_values)
security_set_bools(bool_num, bool_pending_values);
- }
length = count;
}
static const struct file_operations sel_commit_bools_ops = {
- .write = sel_commit_bools_write,
+ .write = sel_commit_bools_write,
};
-/* partial revoke() from fs/proc/generic.c proc_kill_inodes */
static void sel_remove_entries(struct dentry *de)
{
- struct list_head *p, *node;
- struct super_block *sb = de->d_sb;
+ struct list_head *node;
spin_lock(&dcache_lock);
node = de->d_subdirs.next;
}
spin_unlock(&dcache_lock);
-
- file_list_lock();
- list_for_each(p, &sb->s_files) {
- struct file * filp = list_entry(p, struct file, f_u.fu_list);
- struct dentry * dentry = filp->f_path.dentry;
-
- if (dentry->d_parent != de) {
- continue;
- }
- filp->f_op = NULL;
- }
- file_list_unlock();
}
#define BOOL_DIR_NAME "booleans"
u32 sid;
/* remove any existing files */
+ kfree(bool_pending_names);
kfree(bool_pending_values);
+ bool_pending_names = NULL;
bool_pending_values = NULL;
sel_remove_entries(dir);
- if (!(page = (char*)get_zeroed_page(GFP_KERNEL)))
+ page = (char *)get_zeroed_page(GFP_KERNEL);
+ if (!page)
return -ENOMEM;
ret = security_get_bools(&num, &names, &values);
ret = -ENAMETOOLONG;
goto err;
}
- isec = (struct inode_security_struct*)inode->i_security;
- if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid)))
+ isec = (struct inode_security_struct *)inode->i_security;
+ ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
+ if (ret)
goto err;
isec->sid = sid;
isec->initialized = 1;
d_add(dentry, inode);
}
bool_num = num;
+ bool_pending_names = names;
bool_pending_values = values;
out:
free_page((unsigned long)page);
+ return ret;
+err:
if (names) {
for (i = 0; i < num; i++)
kfree(names[i]);
kfree(names);
}
- return ret;
-err:
kfree(values);
sel_remove_entries(dir);
ret = -ENOMEM;
#define NULL_FILE_NAME "null"
-struct dentry *selinux_null = NULL;
+struct dentry *selinux_null;
static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
-static ssize_t sel_write_avc_cache_threshold(struct file * file,
- const char __user * buf,
+static ssize_t sel_write_avc_cache_threshold(struct file *file,
+ const char __user *buf,
size_t count, loff_t *ppos)
{
goto out;
}
- page = (char*)get_zeroed_page(GFP_KERNEL);
+ page = (char *)get_zeroed_page(GFP_KERNEL);
if (!page) {
ret = -ENOMEM;
goto out;
{
int cpu;
- for (cpu = *idx; cpu < NR_CPUS; ++cpu) {
+ for (cpu = *idx; cpu < nr_cpu_ids; ++cpu) {
if (!cpu_possible(cpu))
continue;
*idx = cpu + 1;
static void sel_avc_stats_seq_stop(struct seq_file *seq, void *v)
{ }
-static struct seq_operations sel_avc_cache_stats_seq_ops = {
+static const struct seq_operations sel_avc_cache_stats_seq_ops = {
.start = sel_avc_stats_seq_start,
.next = sel_avc_stats_seq_next,
.show = sel_avc_stats_seq_show,
return ret;
}
-static ssize_t sel_read_initcon(struct file * file, char __user *buf,
+static ssize_t sel_read_initcon(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
struct inode *inode;
return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1);
}
-static ssize_t sel_read_class(struct file * file, char __user *buf,
+static ssize_t sel_read_class(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
ssize_t rc, len;
.read = sel_read_class,
};
-static ssize_t sel_read_perm(struct file * file, char __user *buf,
+static ssize_t sel_read_perm(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
ssize_t rc, len;
goto out;
}
- len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino));
+ len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino));
rc = simple_read_from_buffer(buf, count, ppos, page, len);
free_page((unsigned long)page);
out:
.read = sel_read_perm,
};
+static ssize_t sel_read_policycap(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ int value;
+ char tmpbuf[TMPBUFLEN];
+ ssize_t length;
+ unsigned long i_ino = file->f_path.dentry->d_inode->i_ino;
+
+ value = security_policycap_supported(i_ino & SEL_INO_MASK);
+ length = scnprintf(tmpbuf, TMPBUFLEN, "%d", value);
+
+ return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
+}
+
+static const struct file_operations sel_policycap_ops = {
+ .read = sel_read_policycap,
+};
+
static int sel_make_perm_files(char *objclass, int classvalue,
struct dentry *dir)
{
return rc;
}
+static int sel_make_policycap(void)
+{
+ unsigned int iter;
+ struct dentry *dentry = NULL;
+ struct inode *inode = NULL;
+
+ sel_remove_entries(policycap_dir);
+
+ for (iter = 0; iter <= POLICYDB_CAPABILITY_MAX; iter++) {
+ if (iter < ARRAY_SIZE(policycap_names))
+ dentry = d_alloc_name(policycap_dir,
+ policycap_names[iter]);
+ else
+ dentry = d_alloc_name(policycap_dir, "unknown");
+
+ if (dentry == NULL)
+ return -ENOMEM;
+
+ inode = sel_make_inode(policycap_dir->d_sb, S_IFREG | S_IRUGO);
+ if (inode == NULL)
+ return -ENOMEM;
+
+ inode->i_fop = &sel_policycap_ops;
+ inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET;
+ d_add(dentry, inode);
+ }
+
+ return 0;
+}
+
static int sel_make_dir(struct inode *dir, struct dentry *dentry,
unsigned long *ino)
{
return ret;
}
-static int sel_fill_super(struct super_block * sb, void * data, int silent)
+static int sel_fill_super(struct super_block *sb, void *data, int silent)
{
int ret;
struct dentry *dentry;
[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
- [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
/* last one */ {""}
goto err;
}
inode->i_ino = ++sel_last_ino;
- isec = (struct inode_security_struct*)inode->i_security;
+ isec = (struct inode_security_struct *)inode->i_security;
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = 1;
class_dir = dentry;
+ dentry = d_alloc_name(sb->s_root, "policy_capabilities");
+ if (!dentry) {
+ ret = -ENOMEM;
+ goto err;
+ }
+
+ ret = sel_make_dir(root_inode, dentry, &sel_last_ino);
+ if (ret)
+ goto err;
+
+ policycap_dir = dentry;
+
out:
return ret;
err:
- printk(KERN_ERR "%s: failed while creating inodes\n", __FUNCTION__);
+ printk(KERN_ERR "SELinux: %s: failed while creating inodes\n",
+ __func__);
goto out;
}