Commit fa5b5b26 authored by James Morris's avatar James Morris

Merge branch 'stable-4.12' of git://git.infradead.org/users/pcmoore/selinux into next

parents 30a83251 cae303df
+10 −10
@@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)


	if (S_ISDIR(inode->i_mode)) {
	if (S_ISDIR(inode->i_mode)) {
		/* DACs are overridable for directories */
		/* DACs are overridable for directories */
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
			return 0;
		if (!(mask & MAY_WRITE))
		if (!(mask & MAY_WRITE))
			if (capable_wrt_inode_uidgid(inode,
			if (capable_wrt_inode_uidgid(inode,
						     CAP_DAC_READ_SEARCH))
						     CAP_DAC_READ_SEARCH))
				return 0;
				return 0;
		return -EACCES;
	}
	/*
	 * Read/write DACs are always overridable.
	 * Executable DACs are overridable when there is
	 * at least one exec bit set.
	 */
	if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
			return 0;
			return 0;
		return -EACCES;
	}


	/*
	/*
	 * Searching includes executable on directories, else just read.
	 * Searching includes executable on directories, else just read.
@@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
	if (mask == MAY_READ)
	if (mask == MAY_READ)
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
			return 0;
			return 0;
	/*
	 * Read/write DACs are always overridable.
	 * Executable DACs are overridable when there is
	 * at least one exec bit set.
	 */
	if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
			return 0;


	return -EACCES;
	return -EACCES;
}
}
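Review bot: The relative order of the CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE probes in generic_permission() is what this section changes, yet no comment says the order matters. The rendering has lost the +/- markers, so this assumes the new side is the one that asks for CAP_DAC_READ_SEARCH first and falls back to CAP_DAC_OVERRIDE. Each capable_wrt_inode_uidgid() call is itself mediated by the LSM and can leave a denial record, so probing the narrower capability first keeps policy from being pushed toward granting dac_override where dac_read_search is enough. A short comment in the directory branch, for example `/* Probe CAP_DAC_READ_SEARCH first: capability checks are audited, so ask for the narrower one before CAP_DAC_OVERRIDE. */`, would stop a later cleanup from swapping the checks back. The start of the function is outside the hunk.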
+1 −0
@@ -8,6 +8,7 @@
#include <string.h>
#include <string.h>
#include <errno.h>
#include <errno.h>
#include <ctype.h>
#include <ctype.h>
#include <sys/socket.h>


struct security_class_mapping {
struct security_class_mapping {
	const char *name;
	const char *name;
+1 −0
@@ -32,6 +32,7 @@
#include <stdlib.h>
#include <stdlib.h>
#include <unistd.h>
#include <unistd.h>
#include <string.h>
#include <string.h>
#include <sys/socket.h>


static void usage(char *name)
static void usage(char *name)
{
{
+8 −0
@@ -4367,10 +4367,18 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
		u32 sid, node_perm;
		u32 sid, node_perm;


		if (family == PF_INET) {
		if (family == PF_INET) {
			if (addrlen < sizeof(struct sockaddr_in)) {
				err = -EINVAL;
				goto out;
			}
			addr4 = (struct sockaddr_in *)address;
			addr4 = (struct sockaddr_in *)address;
			snum = ntohs(addr4->sin_port);
			snum = ntohs(addr4->sin_port);
			addrp = (char *)&addr4->sin_addr.s_addr;
			addrp = (char *)&addr4->sin_addr.s_addr;
		} else {
		} else {
			if (addrlen < SIN6_LEN_RFC2133) {
				err = -EINVAL;
				goto out;
			}
			addr6 = (struct sockaddr_in6 *)address;
			addr6 = (struct sockaddr_in6 *)address;
			snum = ntohs(addr6->sin6_port);
			snum = ntohs(addr6->sin6_port);
			addrp = (char *)&addr6->sin6_addr.s6_addr;
			addrp = (char *)&addr6->sin6_addr.s6_addr;
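Review bot: Both new length guards compare `addrlen` against an unsigned size, so a negative `addrlen` would be converted to a large unsigned value and pass the check before `address` is cast to `struct sockaddr_in` or `struct sockaddr_in6`. The parameter's type is cut off in the hunk header (it looks like `int addrlen`), and the syscall path may already reject negative lengths before this hook runs, but nothing visible here guarantees that for every caller. Writing the guard as `if (addrlen < 0 || addrlen < sizeof(struct sockaddr_in)) {`, and likewise for `SIN6_LEN_RFC2133`, makes it self-contained. The body of selinux_socket_bind and the `out` label are outside the hunk.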
+5 −5
@@ -28,7 +28,7 @@ struct nlmsg_perm {
	u32	perm;
	u32	perm;
};
};


static struct nlmsg_perm nlmsg_route_perms[] =
static const struct nlmsg_perm nlmsg_route_perms[] =
{
{
	{ RTM_NEWLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
@@ -80,7 +80,7 @@ static struct nlmsg_perm nlmsg_route_perms[] =
	{ RTM_GETSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
};
};


static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
{
{
	{ TCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
	{ TCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
	{ DCCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
	{ DCCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
@@ -88,7 +88,7 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
	{ SOCK_DESTROY,		NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
	{ SOCK_DESTROY,		NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
};
};


static struct nlmsg_perm nlmsg_xfrm_perms[] =
static const struct nlmsg_perm nlmsg_xfrm_perms[] =
{
{
	{ XFRM_MSG_NEWSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_NEWSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
@@ -115,7 +115,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
	{ XFRM_MSG_MAPPING,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_MAPPING,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
};
};


static struct nlmsg_perm nlmsg_audit_perms[] =
static const struct nlmsg_perm nlmsg_audit_perms[] =
{
{
	{ AUDIT_GET,		NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_GET,		NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_SET,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_SET,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
@@ -136,7 +136,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
};
};




static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize)
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
{
{
	int i, err = -EINVAL;
	int i, err = -EINVAL;

