author | Andrey Markovytch <andreym@codeaurora.org> | 2017-01-09 11:23:03 +0200 |
committer | Andrey Markovytch <andreym@codeaurora.org> | 2017-01-09 11:23:03 +0200 |
commit | 3eab9b61f3c0d660a89039b5dabbc7f31458af6f (patch) | |
tree | ad4e305ea6ea42a76422b9cf6a699321598322c8 /security/selinux/hooks.c | |
parent | 33eba0ae11ee6a1a9cef3969132e637724a780be (diff) |
security: switched to stackable model for PFT/PFK module
Moved hooks from SELINUX framework to general SECURITY framework.
Change-Id: I37e701b4925c4993f724c32b258c5088f4dcbe4d
Signed-off-by: Andrey Markovytch <andreym@codeaurora.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 57 |
1 files changed, 2 insertions, 55 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bbfdfee59b38..96b2e3d521a6 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -83,8 +83,6 @@
 #include <linux/export.h>
 #include <linux/msg.h>
 #include <linux/shm.h>
-#include <linux/pft.h>
-#include <linux/pfk.h>
 #include "avc.h"
 #include "objsec.h"
@@ -1773,15 +1771,9 @@ static int may_create(struct inode *dir,
 if (rc)
 return rc;
- rc = avc_has_perm(newsid, sbsec->sid,
+ return avc_has_perm(newsid, sbsec->sid,
 SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, &ad);
- if (rc)
- return rc;
-
- rc = pft_inode_mknod(dir, dentry, 0, 0);
-
- return rc;
 }
 /* Check whether a task can create a key. */
@@ -1837,14 +1829,7 @@ static int may_link(struct inode *dir,
 return 0;
 }
- rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
- if (rc)
- return rc;
-
- if (kind == MAY_UNLINK)
- rc = pft_inode_unlink(dir, dentry);
-
- return rc;
+ return avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
 }
 static inline int may_rename(struct inode *old_dir,
@@ -2814,21 +2799,9 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
 {
- int ret;
-
- ret = pft_inode_create(dir, dentry, mode);
- if (ret < 0)
- return ret;
-
 return may_create(dir, dentry, SECCLASS_FILE);
 }
-static int selinux_inode_post_create(struct inode *dir, struct dentry *dentry,
- umode_t mode)
-{
- return pft_inode_post_create(dir, dentry, mode);
-}
-
 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
 {
 return may_link(dir, old_dentry, MAY_LINK);
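Review bot: In may_link the PFT unlink check was gated on `kind == MAY_UNLINK` and reached only after avc_has_perm() succeeded, and may_create likewise called pft_inode_mknod() only after the FILESYSTEM__ASSOCIATE check passed; with those calls gone, that ordering is no longer fixed by this file but by the PFT module's position in the LSM hook list, so its inode_unlink/inode_create hooks may now run before SELinux denies the operation. That is the expected consequence of the stackable model, but it deserves a line in the commit message, since any side effects in those hooks can now happen for requests SELinux would reject. The diffstat here is limited to hooks.c, so the registrations that replace these call sites (inode_create, inode_post_create, inode_unlink, inode_rename, inode_setxattr, file_permission, file_open, file_close) are not visible; each removed call in this file presumably has a counterpart in the new module, which is worth confirming against the rest of the change.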
@@ -2862,12 +2835,6 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t
 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, struct inode *new_inode, struct dentry *new_dentry)
 {
- int rc;
-
- rc = pft_inode_rename(old_inode, old_dentry, new_inode, new_dentry);
- if (rc)
- return rc;
-
 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
 }
@@ -2992,9 +2959,6 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
 {
 const struct cred *cred = current_cred();
- if (pft_inode_set_xattr(dentry, name, NULL, 0, 0) < 0)
- return -EACCES;
-
 if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof XATTR_SECURITY_PREFIX - 1)) {
 if (!strcmp(name, XATTR_NAME_CAPS)) {
@@ -3245,16 +3209,11 @@ static int selinux_file_permission(struct file *file, int mask)
 struct file_security_struct *fsec = file->f_security;
 struct inode_security_struct *isec = inode->i_security;
 u32 sid = current_sid();
- int ret;
 if (!mask)
 /* No permission to check. Existence test. */
 return 0;
- ret = pft_file_permission(file, mask);
- if (ret < 0)
- return ret;
-
 if (sid == fsec->sid && fsec->isid == isec->sid && fsec->pseqno == avc_policy_seqno())
 /* No change since file_open check. */
@@ -3545,11 +3504,6 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
 {
 struct file_security_struct *fsec;
 struct inode_security_struct *isec;
- int ret;
-
- ret = pft_file_open(file, cred);
- if (ret < 0)
- return ret;
 fsec = file->f_security;
 isec = file_inode(file)->i_security;
@@ -3573,11 +3527,6 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
 return file_path_has_perm(cred, file, open_file_to_av(file));
 }
-static int selinux_file_close(struct file *file)
-{
- return pft_file_close(file);
-}
-
 /* task security operations */
 static int selinux_task_create(unsigned long clone_flags)
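Review bot: In selinux_inode_setotherxattr the removed lines turned any negative pft_inode_set_xattr() result into `-EACCES`; once that check lives in its own LSM, the security_inode_setxattr() path will propagate whatever the new hook returns, so userspace may see a different errno for the same denial unless the new hook normalises it itself. Similarly, selinux_file_permission only consulted PFT after the `if (!mask)` existence-test shortcut, so a stacked file_permission hook is presumably now invoked for mask == 0 as well and needs its own early return if existence tests should keep being skipped. Neither is wrong under the stackable model, but both are observable behaviour changes that the commit message does not mention; the bodies of selinux_file_permission and selinux_inode_setotherxattr continue outside these hunks.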
@@ -5981,7 +5930,6 @@ static struct security_hook_list selinux_hooks[] = {
 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
 LSM_HOOK_INIT(inode_create, selinux_inode_create),
- LSM_HOOK_INIT(inode_post_create, selinux_inode_post_create),
 LSM_HOOK_INIT(inode_link, selinux_inode_link),
 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
@@ -6018,7 +5966,6 @@ static struct security_hook_list selinux_hooks[] = {
 LSM_HOOK_INIT(file_receive, selinux_file_receive),
 LSM_HOOK_INIT(file_open, selinux_file_open),
- LSM_HOOK_INIT(file_close, selinux_file_close),
 LSM_HOOK_INIT(task_create, selinux_task_create),
 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),