static struct selinux_avc selinux_avc;
-void selinux_avc_init(struct selinux_avc **avc)
+void selinux_avc_init(void)
{
int i;
}
atomic_set(&selinux_avc.avc_cache.active_nodes, 0);
atomic_set(&selinux_avc.avc_cache.lru_hint, 0);
- *avc = &selinux_avc;
}
-unsigned int avc_get_cache_threshold(struct selinux_avc *avc)
+unsigned int avc_get_cache_threshold(void)
{
- return avc->avc_cache_threshold;
+ return selinux_avc.avc_cache_threshold;
}
-void avc_set_cache_threshold(struct selinux_avc *avc,
- unsigned int cache_threshold)
+void avc_set_cache_threshold(unsigned int cache_threshold)
{
- avc->avc_cache_threshold = cache_threshold;
+ selinux_avc.avc_cache_threshold = cache_threshold;
}
static struct avc_callback_node *avc_callbacks __ro_after_init;
0, SLAB_PANIC, NULL);
}
-int avc_get_hash_stats(struct selinux_avc *avc, char *page)
+int avc_get_hash_stats(char *page)
{
int i, chain_len, max_chain_len, slots_used;
struct avc_node *node;
slots_used = 0;
max_chain_len = 0;
for (i = 0; i < AVC_CACHE_SLOTS; i++) {
- head = &avc->avc_cache.slots[i];
+ head = &selinux_avc.avc_cache.slots[i];
if (!hlist_empty(head)) {
slots_used++;
chain_len = 0;
return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n"
"longest chain: %d\n",
- atomic_read(&avc->avc_cache.active_nodes),
+ atomic_read(&selinux_avc.avc_cache.active_nodes),
slots_used, AVC_CACHE_SLOTS, max_chain_len);
}
return audited;
}
-static inline int avc_xperms_audit(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
u32 requested, struct av_decision *avd,
struct extended_perms_decision *xpd,
u8 perm, int result,
requested, avd, xpd, perm, result, &denied);
if (likely(!audited))
return 0;
- return slow_avc_audit(state, ssid, tsid, tclass, requested,
+ return slow_avc_audit(ssid, tsid, tclass, requested,
audited, denied, result, ad);
}
avc_cache_stats_incr(frees);
}
-static void avc_node_delete(struct selinux_avc *avc, struct avc_node *node)
+static void avc_node_delete(struct avc_node *node)
{
hlist_del_rcu(&node->list);
call_rcu(&node->rhead, avc_node_free);
- atomic_dec(&avc->avc_cache.active_nodes);
+ atomic_dec(&selinux_avc.avc_cache.active_nodes);
}
-static void avc_node_kill(struct selinux_avc *avc, struct avc_node *node)
+static void avc_node_kill(struct avc_node *node)
{
avc_xperms_free(node->ae.xp_node);
kmem_cache_free(avc_node_cachep, node);
avc_cache_stats_incr(frees);
- atomic_dec(&avc->avc_cache.active_nodes);
+ atomic_dec(&selinux_avc.avc_cache.active_nodes);
}
-static void avc_node_replace(struct selinux_avc *avc,
- struct avc_node *new, struct avc_node *old)
+static void avc_node_replace(struct avc_node *new, struct avc_node *old)
{
hlist_replace_rcu(&old->list, &new->list);
call_rcu(&old->rhead, avc_node_free);
- atomic_dec(&avc->avc_cache.active_nodes);
+ atomic_dec(&selinux_avc.avc_cache.active_nodes);
}
-static inline int avc_reclaim_node(struct selinux_avc *avc)
+static inline int avc_reclaim_node(void)
{
struct avc_node *node;
int hvalue, try, ecx;
spinlock_t *lock;
for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
- hvalue = atomic_inc_return(&avc->avc_cache.lru_hint) &
+ hvalue = atomic_inc_return(&selinux_avc.avc_cache.lru_hint) &
(AVC_CACHE_SLOTS - 1);
- head = &avc->avc_cache.slots[hvalue];
- lock = &avc->avc_cache.slots_lock[hvalue];
+ head = &selinux_avc.avc_cache.slots[hvalue];
+ lock = &selinux_avc.avc_cache.slots_lock[hvalue];
if (!spin_trylock_irqsave(lock, flags))
continue;
rcu_read_lock();
hlist_for_each_entry(node, head, list) {
- avc_node_delete(avc, node);
+ avc_node_delete(node);
avc_cache_stats_incr(reclaims);
ecx++;
if (ecx >= AVC_CACHE_RECLAIM) {
return ecx;
}
-static struct avc_node *avc_alloc_node(struct selinux_avc *avc)
+static struct avc_node *avc_alloc_node(void)
{
struct avc_node *node;
INIT_HLIST_NODE(&node->list);
avc_cache_stats_incr(allocations);
- if (atomic_inc_return(&avc->avc_cache.active_nodes) >
- avc->avc_cache_threshold)
- avc_reclaim_node(avc);
+ if (atomic_inc_return(&selinux_avc.avc_cache.active_nodes) >
+ selinux_avc.avc_cache_threshold)
+ avc_reclaim_node();
out:
return node;
memcpy(&node->ae.avd, avd, sizeof(node->ae.avd));
}
-static inline struct avc_node *avc_search_node(struct selinux_avc *avc,
- u32 ssid, u32 tsid, u16 tclass)
+static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
{
struct avc_node *node, *ret = NULL;
int hvalue;
struct hlist_head *head;
hvalue = avc_hash(ssid, tsid, tclass);
- head = &avc->avc_cache.slots[hvalue];
+ head = &selinux_avc.avc_cache.slots[hvalue];
hlist_for_each_entry_rcu(node, head, list) {
if (ssid == node->ae.ssid &&
tclass == node->ae.tclass &&
/**
* avc_lookup - Look up an AVC entry.
- * @avc: the access vector cache
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* then this function returns the avc_node.
* Otherwise, this function returns NULL.
*/
-static struct avc_node *avc_lookup(struct selinux_avc *avc,
- u32 ssid, u32 tsid, u16 tclass)
+static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
{
struct avc_node *node;
avc_cache_stats_incr(lookups);
- node = avc_search_node(avc, ssid, tsid, tclass);
+ node = avc_search_node(ssid, tsid, tclass);
if (node)
return node;
return NULL;
}
-static int avc_latest_notif_update(struct selinux_avc *avc,
- int seqno, int is_insert)
+static int avc_latest_notif_update(int seqno, int is_insert)
{
int ret = 0;
static DEFINE_SPINLOCK(notif_lock);
spin_lock_irqsave(¬if_lock, flag);
if (is_insert) {
- if (seqno < avc->avc_cache.latest_notif) {
+ if (seqno < selinux_avc.avc_cache.latest_notif) {
pr_warn("SELinux: avc: seqno %d < latest_notif %d\n",
- seqno, avc->avc_cache.latest_notif);
+ seqno, selinux_avc.avc_cache.latest_notif);
ret = -EAGAIN;
}
} else {
- if (seqno > avc->avc_cache.latest_notif)
- avc->avc_cache.latest_notif = seqno;
+ if (seqno > selinux_avc.avc_cache.latest_notif)
+ selinux_avc.avc_cache.latest_notif = seqno;
}
spin_unlock_irqrestore(¬if_lock, flag);
/**
* avc_insert - Insert an AVC entry.
- * @avc: the access vector cache
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* the access vectors into a cache entry, returns
* avc_node inserted. Otherwise, this function returns NULL.
*/
-static struct avc_node *avc_insert(struct selinux_avc *avc,
- u32 ssid, u32 tsid, u16 tclass,
+static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass,
struct av_decision *avd,
struct avc_xperms_node *xp_node)
{
spinlock_t *lock;
struct hlist_head *head;
- if (avc_latest_notif_update(avc, avd->seqno, 1))
+ if (avc_latest_notif_update(avd->seqno, 1))
return NULL;
- node = avc_alloc_node(avc);
+ node = avc_alloc_node();
if (!node)
return NULL;
avc_node_populate(node, ssid, tsid, tclass, avd);
if (avc_xperms_populate(node, xp_node)) {
- avc_node_kill(avc, node);
+ avc_node_kill(node);
return NULL;
}
hvalue = avc_hash(ssid, tsid, tclass);
- head = &avc->avc_cache.slots[hvalue];
- lock = &avc->avc_cache.slots_lock[hvalue];
+ head = &selinux_avc.avc_cache.slots[hvalue];
+ lock = &selinux_avc.avc_cache.slots_lock[hvalue];
spin_lock_irqsave(lock, flag);
hlist_for_each_entry(pos, head, list) {
if (pos->ae.ssid == ssid &&
pos->ae.tsid == tsid &&
pos->ae.tclass == tclass) {
- avc_node_replace(avc, node, pos);
+ avc_node_replace(node, pos);
goto found;
}
}
u32 tcontext_len;
int rc;
- rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
+ rc = security_sid_to_context(sad->ssid, &scontext,
&scontext_len);
if (rc)
audit_log_format(ab, " ssid=%d", sad->ssid);
else
audit_log_format(ab, " scontext=%s", scontext);
- rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
+ rc = security_sid_to_context(sad->tsid, &tcontext,
&tcontext_len);
if (rc)
audit_log_format(ab, " tsid=%d", sad->tsid);
kfree(scontext);
/* in case of invalid context report also the actual context string */
- rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
+ rc = security_sid_to_context_inval(sad->ssid, &scontext,
&scontext_len);
if (!rc && scontext) {
if (scontext_len && scontext[scontext_len - 1] == '\0')
kfree(scontext);
}
- rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
+ rc = security_sid_to_context_inval(sad->tsid, &scontext,
&scontext_len);
if (!rc && scontext) {
if (scontext_len && scontext[scontext_len - 1] == '\0')
* Note that it is non-blocking and can be called from under
* rcu_read_lock().
*/
-noinline int slow_avc_audit(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
u32 requested, u32 audited, u32 denied, int result,
struct common_audit_data *a)
{
sad.audited = audited;
sad.denied = denied;
sad.result = result;
- sad.state = state;
a->selinux_audit_data = &sad;
/**
* avc_update_node - Update an AVC entry
- * @avc: the access vector cache
* @event : Updating event
* @perms : Permission mask bits
* @driver: xperm driver information
* otherwise, this function updates the AVC entry. The original AVC-entry object
* will release later by RCU.
*/
-static int avc_update_node(struct selinux_avc *avc,
- u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid,
+static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid,
u32 tsid, u16 tclass, u32 seqno,
struct extended_perms_decision *xpd,
u32 flags)
struct hlist_head *head;
spinlock_t *lock;
- node = avc_alloc_node(avc);
+ node = avc_alloc_node();
if (!node) {
rc = -ENOMEM;
goto out;
/* Lock the target slot */
hvalue = avc_hash(ssid, tsid, tclass);
- head = &avc->avc_cache.slots[hvalue];
- lock = &avc->avc_cache.slots_lock[hvalue];
+ head = &selinux_avc.avc_cache.slots[hvalue];
+ lock = &selinux_avc.avc_cache.slots_lock[hvalue];
spin_lock_irqsave(lock, flag);
if (!orig) {
rc = -ENOENT;
- avc_node_kill(avc, node);
+ avc_node_kill(node);
goto out_unlock;
}
if (orig->ae.xp_node) {
rc = avc_xperms_populate(node, orig->ae.xp_node);
if (rc) {
- avc_node_kill(avc, node);
+ avc_node_kill(node);
goto out_unlock;
}
}
avc_add_xperms_decision(node, xpd);
break;
}
- avc_node_replace(avc, node, orig);
+ avc_node_replace(node, orig);
out_unlock:
spin_unlock_irqrestore(lock, flag);
out:
/**
* avc_flush - Flush the cache
- * @avc: the access vector cache
*/
-static void avc_flush(struct selinux_avc *avc)
+static void avc_flush(void)
{
struct hlist_head *head;
struct avc_node *node;
int i;
for (i = 0; i < AVC_CACHE_SLOTS; i++) {
- head = &avc->avc_cache.slots[i];
- lock = &avc->avc_cache.slots_lock[i];
+ head = &selinux_avc.avc_cache.slots[i];
+ lock = &selinux_avc.avc_cache.slots_lock[i];
spin_lock_irqsave(lock, flag);
/*
*/
rcu_read_lock();
hlist_for_each_entry(node, head, list)
- avc_node_delete(avc, node);
+ avc_node_delete(node);
rcu_read_unlock();
spin_unlock_irqrestore(lock, flag);
}
/**
* avc_ss_reset - Flush the cache and revalidate migrated permissions.
- * @avc: the access vector cache
* @seqno: policy sequence number
*/
-int avc_ss_reset(struct selinux_avc *avc, u32 seqno)
+int avc_ss_reset(u32 seqno)
{
struct avc_callback_node *c;
int rc = 0, tmprc;
- avc_flush(avc);
+ avc_flush();
for (c = avc_callbacks; c; c = c->next) {
if (c->events & AVC_CALLBACK_RESET) {
}
}
- avc_latest_notif_update(avc, seqno, 0);
+ avc_latest_notif_update(seqno, 0);
return rc;
}
/**
* avc_compute_av - Add an entry to the AVC based on the security policy
- * @state: SELinux state pointer
* @ssid: subject
* @tsid: object/target
* @tclass: object class
* fails. Don't inline this, since it's the slow-path and just results in a
* bigger stack frame.
*/
-static noinline struct avc_node *avc_compute_av(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid, u16 tclass,
struct av_decision *avd,
struct avc_xperms_node *xp_node)
{
INIT_LIST_HEAD(&xp_node->xpd_head);
- security_compute_av(state, ssid, tsid, tclass, avd, &xp_node->xp);
- return avc_insert(state->avc, ssid, tsid, tclass, avd, xp_node);
+ security_compute_av(ssid, tsid, tclass, avd, &xp_node->xp);
+ return avc_insert(ssid, tsid, tclass, avd, xp_node);
}
-static noinline int avc_denied(struct selinux_state *state,
- u32 ssid, u32 tsid,
+static noinline int avc_denied(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
u8 driver, u8 xperm, unsigned int flags,
struct av_decision *avd)
if (flags & AVC_STRICT)
return -EACCES;
- if (enforcing_enabled(state) &&
+ if (enforcing_enabled() &&
!(avd->flags & AVD_FLAGS_PERMISSIVE))
return -EACCES;
- avc_update_node(state->avc, AVC_CALLBACK_GRANT, requested, driver,
+ avc_update_node(AVC_CALLBACK_GRANT, requested, driver,
xperm, ssid, tsid, tclass, avd->seqno, NULL, flags);
return 0;
}
* as-is the case with ioctls, then multiple may be chained together and the
* driver field is used to specify which set contains the permission.
*/
-int avc_has_extended_perms(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass, u32 requested,
+int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
u8 driver, u8 xperm, struct common_audit_data *ad)
{
struct avc_node *node;
rcu_read_lock();
- node = avc_lookup(state->avc, ssid, tsid, tclass);
+ node = avc_lookup(ssid, tsid, tclass);
if (unlikely(!node)) {
- avc_compute_av(state, ssid, tsid, tclass, &avd, xp_node);
+ avc_compute_av(ssid, tsid, tclass, &avd, xp_node);
} else {
memcpy(&avd, &node->ae.avd, sizeof(avd));
xp_node = node->ae.xp_node;
goto decision;
}
rcu_read_unlock();
- security_compute_xperms_decision(state, ssid, tsid, tclass,
+ security_compute_xperms_decision(ssid, tsid, tclass,
driver, &local_xpd);
rcu_read_lock();
- avc_update_node(state->avc, AVC_CALLBACK_ADD_XPERMS, requested,
+ avc_update_node(AVC_CALLBACK_ADD_XPERMS, requested,
driver, xperm, ssid, tsid, tclass, avd.seqno,
&local_xpd, 0);
} else {
decision:
denied = requested & ~(avd.allowed);
if (unlikely(denied))
- rc = avc_denied(state, ssid, tsid, tclass, requested,
+ rc = avc_denied(ssid, tsid, tclass, requested,
driver, xperm, AVC_EXTENDED_PERMS, &avd);
rcu_read_unlock();
- rc2 = avc_xperms_audit(state, ssid, tsid, tclass, requested,
+ rc2 = avc_xperms_audit(ssid, tsid, tclass, requested,
&avd, xpd, xperm, rc, ad);
if (rc2)
return rc2;
/**
* avc_perm_nonode - Add an entry to the AVC
- * @state: SELinux state pointer
* @ssid: subject
* @tsid: object/target
* @tclass: object class
* unlikely and needs extra stack space for the new node that we generate, so
* don't inline it.
*/
-static noinline int avc_perm_nonode(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+static noinline int avc_perm_nonode(u32 ssid, u32 tsid, u16 tclass,
u32 requested, unsigned int flags,
struct av_decision *avd)
{
u32 denied;
struct avc_xperms_node xp_node;
- avc_compute_av(state, ssid, tsid, tclass, avd, &xp_node);
+ avc_compute_av(ssid, tsid, tclass, avd, &xp_node);
denied = requested & ~(avd->allowed);
if (unlikely(denied))
- return avc_denied(state, ssid, tsid, tclass, requested, 0, 0,
+ return avc_denied(ssid, tsid, tclass, requested, 0, 0,
flags, avd);
return 0;
}
/**
* avc_has_perm_noaudit - Check permissions but perform no auditing.
- * @state: SELinux state
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* auditing, e.g. in cases where a lock must be held for the check but
* should be released for the auditing.
*/
-inline int avc_has_perm_noaudit(struct selinux_state *state,
- u32 ssid, u32 tsid,
+inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
unsigned int flags,
struct av_decision *avd)
return -EACCES;
rcu_read_lock();
- node = avc_lookup(state->avc, ssid, tsid, tclass);
+ node = avc_lookup(ssid, tsid, tclass);
if (unlikely(!node)) {
rcu_read_unlock();
- return avc_perm_nonode(state, ssid, tsid, tclass, requested,
+ return avc_perm_nonode(ssid, tsid, tclass, requested,
flags, avd);
}
denied = requested & ~node->ae.avd.allowed;
rcu_read_unlock();
if (unlikely(denied))
- return avc_denied(state, ssid, tsid, tclass, requested, 0, 0,
+ return avc_denied(ssid, tsid, tclass, requested, 0, 0,
flags, avd);
return 0;
}
/**
* avc_has_perm - Check permissions and perform any appropriate auditing.
- * @state: SELinux state
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* permissions are granted, -%EACCES if any permissions are denied, or
* another -errno upon other errors.
*/
-int avc_has_perm(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass,
+int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
u32 requested, struct common_audit_data *auditdata)
{
struct av_decision avd;
int rc, rc2;
- rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0,
+ rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0,
&avd);
- rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc,
+ rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc,
auditdata);
if (rc2)
return rc2;
return rc;
}
-u32 avc_policy_seqno(struct selinux_state *state)
+u32 avc_policy_seqno(void)
{
- return state->avc->avc_cache.latest_notif;
+ return selinux_avc.avc_cache.latest_notif;
}
void avc_disable(void)
* the cache and get that memory back.
*/
if (avc_node_cachep) {
- avc_flush(selinux_state.avc);
+ avc_flush();
/* kmem_cache_destroy(avc_node_cachep); */
}
}
might_sleep_if(may_sleep);
- if (selinux_initialized(&selinux_state) &&
+ if (selinux_initialized() &&
isec->initialized != LABEL_INITIALIZED) {
if (!may_sleep)
return -ECHILD;
const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
- rc = avc_has_perm(&selinux_state,
- tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
+ rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
return rc;
- rc = avc_has_perm(&selinux_state,
- tsec->sid, sid, SECCLASS_FILESYSTEM,
+ rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELTO, NULL);
return rc;
}
{
const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
- rc = avc_has_perm(&selinux_state,
- tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
+ rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
return rc;
- rc = avc_has_perm(&selinux_state,
- sid, sbsec->sid, SECCLASS_FILESYSTEM,
+ rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__ASSOCIATE, NULL);
return rc;
}
fallback:
/* No xattr support - try to fallback to genfs if possible. */
- rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
+ rc = security_genfs_sid(sb->s_type->name, "/",
SECCLASS_DIR, &sid);
if (rc)
return -EOPNOTSUPP;
mutex_lock(&sbsec->lock);
- if (!selinux_initialized(&selinux_state)) {
+ if (!selinux_initialized()) {
if (!opts) {
/* Defer initialization until selinux_complete_init,
after the initial policy is loaded and the security
* Determine the labeling behavior to use for this
* filesystem type.
*/
- rc = security_fs_use(&selinux_state, sb);
+ rc = security_fs_use(sb);
if (rc) {
pr_warn("%s: security_fs_use(%s) returned %d\n",
__func__, sb->s_type->name, rc);
}
if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
- rc = security_transition_sid(&selinux_state,
- current_sid(),
+ rc = security_transition_sid(current_sid(),
current_sid(),
SECCLASS_FILE, NULL,
&sbsec->mntpoint_sid);
* if the parent was able to be mounted it clearly had no special lsm
* mount options. thus we can safely deal with this superblock later
*/
- if (!selinux_initialized(&selinux_state))
+ if (!selinux_initialized())
return 0;
/*
if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
- rc = security_fs_use(&selinux_state, newsb);
+ rc = security_fs_use(newsb);
if (rc)
goto out;
}
if (!s)
return -EINVAL;
- if (!selinux_initialized(&selinux_state)) {
+ if (!selinux_initialized()) {
pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
return -EINVAL;
}
WARN_ON(1);
return -EINVAL;
}
- rc = security_context_str_to_sid(&selinux_state, s, dst_sid, GFP_KERNEL);
+ rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
if (rc)
pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
s, rc);
u32 len;
int rc;
- rc = security_sid_to_context(&selinux_state, sid,
- &context, &len);
+ rc = security_sid_to_context(sid, &context, &len);
if (!rc) {
bool has_comma = strchr(context, ',');
if (!(sbsec->flags & SE_SBINITIALIZED))
return 0;
- if (!selinux_initialized(&selinux_state))
+ if (!selinux_initialized())
return 0;
if (sbsec->flags & FSCONTEXT_MNT) {
path++;
}
}
- rc = security_genfs_sid(&selinux_state, sb->s_type->name,
+ rc = security_genfs_sid(sb->s_type->name,
path, tclass, sid);
if (rc == -ENOENT) {
/* No match in policy, mark as unlabeled. */
return 0;
}
- rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
+ rc = security_context_to_sid_default(context, rc, sid,
def_sid, GFP_NOFS);
if (rc) {
char *dev = inode->i_sb->s_id;
sid = sbsec->sid;
/* Try to obtain a transition SID. */
- rc = security_transition_sid(&selinux_state, task_sid, sid,
+ rc = security_transition_sid(task_sid, sid,
sclass, NULL, &sid);
if (rc)
goto out;
return -EINVAL;
}
- rc = avc_has_perm_noaudit(&selinux_state,
- sid, sid, sclass, av, 0, &avd);
+ rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
if (!(opts & CAP_OPT_NOAUDIT)) {
- int rc2 = avc_audit(&selinux_state,
- sid, sid, sclass, av, &avd, rc, &ad);
+ int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
if (rc2)
return rc2;
}
sid = cred_sid(cred);
isec = selinux_inode(inode);
- return avc_has_perm(&selinux_state,
- sid, isec->sid, isec->sclass, perms, adp);
+ return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
}
/* Same as inode_has_perm, but pass explicit audit data containing
ad.u.file = file;
if (sid != fsec->sid) {
- rc = avc_has_perm(&selinux_state,
- sid, fsec->sid,
+ rc = avc_has_perm(sid, fsec->sid,
SECCLASS_FD,
FD__USE,
&ad);
*_new_isid = tsec->create_sid;
} else {
const struct inode_security_struct *dsec = inode_security(dir);
- return security_transition_sid(&selinux_state, tsec->sid,
+ return security_transition_sid(tsec->sid,
dsec->sid, tclass,
name, _new_isid);
}
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = dentry;
- rc = avc_has_perm(&selinux_state,
- sid, dsec->sid, SECCLASS_DIR,
+ rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
DIR__ADD_NAME | DIR__SEARCH,
&ad);
if (rc)
if (rc)
return rc;
- rc = avc_has_perm(&selinux_state,
- sid, newsid, tclass, FILE__CREATE, &ad);
+ rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
if (rc)
return rc;
- return avc_has_perm(&selinux_state,
- newsid, sbsec->sid,
+ return avc_has_perm(newsid, sbsec->sid,
SECCLASS_FILESYSTEM,
FILESYSTEM__ASSOCIATE, &ad);
}
av = DIR__SEARCH;
av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
- rc = avc_has_perm(&selinux_state,
- sid, dsec->sid, SECCLASS_DIR, av, &ad);
+ rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
if (rc)
return rc;
return 0;
}
- rc = avc_has_perm(&selinux_state,
- sid, isec->sid, isec->sclass, av, &ad);
+ rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
return rc;
}
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = old_dentry;
- rc = avc_has_perm(&selinux_state,
- sid, old_dsec->sid, SECCLASS_DIR,
+ rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
DIR__REMOVE_NAME | DIR__SEARCH, &ad);
if (rc)
return rc;
- rc = avc_has_perm(&selinux_state,
- sid, old_isec->sid,
+ rc = avc_has_perm(sid, old_isec->sid,
old_isec->sclass, FILE__RENAME, &ad);
if (rc)
return rc;
if (old_is_dir && new_dir != old_dir) {
- rc = avc_has_perm(&selinux_state,
- sid, old_isec->sid,
+ rc = avc_has_perm(sid, old_isec->sid,
old_isec->sclass, DIR__REPARENT, &ad);
if (rc)
return rc;
av = DIR__ADD_NAME | DIR__SEARCH;
if (d_is_positive(new_dentry))
av |= DIR__REMOVE_NAME;
- rc = avc_has_perm(&selinux_state,
- sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
+ rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
if (rc)
return rc;
if (d_is_positive(new_dentry)) {
new_isec = backing_inode_security(new_dentry);
new_is_dir = d_is_dir(new_dentry);
- rc = avc_has_perm(&selinux_state,
- sid, new_isec->sid,
+ rc = avc_has_perm(sid, new_isec->sid,
new_isec->sclass,
(new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
if (rc)
u32 sid = cred_sid(cred);
sbsec = selinux_superblock(sb);
- return avc_has_perm(&selinux_state,
- sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
+ return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
}
/* Convert a Linux mode and permission mask to an access vector. */
static int selinux_binder_set_context_mgr(const struct cred *mgr)
{
- return avc_has_perm(&selinux_state,
- current_sid(), cred_sid(mgr), SECCLASS_BINDER,
+ return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
BINDER__SET_CONTEXT_MGR, NULL);
}
int rc;
if (mysid != fromsid) {
- rc = avc_has_perm(&selinux_state,
- mysid, fromsid, SECCLASS_BINDER,
+ rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
BINDER__IMPERSONATE, NULL);
if (rc)
return rc;
}
- return avc_has_perm(&selinux_state, fromsid, tosid,
+ return avc_has_perm(fromsid, tosid,
SECCLASS_BINDER, BINDER__CALL, NULL);
}
static int selinux_binder_transfer_binder(const struct cred *from,
const struct cred *to)
{
- return avc_has_perm(&selinux_state,
- cred_sid(from), cred_sid(to),
+ return avc_has_perm(cred_sid(from), cred_sid(to),
SECCLASS_BINDER, BINDER__TRANSFER,
NULL);
}
ad.u.path = file->f_path;
if (sid != fsec->sid) {
- rc = avc_has_perm(&selinux_state,
- sid, fsec->sid,
+ rc = avc_has_perm(sid, fsec->sid,
SECCLASS_FD,
FD__USE,
&ad);
return 0;
isec = backing_inode_security(dentry);
- return avc_has_perm(&selinux_state,
- sid, isec->sid, isec->sclass, file_to_av(file),
+ return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
&ad);
}
u32 csid = task_sid_obj(child);
if (mode & PTRACE_MODE_READ)
- return avc_has_perm(&selinux_state,
- sid, csid, SECCLASS_FILE, FILE__READ, NULL);
+ return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
+ NULL);
- return avc_has_perm(&selinux_state,
- sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
+ return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
+ NULL);
}
static int selinux_ptrace_traceme(struct task_struct *parent)
{
- return avc_has_perm(&selinux_state,
- task_sid_obj(parent), task_sid_obj(current),
+ return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
}
static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
- PROCESS__GETCAP, NULL);
+ return avc_has_perm(current_sid(), task_sid_obj(target),
+ SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
}
static int selinux_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
{
- return avc_has_perm(&selinux_state,
- cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
+ return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
PROCESS__SETCAP, NULL);
}
switch (type) {
case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
- return avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_KERNEL,
+ return avc_has_perm(current_sid(), SECINITSID_KERNEL,
SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
/* Set level of messages printed to console */
case SYSLOG_ACTION_CONSOLE_LEVEL:
- return avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_KERNEL,
+ return avc_has_perm(current_sid(), SECINITSID_KERNEL,
SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
NULL);
}
/* All other syslog types */
- return avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_KERNEL,
+ return avc_has_perm(current_sid(), SECINITSID_KERNEL,
SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
}
av |= PROCESS2__NNP_TRANSITION;
if (nosuid)
av |= PROCESS2__NOSUID_TRANSITION;
- rc = avc_has_perm(&selinux_state,
- old_tsec->sid, new_tsec->sid,
+ rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
SECCLASS_PROCESS2, av, NULL);
if (!rc)
return 0;
* i.e. SIDs that are guaranteed to only be allowed a subset
* of the permissions of the current SID.
*/
- rc = security_bounded_transition(&selinux_state, old_tsec->sid,
+ rc = security_bounded_transition(old_tsec->sid,
new_tsec->sid);
if (!rc)
return 0;
return rc;
} else {
/* Check for a default transition on this program. */
- rc = security_transition_sid(&selinux_state, old_tsec->sid,
+ rc = security_transition_sid(old_tsec->sid,
isec->sid, SECCLASS_PROCESS, NULL,
&new_tsec->sid);
if (rc)
ad.u.file = bprm->file;
if (new_tsec->sid == old_tsec->sid) {
- rc = avc_has_perm(&selinux_state,
- old_tsec->sid, isec->sid,
+ rc = avc_has_perm(old_tsec->sid, isec->sid,
SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
if (rc)
return rc;
} else {
/* Check permissions for the transition. */
- rc = avc_has_perm(&selinux_state,
- old_tsec->sid, new_tsec->sid,
+ rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
if (rc)
return rc;
- rc = avc_has_perm(&selinux_state,
- new_tsec->sid, isec->sid,
+ rc = avc_has_perm(new_tsec->sid, isec->sid,
SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
if (rc)
return rc;
/* Check for shared state */
if (bprm->unsafe & LSM_UNSAFE_SHARE) {
- rc = avc_has_perm(&selinux_state,
- old_tsec->sid, new_tsec->sid,
+ rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
SECCLASS_PROCESS, PROCESS__SHARE,
NULL);
if (rc)
if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
u32 ptsid = ptrace_parent_sid();
if (ptsid != 0) {
- rc = avc_has_perm(&selinux_state,
- ptsid, new_tsec->sid,
+ rc = avc_has_perm(ptsid, new_tsec->sid,
SECCLASS_PROCESS,
PROCESS__PTRACE, NULL);
if (rc)
/* Enable secure mode for SIDs transitions unless
the noatsecure permission is granted between
the two SIDs, i.e. ahp returns 0. */
- rc = avc_has_perm(&selinux_state,
- old_tsec->sid, new_tsec->sid,
+ rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
SECCLASS_PROCESS, PROCESS__NOATSECURE,
NULL);
bprm->secureexec |= !!rc;
* higher than the default soft limit for cases where the default is
* lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
*/
- rc = avc_has_perm(&selinux_state,
- new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
+ rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
PROCESS__RLIMITINH, NULL);
if (rc) {
/* protect against do_prlimit() */
* This must occur _after_ the task SID has been updated so that any
* kill done after the flush will be checked against the new SID.
*/
- rc = avc_has_perm(&selinux_state,
- osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
+ rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
if (rc) {
clear_itimer();
if (xattr_name)
*xattr_name = XATTR_NAME_SELINUX;
- return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
+ return security_sid_to_context(newsid, (char **)ctx,
ctxlen);
}
isec->initialized = LABEL_INITIALIZED;
}
- if (!selinux_initialized(&selinux_state) ||
+ if (!selinux_initialized() ||
!(sbsec->flags & SBLABEL_MNT))
return -EOPNOTSUPP;
*name = XATTR_SELINUX_SUFFIX;
if (value && len) {
- rc = security_sid_to_context_force(&selinux_state, newsid,
+ rc = security_sid_to_context_force(newsid,
&context, &clen);
if (rc)
return rc;
struct inode_security_struct *isec;
int rc;
- if (unlikely(!selinux_initialized(&selinux_state)))
+ if (unlikely(!selinux_initialized()))
return 0;
isec = selinux_inode(inode);
} else {
isec->sclass = SECCLASS_ANON_INODE;
rc = security_transition_sid(
- &selinux_state, tsec->sid, tsec->sid,
+ tsec->sid, tsec->sid,
isec->sclass, name, &isec->sid);
if (rc)
return rc;
ad.type = LSM_AUDIT_DATA_ANONINODE;
ad.u.anonclass = name ? (const char *)name->name : "?";
- return avc_has_perm(&selinux_state,
- tsec->sid,
+ return avc_has_perm(tsec->sid,
isec->sid,
isec->sclass,
FILE__CREATE,
if (IS_ERR(isec))
return PTR_ERR(isec);
- return avc_has_perm(&selinux_state,
- sid, isec->sid, isec->sclass, FILE__READ, &ad);
+ return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
}
static noinline int audit_inode_permission(struct inode *inode,
ad.type = LSM_AUDIT_DATA_INODE;
ad.u.inode = inode;
- return slow_avc_audit(&selinux_state,
- current_sid(), isec->sid, isec->sclass, perms,
+ return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
audited, denied, result, &ad);
}
if (IS_ERR(isec))
return PTR_ERR(isec);
- rc = avc_has_perm_noaudit(&selinux_state,
- sid, isec->sid, isec->sclass, perms, 0,
+ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
&avd);
audited = avc_audit_required(perms, &avd, rc,
from_access ? FILE__AUDIT_ACCESS : 0,
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
- if (!selinux_initialized(&selinux_state))
+ if (!selinux_initialized())
return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
sbsec = selinux_superblock(inode->i_sb);
ad.u.dentry = dentry;
isec = backing_inode_security(dentry);
- rc = avc_has_perm(&selinux_state,
- sid, isec->sid, isec->sclass,
+ rc = avc_has_perm(sid, isec->sid, isec->sclass,
FILE__RELABELFROM, &ad);
if (rc)
return rc;
- rc = security_context_to_sid(&selinux_state, value, size, &newsid,
+ rc = security_context_to_sid(value, size, &newsid,
GFP_KERNEL);
if (rc == -EINVAL) {
if (!has_cap_mac_admin(true)) {
return rc;
}
- rc = security_context_to_sid_force(&selinux_state, value,
+ rc = security_context_to_sid_force(value,
size, &newsid);
}
if (rc)
return rc;
- rc = avc_has_perm(&selinux_state,
- sid, newsid, isec->sclass,
+ rc = avc_has_perm(sid, newsid, isec->sclass,
FILE__RELABELTO, &ad);
if (rc)
return rc;
- rc = security_validate_transition(&selinux_state, isec->sid, newsid,
+ rc = security_validate_transition(isec->sid, newsid,
sid, isec->sclass);
if (rc)
return rc;
- return avc_has_perm(&selinux_state,
- newsid,
+ return avc_has_perm(newsid,
sbsec->sid,
SECCLASS_FILESYSTEM,
FILESYSTEM__ASSOCIATE,
return;
}
- if (!selinux_initialized(&selinux_state)) {
+ if (!selinux_initialized()) {
/* If we haven't even been initialized, then we can't validate
* against a policy, so leave the label as invalid. It may
* resolve to a valid label on the next revalidation try if
return;
}
- rc = security_context_to_sid_force(&selinux_state, value, size,
+ rc = security_context_to_sid_force(value, size,
&newsid);
if (rc) {
pr_err("SELinux: unable to map context to SID"
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
- if (!selinux_initialized(&selinux_state))
+ if (!selinux_initialized())
return 0;
/* No one is allowed to remove a SELinux security label.
* If we're not initialized yet, then we can't validate contexts, so
* just let vfs_getxattr fall back to using the on-disk xattr.
*/
- if (!selinux_initialized(&selinux_state) ||
+ if (!selinux_initialized() ||
strcmp(name, XATTR_SELINUX_SUFFIX))
return -EOPNOTSUPP;
*/
isec = inode_security(inode);
if (has_cap_mac_admin(false))
- error = security_sid_to_context_force(&selinux_state,
- isec->sid, &context,
+ error = security_sid_to_context_force(isec->sid, &context,
&size);
else
- error = security_sid_to_context(&selinux_state, isec->sid,
+ error = security_sid_to_context(isec->sid,
&context, &size);
if (error)
return error;
if (!value || !size)
return -EACCES;
- rc = security_context_to_sid(&selinux_state, value, size, &newsid,
+ rc = security_context_to_sid(value, size, &newsid,
GFP_KERNEL);
if (rc)
return rc;
{
const int len = sizeof(XATTR_NAME_SELINUX);
- if (!selinux_initialized(&selinux_state))
+ if (!selinux_initialized())
return 0;
if (buffer && len <= buffer_size)
return rc;
}
- rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
+ rc = security_context_to_sid(context, clen, &parent_sid,
GFP_KERNEL);
kfree(context);
if (rc)
q.name = kn->name;
q.hash_len = hashlen_string(kn_dir, kn->name);
- rc = security_transition_sid(&selinux_state, tsec->sid,
+ rc = security_transition_sid(tsec->sid,
parent_sid, secclass, &q,
&newsid);
if (rc)
return rc;
}
- rc = security_sid_to_context_force(&selinux_state, newsid,
+ rc = security_sid_to_context_force(newsid,
&context, &clen);
if (rc)
return rc;
isec = inode_security(inode);
if (sid == fsec->sid && fsec->isid == isec->sid &&
- fsec->pseqno == avc_policy_seqno(&selinux_state))
+ fsec->pseqno == avc_policy_seqno())
/* No change since file_open check. */
return 0;
ad.u.op->path = file->f_path;
if (ssid != fsec->sid) {
- rc = avc_has_perm(&selinux_state,
- ssid, fsec->sid,
+ rc = avc_has_perm(ssid, fsec->sid,
SECCLASS_FD,
FD__USE,
&ad);
return 0;
isec = inode_security(inode);
- rc = avc_has_extended_perms(&selinux_state,
- ssid, isec->sid, isec->sclass,
+ rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
requested, driver, xperm, &ad);
out:
return rc;
* private file mapping that will also be writable.
* This has an additional check.
*/
- rc = avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_PROCESS,
+ rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
PROCESS__EXECMEM, NULL);
if (rc)
goto error;
if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
u32 sid = current_sid();
- rc = avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_MEMPROTECT,
+ rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
MEMPROTECT__MMAP_ZERO, NULL);
}
return rc;
}
- if (checkreqprot_get(&selinux_state))
+ if (checkreqprot_get())
prot = reqprot;
return file_map_prot_check(file, prot,
const struct cred *cred = current_cred();
u32 sid = cred_sid(cred);
- if (checkreqprot_get(&selinux_state))
+ if (checkreqprot_get())
prot = reqprot;
if (default_noexec &&
int rc = 0;
if (vma->vm_start >= vma->vm_mm->start_brk &&
vma->vm_end <= vma->vm_mm->brk) {
- rc = avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_PROCESS,
+ rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
PROCESS__EXECHEAP, NULL);
} else if (!vma->vm_file &&
((vma->vm_start <= vma->vm_mm->start_stack &&
vma->vm_end >= vma->vm_mm->start_stack) ||
vma_is_stack_for_current(vma))) {
- rc = avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_PROCESS,
+ rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
PROCESS__EXECSTACK, NULL);
} else if (vma->vm_file && vma->anon_vma) {
/*
else
perm = signal_to_av(signum);
- return avc_has_perm(&selinux_state,
- fsec->fown_sid, sid,
+ return avc_has_perm(fsec->fown_sid, sid,
SECCLASS_PROCESS, perm, NULL);
}
* struct as its SID.
*/
fsec->isid = isec->sid;
- fsec->pseqno = avc_policy_seqno(&selinux_state);
+ fsec->pseqno = avc_policy_seqno();
/*
* Since the inode label or policy seqno may have changed
* between the selinux_inode_permission check and the saving
{
u32 sid = current_sid();
- return avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
+ return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
}
/*
u32 sid = current_sid();
int ret;
- ret = avc_has_perm(&selinux_state,
- sid, secid,
+ ret = avc_has_perm(sid, secid,
SECCLASS_KERNEL_SERVICE,
KERNEL_SERVICE__USE_AS_OVERRIDE,
NULL);
u32 sid = current_sid();
int ret;
- ret = avc_has_perm(&selinux_state,
- sid, isec->sid,
+ ret = avc_has_perm(sid, isec->sid,
SECCLASS_KERNEL_SERVICE,
KERNEL_SERVICE__CREATE_FILES_AS,
NULL);
ad.type = LSM_AUDIT_DATA_KMOD;
ad.u.kmod_name = kmod_name;
- return avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
+ return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
SYSTEM__MODULE_REQUEST, &ad);
}
/* init_module */
if (file == NULL)
- return avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_SYSTEM,
+ return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
SYSTEM__MODULE_LOAD, NULL);
/* finit_module */
fsec = selinux_file(file);
if (sid != fsec->sid) {
- rc = avc_has_perm(&selinux_state,
- sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
+ rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
if (rc)
return rc;
}
isec = inode_security(file_inode(file));
- return avc_has_perm(&selinux_state,
- sid, isec->sid, SECCLASS_SYSTEM,
+ return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
SYSTEM__MODULE_LOAD, &ad);
}
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
+ return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
PROCESS__SETPGID, NULL);
}
static int selinux_task_getpgid(struct task_struct *p)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
+ return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
PROCESS__GETPGID, NULL);
}
static int selinux_task_getsid(struct task_struct *p)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
+ return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
PROCESS__GETSESSION, NULL);
}
static int selinux_task_setnice(struct task_struct *p, int nice)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
+ return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
PROCESS__SETSCHED, NULL);
}
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
+ return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
PROCESS__SETSCHED, NULL);
}
static int selinux_task_getioprio(struct task_struct *p)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
+ return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
PROCESS__GETSCHED, NULL);
}
av |= PROCESS__SETRLIMIT;
if (flags & LSM_PRLIMIT_READ)
av |= PROCESS__GETRLIMIT;
- return avc_has_perm(&selinux_state,
- cred_sid(cred), cred_sid(tcred),
+ return avc_has_perm(cred_sid(cred), cred_sid(tcred),
SECCLASS_PROCESS, av, NULL);
}
later be used as a safe reset point for the soft limit
upon context transitions. See selinux_bprm_committing_creds. */
if (old_rlim->rlim_max != new_rlim->rlim_max)
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p),
+ return avc_has_perm(current_sid(), task_sid_obj(p),
SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
return 0;
static int selinux_task_setscheduler(struct task_struct *p)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
+ return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
PROCESS__SETSCHED, NULL);
}
static int selinux_task_getscheduler(struct task_struct *p)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
+ return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
PROCESS__GETSCHED, NULL);
}
static int selinux_task_movememory(struct task_struct *p)
{
- return avc_has_perm(&selinux_state,
- current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
+ return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
PROCESS__SETSCHED, NULL);
}
secid = current_sid();
else
secid = cred_sid(cred);
- return avc_has_perm(&selinux_state,
- secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
+ return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
}
static void selinux_task_to_inode(struct task_struct *p,
{
u32 sid = current_sid();
- return avc_has_perm(&selinux_state, sid, sid, SECCLASS_USER_NAMESPACE,
- USER_NAMESPACE__CREATE, NULL);
+ return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
+ USER_NAMESPACE__CREATE, NULL);
}
/* Returns error only if unable to parse addresses */
if (unlikely(err))
return -EACCES;
- err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
+ err = security_net_peersid_resolve(nlbl_sid,
nlbl_type, xfrm_sid, sid);
if (unlikely(err)) {
pr_warn(
int err = 0;
if (skb_sid != SECSID_NULL)
- err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
+ err = security_sid_mls_copy(sk_sid, skb_sid,
conn_sid);
else
*conn_sid = sk_sid;
return 0;
}
- return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
+ return security_transition_sid(tsec->sid, tsec->sid,
secclass, NULL, socksid);
}
ad.u.net = &net;
ad.u.net->sk = sk;
- return avc_has_perm(&selinux_state,
- current_sid(), sksec->sid, sksec->sclass, perms,
+ return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
&ad);
}
if (rc)
return rc;
- return avc_has_perm(&selinux_state,
- tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
+ return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
}
static int selinux_socket_post_create(struct socket *sock, int family,
snum, &sid);
if (err)
goto out;
- err = avc_has_perm(&selinux_state,
- sksec->sid, sid,
+ err = avc_has_perm(sksec->sid, sid,
sksec->sclass,
SOCKET__NAME_BIND, &ad);
if (err)
else
ad.u.net->v6info.saddr = addr6->sin6_addr;
- err = avc_has_perm(&selinux_state,
- sksec->sid, sid,
+ err = avc_has_perm(sksec->sid, sid,
sksec->sclass, node_perm, &ad);
if (err)
goto out;
ad.u.net = &net;
ad.u.net->dport = htons(snum);
ad.u.net->family = address->sa_family;
- err = avc_has_perm(&selinux_state,
- sksec->sid, sid, sksec->sclass, perm, &ad);
+ err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
if (err)
return err;
}
ad.u.net = &net;
ad.u.net->sk = other;
- err = avc_has_perm(&selinux_state,
- sksec_sock->sid, sksec_other->sid,
+ err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
sksec_other->sclass,
UNIX_STREAM_SOCKET__CONNECTTO, &ad);
if (err)
/* server child socket */
sksec_new->peer_sid = sksec_sock->sid;
- err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
+ err = security_sid_mls_copy(sksec_other->sid,
sksec_sock->sid, &sksec_new->sid);
if (err)
return err;
ad.u.net = &net;
ad.u.net->sk = other->sk;
- return avc_has_perm(&selinux_state,
- ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
+ return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
&ad);
}
err = sel_netif_sid(ns, ifindex, &if_sid);
if (err)
return err;
- err = avc_has_perm(&selinux_state,
- peer_sid, if_sid,
+ err = avc_has_perm(peer_sid, if_sid,
SECCLASS_NETIF, NETIF__INGRESS, ad);
if (err)
return err;
err = sel_netnode_sid(addrp, family, &node_sid);
if (err)
return err;
- return avc_has_perm(&selinux_state,
- peer_sid, node_sid,
+ return avc_has_perm(peer_sid, node_sid,
SECCLASS_NODE, NODE__RECVFROM, ad);
}
return err;
if (selinux_secmark_enabled()) {
- err = avc_has_perm(&selinux_state,
- sk_sid, skb->secmark, SECCLASS_PACKET,
+ err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
selinux_netlbl_err(skb, family, err, 0);
return err;
}
- err = avc_has_perm(&selinux_state,
- sk_sid, peer_sid, SECCLASS_PEER,
+ err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
PEER__RECV, &ad);
if (err) {
selinux_netlbl_err(skb, family, err, 0);
}
if (secmark_active) {
- err = avc_has_perm(&selinux_state,
- sk_sid, skb->secmark, SECCLASS_PACKET,
+ err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
if (peer_sid == SECSID_NULL)
return -ENOPROTOOPT;
- err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
+ err = security_sid_to_context(peer_sid, &scontext,
&scontext_len);
if (err)
return err;
ad.type = LSM_AUDIT_DATA_NET;
ad.u.net = &net;
ad.u.net->sk = asoc->base.sk;
- err = avc_has_perm(&selinux_state,
- sksec->peer_sid, asoc->peer_secid,
+ err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
sksec->sclass, SCTP_SOCKET__ASSOCIATION,
&ad);
if (err)
__tsec = selinux_cred(current_cred());
tsid = __tsec->sid;
- return avc_has_perm(&selinux_state,
- tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
+ return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
NULL);
}
* connections unlike traditional sockets - check the TUN driver to
* get a better understanding of why this socket is special */
- return avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
+ return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
NULL);
}
{
struct tun_security_struct *tunsec = security;
- return avc_has_perm(&selinux_state,
- current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
+ return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
TUN_SOCKET__ATTACH_QUEUE, NULL);
}
u32 sid = current_sid();
int err;
- err = avc_has_perm(&selinux_state,
- sid, tunsec->sid, SECCLASS_TUN_SOCKET,
+ err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
TUN_SOCKET__RELABELFROM, NULL);
if (err)
return err;
- err = avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_TUN_SOCKET,
+ err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
TUN_SOCKET__RELABELTO, NULL);
if (err)
return err;
}
if (secmark_active)
- if (avc_has_perm(&selinux_state,
- peer_sid, skb->secmark,
+ if (avc_has_perm(peer_sid, skb->secmark,
SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
return NF_DROP;
return NF_DROP;
if (selinux_secmark_enabled())
- if (avc_has_perm(&selinux_state,
- sksec->sid, skb->secmark,
+ if (avc_has_perm(sksec->sid, skb->secmark,
SECCLASS_PACKET, PACKET__SEND, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
return NF_DROP;
if (secmark_active)
- if (avc_has_perm(&selinux_state,
- peer_sid, skb->secmark,
+ if (avc_has_perm(peer_sid, skb->secmark,
SECCLASS_PACKET, secmark_perm, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
if (sel_netif_sid(state->net, ifindex, &if_sid))
return NF_DROP;
- if (avc_has_perm(&selinux_state,
- peer_sid, if_sid,
+ if (avc_has_perm(peer_sid, if_sid,
SECCLASS_NETIF, NETIF__EGRESS, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
if (sel_netnode_sid(addrp, family, &node_sid))
return NF_DROP;
- if (avc_has_perm(&selinux_state,
- peer_sid, node_sid,
+ if (avc_has_perm(peer_sid, node_sid,
SECCLASS_NODE, NODE__SENDTO, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
}
sk->sk_protocol, nlh->nlmsg_type,
secclass_map[sclass - 1].name,
task_pid_nr(current), current->comm);
- if (enforcing_enabled(&selinux_state) &&
- !security_get_allow_unknown(&selinux_state))
+ if (enforcing_enabled() &&
+ !security_get_allow_unknown())
return rc;
rc = 0;
} else if (rc == -ENOENT) {
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = ipc_perms->key;
- return avc_has_perm(&selinux_state,
- sid, isec->sid, isec->sclass, perms, &ad);
+ return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
}
static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->key;
- return avc_has_perm(&selinux_state,
- sid, isec->sid, SECCLASS_MSGQ,
+ return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
MSGQ__CREATE, &ad);
}
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->key;
- return avc_has_perm(&selinux_state,
- sid, isec->sid, SECCLASS_MSGQ,
+ return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
MSGQ__ASSOCIATE, &ad);
}
case IPC_INFO:
case MSG_INFO:
/* No specific object, just general system-wide information. */
- return avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_KERNEL,
+ return avc_has_perm(current_sid(), SECINITSID_KERNEL,
SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
case IPC_STAT:
case MSG_STAT:
* Compute new sid based on current process and
* message queue this message will be stored in
*/
- rc = security_transition_sid(&selinux_state, sid, isec->sid,
+ rc = security_transition_sid(sid, isec->sid,
SECCLASS_MSG, NULL, &msec->sid);
if (rc)
return rc;
ad.u.ipc_id = msq->key;
/* Can this process write to the queue? */
- rc = avc_has_perm(&selinux_state,
- sid, isec->sid, SECCLASS_MSGQ,
+ rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
MSGQ__WRITE, &ad);
if (!rc)
/* Can this process send the message */
- rc = avc_has_perm(&selinux_state,
- sid, msec->sid, SECCLASS_MSG,
+ rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
MSG__SEND, &ad);
if (!rc)
/* Can the message be put in the queue? */
- rc = avc_has_perm(&selinux_state,
- msec->sid, isec->sid, SECCLASS_MSGQ,
+ rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
MSGQ__ENQUEUE, &ad);
return rc;
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->key;
- rc = avc_has_perm(&selinux_state,
- sid, isec->sid,
+ rc = avc_has_perm(sid, isec->sid,
SECCLASS_MSGQ, MSGQ__READ, &ad);
if (!rc)
- rc = avc_has_perm(&selinux_state,
- sid, msec->sid,
+ rc = avc_has_perm(sid, msec->sid,
SECCLASS_MSG, MSG__RECEIVE, &ad);
return rc;
}
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->key;
- return avc_has_perm(&selinux_state,
- sid, isec->sid, SECCLASS_SHM,
+ return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
SHM__CREATE, &ad);
}
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->key;
- return avc_has_perm(&selinux_state,
- sid, isec->sid, SECCLASS_SHM,
+ return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
SHM__ASSOCIATE, &ad);
}
case IPC_INFO:
case SHM_INFO:
/* No specific object, just general system-wide information. */
- return avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_KERNEL,
+ return avc_has_perm(current_sid(), SECINITSID_KERNEL,
SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
case IPC_STAT:
case SHM_STAT:
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->key;
- return avc_has_perm(&selinux_state,
- sid, isec->sid, SECCLASS_SEM,
+ return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
SEM__CREATE, &ad);
}
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->key;
- return avc_has_perm(&selinux_state,
- sid, isec->sid, SECCLASS_SEM,
+ return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
SEM__ASSOCIATE, &ad);
}
case IPC_INFO:
case SEM_INFO:
/* No specific object, just general system-wide information. */
- return avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_KERNEL,
+ return avc_has_perm(current_sid(), SECINITSID_KERNEL,
SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
case GETPID:
case GETNCNT:
__tsec = selinux_cred(__task_cred(p));
if (current != p) {
- error = avc_has_perm(&selinux_state,
- current_sid(), __tsec->sid,
+ error = avc_has_perm(current_sid(), __tsec->sid,
SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
if (error)
goto bad;
if (!sid)
return 0;
- error = security_sid_to_context(&selinux_state, sid, value, &len);
+ error = security_sid_to_context(sid, value, &len);
if (error)
return error;
return len;
* Basic control over ability to set these attributes at all.
*/
if (!strcmp(name, "exec"))
- error = avc_has_perm(&selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
+ error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
PROCESS__SETEXEC, NULL);
else if (!strcmp(name, "fscreate"))
- error = avc_has_perm(&selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
+ error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
PROCESS__SETFSCREATE, NULL);
else if (!strcmp(name, "keycreate"))
- error = avc_has_perm(&selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
+ error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
PROCESS__SETKEYCREATE, NULL);
else if (!strcmp(name, "sockcreate"))
- error = avc_has_perm(&selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
+ error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
PROCESS__SETSOCKCREATE, NULL);
else if (!strcmp(name, "current"))
- error = avc_has_perm(&selinux_state,
- mysid, mysid, SECCLASS_PROCESS,
+ error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
PROCESS__SETCURRENT, NULL);
else
error = -EINVAL;
str[size-1] = 0;
size--;
}
- error = security_context_to_sid(&selinux_state, value, size,
+ error = security_context_to_sid(value, size,
&sid, GFP_KERNEL);
if (error == -EINVAL && !strcmp(name, "fscreate")) {
if (!has_cap_mac_admin(true)) {
return error;
}
- error = security_context_to_sid_force(
- &selinux_state,
- value, size, &sid);
+ error = security_context_to_sid_force(value, size,
+ &sid);
}
if (error)
return error;
tsec->create_sid = sid;
} else if (!strcmp(name, "keycreate")) {
if (sid) {
- error = avc_has_perm(&selinux_state, mysid, sid,
+ error = avc_has_perm(mysid, sid,
SECCLASS_KEY, KEY__CREATE, NULL);
if (error)
goto abort_change;
/* Only allow single threaded processes to change context */
if (!current_is_single_threaded()) {
- error = security_bounded_transition(&selinux_state,
- tsec->sid, sid);
+ error = security_bounded_transition(tsec->sid, sid);
if (error)
goto abort_change;
}
/* Check permissions for the transition. */
- error = avc_has_perm(&selinux_state,
- tsec->sid, sid, SECCLASS_PROCESS,
+ error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
PROCESS__DYNTRANSITION, NULL);
if (error)
goto abort_change;
Otherwise, leave SID unchanged and fail. */
ptsid = ptrace_parent_sid();
if (ptsid != 0) {
- error = avc_has_perm(&selinux_state,
- ptsid, sid, SECCLASS_PROCESS,
+ error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
PROCESS__PTRACE, NULL);
if (error)
goto abort_change;
static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
- return security_sid_to_context(&selinux_state, secid,
+ return security_sid_to_context(secid,
secdata, seclen);
}
static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
- return security_context_to_sid(&selinux_state, secdata, seclen,
+ return security_context_to_sid(secdata, seclen,
secid, GFP_KERNEL);
}
key = key_ref_to_ptr(key_ref);
ksec = key->security;
- return avc_has_perm(&selinux_state,
- sid, ksec->sid, SECCLASS_KEY, perm, NULL);
+ return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
}
static int selinux_key_getsecurity(struct key *key, char **_buffer)
unsigned len;
int rc;
- rc = security_sid_to_context(&selinux_state, ksec->sid,
+ rc = security_sid_to_context(ksec->sid,
&context, &len);
if (!rc)
rc = len;
struct key_security_struct *ksec = key->security;
u32 sid = current_sid();
- return avc_has_perm(&selinux_state,
- sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
+ return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
}
#endif
#endif
ibpkey.subnet_prefix = subnet_prefix;
ibpkey.pkey = pkey_val;
ad.u.ibpkey = &ibpkey;
- return avc_has_perm(&selinux_state,
- sec->sid, sid,
+ return avc_has_perm(sec->sid, sid,
SECCLASS_INFINIBAND_PKEY,
INFINIBAND_PKEY__ACCESS, &ad);
}
struct ib_security_struct *sec = ib_sec;
struct lsm_ibendport_audit ibendport;
- err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
+ err = security_ib_endport_sid(dev_name, port_num,
&sid);
if (err)
ibendport.dev_name = dev_name;
ibendport.port = port_num;
ad.u.ibendport = &ibendport;
- return avc_has_perm(&selinux_state,
- sec->sid, sid,
+ return avc_has_perm(sec->sid, sid,
SECCLASS_INFINIBAND_ENDPORT,
INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
}
switch (cmd) {
case BPF_MAP_CREATE:
- ret = avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
+ ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
NULL);
break;
case BPF_PROG_LOAD:
- ret = avc_has_perm(&selinux_state,
- sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
+ ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
NULL);
break;
default:
if (file->f_op == &bpf_map_fops) {
map = file->private_data;
bpfsec = map->security;
- ret = avc_has_perm(&selinux_state,
- sid, bpfsec->sid, SECCLASS_BPF,
+ ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
bpf_map_fmode_to_av(file->f_mode), NULL);
if (ret)
return ret;
} else if (file->f_op == &bpf_prog_fops) {
prog = file->private_data;
bpfsec = prog->aux->security;
- ret = avc_has_perm(&selinux_state,
- sid, bpfsec->sid, SECCLASS_BPF,
+ ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
BPF__PROG_RUN, NULL);
if (ret)
return ret;
struct bpf_security_struct *bpfsec;
bpfsec = map->security;
- return avc_has_perm(&selinux_state,
- sid, bpfsec->sid, SECCLASS_BPF,
+ return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
bpf_map_fmode_to_av(fmode), NULL);
}
struct bpf_security_struct *bpfsec;
bpfsec = prog->aux->security;
- return avc_has_perm(&selinux_state,
- sid, bpfsec->sid, SECCLASS_BPF,
+ return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
BPF__PROG_RUN, NULL);
}
else
return -EINVAL;
- return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
+ return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
requested, NULL);
}
struct perf_event_security_struct *perfsec = event->security;
u32 sid = current_sid();
- return avc_has_perm(&selinux_state, sid, perfsec->sid,
+ return avc_has_perm(sid, perfsec->sid,
SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
}
struct perf_event_security_struct *perfsec = event->security;
u32 sid = current_sid();
- return avc_has_perm(&selinux_state, sid, perfsec->sid,
+ return avc_has_perm(sid, perfsec->sid,
SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
}
#endif
*/
static int selinux_uring_override_creds(const struct cred *new)
{
- return avc_has_perm(&selinux_state, current_sid(), cred_sid(new),
+ return avc_has_perm(current_sid(), cred_sid(new),
SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
}
{
int sid = current_sid();
- return avc_has_perm(&selinux_state, sid, sid,
+ return avc_has_perm(sid, sid,
SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
}
ad.type = LSM_AUDIT_DATA_FILE;
ad.u.file = file;
- return avc_has_perm(&selinux_state, current_sid(), isec->sid,
+ return avc_has_perm(current_sid(), isec->sid,
SECCLASS_IO_URING, IO_URING__CMD, &ad);
}
#endif /* CONFIG_IO_URING */
pr_info("SELinux: Initializing.\n");
memset(&selinux_state, 0, sizeof(selinux_state));
- enforcing_set(&selinux_state, selinux_enforcing_boot);
+ enforcing_set(selinux_enforcing_boot);
if (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)
pr_err("SELinux: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is non-zero. This is deprecated and will be rejected in a future kernel release.\n");
- checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
- selinux_avc_init(&selinux_state.avc);
+ checkreqprot_set(selinux_checkreqprot_boot);
+ selinux_avc_init();
mutex_init(&selinux_state.status_lock);
mutex_init(&selinux_state.policy_mutex);
#endif /* CONFIG_NETFILTER */
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-int selinux_disable(struct selinux_state *state)
+int selinux_disable(void)
{
- if (selinux_initialized(state)) {
+ if (selinux_initialized()) {
/* Not permitted after initial policy load. */
return -EINVAL;
}
- if (selinux_disabled(state)) {
+ if (selinux_disabled()) {
/* Only do this once. */
return -EINVAL;
}
- selinux_mark_disabled(state);
+ selinux_mark_disabled();
pr_info("SELinux: Disabled at runtime.\n");
return 0;
}
- ret = security_ib_pkey_sid(&selinux_state, subnet_prefix, pkey_num,
+ ret = security_ib_pkey_sid(subnet_prefix, pkey_num,
sid);
if (ret)
goto out;
/*
* selinux_ima_collect_state - Read selinux configuration settings
*
- * @state: selinux_state
- *
* On success returns the configuration settings string.
* On error, returns NULL.
*/
-static char *selinux_ima_collect_state(struct selinux_state *state)
+static char *selinux_ima_collect_state(void)
{
const char *on = "=1;", *off = "=0;";
char *buf;
rc = strscpy(buf, "initialized", buf_len);
WARN_ON(rc < 0);
- rc = strlcat(buf, selinux_initialized(state) ? on : off, buf_len);
+ rc = strlcat(buf, selinux_initialized() ? on : off, buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, "enforcing", buf_len);
WARN_ON(rc >= buf_len);
- rc = strlcat(buf, enforcing_enabled(state) ? on : off, buf_len);
+ rc = strlcat(buf, enforcing_enabled() ? on : off, buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, "checkreqprot", buf_len);
WARN_ON(rc >= buf_len);
- rc = strlcat(buf, checkreqprot_get(state) ? on : off, buf_len);
+ rc = strlcat(buf, checkreqprot_get() ? on : off, buf_len);
WARN_ON(rc >= buf_len);
for (i = 0; i < __POLICYDB_CAP_MAX; i++) {
rc = strlcat(buf, selinux_policycap_names[i], buf_len);
WARN_ON(rc >= buf_len);
- rc = strlcat(buf, state->policycap[i] ? on : off, buf_len);
+ rc = strlcat(buf, selinux_state.policycap[i] ? on : off,
+ buf_len);
WARN_ON(rc >= buf_len);
}
/*
* selinux_ima_measure_state_locked - Measure SELinux state and hash of policy
- *
- * @state: selinux state struct
*/
-void selinux_ima_measure_state_locked(struct selinux_state *state)
+void selinux_ima_measure_state_locked(void)
{
char *state_str = NULL;
void *policy = NULL;
size_t policy_len;
int rc = 0;
- lockdep_assert_held(&state->policy_mutex);
+ lockdep_assert_held(&selinux_state.policy_mutex);
- state_str = selinux_ima_collect_state(state);
+ state_str = selinux_ima_collect_state();
if (!state_str) {
pr_err("SELinux: %s: failed to read state.\n", __func__);
return;
/*
* Measure SELinux policy only after initialization is completed.
*/
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return;
- rc = security_read_state_kernel(state, &policy, &policy_len);
+ rc = security_read_state_kernel(&policy, &policy_len);
if (rc) {
pr_err("SELinux: %s: failed to read policy %d.\n", __func__, rc);
return;
/*
* selinux_ima_measure_state - Measure SELinux state and hash of policy
- *
- * @state: selinux state struct
*/
-void selinux_ima_measure_state(struct selinux_state *state)
+void selinux_ima_measure_state(void)
{
- lockdep_assert_not_held(&state->policy_mutex);
+ lockdep_assert_not_held(&selinux_state.policy_mutex);
- mutex_lock(&state->policy_mutex);
- selinux_ima_measure_state_locked(state);
- mutex_unlock(&state->policy_mutex);
+ mutex_lock(&selinux_state.policy_mutex);
+ selinux_ima_measure_state_locked();
+ mutex_unlock(&selinux_state.policy_mutex);
}
u32 audited;
u32 denied;
int result;
- struct selinux_state *state;
} __randomize_layout;
/*
return audited;
}
-int slow_avc_audit(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
u32 requested, u32 audited, u32 denied, int result,
struct common_audit_data *a);
/**
* avc_audit - Audit the granting or denial of permissions.
- * @state: SELinux state
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* be performed under a lock, to allow the lock to be released
* before calling the auditing code.
*/
-static inline int avc_audit(struct selinux_state *state,
- u32 ssid, u32 tsid,
+static inline int avc_audit(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
struct av_decision *avd,
int result,
audited = avc_audit_required(requested, avd, result, 0, &denied);
if (likely(!audited))
return 0;
- return slow_avc_audit(state, ssid, tsid, tclass,
+ return slow_avc_audit(ssid, tsid, tclass,
requested, audited, denied, result,
a);
}
#define AVC_STRICT 1 /* Ignore permissive mode. */
#define AVC_EXTENDED_PERMS 2 /* update extended permissions */
-int avc_has_perm_noaudit(struct selinux_state *state,
- u32 ssid, u32 tsid,
+int avc_has_perm_noaudit(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
unsigned flags,
struct av_decision *avd);
-int avc_has_perm(struct selinux_state *state,
- u32 ssid, u32 tsid,
+int avc_has_perm(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
struct common_audit_data *auditdata);
-int avc_has_extended_perms(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass, u32 requested,
+int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
u8 driver, u8 perm, struct common_audit_data *ad);
-u32 avc_policy_seqno(struct selinux_state *state);
+u32 avc_policy_seqno(void);
#define AVC_CALLBACK_GRANT 1
#define AVC_CALLBACK_TRY_REVOKE 2
int avc_add_callback(int (*callback)(u32 event), u32 events);
/* Exported to selinuxfs */
-struct selinux_avc;
-int avc_get_hash_stats(struct selinux_avc *avc, char *page);
-unsigned int avc_get_cache_threshold(struct selinux_avc *avc);
-void avc_set_cache_threshold(struct selinux_avc *avc,
- unsigned int cache_threshold);
+int avc_get_hash_stats(char *page);
+unsigned int avc_get_cache_threshold(void);
+void avc_set_cache_threshold(unsigned int cache_threshold);
/* Attempt to free avc node cache */
void avc_disable(void);
#include <linux/types.h>
-struct selinux_avc;
-int avc_ss_reset(struct selinux_avc *avc, u32 seqno);
+int avc_ss_reset(u32 seqno);
/* Class/perm mapping support */
struct security_class_mapping {
int security_get_bools(struct selinux_policy *policy,
u32 *len, char ***names, int **values);
-int security_set_bools(struct selinux_state *state, u32 len, int *values);
+int security_set_bools(u32 len, int *values);
-int security_get_bool_value(struct selinux_state *state, u32 index);
+int security_get_bool_value(u32 index);
#endif
#include "security.h"
#ifdef CONFIG_IMA
-extern void selinux_ima_measure_state(struct selinux_state *selinux_state);
-extern void selinux_ima_measure_state_locked(
- struct selinux_state *selinux_state);
+extern void selinux_ima_measure_state(void);
+extern void selinux_ima_measure_state_locked(void);
#else
-static inline void selinux_ima_measure_state(struct selinux_state *selinux_state)
+static inline void selinux_ima_measure_state(void)
{
}
-static inline void selinux_ima_measure_state_locked(
- struct selinux_state *selinux_state)
+static inline void selinux_ima_measure_state_locked(void)
{
}
#endif
/* limitation of boundary depth */
#define POLICYDB_BOUNDS_MAXDEPTH 4
-struct selinux_avc;
struct selinux_policy;
struct selinux_state {
struct page *status_page;
struct mutex status_lock;
- struct selinux_avc *avc;
struct selinux_policy __rcu *policy;
struct mutex policy_mutex;
} __randomize_layout;
-void selinux_avc_init(struct selinux_avc **avc);
+void selinux_avc_init(void);
extern struct selinux_state selinux_state;
-static inline bool selinux_initialized(const struct selinux_state *state)
+static inline bool selinux_initialized(void)
{
/* do a synchronized load to avoid race conditions */
- return smp_load_acquire(&state->initialized);
+ return smp_load_acquire(&selinux_state.initialized);
}
-static inline void selinux_mark_initialized(struct selinux_state *state)
+static inline void selinux_mark_initialized(void)
{
/* do a synchronized write to avoid race conditions */
- smp_store_release(&state->initialized, true);
+ smp_store_release(&selinux_state.initialized, true);
}
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-static inline bool enforcing_enabled(struct selinux_state *state)
+static inline bool enforcing_enabled(void)
{
- return READ_ONCE(state->enforcing);
+ return READ_ONCE(selinux_state.enforcing);
}
-static inline void enforcing_set(struct selinux_state *state, bool value)
+static inline void enforcing_set(bool value)
{
- WRITE_ONCE(state->enforcing, value);
+ WRITE_ONCE(selinux_state.enforcing, value);
}
#else
-static inline bool enforcing_enabled(struct selinux_state *state)
+static inline bool enforcing_enabled(void)
{
return true;
}
-static inline void enforcing_set(struct selinux_state *state, bool value)
+static inline void enforcing_set(bool value)
{
}
#endif
-static inline bool checkreqprot_get(const struct selinux_state *state)
+static inline bool checkreqprot_get(void)
{
- return READ_ONCE(state->checkreqprot);
+ return READ_ONCE(selinux_state.checkreqprot);
}
-static inline void checkreqprot_set(struct selinux_state *state, bool value)
+static inline void checkreqprot_set(bool value)
{
if (value)
pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot\n");
- WRITE_ONCE(state->checkreqprot, value);
+ WRITE_ONCE(selinux_state.checkreqprot, value);
}
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-static inline bool selinux_disabled(struct selinux_state *state)
+static inline bool selinux_disabled(void)
{
- return READ_ONCE(state->disabled);
+ return READ_ONCE(selinux_state.disabled);
}
-static inline void selinux_mark_disabled(struct selinux_state *state)
+static inline void selinux_mark_disabled(void)
{
- WRITE_ONCE(state->disabled, true);
+ WRITE_ONCE(selinux_state.disabled, true);
}
#else
-static inline bool selinux_disabled(struct selinux_state *state)
+static inline bool selinux_disabled(void)
{
return false;
}
struct selinux_policy_convert_data *convert_data;
};
-int security_mls_enabled(struct selinux_state *state);
-int security_load_policy(struct selinux_state *state,
- void *data, size_t len,
+int security_mls_enabled(void);
+int security_load_policy(void *data, size_t len,
struct selinux_load_state *load_state);
-void selinux_policy_commit(struct selinux_state *state,
- struct selinux_load_state *load_state);
-void selinux_policy_cancel(struct selinux_state *state,
- struct selinux_load_state *load_state);
-int security_read_policy(struct selinux_state *state,
- void **data, size_t *len);
-int security_read_state_kernel(struct selinux_state *state,
- void **data, size_t *len);
-int security_policycap_supported(struct selinux_state *state,
- unsigned int req_cap);
+void selinux_policy_commit(struct selinux_load_state *load_state);
+void selinux_policy_cancel(struct selinux_load_state *load_state);
+int security_read_policy(void **data, size_t *len);
+int security_read_state_kernel(void **data, size_t *len);
+int security_policycap_supported(unsigned int req_cap);
#define SEL_VEC_MAX 32
struct av_decision {
/* definitions of av_decision.flags */
#define AVD_FLAGS_PERMISSIVE 0x0001
-void security_compute_av(struct selinux_state *state,
- u32 ssid, u32 tsid,
+void security_compute_av(u32 ssid, u32 tsid,
u16 tclass, struct av_decision *avd,
struct extended_perms *xperms);
-void security_compute_xperms_decision(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 tclass,
u8 driver,
struct extended_perms_decision *xpermd);
-void security_compute_av_user(struct selinux_state *state,
- u32 ssid, u32 tsid,
+void security_compute_av_user(u32 ssid, u32 tsid,
u16 tclass, struct av_decision *avd);
-int security_transition_sid(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
const struct qstr *qstr, u32 *out_sid);
-int security_transition_sid_user(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
const char *objname, u32 *out_sid);
-int security_member_sid(struct selinux_state *state, u32 ssid, u32 tsid,
- u16 tclass, u32 *out_sid);
+int security_member_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
-int security_change_sid(struct selinux_state *state, u32 ssid, u32 tsid,
- u16 tclass, u32 *out_sid);
+int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
-int security_sid_to_context(struct selinux_state *state, u32 sid,
- char **scontext, u32 *scontext_len);
+int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len);
-int security_sid_to_context_force(struct selinux_state *state,
- u32 sid, char **scontext, u32 *scontext_len);
+int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);
-int security_sid_to_context_inval(struct selinux_state *state,
- u32 sid, char **scontext, u32 *scontext_len);
+int security_sid_to_context_inval(u32 sid, char **scontext, u32 *scontext_len);
-int security_context_to_sid(struct selinux_state *state,
- const char *scontext, u32 scontext_len,
+int security_context_to_sid(const char *scontext, u32 scontext_len,
u32 *out_sid, gfp_t gfp);
-int security_context_str_to_sid(struct selinux_state *state,
- const char *scontext, u32 *out_sid, gfp_t gfp);
+int security_context_str_to_sid(const char *scontext, u32 *out_sid, gfp_t gfp);
-int security_context_to_sid_default(struct selinux_state *state,
- const char *scontext, u32 scontext_len,
+int security_context_to_sid_default(const char *scontext, u32 scontext_len,
u32 *out_sid, u32 def_sid, gfp_t gfp_flags);
-int security_context_to_sid_force(struct selinux_state *state,
- const char *scontext, u32 scontext_len,
+int security_context_to_sid_force(const char *scontext, u32 scontext_len,
u32 *sid);
-int security_get_user_sids(struct selinux_state *state,
- u32 callsid, char *username,
- u32 **sids, u32 *nel);
+int security_get_user_sids(u32 callsid, char *username, u32 **sids, u32 *nel);
-int security_port_sid(struct selinux_state *state,
- u8 protocol, u16 port, u32 *out_sid);
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
-int security_ib_pkey_sid(struct selinux_state *state,
- u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
+int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
-int security_ib_endport_sid(struct selinux_state *state,
- const char *dev_name, u8 port_num, u32 *out_sid);
+int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
-int security_netif_sid(struct selinux_state *state,
- char *name, u32 *if_sid);
+int security_netif_sid(char *name, u32 *if_sid);
-int security_node_sid(struct selinux_state *state,
- u16 domain, void *addr, u32 addrlen,
+int security_node_sid(u16 domain, void *addr, u32 addrlen,
u32 *out_sid);
-int security_validate_transition(struct selinux_state *state,
- u32 oldsid, u32 newsid, u32 tasksid,
+int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
u16 tclass);
-int security_validate_transition_user(struct selinux_state *state,
- u32 oldsid, u32 newsid, u32 tasksid,
+int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,
u16 tclass);
-int security_bounded_transition(struct selinux_state *state,
- u32 oldsid, u32 newsid);
+int security_bounded_transition(u32 oldsid, u32 newsid);
-int security_sid_mls_copy(struct selinux_state *state,
- u32 sid, u32 mls_sid, u32 *new_sid);
+int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
-int security_net_peersid_resolve(struct selinux_state *state,
- u32 nlbl_sid, u32 nlbl_type,
+int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
u32 xfrm_sid,
u32 *peer_sid);
char ***classes, int *nclasses);
int security_get_permissions(struct selinux_policy *policy,
char *class, char ***perms, int *nperms);
-int security_get_reject_unknown(struct selinux_state *state);
-int security_get_allow_unknown(struct selinux_state *state);
+int security_get_reject_unknown(void);
+int security_get_allow_unknown(void);
#define SECURITY_FS_USE_XATTR 1 /* use xattr */
#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
#define SECURITY_FS_USE_NATIVE 7 /* use native label support */
#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */
-int security_fs_use(struct selinux_state *state, struct super_block *sb);
+int security_fs_use(struct super_block *sb);
-int security_genfs_sid(struct selinux_state *state,
- const char *fstype, const char *path, u16 sclass,
+int security_genfs_sid(const char *fstype, const char *path, u16 sclass,
u32 *sid);
int selinux_policy_genfs_sid(struct selinux_policy *policy,
u32 *sid);
#ifdef CONFIG_NETLABEL
-int security_netlbl_secattr_to_sid(struct selinux_state *state,
- struct netlbl_lsm_secattr *secattr,
+int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
u32 *sid);
-int security_netlbl_sid_to_secattr(struct selinux_state *state,
- u32 sid,
+int security_netlbl_sid_to_secattr(u32 sid,
struct netlbl_lsm_secattr *secattr);
#else
-static inline int security_netlbl_secattr_to_sid(struct selinux_state *state,
- struct netlbl_lsm_secattr *secattr,
+static inline int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
u32 *sid)
{
return -EIDRM;
}
-static inline int security_netlbl_sid_to_secattr(struct selinux_state *state,
- u32 sid,
+static inline int security_netlbl_sid_to_secattr(u32 sid,
struct netlbl_lsm_secattr *secattr)
{
return -ENOENT;
/*
* status notifier using mmap interface
*/
-extern struct page *selinux_kernel_status_page(struct selinux_state *state);
+extern struct page *selinux_kernel_status_page(void);
#define SELINUX_KERNEL_STATUS_VERSION 1
struct selinux_kernel_status {
*/
} __packed;
-extern void selinux_status_update_setenforce(struct selinux_state *state,
- int enforcing);
-extern void selinux_status_update_policyload(struct selinux_state *state,
- int seqno);
+extern void selinux_status_update_setenforce(int enforcing);
+extern void selinux_status_update_policyload(int seqno);
extern void selinux_complete_init(void);
-extern int selinux_disable(struct selinux_state *state);
+extern int selinux_disable(void);
extern void exit_sel_fs(void);
extern struct path selinux_null;
extern void selnl_notify_setenforce(int val);
extern void avtab_cache_init(void);
extern void ebitmap_cache_init(void);
extern void hashtab_cache_init(void);
-extern int security_sidtab_hash_stats(struct selinux_state *state, char *page);
+extern int security_sidtab_hash_stats(char *page);
#endif /* _SELINUX_SECURITY_H_ */
goto out;
}
- ret = security_netif_sid(&selinux_state, dev->name, sid);
+ ret = security_netif_sid(dev->name, sid);
if (ret != 0)
goto out;
new = kzalloc(sizeof(*new), GFP_ATOMIC);
{
int rc;
- rc = security_netlbl_secattr_to_sid(&selinux_state, secattr, sid);
+ rc = security_netlbl_secattr_to_sid(secattr, sid);
if (rc == 0 &&
(secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
(secattr->flags & NETLBL_SECATTR_CACHE))
secattr = netlbl_secattr_alloc(GFP_ATOMIC);
if (secattr == NULL)
return NULL;
- rc = security_netlbl_sid_to_secattr(&selinux_state, sksec->sid,
- secattr);
+ rc = security_netlbl_sid_to_secattr(sksec->sid, secattr);
if (rc != 0) {
netlbl_secattr_free(secattr);
return NULL;
if (secattr == NULL) {
secattr = &secattr_storage;
netlbl_secattr_init(secattr);
- rc = security_netlbl_sid_to_secattr(&selinux_state, sid,
- secattr);
+ rc = security_netlbl_sid_to_secattr(sid, secattr);
if (rc != 0)
goto skbuff_setsid_return;
}
return 0;
netlbl_secattr_init(&secattr);
- rc = security_netlbl_sid_to_secattr(&selinux_state,
- asoc->secid, &secattr);
+ rc = security_netlbl_sid_to_secattr(asoc->secid, &secattr);
if (rc != 0)
goto assoc_request_return;
return 0;
netlbl_secattr_init(&secattr);
- rc = security_netlbl_sid_to_secattr(&selinux_state, req->secid,
- &secattr);
+ rc = security_netlbl_sid_to_secattr(req->secid, &secattr);
if (rc != 0)
goto inet_conn_request_return;
rc = netlbl_req_setattr(req, &secattr);
perm = RAWIP_SOCKET__RECVFROM;
}
- rc = avc_has_perm(&selinux_state,
- sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
+ rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
if (rc == 0)
return 0;
new = kzalloc(sizeof(*new), GFP_ATOMIC);
switch (family) {
case PF_INET:
- ret = security_node_sid(&selinux_state, PF_INET,
+ ret = security_node_sid(PF_INET,
addr, sizeof(struct in_addr), sid);
if (new)
new->nsec.addr.ipv4 = *(__be32 *)addr;
break;
case PF_INET6:
- ret = security_node_sid(&selinux_state, PF_INET6,
+ ret = security_node_sid(PF_INET6,
addr, sizeof(struct in6_addr), sid);
if (new)
new->nsec.addr.ipv6 = *(struct in6_addr *)addr;
return 0;
}
- ret = security_port_sid(&selinux_state, protocol, pnum, sid);
+ ret = security_port_sid(protocol, pnum, sid);
if (ret != 0)
goto out;
new = kzalloc(sizeof(*new), GFP_ATOMIC);
bool policy_opened;
struct dentry *policycap_dir;
unsigned long last_ino;
- struct selinux_state *state;
struct super_block *sb;
};
return -ENOMEM;
fsi->last_ino = SEL_INO_NEXT - 1;
- fsi->state = &selinux_state;
fsi->sb = sb;
sb->s_fs_info = fsi;
return 0;
static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
char tmpbuf[TMPBUFLEN];
ssize_t length;
length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
- enforcing_enabled(fsi->state));
+ enforcing_enabled());
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *page = NULL;
ssize_t length;
int old_value, new_value;
new_value = !!new_value;
- old_value = enforcing_enabled(state);
+ old_value = enforcing_enabled();
if (new_value != old_value) {
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__SETENFORCE,
NULL);
if (length)
new_value, old_value,
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
- enforcing_set(state, new_value);
+ enforcing_set(new_value);
if (new_value)
- avc_ss_reset(state->avc, 0);
+ avc_ss_reset(0);
selnl_notify_setenforce(new_value);
- selinux_status_update_setenforce(state, new_value);
+ selinux_status_update_setenforce(new_value);
if (!new_value)
call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
- selinux_ima_measure_state(state);
+ selinux_ima_measure_state();
}
length = count;
out:
static ssize_t sel_read_handle_unknown(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char tmpbuf[TMPBUFLEN];
ssize_t length;
ino_t ino = file_inode(filp)->i_ino;
int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ?
- security_get_reject_unknown(state) :
- !security_get_allow_unknown(state);
+ security_get_reject_unknown() :
+ !security_get_allow_unknown();
length = scnprintf(tmpbuf, TMPBUFLEN, "%d", handle_unknown);
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
static int sel_open_handle_status(struct inode *inode, struct file *filp)
{
- struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
- struct page *status = selinux_kernel_status_page(fsi->state);
+ struct page *status = selinux_kernel_status_page();
if (!status)
return -ENOMEM;
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
char *page;
ssize_t length;
int new_value;
goto out;
if (new_value) {
- enforcing = enforcing_enabled(fsi->state);
- length = selinux_disable(fsi->state);
+ enforcing = enforcing_enabled();
+ length = selinux_disable();
if (length)
goto out;
audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
static ssize_t sel_read_mls(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
char tmpbuf[TMPBUFLEN];
ssize_t length;
length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
- security_mls_enabled(fsi->state));
+ security_mls_enabled());
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
static int sel_open_policy(struct inode *inode, struct file *filp)
{
struct selinux_fs_info *fsi = inode->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
struct policy_load_memory *plm = NULL;
int rc;
BUG_ON(filp->private_data);
- mutex_lock(&fsi->state->policy_mutex);
+ mutex_lock(&selinux_state.policy_mutex);
- rc = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ rc = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL);
if (rc)
goto err;
if (!plm)
goto err;
- rc = security_read_policy(state, &plm->data, &plm->len);
+ rc = security_read_policy(&plm->data, &plm->len);
if (rc)
goto err;
filp->private_data = plm;
- mutex_unlock(&fsi->state->policy_mutex);
+ mutex_unlock(&selinux_state.policy_mutex);
return 0;
err:
- mutex_unlock(&fsi->state->policy_mutex);
+ mutex_unlock(&selinux_state.policy_mutex);
if (plm)
vfree(plm->data);
struct policy_load_memory *plm = filp->private_data;
int ret;
- ret = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ ret = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL);
if (ret)
return ret;
ssize_t length;
void *data = NULL;
- mutex_lock(&fsi->state->policy_mutex);
+ mutex_lock(&selinux_state.policy_mutex);
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL);
if (length)
goto out;
if (copy_from_user(data, buf, count) != 0)
goto out;
- length = security_load_policy(fsi->state, data, count, &load_state);
+ length = security_load_policy(data, count, &load_state);
if (length) {
pr_warn_ratelimited("SELinux: failed to load policy\n");
goto out;
length = sel_make_policy_nodes(fsi, load_state.policy);
if (length) {
pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n");
- selinux_policy_cancel(fsi->state, &load_state);
+ selinux_policy_cancel(&load_state);
goto out;
}
- selinux_policy_commit(fsi->state, &load_state);
+ selinux_policy_commit(&load_state);
length = count;
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
out:
- mutex_unlock(&fsi->state->policy_mutex);
+ mutex_unlock(&selinux_state.policy_mutex);
vfree(data);
return length;
}
static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *canon = NULL;
u32 sid, len;
ssize_t length;
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, NULL);
if (length)
goto out;
- length = security_context_to_sid(state, buf, size, &sid, GFP_KERNEL);
+ length = security_context_to_sid(buf, size, &sid, GFP_KERNEL);
if (length)
goto out;
- length = security_sid_to_context(state, sid, &canon, &len);
+ length = security_sid_to_context(sid, &canon, &len);
if (length)
goto out;
static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
char tmpbuf[TMPBUFLEN];
ssize_t length;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
- checkreqprot_get(fsi->state));
+ checkreqprot_get());
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
char *page;
ssize_t length;
unsigned int new_value;
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT,
NULL);
if (length)
comm, current->pid);
}
- checkreqprot_set(fsi->state, (new_value ? 1 : 0));
+ checkreqprot_set((new_value ? 1 : 0));
if (new_value)
ssleep(15);
length = count;
- selinux_ima_measure_state(fsi->state);
+ selinux_ima_measure_state();
out:
kfree(page);
const char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *oldcon = NULL, *newcon = NULL, *taskcon = NULL;
char *req = NULL;
u32 osid, nsid, tsid;
u16 tclass;
int rc;
- rc = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ rc = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__VALIDATE_TRANS, NULL);
if (rc)
goto out;
if (sscanf(req, "%s %s %hu %s", oldcon, newcon, &tclass, taskcon) != 4)
goto out;
- rc = security_context_str_to_sid(state, oldcon, &osid, GFP_KERNEL);
+ rc = security_context_str_to_sid(oldcon, &osid, GFP_KERNEL);
if (rc)
goto out;
- rc = security_context_str_to_sid(state, newcon, &nsid, GFP_KERNEL);
+ rc = security_context_str_to_sid(newcon, &nsid, GFP_KERNEL);
if (rc)
goto out;
- rc = security_context_str_to_sid(state, taskcon, &tsid, GFP_KERNEL);
+ rc = security_context_str_to_sid(taskcon, &tsid, GFP_KERNEL);
if (rc)
goto out;
- rc = security_validate_transition_user(state, osid, nsid, tsid, tclass);
+ rc = security_validate_transition_user(osid, nsid, tsid, tclass);
if (!rc)
rc = count;
out:
static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *scon = NULL, *tcon = NULL;
u32 ssid, tsid;
u16 tclass;
struct av_decision avd;
ssize_t length;
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__COMPUTE_AV, NULL);
if (length)
goto out;
if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
goto out;
- length = security_context_str_to_sid(state, scon, &ssid, GFP_KERNEL);
+ length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
if (length)
goto out;
- length = security_context_str_to_sid(state, tcon, &tsid, GFP_KERNEL);
+ length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
if (length)
goto out;
- security_compute_av_user(state, ssid, tsid, tclass, &avd);
+ security_compute_av_user(ssid, tsid, tclass, &avd);
length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
"%x %x %x %x %u %x",
static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *scon = NULL, *tcon = NULL;
char *namebuf = NULL, *objname = NULL;
u32 ssid, tsid, newsid;
u32 len;
int nargs;
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE,
NULL);
if (length)
objname = namebuf;
}
- length = security_context_str_to_sid(state, scon, &ssid, GFP_KERNEL);
+ length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
if (length)
goto out;
- length = security_context_str_to_sid(state, tcon, &tsid, GFP_KERNEL);
+ length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
if (length)
goto out;
- length = security_transition_sid_user(state, ssid, tsid, tclass,
+ length = security_transition_sid_user(ssid, tsid, tclass,
objname, &newsid);
if (length)
goto out;
- length = security_sid_to_context(state, newsid, &newcon, &len);
+ length = security_sid_to_context(newsid, &newcon, &len);
if (length)
goto out;
static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *scon = NULL, *tcon = NULL;
u32 ssid, tsid, newsid;
u16 tclass;
char *newcon = NULL;
u32 len;
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL,
NULL);
if (length)
if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
goto out;
- length = security_context_str_to_sid(state, scon, &ssid, GFP_KERNEL);
+ length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
if (length)
goto out;
- length = security_context_str_to_sid(state, tcon, &tsid, GFP_KERNEL);
+ length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
if (length)
goto out;
- length = security_change_sid(state, ssid, tsid, tclass, &newsid);
+ length = security_change_sid(ssid, tsid, tclass, &newsid);
if (length)
goto out;
- length = security_sid_to_context(state, newsid, &newcon, &len);
+ length = security_sid_to_context(newsid, &newcon, &len);
if (length)
goto out;
static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *con = NULL, *user = NULL, *ptr;
u32 sid, *sids = NULL;
ssize_t length;
int i, rc;
u32 len, nsids;
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__COMPUTE_USER,
NULL);
if (length)
if (sscanf(buf, "%s %s", con, user) != 2)
goto out;
- length = security_context_str_to_sid(state, con, &sid, GFP_KERNEL);
+ length = security_context_str_to_sid(con, &sid, GFP_KERNEL);
if (length)
goto out;
- length = security_get_user_sids(state, sid, user, &sids, &nsids);
+ length = security_get_user_sids(sid, user, &sids, &nsids);
if (length)
goto out;
length = sprintf(buf, "%u", nsids) + 1;
ptr = buf + length;
for (i = 0; i < nsids; i++) {
- rc = security_sid_to_context(state, sids[i], &newcon, &len);
+ rc = security_sid_to_context(sids[i], &newcon, &len);
if (rc) {
length = rc;
goto out;
static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *scon = NULL, *tcon = NULL;
u32 ssid, tsid, newsid;
u16 tclass;
char *newcon = NULL;
u32 len;
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER,
NULL);
if (length)
if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
goto out;
- length = security_context_str_to_sid(state, scon, &ssid, GFP_KERNEL);
+ length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
if (length)
goto out;
- length = security_context_str_to_sid(state, tcon, &tsid, GFP_KERNEL);
+ length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
if (length)
goto out;
- length = security_member_sid(state, ssid, tsid, tclass, &newsid);
+ length = security_member_sid(ssid, tsid, tclass, &newsid);
if (length)
goto out;
- length = security_sid_to_context(state, newsid, &newcon, &len);
+ length = security_sid_to_context(newsid, &newcon, &len);
if (length)
goto out;
unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK;
const char *name = filep->f_path.dentry->d_name.name;
- mutex_lock(&fsi->state->policy_mutex);
+ mutex_lock(&selinux_state.policy_mutex);
ret = -EINVAL;
if (index >= fsi->bool_num || strcmp(name,
if (!page)
goto out_unlock;
- cur_enforcing = security_get_bool_value(fsi->state, index);
+ cur_enforcing = security_get_bool_value(index);
if (cur_enforcing < 0) {
ret = cur_enforcing;
goto out_unlock;
}
length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
fsi->bool_pending_values[index]);
- mutex_unlock(&fsi->state->policy_mutex);
+ mutex_unlock(&selinux_state.policy_mutex);
ret = simple_read_from_buffer(buf, count, ppos, page, length);
out_free:
free_page((unsigned long)page);
return ret;
out_unlock:
- mutex_unlock(&fsi->state->policy_mutex);
+ mutex_unlock(&selinux_state.policy_mutex);
goto out_free;
}
if (IS_ERR(page))
return PTR_ERR(page);
- mutex_lock(&fsi->state->policy_mutex);
+ mutex_lock(&selinux_state.policy_mutex);
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__SETBOOL,
NULL);
if (length)
length = count;
out:
- mutex_unlock(&fsi->state->policy_mutex);
+ mutex_unlock(&selinux_state.policy_mutex);
kfree(page);
return length;
}
if (IS_ERR(page))
return PTR_ERR(page);
- mutex_lock(&fsi->state->policy_mutex);
+ mutex_lock(&selinux_state.policy_mutex);
- length = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__SETBOOL,
NULL);
if (length)
length = 0;
if (new_value && fsi->bool_pending_values)
- length = security_set_bools(fsi->state, fsi->bool_num,
+ length = security_set_bools(fsi->bool_num,
fsi->bool_pending_values);
if (!length)
length = count;
out:
- mutex_unlock(&fsi->state->policy_mutex);
+ mutex_unlock(&selinux_state.policy_mutex);
kfree(page);
return length;
}
static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char tmpbuf[TMPBUFLEN];
ssize_t length;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
- avc_get_cache_threshold(state->avc));
+ avc_get_cache_threshold());
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *page;
ssize_t ret;
unsigned int new_value;
- ret = avc_has_perm(&selinux_state,
- current_sid(), SECINITSID_SECURITY,
+ ret = avc_has_perm(current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__SETSECPARAM,
NULL);
if (ret)
if (sscanf(page, "%u", &new_value) != 1)
goto out;
- avc_set_cache_threshold(state->avc, new_value);
+ avc_set_cache_threshold(new_value);
ret = count;
out:
static ssize_t sel_read_avc_hash_stats(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *page;
ssize_t length;
if (!page)
return -ENOMEM;
- length = avc_get_hash_stats(state->avc, page);
+ length = avc_get_hash_stats(page);
if (length >= 0)
length = simple_read_from_buffer(buf, count, ppos, page, length);
free_page((unsigned long)page);
static ssize_t sel_read_sidtab_hash_stats(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
- struct selinux_state *state = fsi->state;
char *page;
ssize_t length;
if (!page)
return -ENOMEM;
- length = security_sidtab_hash_stats(state, page);
+ length = security_sidtab_hash_stats(page);
if (length >= 0)
length = simple_read_from_buffer(buf, count, ppos, page,
length);
static ssize_t sel_read_initcon(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
char *con;
u32 sid, len;
ssize_t ret;
sid = file_inode(file)->i_ino&SEL_INO_MASK;
- ret = security_sid_to_context(fsi->state, sid, &con, &len);
+ ret = security_sid_to_context(sid, &con, &len);
if (ret)
return ret;
static ssize_t sel_read_policycap(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
int value;
char tmpbuf[TMPBUFLEN];
ssize_t length;
unsigned long i_ino = file_inode(file)->i_ino;
- value = security_policycap_supported(fsi->state, i_ino & SEL_INO_MASK);
+ value = security_policycap_supported(i_ino & SEL_INO_MASK);
length = scnprintf(tmpbuf, TMPBUFLEN, "%d", value);
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
}
-int security_mls_enabled(struct selinux_state *state)
+int security_mls_enabled(void)
{
int mls_enabled;
struct selinux_policy *policy;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
mls_enabled = policy->policydb.mls_enabled;
rcu_read_unlock();
return mls_enabled;
tclass, avd);
}
-static int security_validtrans_handle_fail(struct selinux_state *state,
- struct selinux_policy *policy,
+static int security_validtrans_handle_fail(struct selinux_policy *policy,
struct sidtab_entry *oentry,
struct sidtab_entry *nentry,
struct sidtab_entry *tentry,
kfree(n);
kfree(t);
- if (!enforcing_enabled(state))
+ if (!enforcing_enabled())
return 0;
return -EPERM;
}
-static int security_compute_validatetrans(struct selinux_state *state,
- u32 oldsid, u32 newsid, u32 tasksid,
+static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid,
u16 orig_tclass, bool user)
{
struct selinux_policy *policy;
int rc = 0;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
if (user)
rc = -EPERM;
else
- rc = security_validtrans_handle_fail(state,
- policy,
+ rc = security_validtrans_handle_fail(policy,
oentry,
nentry,
tentry,
return rc;
}
-int security_validate_transition_user(struct selinux_state *state,
- u32 oldsid, u32 newsid, u32 tasksid,
+int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,
u16 tclass)
{
- return security_compute_validatetrans(state, oldsid, newsid, tasksid,
+ return security_compute_validatetrans(oldsid, newsid, tasksid,
tclass, true);
}
-int security_validate_transition(struct selinux_state *state,
- u32 oldsid, u32 newsid, u32 tasksid,
+int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
u16 orig_tclass)
{
- return security_compute_validatetrans(state, oldsid, newsid, tasksid,
+ return security_compute_validatetrans(oldsid, newsid, tasksid,
orig_tclass, false);
}
* It returns 0, if @newsid is bounded by @oldsid.
* Otherwise, it returns error code.
*
- * @state: SELinux state
* @oldsid : current security identifier
* @newsid : destinated security identifier
*/
-int security_bounded_transition(struct selinux_state *state,
- u32 old_sid, u32 new_sid)
+int security_bounded_transition(u32 old_sid, u32 new_sid)
{
struct selinux_policy *policy;
struct policydb *policydb;
int index;
int rc;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
}
}
-void security_compute_xperms_decision(struct selinux_state *state,
- u32 ssid,
+void security_compute_xperms_decision(u32 ssid,
u32 tsid,
u16 orig_tclass,
u8 driver,
memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));
rcu_read_lock();
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
goto allow;
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
/**
* security_compute_av - Compute access vector decisions.
- * @state: SELinux state
* @ssid: source security identifier
* @tsid: target security identifier
* @orig_tclass: target security class
* Compute a set of access vector decisions based on the
* SID pair (@ssid, @tsid) for the permissions in @tclass.
*/
-void security_compute_av(struct selinux_state *state,
- u32 ssid,
+void security_compute_av(u32 ssid,
u32 tsid,
u16 orig_tclass,
struct av_decision *avd,
struct context *scontext = NULL, *tcontext = NULL;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
avd_init(policy, avd);
xperms->len = 0;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
goto allow;
policydb = &policy->policydb;
goto out;
}
-void security_compute_av_user(struct selinux_state *state,
- u32 ssid,
+void security_compute_av_user(u32 ssid,
u32 tsid,
u16 tclass,
struct av_decision *avd)
struct context *scontext = NULL, *tcontext = NULL;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
avd_init(policy, avd);
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
goto allow;
policydb = &policy->policydb;
#include "initial_sid_to_string.h"
-int security_sidtab_hash_stats(struct selinux_state *state, char *page)
+int security_sidtab_hash_stats(char *page)
{
struct selinux_policy *policy;
int rc;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
pr_err("SELinux: %s: called before initial load_policy\n",
__func__);
return -EINVAL;
}
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
rc = sidtab_hash_stats(policy->sidtab, page);
rcu_read_unlock();
return initial_sid_to_string[sid];
}
-static int security_sid_to_context_core(struct selinux_state *state,
- u32 sid, char **scontext,
+static int security_sid_to_context_core(u32 sid, char **scontext,
u32 *scontext_len, int force,
int only_invalid)
{
*scontext = NULL;
*scontext_len = 0;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
if (sid <= SECINITSID_NUM) {
char *scontextp;
const char *s = initial_sid_to_string[sid];
return -EINVAL;
}
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
/**
* security_sid_to_context - Obtain a context for a given SID.
- * @state: SELinux state
* @sid: security identifier, SID
* @scontext: security context
* @scontext_len: length in bytes
* into a dynamically allocated string of the correct size. Set @scontext
* to point to this string and set @scontext_len to the length of the string.
*/
-int security_sid_to_context(struct selinux_state *state,
- u32 sid, char **scontext, u32 *scontext_len)
+int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
{
- return security_sid_to_context_core(state, sid, scontext,
+ return security_sid_to_context_core(sid, scontext,
scontext_len, 0, 0);
}
-int security_sid_to_context_force(struct selinux_state *state, u32 sid,
+int security_sid_to_context_force(u32 sid,
char **scontext, u32 *scontext_len)
{
- return security_sid_to_context_core(state, sid, scontext,
+ return security_sid_to_context_core(sid, scontext,
scontext_len, 1, 0);
}
/**
* security_sid_to_context_inval - Obtain a context for a given SID if it
* is invalid.
- * @state: SELinux state
* @sid: security identifier, SID
* @scontext: security context
* @scontext_len: length in bytes
* this string (or NULL if the context is valid) and set @scontext_len to
* the length of the string (or 0 if the context is valid).
*/
-int security_sid_to_context_inval(struct selinux_state *state, u32 sid,
+int security_sid_to_context_inval(u32 sid,
char **scontext, u32 *scontext_len)
{
- return security_sid_to_context_core(state, sid, scontext,
+ return security_sid_to_context_core(sid, scontext,
scontext_len, 1, 1);
}
return rc;
}
-static int security_context_to_sid_core(struct selinux_state *state,
- const char *scontext, u32 scontext_len,
+static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
u32 *sid, u32 def_sid, gfp_t gfp_flags,
int force)
{
if (!scontext2)
return -ENOMEM;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
int i;
for (i = 1; i < SECINITSID_NUM; i++) {
}
retry:
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
rc = string_to_context_struct(policydb, sidtab, scontext2,
/**
* security_context_to_sid - Obtain a SID for a given security context.
- * @state: SELinux state
* @scontext: security context
* @scontext_len: length in bytes
* @sid: security identifier, SID
* Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
* memory is available, or 0 on success.
*/
-int security_context_to_sid(struct selinux_state *state,
- const char *scontext, u32 scontext_len, u32 *sid,
+int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid,
gfp_t gfp)
{
- return security_context_to_sid_core(state, scontext, scontext_len,
+ return security_context_to_sid_core(scontext, scontext_len,
sid, SECSID_NULL, gfp, 0);
}
-int security_context_str_to_sid(struct selinux_state *state,
- const char *scontext, u32 *sid, gfp_t gfp)
+int security_context_str_to_sid(const char *scontext, u32 *sid, gfp_t gfp)
{
- return security_context_to_sid(state, scontext, strlen(scontext),
+ return security_context_to_sid(scontext, strlen(scontext),
sid, gfp);
}
* security_context_to_sid_default - Obtain a SID for a given security context,
* falling back to specified default if needed.
*
- * @state: SELinux state
* @scontext: security context
* @scontext_len: length in bytes
* @sid: security identifier, SID
* Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
* memory is available, or 0 on success.
*/
-int security_context_to_sid_default(struct selinux_state *state,
- const char *scontext, u32 scontext_len,
+int security_context_to_sid_default(const char *scontext, u32 scontext_len,
u32 *sid, u32 def_sid, gfp_t gfp_flags)
{
- return security_context_to_sid_core(state, scontext, scontext_len,
+ return security_context_to_sid_core(scontext, scontext_len,
sid, def_sid, gfp_flags, 1);
}
-int security_context_to_sid_force(struct selinux_state *state,
- const char *scontext, u32 scontext_len,
+int security_context_to_sid_force(const char *scontext, u32 scontext_len,
u32 *sid)
{
- return security_context_to_sid_core(state, scontext, scontext_len,
+ return security_context_to_sid_core(scontext, scontext_len,
sid, SECSID_NULL, GFP_KERNEL, 1);
}
static int compute_sid_handle_invalid_context(
- struct selinux_state *state,
struct selinux_policy *policy,
struct sidtab_entry *sentry,
struct sidtab_entry *tentry,
kfree(s);
kfree(t);
kfree(n);
- if (!enforcing_enabled(state))
+ if (!enforcing_enabled())
return 0;
return -EACCES;
}
}
}
-static int security_compute_sid(struct selinux_state *state,
- u32 ssid,
+static int security_compute_sid(u32 ssid,
u32 tsid,
u16 orig_tclass,
u32 specified,
int rc = 0;
bool sock;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
switch (orig_tclass) {
case SECCLASS_PROCESS: /* kernel value */
*out_sid = ssid;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
if (kern) {
tclass = unmap_class(&policy->map, orig_tclass);
/* Check the validity of the context. */
if (!policydb_context_isvalid(policydb, &newcontext)) {
- rc = compute_sid_handle_invalid_context(state, policy, sentry,
+ rc = compute_sid_handle_invalid_context(policy, sentry,
tentry, tclass,
&newcontext);
if (rc)
/**
* security_transition_sid - Compute the SID for a new subject/object.
- * @state: SELinux state
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* if insufficient memory is available, or %0 if the new SID was
* computed successfully.
*/
-int security_transition_sid(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
const struct qstr *qstr, u32 *out_sid)
{
- return security_compute_sid(state, ssid, tsid, tclass,
+ return security_compute_sid(ssid, tsid, tclass,
AVTAB_TRANSITION,
qstr ? qstr->name : NULL, out_sid, true);
}
-int security_transition_sid_user(struct selinux_state *state,
- u32 ssid, u32 tsid, u16 tclass,
+int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
const char *objname, u32 *out_sid)
{
- return security_compute_sid(state, ssid, tsid, tclass,
+ return security_compute_sid(ssid, tsid, tclass,
AVTAB_TRANSITION,
objname, out_sid, false);
}
/**
* security_member_sid - Compute the SID for member selection.
- * @state: SELinux state
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* if insufficient memory is available, or %0 if the SID was
* computed successfully.
*/
-int security_member_sid(struct selinux_state *state,
- u32 ssid,
+int security_member_sid(u32 ssid,
u32 tsid,
u16 tclass,
u32 *out_sid)
{
- return security_compute_sid(state, ssid, tsid, tclass,
+ return security_compute_sid(ssid, tsid, tclass,
AVTAB_MEMBER, NULL,
out_sid, false);
}
/**
* security_change_sid - Compute the SID for object relabeling.
- * @state: SELinux state
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* if insufficient memory is available, or %0 if the SID was
* computed successfully.
*/
-int security_change_sid(struct selinux_state *state,
- u32 ssid,
+int security_change_sid(u32 ssid,
u32 tsid,
u16 tclass,
u32 *out_sid)
{
- return security_compute_sid(state,
- ssid, tsid, tclass, AVTAB_CHANGE, NULL,
+ return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,
out_sid, false);
}
static inline int convert_context_handle_invalid_context(
- struct selinux_state *state,
struct policydb *policydb,
struct context *context)
{
char *s;
u32 len;
- if (enforcing_enabled(state))
+ if (enforcing_enabled())
return -EINVAL;
if (!context_struct_to_string(policydb, context, &s, &len)) {
/* Check the validity of the new context. */
if (!policydb_context_isvalid(args->newp, newc)) {
- rc = convert_context_handle_invalid_context(args->state,
- args->oldp, oldc);
+ rc = convert_context_handle_invalid_context(args->oldp, oldc);
if (rc)
goto bad;
}
return 0;
}
-static void security_load_policycaps(struct selinux_state *state,
- struct selinux_policy *policy)
+static void security_load_policycaps(struct selinux_policy *policy)
{
struct policydb *p;
unsigned int i;
p = &policy->policydb;
- for (i = 0; i < ARRAY_SIZE(state->policycap); i++)
- WRITE_ONCE(state->policycap[i],
+ for (i = 0; i < ARRAY_SIZE(selinux_state.policycap); i++)
+ WRITE_ONCE(selinux_state.policycap[i],
ebitmap_get_bit(&p->policycaps, i));
for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
kfree(policy);
}
-void selinux_policy_cancel(struct selinux_state *state,
- struct selinux_load_state *load_state)
+void selinux_policy_cancel(struct selinux_load_state *load_state)
{
+ struct selinux_state *state = &selinux_state;
struct selinux_policy *oldpolicy;
oldpolicy = rcu_dereference_protected(state->policy,
kfree(load_state->convert_data);
}
-static void selinux_notify_policy_change(struct selinux_state *state,
- u32 seqno)
+static void selinux_notify_policy_change(u32 seqno)
{
/* Flush external caches and notify userspace of policy load */
- avc_ss_reset(state->avc, seqno);
+ avc_ss_reset(seqno);
selnl_notify_policyload(seqno);
- selinux_status_update_policyload(state, seqno);
+ selinux_status_update_policyload(seqno);
selinux_netlbl_cache_invalidate();
selinux_xfrm_notify_policyload();
- selinux_ima_measure_state_locked(state);
+ selinux_ima_measure_state_locked();
}
-void selinux_policy_commit(struct selinux_state *state,
- struct selinux_load_state *load_state)
+void selinux_policy_commit(struct selinux_load_state *load_state)
{
+ struct selinux_state *state = &selinux_state;
struct selinux_policy *oldpolicy, *newpolicy = load_state->policy;
unsigned long flags;
u32 seqno;
}
/* Load the policycaps from the new policy */
- security_load_policycaps(state, newpolicy);
+ security_load_policycaps(newpolicy);
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
/*
* After first policy load, the security server is
* marked as initialized and ready to handle requests and
* any objects created prior to policy load are then labeled.
*/
- selinux_mark_initialized(state);
+ selinux_mark_initialized();
selinux_complete_init();
}
kfree(load_state->convert_data);
/* Notify others of the policy change */
- selinux_notify_policy_change(state, seqno);
+ selinux_notify_policy_change(seqno);
}
/**
* security_load_policy - Load a security policy configuration.
- * @state: SELinux state
* @data: binary policy data
* @len: length of data in bytes
* @load_state: policy load state
* This function will flush the access vector cache after
* loading the new policy.
*/
-int security_load_policy(struct selinux_state *state, void *data, size_t len,
+int security_load_policy(void *data, size_t len,
struct selinux_load_state *load_state)
{
+ struct selinux_state *state = &selinux_state;
struct selinux_policy *newpolicy, *oldpolicy;
struct selinux_policy_convert_data *convert_data;
int rc = 0;
goto err_mapping;
}
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
/* First policy load, so no need to preserve state from old policy */
load_state->policy = newpolicy;
load_state->convert_data = NULL;
goto err_free_isids;
}
- convert_data->args.state = state;
convert_data->args.oldp = &oldpolicy->policydb;
convert_data->args.newp = &newpolicy->policydb;
/**
* security_port_sid - Obtain the SID for a port.
- * @state: SELinux state
* @protocol: protocol number
* @port: port number
* @out_sid: security identifier
*/
-int security_port_sid(struct selinux_state *state,
- u8 protocol, u16 port, u32 *out_sid)
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
{
struct selinux_policy *policy;
struct policydb *policydb;
struct ocontext *c;
int rc;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
*out_sid = SECINITSID_PORT;
return 0;
}
retry:
rc = 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
/**
* security_ib_pkey_sid - Obtain the SID for a pkey.
- * @state: SELinux state
* @subnet_prefix: Subnet Prefix
* @pkey_num: pkey number
* @out_sid: security identifier
*/
-int security_ib_pkey_sid(struct selinux_state *state,
- u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
+int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
{
struct selinux_policy *policy;
struct policydb *policydb;
struct ocontext *c;
int rc;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
*out_sid = SECINITSID_UNLABELED;
return 0;
}
retry:
rc = 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
/**
* security_ib_endport_sid - Obtain the SID for a subnet management interface.
- * @state: SELinux state
* @dev_name: device name
* @port_num: port number
* @out_sid: security identifier
*/
-int security_ib_endport_sid(struct selinux_state *state,
- const char *dev_name, u8 port_num, u32 *out_sid)
+int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
{
struct selinux_policy *policy;
struct policydb *policydb;
struct ocontext *c;
int rc;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
*out_sid = SECINITSID_UNLABELED;
return 0;
}
retry:
rc = 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
/**
* security_netif_sid - Obtain the SID for a network interface.
- * @state: SELinux state
* @name: interface name
* @if_sid: interface SID
*/
-int security_netif_sid(struct selinux_state *state,
- char *name, u32 *if_sid)
+int security_netif_sid(char *name, u32 *if_sid)
{
struct selinux_policy *policy;
struct policydb *policydb;
int rc;
struct ocontext *c;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
*if_sid = SECINITSID_NETIF;
return 0;
}
retry:
rc = 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
/**
* security_node_sid - Obtain the SID for a node (host).
- * @state: SELinux state
* @domain: communication domain aka address family
* @addrp: address
* @addrlen: address length in bytes
* @out_sid: security identifier
*/
-int security_node_sid(struct selinux_state *state,
- u16 domain,
+int security_node_sid(u16 domain,
void *addrp,
u32 addrlen,
u32 *out_sid)
int rc;
struct ocontext *c;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
*out_sid = SECINITSID_NODE;
return 0;
}
retry:
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
/**
* security_get_user_sids - Obtain reachable SIDs for a user.
- * @state: SELinux state
* @fromsid: starting SID
* @username: username
* @sids: array of reachable SIDs for user
* number of elements in the array.
*/
-int security_get_user_sids(struct selinux_state *state,
- u32 fromsid,
+int security_get_user_sids(u32 fromsid,
char *username,
u32 **sids,
u32 *nel)
*sids = NULL;
*nel = 0;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
mysids = kcalloc(maxnel, sizeof(*mysids), GFP_KERNEL);
retry:
mynel = 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
}
for (i = 0, j = 0; i < mynel; i++) {
struct av_decision dummy_avd;
- rc = avc_has_perm_noaudit(state,
- fromsid, mysids[i],
+ rc = avc_has_perm_noaudit(fromsid, mysids[i],
SECCLASS_PROCESS, /* kernel value */
PROCESS__TRANSITION, AVC_STRICT,
&dummy_avd);
/**
* security_genfs_sid - Obtain a SID for a file in a filesystem
- * @state: SELinux state
* @fstype: filesystem type
* @path: path from root of mount
* @orig_sclass: file security class
* Acquire policy_rwlock before calling __security_genfs_sid() and release
* it afterward.
*/
-int security_genfs_sid(struct selinux_state *state,
- const char *fstype,
+int security_genfs_sid(const char *fstype,
const char *path,
u16 orig_sclass,
u32 *sid)
struct selinux_policy *policy;
int retval;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
*sid = SECINITSID_UNLABELED;
return 0;
}
do {
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
retval = __security_genfs_sid(policy, fstype, path,
orig_sclass, sid);
rcu_read_unlock();
/**
* security_fs_use - Determine how to handle labeling for a filesystem.
- * @state: SELinux state
* @sb: superblock in question
*/
-int security_fs_use(struct selinux_state *state, struct super_block *sb)
+int security_fs_use(struct super_block *sb)
{
struct selinux_policy *policy;
struct policydb *policydb;
struct superblock_security_struct *sbsec = selinux_superblock(sb);
const char *fstype = sb->s_type->name;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
sbsec->behavior = SECURITY_FS_USE_NONE;
sbsec->sid = SECINITSID_UNLABELED;
return 0;
retry:
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
}
-int security_set_bools(struct selinux_state *state, u32 len, int *values)
+int security_set_bools(u32 len, int *values)
{
+ struct selinux_state *state = &selinux_state;
struct selinux_policy *newpolicy, *oldpolicy;
int rc;
u32 i, seqno = 0;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return -EINVAL;
oldpolicy = rcu_dereference_protected(state->policy,
selinux_policy_cond_free(oldpolicy);
/* Notify others of the policy change */
- selinux_notify_policy_change(state, seqno);
+ selinux_notify_policy_change(seqno);
return 0;
}
-int security_get_bool_value(struct selinux_state *state,
- u32 index)
+int security_get_bool_value(u32 index)
{
struct selinux_policy *policy;
struct policydb *policydb;
int rc;
u32 len;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
rc = -EFAULT;
* security_sid_mls_copy() - computes a new sid based on the given
* sid and the mls portion of mls_sid.
*/
-int security_sid_mls_copy(struct selinux_state *state,
- u32 sid, u32 mls_sid, u32 *new_sid)
+int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
{
struct selinux_policy *policy;
struct policydb *policydb;
u32 len;
int rc;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
*new_sid = sid;
return 0;
}
context_init(&newcon);
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
/* Check the validity of the new context. */
if (!policydb_context_isvalid(policydb, &newcon)) {
- rc = convert_context_handle_invalid_context(state, policydb,
+ rc = convert_context_handle_invalid_context(policydb,
&newcon);
if (rc) {
if (!context_struct_to_string(policydb, &newcon, &s,
/**
* security_net_peersid_resolve - Compare and resolve two network peer SIDs
- * @state: SELinux state
* @nlbl_sid: NetLabel SID
* @nlbl_type: NetLabel labeling protocol type
* @xfrm_sid: XFRM SID
* multiple, inconsistent labels | -<errno> | SECSID_NULL
*
*/
-int security_net_peersid_resolve(struct selinux_state *state,
- u32 nlbl_sid, u32 nlbl_type,
+int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
u32 xfrm_sid,
u32 *peer_sid)
{
return 0;
}
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
return rc;
}
-int security_get_reject_unknown(struct selinux_state *state)
+int security_get_reject_unknown(void)
{
struct selinux_policy *policy;
int value;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
value = policy->policydb.reject_unknown;
rcu_read_unlock();
return value;
}
-int security_get_allow_unknown(struct selinux_state *state)
+int security_get_allow_unknown(void)
{
struct selinux_policy *policy;
int value;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
value = policy->policydb.allow_unknown;
rcu_read_unlock();
return value;
/**
* security_policycap_supported - Check for a specific policy capability
- * @state: SELinux state
* @req_cap: capability
*
* Description:
* supported, false (0) if it isn't supported.
*
*/
-int security_policycap_supported(struct selinux_state *state,
- unsigned int req_cap)
+int security_policycap_supported(unsigned int req_cap)
{
struct selinux_policy *policy;
int rc;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
rc = ebitmap_get_bit(&policy->policydb.policycaps, req_cap);
rcu_read_unlock();
*rule = NULL;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return -EOPNOTSUPP;
switch (field) {
return -ENOENT;
}
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
/**
* security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
- * @state: SELinux state
* @secattr: the NetLabel packet security attributes
* @sid: the SELinux SID
*
* failure.
*
*/
-int security_netlbl_secattr_to_sid(struct selinux_state *state,
- struct netlbl_lsm_secattr *secattr,
+int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
u32 *sid)
{
struct selinux_policy *policy;
struct context *ctx;
struct context ctx_new;
- if (!selinux_initialized(state)) {
+ if (!selinux_initialized()) {
*sid = SECSID_NULL;
return 0;
}
retry:
rc = 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
sidtab = policy->sidtab;
/**
* security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
- * @state: SELinux state
* @sid: the SELinux SID
* @secattr: the NetLabel packet security attributes
*
* Returns zero on success, negative values on failure.
*
*/
-int security_netlbl_sid_to_secattr(struct selinux_state *state,
- u32 sid, struct netlbl_lsm_secattr *secattr)
+int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
{
struct selinux_policy *policy;
struct policydb *policydb;
int rc;
struct context *ctx;
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return 0;
rcu_read_lock();
- policy = rcu_dereference(state->policy);
+ policy = rcu_dereference(selinux_state.policy);
policydb = &policy->policydb;
rc = -ENOENT;
/**
* security_read_policy - read the policy.
- * @state: selinux_state
* @data: binary policy data
* @len: length of data in bytes
*
*/
-int security_read_policy(struct selinux_state *state,
- void **data, size_t *len)
+int security_read_policy(void **data, size_t *len)
{
+ struct selinux_state *state = &selinux_state;
struct selinux_policy *policy;
policy = rcu_dereference_protected(
/**
* security_read_state_kernel - read the policy.
- * @state: selinux_state
* @data: binary policy data
* @len: length of data in bytes
*
*
* This function must be called with policy_mutex held.
*/
-int security_read_state_kernel(struct selinux_state *state,
- void **data, size_t *len)
+int security_read_state_kernel(void **data, size_t *len)
{
int err;
+ struct selinux_state *state = &selinux_state;
struct selinux_policy *policy;
policy = rcu_dereference_protected(
} __randomize_layout;
struct convert_context_args {
- struct selinux_state *state;
struct policydb *oldp;
struct policydb *newp;
};
* It returns a reference to selinux_status_page. If the status page is
* not allocated yet, it also tries to allocate it at the first time.
*/
-struct page *selinux_kernel_status_page(struct selinux_state *state)
+struct page *selinux_kernel_status_page(void)
{
struct selinux_kernel_status *status;
struct page *result = NULL;
- mutex_lock(&state->status_lock);
- if (!state->status_page) {
- state->status_page = alloc_page(GFP_KERNEL|__GFP_ZERO);
+ mutex_lock(&selinux_state.status_lock);
+ if (!selinux_state.status_page) {
+ selinux_state.status_page = alloc_page(GFP_KERNEL|__GFP_ZERO);
- if (state->status_page) {
- status = page_address(state->status_page);
+ if (selinux_state.status_page) {
+ status = page_address(selinux_state.status_page);
status->version = SELINUX_KERNEL_STATUS_VERSION;
status->sequence = 0;
- status->enforcing = enforcing_enabled(state);
+ status->enforcing = enforcing_enabled();
/*
* NOTE: the next policyload event shall set
* a positive value on the status->policyload,
*/
status->policyload = 0;
status->deny_unknown =
- !security_get_allow_unknown(state);
+ !security_get_allow_unknown();
}
}
- result = state->status_page;
- mutex_unlock(&state->status_lock);
+ result = selinux_state.status_page;
+ mutex_unlock(&selinux_state.status_lock);
return result;
}
*
* It updates status of the current enforcing/permissive mode.
*/
-void selinux_status_update_setenforce(struct selinux_state *state,
- int enforcing)
+void selinux_status_update_setenforce(int enforcing)
{
struct selinux_kernel_status *status;
- mutex_lock(&state->status_lock);
- if (state->status_page) {
- status = page_address(state->status_page);
+ mutex_lock(&selinux_state.status_lock);
+ if (selinux_state.status_page) {
+ status = page_address(selinux_state.status_page);
status->sequence++;
smp_wmb();
smp_wmb();
status->sequence++;
}
- mutex_unlock(&state->status_lock);
+ mutex_unlock(&selinux_state.status_lock);
}
/*
* It updates status of the times of policy reloaded, and current
* setting of deny_unknown.
*/
-void selinux_status_update_policyload(struct selinux_state *state,
- int seqno)
+void selinux_status_update_policyload(int seqno)
{
struct selinux_kernel_status *status;
- mutex_lock(&state->status_lock);
- if (state->status_page) {
- status = page_address(state->status_page);
+ mutex_lock(&selinux_state.status_lock);
+ if (selinux_state.status_page) {
+ status = page_address(selinux_state.status_page);
status->sequence++;
smp_wmb();
status->policyload = seqno;
- status->deny_unknown = !security_get_allow_unknown(state);
+ status->deny_unknown = !security_get_allow_unknown();
smp_wmb();
status->sequence++;
}
- mutex_unlock(&state->status_lock);
+ mutex_unlock(&selinux_state.status_lock);
}
ctx->ctx_len = str_len;
memcpy(ctx->ctx_str, &uctx[1], str_len);
ctx->ctx_str[str_len] = '\0';
- rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len,
+ rc = security_context_to_sid(ctx->ctx_str, str_len,
&ctx->ctx_sid, gfp);
if (rc)
goto err;
- rc = avc_has_perm(&selinux_state,
- tsec->sid, ctx->ctx_sid,
+ rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
if (rc)
goto err;
if (!ctx)
return 0;
- return avc_has_perm(&selinux_state,
- tsec->sid, ctx->ctx_sid,
+ return avc_has_perm(tsec->sid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
NULL);
}
if (!selinux_authorizable_ctx(ctx))
return -EINVAL;
- rc = avc_has_perm(&selinux_state,
- fl_secid, ctx->ctx_sid,
+ rc = avc_has_perm(fl_secid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
return (rc == -EACCES ? -ESRCH : rc);
}
/* We don't need a separate SA Vs. policy polmatch check since the SA
* is now of the same label as the flow and a flow Vs. policy polmatch
* check had already happened in selinux_xfrm_policy_lookup() above. */
- return (avc_has_perm(&selinux_state, flic_sid, state_sid,
+ return (avc_has_perm(flic_sid, state_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
NULL) ? 0 : 1);
}
if (secid == 0)
return -EINVAL;
- rc = security_sid_to_context(&selinux_state, secid, &ctx_str,
+ rc = security_sid_to_context(secid, &ctx_str,
&str_len);
if (rc)
return rc;
/* This check even when there's no association involved is intended,
* according to Trent Jaeger, to make sure a process can't engage in
* non-IPsec communication unless explicitly allowed by policy. */
- return avc_has_perm(&selinux_state,
- sk_sid, peer_sid,
+ return avc_has_perm(sk_sid, peer_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
}
/* This check even when there's no association involved is intended,
* according to Trent Jaeger, to make sure a process can't engage in
* non-IPsec communication unless explicitly allowed by policy. */
- return avc_has_perm(&selinux_state, sk_sid, SECINITSID_UNLABELED,
+ return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
}
projects / users / hch / configfs.git / commitdiff