korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-30 23:54:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

selinux: kill selinux_sb_get_mnt_opts()

Browse Source 
it's much easier to just do the right thing in ->sb_show_options(),
without bothering with allocating and populating arrays, etc.

Reviewed-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Al Viro 2018-12-13 00:24:36 -05:00
parent 5b40023911
commit e3489f8974
1 changed files with 52 additions and 148 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

196
security/selinux/hooks.c
View File

@ -591,105 +591,6 @@ out:
return rc; return rc;
} }
/*
* This function should allow an FS to ask what it's mount security
* options were so it can use those later for submounts, displaying
* mount options, or whatever.
*/
static int selinux_get_mnt_opts(const struct super_block *sb,
struct security_mnt_opts *opts)
{
int rc = 0, i;
struct superblock_security_struct *sbsec = sb->s_security;
char *context = NULL;
u32 len;
char tmp;
security_init_mnt_opts(opts);
if (!(sbsec->flags & SE_SBINITIALIZED))
return -EINVAL;
if (!selinux_state.initialized)
return -EINVAL;
/* make sure we always check enough bits to cover the mask */
BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
tmp = sbsec->flags & SE_MNTMASK;
/* count the number of mount options for this sb */
for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
if (tmp & 0x01)
opts->num_mnt_opts++;
tmp >>= 1;
}
/* Check if the Label support flag is set */
if (sbsec->flags & SBLABEL_MNT)
opts->num_mnt_opts++;
opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
if (!opts->mnt_opts) {
rc = -ENOMEM;
goto out_free;
}
opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
if (!opts->mnt_opts_flags) {
rc = -ENOMEM;
goto out_free;
}
i = 0;
if (sbsec->flags & FSCONTEXT_MNT) {
rc = security_sid_to_context(&selinux_state, sbsec->sid,
&context, &len);
if (rc)
goto out_free;
opts->mnt_opts[i] = context;
opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
}
if (sbsec->flags & CONTEXT_MNT) {
rc = security_sid_to_context(&selinux_state,
sbsec->mntpoint_sid,
&context, &len);
if (rc)
goto out_free;
opts->mnt_opts[i] = context;
opts->mnt_opts_flags[i++] = CONTEXT_MNT;
}
if (sbsec->flags & DEFCONTEXT_MNT) {
rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
&context, &len);
if (rc)
goto out_free;
opts->mnt_opts[i] = context;
opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct dentry *root = sbsec->sb->s_root;
struct inode_security_struct *isec = backing_inode_security(root);
rc = security_sid_to_context(&selinux_state, isec->sid,
&context, &len);
if (rc)
goto out_free;
opts->mnt_opts[i] = context;
opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
}
if (sbsec->flags & SBLABEL_MNT) {
opts->mnt_opts[i] = NULL;
opts->mnt_opts_flags[i++] = SBLABEL_MNT;
}
BUG_ON(i != opts->num_mnt_opts);
return 0;
out_free:
security_free_mnt_opts(opts);
return rc;
}
static int bad_option(struct superblock_security_struct *sbsec, char flag, static int bad_option(struct superblock_security_struct *sbsec, char flag,
u32 old_sid, u32 new_sid) u32 old_sid, u32 new_sid)
{ {
@ -1201,71 +1102,74 @@ out_err:
return rc; return rc;
} }
static void selinux_write_opts(struct seq_file *m, static int show_sid(struct seq_file *m, u32 sid)
struct security_mnt_opts *opts)
{ {
int i; char *context = NULL;
char *prefix; u32 len;
int rc;
for (i = 0; i < opts->num_mnt_opts; i++) { rc = security_sid_to_context(&selinux_state, sid,
char *has_comma; &context, &len);
if (!rc) {
bool has_comma = context && strchr(context, ',');
if (opts->mnt_opts[i])
has_comma = strchr(opts->mnt_opts[i], ',');
else
has_comma = NULL;
switch (opts->mnt_opts_flags[i]) {
case CONTEXT_MNT:
prefix = CONTEXT_STR;
break;
case FSCONTEXT_MNT:
prefix = FSCONTEXT_STR;
break;
case ROOTCONTEXT_MNT:
prefix = ROOTCONTEXT_STR;
break;
case DEFCONTEXT_MNT:
prefix = DEFCONTEXT_STR;
break;
case SBLABEL_MNT:
seq_putc(m, ',');
seq_puts(m, LABELSUPP_STR);
continue;
default:
BUG();
return;
};
/* we need a comma before each option */
seq_putc(m, ',');
seq_puts(m, prefix);
if (has_comma) if (has_comma)
seq_putc(m, '\"'); seq_putc(m, '\"');
seq_escape(m, opts->mnt_opts[i], "\"\n\\"); seq_escape(m, context, "\"\n\\");
if (has_comma) if (has_comma)
seq_putc(m, '\"'); seq_putc(m, '\"');
} }
kfree(context);
return rc;
} }
static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
{ {
struct security_mnt_opts opts; struct superblock_security_struct *sbsec = sb->s_security;
int rc; int rc;
rc = selinux_get_mnt_opts(sb, &opts); if (!(sbsec->flags & SE_SBINITIALIZED))
if (rc) { return 0;
/* before policy load we may get EINVAL, don't show anything */
if (rc == -EINVAL) if (!selinux_state.initialized)
rc = 0; return 0;
if (sbsec->flags & FSCONTEXT_MNT) {
seq_putc(m, ',');
seq_puts(m, FSCONTEXT_STR);
rc = show_sid(m, sbsec->sid);
if (rc)
return rc; return rc;
} }
if (sbsec->flags & CONTEXT_MNT) {
selinux_write_opts(m, &opts); seq_putc(m, ',');
seq_puts(m, CONTEXT_STR);
security_free_mnt_opts(&opts); rc = show_sid(m, sbsec->mntpoint_sid);
if (rc)
return rc; return rc;
} }
if (sbsec->flags & DEFCONTEXT_MNT) {
seq_putc(m, ',');
seq_puts(m, DEFCONTEXT_STR);
rc = show_sid(m, sbsec->def_sid);
if (rc)
return rc;
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct dentry *root = sbsec->sb->s_root;
struct inode_security_struct *isec = backing_inode_security(root);
seq_putc(m, ',');
seq_puts(m, ROOTCONTEXT_STR);
rc = show_sid(m, isec->sid);
if (rc)
return rc;
}
if (sbsec->flags & SBLABEL_MNT) {
seq_putc(m, ',');
seq_puts(m, LABELSUPP_STR);
}
return 0;
}
static inline u16 inode_mode_to_security_class(umode_t mode) static inline u16 inode_mode_to_security_class(umode_t mode)
{ {