Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: "Highlights for this window: - improved AVC hashing for SELinux by John Brooks and Stephen Smalley - addition of an unconfined label to Smack - Smack documentation update - TPM driver updates" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (28 commits) lsm: copy comm before calling audit_log to avoid race in string printing tomoyo: Do not generate empty policy files tomoyo: Use if_changed when generating builtin-policy.h tomoyo: Use bin2c to generate builtin-policy.h selinux: increase avtab max buckets selinux: Use a better hash function for avtab selinux: convert avtab hash table to flex_array selinux: reconcile security_netlbl_secattr_to_sid() and mls_import_netlbl_cat() selinux: remove unnecessary pointer reassignment Smack: Updates for Smack documentation tpm/st33zp24/spi: Add missing device table for spi phy. tpm/st33zp24: Add proper wait for ordinal duration in case of irq mode smack: Fix gcc warning from unused smack_syslog_lock mutex in smackfs.c Smack: Allow an unconfined label in bringup mode Smack: getting the Smack security context of keys Smack: Assign smack_known_web as default smk_in label for kernel thread's socket tpm/tpm_infineon: Use struct dev_pm_ops for power management MAINTAINERS: Add Jason as designated reviewer for TPM tpm: Update KConfig text to include TPM2.0 FIFO chips tpm/st33zp24/dts/st33zp24-spi: Add dts documentation for st33zp24 spi phy ...
This commit is contained in:
Linus Torvalds
@@ -724,12 +724,10 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
|
||||
rcu_read_lock();
|
||||
|
||||
node = avc_lookup(ssid, tsid, tclass);
|
||||
if (unlikely(!node)) {
|
||||
if (unlikely(!node))
|
||||
node = avc_compute_av(ssid, tsid, tclass, avd);
|
||||
} else {
|
||||
else
|
||||
memcpy(avd, &node->ae.avd, sizeof(*avd));
|
||||
avd = &node->ae.avd;
|
||||
}
|
||||
|
||||
denied = requested & ~(avd->allowed);
|
||||
if (unlikely(denied))
|
||||
|
||||
@@ -25,10 +25,43 @@
|
||||
|
||||
static struct kmem_cache *avtab_node_cachep;
|
||||
|
||||
static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
|
||||
/* Based on MurmurHash3, written by Austin Appleby and placed in the
|
||||
* public domain.
|
||||
*/
|
||||
static inline int avtab_hash(struct avtab_key *keyp, u32 mask)
|
||||
{
|
||||
return ((keyp->target_class + (keyp->target_type << 2) +
|
||||
(keyp->source_type << 9)) & mask);
|
||||
static const u32 c1 = 0xcc9e2d51;
|
||||
static const u32 c2 = 0x1b873593;
|
||||
static const u32 r1 = 15;
|
||||
static const u32 r2 = 13;
|
||||
static const u32 m = 5;
|
||||
static const u32 n = 0xe6546b64;
|
||||
|
||||
u32 hash = 0;
|
||||
|
||||
#define mix(input) { \
|
||||
u32 v = input; \
|
||||
v *= c1; \
|
||||
v = (v << r1) | (v >> (32 - r1)); \
|
||||
v *= c2; \
|
||||
hash ^= v; \
|
||||
hash = (hash << r2) | (hash >> (32 - r2)); \
|
||||
hash = hash * m + n; \
|
||||
}
|
||||
|
||||
mix(keyp->target_class);
|
||||
mix(keyp->target_type);
|
||||
mix(keyp->source_type);
|
||||
|
||||
#undef mix
|
||||
|
||||
hash ^= hash >> 16;
|
||||
hash *= 0x85ebca6b;
|
||||
hash ^= hash >> 13;
|
||||
hash *= 0xc2b2ae35;
|
||||
hash ^= hash >> 16;
|
||||
|
||||
return hash & mask;
|
||||
}
|
||||
|
||||
static struct avtab_node*
|
||||
@@ -46,8 +79,12 @@ avtab_insert_node(struct avtab *h, int hvalue,
|
||||
newnode->next = prev->next;
|
||||
prev->next = newnode;
|
||||
} else {
|
||||
newnode->next = h->htable[hvalue];
|
||||
h->htable[hvalue] = newnode;
|
||||
newnode->next = flex_array_get_ptr(h->htable, hvalue);
|
||||
if (flex_array_put_ptr(h->htable, hvalue, newnode,
|
||||
GFP_KERNEL|__GFP_ZERO)) {
|
||||
kmem_cache_free(avtab_node_cachep, newnode);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
h->nel++;
|
||||
@@ -64,7 +101,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
|
||||
return -EINVAL;
|
||||
|
||||
hvalue = avtab_hash(key, h->mask);
|
||||
for (prev = NULL, cur = h->htable[hvalue];
|
||||
for (prev = NULL, cur = flex_array_get_ptr(h->htable, hvalue);
|
||||
cur;
|
||||
prev = cur, cur = cur->next) {
|
||||
if (key->source_type == cur->key.source_type &&
|
||||
@@ -104,7 +141,7 @@ avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datu
|
||||
if (!h || !h->htable)
|
||||
return NULL;
|
||||
hvalue = avtab_hash(key, h->mask);
|
||||
for (prev = NULL, cur = h->htable[hvalue];
|
||||
for (prev = NULL, cur = flex_array_get_ptr(h->htable, hvalue);
|
||||
cur;
|
||||
prev = cur, cur = cur->next) {
|
||||
if (key->source_type == cur->key.source_type &&
|
||||
@@ -135,7 +172,8 @@ struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key)
|
||||
return NULL;
|
||||
|
||||
hvalue = avtab_hash(key, h->mask);
|
||||
for (cur = h->htable[hvalue]; cur; cur = cur->next) {
|
||||
for (cur = flex_array_get_ptr(h->htable, hvalue); cur;
|
||||
cur = cur->next) {
|
||||
if (key->source_type == cur->key.source_type &&
|
||||
key->target_type == cur->key.target_type &&
|
||||
key->target_class == cur->key.target_class &&
|
||||
@@ -170,7 +208,8 @@ avtab_search_node(struct avtab *h, struct avtab_key *key)
|
||||
return NULL;
|
||||
|
||||
hvalue = avtab_hash(key, h->mask);
|
||||
for (cur = h->htable[hvalue]; cur; cur = cur->next) {
|
||||
for (cur = flex_array_get_ptr(h->htable, hvalue); cur;
|
||||
cur = cur->next) {
|
||||
if (key->source_type == cur->key.source_type &&
|
||||
key->target_type == cur->key.target_type &&
|
||||
key->target_class == cur->key.target_class &&
|
||||
@@ -228,15 +267,14 @@ void avtab_destroy(struct avtab *h)
|
||||
return;
|
||||
|
||||
for (i = 0; i < h->nslot; i++) {
|
||||
cur = h->htable[i];
|
||||
cur = flex_array_get_ptr(h->htable, i);
|
||||
while (cur) {
|
||||
temp = cur;
|
||||
cur = cur->next;
|
||||
kmem_cache_free(avtab_node_cachep, temp);
|
||||
}
|
||||
h->htable[i] = NULL;
|
||||
}
|
||||
kfree(h->htable);
|
||||
flex_array_free(h->htable);
|
||||
h->htable = NULL;
|
||||
h->nslot = 0;
|
||||
h->mask = 0;
|
||||
@@ -251,7 +289,7 @@ int avtab_init(struct avtab *h)
|
||||
|
||||
int avtab_alloc(struct avtab *h, u32 nrules)
|
||||
{
|
||||
u16 mask = 0;
|
||||
u32 mask = 0;
|
||||
u32 shift = 0;
|
||||
u32 work = nrules;
|
||||
u32 nslot = 0;
|
||||
@@ -270,7 +308,8 @@ int avtab_alloc(struct avtab *h, u32 nrules)
|
||||
nslot = MAX_AVTAB_HASH_BUCKETS;
|
||||
mask = nslot - 1;
|
||||
|
||||
h->htable = kcalloc(nslot, sizeof(*(h->htable)), GFP_KERNEL);
|
||||
h->htable = flex_array_alloc(sizeof(struct avtab_node *), nslot,
|
||||
GFP_KERNEL | __GFP_ZERO);
|
||||
if (!h->htable)
|
||||
return -ENOMEM;
|
||||
|
||||
@@ -293,7 +332,7 @@ void avtab_hash_eval(struct avtab *h, char *tag)
|
||||
max_chain_len = 0;
|
||||
chain2_len_sum = 0;
|
||||
for (i = 0; i < h->nslot; i++) {
|
||||
cur = h->htable[i];
|
||||
cur = flex_array_get_ptr(h->htable, i);
|
||||
if (cur) {
|
||||
slots_used++;
|
||||
chain_len = 0;
|
||||
@@ -534,7 +573,8 @@ int avtab_write(struct policydb *p, struct avtab *a, void *fp)
|
||||
return rc;
|
||||
|
||||
for (i = 0; i < a->nslot; i++) {
|
||||
for (cur = a->htable[i]; cur; cur = cur->next) {
|
||||
for (cur = flex_array_get_ptr(a->htable, i); cur;
|
||||
cur = cur->next) {
|
||||
rc = avtab_write_item(p, cur, fp);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
@@ -23,6 +23,8 @@
|
||||
#ifndef _SS_AVTAB_H_
|
||||
#define _SS_AVTAB_H_
|
||||
|
||||
#include <linux/flex_array.h>
|
||||
|
||||
struct avtab_key {
|
||||
u16 source_type; /* source type */
|
||||
u16 target_type; /* target type */
|
||||
@@ -51,10 +53,10 @@ struct avtab_node {
|
||||
};
|
||||
|
||||
struct avtab {
|
||||
struct avtab_node **htable;
|
||||
struct flex_array *htable;
|
||||
u32 nel; /* number of elements */
|
||||
u32 nslot; /* number of hash slots */
|
||||
u16 mask; /* mask to compute hash func */
|
||||
u32 mask; /* mask to compute hash func */
|
||||
|
||||
};
|
||||
|
||||
@@ -84,7 +86,7 @@ struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified
|
||||
void avtab_cache_init(void);
|
||||
void avtab_cache_destroy(void);
|
||||
|
||||
#define MAX_AVTAB_HASH_BITS 11
|
||||
#define MAX_AVTAB_HASH_BITS 16
|
||||
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
|
||||
|
||||
#endif /* _SS_AVTAB_H_ */
|
||||
|
||||
@@ -654,19 +654,15 @@ int mls_import_netlbl_cat(struct context *context,
|
||||
|
||||
rc = ebitmap_netlbl_import(&context->range.level[0].cat,
|
||||
secattr->attr.mls.cat);
|
||||
if (rc != 0)
|
||||
goto import_netlbl_cat_failure;
|
||||
|
||||
rc = ebitmap_cpy(&context->range.level[1].cat,
|
||||
&context->range.level[0].cat);
|
||||
if (rc != 0)
|
||||
if (rc)
|
||||
goto import_netlbl_cat_failure;
|
||||
memcpy(&context->range.level[1].cat, &context->range.level[0].cat,
|
||||
sizeof(context->range.level[0].cat));
|
||||
|
||||
return 0;
|
||||
|
||||
import_netlbl_cat_failure:
|
||||
ebitmap_destroy(&context->range.level[0].cat);
|
||||
ebitmap_destroy(&context->range.level[1].cat);
|
||||
return rc;
|
||||
}
|
||||
#endif /* CONFIG_NETLABEL */
|
||||
|
||||
@@ -3179,13 +3179,9 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
|
||||
ctx_new.type = ctx->type;
|
||||
mls_import_netlbl_lvl(&ctx_new, secattr);
|
||||
if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
|
||||
rc = ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
|
||||
secattr->attr.mls.cat);
|
||||
rc = mls_import_netlbl_cat(&ctx_new, secattr);
|
||||
if (rc)
|
||||
goto out;
|
||||
memcpy(&ctx_new.range.level[1].cat,
|
||||
&ctx_new.range.level[0].cat,
|
||||
sizeof(ctx_new.range.level[0].cat));
|
||||
}
|
||||
rc = -EIDRM;
|
||||
if (!mls_context_isvalid(&policydb, &ctx_new))
|
||||
|
||||
Reference in New Issue
Block a user