There is no point in counting hits - we can calculate it from the number
of lookups and misses.

This makes the avc statistics a bit smaller, and makes the code
generation better too.
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

You can turn off the avc cache stats, but distributions seem to not do
that (perhaps because several performance tuning how-to's talk about the
avc cache statistics).

Which is sad, because the code it generates is truly horrendous, with
the statistics update being sandwitched between get_cpu/put_cpu which in
turn causes preemption disables etc.  We're talking ten+ instructions
just to increment a per-cpu variable in some pretty hot code.

Fix the craziness by just using 'this_cpu_inc()' instead.  Suddenly we
only need a single 'inc' instruction to increment the statistics.  This
is quite noticeable in the incredibly hot avc_has_perm_noaudit()
function (which triggers all the statistics by virtue of doing an
avc_lookup() call).
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The filename_trans rule processing has some printk(KERN_ERR ) messages
which were intended as debug aids in creating the code but weren't removed
before it was submitted.  Remove them.
Reported-by: NPaul Bolle <pebolle@tiscali.nl>
Signed-off-by: NEric Paris <eparis@redhat.com>

In tomoyo_correct_domain() since 2.6.36, TOMOYO was by error validating
"<kernel>" + "/foo/\" + "/bar" when "<kernel> /foo/\* /bar" was given.
As a result, legal domainnames like "<kernel> /foo/\* /bar" are rejected.
Reported-by: NHayama Yossihiro <yossi@yedo.src.co.jp>
Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NJames Morris <jmorris@namei.org>

In the interest of keeping userspace from having to create new root
filesystems all the time, let's follow the lead of the other in-kernel
filesystems and provide a proper mount point for it in sysfs.

For selinuxfs, this mount point should be in /sys/fs/selinux/

Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Lennart Poettering <mzerqung@0pointer.de>
Cc: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
[include kobject.h - Eric Paris]
[use selinuxfs_obj throughout - Eric Paris]
Signed-off-by: NEric Paris <eparis@redhat.com>

The rcu callback sel_netif_free() just calls a kfree(),
so we use kfree_rcu() instead of the call_rcu(sel_netif_free).
Signed-off-by: NLai Jiangshan <laijs@cn.fujitsu.com>
Acked-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
Reviewed-by: NJosh Triplett <josh@joshtriplett.org>

The rcu callback user_update_rcu_disposal() just calls a kfree(),
so we use kfree_rcu() instead of the call_rcu(user_update_rcu_disposal).
Signed-off-by: NLai Jiangshan <laijs@cn.fujitsu.com>
Signed-off-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: NDavid Howells <dhowells@redhat.com>
Reviewed-by: NJosh Triplett <josh@joshtriplett.org>

Change flex_array_prealloc to take the number of elements for which space
should be allocated instead of the last (inclusive) element. Users
and documentation are updated accordingly.  flex_arrays got introduced before
they had users.  When folks started using it, they ended up needing a
different API than was coded up originally.  This swaps over to the API that
folks apparently need.
Based-on-patch-by: NSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NEric Paris <eparis@redhat.com>
Tested-by: NChris Richards <gizmo@giz-works.com>
Acked-by: NDave Hansen <dave@linux.vnet.ibm.com>
Cc: stable@kernel.org [2.6.38+]

New inodes are created in a two stage process.  We first will compute the
label on a new inode in security_inode_create() and check if the
operation is allowed.  We will then actually re-compute that same label and
apply it in security_inode_init_security().  The change to do new label
calculations based in part on the last component of the path name only
passed the path component information all the way down the
security_inode_init_security hook.  Down the security_inode_create hook the
path information did not make it past may_create.  Thus the two calculations
came up differently and the permissions check might not actually be against
the label that is created.  Pass and use the same information in both places
to harmonize the calculations and checks.
Reported-by: NDominick Grift <domg472@gmail.com>
Signed-off-by: NEric Paris <eparis@redhat.com>

We currently have inode_has_perm and dentry_has_perm.  dentry_has_perm just
calls inode_has_perm with additional audit data.  But dentry_has_perm can
take either a dentry or a path.  Split those to make the code obvious and
to fix the previous problem where I thought dentry_has_perm always had a
valid dentry and mnt.
Signed-off-by: NEric Paris <eparis@redhat.com>

Change flex_array_prealloc to take the number of elements for which space
should be allocated instead of the last (inclusive) element. Users
and documentation are updated accordingly.  flex_arrays got introduced before
they had users.  When folks started using it, they ended up needing a
different API than was coded up originally.  This swaps over to the API that
folks apparently need.
Based-on-patch-by: NSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NEric Paris <eparis@redhat.com>
Tested-by: NChris Richards <gizmo@giz-works.com>
Acked-by: NDave Hansen <dave@linux.vnet.ibm.com>
Cc: stable@kernel.org [2.6.38+]

New inodes are created in a two stage process.  We first will compute the
label on a new inode in security_inode_create() and check if the
operation is allowed.  We will then actually re-compute that same label and
apply it in security_inode_init_security().  The change to do new label
calculations based in part on the last component of the path name only
passed the path component information all the way down the
security_inode_init_security hook.  Down the security_inode_create hook the
path information did not make it past may_create.  Thus the two calculations
came up differently and the permissions check might not actually be against
the label that is created.  Pass and use the same information in both places
to harmonize the calculations and checks.
Reported-by: NDominick Grift <domg472@gmail.com>
Signed-off-by: NEric Paris <eparis@redhat.com>

To shorten the list we need to run if filename trans rules exist for the type
of the given parent directory I put them in a hashtable.  Given the policy we
are expecting to use in Fedora this takes the worst case list run from about
5,000 entries to 17.
Signed-off-by: NEric Paris <eparis@redhat.com>
Reviewed-by: NJames Morris <jmorris@namei.org>

Instead of a hashtab entry counter function only useful for range
transition rules make a function generic for any hashtable to use.
Signed-off-by: NEric Paris <eparis@redhat.com>
Reviewed-by: NJames Morris <jmorris@namei.org>

We have custom debug functions like rangetr_hash_eval and symtab_hash_eval
which do the same thing.  Just create a generic function that takes the name
of the hash table as an argument instead of having custom functions.
Signed-off-by: NEric Paris <eparis@redhat.com>
Reviewed-by: NJames Morris <jmorris@namei.org>

Right now we walk to filename trans rule list for every inode that is
created.  First passes at policy using this facility creates around 5000
filename trans rules.  Running a list of 5000 entries every time is a bad
idea.  This patch adds a new ebitmap to policy which has a bit set for each
ttype that has at least 1 filename trans rule.  Thus when an inode is
created we can quickly determine if any rules exist for this parent
directory type and can skip the list if we know there is definitely no
relevant entry.
Signed-off-by: NEric Paris <eparis@redhat.com>
Reviewed-by: NJames Morris <jmorris@namei.org>

filename_compute_type() takes as arguments the numeric value of the type of
the subject and target.  It does not take a context.  Thus the names are
misleading.  Fix the argument names.
Signed-off-by: NEric Paris <eparis@redhat.com>
Reviewed-by: NJames Morris <jmorris@namei.org>

filename_compute_type used to take a qstr, but it now takes just a name.
Fix the comments to indicate it is an objname, not a qstr.
Signed-off-by: NEric Paris <eparis@redhat.com>

Now that the security modules can decide whether they support the
dcache RCU walk or not it's possible to make selinux a bit more
RCU friendly.  The SELinux AVC and security server access decision
code is RCU safe.  A specific piece of the LSM audit code may not
be RCU safe.

This patch makes the VFS RCU walk retry if it would hit the non RCU
safe chunk of code.  It will normally just work under RCU.  This is
done simply by passing the VFS RCU state as a flag down into the
avc_audit() code and returning ECHILD there if it would have an issue.
Based-on-patch-by: NAndi Kleen <ak@linux.intel.com>
Signed-off-by: NEric Paris <eparis@redhat.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

smack_file_lock has a struct path, so use that instead of only the
dentry.
Signed-off-by: NEric Paris <eparis@redhat.com>
Acked-by: NCasey Schaufler <casey@schaufler-ca.com>

This patch separates and audit message that only contains a dentry from
one that contains a full path.  This allows us to make it harder to
misuse the interfaces or for the interfaces to be implemented wrong.
Signed-off-by: NEric Paris <eparis@redhat.com>
Acked-by: NCasey Schaufler <casey@schaufler-ca.com>

The lsm common audit code has wacky contortions making sure which pieces
of information are set based on if it was given a path, dentry, or
inode.  Split this into path and inode to get rid of some of the code
complexity.
Signed-off-by: NEric Paris <eparis@redhat.com>
Acked-by: NCasey Schaufler <casey@schaufler-ca.com>

Now that the security modules can decide whether they support the
dcache RCU walk or not it's possible to make selinux a bit more
RCU friendly.  The SELinux AVC and security server access decision
code is RCU safe.  A specific piece of the LSM audit code may not
be RCU safe.

This patch makes the VFS RCU walk retry if it would hit the non RCU
safe chunk of code.  It will normally just work under RCU.  This is
done simply by passing the VFS RCU state as a flag down into the
avc_audit() code and returning ECHILD there if it would have an issue.
Based-on-patch-by: NAndi Kleen <ak@linux.intel.com>
Signed-off-by: NEric Paris <eparis@redhat.com>

Right now all RCU walks fall back to reference walk when CONFIG_SECURITY
is enabled, even though just the standard capability module is active.
This is because security_inode_exec_permission unconditionally fails
RCU walks.

Move this decision to the low level security module. This requires
passing the RCU flags down the security hook. This way at least
the capability module and a few easy cases in selinux/smack work
with RCU walks with CONFIG_SECURITY=y
Signed-off-by: NAndi Kleen <ak@linux.intel.com>
Signed-off-by: NEric Paris <eparis@redhat.com>

The len should be an size_t but is a ssize_t.  Easy enough fix to silence
build warnings.  We have no need for signed-ness.
Signed-off-by: NEric Paris <eparis@redhat.com>
Reviewed-by: NJames Morris <jmorris@namei.org>

If one builds a kernel without CONFIG_BUG there are a number of 'may be
used uninitialized' warnings.  Silence these by returning after the BUG().
Signed-off-by: NEric Paris <eparis@redhat.com>
Reviewed-by: NJames Morris <jmorris@namei.org>

Right now all RCU walks fall back to reference walk when CONFIG_SECURITY
is enabled, even though just the standard capability module is active.
This is because security_inode_exec_permission unconditionally fails
RCU walks.

Move this decision to the low level security module. This requires
passing the RCU flags down the security hook. This way at least
the capability module and a few easy cases in selinux/smack work
with RCU walks with CONFIG_SECURITY=y
Signed-off-by: NAndi Kleen <ak@linux.intel.com>
Acked-by: NEric Paris <eparis@redhat.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The filename_trans rule processing has some printk(KERN_ERR ) messages
which were intended as debug aids in creating the code but weren't removed
before it was submitted.  Remove them.
Signed-off-by: NEric Paris <eparis@redhat.com>

In tomoyo_mount_acl() since 2.6.36, reference to device file (e.g. /dev/sda1)
was leaking.
Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NJames Morris <jmorris@namei.org>

In tomoyo_flush(), head->r.w[0] holds pointer to string data to be printed.
But head->r.w[0] was updated only when the string data was partially
printed (because head->r.w[0] will be updated by head->r.w[1] later if
completely printed). However, regarding /sys/kernel/security/tomoyo/query ,
an additional '\0' is printed after the string data was completely printed.
But if free space for read buffer became 0 before printing the additional '\0',
tomoyo_flush() was returning without updating head->r.w[0]. As a result,
tomoyo_flush() forever reprints already printed string data.
Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NJames Morris <jmorris@namei.org>

"mount --bind /path/to/file1 /path/to/file2" is legal. Therefore,
"umount /path/to/file2" is also legal. Do not automatically append trailing '/'
if pathname to be unmounted does not end with '/'.
Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NJames Morris <jmorris@namei.org>

In tomoyo_write_profile() since 2.6.34, a lock was by error missing when
replacing profile's comment line. If multiple threads attempted

  echo '0-COMMENT=comment' > /sys/kernel/security/tomoyo/profile

in parallel, garbage collector will fail to kfree() the old value.
Protect the replacement using a lock. Also, keep the old value rather than
replace with empty string when out of memory error has occurred.
Signed-off-by: NXiaochen Wang <wangxiaochen0@gmail.com>
Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NJames Morris <jmorris@namei.org>

Signed-off-by: NJustin P. Mattock <justinmattock@gmail.com>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Initialize policydb.process_class once all symtabs read from policy image,
so that it could be used to setup the role_trans.tclass field when a lower
version policy.X is loaded.
Signed-off-by: NHarry Ciao <qingtao.cao@windriver.com>
Signed-off-by: NEric Paris <eparis@redhat.com>

Commit 6f5317e7 introduced a bug in the
handling of userspace object classes that is causing breakage for Xorg
when XSELinux is enabled.  Fix the bug by changing map_class() to return
SECCLASS_NULL when the class cannot be mapped to a kernel object class.
Reported-by: N"Justin P. Mattock" <justinmattock@gmail.com>
Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: NJames Morris <jmorris@namei.org>

When the global init task is exec'd we have special case logic to make sure
the pE is not reduced.  There is no reason for this.  If init wants to drop
it's pE is should be allowed to do so.  Remove this special logic.
Signed-off-by: NEric Paris <eparis@redhat.com>
Acked-by: NSerge Hallyn <serge@hallyn.com>
Acked-by: NDavid Howells <dhowells@redhat.com>
Acked-by: NAndrew G. Morgan <morgan@kernel.org>
Signed-off-by: NJames Morris <jmorris@namei.org>

The attached patch allows /selinux/create takes optional 4th argument
to support TYPE_TRANSITION with name extension for userspace object
managers.
If 4th argument is not supplied, it shall perform as existing kernel.
In fact, the regression test of SE-PostgreSQL works well on the patched
kernel.

Thanks,
Signed-off-by: NKaiGai Kohei <kohei.kaigai@eu.nec.com>
[manually verify fuzz was not an issue, and it wasn't: eparis]
Signed-off-by: NEric Paris <eparis@redhat.com>

Fixes generated by 'codespell' and manually reviewed.
Signed-off-by: NLucas De Marchi <lucas.demarchi@profusion.mobi>

When memory used for policy exceeds the quota, tomoyo_memory_ok() return false.
In this case, tomoyo_commit_ok() must call kfree() before returning NULL.
This bug exists since 2.6.35.
Signed-off-by: NXiaochen Wang <wangxiaochen0@gmail.com>
Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NJames Morris <jmorris@namei.org>

Commit 6f5317e7 introduced a bug in the
handling of userspace object classes that is causing breakage for Xorg
when XSELinux is enabled.  Fix the bug by changing map_class() to return
SECCLASS_NULL when the class cannot be mapped to a kernel object class.
Reported-by: N"Justin P. Mattock" <justinmattock@gmail.com>
Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: NJames Morris <jmorris@namei.org>