
Revert "selinux: consider filesystem subtype in policies"

This reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260.

Tom London reports that it causes sync() to hang on Fedora rawhide:

https://bugzilla.redhat.com/show_bug.cgi?id=1033965

and Josh Boyer bisected it down to this commit. Reverting the commit in
the rawhide kernel fixes the problem.

Eric Paris root-caused it to incorrect subtype matching in that commit,
which broke fuse, and has a tentative patch, but by now we're better off
retrying this in 3.14 rather than playing with it any more.

Reported-by: Tom London <selinux@gmail.com>
Bisected-by: Josh Boyer <jwboyer@fedoraproject.org>
Acked-by: Eric Paris <eparis@redhat.com>
Cc: James Morris <jmorris@namei.org>
Cc: Anand Avati <avati@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+22 -60
+18 -22
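--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -95,10 +95,6 @@
 #include "audit.h"
 #include "avc_ss.h"
 
-#define SB_TYPE_FMT "%s%s%s"
-#define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0])
-#define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : ""
-
 extern struct security_operations *security_ops;
 
 /* SECMARK reference count */
@@ -409,8 +413,8 @@
 the first boot of the SELinux kernel before we have
 assigned xattr values to the filesystem. */
 if (!root_inode->i_op->getxattr) {
-printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no "
-"xattr support\n", sb->s_id, SB_TYPE_ARGS(sb));
+printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
+"xattr support\n", sb->s_id, sb->s_type->name);
 rc = -EOPNOTSUPP;
 goto out;
 }
@@ -418,22 +422,22 @@
 if (rc < 0 && rc != -ENODATA) {
 if (rc == -EOPNOTSUPP)
 printk(KERN_WARNING "SELinux: (dev %s, type "
-SB_TYPE_FMT") has no security xattr handler\n",
-sb->s_id, SB_TYPE_ARGS(sb));
+"%s) has no security xattr handler\n",
+sb->s_id, sb->s_type->name);
 else
 printk(KERN_WARNING "SELinux: (dev %s, type "
-SB_TYPE_FMT") getxattr errno %d\n", sb->s_id,
-SB_TYPE_ARGS(sb), -rc);
+"%s) getxattr errno %d\n", sb->s_id,
+sb->s_type->name, -rc);
 goto out;
 }
 }
 
 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
-printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n",
-sb->s_id, SB_TYPE_ARGS(sb));
+printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
+sb->s_id, sb->s_type->name);
 else
-printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n",
-sb->s_id, SB_TYPE_ARGS(sb),
+printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
+sb->s_id, sb->s_type->name,
 labeling_behaviors[sbsec->behavior-1]);
 
 sbsec->flags |= SE_SBINITIALIZED;
@@ -596,6 +600,7 @@
 const struct cred *cred = current_cred();
 int rc = 0, i;
 struct superblock_security_struct *sbsec = sb->s_security;
+const char *name = sb->s_type->name;
 struct inode *inode = sbsec->sb->s_root->d_inode;
 struct inode_security_struct *root_isec = inode->i_security;
 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
@@ -655,8 +658,8 @@
 strlen(mount_options[i]), &sid);
 if (rc) {
 printk(KERN_WARNING "SELinux: security_context_to_sid"
-"(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
-mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
+"(%s) failed for (dev %s, type %s) errno=%d\n",
+mount_options[i], sb->s_id, name, rc);
 goto out;
 }
 switch (flags[i]) {
@@ -803,8 +806,7 @@
 out_double_mount:
 rc = -EINVAL;
 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
-"security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
-SB_TYPE_ARGS(sb));
+"security settings for (dev %s, type %s)\n", sb->s_id, name);
 goto out;
 }
 
@@ -2476,8 +2480,8 @@
 rc = security_context_to_sid(mount_options[i], len, &sid);
 if (rc) {
 printk(KERN_WARNING "SELinux: security_context_to_sid"
-"(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
-mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
+"(%s) failed for (dev %s, type %s) errno=%d\n",
+mount_options[i], sb->s_id, sb->s_type->name, rc);
 goto out_free_opts;
 }
 rc = -EINVAL;
@@ -2515,8 +2519,8 @@
 return rc;
 out_bad_option:
 printk(KERN_WARNING "SELinux: unable to change security options "
-"during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
-SB_TYPE_ARGS(sb));
+"during remount (dev %s, type=%s)\n", sb->s_id,
+sb->s_type->name);
 goto out_free_opts;
 }
 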
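Review bot: The restored warning under `out_bad_option` prints the filesystem type as `type=%s`, while every other superblock message in this file section (the getxattr, initialized, security_context_to_sid and out_double_mount lines) prints `type %s`, so the remount warning is the one line that log consumers have to match differently. Changing it to `"during remount (dev %s, type %s)\n", sb->s_id,` would keep the messages uniform; this text is pre-existing and merely brought back by the revert, so it can go in a follow-up rather than here. Note also that after the revert these messages identify a mount only by the base `s_type->name`, so the subtype detail the reverted commit logged is no longer available to anyone correlating these warnings with a specific fuse mount. The enclosing function starts and ends outside the hunk.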
+4 -38
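--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2334,49 +2334,15 @@
 struct ocontext *c;
 struct superblock_security_struct *sbsec = sb->s_security;
 const char *fstype = sb->s_type->name;
-const char *subtype = (sb->s_subtype && sb->s_subtype[0]) ? sb->s_subtype : NULL;
-struct ocontext *base = NULL;
 
 read_lock(&policy_rwlock);
 
-for (c = policydb.ocontexts[OCON_FSUSE]; c; c = c->next) {
-char *sub;
-int baselen;
-
-baselen = strlen(fstype);
-
-/* if base does not match, this is not the one */
-if (strncmp(fstype, c->u.name, baselen))
-continue;
-
-/* if there is no subtype, this is the one! */
-if (!subtype)
+c = policydb.ocontexts[OCON_FSUSE];
+while (c) {
+if (strcmp(fstype, c->u.name) == 0)
 break;
-
-/* skip past the base in this entry */
-sub = c->u.name + baselen;
-
-/* entry is only a base. save it. keep looking for subtype */
-if (sub[0] == '\0') {
-base = c;
-continue;
-}
-
-/* entry is not followed by a subtype, so it is not a match */
-if (sub[0] != '.')
-continue;
-
-/* whew, we found a subtype of this fstype */
-sub++; /* move past '.' */
-
-/* exact match of fstype AND subtype */
-if (!strcmp(subtype, sub))
-break;
+c = c->next;
 }
-
-/* in case we had found an fstype match but no subtype match */
-if (!c)
-c = base;
 
 
 if (c) {
 sbsec->behavior = c->v.behavior;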
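Review bot: The restored lookup loop matches an fs_use entry on `sb->s_type->name` alone, and nothing in the hunk records that `sb->s_subtype` is deliberately not consulted, which matters because the commit message says subtype matching is to be retried in 3.14 and the next attempt will start from this code. A one-line comment before the loop, `/* fs_use entries are matched on the base fstype only; sb->s_subtype is not consulted (see revert of 102aefdda4d8) */`, would mark the intent and the reason. The practical consequence, as far as the hunk shows, is that a policy entry naming a dotted subtype cannot match any superblock, so such entries are silently inert rather than an error; whether that should be diagnosed at policy load is outside this hunk. The enclosing function starts and ends outside the hunk.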