Diffstat (limited to 'security/selinux/ss/services.c')
-rw-r--r-- | security/selinux/ss/services.c | 346 |
1 files changed, 141 insertions, 205 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 0092b29022f5..f14d1ffe54c5 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -235,16 +235,16 @@ static void map_decision(struct selinux_map *map, } } -int security_mls_enabled(struct selinux_state *state) +int security_mls_enabled(void) { int mls_enabled; struct selinux_policy *policy; - if (!selinux_initialized(state)) + if (!selinux_initialized()) return 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); mls_enabled = policy->policydb.mls_enabled; rcu_read_unlock(); return mls_enabled; @@ -713,8 +713,7 @@ static void context_struct_compute_av(struct policydb *policydb, tclass, avd); } -static int security_validtrans_handle_fail(struct selinux_state *state, - struct selinux_policy *policy, +static int security_validtrans_handle_fail(struct selinux_policy *policy, struct sidtab_entry *oentry, struct sidtab_entry *nentry, struct sidtab_entry *tentry, @@ -740,13 +739,12 @@ out: kfree(n); kfree(t); - if (!enforcing_enabled(state)) + if (!enforcing_enabled()) return 0; return -EPERM; } -static int security_compute_validatetrans(struct selinux_state *state, - u32 oldsid, u32 newsid, u32 tasksid, +static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid, u16 orig_tclass, bool user) { struct selinux_policy *policy; @@ -761,12 +759,12 @@ static int security_compute_validatetrans(struct selinux_state *state, int rc = 0; - if (!selinux_initialized(state)) + if (!selinux_initialized()) return 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; 
@@ -813,8 +811,7 @@ static int security_compute_validatetrans(struct selinux_state *state, if (user) rc = -EPERM; else - rc = security_validtrans_handle_fail(state, - policy, + rc = security_validtrans_handle_fail(policy, oentry, nentry, tentry, @@ -829,19 +826,17 @@ out: return rc; } -int security_validate_transition_user(struct selinux_state *state, - u32 oldsid, u32 newsid, u32 tasksid, +int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid, u16 tclass) { - return security_compute_validatetrans(state, oldsid, newsid, tasksid, + return security_compute_validatetrans(oldsid, newsid, tasksid, tclass, true); } -int security_validate_transition(struct selinux_state *state, - u32 oldsid, u32 newsid, u32 tasksid, +int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, u16 orig_tclass) { - return security_compute_validatetrans(state, oldsid, newsid, tasksid, + return security_compute_validatetrans(oldsid, newsid, tasksid, orig_tclass, false); } @@ -851,12 +846,10 @@ int security_validate_transition(struct selinux_state *state, * It returns 0, if @newsid is bounded by @oldsid. * Otherwise, it returns error code. * - * @state: SELinux state * @oldsid : current security identifier * @newsid : destinated security identifier */ -int security_bounded_transition(struct selinux_state *state, - u32 old_sid, u32 new_sid) +int security_bounded_transition(u32 old_sid, u32 new_sid) { struct selinux_policy *policy; struct policydb *policydb; @@ -866,11 +859,11 @@ int security_bounded_transition(struct selinux_state *state, int index; int rc; - if (!selinux_initialized(state)) + if (!selinux_initialized()) return 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; 
@@ -1004,8 +997,7 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, } } -void security_compute_xperms_decision(struct selinux_state *state, - u32 ssid, +void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 orig_tclass, u8 driver, @@ -1029,10 +1021,10 @@ void security_compute_xperms_decision(struct selinux_state *state, memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p)); rcu_read_lock(); - if (!selinux_initialized(state)) + if (!selinux_initialized()) goto allow; - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; @@ -1091,7 +1083,6 @@ allow: /** * security_compute_av - Compute access vector decisions. - * @state: SELinux state * @ssid: source security identifier * @tsid: target security identifier * @orig_tclass: target security class @@ -1101,8 +1092,7 @@ allow: * Compute a set of access vector decisions based on the * SID pair (@ssid, @tsid) for the permissions in @tclass. */ -void security_compute_av(struct selinux_state *state, - u32 ssid, +void security_compute_av(u32 ssid, u32 tsid, u16 orig_tclass, struct av_decision *avd, @@ -1115,10 +1105,10 @@ void security_compute_av(struct selinux_state *state, struct context *scontext = NULL, *tcontext = NULL; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); avd_init(policy, avd); xperms->len = 0; - if (!selinux_initialized(state)) + if (!selinux_initialized()) goto allow; policydb = &policy->policydb; @@ -1160,8 +1150,7 @@ allow: goto out; } -void security_compute_av_user(struct selinux_state *state, - u32 ssid, +void security_compute_av_user(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) 
@@ -1172,9 +1161,9 @@ void security_compute_av_user(struct selinux_state *state, struct context *scontext = NULL, *tcontext = NULL; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); avd_init(policy, avd); - if (!selinux_initialized(state)) + if (!selinux_initialized()) goto allow; policydb = &policy->policydb; @@ -1290,19 +1279,19 @@ static int sidtab_entry_to_string(struct policydb *p, #include "initial_sid_to_string.h" -int security_sidtab_hash_stats(struct selinux_state *state, char *page) +int security_sidtab_hash_stats(char *page) { struct selinux_policy *policy; int rc; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { pr_err("SELinux: %s: called before initial load_policy\n", __func__); return -EINVAL; } rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); rc = sidtab_hash_stats(policy->sidtab, page); rcu_read_unlock(); @@ -1316,8 +1305,7 @@ const char *security_get_initial_sid_context(u32 sid) return initial_sid_to_string[sid]; } -static int security_sid_to_context_core(struct selinux_state *state, - u32 sid, char **scontext, +static int security_sid_to_context_core(u32 sid, char **scontext, u32 *scontext_len, int force, int only_invalid) { @@ -1331,7 +1319,7 @@ static int security_sid_to_context_core(struct selinux_state *state, *scontext = NULL; *scontext_len = 0; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { if (sid <= SECINITSID_NUM) { char *scontextp; const char *s = initial_sid_to_string[sid]; @@ -1352,7 +1340,7 @@ static int security_sid_to_context_core(struct selinux_state *state, return -EINVAL; } rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; 
@@ -1380,7 +1368,6 @@ out_unlock: /** * security_sid_to_context - Obtain a context for a given SID. - * @state: SELinux state * @sid: security identifier, SID * @scontext: security context * @scontext_len: length in bytes @@ -1389,24 +1376,22 @@ out_unlock: * into a dynamically allocated string of the correct size. Set @scontext * to point to this string and set @scontext_len to the length of the string. */ -int security_sid_to_context(struct selinux_state *state, - u32 sid, char **scontext, u32 *scontext_len) +int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) { - return security_sid_to_context_core(state, sid, scontext, + return security_sid_to_context_core(sid, scontext, scontext_len, 0, 0); } -int security_sid_to_context_force(struct selinux_state *state, u32 sid, +int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len) { - return security_sid_to_context_core(state, sid, scontext, + return security_sid_to_context_core(sid, scontext, scontext_len, 1, 0); } /** * security_sid_to_context_inval - Obtain a context for a given SID if it * is invalid. - * @state: SELinux state * @sid: security identifier, SID * @scontext: security context * @scontext_len: length in bytes @@ -1417,10 +1402,10 @@ int security_sid_to_context_force(struct selinux_state *state, u32 sid, * this string (or NULL if the context is valid) and set @scontext_len to * the length of the string (or 0 if the context is valid). */ -int security_sid_to_context_inval(struct selinux_state *state, u32 sid, +int security_sid_to_context_inval(u32 sid, char **scontext, u32 *scontext_len) { - return security_sid_to_context_core(state, sid, scontext, + return security_sid_to_context_core(sid, scontext, scontext_len, 1, 1); } 
@@ -1505,8 +1490,7 @@ out: return rc; } -static int security_context_to_sid_core(struct selinux_state *state, - const char *scontext, u32 scontext_len, +static int security_context_to_sid_core(const char *scontext, u32 scontext_len, u32 *sid, u32 def_sid, gfp_t gfp_flags, int force) { @@ -1526,7 +1510,7 @@ static int security_context_to_sid_core(struct selinux_state *state, if (!scontext2) return -ENOMEM; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { int i; for (i = 1; i < SECINITSID_NUM; i++) { @@ -1551,7 +1535,7 @@ static int security_context_to_sid_core(struct selinux_state *state, } retry: rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; rc = string_to_context_struct(policydb, sidtab, scontext2, @@ -1583,7 +1567,6 @@ out: /** * security_context_to_sid - Obtain a SID for a given security context. - * @state: SELinux state * @scontext: security context * @scontext_len: length in bytes * @sid: security identifier, SID @@ -1594,18 +1577,16 @@ out: * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient * memory is available, or 0 on success. */ -int security_context_to_sid(struct selinux_state *state, - const char *scontext, u32 scontext_len, u32 *sid, +int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid, gfp_t gfp) { - return security_context_to_sid_core(state, scontext, scontext_len, + return security_context_to_sid_core(scontext, scontext_len, sid, SECSID_NULL, gfp, 0); } -int security_context_str_to_sid(struct selinux_state *state, - const char *scontext, u32 *sid, gfp_t gfp) +int security_context_str_to_sid(const char *scontext, u32 *sid, gfp_t gfp) { - return security_context_to_sid(state, scontext, strlen(scontext), + return security_context_to_sid(scontext, strlen(scontext), sid, gfp); } 
@@ -1613,7 +1594,6 @@ int security_context_str_to_sid(struct selinux_state *state, * security_context_to_sid_default - Obtain a SID for a given security context, * falling back to specified default if needed. * - * @state: SELinux state * @scontext: security context * @scontext_len: length in bytes * @sid: security identifier, SID @@ -1629,24 +1609,21 @@ int security_context_str_to_sid(struct selinux_state *state, * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient * memory is available, or 0 on success. */ -int security_context_to_sid_default(struct selinux_state *state, - const char *scontext, u32 scontext_len, +int security_context_to_sid_default(const char *scontext, u32 scontext_len, u32 *sid, u32 def_sid, gfp_t gfp_flags) { - return security_context_to_sid_core(state, scontext, scontext_len, + return security_context_to_sid_core(scontext, scontext_len, sid, def_sid, gfp_flags, 1); } -int security_context_to_sid_force(struct selinux_state *state, - const char *scontext, u32 scontext_len, +int security_context_to_sid_force(const char *scontext, u32 scontext_len, u32 *sid) { - return security_context_to_sid_core(state, scontext, scontext_len, + return security_context_to_sid_core(scontext, scontext_len, sid, SECSID_NULL, GFP_KERNEL, 1); } static int compute_sid_handle_invalid_context( - struct selinux_state *state, struct selinux_policy *policy, struct sidtab_entry *sentry, struct sidtab_entry *tentry, @@ -1679,7 +1656,7 @@ out: kfree(s); kfree(t); kfree(n); - if (!enforcing_enabled(state)) + if (!enforcing_enabled()) return 0; return -EACCES; } @@ -1714,8 +1691,7 @@ static void filename_compute_type(struct policydb *policydb, } } -static int security_compute_sid(struct selinux_state *state, - u32 ssid, +static int security_compute_sid(u32 ssid, u32 tsid, u16 orig_tclass, u32 specified, 
@@ -1736,7 +1712,7 @@ static int security_compute_sid(struct selinux_state *state, int rc = 0; bool sock; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { switch (orig_tclass) { case SECCLASS_PROCESS: /* kernel value */ *out_sid = ssid; @@ -1754,7 +1730,7 @@ retry: rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); if (kern) { tclass = unmap_class(&policy->map, orig_tclass); @@ -1886,7 +1862,7 @@ retry: /* Check the validity of the context. */ if (!policydb_context_isvalid(policydb, &newcontext)) { - rc = compute_sid_handle_invalid_context(state, policy, sentry, + rc = compute_sid_handle_invalid_context(policy, sentry, tentry, tclass, &newcontext); if (rc) @@ -1908,7 +1884,6 @@ out: /** * security_transition_sid - Compute the SID for a new subject/object. - * @state: SELinux state * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class 
@@ -1921,27 +1896,24 @@ out: * if insufficient memory is available, or %0 if the new SID was * computed successfully. */ -int security_transition_sid(struct selinux_state *state, - u32 ssid, u32 tsid, u16 tclass, +int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, const struct qstr *qstr, u32 *out_sid) { - return security_compute_sid(state, ssid, tsid, tclass, + return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, qstr ? qstr->name : NULL, out_sid, true); } -int security_transition_sid_user(struct selinux_state *state, - u32 ssid, u32 tsid, u16 tclass, +int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, const char *objname, u32 *out_sid) { - return security_compute_sid(state, ssid, tsid, tclass, + return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, objname, out_sid, false); } /** * security_member_sid - Compute the SID for member selection. - * @state: SELinux state * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class @@ -1953,20 +1925,18 @@ int security_transition_sid_user(struct selinux_state *state, * if insufficient memory is available, or %0 if the SID was * computed successfully. */ -int security_member_sid(struct selinux_state *state, - u32 ssid, +int security_member_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid) { - return security_compute_sid(state, ssid, tsid, tclass, + return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL, out_sid, false); } /** * security_change_sid - Compute the SID for object relabeling. - * @state: SELinux state * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class 
@@ -1978,26 +1948,23 @@ int security_member_sid(struct selinux_state *state, * if insufficient memory is available, or %0 if the SID was * computed successfully. */ -int security_change_sid(struct selinux_state *state, - u32 ssid, +int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid) { - return security_compute_sid(state, - ssid, tsid, tclass, AVTAB_CHANGE, NULL, + return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL, out_sid, false); } static inline int convert_context_handle_invalid_context( - struct selinux_state *state, struct policydb *policydb, struct context *context) { char *s; u32 len; - if (enforcing_enabled(state)) + if (enforcing_enabled()) return -EINVAL; if (!context_struct_to_string(policydb, context, &s, &len)) { @@ -2115,8 +2082,7 @@ int services_convert_context(struct convert_context_args *args, /* Check the validity of the new context. */ if (!policydb_context_isvalid(args->newp, newc)) { - rc = convert_context_handle_invalid_context(args->state, - args->oldp, oldc); + rc = convert_context_handle_invalid_context(args->oldp, oldc); if (rc) goto bad; } @@ -2135,8 +2101,7 @@ bad: return 0; } -static void security_load_policycaps(struct selinux_state *state, - struct selinux_policy *policy) +static void security_load_policycaps(struct selinux_policy *policy) { struct policydb *p; unsigned int i; @@ -2144,8 +2109,8 @@ static void security_load_policycaps(struct selinux_state *state, p = &policy->policydb; - for (i = 0; i < ARRAY_SIZE(state->policycap); i++) - WRITE_ONCE(state->policycap[i], + for (i = 0; i < ARRAY_SIZE(selinux_state.policycap); i++) + WRITE_ONCE(selinux_state.policycap[i], ebitmap_get_bit(&p->policycaps, i)); for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) 
@@ -2181,9 +2146,9 @@ static void selinux_policy_cond_free(struct selinux_policy *policy) kfree(policy); } -void selinux_policy_cancel(struct selinux_state *state, - struct selinux_load_state *load_state) +void selinux_policy_cancel(struct selinux_load_state *load_state) { + struct selinux_state *state = &selinux_state; struct selinux_policy *oldpolicy; oldpolicy = rcu_dereference_protected(state->policy, @@ -2194,21 +2159,20 @@ void selinux_policy_cancel(struct selinux_state *state, kfree(load_state->convert_data); } -static void selinux_notify_policy_change(struct selinux_state *state, - u32 seqno) +static void selinux_notify_policy_change(u32 seqno) { /* Flush external caches and notify userspace of policy load */ - avc_ss_reset(state->avc, seqno); + avc_ss_reset(seqno); selnl_notify_policyload(seqno); - selinux_status_update_policyload(state, seqno); + selinux_status_update_policyload(seqno); selinux_netlbl_cache_invalidate(); selinux_xfrm_notify_policyload(); - selinux_ima_measure_state_locked(state); + selinux_ima_measure_state_locked(); } -void selinux_policy_commit(struct selinux_state *state, - struct selinux_load_state *load_state) +void selinux_policy_commit(struct selinux_load_state *load_state) { + struct selinux_state *state = &selinux_state; struct selinux_policy *oldpolicy, *newpolicy = load_state->policy; unsigned long flags; u32 seqno; @@ -2241,15 +2205,15 @@ void selinux_policy_commit(struct selinux_state *state, } /* Load the policycaps from the new policy */ - security_load_policycaps(state, newpolicy); + security_load_policycaps(newpolicy); - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { /* * After first policy load, the security server is * marked as initialized and ready to handle requests and * any objects created prior to policy load are then labeled. */ - selinux_mark_initialized(state); + selinux_mark_initialized(); selinux_complete_init(); } 
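Review bot: `selinux_policy_cancel` and `selinux_policy_commit` introduce a local `struct selinux_state *state = &selinux_state;` while every other converted function in this file reaches the same global through `selinux_state.policy` directly, so the file now mixes two idioms for one object; the same alias appears in `security_load_policy` (next hunk) and `security_set_bools`. If the alias is kept only because the `rcu_dereference_protected(state->policy, ...)` and lockdep lines would otherwise overflow, a one-line comment on the declaration, `/* shorthand for the single global state, used by the rcu_dereference_protected() lines below */`, keeps a later reader from mistaking it for a leftover of the removed parameter. Otherwise converting these four functions to `selinux_state.` as well would make the access style uniform. The bodies of both functions continue outside the hunk.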
@@ -2259,12 +2223,11 @@ void selinux_policy_commit(struct selinux_state *state, kfree(load_state->convert_data); /* Notify others of the policy change */ - selinux_notify_policy_change(state, seqno); + selinux_notify_policy_change(seqno); } /** * security_load_policy - Load a security policy configuration. - * @state: SELinux state * @data: binary policy data * @len: length of data in bytes * @load_state: policy load state @@ -2274,9 +2237,10 @@ void selinux_policy_commit(struct selinux_state *state, * This function will flush the access vector cache after * loading the new policy. */ -int security_load_policy(struct selinux_state *state, void *data, size_t len, +int security_load_policy(void *data, size_t len, struct selinux_load_state *load_state) { + struct selinux_state *state = &selinux_state; struct selinux_policy *newpolicy, *oldpolicy; struct selinux_policy_convert_data *convert_data; int rc = 0; @@ -2308,7 +2272,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len, goto err_mapping; } - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { /* First policy load, so no need to preserve state from old policy */ load_state->policy = newpolicy; load_state->convert_data = NULL; @@ -2336,7 +2300,6 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len, goto err_free_isids; } - convert_data->args.state = state; convert_data->args.oldp = &oldpolicy->policydb; convert_data->args.newp = &newpolicy->policydb; @@ -2410,13 +2373,11 @@ static int ocontext_to_sid(struct sidtab *sidtab, struct ocontext *c, /** * security_port_sid - Obtain the SID for a port. - * @state: SELinux state * @protocol: protocol number * @port: port number * @out_sid: security identifier */ -int security_port_sid(struct selinux_state *state, - u8 protocol, u16 port, u32 *out_sid) +int security_port_sid(u8 protocol, u16 port, u32 *out_sid) { struct selinux_policy *policy; struct policydb *policydb; 
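Review bot: Dropping `convert_data->args.state = state;` in `security_load_policy` leaves the `state` member of `struct convert_context_args` unset if that member still exists; this page is limited to services.c, so the struct definition in the header is not visible here, and the member should be removed in the same change (or the assignment kept) so that nothing downstream of `args` reads a stale pointer. The `state` alias declared at the top of the function is presumably still used for the `rcu_dereference_protected()`/lockdep lines further down, which are outside the hunk, so it cannot simply be deleted the way the parameter was. The body of `security_load_policy` continues outside the hunk.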
@@ -2424,7 +2385,7 @@ int security_port_sid(struct selinux_state *state, struct ocontext *c; int rc; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { *out_sid = SECINITSID_PORT; return 0; } @@ -2432,7 +2393,7 @@ int security_port_sid(struct selinux_state *state, retry: rc = 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; @@ -2464,13 +2425,11 @@ out: /** * security_ib_pkey_sid - Obtain the SID for a pkey. - * @state: SELinux state * @subnet_prefix: Subnet Prefix * @pkey_num: pkey number * @out_sid: security identifier */ -int security_ib_pkey_sid(struct selinux_state *state, - u64 subnet_prefix, u16 pkey_num, u32 *out_sid) +int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid) { struct selinux_policy *policy; struct policydb *policydb; @@ -2478,7 +2437,7 @@ int security_ib_pkey_sid(struct selinux_state *state, struct ocontext *c; int rc; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { *out_sid = SECINITSID_UNLABELED; return 0; } @@ -2486,7 +2445,7 @@ int security_ib_pkey_sid(struct selinux_state *state, retry: rc = 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; @@ -2518,13 +2477,11 @@ out: /** * security_ib_endport_sid - Obtain the SID for a subnet management interface. - * @state: SELinux state * @dev_name: device name * @port_num: port number * @out_sid: security identifier */ -int security_ib_endport_sid(struct selinux_state *state, - const char *dev_name, u8 port_num, u32 *out_sid) +int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid) { struct selinux_policy *policy; struct policydb *policydb; 
@@ -2532,7 +2489,7 @@ int security_ib_endport_sid(struct selinux_state *state, struct ocontext *c; int rc; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { *out_sid = SECINITSID_UNLABELED; return 0; } @@ -2540,7 +2497,7 @@ int security_ib_endport_sid(struct selinux_state *state, retry: rc = 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; @@ -2573,12 +2530,10 @@ out: /** * security_netif_sid - Obtain the SID for a network interface. - * @state: SELinux state * @name: interface name * @if_sid: interface SID */ -int security_netif_sid(struct selinux_state *state, - char *name, u32 *if_sid) +int security_netif_sid(char *name, u32 *if_sid) { struct selinux_policy *policy; struct policydb *policydb; @@ -2586,7 +2541,7 @@ int security_netif_sid(struct selinux_state *state, int rc; struct ocontext *c; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { *if_sid = SECINITSID_NETIF; return 0; } @@ -2594,7 +2549,7 @@ int security_netif_sid(struct selinux_state *state, retry: rc = 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; @@ -2636,14 +2591,12 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) /** * security_node_sid - Obtain the SID for a node (host). - * @state: SELinux state * @domain: communication domain aka address family * @addrp: address * @addrlen: address length in bytes * @out_sid: security identifier */ -int security_node_sid(struct selinux_state *state, - u16 domain, +int security_node_sid(u16 domain, void *addrp, u32 addrlen, u32 *out_sid) 
@@ -2654,14 +2607,14 @@ int security_node_sid(struct selinux_state *state, int rc; struct ocontext *c; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { *out_sid = SECINITSID_NODE; return 0; } retry: rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; @@ -2725,7 +2678,6 @@ out: /** * security_get_user_sids - Obtain reachable SIDs for a user. - * @state: SELinux state * @fromsid: starting SID * @username: username * @sids: array of reachable SIDs for user @@ -2738,8 +2690,7 @@ out: * number of elements in the array. */ -int security_get_user_sids(struct selinux_state *state, - u32 fromsid, +int security_get_user_sids(u32 fromsid, char *username, u32 **sids, u32 *nel) @@ -2758,7 +2709,7 @@ int security_get_user_sids(struct selinux_state *state, *sids = NULL; *nel = 0; - if (!selinux_initialized(state)) + if (!selinux_initialized()) return 0; mysids = kcalloc(maxnel, sizeof(*mysids), GFP_KERNEL); @@ -2768,7 +2719,7 @@ int security_get_user_sids(struct selinux_state *state, retry: mynel = 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; @@ -2834,8 +2785,7 @@ out_unlock: } for (i = 0, j = 0; i < mynel; i++) { struct av_decision dummy_avd; - rc = avc_has_perm_noaudit(state, - fromsid, mysids[i], + rc = avc_has_perm_noaudit(fromsid, mysids[i], SECCLASS_PROCESS, /* kernel value */ PROCESS__TRANSITION, AVC_STRICT, &dummy_avd); @@ -2908,7 +2858,6 @@ static inline int __security_genfs_sid(struct selinux_policy *policy, /** * security_genfs_sid - Obtain a SID for a file in a filesystem - * @state: SELinux state * @fstype: filesystem type * @path: path from root of mount * @orig_sclass: file security class 
@@ -2917,8 +2866,7 @@ static inline int __security_genfs_sid(struct selinux_policy *policy, * Acquire policy_rwlock before calling __security_genfs_sid() and release * it afterward. */ -int security_genfs_sid(struct selinux_state *state, - const char *fstype, +int security_genfs_sid(const char *fstype, const char *path, u16 orig_sclass, u32 *sid) @@ -2926,14 +2874,14 @@ int security_genfs_sid(struct selinux_state *state, struct selinux_policy *policy; int retval; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { *sid = SECINITSID_UNLABELED; return 0; } do { rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); retval = __security_genfs_sid(policy, fstype, path, orig_sclass, sid); rcu_read_unlock(); @@ -2953,10 +2901,9 @@ int selinux_policy_genfs_sid(struct selinux_policy *policy, /** * security_fs_use - Determine how to handle labeling for a filesystem. - * @state: SELinux state * @sb: superblock in question */ -int security_fs_use(struct selinux_state *state, struct super_block *sb) +int security_fs_use(struct super_block *sb) { struct selinux_policy *policy; struct policydb *policydb; @@ -2966,7 +2913,7 @@ int security_fs_use(struct selinux_state *state, struct super_block *sb) struct superblock_security_struct *sbsec = selinux_superblock(sb); const char *fstype = sb->s_type->name; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { sbsec->behavior = SECURITY_FS_USE_NONE; sbsec->sid = SECINITSID_UNLABELED; return 0; @@ -2974,7 +2921,7 @@ int security_fs_use(struct selinux_state *state, struct super_block *sb) retry: rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; 
@@ -3067,13 +3014,14 @@ err: } -int security_set_bools(struct selinux_state *state, u32 len, int *values) +int security_set_bools(u32 len, int *values) { + struct selinux_state *state = &selinux_state; struct selinux_policy *newpolicy, *oldpolicy; int rc; u32 i, seqno = 0; - if (!selinux_initialized(state)) + if (!selinux_initialized()) return -EINVAL; oldpolicy = rcu_dereference_protected(state->policy, @@ -3134,23 +3082,22 @@ int security_set_bools(struct selinux_state *state, u32 len, int *values) selinux_policy_cond_free(oldpolicy); /* Notify others of the policy change */ - selinux_notify_policy_change(state, seqno); + selinux_notify_policy_change(seqno); return 0; } -int security_get_bool_value(struct selinux_state *state, - u32 index) +int security_get_bool_value(u32 index) { struct selinux_policy *policy; struct policydb *policydb; int rc; u32 len; - if (!selinux_initialized(state)) + if (!selinux_initialized()) return 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; rc = -EFAULT; @@ -3197,8 +3144,7 @@ out: * security_sid_mls_copy() - computes a new sid based on the given * sid and the mls portion of mls_sid. */ -int security_sid_mls_copy(struct selinux_state *state, - u32 sid, u32 mls_sid, u32 *new_sid) +int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) { struct selinux_policy *policy; struct policydb *policydb; @@ -3210,7 +3156,7 @@ int security_sid_mls_copy(struct selinux_state *state, u32 len; int rc; - if (!selinux_initialized(state)) { + if (!selinux_initialized()) { *new_sid = sid; return 0; } @@ -3220,7 +3166,7 @@ retry: context_init(&newcon); rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; 
@@ -3254,7 +3200,7 @@ retry: /* Check the validity of the new context. */ if (!policydb_context_isvalid(policydb, &newcon)) { - rc = convert_context_handle_invalid_context(state, policydb, + rc = convert_context_handle_invalid_context(policydb, &newcon); if (rc) { if (!context_struct_to_string(policydb, &newcon, &s, @@ -3288,7 +3234,6 @@ out_unlock: /** * security_net_peersid_resolve - Compare and resolve two network peer SIDs - * @state: SELinux state * @nlbl_sid: NetLabel SID * @nlbl_type: NetLabel labeling protocol type * @xfrm_sid: XFRM SID @@ -3308,8 +3253,7 @@ out_unlock: * multiple, inconsistent labels | -<errno> | SECSID_NULL * */ -int security_net_peersid_resolve(struct selinux_state *state, - u32 nlbl_sid, u32 nlbl_type, +int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, u32 xfrm_sid, u32 *peer_sid) { @@ -3337,11 +3281,11 @@ int security_net_peersid_resolve(struct selinux_state *state, return 0; } - if (!selinux_initialized(state)) + if (!selinux_initialized()) return 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); policydb = &policy->policydb; sidtab = policy->sidtab; 
@@ -3482,31 +3426,31 @@ err: return rc; } -int security_get_reject_unknown(struct selinux_state *state) +int security_get_reject_unknown(void) { struct selinux_policy *policy; int value; - if (!selinux_initialized(state)) + if (!selinux_initialized()) return 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); value = policy->policydb.reject_unknown; rcu_read_unlock(); return value; } -int security_get_allow_unknown(struct selinux_state *state) +int security_get_allow_unknown(void) { struct selinux_policy *policy; int value; - if (!selinux_initialized(state)) + if (!selinux_initialized()) return 0; rcu_read_lock(); - policy = rcu_dereference(state->policy); + policy = rcu_dereference(selinux_state.policy); value = policy->policydb.allow_unknown; rcu_read_unlock(); return value; @@ -3514,7 +3458,6 @@ int security_get_allow_unknown(struct selinux_state *state) /** * security_poli |