Re: [PATCH -v2 2/3] SELinux: call capabilities code directory


 



On Thu, 2009-02-12 at 15:01 -0500, Eric Paris wrote:
> For cleanliness and efficiency, remove all calls through secondary-> and instead
> call the capabilities code directly.  Capabilities is the only module that
> SELinux stacks with, so the code should not suggest that other stacking
> might be possible.
> 
> Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>

Acked-by:  Stephen Smalley <sds@xxxxxxxxxxxxx>

> ---
> 
>  security/selinux/hooks.c |   30 +++++++++++++-----------------
>  1 files changed, 13 insertions(+), 17 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 44f2170..e733fc1 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1863,7 +1863,7 @@ static int selinux_ptrace_may_access(struct task_struct *child,
>  {
>  	int rc;
>  
> -	rc = secondary_ops->ptrace_may_access(child, mode);
> +	rc = cap_ptrace_may_access(child, mode);
>  	if (rc)
>  		return rc;
>  
> @@ -1880,7 +1880,7 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
>  {
>  	int rc;
>  
> -	rc = secondary_ops->ptrace_traceme(parent);
> +	rc = cap_ptrace_traceme(parent);
>  	if (rc)
>  		return rc;
>  
> @@ -1896,7 +1896,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
>  	if (error)
>  		return error;
>  
> -	return secondary_ops->capget(target, effective, inheritable, permitted);
> +	return cap_capget(target, effective, inheritable, permitted);
>  }
>  
>  static int selinux_capset(struct cred *new, const struct cred *old,
> @@ -1906,7 +1906,7 @@ static int selinux_capset(struct cred *new, const struct cred *old,
>  {
>  	int error;
>  
> -	error = secondary_ops->capset(new, old,
> +	error = cap_capset(new, old,
>  				      effective, inheritable, permitted);
>  	if (error)
>  		return error;
> @@ -1929,7 +1929,7 @@ static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
>  {
>  	int rc;
>  
> -	rc = secondary_ops->capable(tsk, cred, cap, audit);
> +	rc = cap_capable(tsk, cred, cap, audit);
>  	if (rc)
>  		return rc;
>  
> @@ -2055,7 +2055,7 @@ static int selinux_syslog(int type)
>  {
>  	int rc;
>  
> -	rc = secondary_ops->syslog(type);
> +	rc = cap_syslog(type);
>  	if (rc)
>  		return rc;
>  
> @@ -2086,10 +2086,6 @@ static int selinux_syslog(int type)
>   * mapping. 0 means there is enough memory for the allocation to
>   * succeed and -ENOMEM implies there is not.
>   *
> - * Note that secondary_ops->capable and task_has_perm_noaudit return 0
> - * if the capability is granted, but __vm_enough_memory requires 1 if
> - * the capability is granted.
> - *
>   * Do not audit the selinux permission check, as this is applied to all
>   * processes that allocate mappings.
>   */
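Review bot: Deleting the whole four-line note in the selinux_vm_enough_memory header comment drops the explanation of the inverted return convention, which the new code still relies on: cap_capable and task_has_perm_noaudit keep returning 0 on a granted capability while __vm_enough_memory expects 1 for a granted capability, so only the `secondary_ops->` name was stale. Keep the note with the callee renamed, e.g. ` * Note that cap_capable and task_has_perm_noaudit return 0 if the capability is granted, but __vm_enough_memory requires 1 if the capability is granted.`, so a later reader does not "fix" the inversion in the body. The function body itself is outside this hunk.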
> @@ -2116,7 +2112,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
>  	struct inode *inode = bprm->file->f_path.dentry->d_inode;
>  	int rc;
>  
> -	rc = secondary_ops->bprm_set_creds(bprm);
> +	rc = cap_bprm_set_creds(bprm);
>  	if (rc)
>  		return rc;
>  
> @@ -2233,7 +2229,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
>  					PROCESS__NOATSECURE, NULL);
>  	}
>  
> -	return (atsecure || secondary_ops->bprm_secureexec(bprm));
> +	return (atsecure || cap_bprm_secureexec(bprm));
>  }
>  
>  extern struct vfsmount *selinuxfs_mount;
> @@ -3334,7 +3330,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
>  {
>  	int rc;
>  
> -	rc = secondary_ops->task_setnice(p, nice);
> +	rc = cap_task_setnice(p, nice);
>  	if (rc)
>  		return rc;
>  
> @@ -3345,7 +3341,7 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio)
>  {
>  	int rc;
>  
> -	rc = secondary_ops->task_setioprio(p, ioprio);
> +	rc = cap_task_setioprio(p, ioprio);
>  	if (rc)
>  		return rc;
>  
> @@ -3375,7 +3371,7 @@ static int selinux_task_setscheduler(struct task_struct *p, int policy, struct s
>  {
>  	int rc;
>  
> -	rc = secondary_ops->task_setscheduler(p, policy, lp);
> +	rc = cap_task_setscheduler(p, policy, lp);
>  	if (rc)
>  		return rc;
>  
> @@ -4633,7 +4629,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
>  {
>  	int err;
>  
> -	err = secondary_ops->netlink_send(sk, skb);
> +	err = cap_netlink_send(sk, skb);
>  	if (err)
>  		return err;
>  
> @@ -4648,7 +4644,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
>  	int err;
>  	struct avc_audit_data ad;
>  
> -	err = secondary_ops->netlink_recv(skb, capability);
> +	err = cap_netlink_recv(skb, capability);
>  	if (err)
>  		return err;
>  
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

