Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Creds: creds->security can be NULL is selinux is disabled

__validate_process_creds should check if selinux is actually enabled before
running tests on the selinux portion of the credentials struct.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Eric Paris 15 years ago
parent
86d710146f
commit
ed868a5698
3 changed files with 23 additions and 5 deletions
Unified View Show Diff Stats
  1. 8 5
      include/linux/cred.h
  2. 9 0
      include/linux/selinux.h
  3. 6 0
      security/selinux/exports.c

+ 8 - 5
include/linux/cred.h
View File 

@@ -15,6 +15,7 @@
 
 #include <linux/capability.h>
 
 #include <linux/capability.h>
 
 #include <linux/init.h>
 
 #include <linux/init.h>
 
 #include <linux/key.h>
 
 #include <linux/key.h>
 
+#include <linux/selinux.h>
 
 #include <asm/atomic.h>
 
 #include <asm/atomic.h>
 
 
 
 struct user_struct;
 
 struct user_struct;
 
@@ -182,11 +183,13 @@ static inline bool creds_are_invalid(const struct cred *cred)
 
 	if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers))
 
 	if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers))
 
 		return true;
 
 		return true;
 
 #ifdef CONFIG_SECURITY_SELINUX
 
 #ifdef CONFIG_SECURITY_SELINUX
 
-	if ((unsigned long) cred->security < PAGE_SIZE)
 
-		return true;
 
-	if ((*(u32*)cred->security & 0xffffff00) ==
 
-	    (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
 
-		return true;
 
+	if (selinux_is_enabled()) {
 
+		if ((unsigned long) cred->security < PAGE_SIZE)
 
+			return true;
 
+		if ((*(u32 *)cred->security & 0xffffff00) ==
 
+		    (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
 
+			return true;
 
+	}
 
 #endif
 
 #endif
 
 	return false;
 
 	return false;
 
 }
 
 }

+ 9 - 0
include/linux/selinux.h
View File 

@@ -61,6 +61,11 @@ void selinux_secmark_refcount_inc(void);
 
  *     existing SECMARK targets has been removed/flushed.
 
  *     existing SECMARK targets has been removed/flushed.
 
  */
 
  */
 
 void selinux_secmark_refcount_dec(void);
 
 void selinux_secmark_refcount_dec(void);
 
+
 
+/**
 
+ * selinux_is_enabled - is SELinux enabled?
 
+ */
 
+bool selinux_is_enabled(void);
 
 #else
 
 #else
 
 
 
 static inline int selinux_string_to_sid(const char *str, u32 *sid)
 
 static inline int selinux_string_to_sid(const char *str, u32 *sid)
 
@@ -84,6 +89,10 @@ static inline void selinux_secmark_refcount_dec(void)
 
 	return;
 
 	return;
 
 }
 
 }
 
 
 
+static bool selinux_is_enabled(void)
 
+{
 
+	return false;
 
+}
 
 #endif	/* CONFIG_SECURITY_SELINUX */
 
 #endif	/* CONFIG_SECURITY_SELINUX */
 
 
 
 #endif /* _LINUX_SELINUX_H */
 
 #endif /* _LINUX_SELINUX_H */

+ 6 - 0
security/selinux/exports.c
View File 

@@ -63,3 +63,9 @@ void selinux_secmark_refcount_dec(void)
 
 	atomic_dec(&selinux_secmark_refcount);
 
 	atomic_dec(&selinux_secmark_refcount);
 
 }
 
 }
 
 EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);
 
 EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);
 
+
 
+bool selinux_is_enabled(void)
 
+{
 
+	return selinux_enabled;
 
+}
 
+EXPORT_SYMBOL_GPL(selinux_is_enabled);