diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2021-06-30 14:55:42 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2021-06-30 14:55:42 -0700 |
commit | 6bd344e55f73f7ae671bf5c1ebe5bd814f3c4b27 (patch) | |
tree | 03dee12ff73d1f8cfb21e11fada2aa2ff964a49d /security/selinux/include/avc.h | |
parent | 44b6ed4cfab8474061707b60e35afaf2c92a9dc3 (diff) | |
parent | d99cf13f14200cdb5cbb704345774c9c0698612d (diff) |
Merge tag 'selinux-pr-20210629' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull SELinux updates from Paul Moore:
- The slow_avc_audit() function is now non-blocking so we can remove
the AVC_NONBLOCKING tricks; this also includes the 'flags' variant of
avc_has_perm().
- Use kmemdup() instead of kcalloc()+copy when copying parts of the
SELinux policydb.
- The InfiniBand device name is now passed by reference when possible
in the SELinux code, removing a strncpy().
- Minor cleanups including: constification of avtab function args,
removal of useless LSM/XFRM function args, SELinux kdoc fixes, and
removal of redundant assignments.
* tag 'selinux-pr-20210629' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: kill 'flags' argument in avc_has_perm_flags() and avc_audit()
selinux: slow_avc_audit has become non-blocking
selinux: Fix kernel-doc
selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
lsm_audit,selinux: pass IB device name by reference
selinux: Remove redundant assignment to rc
selinux: Corrected comment to match kernel-doc comment
selinux: delete selinux_xfrm_policy_lookup() useless argument
selinux: constify some avtab function arguments
selinux: simplify duplicate_policydb_cond_list() by using kmemdup()
Diffstat (limited to 'security/selinux/include/avc.h')
-rw-r--r-- | security/selinux/include/avc.h | 13 |
1 files changed, 1 insertions, 12 deletions
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index cf4cc3ef959b..00f78be48283 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -111,7 +111,6 @@ int slow_avc_audit(struct selinux_state *state, * @avd: access vector decisions * @result: result from avc_has_perm_noaudit * @a: auxiliary audit data - * @flags: VFS walk flags * * Audit the granting or denial of permissions in accordance * with the policy. This function is typically called by @@ -127,16 +126,12 @@ static inline int avc_audit(struct selinux_state *state, u16 tclass, u32 requested, struct av_decision *avd, int result, - struct common_audit_data *a, - int flags) + struct common_audit_data *a) { u32 audited, denied; audited = avc_audit_required(requested, avd, result, 0, &denied); if (likely(!audited)) return 0; - /* fall back to ref-walk if we have to generate audit */ - if (flags & MAY_NOT_BLOCK) - return -ECHILD; return slow_avc_audit(state, ssid, tsid, tclass, requested, audited, denied, result, a); @@ -144,7 +139,6 @@ static inline int avc_audit(struct selinux_state *state, #define AVC_STRICT 1 /* Ignore permissive mode. */ #define AVC_EXTENDED_PERMS 2 /* update extended permissions */ -#define AVC_NONBLOCKING 4 /* non blocking */ int avc_has_perm_noaudit(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass, u32 requested, @@ -155,11 +149,6 @@ int avc_has_perm(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass, u32 requested, struct common_audit_data *auditdata); -int avc_has_perm_flags(struct selinux_state *state, - u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct common_audit_data *auditdata, - int flags); int avc_has_extended_perms(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass, u32 requested, |