Creds: creds->security can be NULL is selinux is disabled

author Eric Paris <eparis@redhat.com>

Sun, 13 Sep 2009 02:54:10 +0000 (22:54 -0400)

committer James Morris <jmorris@namei.org>

Mon, 14 Sep 2009 02:34:07 +0000 (12:34 +1000)
author Eric Paris <eparis@redhat.com>
Sun, 13 Sep 2009 02:54:10 +0000 (22:54 -0400)
committer James Morris <jmorris@namei.org>
Mon, 14 Sep 2009 02:34:07 +0000 (12:34 +1000)
diff --git a/include/linux/cred.h b/include/linux/cred.h

index 24520a539c6ff18b9067b24d56dc22075c7096e2..fb371601a3b416d4bfd7aeed4932fdec39e0ac0c 100644 (file)
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -15,6 +15,7 @@
  #include <linux/capability.h>
  #include <linux/init.h>
  #include <linux/key.h>
+#include <linux/selinux.h>
  #include <asm/atomic.h>
  
  struct user_struct;
@@ -182,11 +183,13 @@ static inline bool creds_are_invalid(const struct cred *cred)
         if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers))
                 return true;
  #ifdef CONFIG_SECURITY_SELINUX
-       if ((unsigned long) cred->security < PAGE_SIZE)
-               return true;
-       if ((*(u32*)cred->security & 0xffffff00) ==
-           (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
-               return true;
+       if (selinux_is_enabled()) {
+               if ((unsigned long) cred->security < PAGE_SIZE)
+                       return true;
+               if ((*(u32 *)cred->security & 0xffffff00) ==
+                   (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
+                       return true;
+       }
  #endif
         return false;
  }
diff --git a/include/linux/selinux.h b/include/linux/selinux.h

index 20f965d4b041ca664847478ee89acca7a2e5d154..223d06a6feb116c968b84b40908bada3aa0af4e4 100644 (file)
--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -61,6 +61,11 @@ void selinux_secmark_refcount_inc(void);
   *     existing SECMARK targets has been removed/flushed.
   */
  void selinux_secmark_refcount_dec(void);
+
+/**
+ * selinux_is_enabled - is SELinux enabled?
+ */
+bool selinux_is_enabled(void);
  #else
  
  static inline int selinux_string_to_sid(const char *str, u32 *sid)
@@ -84,6 +89,10 @@ static inline void selinux_secmark_refcount_dec(void)
         return;
  }
  
+static bool selinux_is_enabled(void)
+{
+       return false;
+}
  #endif /* CONFIG_SECURITY_SELINUX */
  
  #endif /* _LINUX_SELINUX_H */
diff --git a/security/selinux/exports.c b/security/selinux/exports.c

index c73aeaa008e81681cdc141dd3fb9b545cf715808..c0a454aee1e03cb0e3825a2c5f965c941636c4d9 100644 (file)
--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -63,3 +63,9 @@ void selinux_secmark_refcount_dec(void)
         atomic_dec(&selinux_secmark_refcount);
  }
  EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);
+
+bool selinux_is_enabled(void)
+{
+       return selinux_enabled;
+}
+EXPORT_SYMBOL_GPL(selinux_is_enabled);
author	Eric Paris <eparis@redhat.com>
	Sun, 13 Sep 2009 02:54:10 +0000 (22:54 -0400)
committer	James Morris <jmorris@namei.org>
	Mon, 14 Sep 2009 02:34:07 +0000 (12:34 +1000)
include/linux/cred.h		patch \| blob \| blame \| history
include/linux/selinux.h		patch \| blob \| blame \| history
security/selinux/exports.c		patch \| blob \| blame \| history