]> Git Repo - linux.git/blobdiff - security/selinux/hooks.c
crypto: testmgr - allow ecdsa-nist-p256 and -p384 in FIPS mode
index f553c370397eeb16c2dc7509d97f733add15cfba..3c5be76a9199127c677f446b4aa5c9977817f8ba 100644 (file)
@@ -3240,6 +3240,25 @@ static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
                            &ad);
 }
 
+static int selinux_inode_set_acl(struct user_namespace *mnt_userns,
+                                struct dentry *dentry, const char *acl_name,
+                                struct posix_acl *kacl)
+{
+       return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+}
+
+static int selinux_inode_get_acl(struct user_namespace *mnt_userns,
+                                struct dentry *dentry, const char *acl_name)
+{
+       return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
+}
+
+static int selinux_inode_remove_acl(struct user_namespace *mnt_userns,
+                                   struct dentry *dentry, const char *acl_name)
+{
+       return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+}
+
 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
                                        const void *value, size_t size,
                                        int flags)
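Review bot: The three new ACL hooks have no comment explaining why `mnt_userns`, `acl_name` and `kacl` are ignored, or why the checks are the coarse `FILE__SETATTR` / `FILE__GETATTR` permissions. As written, policy cannot tell an ACL change from any other attribute change, and neither the named ACL nor its contents are inspected. If this is meant to mirror how ordinary xattrs are mediated in `selinux_inode_setxattr` (its body is outside this hunk, so that is inferred), say so above `selinux_inode_set_acl`, e.g. `/* POSIX ACLs are mediated like ordinary xattrs: setattr to set or remove, getattr to read; the ACL itself is not inspected. */`. A reader auditing the LSM hook table would otherwise have to work out whether the unused arguments are an oversight.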
@@ -5119,11 +5138,12 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
        return err;
 }
 
-static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
-                                           int __user *optlen, unsigned len)
+static int selinux_socket_getpeersec_stream(struct socket *sock,
+                                           sockptr_t optval, sockptr_t optlen,
+                                           unsigned int len)
 {
        int err = 0;
-       char *scontext;
+       char *scontext = NULL;
        u32 scontext_len;
        struct sk_security_struct *sksec = sock->sk->sk_security;
        u32 peer_sid = SECSID_NULL;
@@ -5139,17 +5159,15 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
                                      &scontext_len);
        if (err)
                return err;
-
        if (scontext_len > len) {
                err = -ERANGE;
                goto out_len;
        }
 
-       if (copy_to_user(optval, scontext, scontext_len))
+       if (copy_to_sockptr(optval, scontext, scontext_len))
                err = -EFAULT;
-
 out_len:
-       if (put_user(scontext_len, optlen))
+       if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
                err = -EFAULT;
        kfree(scontext);
        return err;
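Review bot: With `sockptr_t`, `copy_to_sockptr()` is a plain memory copy when the caller passes a kernel pointer, so the `scontext_len > len` test is the only bound on the write into `optval`, and the write at `out_len:` assumes `optlen` refers to at least `sizeof(scontext_len)` bytes. Neither assumption is stated in the visible lines; a comment above the check such as `/* len must be the real size of the optval buffer; kernel sockptrs are not fault-checked */` would make the contract explicit for in-kernel callers. The required length is written back both on the `-ERANGE` path and after a failed copy of the context, which is worth one line of comment at `out_len:` if it is intentional. The function's signature is in the previous hunk and its closing brace lies outside this one.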
@@ -7088,6 +7106,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
        LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
        LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
+       LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
+       LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
+       LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
        LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
        LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
        LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),