diff options
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/Kconfig | 11 | ||||
| -rw-r--r-- | security/selinux/Makefile | 2 | ||||
| -rw-r--r-- | security/selinux/avc.c | 9 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 42 | ||||
| -rw-r--r-- | security/selinux/ibpkey.c | 5 | ||||
| -rw-r--r-- | security/selinux/include/audit.h | 9 | ||||
| -rw-r--r-- | security/selinux/include/classmap.h | 2 | ||||
| -rw-r--r-- | security/selinux/include/hash.h | 47 | ||||
| -rw-r--r-- | security/selinux/include/initcalls.h | 19 | ||||
| -rw-r--r-- | security/selinux/include/policycap.h | 1 | ||||
| -rw-r--r-- | security/selinux/include/policycap_names.h | 1 | ||||
| -rw-r--r-- | security/selinux/include/security.h | 5 | ||||
| -rw-r--r-- | security/selinux/initcalls.c | 52 | ||||
| -rw-r--r-- | security/selinux/netif.c | 5 | ||||
| -rw-r--r-- | security/selinux/netlink.c | 5 | ||||
| -rw-r--r-- | security/selinux/netnode.c | 5 | ||||
| -rw-r--r-- | security/selinux/netport.c | 5 | ||||
| -rw-r--r-- | security/selinux/selinuxfs.c | 20 | ||||
| -rw-r--r-- | security/selinux/ss/avtab.c | 39 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 26 |
20 files changed, 220 insertions, 90 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 61abc1e094a8..5588c4d573f6 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -69,6 +69,17 @@ config SECURITY_SELINUX_SID2STR_CACHE_SIZE If unsure, keep the default value. +config SECURITY_SELINUX_AVC_HASH_BITS + int "SELinux avc hashtable size" + depends on SECURITY_SELINUX + range 9 14 + default 9 + help + This option sets the number of buckets used in the AVC hash table + to 2^SECURITY_SELINUX_AVC_HASH_BITS. A higher value helps maintain + shorter chain lengths especially when expanding AVC nodes via + /sys/fs/selinux/avc/cache_threshold. + config SECURITY_SELINUX_DEBUG bool "SELinux kernel debugging support" depends on SECURITY_SELINUX diff --git a/security/selinux/Makefile b/security/selinux/Makefile index 66e56e9011df..72d3baf7900c 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile @@ -15,7 +15,7 @@ ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include ccflags-$(CONFIG_SECURITY_SELINUX_DEBUG) += -DDEBUG selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ - netnode.o netport.o status.o \ + netnode.o netport.o status.o initcalls.o \ ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \ ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/context.o diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 430b0e23ee00..8f77b9a732e1 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -30,13 +30,14 @@ #include "avc.h" #include "avc_ss.h" #include "classmap.h" +#include "hash.h" #define CREATE_TRACE_POINTS #include <trace/events/avc.h> -#define AVC_CACHE_SLOTS 512 -#define AVC_DEF_CACHE_THRESHOLD 512 -#define AVC_CACHE_RECLAIM 16 +#define AVC_CACHE_SLOTS (1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS) +#define AVC_DEF_CACHE_THRESHOLD AVC_CACHE_SLOTS +#define AVC_CACHE_RECLAIM 16 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field) @@ -124,7 +125,7 @@ static struct kmem_cache *avc_xperms_cachep __ro_after_init; static inline u32 avc_hash(u32 ssid, u32 tsid, u16 tclass) { - return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); + return av_hash(ssid, tsid, (u32)tclass, (u32)(AVC_CACHE_SLOTS - 1)); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e713291db873..d053ce562370 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -93,7 +93,9 @@ #include <linux/fanotify.h> #include <linux/io_uring/cmd.h> #include <uapi/linux/lsm.h> +#include <linux/memfd.h> +#include "initcalls.h" #include "avc.h" #include "objsec.h" #include "netif.h" @@ -2319,6 +2321,10 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) new_crsec = selinux_cred(bprm->cred); isec = inode_security(inode); + if (WARN_ON(isec->sclass != SECCLASS_FILE && + isec->sclass != SECCLASS_MEMFD_FILE)) + return -EACCES; + /* Default to the current task SID. */ new_crsec->sid = old_crsec->sid; new_crsec->osid = old_crsec->sid; @@ -2371,8 +2377,8 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) ad.u.file = bprm->file; if (new_crsec->sid == old_crsec->sid) { - rc = avc_has_perm(old_crsec->sid, isec->sid, - SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); + rc = avc_has_perm(old_crsec->sid, isec->sid, isec->sclass, + FILE__EXECUTE_NO_TRANS, &ad); if (rc) return rc; } else { @@ -2382,8 +2388,8 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) if (rc) return rc; - rc = avc_has_perm(new_crsec->sid, isec->sid, - SECCLASS_FILE, FILE__ENTRYPOINT, &ad); + rc = avc_has_perm(new_crsec->sid, isec->sid, isec->sclass, + FILE__ENTRYPOINT, &ad); if (rc) return rc; @@ -2978,10 +2984,18 @@ static int selinux_inode_init_security_anon(struct inode *inode, struct common_audit_data ad; struct inode_security_struct *isec; int rc; + bool is_memfd = false; if (unlikely(!selinux_initialized())) return 0; + if (name != NULL && name->name != NULL && + !strcmp(name->name, MEMFD_ANON_NAME)) { + if (!selinux_policycap_memfd_class()) + return 0; + is_memfd = true; + } + isec = selinux_inode(inode); /* @@ -3001,7 +3015,10 @@ static int selinux_inode_init_security_anon(struct inode *inode, isec->sclass = context_isec->sclass; isec->sid = context_isec->sid; } else { - isec->sclass = SECCLASS_ANON_INODE; + if (is_memfd) + isec->sclass = SECCLASS_MEMFD_FILE; + else + isec->sclass = SECCLASS_ANON_INODE; rc = security_transition_sid( sid, sid, isec->sclass, name, &isec->sid); @@ -4279,7 +4296,7 @@ static int selinux_kernel_read_file(struct file *file, { int rc = 0; - BUILD_BUG_ON_MSG(READING_MAX_ID > 7, + BUILD_BUG_ON_MSG(READING_MAX_ID > 8, "New kernel_read_file_id introduced; update SELinux!"); switch (id) { @@ -4287,6 +4304,7 @@ static int selinux_kernel_read_file(struct file *file, rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD); break; case READING_MODULE: + case READING_MODULE_COMPRESSED: rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD); break; case READING_KEXEC_IMAGE: @@ -4315,7 +4333,7 @@ static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) { int rc = 0; - BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7, + BUILD_BUG_ON_MSG(LOADING_MAX_ID > 8, "New kernel_load_data_id introduced; update SELinux!"); switch (id) { @@ -7617,6 +7635,10 @@ static __init int selinux_init(void) if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC LSM notifier callback\n"); + if (avc_add_callback(selinux_audit_rule_avc_callback, + AVC_CALLBACK_RESET)) + panic("SELinux: Unable to register AVC audit callback\n"); + if (selinux_enforcing_boot) pr_debug("SELinux: Starting in enforcing mode\n"); else @@ -7644,11 +7666,12 @@ void selinux_complete_init(void) /* SELinux requires early initialization in order to label all processes and objects when they are created. */ DEFINE_LSM(selinux) = { - .name = "selinux", + .id = &selinux_lsmid, .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .enabled = &selinux_enabled_boot, .blobs = &selinux_blob_sizes, .init = selinux_init, + .initcall_device = selinux_initcall, }; #if defined(CONFIG_NETFILTER) @@ -7710,7 +7733,7 @@ static struct pernet_operations selinux_net_ops = { .exit = selinux_nf_unregister, }; -static int __init selinux_nf_ip_init(void) +int __init selinux_nf_ip_init(void) { int err; @@ -7725,5 +7748,4 @@ static int __init selinux_nf_ip_init(void) return 0; } -__initcall(selinux_nf_ip_init); #endif /* CONFIG_NETFILTER */ diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c index 470481cfe0e8..ea1d9b2c7d2b 100644 --- a/security/selinux/ibpkey.c +++ b/security/selinux/ibpkey.c @@ -23,6 +23,7 @@ #include <linux/list.h> #include <linux/spinlock.h> +#include "initcalls.h" #include "ibpkey.h" #include "objsec.h" @@ -218,7 +219,7 @@ void sel_ib_pkey_flush(void) spin_unlock_irqrestore(&sel_ib_pkey_lock, flags); } -static __init int sel_ib_pkey_init(void) +int __init sel_ib_pkey_init(void) { int iter; @@ -232,5 +233,3 @@ static __init int sel_ib_pkey_init(void) return 0; } - -subsys_initcall(sel_ib_pkey_init); diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index d5b0425055e4..85a531ac737b 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -16,6 +16,15 @@ #include <linux/types.h> /** + * selinux_audit_rule_avc_callback - update the audit LSM rules on AVC events. + * @event: the AVC event + * + * Update any audit LSM rules based on the AVC event specified in @event. + * Returns 0 on success, negative values otherwise. + */ +int selinux_audit_rule_avc_callback(u32 event); + +/** * selinux_audit_rule_init - alloc/init an selinux audit rule structure. * @field: the field this rule refers to * @op: the operator the rule uses diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 5665aa5e7853..3ec85142771f 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -179,6 +179,8 @@ const struct security_class_mapping secclass_map[] = { { "anon_inode", { COMMON_FILE_PERMS, NULL } }, { "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } }, { "user_namespace", { "create", NULL } }, + { "memfd_file", + { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } }, /* last one */ { NULL, {} } }; diff --git a/security/selinux/include/hash.h b/security/selinux/include/hash.h new file mode 100644 index 000000000000..18956dbef8ff --- /dev/null +++ b/security/selinux/include/hash.h @@ -0,0 +1,47 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +#ifndef _SELINUX_HASH_H_ +#define _SELINUX_HASH_H_ + +/* + * Based on MurmurHash3, written by Austin Appleby and placed in the + * public domain. + */ +static inline u32 av_hash(u32 key1, u32 key2, u32 key3, u32 mask) +{ + static const u32 c1 = 0xcc9e2d51; + static const u32 c2 = 0x1b873593; + static const u32 r1 = 15; + static const u32 r2 = 13; + static const u32 m = 5; + static const u32 n = 0xe6546b64; + + u32 hash = 0; + +#define mix(input) \ + do { \ + u32 v = input; \ + v *= c1; \ + v = (v << r1) | (v >> (32 - r1)); \ + v *= c2; \ + hash ^= v; \ + hash = (hash << r2) | (hash >> (32 - r2)); \ + hash = hash * m + n; \ + } while (0) + + mix(key1); + mix(key2); + mix(key3); + +#undef mix + + hash ^= hash >> 16; + hash *= 0x85ebca6b; + hash ^= hash >> 13; + hash *= 0xc2b2ae35; + hash ^= hash >> 16; + + return hash & mask; +} + +#endif /* _SELINUX_HASH_H_ */ diff --git a/security/selinux/include/initcalls.h b/security/selinux/include/initcalls.h new file mode 100644 index 000000000000..6674cf489473 --- /dev/null +++ b/security/selinux/include/initcalls.h @@ -0,0 +1,19 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * SELinux initcalls + */ + +#ifndef _SELINUX_INITCALLS_H +#define _SELINUX_INITCALLS_H + +int init_sel_fs(void); +int sel_netport_init(void); +int sel_netnode_init(void); +int sel_netif_init(void); +int sel_netlink_init(void); +int sel_ib_pkey_init(void); +int selinux_nf_ip_init(void); + +int selinux_initcall(void); + +#endif diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h index 135a969f873c..231d02227e59 100644 --- a/security/selinux/include/policycap.h +++ b/security/selinux/include/policycap.h @@ -18,6 +18,7 @@ enum { POLICYDB_CAP_NETIF_WILDCARD, POLICYDB_CAP_GENFS_SECLABEL_WILDCARD, POLICYDB_CAP_FUNCTIONFS_SECLABEL, + POLICYDB_CAP_MEMFD_CLASS, __POLICYDB_CAP_MAX }; #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1) diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h index ff8882887651..454dab37bda3 100644 --- a/security/selinux/include/policycap_names.h +++ b/security/selinux/include/policycap_names.h @@ -21,6 +21,7 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = { "netif_wildcard", "genfs_seclabel_wildcard", "functionfs_seclabel", + "memfd_class", }; /* clang-format on */ diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 0f954a40d3fc..5d1dad8058b1 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -209,6 +209,11 @@ static inline bool selinux_policycap_functionfs_seclabel(void) selinux_state.policycap[POLICYDB_CAP_FUNCTIONFS_SECLABEL]); } +static inline bool selinux_policycap_memfd_class(void) +{ + return READ_ONCE(selinux_state.policycap[POLICYDB_CAP_MEMFD_CLASS]); +} + struct selinux_policy_convert_data; struct selinux_load_state { diff --git a/security/selinux/initcalls.c b/security/selinux/initcalls.c new file mode 100644 index 000000000000..f6716a1d38c1 --- /dev/null +++ b/security/selinux/initcalls.c @@ -0,0 +1,52 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * SELinux initcalls + */ + +#include <linux/init.h> + +#include "initcalls.h" + +/** + * selinux_initcall - Perform the SELinux initcalls + * + * Used as a device initcall in the SELinux LSM definition. + */ +int __init selinux_initcall(void) +{ + int rc = 0, rc_tmp = 0; + + rc_tmp = init_sel_fs(); + if (!rc && rc_tmp) + rc = rc_tmp; + + rc_tmp = sel_netport_init(); + if (!rc && rc_tmp) + rc = rc_tmp; + + rc_tmp = sel_netnode_init(); + if (!rc && rc_tmp) + rc = rc_tmp; + + rc_tmp = sel_netif_init(); + if (!rc && rc_tmp) + rc = rc_tmp; + + rc_tmp = sel_netlink_init(); + if (!rc && rc_tmp) + rc = rc_tmp; + +#if defined(CONFIG_SECURITY_INFINIBAND) + rc_tmp = sel_ib_pkey_init(); + if (!rc && rc_tmp) + rc = rc_tmp; +#endif + +#if defined(CONFIG_NETFILTER) + rc_tmp = selinux_nf_ip_init(); + if (!rc && rc_tmp) + rc = rc_tmp; +#endif + + return rc; +} diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 78afbecdbe57..e24b2cba28ea 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c @@ -22,6 +22,7 @@ #include <linux/rcupdate.h> #include <net/net_namespace.h> +#include "initcalls.h" #include "security.h" #include "objsec.h" #include "netif.h" @@ -265,7 +266,7 @@ static struct notifier_block sel_netif_netdev_notifier = { .notifier_call = sel_netif_netdev_notifier_handler, }; -static __init int sel_netif_init(void) +int __init sel_netif_init(void) { int i; @@ -280,5 +281,3 @@ static __init int sel_netif_init(void) return 0; } -__initcall(sel_netif_init); - diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c index 1760aee712fd..eb40e4603475 100644 --- a/security/selinux/netlink.c +++ b/security/selinux/netlink.c @@ -17,6 +17,7 @@ #include <net/net_namespace.h> #include <net/netlink.h> +#include "initcalls.h" #include "security.h" static struct sock *selnl __ro_after_init; @@ -105,7 +106,7 @@ void selnl_notify_policyload(u32 seqno) selnl_notify(SELNL_MSG_POLICYLOAD, &seqno); } -static int __init selnl_init(void) +int __init sel_netlink_init(void) { struct netlink_kernel_cfg cfg = { .groups = SELNLGRP_MAX, @@ -117,5 +118,3 @@ static int __init selnl_init(void) panic("SELinux: Cannot create netlink socket."); return 0; } - -__initcall(selnl_init); diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index 5d0ed08d46e5..9b3da5ce8d39 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c @@ -30,6 +30,7 @@ #include <net/ip.h> #include <net/ipv6.h> +#include "initcalls.h" #include "netnode.h" #include "objsec.h" @@ -290,7 +291,7 @@ void sel_netnode_flush(void) spin_unlock_bh(&sel_netnode_lock); } -static __init int sel_netnode_init(void) +int __init sel_netnode_init(void) { int iter; @@ -304,5 +305,3 @@ static __init int sel_netnode_init(void) return 0; } - -__initcall(sel_netnode_init); diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 6fd7da4b3576..9e62f7285e81 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c @@ -29,6 +29,7 @@ #include <net/ip.h> #include <net/ipv6.h> +#include "initcalls.h" #include "netport.h" #include "objsec.h" @@ -218,7 +219,7 @@ void sel_netport_flush(void) spin_unlock_bh(&sel_netport_lock); } -static __init int sel_netport_init(void) +int __init sel_netport_init(void) { int iter; @@ -232,5 +233,3 @@ static __init int sel_netport_init(void) return 0; } - -__initcall(sel_netport_init); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 232e087bce3e..d98fbc4d068f 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -35,6 +35,7 @@ /* selinuxfs pseudo filesystem for exporting the security policy API. Based on the proc code and the fs/nfsd/nfsctl.c code. */ +#include "initcalls.h" #include "flask.h" #include "avc.h" #include "avc_ss.h" @@ -506,6 +507,7 @@ static int sel_make_policy_nodes(struct selinux_fs_info *fsi, { int ret = 0; struct dentry *tmp_parent, *tmp_bool_dir, *tmp_class_dir; + struct renamedata rd = {}; unsigned int bool_num = 0; char **bool_names = NULL; int *bool_values = NULL; @@ -539,9 +541,14 @@ static int sel_make_policy_nodes(struct selinux_fs_info *fsi, if (ret) goto out; - lock_rename(tmp_parent, fsi->sb->s_root); + rd.old_parent = tmp_parent; + rd.new_parent = fsi->sb->s_root; /* booleans */ + ret = start_renaming_two_dentries(&rd, tmp_bool_dir, fsi->bool_dir); + if (ret) + goto out; + d_exchange(tmp_bool_dir, fsi->bool_dir); swap(fsi->bool_num, bool_num); @@ -549,12 +556,17 @@ static int sel_make_policy_nodes(struct selinux_fs_info *fsi, swap(fsi->bool_pending_values, bool_values); fsi->bool_dir = tmp_bool_dir; + end_renaming(&rd); /* classes */ + ret = start_renaming_two_dentries(&rd, tmp_class_dir, fsi->class_dir); + if (ret) + goto out; + d_exchange(tmp_class_dir, fsi->class_dir); fsi->class_dir = tmp_class_dir; - unlock_rename(tmp_parent, fsi->sb->s_root); + end_renaming(&rd); out: sel_remove_old_bool_data(bool_num, bool_names, bool_values); @@ -2122,7 +2134,7 @@ static struct file_system_type sel_fs_type = { struct path selinux_null __ro_after_init; -static int __init init_sel_fs(void) +int __init init_sel_fs(void) { struct qstr null_name = QSTR_INIT(NULL_FILE_NAME, sizeof(NULL_FILE_NAME)-1); @@ -2166,5 +2178,3 @@ static int __init init_sel_fs(void) return err; } - -__initcall(init_sel_fs); diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index c2c31521cace..d12ca337e649 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c @@ -20,48 +20,15 @@ #include <linux/errno.h> #include "avtab.h" #include "policydb.h" +#include "hash.h" static struct kmem_cache *avtab_node_cachep __ro_after_init; static struct kmem_cache *avtab_xperms_cachep __ro_after_init; -/* Based on MurmurHash3, written by Austin Appleby and placed in the - * public domain. - */ static inline u32 avtab_hash(const struct avtab_key *keyp, u32 mask) { - static const u32 c1 = 0xcc9e2d51; - static const u32 c2 = 0x1b873593; - static const u32 r1 = 15; - static const u32 r2 = 13; - static const u32 m = 5; - static const u32 n = 0xe6546b64; - - u32 hash = 0; - -#define mix(input) \ - do { \ - u32 v = input; \ - v *= c1; \ - v = (v << r1) | (v >> (32 - r1)); \ - v *= c2; \ - hash ^= v; \ - hash = (hash << r2) | (hash >> (32 - r2)); \ - hash = hash * m + n; \ - } while (0) - - mix(keyp->target_class); - mix(keyp->target_type); - mix(keyp->source_type); - -#undef mix - - hash ^= hash >> 16; - hash *= 0x85ebca6b; - hash ^= hash >> 13; - hash *= 0xc2b2ae35; - hash ^= hash >> 16; - - return hash & mask; + return av_hash((u32)keyp->target_class, (u32)keyp->target_type, + (u32)keyp->source_type, mask); } static struct avtab_node *avtab_insert_node(struct avtab *h, diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 713130bd43c4..13fc712d5923 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3570,6 +3570,13 @@ struct selinux_audit_rule { struct context au_ctxt; }; +int selinux_audit_rule_avc_callback(u32 event) +{ + if (event == AVC_CALLBACK_RESET) + return audit_update_lsm_rules(); + return 0; +} + void selinux_audit_rule_free(void *vrule) { struct selinux_audit_rule *rule = vrule; @@ -3820,25 +3827,6 @@ out: return match; } -static int aurule_avc_callback(u32 event) -{ - if (event == AVC_CALLBACK_RESET) - return audit_update_lsm_rules(); - return 0; -} - -static int __init aurule_init(void) -{ - int err; - - err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET); - if (err) - panic("avc_add_callback() failed, error %d\n", err); - - return err; -} -__initcall(aurule_init); - #ifdef CONFIG_NETLABEL /** * security_netlbl_cache_add - Add an entry to the NetLabel cache |