Merge tag 'arm-defconfig-5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

[linux-2.6-microblaze.git] / security / selinux / ss / services.c

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 6f095c0..3016331 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -65,6 +65,7 @@
 #include "ebitmap.h"
 #include "audit.h"
 #include "policycap_names.h"
+#include "ima.h"
 
 struct convert_context_args {
        struct selinux_state *state;
@@ -2201,6 +2202,7 @@ static void selinux_notify_policy_change(struct selinux_state *state,
        selinux_status_update_policyload(state, seqno);
        selinux_netlbl_cache_invalidate();
        selinux_xfrm_notify_policyload();
+       selinux_ima_measure_state(state);
 }
 
 void selinux_policy_commit(struct selinux_state *state,
@@ -3967,8 +3969,33 @@ out:
 }
 #endif /* CONFIG_NETLABEL */
 
+/**
+ * __security_read_policy - read the policy.
+ * @policy: SELinux policy
+ * @data: binary policy data
+ * @len: length of data in bytes
+ *
+ */
+static int __security_read_policy(struct selinux_policy *policy,
+                                 void *data, size_t *len)
+{
+       int rc;
+       struct policy_file fp;
+
+       fp.data = data;
+       fp.len = *len;
+
+       rc = policydb_write(&policy->policydb, &fp);
+       if (rc)
+               return rc;
+
+       *len = (unsigned long)fp.data - (unsigned long)data;
+       return 0;
+}
+
 /**
  * security_read_policy - read the policy.
+ * @state: selinux_state
  * @data: binary policy data
  * @len: length of data in bytes
  *
@@ -3977,8 +4004,6 @@ int security_read_policy(struct selinux_state *state,
                         void **data, size_t *len)
 {
        struct selinux_policy *policy;
-       int rc;
-       struct policy_file fp;
 
        policy = rcu_dereference_protected(
                        state->policy, lockdep_is_held(&state->policy_mutex));
@@ -3990,14 +4015,35 @@ int security_read_policy(struct selinux_state *state,
        if (!*data)
                return -ENOMEM;
 
-       fp.data = *data;
-       fp.len = *len;
+       return __security_read_policy(policy, *data, len);
+}
 
-       rc = policydb_write(&policy->policydb, &fp);
-       if (rc)
-               return rc;
+/**
+ * security_read_state_kernel - read the policy.
+ * @state: selinux_state
+ * @data: binary policy data
+ * @len: length of data in bytes
+ *
+ * Allocates kernel memory for reading SELinux policy.
+ * This function is for internal use only and should not
+ * be used for returning data to user space.
+ *
+ * This function must be called with policy_mutex held.
+ */
+int security_read_state_kernel(struct selinux_state *state,
+                              void **data, size_t *len)
+{
+       struct selinux_policy *policy;
 
-       *len = (unsigned long)fp.data - (unsigned long)*data;
-       return 0;
+       policy = rcu_dereference_protected(
+                       state->policy, lockdep_is_held(&state->policy_mutex));
+       if (!policy)
+               return -EINVAL;
+
+       *len = policy->policydb.len;
+       *data = vmalloc(*len);
+       if (!*data)
+               return -ENOMEM;
 
+       return __security_read_policy(policy, *data, len);
 }