Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security system updates from James Morris: - incorporate new socketpair() hook into LSM and wire up the SELinux and Smack modules. From David Herrmann: "The idea is to allow SO_PEERSEC to be called on AF_UNIX sockets created via socketpair(2), and return the same information as if you emulated socketpair(2) via a temporary listener socket. Right now SO_PEERSEC will return the unlabeled credentials for a socketpair, rather than the actual credentials of the creating process." - remove the unused security_settime LSM hook (Sargun Dhillon). - remove some stack allocated arrays from the keys code (Tycho Andersen) * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: dh key: get rid of stack allocated array for zeroes dh key: get rid of stack allocated array big key: get rid of stack array allocation smack: provide socketpair callback selinux: provide socketpair callback net: hook socketpair() into LSM security: add hook for socketpair() security: remove security_settime
author: Linus Torvalds <torvalds@linux-foundation.org> 2018-06-06 19:15:56 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-06-06 19:15:56 -0400
commit: 10b1eb7d8ce5635a7deb273f8291d8a0a7681de1 (patch)
tree: 946b7d496a4e24db5120be376e075b52982fae83 /include/linux
parent: d75ae5bdf2353e5c6a1f83da5f6f2d31582f09a3 (diff)
parent: 890e2abe1028c39e5399101a2c277219cd637aaa (diff)
2 files changed, 14 insertions, 14 deletions
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9d0b286f3dba..8f1131c8dd54 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -757,6 +757,11 @@
 *      @type contains the requested communications type.
 *      @protocol contains the requested protocol.
 *      @kern set to 1 if a kernel socket.
+ * @socket_socketpair:
+ *      Check permissions before creating a fresh pair of sockets.
+ *      @socka contains the first socket structure.
+ *      @sockb contains the second socket structure.
+ *      Return 0 if permission is granted and the connection was established.
 * @socket_bind:
 *      Check permission before socket protocol layer bind operation is
 *      performed and the socket @sock is bound to the address specified in the
@@ -1656,6 +1661,7 @@ union security_list_options {
        int (*socket_create)(int family, int type, int protocol, int kern);
        int (*socket_post_create)(struct socket *sock, int family, int type,
                                        int protocol, int kern);
+        int (*socket_socketpair)(struct socket *socka, struct socket *sockb);
        int (*socket_bind)(struct socket *sock, struct sockaddr *address,
                                int addrlen);
        int (*socket_connect)(struct socket *sock, struct sockaddr *address,
@@ -1922,6 +1928,7 @@ struct security_hook_heads {
        struct hlist_head unix_may_send;
        struct hlist_head socket_create;
        struct hlist_head socket_post_create;
+        struct hlist_head socket_socketpair;
        struct hlist_head socket_bind;
        struct hlist_head socket_connect;
        struct hlist_head socket_listen;
diff --git a/include/linux/security.h b/include/linux/security.h
index 200920f521a1..63030c85ee19 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -220,12 +220,6 @@ int security_quotactl(int cmds, int type, int id, struct super_block *sb);
 int security_quota_on(struct dentry *dentry);
 int security_syslog(int type);
 int security_settime64(const struct timespec64 *ts, const struct timezone *tz);
-static inline int security_settime(const struct timespec *ts, const struct timezone *tz)
-{
-        struct timespec64 ts64 = timespec_to_timespec64(*ts);
-        return security_settime64(&ts64, tz);
-}
 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
 int security_bprm_set_creds(struct linux_binprm *bprm);
 int security_bprm_check(struct linux_binprm *bprm);
@@ -508,14 +502,6 @@ static inline int security_settime64(const struct timespec64 *ts,
        return cap_settime(ts, tz);
 }
-static inline int security_settime(const struct timespec *ts,
-                                   const struct timezone *tz)
-{
-        struct timespec64 ts64 = timespec_to_timespec64(*ts);
-        return cap_settime(&ts64, tz);
-}
 static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
 {
        return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pages));
@@ -1191,6 +1177,7 @@ int security_unix_may_send(struct socket *sock,  struct socket *other);
 int security_socket_create(int family, int type, int protocol, int kern);
 int security_socket_post_create(struct socket *sock, int family,
                                int type, int protocol, int kern);
+int security_socket_socketpair(struct socket *socka, struct socket *sockb);
 int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen);
 int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
 int security_socket_listen(struct socket *sock, int backlog);
@@ -1262,6 +1249,12 @@ static inline int security_socket_post_create(struct socket *sock,
        return 0;
 }
+static inline int security_socket_socketpair(struct socket *socka,
+                                             struct socket *sockb)
+{
+        return 0;
+}
 static inline int security_socket_bind(struct socket *sock,
                                       struct sockaddr *address,
                                       int addrlen)
author	Linus Torvalds <torvalds@linux-foundation.org>	2018-06-06 19:15:56 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-06-06 19:15:56 -0400
commit	10b1eb7d8ce5635a7deb273f8291d8a0a7681de1 (patch)
tree	946b7d496a4e24db5120be376e075b52982fae83 /include/linux
parent	d75ae5bdf2353e5c6a1f83da5f6f2d31582f09a3 (diff)
parent	890e2abe1028c39e5399101a2c277219cd637aaa (diff)