author | Linus Torvalds <torvalds@linux-foundation.org> | 2016-07-29 20:38:46 -0400 |
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2016-07-29 20:38:46 -0400 |
commit | 7a1e8b80fb1e8ead4cec15d1fc494ed290e4d2e9 (patch) | |
tree | 55a36d4256f1ae793b5c8e88c0f158737447193f /security/selinux/hooks.c | |
parent | a867d7349e94b6409b08629886a819f802377e91 (diff) | |
parent | 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 (diff) |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
- TPM core and driver updates/fixes
- IPv6 security labeling (CALIPSO)
- Lots of Apparmor fixes
- Seccomp: remove 2-phase API, close hole where ptrace can change
syscall #"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (156 commits)
apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
tpm: Add TPM 2.0 support to the Nuvoton i2c driver (NPCT6xx family)
tpm: Factor out common startup code
tpm: use devm_add_action_or_reset
tpm2_i2c_nuvoton: add irq validity check
tpm: read burstcount from TPM_STS in one 32-bit transaction
tpm: fix byte-order for the value read by tpm2_get_tpm_pt
tpm_tis_core: convert max timeouts from msec to jiffies
apparmor: fix arg_size computation for when setprocattr is null terminated
apparmor: fix oops, validate buffer size in apparmor_setprocattr()
apparmor: do not expose kernel stack
apparmor: fix module parameters can be changed after policy is locked
apparmor: fix oops in profile_unpack() when policy_db is not present
apparmor: don't check for vmalloc_addr if kvzalloc() failed
apparmor: add missing id bounds check on dfa verification
apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
apparmor: use list_next_entry instead of list_entry_next
apparmor: fix refcount race when finding a child profile
apparmor: fix ref count leak when profile sha1 hash is read
apparmor: check that xindex is in trans_table bounds
...
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 21 |
1 files changed, 18 insertions, 3 deletions
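--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4627,13 +4627,13 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
 addrp, family, peer_sid, &ad);
 if (err) {
-selinux_netlbl_err(skb, err, 0);
+selinux_netlbl_err(skb, family, err, 0);
 return err;
 }
 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
 PEER__RECV, &ad);
 if (err) {
-selinux_netlbl_err(skb, err, 0);
+selinux_netlbl_err(skb, family, err, 0);
 return err;
 }
 }
@@ -5001,7 +5001,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
 addrp, family, peer_sid, &ad);
 if (err) {
-selinux_netlbl_err(skb, err, 1);
+selinux_netlbl_err(skb, family, err, 1);
 return NF_DROP;
 }
 }
@@ -5087,6 +5087,15 @@ static unsigned int selinux_ipv4_output(void *priv,
 return selinux_ip_output(skb, PF_INET);
 }
 
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int selinux_ipv6_output(void *priv,
+struct sk_buff *skb,
+const struct nf_hook_state *state)
+{
+return selinux_ip_output(skb, PF_INET6);
+}
+#endif /* IPV6 */
+
 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 int ifindex,
 u16 family)
@@ -6321,6 +6330,12 @@ static struct nf_hook_ops selinux_nf_ops[] = {
 .hooknum = NF_INET_FORWARD,
 .priority = NF_IP6_PRI_SELINUX_FIRST,
 },
+{
+.hook = selinux_ipv6_output,
+.pf = NFPROTO_IPV6,
+.hooknum = NF_INET_LOCAL_OUT,
+.priority = NF_IP6_PRI_SELINUX_FIRST,
+},
 #endif /* IPV6 */
 };
 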
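Review bot: The new selinux_ipv6_output wrapper in the third hunk (new lines 5090-5097) routes locally generated IPv6 packets into selinux_ip_output with PF_INET6 for the first time, and selinux_ip_output itself is outside this hunk, so nothing here shows that its body handles a PF_INET6 family value rather than assuming IPv4 headers; that should be confirmed against the function before the NF_INET_LOCAL_OUT registration in the fourth hunk goes live. A short comment on the wrapper would make the intent and the new coverage explicit, e.g. `/* NF_INET_LOCAL_OUT hook for IPv6: labels outbound packets via the same selinux_ip_output() path used for IPv4. */`. The guard `#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)` matches the existing `#endif /* IPV6 */` blocks in this file, which is the right call for consistency even though `IS_ENABLED(CONFIG_IPV6)` is the more compact kernel idiom. The `family` argument added to the selinux_netlbl_err() calls in the first two hunks belongs to functions (selinux_socket_sock_rcv_skb, selinux_ip_forward) whose bodies extend beyond the hunks, so the value of `family` at those call sites cannot be checked from here.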