diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/capability.c | 2 | ||||
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 2 | ||||
| -rw-r--r-- | security/keys/request_key.c | 1 | ||||
| -rw-r--r-- | security/security.c | 3 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 22 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 14 |
6 files changed, 22 insertions, 22 deletions
diff --git a/security/capability.c b/security/capability.c index c773635ca3a0..2a5df2b7da83 100644 --- a/security/capability.c +++ b/security/capability.c | |||
| @@ -548,7 +548,7 @@ static int cap_sem_semop(struct sem_array *sma, struct sembuf *sops, | |||
| 548 | } | 548 | } |
| 549 | 549 | ||
| 550 | #ifdef CONFIG_SECURITY_NETWORK | 550 | #ifdef CONFIG_SECURITY_NETWORK |
| 551 | static int cap_unix_stream_connect(struct socket *sock, struct socket *other, | 551 | static int cap_unix_stream_connect(struct sock *sock, struct sock *other, |
| 552 | struct sock *newsk) | 552 | struct sock *newsk) |
| 553 | { | 553 | { |
| 554 | return 0; | 554 | return 0; |
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index aef8c0a923ab..d661afbe474c 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
| @@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry, | |||
| 253 | result = security_filter_rule_init(entry->lsm[lsm_rule].type, | 253 | result = security_filter_rule_init(entry->lsm[lsm_rule].type, |
| 254 | Audit_equal, args, | 254 | Audit_equal, args, |
| 255 | &entry->lsm[lsm_rule].rule); | 255 | &entry->lsm[lsm_rule].rule); |
| 256 | if (!entry->lsm[lsm_rule].rule) | ||
| 257 | return -EINVAL; | ||
| 256 | return result; | 258 | return result; |
| 257 | } | 259 | } |
| 258 | 260 | ||
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 0088dd8bf68a..0ea52d25a6bd 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
| @@ -403,7 +403,6 @@ link_check_failed: | |||
| 403 | return ret; | 403 | return ret; |
| 404 | 404 | ||
| 405 | link_prealloc_failed: | 405 | link_prealloc_failed: |
| 406 | up_write(&dest_keyring->sem); | ||
| 407 | mutex_unlock(&user->cons_lock); | 406 | mutex_unlock(&user->cons_lock); |
| 408 | kleave(" = %d [prelink]", ret); | 407 | kleave(" = %d [prelink]", ret); |
| 409 | return ret; | 408 | return ret; |
diff --git a/security/security.c b/security/security.c index 1b798d3df710..e5fb07a3052d 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -977,8 +977,7 @@ EXPORT_SYMBOL(security_inode_getsecctx); | |||
| 977 | 977 | ||
| 978 | #ifdef CONFIG_SECURITY_NETWORK | 978 | #ifdef CONFIG_SECURITY_NETWORK |
| 979 | 979 | ||
| 980 | int security_unix_stream_connect(struct socket *sock, struct socket *other, | 980 | int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) |
| 981 | struct sock *newsk) | ||
| 982 | { | 981 | { |
| 983 | return security_ops->unix_stream_connect(sock, other, newsk); | 982 | return security_ops->unix_stream_connect(sock, other, newsk); |
| 984 | } | 983 | } |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 65fa8bf596f5..6f637d2678ac 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -3921,18 +3921,18 @@ static int selinux_socket_shutdown(struct socket *sock, int how) | |||
| 3921 | return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); | 3921 | return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); |
| 3922 | } | 3922 | } |
| 3923 | 3923 | ||
| 3924 | static int selinux_socket_unix_stream_connect(struct socket *sock, | 3924 | static int selinux_socket_unix_stream_connect(struct sock *sock, |
| 3925 | struct socket *other, | 3925 | struct sock *other, |
| 3926 | struct sock *newsk) | 3926 | struct sock *newsk) |
| 3927 | { | 3927 | { |
| 3928 | struct sk_security_struct *sksec_sock = sock->sk->sk_security; | 3928 | struct sk_security_struct *sksec_sock = sock->sk_security; |
| 3929 | struct sk_security_struct *sksec_other = other->sk->sk_security; | 3929 | struct sk_security_struct *sksec_other = other->sk_security; |
| 3930 | struct sk_security_struct *sksec_new = newsk->sk_security; | 3930 | struct sk_security_struct *sksec_new = newsk->sk_security; |
| 3931 | struct common_audit_data ad; | 3931 | struct common_audit_data ad; |
| 3932 | int err; | 3932 | int err; |
| 3933 | 3933 | ||
| 3934 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 3934 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
| 3935 | ad.u.net.sk = other->sk; | 3935 | ad.u.net.sk = other; |
| 3936 | 3936 | ||
| 3937 | err = avc_has_perm(sksec_sock->sid, sksec_other->sid, | 3937 | err = avc_has_perm(sksec_sock->sid, sksec_other->sid, |
| 3938 | sksec_other->sclass, | 3938 | sksec_other->sclass, |
| @@ -4520,11 +4520,11 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
| 4520 | if (selinux_secmark_enabled()) | 4520 | if (selinux_secmark_enabled()) |
| 4521 | if (avc_has_perm(sksec->sid, skb->secmark, | 4521 | if (avc_has_perm(sksec->sid, skb->secmark, |
| 4522 | SECCLASS_PACKET, PACKET__SEND, &ad)) | 4522 | SECCLASS_PACKET, PACKET__SEND, &ad)) |
| 4523 | return NF_DROP; | 4523 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4524 | 4524 | ||
| 4525 | if (selinux_policycap_netpeer) | 4525 | if (selinux_policycap_netpeer) |
| 4526 | if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) | 4526 | if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) |
| 4527 | return NF_DROP; | 4527 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4528 | 4528 | ||
| 4529 | return NF_ACCEPT; | 4529 | return NF_ACCEPT; |
| 4530 | } | 4530 | } |
| @@ -4581,7 +4581,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4581 | secmark_perm = PACKET__SEND; | 4581 | secmark_perm = PACKET__SEND; |
| 4582 | break; | 4582 | break; |
| 4583 | default: | 4583 | default: |
| 4584 | return NF_DROP; | 4584 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4585 | } | 4585 | } |
| 4586 | if (secmark_perm == PACKET__FORWARD_OUT) { | 4586 | if (secmark_perm == PACKET__FORWARD_OUT) { |
| 4587 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) | 4587 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) |
| @@ -4603,7 +4603,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4603 | if (secmark_active) | 4603 | if (secmark_active) |
| 4604 | if (avc_has_perm(peer_sid, skb->secmark, | 4604 | if (avc_has_perm(peer_sid, skb->secmark, |
| 4605 | SECCLASS_PACKET, secmark_perm, &ad)) | 4605 | SECCLASS_PACKET, secmark_perm, &ad)) |
| 4606 | return NF_DROP; | 4606 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4607 | 4607 | ||
| 4608 | if (peerlbl_active) { | 4608 | if (peerlbl_active) { |
| 4609 | u32 if_sid; | 4609 | u32 if_sid; |
| @@ -4613,13 +4613,13 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4613 | return NF_DROP; | 4613 | return NF_DROP; |
| 4614 | if (avc_has_perm(peer_sid, if_sid, | 4614 | if (avc_has_perm(peer_sid, if_sid, |
| 4615 | SECCLASS_NETIF, NETIF__EGRESS, &ad)) | 4615 | SECCLASS_NETIF, NETIF__EGRESS, &ad)) |
| 4616 | return NF_DROP; | 4616 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4617 | 4617 | ||
| 4618 | if (sel_netnode_sid(addrp, family, &node_sid)) | 4618 | if (sel_netnode_sid(addrp, family, &node_sid)) |
| 4619 | return NF_DROP; | 4619 | return NF_DROP; |
| 4620 | if (avc_has_perm(peer_sid, node_sid, | 4620 | if (avc_has_perm(peer_sid, node_sid, |
| 4621 | SECCLASS_NODE, NODE__SENDTO, &ad)) | 4621 | SECCLASS_NODE, NODE__SENDTO, &ad)) |
| 4622 | return NF_DROP; | 4622 | return NF_DROP_ERR(-ECONNREFUSED); |
| 4623 | } | 4623 | } |
| 4624 | 4624 | ||
| 4625 | return NF_ACCEPT; | 4625 | return NF_ACCEPT; |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 489a85afa477..ccb71a044a1a 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -2408,22 +2408,22 @@ static int smack_setprocattr(struct task_struct *p, char *name, | |||
| 2408 | 2408 | ||
| 2409 | /** | 2409 | /** |
| 2410 | * smack_unix_stream_connect - Smack access on UDS | 2410 | * smack_unix_stream_connect - Smack access on UDS |
| 2411 | * @sock: one socket | 2411 | * @sock: one sock |
| 2412 | * @other: the other socket | 2412 | * @other: the other sock |
| 2413 | * @newsk: unused | 2413 | * @newsk: unused |
| 2414 | * | 2414 | * |
| 2415 | * Return 0 if a subject with the smack of sock could access | 2415 | * Return 0 if a subject with the smack of sock could access |
| 2416 | * an object with the smack of other, otherwise an error code | 2416 | * an object with the smack of other, otherwise an error code |
| 2417 | */ | 2417 | */ |
| 2418 | static int smack_unix_stream_connect(struct socket *sock, | 2418 | static int smack_unix_stream_connect(struct sock *sock, |
| 2419 | struct socket *other, struct sock *newsk) | 2419 | struct sock *other, struct sock *newsk) |
| 2420 | { | 2420 | { |
| 2421 | struct inode *sp = SOCK_INODE(sock); | 2421 | struct inode *sp = SOCK_INODE(sock->sk_socket); |
| 2422 | struct inode *op = SOCK_INODE(other); | 2422 | struct inode *op = SOCK_INODE(other->sk_socket); |
| 2423 | struct smk_audit_info ad; | 2423 | struct smk_audit_info ad; |
| 2424 | 2424 | ||
| 2425 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); | 2425 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); |
| 2426 | smk_ad_setfield_u_net_sk(&ad, other->sk); | 2426 | smk_ad_setfield_u_net_sk(&ad, other); |
| 2427 | return smk_access(smk_of_inode(sp), smk_of_inode(op), | 2427 | return smk_access(smk_of_inode(sp), smk_of_inode(op), |
| 2428 | MAY_READWRITE, &ad); | 2428 | MAY_READWRITE, &ad); |
| 2429 | } | 2429 | } |