diff options
author | Jiri Kosina <jkosina@suse.cz> | 2010-12-22 12:57:02 -0500 |
---|---|---|
committer | Jiri Kosina <jkosina@suse.cz> | 2010-12-22 12:57:02 -0500 |
commit | 4b7bd364700d9ac8372eff48832062b936d0793b (patch) | |
tree | 0dbf78c95456a0b02d07fcd473281f04a87e266d /security | |
parent | c0d8768af260e2cbb4bf659ae6094a262c86b085 (diff) | |
parent | 90a8a73c06cc32b609a880d48449d7083327e11a (diff) |
Merge branch 'master' into for-next
Conflicts:
MAINTAINERS
arch/arm/mach-omap2/pm24xx.c
drivers/scsi/bfa/bfa_fcpim.c
Needed to update to apply fixes for which the old branch was too
outdated.
Diffstat (limited to 'security')
-rw-r--r-- | security/Kconfig | 12 | ||||
-rw-r--r-- | security/apparmor/lsm.c | 6 | ||||
-rw-r--r-- | security/apparmor/policy.c | 2 | ||||
-rw-r--r-- | security/capability.c | 5 | ||||
-rw-r--r-- | security/commoncap.c | 19 | ||||
-rw-r--r-- | security/security.c | 4 | ||||
-rw-r--r-- | security/selinux/hooks.c | 6 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 8 |
8 files changed, 27 insertions, 35 deletions
diff --git a/security/Kconfig b/security/Kconfig index bd72ae62349..e80da955e68 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
@@ -39,6 +39,18 @@ config KEYS_DEBUG_PROC_KEYS | |||
39 | 39 | ||
40 | If you are unsure as to whether this is required, answer N. | 40 | If you are unsure as to whether this is required, answer N. |
41 | 41 | ||
42 | config SECURITY_DMESG_RESTRICT | ||
43 | bool "Restrict unprivileged access to the kernel syslog" | ||
44 | default n | ||
45 | help | ||
46 | This enforces restrictions on unprivileged users reading the kernel | ||
47 | syslog via dmesg(8). | ||
48 | |||
49 | If this option is not selected, no restrictions will be enforced | ||
50 | unless the dmesg_restrict sysctl is explicitly set to (1). | ||
51 | |||
52 | If you are unsure how to answer this question, answer N. | ||
53 | |||
42 | config SECURITY | 54 | config SECURITY |
43 | bool "Enable different security models" | 55 | bool "Enable different security models" |
44 | depends on SYSFS | 56 | depends on SYSFS |
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index cf1de4462cc..b7106f192b7 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c | |||
@@ -922,7 +922,7 @@ static int __init apparmor_init(void) | |||
922 | error = register_security(&apparmor_ops); | 922 | error = register_security(&apparmor_ops); |
923 | if (error) { | 923 | if (error) { |
924 | AA_ERROR("Unable to register AppArmor\n"); | 924 | AA_ERROR("Unable to register AppArmor\n"); |
925 | goto register_security_out; | 925 | goto set_init_cxt_out; |
926 | } | 926 | } |
927 | 927 | ||
928 | /* Report that AppArmor successfully initialized */ | 928 | /* Report that AppArmor successfully initialized */ |
@@ -936,6 +936,9 @@ static int __init apparmor_init(void) | |||
936 | 936 | ||
937 | return error; | 937 | return error; |
938 | 938 | ||
939 | set_init_cxt_out: | ||
940 | aa_free_task_context(current->real_cred->security); | ||
941 | |||
939 | register_security_out: | 942 | register_security_out: |
940 | aa_free_root_ns(); | 943 | aa_free_root_ns(); |
941 | 944 | ||
@@ -944,7 +947,6 @@ alloc_out: | |||
944 | 947 | ||
945 | apparmor_enabled = 0; | 948 | apparmor_enabled = 0; |
946 | return error; | 949 | return error; |
947 | |||
948 | } | 950 | } |
949 | 951 | ||
950 | security_initcall(apparmor_init); | 952 | security_initcall(apparmor_init); |
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 52cc865f146..4f0eadee78b 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c | |||
@@ -306,7 +306,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix, | |||
306 | return ns; | 306 | return ns; |
307 | 307 | ||
308 | fail_unconfined: | 308 | fail_unconfined: |
309 | kzfree(ns->base.name); | 309 | kzfree(ns->base.hname); |
310 | fail_ns: | 310 | fail_ns: |
311 | kzfree(ns); | 311 | kzfree(ns); |
312 | return NULL; | 312 | return NULL; |
diff --git a/security/capability.c b/security/capability.c index 30ae00fbecd..c773635ca3a 100644 --- a/security/capability.c +++ b/security/capability.c | |||
@@ -17,6 +17,11 @@ static int cap_sysctl(ctl_table *table, int op) | |||
17 | return 0; | 17 | return 0; |
18 | } | 18 | } |
19 | 19 | ||
20 | static int cap_syslog(int type) | ||
21 | { | ||
22 | return 0; | ||
23 | } | ||
24 | |||
20 | static int cap_quotactl(int cmds, int type, int id, struct super_block *sb) | 25 | static int cap_quotactl(int cmds, int type, int id, struct super_block *sb) |
21 | { | 26 | { |
22 | return 0; | 27 | return 0; |
diff --git a/security/commoncap.c b/security/commoncap.c index 5e632b4857e..64c2ed9c901 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -27,7 +27,6 @@ | |||
27 | #include <linux/sched.h> | 27 | #include <linux/sched.h> |
28 | #include <linux/prctl.h> | 28 | #include <linux/prctl.h> |
29 | #include <linux/securebits.h> | 29 | #include <linux/securebits.h> |
30 | #include <linux/syslog.h> | ||
31 | 30 | ||
32 | /* | 31 | /* |
33 | * If a non-root user executes a setuid-root binary in | 32 | * If a non-root user executes a setuid-root binary in |
@@ -884,24 +883,6 @@ error: | |||
884 | } | 883 | } |
885 | 884 | ||
886 | /** | 885 | /** |
887 | * cap_syslog - Determine whether syslog function is permitted | ||
888 | * @type: Function requested | ||
889 | * @from_file: Whether this request came from an open file (i.e. /proc) | ||
890 | * | ||
891 | * Determine whether the current process is permitted to use a particular | ||
892 | * syslog function, returning 0 if permission is granted, -ve if not. | ||
893 | */ | ||
894 | int cap_syslog(int type, bool from_file) | ||
895 | { | ||
896 | if (type != SYSLOG_ACTION_OPEN && from_file) | ||
897 | return 0; | ||
898 | if ((type != SYSLOG_ACTION_READ_ALL && | ||
899 | type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN)) | ||
900 | return -EPERM; | ||
901 | return 0; | ||
902 | } | ||
903 | |||
904 | /** | ||
905 | * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted | 886 | * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted |
906 | * @mm: The VM space in which the new mapping is to be made | 887 | * @mm: The VM space in which the new mapping is to be made |
907 | * @pages: The size of the mapping | 888 | * @pages: The size of the mapping |
diff --git a/security/security.c b/security/security.c index 3ef5e2a7a74..1b798d3df71 100644 --- a/security/security.c +++ b/security/security.c | |||
@@ -197,9 +197,9 @@ int security_quota_on(struct dentry *dentry) | |||
197 | return security_ops->quota_on(dentry); | 197 | return security_ops->quota_on(dentry); |
198 | } | 198 | } |
199 | 199 | ||
200 | int security_syslog(int type, bool from_file) | 200 | int security_syslog(int type) |
201 | { | 201 | { |
202 | return security_ops->syslog(type, from_file); | 202 | return security_ops->syslog(type); |
203 | } | 203 | } |
204 | 204 | ||
205 | int security_settime(struct timespec *ts, struct timezone *tz) | 205 | int security_settime(struct timespec *ts, struct timezone *tz) |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d9154cf90ae..65fa8bf596f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1973,14 +1973,10 @@ static int selinux_quota_on(struct dentry *dentry) | |||
1973 | return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); | 1973 | return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); |
1974 | } | 1974 | } |
1975 | 1975 | ||
1976 | static int selinux_syslog(int type, bool from_file) | 1976 | static int selinux_syslog(int type) |
1977 | { | 1977 | { |
1978 | int rc; | 1978 | int rc; |
1979 | 1979 | ||
1980 | rc = cap_syslog(type, from_file); | ||
1981 | if (rc) | ||
1982 | return rc; | ||
1983 | |||
1984 | switch (type) { | 1980 | switch (type) { |
1985 | case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ | 1981 | case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ |
1986 | case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ | 1982 | case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index bc39f4067af..489a85afa47 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -157,15 +157,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
157 | * | 157 | * |
158 | * Returns 0 on success, error code otherwise. | 158 | * Returns 0 on success, error code otherwise. |
159 | */ | 159 | */ |
160 | static int smack_syslog(int type, bool from_file) | 160 | static int smack_syslog(int typefrom_file) |
161 | { | 161 | { |
162 | int rc; | 162 | int rc = 0; |
163 | char *sp = current_security(); | 163 | char *sp = current_security(); |
164 | 164 | ||
165 | rc = cap_syslog(type, from_file); | ||
166 | if (rc != 0) | ||
167 | return rc; | ||
168 | |||
169 | if (capable(CAP_MAC_OVERRIDE)) | 165 | if (capable(CAP_MAC_OVERRIDE)) |
170 | return 0; | 166 | return 0; |
171 | 167 | ||